Squid on CentOS 6.x - Basic Installation and Configuration

In this chapter we take a closer look at installing and configuring Squid on CentOS 6.x.

As usual, the required packages are installed via yum, which we run as the user root.

 # su -
 # yum install squid -y

Which files the squid package brings along is revealed, once the package has been installed, by a look at the RPM:

 # rpm -qil squid
 

The proxy server is configured through the central configuration file /etc/squid/squid.conf.

Basic configuration

In the first step we content ourselves with adapting the configuration to our network and enabling the Squid cache. One point to keep in mind when reading the listing: it leaves http_access deny to_localhost commented out, as the stock file does, although the file's own comment strongly recommends enabling it so that proxy clients cannot reach services bound to the proxy host's loopback interface that assume only local users can talk to them.

Using the editor of our choice, e.g. vim, we now edit Squid's configuration file:

 # vim /etc/squid/squid.conf
/etc/squid/squid.conf
#
# Recommended minimum configuration:
#
acl manager proto cache_object
acl localhost src 127.0.0.1/32
# Django : 2011-11-14 IPv6 disabled
# acl localhost src ::1/128
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
# Django : 2011-11-14 IPv6 disabled
# acl to_localhost dst ::1/128
 
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
# Django : 2011-11-14 definition of our own network(s)
# acl localnet src 10.0.0.0/8   # RFC1918 possible internal network
# acl localnet src 172.16.0.0/12        # RFC1918 possible internal network
# acl localnet src 192.168.0.0/16       # RFC1918 possible internal network
# acl localnet src fc00::/7   # RFC 4193 local private network range
# acl localnet src fe80::/10  # RFC 4291 link-local (directly plugged) machines
acl localnet src 10.0.0.0/24
acl localnet src 10.0.10.0/26
 
 
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
 
#
# Recommended minimum Access Permission configuration:
#
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
 
# Deny requests to certain unsafe ports
http_access deny !Safe_ports
 
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
 
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost
 
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
 
# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost
 
# And finally deny all other access to this proxy
http_access deny all
 
# Squid normally listens to port 3128
http_port 3128
 
# We recommend you to use at least the following line.
hierarchy_stoplist cgi-bin ?
 
# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/spool/squid 100 16 256
# Django 2011-11-14 : Squid cache enabled
cache_dir ufs /var/spool/squid 100 16 25
 
# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid
 
# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320
 
# Django : 2011-11-14 definition of the Squid log format
logformat squid  %tl.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt
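Before restarting Squid with a policy like the one above, it pays to check the three settings that decide whether the box is a private caching proxy or an open one. The following shell script is an added example and not part of the original page or of Squid; it reads a squid.conf from stdin, strips comments, and reports whether http_access deny to_localhost is active and placed before http_access allow localnet, whether the last http_access rule is an explicit deny all, and whether acl localnet src matches every address. The two sample configurations, the function name audit_squid_conf and the FINDING/findings= output lines are the example's own.

```shell
#!/bin/sh
# Added example, not part of the original page: audit the http_access policy
# of a squid.conf read from stdin. Names are the example's own, not Squid's.

audit_squid_conf() {
    # Strip comments and blank lines first, so a commented-out rule counts as
    # absent, then evaluate the effective rule list in order.
    sed -e 's/#.*$//' -e 's/[[:space:]]*$//' | grep -v '^[[:space:]]*$' | awk '
        /^http_access[ \t]+deny[ \t]+to_localhost([ \t]|$)/ && !d { d = NR }
        /^http_access[ \t]+allow[ \t]+localnet([ \t]|$)/   && !a { a = NR }
        /^http_access[ \t]/ { last = $0 }
        /^acl[ \t]+localnet[ \t]+src[ \t]+(all|0\.0\.0\.0\/0|::\/0)([ \t]|$)/ { open = 1 }
        END {
            n = 0
            if (!d) {
                print "FINDING: http_access deny to_localhost is missing or commented out"; n++
            } else if (a && d > a) {
                print "FINDING: http_access deny to_localhost comes after allow localnet and never matches for local clients"; n++
            }
            if (last !~ /^http_access[ \t]+deny[ \t]+all$/) {
                print "FINDING: last http_access rule is not \"deny all\" (got: " last ")"; n++
            }
            if (open) {
                print "FINDING: acl localnet matches every source address (open proxy)"; n++
            }
            print "findings=" n
        }'
}

# Constructed sample 1: the page's policy with two weak spots left in
# (deny to_localhost commented out, localnet widened to everyone).
WEAK_CONF=$(cat <<'EOF'
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
acl localnet src 0.0.0.0/0      # "everyone" - this makes an open proxy
acl SSL_ports port 443
acl Safe_ports port 80
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
#http_access deny to_localhost
http_access allow localnet
http_access allow localhost
http_access deny all
http_port 3128
EOF
)

# Constructed sample 2: the same policy hardened.
HARDENED_CONF=$(cat <<'EOF'
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
acl localnet src 10.0.0.0/24
acl localnet src 10.0.10.0/26
acl SSL_ports port 443
acl Safe_ports port 80
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
http_access allow localnet
http_access allow localhost
http_access deny all
http_port 3128
EOF
)

echo "== weak config ==";     printf '%s\n' "$WEAK_CONF"     | audit_squid_conf
echo "== hardened config =="; printf '%s\n' "$HARDENED_CONF" | audit_squid_conf
```

On the real file, run it as audit_squid_conf < /etc/squid/squid.conf and combine it with Squid's own syntax check, squid -k parse, which catches typos but says nothing about whether the policy is sane. The comment stripping is deliberately simple (everything after a # on a line), which is fine for the http_access and acl lines it inspects.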

Adjusting the packet filter

So that requests to port 3128 are accepted on our Squid server, we now adjust the iptables filter rules on the system.

We first check the current packet filter settings:

 # iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
ACCEPT     icmp --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh 
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited 
 
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited 
 
Chain OUTPUT (policy ACCEPT)

For the Squid proxy server, which will listen on port 3128, we therefore enter a matching rule in the configuration file of the packet filter iptables. Note that the rule as written accepts connections to port 3128 from any source address and leaves it to Squid's http_access rules to turn foreign clients away; on a host with an interface towards an untrusted network, the rule should be limited to the local networks with -s.

 # vim /etc/sysconfig/iptables
/etc/sysconfig/iptables
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
# Django : 2011-11-14 squid proxy access opened
-A INPUT -m state --state NEW -m tcp -p tcp --dport 3128 -j ACCEPT
#
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

Then we activate the new rule by restarting the iptables service.

 # service iptables restart
 iptables: Flushing firewall rules:                         [  OK  ]
 iptables: Setting chains to policy ACCEPT: filter          [  OK  ]
 iptables: Unloading modules:                               [  OK  ]
 iptables: Applying firewall rules:                         [  OK  ]

Querying the packet filter rules again now shows the new entry (without -n, iptables -L resolves port 3128 to the service name squid from /etc/services):

 # iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
ACCEPT     icmp --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh 
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:squid 
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited 
 
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited 
 
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
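The rule above opens port 3128 to every source, which is more than the proxy policy needs: Squid only serves the networks listed as acl localnet src. The following script is an added example, not part of the original page or of the iptables package; it reads a squid.conf from stdin and emits one INPUT rule per localnet IPv4 prefix in the syntax of /etc/sysconfig/iptables, so the packet filter mirrors the proxy's own allow list and a mistake in http_access is no longer the only thing between the Internet and the proxy. IPv6 prefixes are set aside because they belong in ip6tables. The function name squid_localnet_rules and the sample ACL lines are the example's own.

```shell
#!/bin/sh
# Added example, not part of the original page: derive the iptables rules for
# Squid's port from the "acl localnet src" lines of a squid.conf on stdin.

squid_localnet_rules() {
    port="${1:-3128}"          # Squid's listening port; 3128 as on the page
    sed 's/#.*$//' | awk -v port="$port" '
        $1 == "acl" && $2 == "localnet" && $3 == "src" {
            for (i = 4; i <= NF; i++) {
                # Only IPv4 prefixes belong in iptables; IPv6 ones go to ip6tables.
                if ($i ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(\/[0-9]+)?$/)
                    printf "-A INPUT -s %s -m state --state NEW -m tcp -p tcp --dport %s -j ACCEPT\n", $i, port
                else
                    printf "# skipped non-IPv4 source %s (use ip6tables)\n", $i
            }
        }'
}

# Constructed sample: the localnet definitions from the listing above plus an
# IPv6 range, to show it is set aside rather than silently turned into a rule.
SAMPLE_ACLS=$(cat <<'EOF'
acl localhost src 127.0.0.1/32
acl localnet src 10.0.0.0/24
acl localnet src 10.0.10.0/26
acl localnet src fc00::/7   # RFC 4193 local private network range
EOF
)

printf '%s\n' "$SAMPLE_ACLS" | squid_localnet_rules
```

The emitted lines replace the single --dport 3128 rule in /etc/sysconfig/iptables (they must stay above the final REJECT rule); after service iptables restart, iptables -S INPUT shows them in the same -A syntax. Run the script again whenever acl localnet changes so the two allow lists do not drift apart.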

First start

Now it is time to start our Squid proxy server for the first time.

 # service squid start
 init_cache_dir /var/spool/squid... Starting squid: .       [  OK  ]

The successful start is logged accordingly in /var/log/squid/cache.log:

2011/11/14 09:42:45| Creating Swap Directories
2011/11/14 09:42:45| /var/spool/squid exists
2011/11/14 09:42:45| Making directories in /var/spool/squid/00
2011/11/14 09:42:45| Making directories in /var/spool/squid/01
2011/11/14 09:42:45| Making directories in /var/spool/squid/02
2011/11/14 09:42:45| Making directories in /var/spool/squid/03
2011/11/14 09:42:45| Making directories in /var/spool/squid/04
2011/11/14 09:42:45| Making directories in /var/spool/squid/05
2011/11/14 09:42:45| Making directories in /var/spool/squid/06
2011/11/14 09:42:45| Making directories in /var/spool/squid/07
2011/11/14 09:42:45| Making directories in /var/spool/squid/08
2011/11/14 09:42:45| Making directories in /var/spool/squid/09
2011/11/14 09:42:45| Making directories in /var/spool/squid/0A
2011/11/14 09:42:45| Making directories in /var/spool/squid/0B
2011/11/14 09:42:45| Making directories in /var/spool/squid/0C
2011/11/14 09:42:45| Making directories in /var/spool/squid/0D
2011/11/14 09:42:45| Making directories in /var/spool/squid/0E
2011/11/14 09:42:45| Making directories in /var/spool/squid/0F
2011/11/14 09:42:45| Starting Squid Cache version 3.1.4 for x86_64-unknown-linux-gnu...
2011/11/14 09:42:45| Process ID 8995
2011/11/14 09:42:45| With 1024 file descriptors available
2011/11/14 09:42:45| Initializing IP Cache...
2011/11/14 09:42:45| DNS Socket created at [::], FD 7
2011/11/14 09:42:45| Adding domain dmz.nausch.org from /etc/resolv.conf
2011/11/14 09:42:45| Adding domain intra.nausch.org from /etc/resolv.conf
2011/11/14 09:42:45| Adding domain nausch.org from /etc/resolv.conf
2011/11/14 09:42:45| Adding nameserver 10.0.0.20 from /etc/resolv.conf
2011/11/14 09:42:45| User-Agent logging is disabled.
2011/11/14 09:42:45| Referer logging is disabled.
2011/11/14 09:42:46| Unlinkd pipe opened on FD 12
2011/11/14 09:42:46| Local cache digest enabled; rebuild/rewrite every 3600/3600 sec
2011/11/14 09:42:46| Store logging disabled
2011/11/14 09:42:46| Swap maxSize 102400 + 262144 KB, estimated 28041 objects
2011/11/14 09:42:46| Target number of buckets: 1402
2011/11/14 09:42:46| Using 8192 Store buckets
2011/11/14 09:42:46| Max Mem  size: 262144 KB
2011/11/14 09:42:46| Max Swap size: 102400 KB
2011/11/14 09:42:46| Rebuilding storage in /var/spool/squid (DIRTY)
2011/11/14 09:42:46| Using Least Load store dir selection
2011/11/14 09:42:46| Set Current Directory to /var/spool/squid
2011/11/14 09:42:46| Loaded Icons.
2011/11/14 09:42:46| Accepting  HTTP connections at [::]:3128, FD 14.
2011/11/14 09:42:46| HTCP Disabled.
2011/11/14 09:42:46| Squid modules loaded: 0
2011/11/14 09:42:46| Adaptation support is off.
2011/11/14 09:42:46| Ready to serve requests.
2011/11/14 09:42:46| Done scanning /var/spool/squid swaplog (0 entries)
2011/11/14 09:42:46| Finished rebuilding storage from disk.
2011/11/14 09:42:46|         0 Entries scanned
2011/11/14 09:42:46|         0 Invalid entries.
2011/11/14 09:42:46|         0 With invalid flags.
2011/11/14 09:42:46|         0 Objects loaded.
2011/11/14 09:42:46|         0 Objects expired.
2011/11/14 09:42:46|         0 Objects cancelled.
2011/11/14 09:42:46|         0 Duplicate URLs purged.
2011/11/14 09:42:46|         0 Swapfile clashes avoided.
2011/11/14 09:42:46|   Took 0.01 seconds (  0.00 objects/sec).
2011/11/14 09:42:46| Beginning Validation Procedure
2011/11/14 09:42:46|   Completed Validation Procedure
2011/11/14 09:42:46|   Validated 25 Entries
2011/11/14 09:42:46|   store_swap_size = 0
2011/11/14 09:42:47| storeLateRelease: released 0 objects

In the cache directory /var/spool/squid we defined, the swap directories were created automatically: 16 first-level directories (00 to 0F), each containing 25 second-level directories, matching the L1 and L2 values 16 and 25 of our cache_dir line (hence the link count of 27 on each of them).

 # ll /var/spool/squid
total 84
drwxr-x---  27 squid squid  4096 Nov 14 09:42 00
drwxr-x---  27 squid squid  4096 Nov 14 09:42 01
drwxr-x---  27 squid squid  4096 Nov 14 09:42 02
drwxr-x---  27 squid squid  4096 Nov 14 09:42 03
drwxr-x---  27 squid squid  4096 Nov 14 09:42 04
drwxr-x---  27 squid squid  4096 Nov 14 09:42 05
drwxr-x---  27 squid squid  4096 Nov 14 09:42 06
drwxr-x---  27 squid squid  4096 Nov 14 09:42 07
drwxr-x---  27 squid squid  4096 Nov 14 09:42 08
drwxr-x---  27 squid squid  4096 Nov 14 09:42 09
drwxr-x---  27 squid squid  4096 Nov 14 09:42 0A
drwxr-x---  27 squid squid  4096 Nov 14 09:42 0B
drwxr-x---  27 squid squid  4096 Nov 14 09:42 0C
drwxr-x---  27 squid squid  4096 Nov 14 09:42 0D
drwxr-x---  27 squid squid  4096 Nov 14 09:42 0E
drwxr-x---  27 squid squid  4096 Nov 14 09:42 0F
drwx------.  2 squid squid 16384 Nov 11 19:55 lost+found
-rw-r-----   1 squid squid    72 Nov 14 09:42 swap.state

Starting the service automatically at boot

So that the squid daemon starts automatically at every system boot, the start scripts are enabled with the following command:

 # chkconfig squid on

Whether the squid daemon (service) really is started at every boot can be checked with the following command:

 # chkconfig --list | grep squid
 squid           0:Aus   1:Aus   2:Ein   3:Ein   4:Ein   5:Ein   6:Aus

What matters are the on switches (Ein in the German locale shown above) for runlevels 2, 3, 4 and 5.

On a first (test) host in our network we now enter our newly defined Squid proxy server as the proxy in the browser. Taking Firefox as the example, the relevant settings are found on the [Network] tab under [Preferences].

Screenshot: Preferences / Network

In the following settings window we enter the IP address of our Squid proxy server as well as the port number 3128.

Screenshot: Preferences / Network proxy

When we now open any page on the Internet, the Squid proxy server documents its activity in the access log, /var/log/squid/access.log, written in the squid logformat we redefined above:

 14/Nov/2011:10:27:51 +0100.174    451 10.0.0.20 TCP_MISS/200 32093 GET http://wetterstation-pliening.info/ - DIRECT/88.217.187.21 text/html
 14/Nov/2011:10:27:51 +0100.201      6 10.0.0.20 TCP_MISS/403 544 GET http://wetter.nausch.org/wxtoimg-appetizer.png - DIRECT/88.217.187.21 text/html
 14/Nov/2011:10:27:51 +0100.566    364 10.0.0.20 TCP_MISS/200 13226 GET http://wetterstation-pliening.info/quer.png - DIRECT/88.217.187.21 image/png
 14/Nov/2011:10:27:51 +0100.693    485 10.0.0.20 TCP_MISS/200 1705 GET http://wetterstation-pliening.info/baromday.png - DIRECT/88.217.187.21 image/png
 14/Nov/2011:10:27:51 +0100.765    563 10.0.0.20 TCP_MISS/200 2329 GET http://wetterstation-pliening.info/tempdaycomp.png - DIRECT/88.217.187.21 image/png
 14/Nov/2011:10:27:51 +0100.880    185 10.0.0.20 TCP_MISS/200 19350 GET http://piwik.nausch.org/piwik.js - DIRECT/88.217.187.21 application/x-javascript
 14/Nov/2011:10:27:51 +0100.932    742 10.0.0.20 TCP_MISS/200 2652 GET http://wetterstation-pliening.info/django_bg.jpg - DIRECT/88.217.187.21 image/jpeg
 14/Nov/2011:10:27:52 +0100.185    304 10.0.0.20 TCP_MISS/200 3327 GET http://wetterstation-pliening.info/knopf.png - DIRECT/88.217.187.21 image/png
 14/Nov/2011:10:27:52 +0100.247     60 10.0.0.20 TCP_MISS/200 1222 GET http://wetterstation-pliening.info/humiddial.png - DIRECT/88.217.187.21 image/png
 14/Nov/2011:10:27:52 +0100.388   1186 10.0.0.20 TCP_MISS/200 1965 GET http://wetterstation-pliening.info/heatchillcomp.png - DIRECT/88.217.187.21 image/png
 14/Nov/2011:10:27:52 +0100.730   1534 10.0.0.20 TCP_MISS/200 9338 GET http://piwik.nausch.org/index.php? - DIRECT/88.217.187.21 text/html
 14/Nov/2011:10:27:53 +0100.124    638 10.0.0.20 TCP_MISS/200 13147 GET http://piwik.nausch.org/index.php? - DIRECT/88.217.187.21 text/css
 14/Nov/2011:10:27:53 +0100.221   1654 10.0.0.20 TCP_MISS/200 2853 GET http://www4.clustrmaps.com/counter/map.js - DIRECT/67.228.10.162 text/javascript
 14/Nov/2011:10:27:53 +0100.240    992 10.0.0.20 TCP_MISS/200 1392 GET http://wetterstation-pliening.info/netRainDay.png - DIRECT/88.217.187.21 image/png
 14/Nov/2011:10:27:53 +0100.411   2220 10.0.0.20 TCP_MISS/200 50809 GET http://wetterstation-pliening.info/wetterstation-pliening.info-banner.png - DIRECT/88.217.187.21 image/png
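Reading the access log by eye works for a first test; for anything more it helps to have a small summariser that understands the custom format, because the %tl token expands to "14/Nov/2011:10:27:51 +0100" and so occupies two whitespace-separated fields: the client address is field 4 and the TCP_MISS/200 pair is field 5, one further right than with the default squid format. The following script is an added example and not part of the original page or of Squid. Per client it reports requests, bytes sent and requests Squid itself denied, and it counts CONNECT requests to ports other than 443 and requests aimed at the proxy host's loopback interface, the two things the http_access rules above are meant to stop. The first two sample lines are taken from the log shown above; the remaining three are constructed, and the function name access_summary and the output format are the example's own.

```shell
#!/bin/sh
# Added example, not part of the original page: summarise access.log lines in
# the page's logformat
#   %tl.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt
# %tl contains a space, so fields are: $1 $2 timestamp, $3 elapsed ms,
# $4 client, $5 squid-status/HTTP-status, $6 bytes, $7 method, $8 URL,
# $9 user, $10 hierarchy/peer, $11 MIME type.

access_summary() {
    awk '
        {
            client = $4
            split($5, st, "/")          # st[1] = TCP_MISS etc., st[2] = HTTP status
            bytes = $6; method = $7; url = $8
            reqs[client]++
            sent[client] += bytes
            if (st[1] == "TCP_DENIED") denied[client]++
            if (method == "CONNECT" && url !~ /:443$/) connect_non_443++
            if (url ~ /(^|\/\/)(127\.[0-9.]+|localhost)([:\/]|$)/) loopback_targets++
        }
        END {
            for (c in reqs)
                printf "%s requests=%d bytes=%d denied=%d\n", c, reqs[c], sent[c], denied[c] + 0
            printf "connect_non_443=%d\n", connect_non_443 + 0
            printf "loopback_targets=%d\n", loopback_targets + 0
        }' | LC_ALL=C sort
}

# Sample input: lines 1 and 2 are from the access log shown above; lines 3 to 5
# are constructed to exercise the CONNECT, denied and loopback cases.
SAMPLE_LOG=$(cat <<'EOF'
14/Nov/2011:10:27:51 +0100.174    451 10.0.0.20 TCP_MISS/200 32093 GET http://wetterstation-pliening.info/ - DIRECT/88.217.187.21 text/html
14/Nov/2011:10:27:51 +0100.201      6 10.0.0.20 TCP_MISS/403 544 GET http://wetter.nausch.org/wxtoimg-appetizer.png - DIRECT/88.217.187.21 text/html
14/Nov/2011:10:31:02 +0100.010    120 10.0.0.20 TCP_MISS/200 5120 CONNECT mail.example.net:443 - DIRECT/192.0.2.10 -
14/Nov/2011:10:31:05 +0100.330      0 10.0.0.77 TCP_DENIED/403 3412 CONNECT mail.example.net:25 - NONE/- text/html
14/Nov/2011:10:31:06 +0100.401      0 10.0.0.77 TCP_DENIED/403 3391 GET http://127.0.0.1:8080/ - NONE/- text/html
EOF
)

printf '%s\n' "$SAMPLE_LOG" | access_summary
```

On the live system, access_summary < /var/log/squid/access.log gives the same table for the whole log. A client with a rising denied count, CONNECT attempts to ports such as 25, or requests for 127.0.0.1 URLs is probing what the proxy will relay; the second sample client shows all three. Note that the origin's own 403 in line 2 is not counted as denied, since TCP_MISS means Squid forwarded the request.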
