
Managing internet access with Squid proxy

Most small and medium-sized organizations and businesses need to restrict internet access to a subset of their users and to save internet bandwidth. One open, free and very effective solution today is to use Squid on Linux as a proxy server. Users configure their web browsers to reach the internet through the Squid server instead of connecting directly. When a browsing request arrives from a user, Squid first looks in its cache for that page. If the page is found, Squid returns it to the user's browser without connecting to the internet. If it is not found, Squid connects to the site, downloads the page and forwards it to the browser.

This significantly reduces the amount of data downloaded from the internet. Another benefit is that we can configure the firewall to allow web connections only through Squid, so that no other machine on the internal network is allowed to connect to the internet directly. We can then control users' internet access through a User/Password authentication mechanism.

Downloading and Installing the Squid Package

Today most Linux software is distributed in two pre-compiled forms: RPM (for Red Hat Linux distros) and DEB (for Debian Linux). Downloading and installing these packages is not difficult, and all of these distros support automatic installation (the installer connects to the vendor's server, downloads the requested package and installs it). In the latest releases, Squid is also offered as an installation option while installing the operating system.

For this demo I use Fedora Core 8, a very stable Red Hat Linux release with modest hardware requirements that is easy to configure and administer. Administrators experienced with Linux may prefer Ubuntu Server 7.10 (command-line interface only). That release is also suitable for a medium-sized business environment serving roughly 1000-2000 users.

Starting Squid
Use chkconfig to make Squid start every time the machine boots:
[root@proxy tmp]# chkconfig squid on
Use the service command to start, stop and restart Squid after boot:
[root@proxy tmp]# service squid start
[root@proxy tmp]# service squid stop
[root@proxy tmp]# service squid restart
Use pgrep to check whether Squid is running:
[root@proxy tmp]# pgrep squid
The output of that command is the process ID of Squid.
Alternatively you can use:
[root@proxy tmp]# ps aux

The Squid configuration file: /etc/squid/squid.conf

Squid's main configuration file is squid.conf. To configure Squid, edit the required parameters in this file and then restart Squid.
The Visible Host Name parameter
Squid will not start unless it is given a host name. To supply it, set the visible_hostname parameter; here the host name is the name of the proxy server:
visible_hostname proxy
Access lists: Access Control Lists
To restrict users' web browsing we use access control lists (ACLs). Each acl line defines one specific kind of restriction, for example an access time or a source network (usually the LAN). The acl lines are then referenced by corresponding http_access statements, which tell Squid whether to allow or deny a request that falls within the scope of the ACL.
Squid compares each web request it receives against the http_access list from top to bottom. As soon as it finds a matching statement it applies that statement's allow or deny and stops reading the statements below it. We therefore have to be careful about the order of the statements: do not place deny statements above allow statements when you want to allow the ACLs that match those statements. Finally, there must be a closing statement:
http_access deny all
to reject every request not covered by the preceding statements.

A FEW EXAMPLES
Restricting web access by time
We can create ACLs whose parameters are times. For example, to allow web access only during working hours while denying web access to the host 192.168.1.123, we do the following:
#
# Add these acl lines near the top of the ACL section of squid.conf
#
acl home_network src 192.168.1.0/24
acl business_hours time M T W H F 9:00-17:00
acl RestrictedHost src 192.168.1.23
#
# Add the following statements at the bottom of the http_access section of squid.conf
#
http_access deny RestrictedHost
http_access allow home_network business_hours

# note that the deny statement must come first

Or, if you only want to allow access in the mornings:
#
# Add this acl line near the top of the ACL section of squid.conf
#
acl mornings time 08:00-12:00
#
# Add the following statement at the bottom of the http_access section of squid.conf
#
http_access allow mornings
Restricting access to specific websites
To keep users away from websites that are not permitted, we can store the list of sites in a file. Squid can read files containing lists of websites or domains for use in ACLs. For example, we have two lists stored in two files:
/usr/local/etc/allowed-sites.squid
/usr/local/etc/restricted-sites.squid
with the following contents:
# File: /usr/local/etc/allowed-sites.squid
www.openfree.org
www.ncsteam.com
# File: /usr/local/etc/restricted-sites.squid
www.porn.com
illegal.com
We can use them to block the restricted sites and to allow access to the unrestricted sites during working hours, as in the example below:
#
# Add to the bottom of the ACL section of squid.conf
#
acl home_network src 192.168.1.0/24
acl business_hours time M T W H F 9:00-17:00
acl GoodSites dstdomain "/usr/local/etc/allowed-sites.squid"
acl BadSites dstdomain "/usr/local/etc/restricted-sites.squid"
#
# Add to the top of the http_access section of squid.conf
#
http_access deny BadSites
http_access allow home_network business_hours GoodSites
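The first-match evaluation described above, applied to this page's own ACLs, as an added Python example (not Squid's code and not from the original page): it parses a constructed squid.conf fragment with src, time and dstdomain ACLs and walks the http_access lines top to bottom, so a rule change can be checked before the real proxy is reloaded. As simplifications of this example, the list files are replaced by inline dstdomain values and the request time is passed as an ISO string.

```python
from datetime import datetime
from ipaddress import ip_address, ip_network
DAY_CODES = "MTWHFAS"  # Squid day letters for Monday..Sunday (H = Thursday, A = Saturday)
# Constructed squid.conf fragment: the page's list files are replaced by inline dstdomain values.
ACL_BLOCK = """
acl home_network src 192.168.1.0/24
acl business_hours time M T W H F 9:00-17:00
acl RestrictedHost src 192.168.1.23
acl GoodSites dstdomain www.openfree.org www.ncsteam.com
acl BadSites dstdomain www.porn.com illegal.com
"""
PAGE_RULES = ACL_BLOCK + """
http_access deny RestrictedHost
http_access deny BadSites
http_access allow home_network business_hours GoodSites
http_access deny all
"""

def parse_conf(text):
    acls, rules = {"all": ("src", ["0.0.0.0/0"])}, []
    for parts in (line.split() for line in text.splitlines()):
        if parts and parts[0] == "acl":  # repeated acl lines accumulate values, as in Squid
            acls.setdefault(parts[1], (parts[2], []))[1].extend(parts[3:])
        elif parts and parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return acls, rules

def to_minutes(hhmm):
    hours, minutes = hhmm.split(":")
    return int(hours) * 60 + int(minutes)

def acl_matches(kind, values, req):
    if kind == "src":
        return any(ip_address(req["src"]) in ip_network(v, strict=False) for v in values)
    if kind == "dstdomain":  # a leading dot matches the domain and every subdomain of it
        return any(req["host"] == v or (v.startswith(".") and req["host"].endswith(v)) for v in values)
    if kind == "time":
        days = "".join(v for v in values if ":" not in v)
        start, end = (to_minutes(t) for t in next(v for v in values if ":" in v).split("-"))
        now = datetime.fromisoformat(req["time"])  # request time as "YYYY-MM-DD HH:MM"
        return DAY_CODES[now.weekday()] in days and start <= now.hour * 60 + now.minute <= end
    raise ValueError(f"unsupported acl type {kind}")

def http_access(conf_text, req):
    # First match wins: every ACL on the line must match (a "!" prefix negates), then stop.
    acls, rules = parse_conf(conf_text)
    for verdict, names in rules:
        if all(acl_matches(*acls[n.lstrip("!")], req) != n.startswith("!") for n in names):
            return verdict
    return "deny"  # only reached if the config lacks the closing "http_access deny all"
```

Feeding it the same rules with the RestrictedHost deny moved below the allow line reproduces the ordering mistake the text warns about: 192.168.1.23 is then allowed during business hours.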
Restricting web access by IP address

We can create ACLs that restrict the web access of specific users via the IP addresses they use. In the example below we define the LAN address range as 192.168.1.0:
#
# Add to the bottom of the ACL section of squid.conf
#
acl home_network src 192.168.1.0/255.255.255.0
Add the corresponding http_access statement to allow the IP addresses that match the ACL:
#
# Add to the top of the http_access section of squid.conf
#
http_access allow home_network
In addition, we can configure user authentication with a user name and password. See the Squid documentation for details.

Forcing all users to use Squid

To force all users' web access through Squid, we set up the firewall (iptables) so that only the Squid server is able to reach the internet. Users who want internet access must go through Squid.
Making the Squid server transparent to users
To restrict web access to the Squid server alone without changing any proxy settings in users' browsers, we configure Squid to accept users' web connections automatically (transparent mode).
Versions before 2.6: set the following parameters:
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
Version 2.6 and later: add the keyword transparent after the port declaration:
http_port 8080 transparent

Configuring iptables for a Squid transparent proxy

To force every web connection request through the Squid proxy, we configure iptables as follows:
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 \
-j REDIRECT --to-port 3128
iptables -A INPUT -j ACCEPT -m state \
--state NEW,ESTABLISHED,RELATED -i eth1 -p tcp \
--dport 3128
iptables -A OUTPUT -j ACCEPT -m state \
--state NEW,ESTABLISHED,RELATED -o eth0 -p tcp \
--dport 80
iptables -A INPUT -j ACCEPT -m state \
--state ESTABLISHED,RELATED -i eth0 -p tcp \
--sport 80
iptables -A OUTPUT -j ACCEPT -m state \
--state ESTABLISHED,RELATED -o eth1 -p tcp \
--sport 80
Here eth0 is connected to the internet, eth1 to the internal network, and Squid and iptables run on the same server.
For details on other cases, such as multiple LANs, iptables and Squid on different servers, or Squid optimization tricks, consult the detailed Squid documentation (at www.squid-cache.org) and Linux administration references.

A transparent Squid proxy lets clients reach the internet without any configuration on their side; everything is configured on the server. With Squid 2.6 and later, a transparent proxy only needs this line added to the configuration file:
http_port 3128 transparent

Then run the following iptables commands:
# iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128
# echo 1 > /proc/sys/net/ipv4/ip_forward

where eth1 is the network card connected to the LAN. The first command redirects all connections bound for port 80 to port 3128; the second enables IP forwarding.
However, if your server connects to the internet via ppp0 on a network card other than eth0, one more command is needed:
# iptables --table nat --append POSTROUTING --out-interface ppp0 -j MASQUERADE

Restart Squid and you are done.

To check whether the transparent proxy is working, open any web page on a client and run the following in a terminal on the server:
# tail /var/log/squid/access.log

You will easily see the request there. Remember that nothing needs to be configured on the client.
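An added Python example (not from the original page) that reads lines in Squid's native access.log format, the file tailed above, and summarizes per client how many requests went through the proxy, how many were served from the cache and how many were denied by an http_access rule; the log lines are constructed samples with documentation-range peer addresses.

```python
from collections import defaultdict

# Constructed sample in Squid's native access.log format (not a real capture); fields are
# timestamp elapsed client result/status bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
1199145600.123    245 192.168.1.50 TCP_MISS/200 4521 GET http://www.openfree.org/ - DIRECT/203.0.113.10 text/html
1199145601.456      3 192.168.1.50 TCP_HIT/200 4521 GET http://www.openfree.org/ - NONE/- text/html
1199145602.789     12 192.168.1.77 TCP_DENIED/403 1367 GET http://www.porn.com/ - NONE/- text/html
1199145603.000    180 192.168.1.77 TCP_MISS/200 8800 GET http://www.ncsteam.com/ - DIRECT/203.0.113.20 text/html
1199145604.500      2 192.168.1.60 TCP_MEM_HIT/200 8800 GET http://www.ncsteam.com/ - NONE/- text/html
"""

def parse_line(line):
    fields = line.split()
    if len(fields) < 10 or "/" not in fields[3]:
        return None  # truncated or unrelated line
    result, status = fields[3].split("/", 1)
    return {"client": fields[2], "result": result, "status": int(status),
            "bytes": int(fields[4]), "url": fields[6]}

def summarize(log_text):
    """Per-client request count, cache hits, denials and bytes served from the cache."""
    stats = defaultdict(lambda: {"requests": 0, "hits": 0, "denied": 0, "cached_bytes": 0})
    for entry in filter(None, map(parse_line, log_text.splitlines())):
        s = stats[entry["client"]]
        s["requests"] += 1
        if "HIT" in entry["result"]:          # TCP_HIT, TCP_MEM_HIT, TCP_IMS_HIT, ...
            s["hits"] += 1
            s["cached_bytes"] += entry["bytes"]
        if entry["result"] == "TCP_DENIED":   # blocked by an http_access deny line
            s["denied"] += 1
    return dict(stats)

def hit_ratio(stats):
    """Share of all logged requests answered from the cache (the bandwidth saving)."""
    total = sum(s["requests"] for s in stats.values())
    return sum(s["hits"] for s in stats.values()) / total if total else 0.0
```

A client address that never appears in the summary after browsing is one whose port 80 traffic is not being redirected to Squid.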
