
Squid 架設

  1. 安裝 squid 套件。
    [root@dyw219 ~]# yum install -y squid
    
  2. 編輯 /etc/squid/squid.conf 設定檔:安裝好 squid 後,此設定檔即已有基本設定,以下僅做少許修改並逐段說明。
    [root@dyw219 ~]# cat /etc/squid/squid.conf
    
  3. 定義 manager 為管理功能(cache manager),localhost 為本機,to_localhost 為目的地是本機 ip 的連線等。
    #
    # Recommended minimum configuration:
    #
    # 'manager' matches cache-manager requests, 'localhost' matches requests
    # coming from this host's own loopback addresses, and 'to_localhost'
    # matches requests whose *destination* is a loopback/unspecified address
    # (used by the commented-out 'http_access deny to_localhost' rule further down).
    acl manager proto cache_object
    acl localhost src 127.0.0.1/32 ::1
    acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
    
  4. 定義可以存取此 proxy 的 ip:除預設名稱為 localnet 的內網外,此例中加入一個名為 externat 的外部來源,其 ip 只有 1.168.209.95 一個。
    # Example rule allowing access from your local networks.
    # Adapt to list your (internal) IP networks from where browsing
    # should be allowed
    # Single external client address (not an RFC1918 range); it is granted
    # access by the 'http_access allow externat' rule in the access section.
    acl externat src 1.168.209.95
    acl localnet src 10.0.0.0/8	# RFC1918 possible internal network
    acl localnet src 172.16.0.0/12	# RFC1918 possible internal network
    acl localnet src 192.168.0.0/16	# RFC1918 possible internal network
    acl localnet src fc00::/7       # RFC 4193 local private network range
    acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
    
  5. 定義允許連線的目的 ports(Safe_ports),以及允許 CONNECT 方法使用的 SSL_ports。
    # Destination-port ACLs consumed by the 'deny !Safe_ports' and
    # 'deny CONNECT !SSL_ports' rules in the access section. Note that the
    # 1025-65535 entry makes every unprivileged port a "safe" port.
    acl SSL_ports port 443
    acl Safe_ports port 80		# http
    acl Safe_ports port 21		# ftp
    acl Safe_ports port 443		# https
    acl Safe_ports port 70		# gopher
    acl Safe_ports port 210		# wais
    acl Safe_ports port 1025-65535	# unregistered ports
    acl Safe_ports port 280		# http-mgmt
    acl Safe_ports port 488		# gss-http
    acl Safe_ports port 591		# filemaker
    acl Safe_ports port 777		# multiling http
    # The CONNECT method (used for HTTPS tunnelling through the proxy)
    acl CONNECT method CONNECT
    
  6. 定義哪些主機可以放行、執行哪些權限;與 iptables 防火牆一樣,必須依照順序判斷是否放行。例如:第一條允許 localhost 進行管理功能,第二條則拒絕其他來源進行管理。在這一段落除使用預設規則外,加了一條 http_access allow externat,允許剛剛定義的外部來源 externat 進行 http 存取。
    #
    # Recommended minimum Access Permission configuration:
    #
    # Rules are evaluated top to bottom; the first match decides.
    # Only allow cachemgr access from localhost
    http_access allow manager localhost
    http_access deny manager
    
    # Deny requests to certain unsafe ports
    http_access deny !Safe_ports
    
    # Deny CONNECT to other than secure SSL ports
    http_access deny CONNECT !SSL_ports
    
    # We strongly recommend the following be uncommented to protect innocent
    # web applications running on the proxy server who think the only
    # one who can access services on "localhost" is a local user
    # NOTE(review): still commented out in this configuration, so clients
    # allowed below can reach services bound to the proxy host's loopback.
    #http_access deny to_localhost
    
    #
    # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
    #
    
    # Example rule allowing access from your local networks.
    # Adapt localnet in the ACL section to list your (internal) IP networks
    # from where browsing should be allowed
    http_access allow localnet
    http_access allow localhost
    # Added for this setup: the single external address in 'acl externat'
    # gets the same access as localnet. Because it sits below the
    # Safe_ports/CONNECT denies, those restrictions still apply to it.
    http_access allow externat
    
    # And finally deny all other access to this proxy
    http_access deny all
    
  7. 定義 proxy 協定的 port。
    # Squid normally listens to port 3128
    # No bind address is given, so it accepts on every interface (the netstat
    # output in step 13 shows :::3128); who may use it is decided solely by
    # the http_access rules above.
    http_port 3128
    
  8. 用戶端所要求的網址中若含有 cgi-bin 或 ?(動態內容),則不快取。
    # We recommend you to use at least the following line.
    # Matches URLs containing 'cgi-bin' or '?' (typically dynamic content).
    hierarchy_stoplist cgi-bin ?
    
  9. 此行預設為註解狀態;若要啟用 100M 容量的磁碟快取目錄,可把註解拿掉並視需要調整。
    # Uncomment and adjust the following to add a disk cache directory.
    # Left commented here, so no disk cache directory is configured.
    # Fields: storage type, directory, size in MB (100), then two
    # directory-layout numbers (16, 256).
    #cache_dir ufs /var/spool/squid 100 16 256
    
  10. 定義 coredumps 的目錄。
    # Leave coredumps in the first cache dir
    # Same path as the (commented-out) cache_dir above; keep them in sync
    # if the cache directory is ever changed.
    coredump_dir /var/spool/squid
    
  11. 快取存在時間相關設定。
    # Add any of your own refresh_pattern entries above these.
    # Columns: URL regex, minimum age, percent of object age, maximum age
    # (ages in minutes); '-i' makes the regex case-insensitive. The '.'
    # pattern is the catch-all and must stay last.
    refresh_pattern ^ftp:		1440	20%	10080
    refresh_pattern ^gopher:	1440	0%	1440
    refresh_pattern -i (/cgi-bin/|\?) 0	0%	0
    refresh_pattern .		0	20%	4320
    
  12. 啟動 squid 服務
    [root@dyw219 ~]# /etc/init.d/squid start
    Starting squid: .                                          [  OK  ]
    
  13. 查看 squid 服務是否啟動。
    [root@dyw219 ~]# netstat -tulnp | grep squid
    tcp        0      0 :::3128                     :::*                        LISTEN      23254/(squid)       
    udp        0      0 0.0.0.0:36211               0.0.0.0:*                               23254/(squid)       
    udp        0      0 :::51734                    :::*                                    23254/(squid)
    

  14. 設定開機啟動 squid 服務
    [root@dyw219 ~]# chkconfig squid on
    



2018-04-25