Está en la página 1de 11

Access Control Lists

by mike on November 9, 2008 · 2 comments in Proxy Server The importance of access controls cannot be overstated. It is important to have a good understanding of how to control who uses squid. When access controls are created you will use two components. The first is the acl which defines, clients, IP Addresses, hostnames, origin port numbers and request methods. Once these are created they are combined with rules for the acls. The acls are created using a basic structure. acl name type value Here is an example which shows the name as “net”, the type is “src” which is the source and the vlaue is the network address. acl net src ACL Types There are about 25 acl types which can be used. src, dst, myip Several types use ip addresses as a value. The following three examples are all acceptable to squid. Squid will try to calculate the subnet if it is not included, however, it is a good practice to add the correct subnet when the acl is written. acl net src acl net src acl net src Hostnames may be used in the acls but this is not a god idea and squid will convert hostnames on startup but will not make DNS lookups after that so if the address of the host changes it will be incorrect. src The src is the source or where the request is coming from. acl myworkstation src Here the source is the specific ip address of dst dst is where the request is directed at. One of the problems of using dst is that it must make a

This may be very useful for setting up squid so that it will listen on two separate networks with different ip addresses. the \ is added because “. Better to use dstdomain. mail. srcdom_regex. The dst type only checks the domain one time. then it will not be able to complete the reverse lookup and fail. so that if it changes you will not have the correct In the examples above the acl example1 will not match mail. If the acl begins with a “. srcdomian. However. The differences between dst and dstdomain. However. then it will be considered an exact lookup before it can process the request and this may take too acl example2 srcdomain . This is the biggest drawback to using srcdomain. url_regex.”. cache_host_domain These types use domain names.example. when using dstdomain. \.com.jpg$ The regular expression matches any file extension that ends in . because it must be an exact match.example.example.example. It is used to indicate which ip address for squid to use. req_mime_type. If it is without the “. . all will match the second acl. www. rep_mime_type ^http:// The regular expression matches any URL that begins with http://. proxy_auth These two types use usernames. ident. acl example1 srcdomain example. myip This type is useful only when squid will use several ip addresses. proxy_auth_regex.” then it is used as a wildcard and it will match all domains and subdomians. dstdom_regex.jpg. nor www. which is a safer situation. ident_regex. If a domain is not configured and example.example. srcdomain The srcdomain will force squid to do a reverse DNS lookup to verify the IP Address.” is also a wildcard. squid will check it every time it is accessed. Be careful with domain names because of the difference between domain names and subdomains. browser.

myport The port number is a number that is used by a service on a server or workstation to communicate with another service. port 80 for web services.acl net url_regex ^http://www Squid is case sensitive by default. In order to make it case insensitive use the -i option. acl net url_regex -i ^http://www port.7.443. port 443 for encrypted sites and port 1209 is a special port used for a web based learning site. Port 21 is used for ftp. For example if the squid server was accepting connections as a proxy for users and also accepting connections as a HTTP accelerator. The best configuration will deny all ports and only allow those determined to be safe.168.80.0/24 . acl net port 22 acl net port 20-21 port Ports are an area to be careful with. acl accelerator myport 80 acl proxy myport 3128 acl net src 192. Unregistered ports are ports that are used to connect to services on the Internet and are generally accepted as safe when they are outgoing ports. The configuration below allows only ports 21. acl SSL_ports port 443 acl Safe_ports port 80 # http acl Safe_ports port 21 # ftp acl Safe_ports port 1209 # plato acl Safe_ports port 1025-65535 # unregistered ports http_access deny !Safe_ports myport Myport is used when a squid server may receive different types of requests for specific services.1209 and unregistered ports.

7 as the default which is focused on high-performance with features aimed at high traffic volume. The user.Ubuntu 10.Create Detailed Information About User Activity on the Internet 4. Be sure that any modifications you make are viewed as version specific.04 Squid Proxy by mike on April 9. sudo apt-get install squid Start / Stop / Restart Because squid is now integrated with upstart the best way to control squid is using these commands: start squid stop squid restart squid . Install and Start Squid Ubuntu now installs squid 2.Enforce Use by Authorized Users Only 6. This is in contrast to the other option squid 3. Squid can accelerate traffic from the inside network to the Internet or it can be employed to act as a front-end accelerator for a Web server. in reality never reaches the Internet as the proxy server retrieves and caches all the sites the user makes requests for. squid retrieves the web page and then provides it to the user. 2010 · 8 comments in Proxy Server Squid is a caching proxy server that can provide enhanced performance for HTTP. increasing access to the web pages on the server.Protect the Internal Network When Surfing the Internet 3. When squid works as a proxy and a user makes a request for a web site.0 which has a greater focus on web filtering.Filter Sensitive Material 7. and as a cache. Squid is compliant to the Harvest Cache architecture and uses the Inter-Cache Protocol (ICP) to transfer data between peer and /parent/child servers.Prevent Inappropriate Activity by Users on the Internet 5. working in behalf of a user. Squid will cache commonly accessed sites so that it can improve performance by 10-20% for Internet connections. Here is what Squid can do: 1.Accelerate Web Server Pages Live Ubuntu Courses or Online Ubuntu Courses are available. Squid acts both as a proxy.Accelerate Internet Connections for Internal Network 2.HTTPS and FTP.

restart squid squid start/running. The hostname is automatically discovered by squid. 677 http_access allow localhost 678 http_access allow localnet This is possible because the default settings now include these three private networks. .168. visible_hostname myserver The only line that must be set is to create a http_access variable that will allow users on the internal network to access the Internet. acl localnet src 10.Important Locations Once you install Squid.0/8 acl localnet src 172. since the Squid configuration file has over 4960 lines it is not the easiest to work with. A basic configuration of Squid only needs one modification. however if you want to set a specific name you can use visible hostname. /etc/squid config directory /etc/squid/squid.0.conf squid configuration file /usr/share/doc/squid documentation and examples /usr/lib/squid support files /usr/sbin/squid squid daemon /var/log/squid log directory /var/spool/squid cache directory Basic Squid Configuration The complete configuration file is found at /etc/squid/squid.0. The line should look something like this: http_access allow localnet This line needs to be placed in a specific location.conf. The default port that you will connect to is 3128 and set squid to use all protocols. note that the localhost is configured to work by default. Several points to note about the proxy settings.0/16 Once you have set this up restart squid with the following command.0. if you are using private networks.0/12 acl localnet src 192. you will need to be familiar with these locations that are important for Squid.0. process 13551 Here is a tutorial with additional information on Squid ACLs Point your browsers from those internal machines to the squid proxy.16. included in the example is the line number so it is easier to locate. Once that is set you should have Internet access. However.

168.0/24 to any port 3128 Tagged as: Proxy Server. ufw allow proto tp from 192. Limit access so that clients can only go through port 3128. Here is an example of allowing an entire subnet. ubuntu 10.You will need to configure your firewall.4. save resources and protect your internal machines. squid. This will force them to use the proxy which will provide speed.04 .

1 # the port DansGuardian connects to proxy on proxyport = 3128 . This has the advantage of stopping unacceptable content before the user has access and preventing harmful file access.main configuration file is dansguardain. 3128 so that Dansguardian can talk to Squid and port 8080 so the client can talk to Dansguardian.e.0. evaluate images and types of file extensions before the client has access. The main concept behind content filtering is that the application will read the text.0.conf. As you can see below.Dansguardian Content Filter by mike on April 13. authplugins dansguardian.conf languages The . The illustration shows how this works.conf downloadmanagers lists contentscanners dansguardianf1. 2010 · 3 comments in Proxy Server Dansguardian is a content filter that is easy to set up and configure with your preferences including the ability to scan http access with clamav. This file needs to be modified so that this line is either commented out or removed. this server) proxyip = 127. #UNCONFIGURED – Please remove this line after configuration You do not need to make any other adjustments to this configuration file to get it to work. sudo apt-get install dansguardian clamav-daemon Once Dansguardian is installed you will have a directory /etc/dansguardian that shows this content. The important implication is that you now need to alter the client so it listens on port 8080 not 3128. filterport = 8080 # the ip of the proxy (default is the loopback – i. filterip = # the port that DansGuardian listens to. once you implement Dansguardian you will be using two ports.

0:8080 0. adjust your client to listen on the correct port.0.0.0:3128 tcp 0 0 0.0:* 0. .0. Next.conf you must restart squid and Dansguardian. netstat -aunt tcp 0 0 0.0:* LISTEN LISTEN Once you have commented out the necessary line in the dansguardian.0.0.You should see that the server is listening on two ports with netstat.0.0.0. Here is the client adjusted to listen on port 8080.

conf you will find these options that are commonly adjusted.You also have the ability to scan files for virus activity with clamav. dansguardain. You can either block all downloads or follow the lists and select specific file types you will not all ow to be downloaded.conf and dansguardianf1. Check to see if clamav is available with this command. In the dansguardian. blockdownloads = off exceptionextensionlist = „/etc/dansguardian/lists/exceptionextensionlist‟ exceptionmimetypelist = „/etc/dansguardian/lists/exceptionmimetypelist‟ . ps -ef | grep clamav clamav 14054 1 0 07:00 ? clamav 14978 1 0 14:27 ? 00:00:00 /usr/bin/freshclam -d –quiet 00:00:00 /usr/sbin/clamd Content Management The configuration files in /etc/dansguardian.conf are both well commented and provide a lot of options.

etc. naughtynesslimit = 50 The lists directory contains a list of files that can be adjusted to your requirements. increase the number for greater access. banned. file types. These files include text files that are easy to adjust in terms of ratings for terms.bannedextensionlist = „/etc/dansguardian/lists/bannedextensionlist‟ bannedmimetypelist = „/etc/dansguardian/lists/bannedmimetypelist‟ The content is rated using a numbering system. These should be easy enough to modify as they are heavily comments. squid proxy . which you can adjust. The files are one of three types. exceptions or lists of terms and weights for those terms. Proxy Server. and once content is evaluated and goes over the “naughtynesslimit” the content is denied. Tagged as: proxy content management. So you can adjust the number which is that top limit with this setting.

2008 · 1 comment in Proxy Server The hardware requirements are not as large as you would think. Usually it is a good idea to consider SCSI for disks on a proxy server just because of speed. plan for growth and estimate high for concurrent users so you do not need to come back later and upgrade. 32 MB of RAM are required for every GB of disk space. If you are using ATA drives and have multiple drives on one channel you will find the system has to wait as it can only access one drive at a time. the more memory is required per object so this may increase memory requirements. The other major consideration for Squid is disks. The second variable is the number of users that are on the system concurrently. However. The point is. This is a large variable in that the difference between 5 users and 105 users is considerable. SATA drives or even some ATA drives are increasing in speeds and are much cheaper.Hardware Requirements for Squid by mike on November 7. The larger the object. Generally. RAM is important because each object in the cache requires a small amount of memory. If you run out of memory there will be a significant reduction in speed. . The faster the disk read and write the faster Squid will operate. The other advantage that SCSI has is that it can access 7 different drives allowing for multiple reads and writes without a slowdown in access. The most important aspect to consider is the RAM that is available for Squid. One variable is object size. There are a number of variables that impact the speed of Squid and the hardware that is required.