proxy fc4 web

Post on 16-Jul-2015


Fedora Core 4

Proxy Server

Proxy Server: a proxy is a mediator that sits between the client computers and the servers they communicate with; every web request from the clients passes through it. Besides relaying requests it provides web caching, and the clients share the proxy server's registered (public) IP address on the Internet.

Two ways to deploy the proxy server: caching only, where the proxy is just another host on the LAN with a single network card, or caching + gateway, where the proxy server is also the network gateway and firewall for the LAN (two network cards, one per side, with iptables doing the NAT and filtering).

[Diagram 1: caching-only proxy server] Caching proxy server 202.129.48.10 and PCs 202.129.48.11 and 202.129.48.12 on one switch, together with 202.129.48.2 and the router's Ethernet interface 202.129.48.1; the router's serial interface 202.129.16.238 goes over a modem on a dedicated line to the ISP.

[Diagram 2: proxy server as caching + gateway] Router serial 202.129.16.238 on 202.129.16.236/30 (dedicated line to the ISP); router Ethernet 202.129.48.1 and the proxy/gateway's outer interface 202.129.48.2 on 202.129.48.0/30; server segment 202.129.48.4/29 behind the proxy/gateway with the web server 202.129.48.7, mail server 202.129.48.6, FTP server 202.129.48.5 and 202.129.48.8.

[Diagram 3: proxy + gateway server with a private LAN] The same modem, router and ISP link; the proxy + gateway server has inner address 192.168.1.1 on 192.168.1.0/24, with PCs 192.168.1.11, 192.168.1.12 and 192.168.1.13 on a switch.

Proxy server features covered here: access lists (ACLs) that allow or deny by client IP address or network; transparent proxying; and the clients reaching the Internet through the proxy server's IP address.

Installing Squid: install the squid package from a shell prompt, or with the graphical package manager (Desktop > System Settings > Add/Remove Applications > Servers > Web Server, where FC4 lists Squid).

Squid config file: /etc/squid/squid.conf. The minimum change is to define an ACL for your own network and allow it:
# acl our_network src <your network, e.g. 192.168.1.0/24>
# http_access allow our_network
The name on the http_access line must match the acl line exactly; an http_access line that names an ACL which is not defined makes Squid reject the configuration.

Starting Squid: from the desktop, Desktop > System Settings > Server Settings > Services, or from a shell prompt:
service squid start|stop|restart
/etc/init.d/squid start|stop|restart
(/etc/init.d is a link to /etc/rc.d/init.d)

Starting Squid (continued): if Squid fails to start because it cannot determine the machine's hostname, set visible_hostname in /etc/squid/squid.conf (visible_hostname <your hostname>) and start it again.

Transparent proxy: with a transparent proxy the browsers on the client machines are not configured to use a proxy server at all. Their packets go to the gateway as usual; the gateway (a Linux box) picks out HTTP packets (TCP port 80) and redirects them to the proxy server's IP address on the proxy's port (3128 for Squid), and Squid, configured for transparent proxying, serves them as if the client had asked the proxy directly.

Transparent proxy, step 1: iptables on the gateway redirects HTTP packets to the proxy server.

If the gateway and the proxy server are different machines (in the slide the gateway is 203.146.55.131, the proxy server is 203.146.55.132 and the clients are 192.168.1.0/24 behind eth1; the "! -d" clause leaves requests addressed to the gateway itself alone):
iptables -t nat -A PREROUTING -p tcp -i eth1 -s 192.168.1.0/24 ! -d 203.146.55.131 --dport 80 -j DNAT --to-destination 203.146.55.132:3128
(The older spellings "-d ! 203.146.55.131" and "--to-dest" are also accepted by iptables.)

If the gateway and the proxy server are the same machine:
iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 80 -j REDIRECT --to-port 3128

Transparent proxy, step 2: tell Squid to accept intercepted requests. In the Squid 2.5 shipped with FC4 this is done with the httpd_accel directives in /etc/squid/squid.conf:
httpd_accel_port 80
httpd_accel_host virtual
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
(Squid 2.6 and later dropped these directives; the equivalent there is "http_port 3128 transparent", renamed "intercept" from Squid 3.1 on.)
If the gateway is not a Linux server but a router, the router itself must be configured to redirect HTTP packets to the proxy server, in place of the iptables rule in step 1.

Transparent proxy caveats. With an explicitly configured proxy the client hands the hostname to the proxy and the proxy resolves it; with a transparent proxy the client resolves the name itself before connecting, so the clients must be able to reach a DNS server, which means the gateway also needs outbound NAT (or an internal DNS server). Outbound NAT + transparent proxy together also give you a fallback: if the proxy goes down, delete the iptables redirect rule and the clients go out directly through NAT until squid is back.
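The two iptables layouts above, the outbound NAT they need and the proxy-down fallback, as shell functions. This is an added example, not code from the original slides. Interface names (eth1 towards the clients, eth0 towards the ISP), the addresses and port 3128 are assumptions taken from the slide diagrams, and the proxy host is assumed not to sit on the client segment itself (as in the slide's addresses); the dryrun idiom for IPT is mine.

```shell
#!/bin/sh
# Added example (not from the original slides): the nat rules for the two layouts
# above as shell functions, plus outbound NAT and the proxy-down fallback.
# Assumptions: eth1 faces the clients, eth0 faces the ISP, Squid listens on 3128,
# and the proxy host is NOT on the client segment (as in the slide's addresses).
# Point IPT at a function that prints its arguments to dry-run instead of loading.
IPT="${IPT:-iptables}"

# Gateway and proxy on separate hosts (slide case 1).
# Usage: tproxy_remote LAN_IF CLIENT_NET GATEWAY_IP PROXY_IP [PORT]
tproxy_remote() {
    lan_if=$1; net=$2; gw=$3; proxy=$4; port=${5:-3128}
    # "! -d $gw" keeps requests addressed to the gateway itself out of the redirect.
    # Modern negation syntax; iptables 1.3 on FC4 also accepts the older "-d ! $gw".
    $IPT -t nat -A PREROUTING -i "$lan_if" -s "$net" ! -d "$gw" \
        -p tcp --dport 80 -j DNAT --to-destination "$proxy:$port"
}

# Gateway and proxy on the same host (slide case 2).
# Usage: tproxy_local LAN_IF [PORT]
tproxy_local() {
    lan_if=$1; port=${2:-3128}
    $IPT -t nat -A PREROUTING -i "$lan_if" -p tcp --dport 80 -j REDIRECT --to-port "$port"
}

# Outbound NAT: with a transparent proxy the client resolves names itself, so DNS
# (and everything that is not TCP/80) must still be able to leave.
# Usage: nat_masquerade WAN_IF CLIENT_NET
nat_masquerade() {
    wan_if=$1; net=$2
    $IPT -t nat -A POSTROUTING -o "$wan_if" -s "$net" -j MASQUERADE
}

# True if something is listening on TCP port $1 (netstat from net-tools, as on FC4).
squid_listening() {
    netstat -ltn 2>/dev/null | awk -v p=":$1\$" '$4 ~ p { found = 1 } END { exit !found }'
}

# Proxy-down fallback (the slide's caveat): while the REDIRECT rule is loaded, a dead
# Squid means no web at all. Run this from cron: it keeps the rule only while Squid
# answers, otherwise clients fall through to plain NAT until Squid is back. Note the
# policy consequence: during the outage (and for the instant between -D and -A below)
# web traffic bypasses Squid's ACLs and logging entirely.
# Usage: tproxy_failover LAN_IF [PORT]
tproxy_failover() {
    lan_if=$1; port=${2:-3128}
    # delete any existing copy first so repeated runs do not stack identical rules
    $IPT -t nat -D PREROUTING -i "$lan_if" -p tcp --dport 80 -j REDIRECT --to-port "$port" 2>/dev/null
    if squid_listening "$port"; then
        tproxy_local "$lan_if" "$port"
    else
        echo "squid not listening on $port: clients now leave via plain NAT" >&2
    fi
}

# Load rules only when explicitly asked, so the file can be sourced or dry-run safely.
if [ "${TPROXY_APPLY:-no}" = yes ]; then
    nat_masquerade eth0 192.168.1.0/24
    tproxy_local eth1 3128
fi
```

Run it with TPROXY_APPLY=yes on the gateway to load the same-host layout; to see the rules without loading them, define a shell function that prints its arguments and export its name in IPT. The failover function is deliberately not the default: whether you prefer "no web" or "web without the proxy's controls" when Squid dies is a policy decision, and the fallback silently picks the second.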

Squid logs. Every request that passes through the proxy is written to the file named by cache_access_log, by default /var/log/squid/access.log; it shows which web sites each client visits. Watch it live with:
tail -f /var/log/squid/access.log

Two more log files: /var/log/squid/cache.log records Squid's own start-up messages, errors and warnings (your cache's behaviour), and /var/log/squid/store.log shows which objects are ejected from the cache and which objects are saved and for how long.

Result codes seen in access.log:
TCP_MISS: the object was not in the cache and was fetched (GET) from the web site.
TCP_HIT: a valid copy was in the on-disk cache and was served from there.
TCP_MEM_HIT: as TCP_HIT, but served from the in-memory cache.
TCP_IMS_HIT: the client sent If-Modified-Since and the cached copy was still fresh, so the proxy answered without refetching.
TCP_CLIENT_REFRESH_MISS: the client forced a reload (no-cache), so the proxy refetched although it had a copy.
SINGLE_PARENT: a hierarchy code rather than a result code: the request was forwarded to the (single) parent proxy.
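A few awk one-liners over access.log, wrapped as shell functions, to turn the result codes above into the questions an administrator actually asks: how much is being served from cache, who is being denied and what for, what went via the parent, and which clients eat the bandwidth. This is an added example, not from the original slides; the log lines are constructed for it and follow Squid's default "squid" log format.

```shell
#!/bin/sh
# Added example, not from the original slides: awk one-liners wrapped as shell
# functions that summarise Squid's native access.log. The log lines below are
# constructed for this example; the field layout is Squid's default "squid" logformat:
#   time elapsed client result/status bytes method URL user hierarchy/peer type
SAMPLE_LOG='1436000000.001    120 192.168.1.11 TCP_MISS/200 5120 GET http://www.example.com/index.html - DIRECT/93.184.216.34 text/html
1436000000.002     15 192.168.1.12 TCP_HIT/200 5120 GET http://www.example.com/index.html - NONE/- text/html
1436000000.003      2 192.168.1.13 TCP_MEM_HIT/200 4096 GET http://www.example.com/logo.png - NONE/- image/png
1436000000.004     80 192.168.1.11 TCP_IMS_HIT/304 310 GET http://www.example.com/logo.png - NONE/- image/png
1436000000.005    200 192.168.1.12 TCP_CLIENT_REFRESH_MISS/200 5120 GET http://www.example.com/index.html - DIRECT/93.184.216.34 text/html
1436000000.006      0 192.168.1.13 TCP_DENIED/403 1400 GET http://thumbnow.com/ - NONE/- text/html
1436000000.007    150 192.168.1.11 TCP_MISS/200 2048 GET http://www.example.org/ - SINGLE_PARENT/parent.foo.net text/html'

# Percentage of requests served from cache (any *_HIT result code), as an integer.
squid_hit_ratio() {
    awk '{
        split($4, rc, "/"); total++
        if (rc[1] ~ /^TCP_(MEM_|IMS_|REFRESH_|NEGATIVE_)?HIT$/) hits++
    } END { printf "%d\n", (total ? hits * 100 / total : 0) }'
}

# Requests Squid refused (TCP_DENIED): who asked for what. Worth tailing in
# production: a client hammering denied URLs is either misconfigured or probing.
squid_denied() {
    awk '$4 ~ /^TCP_DENIED\// { print $3, $7 }'
}

# Number of requests that went through a parent cache rather than DIRECT to the origin.
squid_via_parent() {
    awk '$9 ~ /PARENT\// { n++ } END { print n + 0 }'
}

# Bytes per client, busiest first (the "which clients use the most bandwidth" question).
squid_bytes_by_client() {
    awk '{ b[$3] += $5 } END { for (c in b) print b[c], c }' | sort -rn
}

printf '%s\n' "$SAMPLE_LOG" | squid_hit_ratio        # 42
printf '%s\n' "$SAMPLE_LOG" | squid_denied           # 192.168.1.13 http://thumbnow.com/
printf '%s\n' "$SAMPLE_LOG" | squid_bytes_by_client
# Live view of the real log, as on the slide:  tail -f /var/log/squid/access.log | squid_denied
```

The field numbers ($3 client, $4 result/status, $5 bytes, $7 URL, $9 hierarchy/peer) only hold for the native format; if logformat has been changed in squid.conf, adjust them. Counting TCP_DENIED per client over a day is a cheap way to spot a machine that is probing the block list.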

Access Control Lists Squid You can limit users' ability to browse the Internet with access control lists (ACLs). Each ACL line defines a particular type of activity, such as an access time or source network, they are then linked to an http_access statement that tells Squid whether or not to deny or allow traffic that matches the ACL. Squid matches each Web access request it receives by checking the http_access list from top to bottom. If it finds a match, it enforces the allow or deny statement and stops reading further.

Access Control Lists Squid (continued) The final http_access statement denies everything, so it is best to place new http_access statements above it. The very last http_access statement in the squid.conf file denies all access. You therefore have to add your specific permit statements above this line. In the course examples, I've suggested that you place your statements at the top of the http_access list for the sake of manageability, but you can put them anywhere in the section above that last line. Squid has a minimum required set of ACL statements in the ACCESS_CONTROL section of the squid.conf file. It is best to put new customized entries right after this list to make the file easier to read.

Access Control Lists (ACLs)

1. Define the access list ACLs in /etc/squid/squid.conf, for example:
acl our_network src 192.168.1.0/24
acl ban_dst_domain dstdom_regex thumbnow.com japangirl.com newpicpost.com

2. Attach each ACL to an http_access line. Squid evaluates http_access lines top to bottom and stops at the first match, so a deny must be placed above the allow for our_network or it never fires:
http_access deny ban_dst_domain
http_access allow our_network

Blocking by client IP address (a single host; 192.168.1.1/32 is equivalent):
acl ban_src_ip src 192.168.1.1/255.255.255.255
http_access deny ban_src_ip

Blocking by destination domain, either with a regular expression or, better, with dstdomain. dstdom_regex patterns are unanchored and "." matches any character, so thumbnow.com also matches notthumbnow.com or thumbnow.com.example.org; dstdomain with a leading dot matches exactly that domain and all of its subdomains:
acl ban_dst_domain dstdom_regex thumbnow.com japangirl.com
acl ban_dst_domain dstdomain .thumbnow.com .japangirl.com
http_access deny ban_dst_domain
(Use one or the other for a given ACL name; Squid refuses the same name with two different types.)

Blocking by words anywhere in the URL (add -i before the patterns for a case-insensitive match, otherwise PORN is not caught):
acl ban_word url_regex nude sucker porn
http_access deny ban_word

Longer lists go in a file, one pattern per line, with the path in double quotes:
acl ban_dst_domain dstdom_regex "/etc/squid/ban_dst_domain"
http_access deny ban_dst_domain
acl ban_word url_regex "/etc/squid/ban_word"
http_access deny ban_word

Restricting Web Access By Time
You can create access control lists with time parameters. For example, you can allow only business-hour access from the home network:
# Add this to the bottom of the ACL section of squid.conf
acl home_network src 192.168.1.0/24
acl business_hours time M T W H F 9:00-17:00
# Add this at the top of the http_access section of squid.conf
http_access allow home_network business_hours

Or, you can allow morning access only:
# Add this to the bottom of the ACL section of squid.conf
acl mornings time 08:00-12:00
# Add this at the top of the http_access section of squid.conf
http_access allow mornings

Day letters are S M T W H F A (H is Thursday, A is Saturday), written run together (MTWHF) or separately as above. Two ACLs on one http_access line must both match (AND); separate http_access lines are alternatives (OR).
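The ACL material above (ordering of http_access, the ban lists and the time ACLs) assembled into one squid.conf fragment, together with a small lint that enforces the ordering rule the text describes: nothing may follow the final "http_access deny all", and every ACL an http_access line names must be defined. This is an added example, not part of the original slides; the addresses and domains come from the slides, the lint is mine, and the fragment is kept in a variable rather than written to the FC4 default file.

```shell
#!/bin/sh
# Added example, not from the original slides: the ACL section assembled from the
# material above, plus a lint for the two rules the text states (nothing after the
# final "deny all"; every referenced ACL must be defined).
SQUID_ACL_CONF='
# Squid 2.5 (FC4) defines "all" in squid.conf; Squid 3.2 and later have it built in,
# so this line is not needed there.
acl all src 0.0.0.0/0.0.0.0

# ---- ACL definitions: go at the end of the ACCESS_CONTROL acl list ----
acl our_network src 192.168.1.0/24
acl business_hours time MTWHF 9:00-17:00
acl ban_src_ip src 192.168.1.1/32
acl ban_dst_domain dstdomain .thumbnow.com .japangirl.com
acl ban_word url_regex -i nude porn

# ---- http_access rules, first match wins; explicit denies above the allow ----
http_access deny ban_src_ip
http_access deny ban_dst_domain
http_access deny ban_word
http_access allow our_network business_hours
http_access deny all
'

# Lint: reads squid.conf text on stdin, prints each problem, exits 1 if there were any.
squid_lint_access() {
    awk '
        $1 == "acl" { defined[$2] = 1 }
        $1 == "http_access" {
            if (after_deny_all) { print "unreachable (after deny all): " $0; bad = 1 }
            for (i = 3; i <= NF; i++) {
                name = $i; sub(/^!/, "", name)        # "!acl" negates, same ACL
                if (name != "all" && !(name in defined)) {
                    print "undefined acl " name ": " $0; bad = 1
                }
            }
            if ($2 == "deny" && $3 == "all" && NF == 3) after_deny_all = 1
        }
        END { exit bad }'
}

printf '%s\n' "$SQUID_ACL_CONF" | squid_lint_access && echo "ACL section OK"
# Against the live file:  squid_lint_access < /etc/squid/squid.conf
```

Squid's own "squid -k parse" catches syntax errors and unknown ACL names, but it does not tell you that a rule placed after "deny all" will never be evaluated, which is the mistake the slide warns about; running the lint before "service squid restart" catches it.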

Password Authentication Using NCSA


Custom error page: the page Squid returns for a denied request is /etc/squid/errors/ERR_ACCESS_DENIED, a plain HTML file; edit it with an HTML editor (or by hand) to show your own message.

Multi-Level Web Caching

[Diagram: three-level cache hierarchy] Proxy 1 (the local proxy) forwards to Proxy 2 at the ISP, which in turn forwards to Proxy 3 above it.

Cache Peer parent: A parent cache can get documents from another cache higher in the hierarchy or from the source, depending on whether it has more parent or neighbor caches at its level. A parent cache should be used when there are no more opportunities to get the document from a cache on the same level. sibling: A neighbor (or sibling) cache is one that serves only documents it already has.

Cache peers are declared in /etc/squid/squid.conf as
cache_peer hostname type http_port icp_port [options]
cache_peer parent.foo.net parent 3128 3130 [proxy-only]
cache_peer sib1.foo.net sibling 3128 3130 [proxy-only]
cache_peer sib2.foo.net sibling 3128 3130 [proxy-only]

proxy-only: specifies that objects fetched from this cache should not be saved locally. Parent and sibling caches are queried over ICP on icp_port, 3130 by default; set icp_port to 0 for a peer that does not run ICP, in which case Squid forwards to a parent without asking it first.

Reverse Proxy Server

In reverse proxy mode, the proxy server functions more like a web server with respect to the clients it services. Unlike internal clients, external clients are not preconfigured to access the proxy server. Instead, the site URL routes the client to the proxy as if it were a web server. Replicated content is delivered from the proxy cache to the external client without exposing the origin server or the private network residing safely behind the firewall. Multiple reverse proxy servers can be used to balance the load on an overtaxed web server in much the same way. Reverse proxy servers are commonly used for secure web publishing. Having a proxy server accepting and filling outside requests allows you to keep your web server behind the firewall. You can then use the web server as a protected web site, staging documents for testing before they are published externally. When you are ready, you can publish selected content to the reverse proxy server's cache.