Squid reverse proxy, ACL control and Sarg log statistics

1. Squid server ACL access control

(1) The principle of ACL access control:

1. First define an ACL list. Format: acl <list name> <list type> <list content> ...
2. Then write rules that refer to the ACL list. Format: http_access allow|deny <list name>

(2) The type of acl list:

Type            Meaning                        Example
src             source address                 acl localhost src 192.168.175.136/32   ##Define the source host IP
                                               acl MYLAN src 192.168.175.0/24   ##Define the network segment
dst             destination address            acl destionhost dst 192.168.175.130/32   ##Define the specific target host IP
port            destination port               //
dstdomain       target domain name             //
time            access time                    acl work time MTWHFAS 08:30-17:30   ##The letters MTWHFAS stand for Monday through Sunday respectively
maxconn         maximum concurrency            acl MC20 maxconn 20   ##Define the MC20 list and specify the maximum number of connections
url_regex       target URL                     acl BURL url_regex -i ^rtsp:// ^emule://   ##Can be defined with regular expressions
urlpath_regex   the entire target URL path     acl PURL urlpath_regex -i .mp3$ .mp4$ .rmvb$   ##Ends with .mp3, .mp4, etc.

(3) Store the list entries in a file and reference the file in the ACL definition

Example:

[root@localhost ~]# vi /etc/squid/ipblock.list   ##Create the IP list. Note: it must be in
61.135.167.36
60.28.14.0/24
[root@localhost ~]# vi /etc/squid/dmblock.list
.qq.com
.msn.com
[root@squid ~]# vim /etc/squid.conf
acl IPBLOCK dst "/etc/squid/ipblock.list"    ##File that defines the destination IPs
acl DMBLOCK dstdomain "/etc/squid/dmblock.list"    ##File that defines the destination domain names
http_access deny IPBLOCK
http_access deny DMBLOCK

Demonstration:

1. Add ACL rules

[root@squid ~]# vim /etc/squid.conf
acl MMM src 192.168.30.0/24 ##Define an access control list named MMM
http_access deny MMM ##Reject all http requests in the MMM list
http_access allow all ##Allow all (the default is the opposite of the last ACL rule, so you don't need to set it)

2. Client access web test

(1) Before configuring rules
(2) After configuring ACL rules, the request fails
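
Rule order decides the outcome here: Squid stops at the first http_access line that matches. The shell check below is an added example, not part of the original post; it flags http_access lines that can never match because they sit below a bare `allow all` or `deny all`, and otherwise reports the implicit default. The sample config is constructed and assumes the MMM rules from this page were appended below an existing `deny all`.

```shell
#!/bin/sh
# Added example: lint http_access ordering. Squid reads http_access lines top
# to bottom and stops at the first match, so rules below a bare "allow all" or
# "deny all" are dead. Reads a squid.conf on stdin.
lint_http_access() {
    awk '
        $1 != "http_access" { next }      # also skips "#http_access ..." comments
        {
            n++
            rule = $2
            for (i = 3; i <= NF && $i !~ /^#/; i++) rule = rule " " $i
            if (catchall != "") {
                printf "UNREACHABLE line %d: http_access %s (after \"%s\" on line %d)\n",
                       NR, rule, catchall, catchline
            } else if (rule == "allow all" || rule == "deny all") {
                catchall = rule; catchline = NR
            }
            last = $2
        }
        END {
            if (n == 0) {
                print "DEFAULT deny (no http_access lines)"
            } else if (catchall == "") {
                print "DEFAULT " (last == "allow" ? "deny" : "allow") " (opposite of last rule)"
            }
        }
    '
}

# Constructed sample: the MMM rules from this page appended below a "deny all".
sample_conf() {
    cat <<'EOF'
acl MMM src 192.168.30.0/24
http_access allow localhost
http_access deny all
http_access deny MMM    ##never evaluated
http_access allow all   ##never evaluated
EOF
}

sample_conf | lint_http_access
```

Against a real file, run `lint_http_access < /etc/squid.conf`. A `DEFAULT allow` result means every client not matched by a deny rule is let through.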

2. Squid reverse proxy


Experimental topology:

This experiment continues from the previous traditional-mode setup: https://blog.csdn.net/CN_LiTianpeng/article/details/109387464

[Web1 side] IP: 192.168.30.30

1. Make a test page

[root@localhost httpd]# cd /var/www/html/
[root@localhost html]# vi index.html
<title>HELLO</title>
<h1>this is test1 Web</h1>
[root@localhost html]# systemctl restart httpd

2. Browse to the test page; it is displayed normally


[Web2 side] IP: 192.168.30.40

1. Make a test page

[root@localhost httpd]# cd /var/www/html/
[root@localhost html]# vi index.html
<title>GOOD</title>
<h1>this is test2 Web</h1>
[root@localhost html]# systemctl restart httpd

2. Browse to the test page; it is displayed normally


[Squid side] IP: 192.168.30.10

1. Clear the firewall rules and allow port 80

[root@squid ~]# iptables -F
[root@squid ~]# iptables -t nat -F
[root@squid ~]# systemctl start firewalld
[root@squid ~]# iptables -I INPUT -p tcp --dport 80 -j ACCEPT 

2. Modify the configuration file for reverse proxying

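[root@squid init.d]# vim /etc/squid.conf   ##Edit the configuration
#http_port 3128
http_port 192.168.30.10:80 accel vhost vport   ##Listen on port 80 of this address as the virtual accelerator address and port. With port 80 configured, client browsers no longer need a proxy server setting and can reach the site directly over HTTP.
cache_peer 192.168.30.30 parent 80 0 no-query originserver round-robin max-conn=30 weight=1 name=web1    ##Match port 80 on 192.168.30.30, do not query the real in-domain server, use round-robin scheduling, allow at most 30 connections, weight 1; this in-domain server is named web1
cache_peer 192.168.30.40 parent 80 0 no-query originserver round-robin max-conn=30 weight=1 name=web2
cache_peer_domain web1 web2 www.yun.com 192.168.30.10  ##Match the in-domain hosts web1 and web2; they can be reached through the domain name www.yun.com or the IP address 192.168.30.10
//Note: if no domain name or IP is given at the end of the cache_peer_domain line, load-balanced reverse proxying by domain name or IP will not work. If only the domain name is given, round-robin reverse proxying works only for requests to the domain name and requests to the IP have no effect, and vice versa. Usually configuring only the domain name is enough.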
[root@squid init.d]# service squid stop
[root@squid init.d]# service squid start
正在启动 squid....
[root@squid init.d]# netstat -lanpt |grep 80
tcp        0      0 192.168.30.10:80        0.0.0.0:*               LISTEN      3935/(squid-1)   

[Client access test] IP: 192.168.30.100


3. Squid-Sarg log statistics function

1. Install the sarg log program

[root@squid ~]# ls   ##Check for the sarg package
  sarg-2.3.7.tar.gz  …… (remaining entries omitted)
[root@squid ~]# yum -y install gd gd-devel
[root@squid ~]# yum -y install gcc gcc-c++ make
[root@squid ~]# tar zxvf sarg-2.3.7.tar.gz -C /opt
[root@squid ~]# cd /opt/sarg-2.3.7/
[root@squid sarg-2.3.7]# ./configure \
--prefix=/usr/local/sarg \
--sysconfdir=/etc/sarg \
--enable-extraprotection        ##Extra security protection
[root@squid sarg-2.3.7]# make -j3 && make install

2. Modify the configuration file

[root@squid sarg-2.3.7]# cd /etc/sarg/
[root@squid sarg]# vim sarg.conf 
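Line 7:    access_log /usr/local/squid/var/logs/access.log   ##Specify the access log file
Line 25:   title "Squid User Access Reports"    ##Web page title
Line 120:  output_dir /var/www/html/squid-reports   ##Report output directory
Line 178:  user_ip no    ##Display by user name
Line 184:  topuser_sort_field connect reverse  ##In the top ranking, sort by connection count or bytes accessed, in descending order; ascending is normal
Line 206:  exclude_hosts /usr/local/sarg/noreport  ##File listing the sites excluded from the ranking
Line 257:  overwrite_report no    ##Whether to overwrite a report with the same name
Line 289:  mail_utility mailq.postfix    ##Command used to send the report by mail
Line 434:  charset UTF-8    ##Character set to use
Line 516:  weekdays 0-6    ##Days of the week covered by the top ranking; 0 is Sunday
Line 525:  hours 0-23    ##Hours covered by the top ranking
Line 633:  www_document_root /var/www/html    ##Web document root
[root@squid sarg]# egrep -vn '^#|^$' /etc/sarg/sarg.conf   ##Filter the file to check that the settings were changed correctly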
7:access_log /usr/local/squid/var/logs/access.log
25:title "Squid User Access Reports"
120:output_dir /var/www/html/squid-reports
178:user_ip no
184:topuser_sort_field connect reverse
206:exclude_hosts /usr/local/sarg/noreport
257:overwrite_report no
289:mail_utility mailq.postfix 
434:charset UTF-8
516:weekdays 0-6
525:hours 0-23
633:www_document_root /var/www/html
[root@squid sarg]# touch /usr/local/sarg/noreport

3. Optimize the path and generate report files

[root@squid ~]# ln -s /usr/local/sarg/bin/sarg /usr/local/bin/
[root@squid ~]# sarg    ##Generate the report
SARG: Records in file: 2528, reading: 100.00%
SARG: Successful report generated on /var/www/html/squid-reports/2020Oct30-2020Nov01
[root@squid ~]# cd /var/www/html/squid-reports/
[root@squid squid-reports]# ls  ##List the directory; it contains the index.html home page
2020Oct30-2020Nov01  images  index.html
[root@squid sarg-2.3.7]# cd /etc/sarg/
[root@squid sarg]# vim sarg.conf
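Line 190:  user_sort_field reverse     ##For user access records, sort connection counts in descending order. Note: enable this only after a report has been generated with the sarg command, otherwise an error is reported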

4. Install Apache service

[root@squid ~]# yum -y install httpd   ##Install Apache to serve the reports
[root@squid ~]# systemctl start httpd   ##Start Apache
[root@squid ~]# cd /var/www/html/
[root@squid html]# ls
squid-reports

5. View the reports from the client


6. Set up a periodic scheduled task

[root@squid html]# sarg -l /usr/local/squid/var/logs/access.log -o /var/www/html/squid-reports/ -z -d $(date -d "1 day ago" +%d/%m/%Y)-$(date +%d/%m/%Y)
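##Run this statement as the daily scheduled task: sarg -l specifies the access log to read, -o writes the output to the /var/www/html/squid-reports/ directory, and -d specifies the date range "the previous day to the current day", i.e. a one-day interval.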
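
The post gives the sarg command but not the scheduled job itself. The wrapper below is an added example, not part of the original post: it builds the same one-day range and runs sarg with the paths used on this page. The script name `sarg-daily.sh`, the `--run` switch and the crontab entry in the comment are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post): wrapper for the daily SARG run.
# Calling a script from cron also avoids a crontab pitfall: an unescaped "%"
# in a crontab command is turned into a newline, which would break the
# +%d/%m/%Y format if the one-liner were pasted into crontab directly.
# Hypothetical crontab entry:  0 0 * * * /usr/local/bin/sarg-daily.sh --run
SARG=${SARG:-/usr/local/bin/sarg}
ACCESS_LOG=${ACCESS_LOG:-/usr/local/squid/var/logs/access.log}
REPORT_DIR=${REPORT_DIR:-/var/www/html/squid-reports/}

# Print "dd/mm/YYYY-dd/mm/YYYY" from the day before $1 to $1 (default: today).
# $1 is YYYY-MM-DD; relies on GNU date, like the command above.
sarg_range() {
    day=${1:-$(date +%Y-%m-%d)}
    from=$(date -d "$day 1 day ago" +%d/%m/%Y) || return 1
    to=$(date -d "$day" +%d/%m/%Y) || return 1
    printf '%s-%s\n' "$from" "$to"
}

# Run sarg for that range; fail loudly instead of publishing an empty report.
daily_report() {
    range=$(sarg_range "${1:-}") || { echo "bad date: ${1:-}" >&2; return 1; }
    [ -r "$ACCESS_LOG" ] || { echo "cannot read $ACCESS_LOG" >&2; return 1; }
    "$SARG" -l "$ACCESS_LOG" -o "$REPORT_DIR" -z -d "$range"
}

if [ "${1:-}" = "--run" ]; then
    daily_report
fi
```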

Origin blog.csdn.net/CN_LiTianpeng/article/details/109410338