I. Preparation
1. Basic environment planning

| Item | Details |
|---|---|
| Squid server IP | 192.168.250.231 |
| Test client | Windows 10 Home, 10.129.1.200, browser: Firefox |
2. Security pre-processing
Disable SELinux (setenforce 0 switches the running system to permissive mode immediately; the edit to /etc/selinux/config makes the change persist across reboots):

```
[root@mysquid ~]# setenforce 0
[root@mysquid ~]# vim /etc/selinux/config
[root@mysquid ~]# cat /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of three values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
[root@mysquid ~]#
```
The firewall is handled later.
II. Installing the Squid service
Squid is a full-featured caching proxy server that supports well-known network protocols such as HTTP, HTTPS and FTP. Placing Squid in front of a web server, where it caches repeated requests and filters network traffic, can greatly improve the server's performance.
1. Installing squid with yum

```
[root@mysquid ~]# yum -y install squid
已加载插件:fastestmirror, langpacks
Determining fastest mirrors
 * base: mirrors.aliyun.com
 * extras: mirrors.aliyun.com
 * updates: mirrors.aliyun.com
base | 3.6 kB 00:00:00
extras | 2.9 kB 00:00:00
updates | 2.9 kB 00:00:00
(1/2): extras/7/x86_64/primary_db | 246 kB 00:00:05
(2/2): updates/7/x86_64/primary_db | 15 MB 00:00:44
正在解决依赖关系
--> 正在检查事务
---> 软件包 squid.x86_64.7.3.5.20-17.el7_9.6 将被 安装
--> 正在处理依赖关系 squid-migration-script,它被软件包 7:squid-3.5.20-17.el7_9.6.x86_64 需要
--> 正在处理依赖关系 perl(Digest::MD5),它被软件包 7:squid-3.5.20-17.el7_9.6.x86_64 需要
```
2. Starting the squid service

```
[root@mysquid ~]# systemctl start squid
[root@mysquid ~]# systemctl enable squid
Created symlink from /etc/systemd/system/multi-user.target.wants/squid.service to /usr/lib/systemd/system/squid.service.
[root@mysquid ~]#
```
3. Checking the service status

```
[root@mysquid ~]# systemctl status squid
● squid.service - Squid caching proxy
   Loaded: loaded (/usr/lib/systemd/system/squid.service; enabled; vendor preset: disabled)
   Active: active (running) since 一 2022-04-18 11:25:22 CST; 4min 1s ago
 Main PID: 3019 (squid)
   CGroup: /system.slice/squid.service
           ├─3019 /usr/sbin/squid -f /etc/squid/squid.conf
           ├─3021 (squid-1) -f /etc/squid/squid.conf
           └─3024 (logfile-daemon) /var/log/squid/access.log
4月 18 11:25:22 mysquid systemd[1]: Starting Squid caching proxy...
4月 18 11:25:22 mysquid squid[3019]: Squid Parent: will start 1 kids
4月 18 11:25:22 mysquid squid[3019]: Squid Parent: (squid-1) process 3021 started
4月 18 11:25:22 mysquid systemd[1]: Started Squid caching proxy.
[root@mysquid ~]#
```

active (running) means the service started successfully.
III. Configuring Squid
Squid's default configuration file is /etc/squid/squid.conf; its default contents are as follows:

```
[root@mysquid ~]# cat /etc/squid/squid.conf
#
# Recommended minimum configuration:
#
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost
# And finally deny all other access to this proxy
http_access deny all
# Squid normally listens to port 3128
http_port 3128
# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/spool/squid 100 16 256
# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid
#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
[root@mysquid ~]#
```
Back it up first:

```
[root@mysquid ~]# cp /etc/squid/squid.conf /etc/squid/squid.conf.ori.20220418
[root@mysquid ~]#
```
By default, Squid is configured to listen on port 3128 on all of the server's network interfaces. To change the port and restrict the listening interface, find the http_port directive and give it the interface IP address and the new port. If no interface is specified, Squid listens on all interfaces.

/etc/squid/squid.conf:

```
# Squid normally listens to port 3128
http_port IP_ADDR:PORT
```

Running Squid on all interfaces and on the default port is suitable for most users.
Access to the Squid server is controlled with Access Control Lists (ACLs).
By default, Squid only allows access from the local host and the local networks.
If every client that will use the proxy has a fixed IP address, you can create an ACL containing the allowed IP addresses.
Instead of adding the IP addresses to the main configuration, we create a separate file that holds the addresses: /etc/squid/myallowed_ips.txt

```
[root@mysquid squid]# cat squid.conf
acl allowed_ips src "/etc/squid/myallowed_ips.txt"   # add this line
...
# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access allow allowed_ips   # add this line
http_access deny manager
```

Note that this line must be added before http_access deny all.
The http_access directives work like firewall rules: Squid reads them from top to bottom, and once a rule matches, the rules after it are not processed.
Then restart the squid service and check its status:

```
[root@mysquid squid]# systemctl status squid.service
● squid.service - Squid caching proxy
   Loaded: loaded (/usr/lib/systemd/system/squid.service; enabled; vendor preset: disabled)
   Active: active (running) since 一 2022-04-18 11:54:04 CST; 4s ago
  Process: 3353 ExecStop=/usr/sbin/squid -k shutdown -f $SQUID_CONF (code=exited, status=1/FAILURE)
  Process: 3401 ExecStart=/usr/sbin/squid $SQUID_OPTS -f $SQUID_CONF (code=exited, status=0/SUCCESS)
  Process: 3393 ExecStartPre=/usr/libexec/squid/cache_swap.sh (code=exited, status=0/SUCCESS)
 Main PID: 3405 (squid)
    Tasks: 3
   CGroup: /system.slice/squid.service
           ├─3405 /usr/sbin/squid -f /etc/squid/squid.conf
           ├─3407 (squid-1) -f /etc/squid/squid.conf
           └─3410 (logfile-daemon) /var/log/squid/access.log
4月 18 11:53:59 mysquid systemd[1]: Starting Squid caching proxy...
4月 18 11:54:04 mysquid squid[3405]: Squid Parent: will start 1 kids
4月 18 11:54:04 mysquid squid[3405]: Squid Parent: (squid-1) process 3407 started
4月 18 11:54:04 mysquid systemd[1]: Started Squid caching proxy.
[root@mysquid squid]#
```
IV. Squid authentication
Squid can authenticate users against different back ends, including Samba, LDAP and HTTP Basic authentication.
In this example we configure Squid to use Basic authentication, a simple authentication method built into the HTTP protocol.
We will use openssl to generate the password hash, append the username:password pair to the file /etc/squid/htpasswd, and print it at the same time. The format is:

```
printf "USERNAME:$(openssl passwd -crypt PASSWORD)\n" | sudo tee -a /etc/squid/htpasswd
```

For example, to create a user named moonrong with the password SUse#87ss, run the following (the warning in the output shows that the -crypt scheme keeps only the first 8 characters of the password):

```
[root@mysquid squid]# printf "moonrong:$(openssl passwd -crypt SUse#87ss)\n" | sudo tee -a /etc/squid/htpasswd
Warning: truncating password to 8 characters
moonrong:eM1d7DCkceo6g
[root@mysquid squid]#
```
The next step is to configure Squid to enable HTTP Basic authentication and use this file.
Open the main configuration file /etc/squid/squid.conf and add the following:

```
[root@mysquid squid]# vim squid.conf
[root@mysquid squid]# cat squid.conf
auth_param basic program /usr/lib64/squid/basic_ncsa_auth /etc/squid/htpasswd
auth_param basic realm proxy
acl authenticated proxy_auth REQUIRED
# ...
http_access allow localnet
http_access allow localhost
http_access allow authenticated
# And finally deny all other access to this proxy
http_access deny all
```

The first three lines create an ACL named authenticated, and the http_access allow authenticated line grants access to users who have authenticated.
Then restart the squid service:

```
[root@mysquid squid]# systemctl restart squid
[root@mysquid squid]# systemctl status squid
● squid.service - Squid caching proxy
   Loaded: loaded (/usr/lib/systemd/system/squid.service; enabled; vendor preset: disabled)
   Active: active (running) since 一 2022-04-18 12:04:40 CST; 8s ago
  Process: 3558 ExecStop=/usr/sbin/squid -k shutdown -f $SQUID_CONF (code=exited, status=0/SUCCESS)
  Process: 3569 ExecStart=/usr/sbin/squid $SQUID_OPTS -f $SQUID_CONF (code=exited, status=0/SUCCESS)
  Process: 3563 ExecStartPre=/usr/libexec/squid/cache_swap.sh (code=exited, status=0/SUCCESS)
 Main PID: 3572 (squid)
    Tasks: 3
   CGroup: /system.slice/squid.service
           ├─3572 /usr/sbin/squid -f /etc/squid/squid.conf
           ├─3574 (squid-1) -f /etc/squid/squid.conf
           └─3577 (logfile-daemon) /var/log/squid/access.log
4月 18 12:04:35 mysquid systemd[1]: Starting Squid caching proxy...
4月 18 12:04:40 mysquid squid[3572]: Squid Parent: will start 1 kids
4月 18 12:04:40 mysquid squid[3572]: Squid Parent: (squid-1) process 3574 started
4月 18 12:04:40 mysquid systemd[1]: Started Squid caching proxy.
[root@mysquid squid]#
```
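As an added example that is not part of the original post, the following Python model replays how Squid evaluates http_access (the first line whose every term matches decides, and `!` negates a term) over the rule order this page ends up with, and serves both the ACL-ordering section and the authentication section above. It models only the src, port and proxy_auth ACL types plus the built-in all, localhost and manager ACLs; the configuration string and the request fields (src, port, authenticated, manager) are constructed for this example.

```python
import ipaddress
# Constructed sample config: the page's final http_access order and the ACLs it uses.
SQUID_CONF = """
acl localnet src 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
acl Safe_ports port 80 21 443 1025-65535
acl authenticated proxy_auth REQUIRED
http_access deny !Safe_ports
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost
http_access allow authenticated
http_access deny all
"""

def parse(conf):
    """Collect acl definitions by name and http_access rules in file order."""
    acls, rules = {"localhost": ("src", ["127.0.0.0/8"])}, []  # localhost is built in
    for line in conf.splitlines():
        tok = line.split("#")[0].split()
        if tok[:1] == ["acl"]:
            acls.setdefault(tok[1], (tok[2], []))[1].extend(tok[3:])
        elif tok[:1] == ["http_access"]:
            rules.append((tok[1] == "allow", tok[2:]))
    return acls, rules

def acl_matches(acls, name, req):
    """Modelled ACL types: src, port, proxy_auth, plus built-ins all and manager."""
    if name == "all":
        return True
    if name == "manager":                # request aimed at the cache manager interface
        return req.get("manager", False)
    kind, args = acls[name]
    if kind == "src":
        ip = ipaddress.ip_address(req["src"])
        return any(ip in ipaddress.ip_network(a, strict=False) for a in args)
    if kind == "port":                   # single port or lo-hi range
        return any(int(a.split("-")[0]) <= req["port"] <= int(a.split("-")[-1]) for a in args)
    if kind == "proxy_auth":             # REQUIRED: any successfully authenticated user
        return req.get("authenticated", False)
    raise ValueError(f"ACL type {kind!r} not modelled")

def http_access(conf, req):
    """First matching http_access line decides; if none matches, Squid applies the opposite of the last rule."""
    acls, rules = parse(conf)
    for allow, terms in rules:
        if all(acl_matches(acls, t.lstrip("!"), req) != t.startswith("!") for t in terms):
            return "allow" if allow else "deny"
    return "deny" if not rules or rules[-1][0] else "allow"
```

Run against the page's own values, the model shows that the Windows test client 10.129.1.200 falls inside localnet (10.0.0.0/8) and is allowed before the allow authenticated line is ever reached, so it is never asked for credentials. It also shows that an allow allowed_ips line placed above deny manager, as in the ACL snippet earlier, admits those clients to the cache manager interface.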
V. Opening the firewall port
The squid service needs port 3128 opened:

```
[root@mysquid /]# firewall-cmd --permanent --add-port=3128/tcp
success
[root@mysquid /]# firewall-cmd --reload
success
[root@mysquid /]#
```
VI. Client configuration and testing
Using the Firefox browser as an example, configure the proxy server settings and test the connection.
