相关文章推荐
小百科  ›  Chapter 16. Configuring the Squid Caching Proxy Server Red Hat Enterprise Linux 7 | Red Hat Customer Portal
squid acl
慷慨大方的火腿肠
1 年前

Increase visibility into IT operations to detect and resolve technical issues before they impact your business.

Learn More Go to Insights

Engage with our Red Hat Product Security team, access security updates, and ensure your environments are not exposed to any known security vulnerabilities. Product Security Center

Keep your systems secure with Red Hat's specialized responses to security vulnerabilities. View Responses Squid is a proxy server that caches content to reduce bandwidth and load web pages more quickly. This chapter describes how to set up Squid as a proxy for the HTTP, HTTPS, and FTP protocol, as well as authentication and restricting access.

This section describes a basic configuration of Squid as a caching proxy without authentication. The procedure limits access to the proxy based on IP ranges.

Prerequisites

Procedure

  1. Install the squid package: 
    # yum install squid
  2. Edit the /etc/squid/squid.conf file: Adapt the localnet access control lists (ACL) to match the IP ranges that should be allowed to use the proxy: 
    acl localnet src 192.0.2.0/24
acl localnet 2001:db8::/32
    By default, the /etc/squid/squid.conf file contains the http_access allow localnet rule that allows using the proxy from all IP ranges specified in localnet ACLs. Note that you must specify all localnet ACLs before the http_access allow localnet rule.

    Important

    Remove all existing acl localnet entries that do not match your environment. The following ACL exists in the default configuration and defines 443 as a port that uses the HTTPS protocol: 
    acl SSL_ports port 443
    If users should be able to use the HTTPS protocol also on other ports, add an ACL for each of these port: 
    acl SSL_ports port port_number
  3. Update the list of acl Safe_ports rules to configure to which ports Squid can establish a connection. For example, to configure that clients using the proxy can only access resources on port 21 (FTP), 80 (HTTP), and 443 (HTTPS), keep only the following acl Safe_ports statements in the configuration: 
    acl Safe_ports port 21
acl Safe_ports port 80
acl Safe_ports port 443
    By default, the configuration contains the http_access deny !Safe_ports rule that defines access denial to ports that are not defined in Safe_ports ACLs. Configure the cache type, the path to the cache directory, the cache size, and further cache type-specific settings in the cache_dir parameter: 
    cache_dir ufs /var/spool/squid 10000 16 256
    With these settings: Squid uses the ufs cache type. Squid stores its cache in the /var/spool/squid/ directory. The cache grows up to 10000 MB. Squid creates 16 level-1 sub-directories in the /var/spool/squid/ directory. Squid creates 256 sub-directories in each level-1 directory. If you do not set a cache_dir directive, Squid stores the cache in memory. If you set a different cache directory than /var/spool/squid/ in the cache_dir parameter: Create the cache directory: 
    # mkdir -p path_to_cache_directory
  4. Configure the permissions for the cache directory: 
    # chown squid:squid path_to_cache_directory
  5. If you run SELinux in enforcing mode, set the squid_cache_t context for the cache directory: 
    # semanage fcontext -a -t squid_cache_t "path_to_cache_directory(/.*)?"
# restorecon -Rv path_to_cache_directory
    If the semanage utility is not available on your system, install the policycoreutils-python-utils package. Open the 3128 port in the firewall: 
    # firewall-cmd --permanent --add-port=3128/tcp
# firewall-cmd --reload
  6. Start the squid service: 
    # systemctl start squid
  7. Enable the squid service to start automatically when the system boots: 
    # systemctl enable squid

Verification Steps

To verify that the proxy works correctly, download a web page using the curl utility: 
# curl -O -L "https://www.redhat.com/index.html" -x "proxy.example.com:3128"
If curl does not display any error and the index.html file was downloaded to the current directory, the proxy works.
 
推荐文章
Link管理   ·   51好读   ·   Sov5搜索   ·   小百科
小百科 - 百科知识指南