CentOS 7 Squid server configuration: ACL access control and log analysis

For deploying the Squid proxy service and configuring a traditional proxy, see the earlier post: CentOS 7 install Squid proxy service and build a traditional proxy
For configuring a Squid transparent proxy, see the earlier post: CentOS 7 install Squid proxy service and configure a transparent proxy

I. ACL access control

Squid provides a powerful access control mechanism. With a sensible set of ACLs it can filter on a variety of conditions, such as source address, destination address, URL path and time of access. In the configuration file squid.conf, ACL access control is implemented in two steps: first, acl entries define the conditions that need to be controlled; second, http_access entries apply "allow" or "deny" to the lists that have been defined.

1. Access control lists

Each acl configuration line defines one access control list, in the following format:

acl list_name list_type list_content

Here "list_name" is chosen by the administrator to identify the control condition; "list_type" must be one of Squid's predefined values, each corresponding to a different category of condition; "list_content" is the specific object to be controlled, and its form depends on the list type. It can hold several values separated by spaces, which are combined with "or".

As the format shows, the key to defining an access control list is choosing the "list type" and setting the condition for the object. Squid predefines many list types; the most commonly used are source address, destination address, access time and access port.

ACL Definition Example:

[root@centos02~ ]# vim /etc/squid.conf
                             ..........................
acl localnet src 10.0.0.0/8     # RFC1918 possible internal network    <!--some of Squid's default ACLs-->
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network    <!--present by default-->
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network    <!--present by default-->
acl localhost src 127.0.0.1/255.255.255.255            <!--source address 127.0.0.1-->
acl mylan src 192.168.1.0/24 192.168.4.0/24          <!--client network segments-->
acl to_localhost dst 127.0.0.0/8                        <!--destination address in 127.0.0.0/8-->
acl mc20 maxconn 20                              <!--maximum of 20 concurrent connections-->
acl blackurl url_regex -i ^rtsp:// ^emule://              <!--URLs beginning with rtsp:// and the like-->
acl mediafile urlpath_regex -i \.mp3$ \.mp4$ \.rmvb$    <!--URL paths ending in .mp3 and the like-->
acl worktime time MTWHF 9:00-18:00                 <!--Monday to Friday, 9:00-18:00-->
                              ........................

When many objects of the same class need to be restricted, they can be stored in a separate file, and the acl line then gives the file's location in place of the list content. For example:

[root@centos02~ ]# mkdir /etc/squid
[root@centos02~ ]# cd /etc/squid
[root@centos02 squid]# vim ipblock.list         <!--create the list of destination IP addresses-->

61.135.167.36
125.39.127.25
60.28.14.0

[root@centos02 squid]# vim dmblock.list         <!--create the list of destination domains-->

.qq.com
.msn.com
.live.com
.verycd.com

[root@centos02 squid]#  vim /etc/squid.conf

acl ipblock dst "/etc/squid/ipblock.list"           <!--load the list content from the specified file-->
acl dmblock dstdomain "/etc/squid/dmblock.list"

Once the ACLs are defined, access is controlled with http_access entries. Note that an http_access line must be placed after the acl lines it refers to. Each http_access line defines one access rule, in the following format:

http_access allow|deny list_name

Applying the ACLs just defined in rules:

[root@centos02 squid]# vim /etc/squid.conf
                        ......................
http_access deny !Safe_ports     <!--access rule present in Squid by default-->
http_access deny mediafile        <!--forbid clients from downloading mp3 and similar files-->
http_access deny ipblock              <!--forbid clients from accessing the blacklisted IP addresses-->
http_access deny dmblock              <!--forbid clients from accessing the blacklisted domains-->
http_access deny mc20        <!--clients with more than 20 concurrent connections are blocked-->
http_access allow worktime           <!--allow clients to browse during working hours-->
reply_body_max_size 10 MB        <!--maximum download size allowed (10 MB)-->
                            .......................
http_access deny all  <!--deny all other clients the use of the proxy; present in Squid by default-->

When configuring access rules, note the following:

  • One http_access rule can name several access control lists, separated by spaces. They are combined with "AND": the rule applies only when all the listed conditions are met.

  • To invert a condition, prefix the access control list name with "!".

  • Squid checks the rules in order; once a rule matches, it stops searching (similar to iptables matching). The order of the rules therefore matters.

  • When no rules are set at all, Squid denies client requests. This is also why the default configuration file already contains ACL rules for three network segments; to restrict one of those default segments, comment out the default entry first and then add the restriction, otherwise the conflict means the access rule does not take effect.

  • When rules exist but none of them matches, Squid applies the opposite of the last rule's action: if the last rule is "allow", the request is denied; otherwise it is allowed. The last rule in the default configuration is "http_access deny all".
    Place the most frequently matched rules first to reduce Squid's load. For the overall access control policy, the recommended approach is either "deny first, then allow" or "allow first, then deny".
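As an added illustration (not Squid's code and not part of the original post), the following Python script models how the http_access rules above are evaluated: first match wins, several names on one line are ANDed, "!" negates, and when no rule matches the opposite of the last rule's action applies. The ACL names and addresses are taken from the squid.conf above; the requests are constructed.

```python
import ipaddress
import re
from datetime import datetime

# Constructed ACLs mirroring the squid.conf above (src, urlpath_regex and time
# types only). Values inside one ACL are ORed.
ACLS = {
    "mylan":     ("src", ["192.168.1.0/24", "192.168.4.0/24"]),
    "mediafile": ("urlpath_regex", [r"\.mp3$", r"\.mp4$", r"\.rmvb$"]),
    "worktime":  ("time", ["MTWHF", "9:00-18:00"]),
}
# Ordered http_access rules; several names on one line are ANDed, "!" negates.
RULES = [
    ("deny",  ["mediafile"]),
    ("allow", ["mylan", "worktime"]),
    ("deny",  ["all"]),
]

def acl_matches(name, req):
    if name == "all":
        return True
    kind, values = ACLS[name]
    if kind == "src":
        ip = ipaddress.ip_address(req["src"])
        return any(ip in ipaddress.ip_network(v) for v in values)
    if kind == "urlpath_regex":
        return any(re.search(v, req["path"], re.IGNORECASE) for v in values)
    if kind == "time":  # Squid day letters: S M T W H F A = Sun..Sat
        days, span = values
        lo, hi = (int(h) * 60 + int(m) for h, m in (p.split(":") for p in span.split("-")))
        t = req["when"]
        return "MTWHFAS"[t.weekday()] in days and lo <= t.hour * 60 + t.minute < hi
    raise ValueError("unsupported ACL type: " + kind)

def http_access(req, rules=RULES):
    """First matching rule wins; with no match, the opposite of the last rule applies."""
    for action, names in rules:
        if all(acl_matches(n.lstrip("!"), req) != n.startswith("!") for n in names):
            return action, " ".join(names)
    return ("deny" if rules[-1][0] == "allow" else "allow"), None

def demo():
    mon = datetime(2019, 11, 18, 10, 30)  # a Monday inside worktime
    base = {"src": "192.168.1.10", "path": "/index.html", "when": mon}
    return {
        "lan_worktime": http_access(base)[0],
        "mp3_download": http_access({**base, "path": "/music/song.MP3"})[0],
        "after_hours":  http_access({**base, "when": mon.replace(hour=20)})[0],
        "no_match":     http_access({**base, "src": "10.1.1.1"}, rules=RULES[:2])[0],
    }
```

The "no_match" case drops the final "deny all" rule, so the request from outside mylan matches nothing and is denied because the last remaining rule is an "allow".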

II. Squid log analysis

To view the logs more intuitively you can use SARG, a Squid log analysis tool that produces HTML reports detailing, for each user, the sites visited, time spent, ranking, number of connections, traffic volume and so on.

1. Import the gd package

1) Upload the gd-devel package to the server (here with rz)

[root@centos02 ~]# rz  


[root@centos02 ~]# ls
anaconda-ks.cfg  gd-devel-2.0.35-11.el6.x86_64.rpm  initial-setup-ks.cfg

2. Install and configure sarg

[root@centos02 ~]# mount /dev/cdrom /mnt/  <!--mount the disc holding the Linux packages-->
mount: /dev/sr0 写保护,将以只读方式挂载
[root@centos02 ~]# tar zxvf /mnt/sarg-2.3.7.tar.gz -C /usr/src/    <!--extract the sarg package-->
[root@centos02 ~]# umount /mnt/   <!--unmount the disc-->
[root@centos02 ~]# mount /dev/cdrom /mnt/  <!--mount the operating system disc-->
mount: /dev/sr0 写保护,将以只读方式挂载
[root@centos02 ~]# rm -rf /etc/yum.repos.d/CentOS-* 
[root@centos02 ~]# yum -y install gd gd-devel httpd    <!--install the software sarg depends on-->
[root@centos02 ~]# rpm -ivh gd-devel-2.0.35-11.el6.x86_64.rpm    <!--check the dependencies sarg needs-->
[root@centos02 ~]# rpm -ivh gd-devel-2.0.35-11.el6.x86_64.rpm --nodeps    <!--install gd-devel, forcibly ignoring dependencies-->
[root@centos02 ~]# rpm -qa | grep gd <!--check that it was installed-->
[root@centos02 ~]# rpm -qa | grep gd-devel <!--check that it was installed-->
[root@centos02 ~]# rpm -qa | grep httpd <!--check that it was installed-->
[root@centos02 ~]# mkdir /usr/local/sarg  <!--create the sarg installation directory-->
[root@centos02 ~]# cd /usr/src/sarg-2.3.7/   <!--enter the sarg source directory-->
[root@centos02 sarg-2.3.7]# ./configure --prefix=/usr/local/sarg --sysconfdir=/etc/sarg --enable-extraprotection    <!--configure sarg-->
[root@centos02 sarg-2.3.7]# make && make install <!--compile and install sarg-->
[root@centos02 sarg-2.3.7]# ls -ld /etc/sarg/    <!--check that the configuration directory was generated-->
drwxr-xr-x 2 root root 83 11月 18 10:35 /etc/sarg/     
[root@centos02 sarg-2.3.7]# ls -ld /usr/local/sarg/    <!--check that the installation directory was generated-->
drwxr-xr-x 4 root root 30 11月 18 10:35 /usr/local/sarg/
[root@centos02 ~]# cp /etc/sarg/sarg.conf /etc/sarg/sarg.conf.bak <!--back up the main sarg configuration file-->
[root@centos02 ~]# vim /etc/sarg/sarg.conf  <!--edit the main sarg configuration file-->
access_log /usr/local/squid/var/logs/access.log    <!--Squid's access log file-->
title "Squid User Access Reports"  <!--web page title-->
output_dir /var/www/html/squid-reports  <!--output directory for sarg reports-->
user_ip no      <!--display user names rather than IP addresses-->
topuser_sort_field BYTES reverse     <!--field used to sort the top-user ranking (connections, accesses, bytes), in descending order; replace reverse with normal for ascending-->
user_sort_field BYTES reverse <!--sort each user's access records by connections, descending-->
exclude_hosts /usr/local/sarg/noreport     <!--file listing the sites excluded from the ranking-->
overwrite_report no  <!--whether to overwrite a report that already exists for that date-->
mail_utility mailx   <!--command used to send the report by e-mail-->
charset utf-8      <!--character set-->
weekdays 0-6     <!--weekdays covered by the top ranking, 0 = Sunday-->
hours 0-23         <!--hours covered by the top ranking-->
www_document_root /var/www/html       <!--web document root-->
[root@centos02 ~]# mkdir -p /usr/local/sarg/noreport    <!--create the exclusion directory referenced above-->
[root@centos02 ~]# ln -s /usr/local/sarg/bin/sarg /usr/local/bin/    <!--make the sarg command available on the PATH-->
[root@centos02 ~]# sarg       <!--run sarg once to generate a report-->
SARG: 纪录在文件: 27, reading: 100.00%
SARG: 成功的生成报告在 /var/www/html/squid-reports/2019Nov18-2019Nov18
[root@centos02 ~]# systemctl start httpd   <!--start the httpd service-->
[root@centos02 ~]# systemctl enable httpd <!--enable httpd at boot-->
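To see what the BYTES reverse ordering in sarg.conf produces, here is an added Python example (not SARG's code and not part of the original post) that aggregates constructed Squid access.log lines per client the way the top-user report does, and additionally counts the TCP_DENIED entries that the http_access rules above generate, which is a quick way to spot clients repeatedly hitting the blocklists.

```python
import re
from collections import defaultdict

# Constructed Squid native-format access.log lines (time, elapsed ms, client,
# result/status, bytes, method, URL, ident, hierarchy/peer, MIME type).
SAMPLE_LOG = """\
1574045160.123    245 192.168.1.10 TCP_MISS/200 5120 GET http://www.example.com/index.html - HIER_DIRECT/93.184.216.34 text/html
1574045161.456     12 192.168.1.10 TCP_DENIED/403 3827 GET http://www.example.com/music/song.mp3 - HIER_NONE/- text/html
1574045162.789   1024 192.168.1.22 TCP_HIT/200 204800 GET http://www.example.com/video/clip.bin - HIER_NONE/- video/mp4
1574045163.000     30 192.168.4.5 TCP_DENIED/403 3900 CONNECT www.qq.com:443 - HIER_NONE/- text/html
1574045164.500    600 192.168.1.22 TCP_MISS/200 10240 GET http://www.example.org/ - HIER_DIRECT/93.184.216.34 text/html
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<result>\S+)/(?P<status>\d+)\s+"
    r"(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)"
)

def parse_line(line):
    """Return the fields of one native-format line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("elapsed", "bytes", "status"):
        rec[key] = int(rec[key])
    return rec

def top_users(log_text, sort_field="BYTES", reverse=True):
    """Per-client totals ordered like sarg's topuser_sort_field (BYTES, CONNECT or TIME)."""
    totals = defaultdict(lambda: {"CONNECT": 0, "BYTES": 0, "TIME": 0, "DENIED": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines instead of aborting the report
        t = totals[rec["client"]]
        t["CONNECT"] += 1
        t["BYTES"] += rec["bytes"]
        t["TIME"] += rec["elapsed"]
        if rec["result"].startswith("TCP_DENIED"):
            t["DENIED"] += 1  # requests blocked by the http_access rules
    return sorted(totals.items(), key=lambda kv: kv[1][sort_field], reverse=reverse)
```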

3. Access test from a Windows client browser

http://192.168.100.20/squid-reports/

http://192.168.100.20/sarg/

III. Writing a script to refresh the log reports periodically

[root@centos02 ~]# vim log.sh  <!--create the script-->
#!/bin/bash
# Generate a sarg report covering yesterday and today.
# sarg -d takes dd/mm/yyyy or a dd/mm/yyyy-dd/mm/yyyy range (%m is the month; %M would be minutes).
TODAY=$(date +%d/%m/%Y)
YESTERDAY=$(date -d '1 day ago' +%d/%m/%Y)
/usr/local/sarg/bin/sarg -l /usr/local/squid/var/logs/access.log -o /var/www/html/sarg -z -d "$YESTERDAY-$TODAY" &> /dev/null
exit 0
[root@centos02 ~]# chmod +x log.sh   <!--make the script executable-->
[root@centos02 ~]# ./log.sh &   <!--run the script-->
[1] 7798
[root@centos02 ~]# vim /etc/rc.d/rc.local    <!--add the script to the boot-time startup file-->
/root/log.sh
[root@centos02 ~]# chmod +x /etc/rc.d/rc.local  <!--make rc.local executable-->

------ This concludes the article, thanks for reading ------


Origin blog.51cto.com/14156658/2452103