Squid as an anonymous proxy server

The usefulness of anonymous proxy servers hardly needs explaining.
Squid is practically ideal for this purpose, and its installation and configuration are simple.

Steps for setting up an anonymous proxy

  1. Installing Squid
  2. Configuration
  3. Setting up ACLs
  4. Configuring the client (IE, Firefox)


Warning: Don't forget to set up the ACLs. You don't want someone browsing illegal sites through your anonymous proxy.


Installing Squid

It depends on the distribution.
Red Hat-like:

yum install squid

Configuration

The following config should be entirely sufficient to run an anonymous proxy. The Squid version is Squid Cache: Version 3.0.STABLE10.

acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access allow localhost
icp_access allow localnet
icp_access deny all

htcp_access allow localnet
htcp_access deny all
http_port 3128
hierarchy_stoplist cgi-bin ?
access_log /var/log/squid/access.log squid
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern (cgi-bin|\?)    0       0%      0
refresh_pattern .               0       20%     4320
icp_port 3130
coredump_dir /var/spool/squid

acl all src all
acl office src 208.77.188.166/32
acl home src 208.77.188.167/32
acl mybuddy src 208.77.188.168/32

http_access allow office
http_access allow home
http_access allow mybuddy
http_access deny all

http_reply_access allow office
http_reply_access allow home
http_reply_access allow mybuddy
http_reply_access deny all

forwarded_for off

request_header_access Allow allow all
request_header_access Authorization allow all
request_header_access WWW-Authenticate allow all
request_header_access Proxy-Authorization allow all
request_header_access Proxy-Authenticate allow all
request_header_access Cache-Control allow all
request_header_access Content-Encoding allow all
request_header_access Content-Length allow all
request_header_access Content-Type allow all
request_header_access Date allow all
request_header_access Expires allow all
request_header_access Host allow all
request_header_access If-Modified-Since allow all
request_header_access Last-Modified allow all
request_header_access Location allow all
request_header_access Pragma allow all
request_header_access Accept allow all
request_header_access Accept-Charset allow all
request_header_access Accept-Encoding allow all
request_header_access Accept-Language allow all
request_header_access Content-Language allow all
request_header_access Mime-Version allow all
request_header_access Retry-After allow all
request_header_access Title allow all
request_header_access Connection allow all
request_header_access Proxy-Connection allow all
request_header_access User-Agent allow all
request_header_access Cookie allow all
request_header_access All deny all

Setting up ACLs

Setting up the ACLs is really very important. They are already included in the previous step; now we will explain them a little.

This is how we define the IPs we want to allow:

acl all src all
acl office src 208.77.188.166/32
acl home src 208.77.188.167/32
acl mybuddy src 208.77.188.168/32

And this is how we allow them. Each rule must name an ACL defined above. Squid evaluates the rules from top to bottom and the first match decides, so deny all comes last:

http_access allow office
http_access allow home
http_access allow mybuddy
http_access deny all

http_reply_access allow office
http_reply_access allow home
http_reply_access allow mybuddy
http_reply_access deny all
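
A check for the ACL setup described above, as an added example that is not part of the original page: it reports access rules that reference an ACL name never defined by an acl line, and an http_access list that does not end with deny all. The function name lint_squid_acls, the sample config and its 192.0.2.x addresses are constructed for illustration, and treating all as predefined is an assumption.

```python
ACCESS_DIRECTIVES = {"http_access", "http_reply_access", "icp_access", "htcp_access"}
HEADER_DIRECTIVES = {"request_header_access"}  # header name precedes allow|deny
PREDEFINED = {"all"}  # assumption: treat 'all' as always available

# Constructed sample (documentation addresses from 192.0.2.0/24), with one typo.
SAMPLE_CONF = """\
acl ofice src 192.0.2.10/32
acl home src 192.0.2.11/32
http_access allow office
http_access allow home
http_access deny all
request_header_access All deny all
"""

def lint_squid_acls(conf_text):
    """Return a list of (line number, message) for ACL problems in conf_text."""
    defined = set(PREDEFINED)
    problems = []
    last_http_rule = None
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        tokens = raw.split("#", 1)[0].split()
        if not tokens:
            continue
        directive, args = tokens[0], tokens[1:]
        if directive == "acl":
            defined.update(args[:1])  # Squid needs an ACL defined before first use
            continue
        if directive in HEADER_DIRECTIVES:
            args = args[1:]  # skip the header name
        elif directive not in ACCESS_DIRECTIVES:
            continue
        if not args or args[0] not in ("allow", "deny"):
            problems.append((lineno, f"{directive}: expected allow or deny"))
            continue
        for name in args[1:]:
            name = name.lstrip("!")  # '!' negates an ACL in a rule
            if name not in defined:
                problems.append((lineno, f"{directive}: undefined ACL '{name}'"))
        if directive == "http_access":
            last_http_rule = (lineno, args)
    # Without a final catch-all, the default is the opposite of the last rule.
    if last_http_rule is None or last_http_rule[1] != ["deny", "all"]:
        where = last_http_rule[0] if last_http_rule else 0
        problems.append((where, "http_access: list does not end with 'deny all'"))
    return problems

if __name__ == "__main__":
    for lineno, message in lint_squid_acls(SAMPLE_CONF):
        print(f"line {lineno}: {message}")
```

Squid's own squid -k parse remains the authoritative syntax check before a restart.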

Configuring the client (IE, Firefox)

Don't forget that Squid listens on port 3128.

IE

Tools → Internet Options → Connections → LAN settings

Firefox

Tools → Options → Advanced → Network → Connection Settings

