FreeBSD - squid

Установка squid

 cd /usr/ports/www/squid
 make showconfig |grep =on
 
 SQUID_KERB_AUTH=on "Install Kerberos authentication helpers"
 SQUID_NIS_AUTH=on "Install NIS/YP authentication helpers"
 SQUID_DELAY_POOLS=on "Enable delay pools"
 SQUID_CARP=on "Enable CARP support"
 SQUID_IDENT=on "Enable ident (RFC 931) lookups"
 SQUID_KQUEUE=on "Use kqueue(2) instead of poll(2)"
 
 make install clean

/etc/rc.conf

 squid_enable="YES"
 squid_flags="-D -s -l local0"

Настройка squid

Настройка аутентификации

Аутентификация будет производиться через MySQL.
Допустим, уже есть БД squid и пользователь MySQL squid с паролем 123 (пароль приведён только для примера; в рабочей системе задайте стойкий).

Создадим структуру БД

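 # Load the schema into the squid database.
 # -p without a value makes mysql prompt for the password, so it does not end up in the
 # process list or the shell history (an inline -p<password> does).
 mysql -u squid -p squid < base.sql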

base.sql

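 -- Proxy accounts checked by the mysql_auth helper.
 -- password holds the output of MySQL PASSWORD() (see the INSERT example and the helper
 -- query on this page): an unsalted hash meant for MySQL's own accounts. The function was
 -- removed in MySQL 8.0.11, so the scheme works as written only on older servers.
 CREATE TABLE proxy_users (
   id int(11) unsigned NOT NULL auto_increment,
   username varchar(255) NOT NULL default '',
   password varchar(255) NOT NULL default '',
   -- 0 = account active, 1 = blocked; the helper query only matches disabled = '0'
   disabled int(1) unsigned NOT NULL,
   PRIMARY KEY  (id),
   -- one row per login: a duplicate row would let a blocked name keep working
   UNIQUE KEY username (username)
   -- no index on password: lookups always filter by username, so indexing the hash adds nothing
 );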

Пример заполнения БД

Создание пользователя squid (пароль 123 — только пример; PASSWORD() даёт несолёный хеш и удалена в MySQL 8.0.11)
 mysql> INSERT INTO proxy_users (username,password,disabled) VALUES('squid',password('123'),0);

Блокировка пользователя squid

 mysql> update proxy_users SET disabled=1 where username='squid';

Установка программы аутентификации

 # Fetch and unpack the mysql_auth helper sources into the home directory.
 cd ~
 # NOTE(review): the archive comes over plain HTTP and nothing on this page verifies a
 # checksum or signature. The code is then built and installed under /usr/local/sbin, so
 # review the sources or compare the archive with a known-good hash before "make install".
 wget http://kaba.org.ua/soft/squid/mysql_auth.tar.bz2
 tar -xvjf mysql_auth.tar.bz2
 cd mysql_auth
Поправим строку запроса в mysql_auth.c, чтобы учитывалось поле disabled:
 /* Builds the lookup query: a row matches only when username, password('...') and
    disabled = '0' all match.
    NOTE(review): buf and p are pasted into the SQL text through '%s' as-is. Presumably they
    hold the username and password received from the client (confirm in mysql_auth.c); if so,
    they must be escaped first (mysql_real_escape_string()) or bound through a prepared
    statement, otherwise a quote character in either value changes the query.
    sprintf() also puts no bound on the write into qbuf; prefer snprintf() with the real
    size of qbuf. */
 sprintf(qbuf, "select " A_USERNAME " from " A_TABLE " where " A_USERNAME "='%s' and " A_PASSWORD "=password('%s') AND disabled = '0'", buf, p);
Сборка программы
 make
 make install
 ls -l /usr/local/sbin/mysql_auth
 -rwx--x--t  1 root  wheel  10146 22 июл 10:41 /usr/local/sbin/mysql_auth

Конфигурация squid

/usr/local/etc/squid/squid.conf

 http_port x.x.x.x:3128
 dns_nameservers 127.0.0.1                          
 tcp_outgoing_address x.x.x.x
 #visible_hostname proxy.roshoster.com
 
 # -------------------- Auth -------------------------------------------------------
 # Basic auth: the client sends username:password base64-encoded (not encrypted) with
 # each request, so on a plain http_port it is readable by anyone on the network path.
 # Helper program that checks each username/password pair.
 auth_param basic program /usr/local/sbin/mysql_auth
 # Number of helper processes started to serve authentication requests.
 auth_param basic children 5
 # Realm text shown to the user in the login prompt.
 auth_param basic realm Squid proxy-caching web server
 # A successful check is reused for 5 minutes; a user disabled in the database may keep
 # access until the cached entry expires.
 auth_param basic credentialsttl 5 minutes
 # ---------------------------------------------------------------------------------
 
 # -------------------- ACLs -------------------------------------------------------
 acl all src all                                                                    
 acl manager proto cache_object                                                     
 acl localhost src 127.0.0.1/32                                                     
 
 acl SSL_ports port 443
 
 acl Safe_ports port 80          # http
 acl Safe_ports port 21          # ftp 
 acl Safe_ports port 443         # https
 acl Safe_ports port 70          # gopher
 acl Safe_ports port 210         # wais
 acl Safe_ports port 1025-65535  # unregistered ports
 acl Safe_ports port 280         # http-mgmt
 acl Safe_ports port 488         # gss-http
 acl Safe_ports port 591         # filemaker
 acl Safe_ports port 777         # multiling http
 
 acl CONNECT method CONNECT
 
 acl shoutcast rep_header X-HTTP09-First-Line ^ICY.[0-9]
 upgrade_http0.9 deny shoutcast
 acl apache rep_header Server ^Apache
 
 acl password proxy_auth REQUIRED
 # ---------------------------------------------------------------------------------
 
 # -------------------- Limit bandwith  --------------------------------------------
 #delay_pools 1
 #delay_class 1 1
 #delay_access 1 allow password
 #delay_parameters 1 64000/64000 # канал 64 кбайт/с для каждого.
 #delay_access 1 deny all
 
 delay_pools 1
 delay_class 1 2
 delay_access 1 allow password
 
 #               pool      bytes/sec / download size
 #delay_parameters 1 64000/64000 8000/16000 # файлы размером > 16 кбайт качаются со скоростью 8 кбайт/с, файлы < 16 кбайт - со скоростью 64 кбайт/с.
 delay_parameters 1 64000/64000 -1/-1 # канал 64 кбайт/с делится на всех.
 
 delay_access 1 deny all
 # ---------------------------------------------------------------------------------
 
 # -------------------- Access -----------------------------------------------------
 # http_access rules are checked top to bottom; the first matching rule decides.
 # Cache manager requests are accepted from localhost only.
 http_access allow manager localhost
 http_access deny manager
 # Refuse requests to ports outside the Safe_ports list.
 http_access deny !Safe_ports
 # CONNECT tunnels are allowed to SSL_ports (443) only.
 http_access deny CONNECT !SSL_ports
 # Any authenticated user is allowed, from any source address: no src ACL in this file
 # limits the clients. If the proxy is not meant to be public, add a src ACL here or
 # restrict the port with a firewall.
 http_access allow password
 
 # Default deny for everything that did not match above.
 http_access deny all
 icp_access deny all
 # ---------------------------------------------------------------------------------
 
 hierarchy_stoplist cgi-bin ?
 
 access_log /var/squid/logs/access.log squid
 
 refresh_pattern ^ftp:           1440    20%     10080
 refresh_pattern ^gopher:        1440    0%      1440
 refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
 refresh_pattern .               0       20%     4320
 
 broken_vary_encoding allow apache
 
 coredump_dir /var/squid/cache
 error_directory /usr/local/etc/squid/errors/Russian-1251

Настройка логов

 touch /var/squid/logs/squid.log
 chmod 640 /var/squid/logs/squid.log
 chown squid:squid /var/squid/logs/squid.log
/etc/syslog.conf
 local0.*                                                               -/var/squid/logs/squid.log
 *.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err;!local0   /var/log/messages
/etc/rc.d/newsyslog
 /var/squid/logs/access.log      squid:squid     640  365   *    @T00  JC
 /var/squid/logs/cache.log       squid:squid     640  30    *    @T00  JC
 /var/squid/logs/squid.log       squid:squid     640  30    *    @T00  JC
 /var/squid/logs/store.log       squid:squid     640  30    *    @T00  JC

Перезапуск служб

 /etc/rc.d/syslogd restart
 /etc/rc.d/newsyslog restart

Запуск squid

 /usr/local/etc/rc.d/squid start

Ссылки
