Set up a Squid reverse proxy, configure ACL access control and sarg logs

One: ACL access control

Squid provides a powerful proxy control mechanism. By defining ACLs and applying sensible restrictions, you can filter requests on many conditions, for example by source address, destination address, requested URL path, or access time.

Configuring an ACL takes two steps:
1: Use the acl configuration item in the main configuration file to define the conditions to be controlled.
2: Use the http_access configuration item to "allow" or "deny" access for the defined list.

1.1: ACL access control method

Define a list according to source address, target URL, file type, etc.:

acl list_name list_type list_content ...

Apply a restriction to the defined acl list:

http_access allow|deny list_name ...

1.2: ACL rule priority

  • When a user accesses the proxy server, Squid checks the request against all rule lists defined in Squid, in order. As soon as a rule matches, matching stops immediately.

  • When none of the rules match, Squid applies the opposite of the last rule.

1.3: Commonly used ACL list types

src → source address
dst → destination address
port → port
dstdomain → destination domain
time → access time
maxconn → maximum concurrent connections
url_regex → target URL address
urlpath_regex → entire target URL path
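As an added example (not from the original post), the following Python script simulates how Squid evaluates the acl and http_access lines described above: the first http_access line whose ACLs all match decides, and when nothing matches the opposite of the last rule applies. The squid.conf fragment inside it is constructed for illustration and covers src, dstdomain, port and time lists.

```python
import ipaddress
from datetime import datetime

# Constructed squid.conf fragment (assumed example, not from the original post).
CONF = """
acl localnet src 20.0.0.0/24
acl blocked dstdomain .example.test
acl worktime time MTWHF 09:00-18:00
acl safeports port 80 443
http_access deny blocked
http_access deny !safeports
http_access allow localnet worktime
http_access deny all
"""
DAYS = "SMTWHFA"  # Squid day letters: Sun Mon Tue Wed Thu Fri Sat

def parse(conf):
    """Collect acl definitions (name -> (type, values)) and http_access rules in file order."""
    acls, rules = {"all": ("all", [])}, []  # 'all' is predefined by Squid
    for line in conf.strip().splitlines():
        parts = line.split()
        if parts[0] == "acl":
            acls.setdefault(parts[1], (parts[2], []))[1].extend(parts[3:])
        elif parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return acls, rules

def request(src, host, port, when):
    """Build a request record; 'when' is 'YYYY-MM-DD HH:MM'."""
    return {"src": src, "host": host, "port": port, "when": datetime.strptime(when, "%Y-%m-%d %H:%M")}

def acl_matches(kind, values, req):
    if kind == "all":
        return True
    if kind == "src":  # source address, list of CIDR networks
        return any(ipaddress.ip_address(req["src"]) in ipaddress.ip_network(v) for v in values)
    if kind == "dstdomain":  # a leading dot matches the domain and all its subdomains
        return any(req["host"] == v.lstrip(".") or (v[0] == "." and req["host"].endswith(v)) for v in values)
    if kind == "port":
        return str(req["port"]) in values
    if kind == "time":  # day letters followed by an hh:mm-hh:mm window
        days, (start, end) = values[0], values[1].split("-")
        t = req["when"]
        return DAYS[(t.weekday() + 1) % 7] in days and start <= t.strftime("%H:%M") < end
    raise ValueError("unsupported acl type " + kind)

def decide(acls, rules, req):
    """First http_access line whose ACLs all match wins; no match -> opposite of the last rule."""
    for action, names in rules:
        if all(acl_matches(*acls[n.lstrip("!")], req) != n.startswith("!") for n in names):
            return action
    return "allow" if rules[-1][0] == "deny" else "deny"
```

Ending the rule set with an explicit "http_access deny all" makes the default decision visible instead of relying on the implicit opposite-of-last-rule behaviour.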

1.4: The simplest ACL control

This builds on the traditional Squid proxy setup.

For details, please visit https://blog.csdn.net/weixin_47151643/article/details/108433807

1.41: Set ACL access rules

# edit the squid configuration file
[root@tom03 init.d]# vim /etc/squid.conf
# should be allowed
# match the client host (20.0.0.20/32) and name the list hostlocal
acl hostlocal src 20.0.0.20/32

# Deny requests to certain unsafe ports
# add below this line: reference hostlocal and deny it
http_access deny hostlocal
# reload the configuration file
[root@tom03 init.d]# service squid reload
  • The ACL policy is in place, and access from host 20.0.0.20 is now denied.
  • Because the client is still needed for the tests that follow, delete the ACL rules just set and restart the squid service.
  • The client must clear its browser data first!

Comment the two lines out again:

#acl hostlocal src 20.0.0.20/32
#http_access deny hostlocal

1.42: Restrict the target website through the blacklist

[root@tom03 init.d]# vim /etc/squid.conf

# should be allowed
# source addresses listed in this file are denied
acl hostlocal src "/etc/squid/src.list"

# Deny requests to certain unsafe ports
# reference hostlocal and deny it
http_access deny hostlocal

# create the address list file
[root@tom03 init.d]# mkdir /etc/squid
[root@tom03 init.d]# cd /etc/squid/
[root@tom03 squid]# vim src.list
# check the IP added to the file
[root@tom03 squid]# cat src.list 
20.0.0.20

# reload the service
[root@tom03 squid]# service squid reload

Conduct an access test

Two: Squid log analysis tool Sarg

2.1: Install and configure Sarg

[root@tom03 ~]# tar zxvf sarg-2.3.7.tar.gz -C /opt
[root@tom03 ~]# cd /opt
[root@tom03 opt]# cd sarg-2.3.7/
[root@tom03 sarg-2.3.7]# yum install gd gd-devel pcre pcre-devel -y
# install the gd library; gcc and gcc-c++ were installed earlier

[root@squid sarg-2.3.7]# mkdir /usr/local/sarg
[root@squid sarg-2.3.7]# ./configure \
--prefix=/usr/local/sarg \
--sysconfdir=/etc/sarg \
--enable-extraprotection

# compile and install
[root@squid sarg-2.3.7]# make && make install

2.2: Configure the sarg configuration file

[root@tom03 sarg]# pwd
/etc/sarg
[root@tom03 sarg]# vim sarg.conf 
# every setting in the configuration file is commented out; uncomment and edit the entries below (file line numbers given)

# line 7: uncomment; specifies the access log
access_log /usr/local/squid/var/logs/access.log

# line 25: page title
title "Squid User Access Reports"

# line 120: report output directory
output_dir /var/www/html/squid-reports

# line 178: show user names instead of IP addresses
user_ip no

# line 184: sort the top-user table by connection count; reverse = descending, normal = ascending (bytes can be used instead of connect)
topuser_sort_field connect reverse

# line 206: file listing hosts that are excluded from the ranking
exclude_hosts /usr/local/sarg/noreport

# line 257: whether to overwrite a report with the same name
overwrite_report no

# line 289: mail utility used to send reports
mail_utility mailx.postfix

# line 434: character set
charset UTF-8

# line 518: weekdays covered by the top ranking
weekdays 0-6

# line 525: hours covered by the top ranking
hours 0-23

# line 633: web document root
www_document_root /var/www/html


# create the exclusion file; domains added to it will not be shown
[root@tom03 sarg]# touch /usr/local/sarg/noreport
# create a symbolic link for the sarg binary
[root@tom03 sarg]# ln -s /usr/local/sarg/bin/sarg /usr/local/bin/

# generate the report
[root@tom03 sarg]# sarg
SARG: 纪录在文件: 696, reading: 100.00%
SARG: 成功的生成报告在 /var/www/html/squid-reports/2020Sep07-2020Sep07

# the output names the directory holding the report
[root@tom03 ~]# ls /var/www/html/squid-reports/
  images index.html

# install httpd
[root@tom03 ~]# yum -y install httpd
# start the service
[root@tom03 ~]# systemctl start httpd
# stop the firewall and put SELinux in permissive mode
[root@tom03 ~]# systemctl stop firewalld.service
[root@tom03 ~]# setenforce 0
# check the listening port
[root@tom03 ~]# netstat -ntap | grep httpd
tcp6       0      0 :::80                   :::*                    LISTEN      11516/httpd         

2.3: Access the sarg report from the client

Open 20.0.0.43/squid-reports in the browser

2.31: Run as a periodic scheduled task and generate a report every day

[root@tom03 ~]# sarg -l /usr/local/squid/var/logs/access.log -o /var/www/html/squid-reports/ -z -d $(date -d "1 day ago" +%d/%m/%Y)-$(date +%d/%m/%Y)

Four: Squid reverse proxy

A Squid reverse proxy can speed up access to a website and distribute requests for different URLs to different backend web servers. At the same time, Internet users only ever see the address of the reverse proxy server, which strengthens the security of the website.

4.1: Overview of Reverse Proxy

If the requested resource is cached on the Squid reverse proxy server, it is returned to the client directly; otherwise the reverse proxy requests the resource from the backend web server, returns the response to the client, and also caches it locally to serve the next requester.

4.2: Reverse proxy website acceleration

Working Mechanism

  • Cache web page objects to reduce repeated requests

  • Distribute Internet requests to intranet web servers by round-robin or by weight

  • Proxy user requests so that users never reach the web servers directly, improving security

Five: Build a reverse proxy to accelerate

  • Environment introduction

name      role    address
centos-1  squid   20.0.0.43
centos-2  web1    20.0.0.44
centos-3  web2    20.0.0.45
win 10    client  20.0.0.20

5.1: Add a web2 server

# install httpd on web2
[root@web2 ~]# yum -y install httpd
[root@web2 ~]# cd /var/www/html/
[root@web2 html]# vim index.html
# write the home page content
<h1>this is shuai02</h1>

# write the web1 home page
[root@web1 html]# cd /var/www/html/
[root@web1 html]# vim index.html 

# write the home page content
<h1>this is shuai01</h1>
# start httpd, flush the firewall rules and put SELinux in permissive mode
[root@web1 html]# systemctl start httpd
[root@web1 html]# iptables -F
[root@web1 html]# setenforce 0

5.2: Set up reverse proxy

# comment out the default listening port
#http_port 3128
# listen on port 80 of this host in accelerator mode
http_port 20.0.0.43:80 accel vhost vport
# web1 server: at most 30 connections, weight 1
cache_peer 20.0.0.44 parent 80 0 no-query originserver round-robin max_conn=30 weight=1 name=web1
# web2 server: at most 30 connections, weight 1
cache_peer 20.0.0.45 parent 80 0 no-query originserver round-robin max_conn=30 weight=1 name=web2
# requests for www.shuai.com are served by the web1 and web2 peers
cache_peer_domain web1 web2 www.shuai.com

# stop httpd, because it occupies port 80, which the proxy configured above needs
[root@tom03 ~]# systemctl stop httpd

# restart the squid service
[root@tom03 ~]# service squid restart
正在关闭 squid...
正在启动 squid...

[root@tom03 ~]# netstat -ntap | grep squid
tcp        0      0 20.0.0.43:80            0.0.0.0:*               LISTEN      12:593/(squid-1)   

5.3: The client sets up domain name resolution and the Squid proxy, then tests

From the client, visit www.shuai.com to check whether the proxy works

Origin blog.csdn.net/weixin_47151643/article/details/108458375