Two important goals of squid are to:
Reduce Internet bandwidth charges
Limit access to the Web to only authorized users.
Users configure their web browsers to use the Squid proxy server instead of going to the web directly. The Squid server then checks its web cache for the web information requested by the user. It returns any matching information that it finds in its cache; if there is no match, it goes to the web to fetch it on behalf of the user. Once it has the information, it populates its cache with it and also forwards it to the user's web browser.
As you can see, this reduces the amount of data fetched from the web. Another advantage is that you can configure your firewall to accept HTTP web traffic only from the Squid server and no one else. Squid can then be configured to request a username and password from each user who uses its services. This provides simple access control to the Internet.
Install the Squid package from the third CD of the Red Hat 9 distribution.
Note: Before we configure a proxy server it is compulsory that you configure an Internet connection, either over a leased line or through a PPP dial-out server. If the ISP connection you have is a leased line or cable connection, simply configure /etc/resolv.conf with your ISP's DNS settings: a "domain" line with the domain name and "nameserver" lines with the DNS server IP addresses. If you are using a modem dial-out server to connect to the ISP, use the kppp dial-out configuration GUI utility.
19.2 Configuring SQUID
Start the SQUID service
Use the chkconfig to configure Squid to start at boot:
[root@skynet tmp]# chkconfig squid on
The service command can be used to start, stop or restart Squid after booting:
[root@skynet tmp]# service squid start
[root@skynet tmp]# service squid stop
[root@skynet tmp]# service squid restart
You can test whether the Squid process is running with the following command; you should get a response of plain old process ID numbers:
[root@skynet tmp]# pgrep squid
19.2.1 The /etc/squid/squid.conf File
The main Squid configuration file is squid.conf which we'll discuss in detail in following sections.
Activating Configuration Changes
Like most Linux applications, Squid needs to be restarted for changes to the configuration file to take effect.
The Visible Host Name
Note: Older versions of Squid will fail to start if you don't give your server a hostname. You can set this with the "visible_hostname" parameter in /etc/squid/squid.conf. Here we set it to the real name of our server, "wstsun1".
visible_hostname wstsun1
Linux Administration – SQUID Proxy Page 102 of 167
www.wilshiresoft.com Wilshire Software Technologies Rev Dt: 15-Oct-08
19.2.2 Access Control Lists
You can limit users' ability to browse the Internet with access control lists (ACLs). Each ACL line defines a particular type of activity, such as an access time or a source network. ACLs are then referenced by an http_access statement that tells Squid whether to allow or deny traffic that matches them.
Here are some guidelines that may be helpful:
Squid matches each web access request it receives by checking the http_access list from top to bottom. If it finds a match, it enforces the "allow" or "deny" statement and stops reading further. You will have to be careful not to place a "deny" statement in the list that blocks a similar "allow" statement below it. The final http_access statement denies everything, so it is best to place new http_access statements above it.
Squid has a minimum required set of ACL statements in the ACCESS_CONTROL section of the squid.conf file. It is best to put new customized entries right after this list to make the file easier to read.
19.2.3 Restricting Web Access by Time
Access control lists can be created with time parameters. Here are some quick examples. Remember to restart Squid for the changes to take effect.
Only Allow Business Hour Access from the Home Network
#
# Add this to the bottom of the ACL section of squid.conf
#
acl home_network src 192.168.1.0/24
acl business_hours time M T W H F 9:00-17:00
#
# Add this at the top of the http_access section of squid.conf
#
http_access allow home_network business_hours
Only Allow Access In The Morning
#
# Add this to the bottom of the ACL section of squid.conf
#
acl mornings time 08:00-12:00
#
# Add this at the top of the http_access section of squid.conf
#
http_access allow mornings
Restricting Web Access By IP Address
You can create an access control list (ACL) that restricts web access to users on certain networks. In this case we're creating an ACL that defines our home network of 192.168.1.0.
#
# Add this to the bottom of the ACL section of squid.conf
#
acl home_network src 192.168.1.0/255.255.255.0
You will also have to add a corresponding http_access statement that allows traffic that matches the ACL.
#
# Add this at the top of the http_access section of squid.conf
#
http_access allow home_network
Remember to restart Squid for the changes to take effect.
[root@skynet tmp]# service squid restart
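The top-to-bottom, first-match evaluation described in the guidelines above, together with the src and time ACLs from these examples, as an added Python simulation that is not Squid's own code: it parses acl/http_access lines and replays constructed requests against them, and a small static check flags an http_access line that an earlier, broader line shadows. The GOOD/BAD fragments are constructed, and treating the end of an hour range as exclusive is an assumption.

```python
"""Added example (not Squid's own code): a mini evaluator of Squid's
http_access first-match rule, run over the acl/http_access lines above."""
import ipaddress
from datetime import datetime

DAY_LETTERS = "MTWHFAS"  # Squid day codes Mon..Sun (H=Thu, A=Sat, S=Sun)
def parse_config(text):
    """Return ({acl name: (type, args)}, [(action, [acl names]), ...])."""
    acls, rules = {}, []
    for raw in text.splitlines():
        tok = raw.split("#", 1)[0].split()  # strip comments and blank lines
        if tok and tok[0] == "acl":
            acls[tok[1]] = (tok[2], tok[3:])
        elif tok and tok[0] == "http_access":
            rules.append((tok[1], tok[2:]))
    return acls, rules
def acl_matches(acl, ip, when):
    """src: CIDR or dotted netmask. time: optional day letters plus one
    h1:m1-h2:m2 range (start inclusive, end exclusive is our assumption)."""
    kind, args = acl
    if kind == "src":
        return any(ip in ipaddress.ip_network(a, strict=False) for a in args)
    assert kind == "time", "unsupported acl type: " + kind
    if any(":" not in a for a in args) and DAY_LETTERS[when.weekday()] not in args:
        return False  # day letters were given and today is not among them
    for rng in (a for a in args if ":" in a):
        lo, hi = (int(h) * 60 + int(m) for h, m in
                  (p.split(":") for p in rng.split("-")))
        return lo <= when.hour * 60 + when.minute < hi
    return True  # no hour range: any time on the listed days
def decide(config, src_ip, when_iso):
    """First rule whose ACLs all match wins; no match denies, like 'deny all'."""
    acls, rules = parse_config(config)
    ip, when = ipaddress.ip_address(src_ip), datetime.fromisoformat(when_iso)
    for i, (action, names) in enumerate(rules):
        if all(acl_matches(acls[n], ip, when) for n in names):
            return action, i
    return "deny", None
def shadowed_rules(config):
    """Rule j can never fire if an earlier rule uses a subset of its ACLs."""
    _, rules = parse_config(config)
    return [j for j in range(len(rules))
            if any(set(rules[i][1]) <= set(rules[j][1]) for i in range(j))]
# Constructed fragments: GOOD follows the page's layout; BAD inserts a broad
# deny above the similar allow, the pitfall the guidelines warn about.
GOOD = ("acl all src 0.0.0.0/0.0.0.0\nacl home_network src 192.168.1.0/24\n"
        "acl business_hours time M T W H F 9:00-17:00\n"
        "http_access allow home_network business_hours\nhttp_access deny all\n")
BAD = GOOD.replace("http_access allow",
                   "http_access deny home_network\nhttp_access allow")
```

Running decide(BAD, "192.168.1.20", "2008-10-15 10:30") returns ("deny", 0) even though the allow line would have matched, and shadowed_rules(BAD) reports that line's index, which is the mistake to look for before restarting Squid.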
19.2.4 Configure the Web Browsers to Use Your Squid Server
If you don't have a firewall that supports redirection then you'll need to:
Configure your firewall to only accept HTTP Internet access from the Squid server
Configure your PC browser's proxy server settings manually to use the Squid server, using the following methods:
Internet Explorer
Here's how to make these changes using Internet Explorer.
1. Click on the "Tools" item on the menu bar of the browser.
2. Click on "Internet Options"
3. Click on "Connections"
4. Click on "LAN Settings"
5. Configure with the address and TCP port (3128 default) used by your Squid server.
Mozilla / Netscape
Here's how to make these changes using Mozilla.
1. Click on the "Edit" item on the menu bar of the browser.
2. Click on "Preferences"
3. Click on "Advanced"
4. Click on "Proxies"
5. Configure with the address and TCP port (3128 default) used by your Squid server under "Manual Proxy Configuration"