					              Set Up Squid as A Proxy Server
           What is a proxy server
                A server that sits between a web browser and a real
                web server
                      It intercepts all requests to the real server to see if it can fulfill
                      the requests itself
                           If not, it forwards the request to the real server
           Why use a proxy server
                 Improve Performance
                      Proxy servers can dramatically improve performance for
                      groups of users
                           Because a proxy server saves the results of all requests for a
                           certain amount of time



James Deng, Business Computing, U. of Winnipeg
                  Filter Requests
                      Proxy servers can also be used to filter requests
                           For example, a company might use a proxy server to
                           prevent its employees from accessing a specific set of web
                           sites
                  More administrative control
                      With the proxy log, an administrator can easily find
                      out who has been accessing what web site, time...




           Install squid
           Configure the squid
                The squid.conf file
                      In /etc/squid
                      ACCESS CONTROLS: acl
                           Usage: acl <aclname> acltype string1 ...
                      Acltype
                            src
                                  This matches on the client's IP address.
                                  Usage: acl <aclname> src ip-address/netmask
                                  This refers to the whole network with address 192.168.1.0:
                                  acl <aclname> src 192.168.1.0/24
                                  This refers to a range of IP addresses from 192.168.1.25 to 192.168.1.35:
                                  acl <aclname> src 192.168.1.25-192.168.1.35/32




                           dst
                                  This is the same as src, except that it refers to the server's IP
                                  address (destination)
                                  Usage: acl <aclname> dst ip-address/netmask
                           time
                                  It defines the time of day, and day of week
                                  Usage: acl <aclname> time [day-abbreviations] [h1:m1-h2:m2]
                                  day-abbreviations:
                                  S - Sunday
                                  M - Monday
                                  T - Tuesday
                                  W - Wednesday
                                  H - Thursday
                                  F - Friday
                                  A - Saturday
                                  h1:m1 must be less than h2:m2
                                  Example
                                  acl ACLTIME time M 9:00-17:00
                                  ACLTIME refers to Mondays from 9:00 to 17:00.


                           url_regex
                                url_regex searches the entire URL for the specified
                                regular expression
                                Note that these regular expressions are case-sensitive. To
                                make them case-insensitive, use the -i option.
                                Usage: acl <aclname> url_regex pattern
                                Example
                                acl ACLREG url_regex cooking
                           urlpath_regex
                                urlpath_regex matches the regular expression against
                                the URL path only, without the protocol and hostname
                                Note that these regular expressions are case-sensitive
                                Usage: acl <aclname> urlpath_regex pattern
                                Example
                                acl ACLPATHREG urlpath_regex cooking



                           port
                                   Access can be controlled by destination (server) port number
                                   Usage: acl <aclname> port port-no
                                   Example
                                   This example allows http_access only to the destination
                                   172.16.1.115:80 from network 172.16.1.0
                                   acl acceleratedhost dst 172.16.1.115/255.255.255.255
                                   acl acceleratedport port 80
                                   acl mynet src 172.16.1.0/255.255.255.0
                                   http_access allow acceleratedhost acceleratedport mynet
                                   http_access deny all
                           proto
                                   This specifies the transfer protocol
                                   Usage: acl <aclname> proto protocol
                                   Example
                                   acl <aclname> proto HTTP FTP


                           browser
                               It matches a regular expression against the request's
                               User-Agent (Internet browser) header
                               Usage: acl <aclname> browser pattern
                               Example
                               acl <aclname> browser MOZILLA
                           maxconn
                               A limit on the maximum number of connections from a single
                               client IP address
                               It is an ACL that will be true if the user has more than maxconn
                               connections open
                               It is used in http_access to allow/deny the request just like all the
                               other acl types.
                               Example
                               acl someuser src 1.2.3.4
                               acl twoconn maxconn 2
                               http_access deny someuser twoconn
                               http_access allow !twoconn


                      Control the access
                           http_access
                           Usage: http_access allow|deny [!]aclname ...
                           This allows or denies HTTP access based on the
                           defined access lists
                           If none of the "access" lines cause a match, the default is
                           the opposite of the last line in the list
                                If the last line is deny, the default is allow
                                If the last line is allow, the default is deny
                                For these reasons, it is a good idea to have a "deny
                                all" entry at the end of your access lists


                           Example
                              http_access allow manager localhost
                              http_access deny manager
                              http_access deny !Safe_ports
                              http_access deny CONNECT !SSL_ports
                              http_access deny all
                           Another example: To restrict access to work hours (9am -
                           5pm, Monday to Friday) from IP 192.168.2/24
                              acl ip_acl src 192.168.2.0/24
                              acl time_acl time M T W H F 9:00-17:00
                              http_access allow ip_acl time_acl
                              http_access deny all


                           Another note:
                            Rules are read from top to bottom. The first rule
                            matched will be used. Other rules won't be applied
                            Example:
                               http_access allow xyz morning
                               http_access deny xyz
                               http_access allow xyz lunch
                            If xyz tries to access something in the morning, access
                            will be granted. But if he tries to access something at
                            lunchtime, access will be denied. It will be denied by
                            the deny xyz rule, that was matched before the 'xyz
                            lunch' rule.
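
The evaluation order described above, as an added Python example (not part of the original slides and not Squid's own code): lines are checked top to bottom, every ACL on a line must match, and a request that matches no line gets the opposite of the last line's action. The address used for xyz and the morning and lunch hours are assumed values.

```python
import ipaddress
from datetime import datetime

DAYS = "MTWHFAS"  # Squid day letters in datetime.weekday() order (Monday = 0)

def src(spec):
    """acl <aclname> src ip-address/netmask: match on the client address."""
    net = ipaddress.ip_network(spec)
    return lambda req: ipaddress.ip_address(req["client"]) in net

def time_acl(days, span):
    """acl <aclname> time [day-abbreviations] [h1:m1-h2:m2]."""
    lo, hi = (int(h) * 60 + int(m) for h, m in
              (part.split(":") for part in span.split("-")))
    def match(req):
        t = req["when"]
        return DAYS[t.weekday()] in days and lo <= t.hour * 60 + t.minute <= hi
    return match

def http_access(rules, acls, req):
    """Return 'allow' or 'deny' for req given ordered (action, [acl, ...]) rules."""
    for action, names in rules:
        # All ACLs on one line must match (AND); a leading '!' negates an ACL.
        if all(acls[n.lstrip("!")](req) != n.startswith("!") for n in names):
            return action  # the first matching line decides
    # No line matched: the default is the opposite of the last line.
    return "deny" if rules[-1][0] == "allow" else "allow"

# Constructed sample ACLs (address and hours are assumptions for illustration).
ACLS = {
    "xyz": src("192.168.1.30"),
    "morning": time_acl("MTWHF", "9:00-11:59"),
    "lunch": time_acl("MTWHF", "12:00-13:00"),
    "all": src("0.0.0.0/0"),
}
RULES = [("allow", ["xyz", "morning"]),
         ("deny", ["xyz"]),
         ("allow", ["xyz", "lunch"])]

def request(client, hour, minute):
    """Constructed request on Monday 2011-02-14 at the given time."""
    return {"client": client, "when": datetime(2011, 2, 14, hour, minute)}

if __name__ == "__main__":
    for who, h in [("192.168.1.30", 10), ("192.168.1.30", 12), ("10.0.0.5", 10)]:
        print(who, f"{h}:30", http_access(RULES, ACLS, request(who, h, 30)))
```

Dropping the last rule leaves a list that ends in deny, so an unrelated client falls through to an implicit allow; appending `("deny", ["all"])` closes that gap.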


           Access logs
                 /var/log/squid/access.log
           Try it yourself
                 Open /etc/squid/squid.conf
                      Search for the second occurrence of “Recommended minimum
                      configuration” in the file
                           Add an acl for the local network if it’s not defined already
                      Search for “INSERT YOUR OWN RULE(S) HERE”
                           Add your access control
                 After each change, remember to restart squid

           Test your proxy server
                  On your Windows box open IE
                      Click “Tools” -> “Internet Options” -> Connections
                           Click “LAN settings”, then check “Use proxy server …”
                           Fill in the proper proxy server address and the port
                  Set up different access lists and put your PC
                  in/out of the range defined by the access lists
                       See how they work
                       You should define at least client IP, server IP, and
                       time range
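
To confirm from /var/log/squid/access.log which test requests the access lists served and which they refused, the following added Python example (not part of the original slides) summarizes the log per client. It assumes Squid's default native log layout; the sample lines and addresses are constructed.

```python
from collections import defaultdict
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Constructed sample lines, native layout:
# time elapsed client result/status bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
1297933200.101    180 192.168.2.15 TCP_MISS/200 5120 GET http://www.example.com/index.html - DIRECT/203.0.113.10 text/html
1297933205.442      0 192.168.2.15 TCP_DENIED/403 1420 GET http://cooking.example.net/recipes - NONE/- text/html
1297933260.007     95 192.168.3.40 TCP_DENIED/403 1398 CONNECT mail.example.org:443 - NONE/- text/html
1297933300.550     12 192.168.2.15 TCP_HIT/200 5120 GET http://www.example.com/index.html - NONE/- text/html
this line is truncated
"""

def parse_line(line):
    """Return a dict for one access.log line, or None if it is malformed."""
    f = line.split()
    if len(f) < 10 or "/" not in f[3]:
        return None
    try:
        when = datetime.fromtimestamp(float(f[0]), tz=timezone.utc)
        result, status = f[3].split("/", 1)
        status = int(status)
    except ValueError:
        return None
    method, url = f[5], f[6]
    # CONNECT requests log "host:port" rather than a full URL.
    host = url.rsplit(":", 1)[0] if method == "CONNECT" else urlsplit(url).hostname
    return {"time": when, "client": f[2], "result": result,
            "status": status, "method": method, "host": host}

def summarize(lines):
    """Per client: hosts that were served and hosts refused by http_access."""
    report = defaultdict(lambda: {"served": set(), "denied": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip truncated or foreign lines
        bucket = "denied" if "DENIED" in rec["result"] else "served"
        report[rec["client"]][bucket].add(rec["host"])
    return dict(report)

if __name__ == "__main__":
    for client, hosts in summarize(SAMPLE_LOG.splitlines()).items():
        print(client, "served:", sorted(hosts["served"]),
              "denied:", sorted(hosts["denied"]))
```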
