squid

Upload: lucky-pham

Post on 15-Jul-2015


Squid proxy


Instructor: ng Ngc Cng

Prepared by group: Anonymous
1. Nguyn Quyt
2. Trn Tin
3. Nguyn nh Minh Phc

Class: K16TPM


Table of contents

1. Overview of proxies
1.1. The proxy concept
1.2. Functions and operation of a proxy
1.3. Types of proxy
1.4. Significance of proxies
2. Squid proxy
2.1. Squid proxy on Linux
2.2. Installing Squid
2.3. Configuring Squid
2.4.1. Basic configuration
2.4.2. Denying client access during a set time period
2.4.3. Restricting file downloads
2.4.4. Automatically redirecting to a predefined website when a disallowed website is accessed
2.4.5. Requiring clients to enter a user name and password
2.4.6. Configuration for a machine that cannot connect directly to the Internet
2.4. Starting Squid
3. Using the proxy
4. References


1. Overview of proxies

1.1. The proxy concept

A proxy is an Internet server that relays information and controls it to make Internet access safe for client machines. The proxy server examines the requests coming from clients and decides whether or not to serve them. If a request is accepted, the proxy server connects to the real server on the client's behalf and relays the client's requests to the server, as well as the server's responses back to the client. The proxy server is therefore an intermediary bridge between server and client.

1.2. Functions and operation of a proxy

Functions:

For users: it lets many computers reach the Internet through one computer that holds a given access account; that computer is called the proxy server.

For Internet service providers (ISPs): a proxy is combined with firewall techniques to build a filter, called a firewall proxy, that blocks information for various purposes. The addresses of the websites users visit are checked at this filter; if an address is not banned, the request is passed on to the provider's DNS servers. The firewall proxy filters all information sent from the Internet to the customer's machine and in the opposite direction.


How it works:

[Figure: Request and Respond flows between client 5.6.7.8, proxy 1.2.3.4:8080 and website abc.com]

When the client with IP 5.6.7.8 wants to connect to the website http://abc.com over HTTP through the proxy at IP 1.2.3.4, port 8080, the steps are:

1. Client 5.6.7.8 sends a request containing the details of its access to abc.com to proxy server 1.2.3.4 on port 8080.
2. After receiving the request from the client, proxy 1.2.3.4 sends a request on to the website abc.com.
3. The website abc.com receives the request, processes it and returns the result (response) to proxy 1.2.3.4.
4. The proxy server returns the result (response) to the client.

1.3. Types of proxy

By function:

Anonymous: sometimes also called a web proxy, it helps users stay anonymous (hide their IP) while browsing the Web. The HTTP proxy server does not send the actual value of the HTTP_X_FORWARDED_FOR variable to the host being visited, so it can conceal your IP. That does not mean you are completely hidden, however, because websites can use site scripts to collect information showing that you are reaching their host through some proxy that is serving you.

High Anonymity: a higher level of concealment than anonymous. The HTTP proxy sends none of the HTTP_X_FORWARDED_FOR, HTTP_VIA and HTTP_PROXY_CONNECTION variables at all. The Internet host therefore cannot tell that you are using a proxy server, nor discover your real IP.

Transparent: the transparent proxy, sometimes also called an intercepting proxy. Unlike the two types above, a transparent proxy is the combination of a proxy server and a gateway. It is the method network administrators commonly impose on users in a LAN: users are not aware that they are reaching the Internet through a monitored gateway. A client's request goes to the gateway, and the gateway then hands it to the proxy server for processing. Users of this kind of proxy do not know that they are using a proxy and are being monitored. They only need to set the gateway IP address supplied by the administrator and do not have to set any proxy parameters in the browser or in other Internet applications. It is usually deployed by company administrators who want policy to be enforced on users while the users are hardly aware that they are going through a proxy.

By supported protocols:

HTTP/HTTPS proxy: proxy servers are available for the common Internet services; for example, an HTTP proxy is used for Web access and an FTP proxy for file transfer. These proxies are called application-level proxies or application-level gateways, because they are dedicated to particular applications and protocols and understand the content of the packets sent to them. Another kind of proxy system, called a circuit-level proxy, supports many applications at once. For example, SOCKS is an IP-based proxy server (circuit-level proxy) that supports most applications built on TCP and UDP.

SOCKS or Sockets: a circuit-level proxy server for IP networks as defined by the IETF (Internet Engineering Task Force, a community of experts, including network designers, operators, vendors and researchers, who take part in building the Internet architecture and steadily improving the Internet). SOCKS was written by David and Michelle Koblas in the early 1990s.


SOCKS quickly became a de facto standard (hardware or software that is widely used but has not been certified by the organizations that issue standards), as opposed to a de jure standard. Although SOCKS appeared early and is widely used, the first SOCKS version approved by the IETF was SOCKS5. SOCKS was originally a proxy system for traffic such as FTP, Telnet and so on, but not for HTTP. SOCKS4 handles TCP connections (which covers most applications on the Internet); SOCKS5 adds support for UDP, ICMP, user authentication and hostname resolution (DNS service). SOCKS requires the client to be configured to send its requests directly to the SOCKS server; alternatively, a SOCKS driver stops clients from sending requests from non-SOCKS applications. Many Web browsers and other Internet applications now support SOCKS, so working with SOCKS servers is fairly easy. To study SOCKS and SOCKS-compliant applications in detail, one should also look at the TCP/IP communication model.

1.4. Significance of proxies

A proxy is valuable not only because it acts as an information filter but also because it provides safety for its clients: a firewall proxy effectively blocks unwanted parties from intruding into the clients' machines. A proxy keeps the information its clients need in memory, which shortens lookup time and makes bandwidth use more efficient.

A proxy server is like a bodyguard that protects against trouble on the Internet. A proxy server usually sits inside the firewall, between the web browser and the real server, and holds the client machines' Internet requests so that the clients do not talk to the Internet directly. Users cannot reach web pages that are not permitted (banned).

Every client request must pass through the proxy server. If the IP address is present on the proxy, meaning the website is stored locally, the page is served without a connection to the Internet. If it is not on the proxy server and the page is not banned, the request is passed on to the real server, the DNS server... and out to the Internet. The proxy server keeps the most frequently visited web pages locally in its cache to reduce connection cost and speed up browsing.

A proxy server protects the internal network from being identified from outside by giving the network two identities: one internal and one external. This creates an alias towards the outside world and makes things harder for users acting on their own or for hackers who want to break directly into a particular computer.

Drawback: proxies differ in memory size and in the number of people using them, so when a proxy server is overloaded the clients' Internet access speed can drop.


2. Squid proxy

2.1. Squid proxy on Linux

Squid is a proxy server. It saves bandwidth, improves security and speeds up web access for users, and it has become one of the best-known and most popular proxies. There are many proxy-server programs on the market today, but they have two drawbacks: first, they must be paid for, and second, most of them do not support ICP (ICP is used to update changes to the content of URLs already held in the cache, the place that stores the web pages you have visited). Squid is the best choice for a proxy-cache server because it meets both of our requirements: it is free to use and it supports ICP.

Squid provides high-level caching for web clients and supports the common services such as FTP, Gopher and HTTP. Squid keeps the most recent information for these services in RAM, manages a large database of information on disk, has a sophisticated access control mechanism and supports the SSL protocol for secure connections through the proxy. In addition, Squid can link up with the caches of other proxy servers to organize the storage of web pages sensibly. Squid home page: http://www.squid-cache.org.

2.2. Installing Squid

First, some notes on the hardware requirements of a proxy server:

1. Hard disk access speed: very important, because Squid constantly reads and writes data on the disk. A SCSI disk with a high data transfer rate is a good candidate for this job.
2. The disk space set aside for the cache depends on the size of the network Squid serves: from 1 to 2 Gb for an average network of about 100 machines. This figure is only an example, however, because the demand for Internet access is what really determines how large the disk needs to be.
3. RAM: very important; with little RAM Squid becomes noticeably slower.
4. CPU: does not need to be very powerful; about 133 MHz is enough to run well under a load of 7 requests/second.

Installing Squid on RedHat Linux is very simple. Squid is installed if you select it during the initial installation. If you installed Linux without Squid, you can install it afterwards with the rpm utility:

    # rpm -i squid_package_name

Installing from the Linux software repositories:

On Ubuntu:

    # apt-get install squid

On Fedora/CentOS:

    # yum install squid

Installing from source: given the Squid source file squid-version.tar.gz, run the following commands:

    # tar xzvf squid-version.tar.gz
    # cd squid-version
    # ./configure
    # make
    # make install

Once Squid is installed you can move on to configuring it. Squid's default directories are:

    /usr/sbin
    /etc/squid
    /var/log/squid


2.3. Configuring Squid

2.4.1. Basic configuration

After installing Squid, we have to configure it to suit our own requirements. We set a number of parameters in the file /etc/squid/squid.conf as follows:

    http_port 3128 (the default is 3128)
    icp_port 3130 (the default is 3130)

cache_dir: declares the size of Squid's cache directory; the default is:

    cache_dir /var/spool/squid/cache 100 16 256

The value 100 means that 100 MB is used for the cache; if the hard disk is large, this can be increased according to the size of the disk. Squid will thus store its cache in the directory /var/spool/squid/cache with a cache size of 100 MB.

Access Control List and Access Control Operators: these two features are used to block and limit access based on the destination domain or on the IP address of a machine or network. By default Squid refuses to serve anyone, so this has to be reconfigured. To do so, we add configuration that fits our requirements using two parameters: acl and http_access.

Example: allow only the network 10.10.13.0/24 to use the proxy server, using the src keyword in the acl:

    acl MyNetwork src 10.10.13.0/255.255.255.0
    http_access allow MyNetwork
    http_access deny all

We can also stop machines from reaching sites that are not permitted, using the dstdomain keyword in the acl, for example:

    acl BadDomain dstdomain .yahoo.com
    http_access deny BadDomain
    http_access deny all

If the list of banned sites is too long, it can be kept in a text file that contains the list of addresses, as follows:

    acl BadDomain dstdomain /etc/squid/danhsachcam
    http_access deny BadDomain


With the configuration above, /etc/squid/danhsachcam is a text file holding the addresses that may not be accessed, one per line. For example, the file could contain:

    .yahoo.com
    .facebook.com
    .google.com

We can have several acls, and each acl must have its own http_access line, as follows:

    acl MyNetwork src 10.10.13.0/255.255.255.0
    acl BadDomain dstdomain .yahoo.com
    http_access deny BadDomain
    http_access allow MyNetwork
    http_access deny all

This configuration makes the proxy block machines from reaching the site www.yahoo.com and lets only the network 10.10.13.0/24 use the proxy. http_access deny all: denies everything except the acls that have been declared.
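The following added example, which is not part of the original report, models how the acl and http_access lines above are evaluated: rules are read top to bottom and the first match decides. It also shows what a netmask of 255.0.0.0 on the MyNetwork acl would admit and what happens when the allow line is placed before the deny line. The names RULES, NARROW, WIDE, ALLOW_FIRST and the functions are this example's own; the matching logic is a simplified model, not Squid code.

```python
import ipaddress

# Constructed model of the page's squid.conf example (added illustration).
RULES = [("deny", "BadDomain"), ("allow", "MyNetwork"), ("deny", "all")]

def make_acls(my_network):
    # strict=False applies the mask to the address, so 10.10.13.0/255.0.0.0
    # is modelled as the whole 10.0.0.0/8 (assumption of this model).
    return {
        "MyNetwork": ("src", ipaddress.ip_network(my_network, strict=False)),
        "BadDomain": ("dstdomain", [".yahoo.com"]),
        "all": ("src", ipaddress.ip_network("0.0.0.0/0")),
    }

def acl_matches(acl, client_ip, host):
    kind, value = acl
    if kind == "src":
        return ipaddress.ip_address(client_ip) in value
    host = host.lower().rstrip(".")
    for domain in value:
        # ".yahoo.com" covers yahoo.com and every subdomain; "yahoo.com" is exact.
        if host == domain.lstrip(".") or (domain.startswith(".") and host.endswith(domain)):
            return True
    return False

def http_access(rules, acls, client_ip, host):
    """First matching http_access line decides; later lines are never read."""
    for action, name in rules:
        if acl_matches(acls[name], client_ip, host):
            return action
    # Nothing matched: the default is the opposite of the last line's action.
    return "allow" if rules[-1][0] == "deny" else "deny"

NARROW = make_acls("10.10.13.0/255.255.255.0")   # the intended /24
WIDE = make_acls("10.10.13.0/255.0.0.0")         # mask that covers a /8
ALLOW_FIRST = [("allow", "MyNetwork"), ("deny", "BadDomain"), ("deny", "all")]

if __name__ == "__main__":
    for label, acls, rules, ip, host in [
        ("blocked site", NARROW, RULES, "10.10.13.5", "www.yahoo.com"),
        ("normal site", NARROW, RULES, "10.10.13.5", "example.org"),
        ("other subnet, /24 mask", NARROW, RULES, "10.20.0.7", "example.org"),
        ("other subnet, /8 mask", WIDE, RULES, "10.20.0.7", "example.org"),
        ("allow listed first", NARROW, ALLOW_FIRST, "10.10.13.5", "www.yahoo.com"),
    ]:
        print(f"{label:24} {http_access(rules, acls, ip, host)}")
```
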

2.4.2. Denying client access during a set time period

Example: deny client access during working hours, Monday to Friday, from 8:00 to 17:00:

    acl giolamviec time M T W H F 8:00-17:00
    http_access deny giolamviec

Where:

    M: Monday
    T: Tuesday
    W: Wednesday
    H: Thursday
    F: Friday
    A: Saturday
    S: Sunday

2.4.3. Restricting file downloads

Example of restricting the download of multimedia files with the extensions .mp3, .mpg, .mpeg, ... Add the following 2 lines to squid.conf (the dot is escaped so that it matches only a literal "."):

    acl denyfiletypes url_regex -i \.mp3$ \.mpg$ \.mpeg$ \.mp2$ \.avi$ \.wmv$ \.wma$ \.exe$
    http_access deny denyfiletypes
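As an added illustration (not from the original report), the script below compares three ways of writing the file-type patterns over constructed URLs: with an unescaped dot, with the dot escaped, and with an optional query string allowed before the end anchor. It uses Python's re module as a stand-in for Squid's regex matching, which is an assumption that holds for patterns this simple; the list names and URLs are made up for the example.

```python
import re

UNESCAPED = [r".mp3$", r".mpg$", r".exe$"]        # "." matches any character
ESCAPED = [r"\.mp3$", r"\.mpg$", r"\.exe$"]       # literal dot, must end the URL
WITH_QUERY = [r"\.(mp3|mpg|exe)(\?.*)?$"]         # also tolerates "?..." after it

# Constructed sample URLs.
URLS = [
    "http://media.example/song.MP3",          # plain download
    "http://news.example/about-temp3",        # not a media file at all
    "http://media.example/song.mp3?dl=1",     # same file behind a query string
    "http://docs.example/index.html",         # unrelated page
]

def denied(url, patterns):
    """Model of 'url_regex -i': case-insensitive search over the whole URL."""
    return any(re.search(p, url, re.IGNORECASE) for p in patterns)

def compare(urls=URLS):
    """Map each URL to (unescaped, escaped, with_query) deny decisions."""
    return {
        url: tuple(denied(url, p) for p in (UNESCAPED, ESCAPED, WITH_QUERY))
        for url in urls
    }

if __name__ == "__main__":
    print(f"{'unescaped':>10} {'escaped':>8} {'query-ok':>9}  url")
    for url, (a, b, c) in compare().items():
        print(f"{str(a):>10} {str(b):>8} {str(c):>9}  {url}")
```

The unescaped form denies a page whose name merely ends in "mp3", and both `$`-anchored forms miss the same file once a query string follows the extension.
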

2.4.4. Automatically redirecting to a predefined website when a disallowed website is accessed

In the example in section 2.4.2 we created the file /etc/squid/danhsachcam, which holds the web sites that are banned. When a client visits one of those sites, Squid shows the message "Access Denied!". We can replace that message by redirecting to another website (for example google.com). At the configuration lines that ban multiple web sites in example 2.4.2:

    acl BadDomain dstdomain /etc/squid/danhsachcam
    http_access deny BadDomain

we add the following line underneath:

    deny_info http://google.com.vn BadDomain

2.4.5. Requiring clients to enter a user name and password

Step 1: Create an empty file /etc/squid/squid-passwd

Step 2: Create the password with the command:

    # htpasswd /etc/squid/squid-passwd client_user

Type the password and press Enter.

Step 3: Configure squid.conf. Add the following 3 lines to the file:

    auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/squid-passwd
    acl passw proxy_auth REQUIRED
    http_access allow passw

After Squid is restarted, clients that visit a website address have to enter the user name and password we set up. With the configuration above, the user name is client_user and the password is the one we set.

2.4.6. Configuration for a machine that cannot connect directly to the Internet

If the proxy cannot connect directly to the Internet because it has no real IP address, or because it sits behind a firewall, we have to make the proxy query another proxy that can reach the Internet, using the following parameter:

    cache_peer 10.10.13.2 parent 8080 8082

This configuration tells the proxy to query the parent proxy 10.10.13.2, using the parent parameter, through http_port 8080 and icp_port 8082. In addition, if there are several proxy servers in the same network, we can make them query one another as follows:

    cache_peer 10.10.13.2 sibling 8080 8082
    cache_peer 10.10.13.3 sibling 8080 8082

2.4. Starting Squid

After installing and configuring Squid, we have to create the cache before running Squid, with the command:

    # squid -z

If an error occurs while the cache is being created, check the permissions on the cache directory declared in the cache_dir parameter. The directory may not be writable. If so, change it with:

    # chown squid:squid /var/spool/squid
    # chmod 770 /var/spool/squid

Once the cache directory has been created, we start and stop Squid with the service script:

    # service squid start
    # service squid stop

Restart squid:

    # service squid restart

After Squid has started, to monitor and manage client access and to see how Squid's cache is operating, we regularly review the following files:

/var/log/squid/cache.log: contains warnings and status information about the cache.

/var/log/squid/store.log: contains records of what has just been updated in the cache and what has expired.

/var/log/squid/access.log: contains all the information about client access, including source address, destination, time
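To show what reviewing access.log can look like in practice, here is an added example (not part of the original report) that parses lines in Squid's native access.log layout and counts denied requests per client, which surfaces machines repeatedly hitting the acl or failing proxy authentication. The log lines are constructed sample data, and the function names and the threshold of 3 are assumptions of this example.

```python
from collections import Counter

# Constructed sample lines in Squid's native access.log layout:
# time elapsed client result/status bytes method URL user hierarchy type
SAMPLE_LOG = """\
1436943601.101     12 10.10.13.5 TCP_DENIED/403 1402 GET http://www.yahoo.com/ - NONE/- text/html
1436943602.250    180 10.10.13.5 TCP_MISS/200 5120 GET http://example.org/ - DIRECT/93.184.216.34 text/html
1436943603.010      3 10.10.13.9 TCP_DENIED/407 1650 GET http://example.org/ - NONE/- text/html
1436943603.500      2 10.10.13.9 TCP_DENIED/407 1650 GET http://example.org/ - NONE/- text/html
1436943604.020      2 10.10.13.9 TCP_DENIED/407 1650 GET http://example.org/ - NONE/- text/html
1436943605.700      4 10.10.13.9 TCP_DENIED/403 1402 GET http://www.facebook.com/ client_user NONE/- text/html
1436943606.900      1 10.10.13.7 TCP_HIT/200 2048 GET http://example.org/logo.png - NONE/- image/png
"""

def parse_line(line):
    """Split one native-format line into a dict, or return None if malformed."""
    f = line.split()
    if len(f) < 10:
        return None
    result, _, status = f[3].partition("/")
    if not status.isdigit():
        return None
    return {"time": float(f[0]), "client": f[2], "result": result,
            "status": int(status), "method": f[5], "url": f[6], "user": f[7]}

def denied_by_client(log_text):
    """Count TCP_DENIED entries per (client, HTTP status)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["result"] == "TCP_DENIED":
            counts[(rec["client"], rec["status"])] += 1
    return counts

def noisy_clients(log_text, threshold=3):
    """Clients with at least `threshold` denied requests of any kind."""
    totals = Counter()
    for (client, _status), n in denied_by_client(log_text).items():
        totals[client] += n
    return sorted(c for c, n in totals.items() if n >= threshold)

if __name__ == "__main__":
    for (client, status), n in sorted(denied_by_client(SAMPLE_LOG).items()):
        print(f"{client} status={status} denied={n}")
    print("review:", noisy_clients(SAMPLE_LOG))
```
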


3. Using the proxy

Setting up and using the proxy in a browser:

For Internet Explorer:

- Open the menu Tool -> Internet Options -> Connections -> choose LAN Settings. You will then see the item "Use the proxy server for this connection"; tick it. Finally, type the IP address of the proxy server you want to use, and remember to include the port as well, because every proxy server comes with a port.


For Firefox: go to Tools -> Options -> Advanced -> Network -> Settings. Tick "Manual proxy configuration" and enter the proxy address together with its port.


4. References

1. Proxy server
2. Types of proxy server and the function of SOCKS
3. Configuring Squid (and webadmin)
4. Installing and configuring the Linux SQUID proxy server