squid 配置详解 + 认证 !

晨想 · 发表于 2005-11-23 06:55:01

抛砖引玉，按照楼主的文章，再参考了 squid FAQ 以及 man，装了一个 PAM 认证。因为用NCSA太麻烦了，还要用那个htpasswd什么的，我不会。（羞ing）。

squid 版本：squid-2.5.STABLE12

1. 解压，编译，安装。

./configure \
--prefix=/opt/Squid --sysconfdir=/etc/squid \
--enable-storeio=ufs,null --enable-arp-acl \
--enable-linux-netfilter --enable-underscore \
--enable-pthreads --enable-ssl \
--enable-large-file --enable-large-cache-file \
--disable-ident-lookups \
--enable-auth=basic --enable-basic-auth-helpers='PAM NCSA' \
&&
make -j2 &&
make install

复制代码

2. 编辑 squid.conf 文件。

http_port 193.168.0.1:3128
icp_port 0
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
acl QUERY urlpath_regex bbs \?
no_cache deny QUERY
cache_mem 64 MB
cache_swap_low 90
cache_swap_high 95
maximum_object_size 4096 KB
cache_replacement_policy lru
memory_replacement_policy lru
cache_dir ufs /var/cache/Squid 1000 16 256
cache_access_log /var/log/Squid/access.log
cache_log /var/log/Squid/cache.log
cache_store_log /var/log/Squid/store.log
pid_filename /var/run/squid.pid
auth_param basic program /opt/Squid/libexec/pam_auth -o
auth_param basic children 5
auth_param basic realm Tell me who you are!
auth_param basic credentialsttl 12 hours
auth_param basic casesensitive off
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl our_networks src 192.168.0.0/24
acl emailClient browser Outlook #让outlook不用认证。也许存在漏洞！
acl authbody proxy_auth REQUIRED
http_access allow manager our_networks
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow emailClient
http_access allow authbody
http_access allow our_networks
http_access deny all
http_reply_access allow all
icp_access allow all
cache_mgr william
cache_effective_user squid
cache_effective_group squid
visible_hostname FantasySquid
forwarded_for off
coredump_dir /var/cache/Squid

复制代码

3. 配置 /etc/pam.d/squid

# Begin /etc/pam.d/squid
auth sufficient pam_unix.so shadow md5 nullok likeauth
account required pam_access.so
account required pam_unix.so
session sufficient pam_unix.so
# End /etc/pam.d/squid

复制代码

4. 因为用到了UNIX local password，所以要把pam_auth程序setuid。
这个步骤在 man pam_auth 里边提及到的。

chown root /opt/Squid/libexec/pam_auth
chmod u+s /opt/Squid/libexec/pam_auth

复制代码

5。重启 squid。测试。应该就没问题的了。

fengchuixue451 · 发表于 2005-11-23 09:22:46

请教一下吖,为什么访问控制列表
acl advance 192.168.0.2-192.168.0.10/32
acl normal src 192.168.0.11-192.168.0.200/32
acl baduser src 192.168.0.100/32
中,后面的数字都是32呢,32代表什么意思?不是24吗?
谢谢!

晨想 · 发表于 2005-11-23 12:23:50

32的话，就是本机咯。

tekkensky · 发表于 2005-12-13 13:37:00

官方网站上有很多版本！

下那个好啊？

多谢！

水兵琪 · 发表于 2006-10-10 15:59:27

UBUNTU 怎么弄呢？

lic358 · 发表于 2006-11-2 11:20:28

OK THANK YOU

bluefish20 · 发表于 2007-2-28 20:07:50

谢谢楼主啊！正需要呢

mh169 · 发表于 2007-3-1 11:47:18

不错收藏先
学习中……

l76862157 · 发表于 2007-5-16 10:37:19

hao tie

churchmouse · 发表于 2007-5-20 16:59:47

顶一个,好文章,学习了.

		自动登录	找回密码
密码			注册