Basic SQUID configuration


A quick-start guide for the #SQUID proxy server.

Installation

  • Install the SQUID package:
```shell
apt update && apt install --yes squid
```

Configuration

  • Replace the configuration file /etc/squid/squid.conf with the following:
squid.conf
```conf
# -------------------------------------------------------------------------------------------------------------------- #
# GENERAL OPTIONS
# -------------------------------------------------------------------------------------------------------------------- #

coredump_dir /var/spool/squid
http_port 3128

# -------------------------------------------------------------------------------------------------------------------- #
# OPTIONS FOR AUTHENTICATION
# -------------------------------------------------------------------------------------------------------------------- #

auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/users.conf
auth_param basic children 10
auth_param basic realm Proxy Server
auth_param basic credentialsttl 24 hours

# -------------------------------------------------------------------------------------------------------------------- #
# ACCESS CONTROLS
# -------------------------------------------------------------------------------------------------------------------- #

acl localnet src 0.0.0.1-0.255.255.255  # RFC 1122 "this" network (LAN).
acl localnet src 10.0.0.0/8             # RFC 1918 local private network (LAN).
acl localnet src 100.64.0.0/10          # RFC 6598 shared address space (CGN).
acl localnet src 169.254.0.0/16         # RFC 3927 link-local (directly plugged) machines.
acl localnet src 172.16.0.0/12          # RFC 1918 local private network (LAN).
acl localnet src 192.168.0.0/16         # RFC 1918 local private network (LAN).
acl localnet src fc00::/7               # RFC 4193 local private network range.
acl localnet src fe80::/10              # RFC 4291 link-local (directly plugged) machines.

# Clients allowed without a login and password. Every acl referenced by an
# http_access line must be defined, so uncomment these together with the
# "http_access allow clients" rule below.
# acl clients src 185.60.216.35         # Allowed client IP.
# acl clients src 172.217.12.174        # Allowed client IP.
# acl clients src 104.244.42.129        # Allowed client IP.

acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 21
acl Safe_ports port 443
acl CONNECT method CONNECT              # Needed by the CONNECT rule below (as in the stock squid.conf).

acl Safe_methods method GET POST OPTIONS CONNECT
acl users proxy_auth REQUIRED

# Access permission configuration. Rules are evaluated top to bottom; the
# first matching rule decides.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports     # Only allow CONNECT (tunnels) to the SSL_ports, as in the stock squid.conf.
http_access allow localnet
http_access allow localhost
# http_access allow clients             # Uncomment together with the clients acl above.
http_access allow users

# Deny all other access to proxy.
http_access deny all

# -------------------------------------------------------------------------------------------------------------------- #
# OPTIONS FOR TUNING THE CACHE
# -------------------------------------------------------------------------------------------------------------------- #

refresh_pattern ^ftp:             1440  20%   10080
refresh_pattern ^gopher:          1440  0%    1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%    0
refresh_pattern .                 0     20%   4320

# -------------------------------------------------------------------------------------------------------------------- #
# SECURITY
# -------------------------------------------------------------------------------------------------------------------- #

httpd_suppress_version_string on
via off
forwarded_for delete
follow_x_forwarded_for deny all

reply_header_access X-Cache deny all
reply_header_access X-Cache-Lookup deny all
reply_header_access Server deny all

request_header_access Allow allow all
request_header_access Authorization allow all
request_header_access WWW-Authenticate allow all
request_header_access Proxy-Authorization allow all
request_header_access Proxy-Authenticate allow all
request_header_access Cache-Control allow all
request_header_access Content-Encoding allow all
request_header_access Content-Length allow all
request_header_access Content-Type allow all
request_header_access Date allow all
request_header_access Expires allow all
request_header_access Host allow all
request_header_access If-Modified-Since allow all
request_header_access Last-Modified allow all
request_header_access Location allow all
request_header_access Pragma allow all
request_header_access Accept allow all
request_header_access Accept-Charset allow all
request_header_access Accept-Encoding allow all
request_header_access Accept-Language allow all
request_header_access Content-Language allow all
request_header_access Mime-Version allow all
request_header_access Retry-After allow all
request_header_access Title allow all
request_header_access Connection allow all
request_header_access Proxy-Connection allow all
request_header_access User-Agent allow all
request_header_access All deny all
```

Parameters

Parameters worth paying attention to:

  • auth_param - the authentication parameter.
    • basic - the Basic authentication scheme.
      • program /usr/lib/squid/basic_ncsa_auth /etc/squid/users.conf - the authentication helper and the file that holds user logins and password hashes.
      • realm Proxy Server - the string (server name) shown in the client's login prompt. Default: Squid proxy-caching web server.
  • acl - an access list.
    • clients - the name of the access list for clients allowed WITHOUT entering a login and password.
      • src - the list of client IP addresses allowed WITHOUT entering a login and password.

Note that http_access rules are evaluated top to bottom and the first rule whose ACLs all match decides. Because allow localnet and allow localhost come before allow users, clients from those address ranges are never asked for credentials; only requests from other addresses reach the users rule. Every acl referenced by an http_access line must also be defined, otherwise Squid aborts at startup with a fatal configuration error, so the commented-out clients acl and its http_access rule have to be enabled together.
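
An added example, not part of the original page: a small Python model of how Squid walks the http_access list above (first rule whose ACLs all match wins), using the page's ACL names. The clients address 203.0.113.10 and the stock deny CONNECT !SSL_ports rule are assumptions made for this illustration; it shows that LAN clients are allowed before the users rule is reached, while outside clients need credentials.

```python
import ipaddress

# ACL table mirroring the squid.conf above (IPv4 only, for brevity). The
# `clients` address is a constructed RFC 5737 documentation address.
ACLS = {
    "localnet":   ("src", ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]),
    "localhost":  ("src", ["127.0.0.1/32"]),
    "clients":    ("src", ["203.0.113.10/32"]),
    "SSL_ports":  ("port", {443}),
    "Safe_ports": ("port", {80, 21, 443}),
    "CONNECT":    ("method", {"CONNECT"}),
    "users":      ("proxy_auth", None),   # REQUIRED: any authenticated user
}

# http_access lines in config order. The CONNECT rule is the stock squid.conf
# one and is an assumption here; everything else is taken from the page.
HTTP_ACCESS = [
    ("deny",  ["!Safe_ports"]),
    ("deny",  ["CONNECT", "!SSL_ports"]),
    ("allow", ["localnet"]),
    ("allow", ["localhost"]),
    ("allow", ["clients"]),
    ("allow", ["users"]),
    ("deny",  ["all"]),
]


def acl_matches(name, req):
    """Evaluate one named ACL against a request dict: src, port, method, user."""
    if name == "all":
        return True
    kind, values = ACLS[name]
    if kind == "src":
        ip = ipaddress.ip_address(req["src"])
        return any(ip in ipaddress.ip_network(net) for net in values)
    if kind == "port":
        return req["port"] in values
    if kind == "method":
        return req["method"] in values
    # proxy_auth REQUIRED: matches when the request carries valid credentials.
    return req.get("user") is not None


def http_access(req):
    """Walk the rules top to bottom; the first rule whose ACLs all match decides.

    Returns (verdict, index of the deciding rule); a leading '!' negates an ACL.
    """
    for index, (verdict, acls) in enumerate(HTTP_ACCESS):
        if all(acl_matches(a.lstrip("!"), req) != a.startswith("!") for a in acls):
            return verdict, index
    return "deny", -1   # unreachable here because the last rule is `deny all`
```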

Users

  • Create the file /etc/squid/users.conf with the users user01:user01 and user02:user02:
users.conf
```conf
user01:$2y$10$cw0GAqu2O1izjkewMh7bZ.Yv3krf4ypnvftjlz9WnHX5C1Jul9VlO
user02:$2y$10$5LzJ2CM3/QZnvs0sHatM2ewseoFRZiuqKLiL4ZSUsznq0ZjFojT66
```
  • Replace the contents of /etc/squid/users.conf with your own users. Passwords can be hashed with this tool by selecting Bcrypt mode.