Squid : Installation et configuration de Squid
From Deimos.fr / Bloc Notes Informatique
Contents
 |
|
| Software version | 2.7 |
|---|---|
| Operating System | FreeBSD 9 Debian 6 |
| Website | Squid Website |
| Last Update | 06/06/2012 |
| Others | |
1 Introduction
Un serveur Squid est un serveur mandataire (proxy) capable d'utiliser les protocoles FTP, HTTP, Gopher, et HTTPS. Contrairement aux serveurs proxy classiques, un serveur Squid gère toutes les requêtes en un seul processus d'entrée/sortie, non bloquant.
C'est un logiciel libre distribué selon les termes de la licence GNU GPL.
Squid garde les meta-données et plus particulièrement les données les plus fréquemment utilisées en mémoire. Il conserve aussi en mémoire les requêtes DNS, ainsi que les requêtes ayant échoué. Les requêtes DNS sont non bloquantes.
Les données mémorisées peuvent être rangées en hiérarchies ou en mailles pour utiliser moins de bande passante.
Squid est inspiré du projet Harvest. Il est compatible avec IPv6 à partir de sa version 3.
2 Installation
2.1 Debian
L'installation est simple :
 aptitude
|
aptitude install squid |
2.2 FreeBSD
L'installation se fait facilement :
| pkg_add
|
pkg_add -vr squid |
Initialisez ensuite le cache :
| squid
|
> squid -z 2012/05/29 05:20:40| Creating Swap Directories |
Puis mettez Squid en démarrage au boot :
 /etc/rc.conf
|
# Squid squid_enable="YES" |
Et enfin nous allons nous faire un fichier de configuration le plus basique possible :
|
|
cp /usr/local/etc/squid/squid.conf /usr/local/etc/squid/squid.conf.default grep -v "^#" < /usr/local/etc/squid/squid.conf.default | sed '/^$/d' > /usr/local/etc/squid/squid.conf |
3 Configuration
3.1 Exemple 1
| /usr/local/etc/squid/squid.conf
|
#------------------------------------------------------------------------------- # Minimum configuration #------------------------------------------------------------------------------- acl all src all acl manager proto cache_object acl localhost src 127.0.0.1/32 acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 # Squid listening port http_port 3128 #------------------------------------------------------------------------------- # Security #------------------------------------------------------------------------------- #chroot on # Chroot Squid deamon forwarded_for off # Hide source IP visible_hostname proxy.deimos.fr # Mask proxy name httpd_suppress_version_string on # Hide squid version #------------------------------------------------------------------------------- # ACL network definition #------------------------------------------------------------------------------- acl wifi_net src x.x.x.x/24 # Wifi network acl wan_net src x.x.x.x/24 # Wan local network #------------------------------------------------------------------------------- # ACL Ports definition #------------------------------------------------------------------------------- acl SSL_ports port 443 acl Safe_ports port 80 # http acl Safe_ports port 21 # ftp acl Safe_ports port 443 # https acl Safe_ports port 70 # gopher acl Safe_ports port 210 # wais acl Safe_ports port 1025-65535 # unregistered ports acl CONNECT method CONNECT #------------------------------------------------------------------------------- # Specific ACL #------------------------------------------------------------------------------- # Apache mod_gzip and mod_deflate known to be broken so don't trust # Apache to signal ETag correctly on such responses acl apache rep_header Server ^Apache broken_vary_encoding allow apache #We recommend you to use at least the following line hierarchy_stoplist cgi-bin ? #------------------------------------------------------------------------------- # Allow/Deny access #------------------------------------------------------------------------------- # Minimal access http_access allow manager localhost http_access deny manager # Deny requests to unknown ports http_access deny !Safe_ports # Deny CONNECT to other than SSL ports http_access deny CONNECT !SSL_ports http_access deny to_localhost # Custom access http_access allow wifi_net # And finally deny all other access to this proxy http_access deny all #------------------------------------------------------------------------------- # Internet Cache Protocol #------------------------------------------------------------------------------- icp_access allow wifi_net icp_access deny all #------------------------------------------------------------------------------- # Cache properties #------------------------------------------------------------------------------- cache_mgr root # Email contact in cache die case # cache_dir ufs Directory-Name Mbytes L1 L2 [options] cache_dir ufs /var/squid/cache 1024 16 256 maximum_object_size 10240000 KB # Set maximum file size to be cached # Cache expiration patterns refresh_pattern ^ftp: 1440 20% 10080 refresh_pattern ^gopher: 1440 0% 1440 refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 refresh_pattern . 0 20% 4320 #------------------------------------------------------------------------------- # Performances Tuning #------------------------------------------------------------------------------- pipeline_prefetch on # To boost the performance of pipelined requests #------------------------------------------------------------------------------- # Logs #------------------------------------------------------------------------------- access_log /var/squid/logs/access.log squid cache_log /var/squid/logs/cache.log cache_store_log /var/squid/logs/store.log coredump_dir /var/squid/cache buffered_logs on # Will speed up if there is not a lot of logs debug_options ALL,1 # Set log level 1 -> 9 |
3.2 Exemple 2
Pour la configuration, je ne vais pas rentrer dans les détails, mais voici un aperçu d'une configuration qui fonctionne et qui est assez restrictive :
| /etc/squid/squid.conf
|
http_port 3129 http_port 3128 icp_port 3131 # Be more anonymous # That’s three pieces of information you may not want to give away: # - The host name of your proxy server # - The version of Squid it’s running # - The IP address of the system that’s making the request via the proxy forwarded_for off visible_hostname proxy.local httpd_suppress_version_string on ####auth_param basic program /usr/lib/squid/squid_ldap_auth -b dc=openldap,dc=mycompany,dc=lan -f 'uid=%s' -s sub ldap #auth_param basic program /usr/lib/squid/squid_ldap_auth -v 3 -b dc=openldap,dc=mycompany,dc=lan -f "(&(objectClass=mycompanyUser)(uid=%s))" -s sub -H ldap://ldap auth_param basic credentialsttl 2 hours #auth_param basic realm Web-Proxy #acl Authentified proxy_auth REQUIRED acl all src 0.0.0.0/0 acl mycompany dstdomain mycompany.net acl mycompany dstdomain mycompany.com acl mycompany dstdomain mycompany.lan # Concurent access #url_rewrite_concurrency 20 # White and Black lists #acl url_blacklist dstdom_regex -i "/etc/squid/bidon.txt" #acl good_domains dstdom_regex -i "/etc/squid/good_domains" acl url_whitelist dstdom_regex -i "/etc/squid/url_whitelist.txt" acl url_blacklist dstdom_regex -i "/etc/squid/url_blacklist.txt" acl dst_whitelist dst "/etc/squid/dst_whitelist.txt" acl dst_blacklist dst "/etc/squid/dst_blacklist.txt" # Facebook acl facebook dstdom_regex facebook.com acl srcfacebook src 10.101.4.253/32 acl srcfacebook src 10.101.0.253/32 acl srcfacebook src 10.101.0.107/32 acl srcfacebook src 10.101.4.23/32 # SuperUser acl SuperUser src 10.101.4.253/32 # Monster acl monsternet dst 208.71.196.0/24 acl monsternet dst 63.112.169.0/24 acl monsterdom dstdom_regex newjobs.com monster.com # Bypass proxy acl binaries_ext url_regex -i \.iso$ \.zip$ \.deb$ \.rpm$ \.gz$ \.bz2$ \.exe$ \.cab$ \.bin$ \.tgz$ \.msi$ \.sh$ acl binaries_mime req_mime_type -i ^application/x-debian-package$ ^application/x-bzip2$ acl tunnelurl url_regex ^http://.*/IDLE/[0-9]+$ acl tunnelurl url_regex ^http://.*/SEND/[0-9]+$ acl tunnelmethod method POST acl videoreq req_mime_type -i ^video/x-ms-wmv$ acl audioreq req_mime_type -i ^audio/mpeg$ acl tunnelreq req_mime_type -i ^application/x-fcs$ acl videorep rep_mime_type -i ^video/x-ms-wmv$ acl audiorep rep_mime_type -i ^audio/mpeg$ acl tunnelrep rep_mime_type -i ^application/x-fcs$ acl manager proto cache_object acl localhost src 127.0.0.1/32 acl to_localhost dst 127.0.0.0/8 acl localnet src 10.0.0.0/8 # RFC1918 possible internal network acl localnet src 172.16.0.0/12 # RFC1918 possible internal network acl localnet src 192.168.0.0/16 # RFC1918 possible internal network # SSL Ports acl SSL_ports port 443 acl SSL_ports port 5050 # yahoo # Allow outbound ports acl Safe_ports port 80 # http acl Safe_ports port 8080 # http acl Safe_ports port 11371 # gpg key acl Safe_ports port 21 # ftp acl Safe_ports port 21 # ftp acl CVS_port port 2401 # CVS acl CONNECT method CONNECT # Bypass hours acl timeok time 18:00-23:59 acl timeok time 00:00-09:00 acl timeok time 12:00-14:00 acl timeok time AS acl visio src 10.101.3.17/32 acl visio src 10.101.3.9/32 # Google talk ACL acl port_gtalk port 5222 acl gtalk_dst dstdom_regex talk.*.google.com # ulbridge and co acl port_63007 port 63007 acl port_63005 port 63005 acl port_8090 port 8090 acl port_2000 port 2000 acl snutulbrlbnuat01 dstdom_regex snutulbrlbnuat01 acl cnutulomlnprd-om01 dstdom_regex cnutulomlnprd-om01 acl cnutulbrlnprd-br01 dstdom_regex cnutulbrlnprd-br01 acl public_ip dst 62.23.35.231/32 http_access allow Superuser http_access allow timeok http_access allow url_whitelist http_access allow dst_whitelist http_access allow srcfacebook facebook http_access deny url_blacklist http_access deny dst_blacklist http_access deny tunnelurl tunnelmethod http_access deny audioreq http_access deny videoreq http_access deny tunnelreq http_reply_access allow timeok http_reply_access allow url_whitelist http_reply_access deny audiorep http_reply_access deny videorep http_reply_access deny tunnelrep http_access allow snutulbrlbnuat01 port_63005 http_access allow snutulbrlbnuat01 port_63007 http_access allow cnutulomlnprd-om01 port_63007 http_access allow cnutulbrlnprd-br01 port_63005 http_access allow stmartin port_8003 http_access allow public_ip port_2000 # Google talk http_access allow gtalk_dst port_gtalk http_access allow manager localhost http_access deny manager http_access allow localhost #http_access allow localnet Safe_ports mycompany Authentified #http_access deny localnet Safe_ports mycompany !Authentified #http_access allow localnet Authentified #http_access allow localnet CONNECT Authentified http_access allow localnet Safe_ports http_access allow localnet CVS_port #Authentified http_access allow localnet SSL_ports CONNECT http_access allow localnet CVS_port CONNECT #Authentified #http_access deny !Safe_ports #http_access deny CONNECT !SSL_ports http_access deny all icp_access deny all htcp_access deny all cache deny monsternet cache deny monsterdom deny_info http://proxy.mycompany.lan/not-allowed-new.html all deny_info http://proxy.mycompany.lan/not-allowed-new.html url_blacklist.txt deny_info http://proxy.mycompany.lan/not-allowed-new.html dst_blacklist.txt #hierarchy_stoplist cgi-bin ? acl QUERY urlpath_regex cgi-bin \? no_cache deny QUERY # comment it out to desactivate squidGuard url_rewrite_program /usr/bin/squidGuard -c /etc/squid/squidGuard.conf refresh_pattern ^ftp: 1440 20% 10080 refresh_pattern ^gopher: 1440 0% 1440 refresh_pattern (cgi-bin|\?) 0 0% 0 #refresh_pattern -i \.(gif|jpg|avi|iso|txt)$ 60 20% 120 refresh_pattern . 0 20% 4320 #refresh_pattern -i \.(gif|jpg|avi|iso|txt)$ 30 20% 60 coredump_dir /var/spool/squid access_log /var/log/squid/access.log squid cache_dir ufs /var/spool/squid 25000 16 256 maximum_object_size 1024000 KB delay_pools 3 delay_class 1 2 delay_parameters 1 -1/-1 -1/-1 delay_class 2 3 ##delay_parameters 2 256000/256000 64000/64000 16000/48000 delay_parameters 2 256000/256000 64000/64000 -1/-1 #delay_parameters 2 -1/-1 256000/1280000 -1/-1 #delay_parameters 2 256000/256000 -1/-1 -1/-1 delay_class 3 1 delay_parameters 3 256000/256000 #delay_parameters 3 1024000/1024000 delay_access 1 deny localnet delay_access 3 allow binaries_ext delay_access 3 allow visio delay_access 2 deny binaries_ext delay_access 2 allow localnet #debug_options ALL,1 29,6 28,6 ignore_expect_100 on |
Maintenant, il ne reste plus qu'a adapter et relancer le serveur.
3.3 Vérifier ses règles
3.3.1 Get
Pour les méthodes Get, il est possible de vérifier ce qui est disponible de cette façon :
| nc
|
printf "GET http://<destination_ip>:<destination_port>\r\n" | nc -w 1 <proxy> <proxy_port> |
3.3.2 Connect
Il faut limiter au maximum les méthodes CONNECT et laisser uniquement la méthode GET. CONNECT est généralement utilisé par le port 443 et est potentiellement dangereux car il permet de faire du tunneling. Pour exploiter un tunnel, voici comment faire :
| nc
|
nc -w 1 -v -X connect -x <proxy>:<proxy_port> <destination> <destination_port> |
On peut donc voir si ça fonctionne (et qu'un port est ouvert de l'autre côté) un résultat du type :
Connection to 88.191.144.199 873 port [tcp/rsync] succeeded!
ou
nc: Proxy error: "HTTP/1.0 504 Gateway Time-out"
A ce moment là, on sait que le mode CONNECT fonctionne sur ce port. Sinon, on aura :
nc: Proxy error: "HTTP/1.0 302 Moved Temporarily"
4 FAQ
4.1 WARNING! Your cache is running out of filedescriptors
Cela arrive quand squid vient taper le max des ulimit. Cela se manifeste par de gros ralentissements sur Internet. Pour résoudre ce problème, augmentez simplement la taille des file descriptor (par défaut à 1024) :
| /etc/default/squid
|
SQUID_MAXFD=4096 |
Puis redémarrez le service
5 Ressources
http://www.squid-cache.org/
http://www.visolve.com/squid/squid27/contents.php
http://www.visolve.com/squid/squid27/accesscontrols.php
http://www.davidandrzejewski.com/2011/11/06/squid-proxy-make-outgoing-headers-anonymous/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+davidandrzejewski+%28David+Andrzejewski%29
