Squid : Installation et configuration de Squid

From Deimos.fr / Bloc Notes Informatique
Jump to: navigation, search
Squid

Software version 2.7
Operating System FreeBSD 9
Debian 6
Website Squid Website
Last Update 06/06/2012
Others

1 Introduction

Un serveur Squid est un serveur mandataire (proxy) capable d'utiliser les protocoles FTP, HTTP, Gopher, et HTTPS. Contrairement aux serveurs proxy classiques, un serveur Squid gère toutes les requêtes en un seul processus d'entrée/sortie, non bloquant.

C'est un logiciel libre distribué selon les termes de la licence GNU GPL.

Squid garde les meta-données et plus particulièrement les données les plus fréquemment utilisées en mémoire. Il conserve aussi en mémoire les requêtes DNS, ainsi que les requêtes ayant échoué. Les requêtes DNS sont non bloquantes.

Les données mémorisées peuvent être rangées en hiérarchies ou en mailles pour utiliser moins de bande passante.

Squid est inspiré du projet Harvest. Il est compatible avec IPv6 à partir de sa version 3.

2 Installation

2.1 Debian

L'installation est simple :

Command aptitude
aptitude install squid

2.2 FreeBSD

L'installation se fait facilement :

Command pkg_add
pkg_add -vr squid

Initialisez ensuite le cache :

Command squid
> squid -z
2012/05/29 05:20:40| Creating Swap Directories

Puis mettez Squid en démarrage au boot :

Configuration File /etc/rc.conf
# Squid
squid_enable="YES"

Et enfin nous allons nous faire un fichier de configuration le plus basique possible :

Command
cp /usr/local/etc/squid/squid.conf /usr/local/etc/squid/squid.conf.default
grep -v "^#" < /usr/local/etc/squid/squid.conf.default | sed '/^$/d' > /usr/local/etc/squid/squid.conf

3 Configuration

3.1 Exemple 1

Configuration File /usr/local/etc/squid/squid.conf
#-------------------------------------------------------------------------------
# Minimum configuration
#-------------------------------------------------------------------------------
acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
# Squid listening port
http_port 3128
 
#-------------------------------------------------------------------------------
# Security
#-------------------------------------------------------------------------------
#chroot on                            # Chroot Squid deamon
forwarded_for off                    # Hide source IP
visible_hostname proxy.deimos.fr     # Mask proxy name
httpd_suppress_version_string on     # Hide squid version
 
#-------------------------------------------------------------------------------
# ACL network definition
#-------------------------------------------------------------------------------
acl wifi_net src x.x.x.x/24  	# Wifi network
acl wan_net src x.x.x.x/24	# Wan local network
 
#-------------------------------------------------------------------------------
# ACL Ports definition
#-------------------------------------------------------------------------------
acl SSL_ports port 443
acl Safe_ports port 80		    # http
acl Safe_ports port 21		    # ftp
acl Safe_ports port 443		    # https
acl Safe_ports port 70		    # gopher
acl Safe_ports port 210		    # wais
acl Safe_ports port 1025-65535	# unregistered ports
acl CONNECT method CONNECT
 
#-------------------------------------------------------------------------------
# Specific ACL
#-------------------------------------------------------------------------------
# Apache mod_gzip and mod_deflate known to be broken so don't trust
# Apache to signal ETag correctly on such responses
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
#We recommend you to use at least the following line
hierarchy_stoplist cgi-bin ? 
 
#-------------------------------------------------------------------------------
# Allow/Deny access
#-------------------------------------------------------------------------------
# Minimal access
http_access allow manager localhost
http_access deny manager
# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
# Custom access
http_access allow wifi_net
# And finally deny all other access to this proxy
http_access deny all
 
#-------------------------------------------------------------------------------
# Internet Cache Protocol
#-------------------------------------------------------------------------------
icp_access allow wifi_net
icp_access deny all
 
#-------------------------------------------------------------------------------
# Cache properties
#-------------------------------------------------------------------------------
cache_mgr root                     # Email contact in cache die case
# cache_dir ufs Directory-Name Mbytes L1 L2 [options]
cache_dir ufs /var/squid/cache 1024 16 256
maximum_object_size 10240000 KB    # Set maximum file size to be cached
# Cache expiration patterns
refresh_pattern ^ftp:		1440	20%	10080
refresh_pattern ^gopher:	1440	0%	1440
refresh_pattern -i (/cgi-bin/|\?) 0	0%	0
refresh_pattern .		0	20%	4320
 
#-------------------------------------------------------------------------------
# Performances Tuning
#-------------------------------------------------------------------------------
pipeline_prefetch on    # To boost the performance of pipelined requests
 
#-------------------------------------------------------------------------------
# Logs
#-------------------------------------------------------------------------------
access_log /var/squid/logs/access.log squid
cache_log /var/squid/logs/cache.log
cache_store_log /var/squid/logs/store.log
coredump_dir /var/squid/cache
buffered_logs on            # Will speed up if there is not a lot of logs
debug_options ALL,1         # Set log level 1 -> 9

3.2 Exemple 2

Pour la configuration, je ne vais pas rentrer dans les détails, mais voici un aperçu d'une configuration qui fonctionne et qui est assez restrictive :

Configuration File /etc/squid/squid.conf
http_port 3129 
http_port 3128 
icp_port 3131
 
# Be more anonymous
# That’s three pieces of information you may not want to give away:
# - The host name of your proxy server
# - The version of Squid it’s running
# - The IP address of the system that’s making the request via the proxy
forwarded_for off
visible_hostname proxy.local
httpd_suppress_version_string on
 
####auth_param basic program /usr/lib/squid/squid_ldap_auth -b dc=openldap,dc=mycompany,dc=lan -f 'uid=%s' -s sub ldap
#auth_param basic program /usr/lib/squid/squid_ldap_auth -v 3 -b dc=openldap,dc=mycompany,dc=lan -f "(&(objectClass=mycompanyUser)(uid=%s))" -s sub -H ldap://ldap
auth_param basic credentialsttl 2 hours
#auth_param basic realm Web-Proxy
 
#acl Authentified proxy_auth REQUIRED
acl all	src 0.0.0.0/0
acl mycompany dstdomain mycompany.net
acl mycompany dstdomain mycompany.com
acl mycompany dstdomain mycompany.lan
 
# Concurent access
#url_rewrite_concurrency 20
 
# White and Black lists
#acl url_blacklist dstdom_regex -i "/etc/squid/bidon.txt" 
#acl good_domains dstdom_regex -i "/etc/squid/good_domains"
acl url_whitelist dstdom_regex -i "/etc/squid/url_whitelist.txt" 
acl url_blacklist dstdom_regex -i "/etc/squid/url_blacklist.txt" 
acl dst_whitelist dst "/etc/squid/dst_whitelist.txt"
acl dst_blacklist dst "/etc/squid/dst_blacklist.txt" 
 
# Facebook
acl facebook dstdom_regex facebook.com
acl srcfacebook src 10.101.4.253/32
acl srcfacebook src 10.101.0.253/32 
acl srcfacebook src 10.101.0.107/32
acl srcfacebook src 10.101.4.23/32 
 
# SuperUser
acl SuperUser src 10.101.4.253/32
 
# Monster
acl monsternet	dst 208.71.196.0/24
acl monsternet	dst 63.112.169.0/24
acl monsterdom  dstdom_regex newjobs.com monster.com
 
# Bypass proxy
acl binaries_ext  url_regex -i \.iso$ \.zip$ \.deb$ \.rpm$ \.gz$ \.bz2$ \.exe$ \.cab$ \.bin$ \.tgz$ \.msi$ \.sh$
acl binaries_mime req_mime_type -i ^application/x-debian-package$ ^application/x-bzip2$
 
acl tunnelurl     url_regex ^http://.*/IDLE/[0-9]+$
acl tunnelurl     url_regex ^http://.*/SEND/[0-9]+$
acl tunnelmethod  method POST
acl videoreq req_mime_type -i ^video/x-ms-wmv$
acl audioreq req_mime_type -i ^audio/mpeg$
acl tunnelreq req_mime_type -i ^application/x-fcs$
acl videorep rep_mime_type -i ^video/x-ms-wmv$
acl audiorep rep_mime_type -i ^audio/mpeg$
acl tunnelrep rep_mime_type -i ^application/x-fcs$
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl localnet src 10.0.0.0/8    # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16        # RFC1918 possible internal network
 
# SSL Ports
acl SSL_ports port 443
acl SSL_ports port 5050	# yahoo
 
# Allow outbound ports
acl Safe_ports port 80		# http
acl Safe_ports port 8080	# http
acl Safe_ports port 11371	# gpg key
acl Safe_ports port 21		# ftp
acl Safe_ports port 21		# ftp
 
acl CVS_port port 2401		# CVS
acl CONNECT method CONNECT
 
# Bypass hours
acl timeok time 18:00-23:59
acl timeok time 00:00-09:00
acl timeok time 12:00-14:00
acl timeok time AS
 
acl visio src 10.101.3.17/32
acl visio src 10.101.3.9/32
 
# Google talk ACL
acl	port_gtalk	port 5222
acl gtalk_dst dstdom_regex talk.*.google.com
 
# ulbridge and co
acl	port_63007	port 63007
acl	port_63005	port 63005
acl	port_8090	port 8090
acl	port_2000	port 2000
acl	snutulbrlbnuat01 dstdom_regex 	snutulbrlbnuat01
acl	cnutulomlnprd-om01 dstdom_regex cnutulomlnprd-om01
acl cnutulbrlnprd-br01 dstdom_regex cnutulbrlnprd-br01
acl	public_ip	dst 62.23.35.231/32
 
http_access allow Superuser
http_access allow timeok
http_access allow url_whitelist
http_access allow dst_whitelist
http_access allow srcfacebook facebook
http_access deny url_blacklist
http_access deny dst_blacklist
http_access deny tunnelurl tunnelmethod
http_access deny audioreq
http_access deny videoreq
http_access deny tunnelreq
 
http_reply_access allow timeok
http_reply_access allow url_whitelist
http_reply_access deny audiorep
http_reply_access deny videorep
http_reply_access deny tunnelrep
 
http_access allow snutulbrlbnuat01 port_63005
http_access allow snutulbrlbnuat01 port_63007
http_access allow cnutulomlnprd-om01 port_63007
http_access allow cnutulbrlnprd-br01 port_63005
http_access allow stmartin port_8003
http_access allow public_ip port_2000
 
# Google talk
http_access allow gtalk_dst port_gtalk
 
http_access allow manager localhost
http_access deny manager
http_access allow localhost
#http_access allow localnet Safe_ports mycompany Authentified
#http_access deny localnet Safe_ports mycompany !Authentified
#http_access allow localnet Authentified
#http_access allow localnet CONNECT Authentified
http_access allow localnet Safe_ports 
http_access allow localnet CVS_port
#Authentified
http_access allow localnet SSL_ports CONNECT 
http_access allow localnet CVS_port CONNECT 
#Authentified
#http_access deny !Safe_ports
#http_access deny CONNECT !SSL_ports
http_access deny all
 
icp_access deny all
htcp_access deny all
 
cache deny monsternet
cache deny monsterdom
 
deny_info http://proxy.mycompany.lan/not-allowed-new.html all
deny_info http://proxy.mycompany.lan/not-allowed-new.html url_blacklist.txt
deny_info http://proxy.mycompany.lan/not-allowed-new.html dst_blacklist.txt
 
#hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
 
# comment it out to desactivate squidGuard
url_rewrite_program /usr/bin/squidGuard -c /etc/squid/squidGuard.conf
 
refresh_pattern ^ftp:		1440	20%	10080
refresh_pattern ^gopher:	1440	0%	1440
refresh_pattern (cgi-bin|\?)	0	0%	0
#refresh_pattern -i \.(gif|jpg|avi|iso|txt)$ 60 20% 120
refresh_pattern .		0	20%	4320
#refresh_pattern -i \.(gif|jpg|avi|iso|txt)$ 30 20% 60
 
coredump_dir /var/spool/squid
access_log /var/log/squid/access.log squid
 
cache_dir ufs /var/spool/squid 25000 16 256
maximum_object_size 1024000 KB
 
delay_pools 3
 
delay_class 1 2
delay_parameters 1 -1/-1 -1/-1
 
delay_class 2 3
##delay_parameters 2 256000/256000 64000/64000 16000/48000
delay_parameters 2 256000/256000 64000/64000 -1/-1
#delay_parameters 2 -1/-1 256000/1280000 -1/-1
#delay_parameters 2 256000/256000 -1/-1 -1/-1
 
delay_class 3 1
delay_parameters 3 256000/256000
#delay_parameters 3 1024000/1024000
 
 
delay_access 1 deny localnet
delay_access 3 allow binaries_ext
delay_access 3 allow visio
delay_access 2 deny  binaries_ext
delay_access 2 allow localnet
 
 
#debug_options ALL,1 29,6 28,6
ignore_expect_100 on

Maintenant, il ne reste plus qu'a adapter et relancer le serveur.

3.3 Vérifier ses règles

3.3.1 Get

Pour les méthodes Get, il est possible de vérifier ce qui est disponible de cette façon :

Command nc
printf "GET http://<destination_ip>:<destination_port>\r\n" |  nc -w 1 <proxy> <proxy_port>

3.3.2 Connect

Il faut limiter au maximum les méthodes CONNECT et laisser uniquement la méthode GET. CONNECT est généralement utilisé par le port 443 et est potentiellement dangereux car il permet de faire du tunneling. Pour exploiter un tunnel, voici comment faire :

Command nc
nc -w 1 -v -X connect -x <proxy>:<proxy_port> <destination> <destination_port>

On peut donc voir si ça fonctionne (et qu'un port est ouvert de l'autre côté) un résultat du type :

Connection to 88.191.144.199 873 port [tcp/rsync] succeeded!

ou

nc: Proxy error: "HTTP/1.0 504 Gateway Time-out"

A ce moment là, on sait que le mode CONNECT fonctionne sur ce port. Sinon, on aura :

nc: Proxy error: "HTTP/1.0 302 Moved Temporarily"

4 FAQ

4.1 WARNING! Your cache is running out of filedescriptors

Cela arrive quand squid vient taper le max des ulimit. Cela se manifeste par de gros ralentissements sur Internet. Pour résoudre ce problème, augmentez simplement la taille des file descriptor (par défaut à 1024) :

Configuration File /etc/default/squid
SQUID_MAXFD=4096

Puis redémarrez le service

5 Ressources

http://www.squid-cache.org/
http://www.visolve.com/squid/squid27/contents.php
http://www.visolve.com/squid/squid27/accesscontrols.php
http://www.davidandrzejewski.com/2011/11/06/squid-proxy-make-outgoing-headers-anonymous/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+davidandrzejewski+%28David+Andrzejewski%29