Squid Proxy Service ACL access control and log analysis

For deploying the Squid service, see the post: Squid Proxy Server installation and deployment.
For configuring the Squid proxy service, see the post: Building a traditional Squid proxy and a transparent proxy.

Squid ACL access control services

Squid provides a powerful access control mechanism. By defining ACLs (Access Control Lists) and applying rules to them, requests can be filtered on a variety of conditions: source address, destination address, URL path, time of access, and more.

In the configuration file squid.conf, ACL access control is implemented in two steps:

  • Define the conditions to be controlled with acl configuration items;

  • Use http_access configuration items to "allow" or "deny" the lists that have been defined.

1. Define the access control list

Each acl configuration line defines one access control list, in the following format:

acl <list name> <list type> <list content> ...

where:
"list name" is chosen by the administrator and identifies the control condition;
"list type" must be one of Squid's predefined values, each corresponding to a category of control condition;
"list content" is the concrete object to be controlled; it differs by list type and may hold several values (separated by spaces, combined as "OR").

The key to defining an access control list is choosing the right "list type" and setting the content of the condition. Squid predefines a wide variety of list types; the table of types was an image in the original post (the types used in the examples below are src, dstdomain, urlpath_regex and time).
When defining access control lists, analyse the users' access requirements correctly, combine them with the current network environment, and state precisely the conditions under which the proxy service may be used. For example:

First create a file holding the domain blacklist:
[root@www ~]# vim /etc/squid/dmblock.list
.qq.com
.msn.com
// A file holding domain names. A file of IP addresses can be created the same way and referenced from the configuration file with the same syntax.
[root@www ~]# vim /etc/squid.conf
                            ………………                          // part of the content omitted
acl MYLAN src 192.168.1.0/24
// List named MYLAN: source addresses in the 192.168.1.0/24 network
acl MEDIAFILE urlpath_regex -i \.3gp$ \.mp4$ \.f4v$ \.mkv$ \.rmvb$ \.avi$
// List named MEDIAFILE: URL paths ending in .3gp, .mp4, .f4v, .mkv, .rmvb or .avi (-i makes the match case-insensitive)
acl DMBLOCK dstdomain  "/etc/squid/dmblock.list"
// List named DMBLOCK: destination domains read from the file /etc/squid/dmblock.list (a leading dot also matches all subdomains)
acl deny10 src 192.168.1.10
// List named deny10: source address 192.168.1.10
acl WORKTIME time MTWHF 08:30-17:30
// List named WORKTIME: Monday to Friday (day codes M T W H F), 08:30 to 17:30

2. Set access rights

After the access control lists have been defined, use the http_access configuration item to control them. Note that an http_access line must be placed after the acl lines it references. Each http_access line defines one access control rule. Syntax:

http_access allow|deny [!]<list name> ...

Notes on http_access:

  • One http_access rule may contain several lists at once, separated by spaces and combined as "AND";

  • A condition is negated with the ! symbol;

  • http_access must be placed after the acl lines.
    [root@www ~]# vim /etc/squid.conf
             ………………               // part of the content omitted
    http_access deny deny10
    // deny the deny10 list
    http_access allow MYLAN WORKTIME Safe_ports !MEDIAFILE !DMBLOCK
    // allow requests that match MYLAN, WORKTIME and Safe_ports (the port list defined in the stock squid.conf) and do NOT match MEDIAFILE or DMBLOCK
    http_access deny all
    // by default deny all other clients from using the proxy

    After editing is complete, reload the Squid configuration (squid -k reconfigure re-reads squid.conf without restarting the service):

    [root@www ~]# squid -k reconfigure

    Rule execution:

  • Rules are searched from the top; the first matching rule is used and the search goes no further;

  • When no rules are configured at all, Squid denies the client's request;

  • When rules exist but none matches, Squid applies the opposite of the last rule. That is, if the last rule is allow, the request is denied; otherwise the request is allowed.

Usually the most frequently matched rules are placed first to reduce Squid's load. As an overall access-control strategy, either "deny first, then allow" or "allow first, then deny" is recommended, with the last rule serving as the default rule (an explicit http_access deny all avoids relying on the opposite-of-the-last-rule behaviour).
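The following Python script is an added example (not from the original post and not Squid's own code) that models how Squid evaluates the acl and http_access lines above: the list types used on this page, AND within one line, ! negation, first match wins, deny when no rules exist, and the opposite-of-the-last-line default when nothing matches. The list file /etc/squid/dmblock.list is replaced by an in-memory dict, the built-in `all` ACL is predefined, and the `Safe_ports` line, the day-code table and the test requests are assumptions made for the example.

```python
"""Model of Squid's http_access evaluation (added example, not Squid's own code)."""
import ipaddress
import re
from datetime import datetime

# Squid day-of-week codes mapped to datetime.weekday() (Mon=0 .. Sun=6):
# S=Sunday M=Monday T=Tuesday W=Wednesday H=Thursday F=Friday A=Saturday
DAY_CODES = {"S": 6, "M": 0, "T": 1, "W": 2, "H": 3, "F": 4, "A": 5}
# Constructed test times: 2019-08-19 was a Monday, 2019-08-17 a Saturday.
MONDAY = datetime(2019, 8, 19, 10, 0)
SATURDAY = datetime(2019, 8, 17, 10, 0)


def acl_matches(kind, values, req):
    """Evaluate one ACL against a request dict with keys src, host, path, port, when."""
    if kind == "src":
        ip = ipaddress.ip_address(req["src"])
        return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    if kind == "port":
        return str(req["port"]) in values
    if kind == "dstdomain":
        host = req["host"].lower()
        # ".qq.com" covers qq.com and every subdomain; "qq.com" matches only that exact host.
        return any(host == v.lstrip(".") or (v.startswith(".") and host.endswith(v)) for v in values)
    if kind == "urlpath_regex":
        flags = re.IGNORECASE if "-i" in values else 0          # -i: case-insensitive patterns
        return any(re.search(v, req["path"], flags) for v in values if v != "-i")
    if kind == "time":
        days, span = values                                       # e.g. ["MTWHF", "08:30-17:30"]
        start, end = (datetime.strptime(t, "%H:%M").time() for t in span.split("-"))
        when = req["when"]
        return when.weekday() in {DAY_CODES[d] for d in days} and start <= when.time() <= end
    raise ValueError(f"unsupported acl type: {kind}")


def parse_config(text, list_files):
    """Parse acl/http_access lines; list_files is an in-memory stand-in for quoted files."""
    acls = {"all": ("src", ["0.0.0.0/0"])}          # Squid's built-in 'all' ACL
    rules = []                                     # [("allow"|"deny", [term, ...]), ...]
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "acl":
            name, kind, *values = parts[1:]
            if values and values[0].startswith('"'):            # "/path": one entry per line
                values = list_files[values[0].strip('"')]
            acls[name] = (kind, values)
        elif parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return acls, rules


def http_access(acls, rules, req):
    """Apply the three execution rules described in the text and return 'allow' or 'deny'."""
    if not rules:
        return "deny"                                  # no http_access lines at all
    for action, terms in rules:
        for term in terms:                             # terms on one line are ANDed
            negated = term.startswith("!")
            kind, values = acls[term.lstrip("!")]
            if acl_matches(kind, values, req) == negated:
                break                                  # this term fails; try the next line
        else:
            return action                              # first line whose terms all hold wins
    return "allow" if rules[-1][0] == "deny" else "deny"   # nothing matched: opposite of last line


# The page's ACLs and rules; the Safe_ports line is assumed (it comes from the stock squid.conf).
PAGE_CONFIG = r"""
acl Safe_ports port 80 443
acl MYLAN src 192.168.1.0/24
acl MEDIAFILE urlpath_regex -i \.3gp$ \.mp4$ \.f4v$ \.mkv$ \.rmvb$ \.avi$
acl DMBLOCK dstdomain "/etc/squid/dmblock.list"
acl deny10 src 192.168.1.10
acl WORKTIME time MTWHF 08:30-17:30
http_access deny deny10
http_access allow MYLAN WORKTIME Safe_ports !MEDIAFILE !DMBLOCK
http_access deny all
"""
LIST_FILES = {"/etc/squid/dmblock.list": [".qq.com", ".msn.com"]}   # stand-in for the blacklist file


def decide(config, src, host, path="/", when=MONDAY, port=80):
    """Squid's decision for one request under `config` (defaults: Monday 10:00, port 80)."""
    acls, rules = parse_config(config, LIST_FILES)
    return http_access(acls, rules, {"src": src, "host": host, "path": path, "when": when, "port": port})


if __name__ == "__main__":
    print(decide(PAGE_CONFIG, "192.168.1.20", "www.example.com"))                 # allow
    print(decide(PAGE_CONFIG, "192.168.1.10", "www.example.com"))                 # deny: deny10 matches first
    print(decide(PAGE_CONFIG, "192.168.1.20", "mail.qq.com"))                     # deny: !DMBLOCK fails
    print(decide(PAGE_CONFIG, "192.168.1.20", "www.example.com", "/clip.MP4"))    # deny: !MEDIAFILE fails (-i)
    print(decide(PAGE_CONFIG, "192.168.1.20", "www.example.com", when=SATURDAY))  # deny: outside WORKTIME
    # Without a final 'deny all', a request matching no line gets the OPPOSITE of the last line:
    print(decide("acl deny10 src 192.168.1.10\nhttp_access deny deny10", "10.0.0.5", "example.com"))  # allow
```

The last call is the case worth remembering: with only `http_access deny deny10` in the file, a host from outside the LAN is allowed, because the default is the opposite of the last rule. The real check on a server is `squid -k parse` to validate the file and `squid -k reconfigure` to apply it; this model only shows which request each line will catch.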

3. Verify the access control effect

(1) Test the access restrictions (from a client configured with the traditional proxy): verify this yourself.
(2) Test the file download limit
① Create a file larger than 10 MB under the web server's document root:

[root@localhost ~]# dd if=/dev/zero of=/var/www/html/dltest.data bs=1M count=15

② On the Squid proxy server, edit the configuration file and add the following line:

[root@www ~]# vim /etc/squid.conf
           ………………               // part of the content omitted
reply_body_max_size  10 MB
// limit the maximum size of a response body to 10 MB (an ACL name can be appended to restrict the limit to certain requests)
[root@www ~]# squid -k reconfigure
// reload the Squid configuration

Client test (do not test from 192.168.1.10, which the deny10 rule refuses): verify this yourself.

Squid log analysis

SARG (Squid Analysis Report Generator) is a log analysis tool for Squid. It produces HTML reports detailing each user's Internet access: sites visited, time spent, ranking, number of connections, traffic and so on.

1. Install the GD library on the Squid server

[root@www ~]# yum -y install gd 

2. Install SARG

The sarg package can be downloaded from the network disk link: https://pan.baidu.com/s/1WItXGVlvrLQ9TijB7CWLmQ
extraction code: zh41

[root@www ~]# tar zxf sarg-2.3.7.tar.gz -C /usr/src
[root@www ~]# cd /usr/src/sarg-2.3.7/
[root@www sarg-2.3.7]#  ./configure --prefix=/usr/local/sarg --sysconfdir=/etc/sarg \
--enable-extraprotection && make && make install

The configure options mean:
--prefix=/usr/local/sarg: installation directory;
--sysconfdir=/etc/sarg: configuration file directory; if not given, the default is /usr/local/etc;
--enable-extraprotection: enable extra compile-time security protection

3. Configuration

[root@www sarg-2.3.7]# vim /etc/sarg/sarg.conf 
         ......................
# For basic functionality only these three items need to be configured:
access_log /usr/local/squid/var/logs/access.log            # Squid's access log file
output_dir /var/www/html/sarg                        # output directory for SARG reports, under the web root
www_document_root /var/www/html               # web document root

# The remaining optional tuning items; change them as needed:
title "Squid User Access Reports"                            # page title
user_ip no                                    # show user names instead of IP addresses
exclude_hosts /usr/local/sarg/noreport                     # file listing sites not counted in the ranking
topuser_sort_field connect BYTES reverse                   
# field and order of the top-user ranking (connection count / bytes), descending; use normal instead of reverse for ascending
user_sort_field connect reverse                   # per-user access records sorted by connection count, descending
overwrite_report no                                # whether to overwrite a report that already exists for that date
mail_utility mailq.postfix                              # command used to send the report by mail
charset utf-8                                     # character set
weekdays 0-6                                    # weekdays included in the top ranking; 0 is Sunday
hours 7-12,14,16,18-20                      # hours of the day included in the top ranking

4. Run

[root@www sarg-2.3.7]# touch /usr/local/sarg/noreport
// The exclude_hosts item above refers to this file, so it must exist.
// Domains added to this file are not shown in the ranking.
[root@www sarg-2.3.7]# ln -s /usr/local/sarg/bin/sarg /usr/local/bin
[root@www sarg-2.3.7]# sarg                            // run sarg
SARG: Records in file: 21, reading: 100.00%
SARG: Successfully generated report in /var/www/html/sarg/2019Aug17-2019Aug18
[root@localhost sarg]# systemctl start httpd                 # start the httpd service; install it first if it is not present

5. Verify

Open the /sarg/ directory on the web server in a browser (output_dir sits under www_document_root); the original post shows the resulting report page as a screenshot.
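As an added example (not from the original post and not SARG's code), the Python script below does in miniature what SARG does with Squid's native access.log: it parses each record, keys the totals by client IP or by the logged user name (mirroring the user_ip setting), drops hosts listed in exclude_hosts, and orders the top-user table by bytes or connections in reverse or normal order (topuser_sort_field). It also lists clients with repeated TCP_DENIED results, which is what an operator reviewing the ACLs from the first half of this page would look for. The log records are constructed for the example; the field layout follows Squid's native log format.

```python
"""Miniature SARG-style summary of Squid's native access.log (added example, not SARG's code)."""
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Squid native log format (one record per line):
# time elapsed client result/status bytes method URL user hierarchy/peer content-type
LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>\S+)\s+(?P<ctype>\S+)\s*$"
)

# Constructed sample records, not a real capture; 203.0.113.0/24 is a documentation range.
SAMPLE_LOG = """\
1566028800.123    245 192.168.1.20 TCP_MISS/200 5123 GET http://www.example.com/index.html - HIER_DIRECT/203.0.113.10 text/html
1566028801.456     12 192.168.1.20 TCP_HIT/200 20480 GET http://www.example.com/logo.png - HIER_NONE/- image/png
1566028805.000      3 192.168.1.10 TCP_DENIED/403 3200 GET http://www.example.com/ - HIER_NONE/- text/html
1566028806.000      2 192.168.1.20 TCP_DENIED/403 3200 GET http://mail.qq.com/ - HIER_NONE/- text/html
1566028807.000      2 192.168.1.20 TCP_DENIED/403 3200 GET http://www.msn.com/ - HIER_NONE/- text/html
1566028810.000    800 192.168.1.30 TCP_TUNNEL/200 102400 CONNECT www.example.com:443 - HIER_DIRECT/203.0.113.10 -
1566028811.000     50 192.168.1.30 TCP_MISS/200 4096 GET http://update.example.org/x - HIER_DIRECT/203.0.113.9 text/plain
1566028812.000     30 192.168.1.40 TCP_MISS/200 512 GET http://intranet.example.org/ alice HIER_DIRECT/203.0.113.9 text/html
this line is not in native format and must be skipped
"""


def parse_line(line):
    """Return one record as a dict, or None for a line that is not in native format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    url = rec["url"]
    # CONNECT requests are logged as "host:port" rather than as a full URL.
    rec["host"] = urlsplit(url).hostname if "://" in url else url.rsplit(":", 1)[0]
    rec["bytes"] = int(rec["bytes"])
    rec["denied"] = rec["result"] == "TCP_DENIED"      # refused by http_access
    return rec


def summarize(log_text, exclude_hosts=(), user_ip=True):
    """Per-user totals as SARG reports them: connections, bytes, denied hits, sites visited.

    user_ip=True keys the table by client IP (sarg.conf 'user_ip yes'); user_ip=False keys it
    by the logged user name when there is one ('user_ip no', as in the page's configuration)
    and falls back to the IP when Squid logged '-' (no proxy authentication in use).
    """
    users = defaultdict(lambda: {"connect": 0, "bytes": 0, "denied": 0, "sites": Counter()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["host"] in exclude_hosts:   # exclude_hosts: not counted at all
            continue
        key = rec["user"] if not user_ip and rec["user"] != "-" else rec["client"]
        u = users[key]
        u["connect"] += 1
        u["bytes"] += rec["bytes"]
        u["denied"] += rec["denied"]
        u["sites"][rec["host"]] += 1
    return dict(users)


def top_users(summary, field="bytes", reverse=True):
    """Order users like 'topuser_sort_field <connect|bytes> reverse|normal'."""
    return sorted(summary, key=lambda k: summary[k][field], reverse=reverse)


def denied_hotspots(summary, threshold=2):
    """Clients refused by the ACLs at least `threshold` times: a quick check for policy probing."""
    return {k: v["denied"] for k, v in summary.items() if v["denied"] >= threshold}


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG, exclude_hosts={"update.example.org"})
    for user in top_users(report):
        u = report[user]
        print(f"{user:15} connect={u['connect']:3} bytes={u['bytes']:8} denied={u['denied']} "
              f"top site={u['sites'].most_common(1)[0][0]}")
    print("denied hotspots:", denied_hotspots(report))
```

Point the script at the real file named in sarg.conf (/usr/local/squid/var/logs/access.log) to cross-check a SARG report: the per-user byte and connection totals should agree, and the denied count shows whether the DMBLOCK and MEDIAFILE lists from the ACL section are actually being hit.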


Origin blog.51cto.com/14157628/2430373