The configuration file contains comments that describe what each configuration option does. By default, Squid allows access only from the localhost. Install htpasswd by installing the Apache utility programs. If you have installed Apache on your Cloudraya Ubuntu VM, you will already have it and can skip this step.
It is set to 2 hours. Answer added by Deleted user 8 years ago. An e-mail address to which Squid sends a message if it unexpectedly crashes. The default is webmaster. If you run squid -k rotate, Squid can rotate secured log files.
The files are numbered in this process and, after reaching the specified value, the oldest file is overwritten. Usually, your own domain is entered here, so entering www in the browser accesses your own Web server. Otherwise it adds a line to the header like. Normally, you do not need to change these values. If you have a dial-up connection, however, the Internet may, at times, not be accessible. Squid makes a note of the failed requests and then refuses to issue new ones, even though the Internet connection has been reestablished.
In a case such as this, change the minutes to seconds. Then, after clicking Reload in the browser, the dial-up process should be reengaged after a few seconds. To prevent Squid from taking requests directly from the Internet, use the above command to force connection to another proxy. This might be necessary, for example, if you are using a provider that strictly stipulates the use of its proxies or denies its firewall direct Internet access.
Squid provides a detailed system for controlling the access to the proxy. By implementing ACLs, it can be configured easily and comprehensively. This involves lists with rules that are processed sequentially. ACLs must be defined before they can be used. Some default ACLs, such as all and localhost, already exist.
However, the mere definition of an ACL does not mean that it is actually applied. An ACL requires at least three specifications to define it. The following are some simple examples. For this, ACLs must be given. In the following example, the localhost has free access to everything while all other hosts are denied access completely.
In another example using these rules, the group teachers always has access to the Internet. The group students only gets access Monday to Friday during lunch time. That is, between the text. With this option, specify a redirector such as squidGuard, which allows the blocking of unwanted URLs. Internet access can be individually controlled for various user groups with the help of proxy authentication and the appropriate ACLs.
In addition, an ACL is still required, so only clients with a valid login can use the Internet. With this, have an ident request run for all ACL-defined clients to find each user's identity. Also, an ident daemon must be running on all clients. For Linux, install the pidentd package for this purpose. For Microsoft Windows, free software is available for download from the Internet. To ensure that only clients with a successful ident lookup are permitted, define a corresponding ACL here.
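To make the ordering rules above concrete (first matching http_access line wins, several ACLs on one line must all match, repeated acl lines for one name are OR'ed, and the default when nothing matches is the opposite of the last line), here is a small model of that evaluation. It is an added example, not code from Squid or from the SUSE documentation: it understands only src, time and proxy_auth ACLs, and the configuration text, address ranges, user name and timestamps are constructed for the demonstration.

```python
"""Added example, not Squid's own code: a minimal model of how Squid walks
http_access rules against ACLs. Supports only src, time and proxy_auth ACLs.
CONFIG, its address ranges and the users are constructed for this example."""

import ipaddress
from datetime import datetime

# Squid's time-ACL day letters, Monday..Sunday, in datetime.weekday() order
DAY_LETTERS = "MTWHFAS"

CONFIG = """
acl localhost src 127.0.0.1/32
acl all src 0.0.0.0/0
acl teachers src 192.168.1.0/24        # constructed address ranges
acl students src 192.168.7.0/24
acl students src 192.168.8.0/24        # a second line for the same name is OR'ed in
acl lunch time MTWHF 12:00-15:00
acl password proxy_auth REQUIRED

http_access allow localhost
http_access allow teachers
http_access allow students lunch        # several ACLs on one line must ALL match
http_access allow password
http_access deny all
"""


class Acl:
    def __init__(self, kind, args):
        self.kind, self.args = kind, args

    def matches(self, request):
        if self.kind == "src":
            return any(request["ip"] in ipaddress.ip_network(a, strict=False)
                       for a in self.args)
        if self.kind == "time":
            # simplified: always "DAYS HH:MM-HH:MM", end of range exclusive
            days, span = self.args
            start, end = (tuple(int(x) for x in p.split(":")) for p in span.split("-"))
            now = request["now"]
            return (DAY_LETTERS[now.weekday()] in days
                    and start <= (now.hour, now.minute) < end)
        if self.kind == "proxy_auth":
            user = request.get("user")
            return user is not None and ("REQUIRED" in self.args or user in self.args)
        raise ValueError("unsupported acl type: " + self.kind)


def load_config(text):
    """Parse only 'acl' and 'http_access' lines; '#' starts a comment."""
    acls, rules = {}, []
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()
        if not words:
            continue
        if words[0] == "acl":
            acls.setdefault(words[1], []).append(Acl(words[2], words[3:]))
        elif words[0] == "http_access":
            rules.append((words[1], words[2:]))
    return acls, rules


def decide(acls, rules, request):
    """First rule whose ACLs all match wins; '!name' negates a term. If no
    rule matches, Squid applies the opposite of the last rule's action."""
    for action, names in rules:
        if all(any(a.matches(request) for a in acls[n.lstrip("!")]) != n.startswith("!")
               for n in names):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"


def check(config, ip, when, user=None):
    """Convenience wrapper: returns 'allow' or 'deny' for one request."""
    acls, rules = load_config(config)
    return decide(acls, rules, {"ip": ipaddress.ip_address(ip), "now": when, "user": user})


if __name__ == "__main__":
    monday_lunch = datetime(2024, 1, 1, 12, 30)   # 2024-01-01 was a Monday
    print(check(CONFIG, "192.168.8.5", monday_lunch))   # student at lunch: allow
    print(check(CONFIG, "192.168.8.5", datetime(2024, 1, 1, 18, 0)))  # evening: deny
```

The last line of `decide` is the part people most often get wrong in real configurations: if the final `deny all` is left out, an unlisted client is still denied only because the last line happens to be an allow, which is why the documentation recommends ending every list with an explicit `http_access deny all`.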
Using ident can slow down the access time quite a bit, because ident lookups are repeated for each request. The usual way of working with proxy servers is the following: the Web browser sends requests to a certain port in the proxy server and the proxy provides these required objects, whether they are in its cache or not. When working in a network, several situations may arise. For security reasons, it is recommended that all clients use a proxy to surf the Internet.
The proxy in a network is moved, but the existing clients need to retain their old configuration. In all these cases, a transparent proxy may be used. The principle is very easy: the proxy intercepts and answers the requests of the Web browser, so the Web browser receives the requested pages without knowing from where they are coming.
As the name indicates, the entire process is done transparently. In the following squid config line, this would be the port. Now redirect all incoming requests via the firewall with help of a port forwarding rule to the Squid port. The configuration file consists of well-documented entries. To set a transparent proxy, you must configure several firewall options. In this example, only Web services are offered to the outside. This allows accessing Web services and Squid, whose default port is. This service is commonly used.
Otherwise, simply take it out of the above entries and set the following option to no. The comments above show the syntax to follow. First, enter the IP address and the netmask of the internal networks accessing the proxy firewall. Second, enter the IP address and the netmask to which these clients send their requests. In this example, Web services (port 80) are redirected to the proxy port. If there are more networks or services to add, they must be separated by a blank space in the respective entry.
Start Squid as shown in Section. To verify that all ports are correctly configured, perform a port scan on the machine from any computer outside your network.
Only the Web services port 80 should be open. How does Proxy Authentication work in Squid? If the header is present, Squid decodes it and extracts the user's credentials. The user agent (browser) receives the reply and then attempts to locate the user's credentials. Sometimes this means a background lookup, sometimes a popup prompt for the user to enter a name and password. The name and password are encoded, and sent in the Authorization header for subsequent requests to the proxy.
However, base64 is a binary-to-text encoding only; it does NOT encrypt the information it encodes. This means that the username and password are essentially "cleartext" between the browser and the proxy. Therefore, you probably should not use the same username and password that you would use for your account login. Authentication is actually performed outside of the main Squid process.
When Squid starts, it spawns a number of authentication subprocesses. This technique allows you to use a number of different authentication protocols named "schemes" in this context. When multiple authentication schemes are offered by the server Squid in this case , it is up to the User-Agent to choose one and authenticate using it.
By RFC it should choose the safest one it can handle; in practice usually Microsoft Internet Explorer chooses the first one it's been offered that it can handle, and Mozilla browsers are bug-compatible with the Microsoft system in this field. In addition to the well known Basic authentication, Squid also supports the NTLM, Negotiate and Digest authentication schemes, which provide more secure authentication methods, in that the password is not exchanged in plain text over the wire. Notice that helpers for different authentication schemes use different protocols to talk with Squid, so they can't be mixed.
The Squid source code bundles with a few authentication backends ("helpers") for authentication. POP3: Uses an email server to validate credentials. Useful for single sign-on to proxy and email.
Due to its simplicity Basic authentication has by far the most helpers, but the other schemes also have several helpers available. In order to authenticate users, you need to compile and install one of the supplied authentication helpers, one of the others, or supply your own. Specify the name of the program, plus any command line options if necessary. Make sure that your authentication program is installed and working correctly.
You can test it by hand. Note that allow will NOT trigger the authentication denial to fetch new auth details if the user is not correctly logged in already.
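The following added example, which is not code from Squid, its FAQ, or the Cloudraya post, models both halves of the Basic-scheme flow described above: the 407 challenge/response between the browser and the proxy (including what the base64 "encoding" of the credentials actually protects, which is nothing), and the line protocol a Basic authentication helper speaks to Squid, which is what "testing it by hand" exercises: feed it `username password` lines on standard input and expect `OK` or `ERR` back. The realm string, the user names, the passwords and the hashed credential store are constructed for the example and are not the htpasswd file format; the proxy-side header names (Proxy-Authenticate, Proxy-Authorization) are the ones RFC 7235 assigns to proxies, and the URL-decoding of the two input fields assumes the helper protocol of newer Squid versions, which is harmless on plain input.

```python
"""Added example (not Squid's code). Models (1) the Basic challenge/response
between browser and proxy and (2) a Basic auth helper's stdin/stdout protocol.
Realm, users, passwords and the PBKDF2 store are constructed; real Squid
helpers such as basic_ncsa_auth read an htpasswd file instead."""

import base64
import hashlib
import hmac
import secrets
import sys
from urllib.parse import unquote

REALM = "example proxy"  # constructed realm string

# ---- credential store (constructed; salted PBKDF2, not htpasswd format) ----
ITERATIONS = 100_000


def make_record(password):
    salt = secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


USERS = {"alice": make_record("correct horse"), "bob": make_record("hunter2")}


def verify(user, password):
    """Constant-time comparison against the stored digest; unknown users fail."""
    record = USERS.get(user)
    if record is None:
        return False
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


# ---- (1) the HTTP exchange, modelled as plain dicts ---------------------------
def challenge():
    """Proxy reply when the request carries no usable credentials."""
    return {"status": 407, "Proxy-Authenticate": 'Basic realm="%s"' % REALM}


def browser_header(user, password):
    """What the user agent sends next: 'user:password', base64-ENCODED only."""
    return "Basic " + base64.b64encode(("%s:%s" % (user, password)).encode()).decode()


def decode_basic(header_value):
    """What anyone who can read the header can do with it: decoding is not
    decryption, so the credentials are cleartext on the wire."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


def proxy_handle(request_headers):
    """One request through the proxy: challenge, or accept, or challenge again."""
    auth = request_headers.get("Proxy-Authorization")
    if auth is None:
        return challenge()
    try:
        user, password = decode_basic(auth)
    except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
        return challenge()
    if verify(user, password):
        return {"status": 200, "user": user}
    return challenge()


# ---- (2) the helper side: 'user password' in, OK / ERR / BH out ----------------
def helper_line(line):
    """One request from Squid. Fields are URL-encoded in newer Squid versions
    (assumed here); BH signals a helper-side problem rather than a bad login."""
    parts = line.rstrip("\n").split(" ", 1)
    if len(parts) != 2:
        return 'BH message="malformed input"'
    user, password = (unquote(p) for p in parts)
    return "OK" if verify(user, password) else "ERR"


def main():
    # Run stand-alone and type e.g.:  alice correct%20horse
    for line in sys.stdin:
        print(helper_line(line), flush=True)


if __name__ == "__main__":
    main()
```

Running the file and typing a line by hand is the same check the text suggests for a real helper; `decode_basic` is the reason the FAQ warns against reusing an account password, since any observer of the unencrypted hop between browser and proxy can recover it with one base64 call.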