

Сервис HTTP Proxy

Установка, настройка минимальной конфигурации, инициализация кэша и запуск пакета squid

FreeBSD

[gate:~] # pkg_add -r squid
[gate:~] # rehash

[gate:~] # cd /usr/local/etc/squid/

Ubuntu

root@gate:~# apt-get install squid

root@gate:~# /etc/init.d/squid stop

root@gate:~# cd /etc/squid/

FreeBSD/Ubuntu

gate# cat squid.conf
...
#http_access allow localnet
acl our_networks src 192.168.X.0/24
http_access allow our_networks
...
cache_dir ufs /usr/local/squid/cache 200 16 256
...

gate# squid -k parse

gate# squid -z

FreeBSD

[gate:~] # cat /etc/rc.conf
...
squid_enable=yes
...

[gate:~] # /usr/local/etc/rc.d/squid start

[gate:~] # tail -f /usr/local/squid/logs/access.log

Ubuntu

root@gate:~# /etc/init.d/squid start

root@gate:~# tail -f /var/log/squid/access.log

Обработка лог файлов сервера SQUID

Установка, настройка и использование пакета SARG

FreeBSD

[gate:~] # pkg_add -r sarg
 
[gate:~] # cd /usr/local/etc/sarg/

[gate:local/etc/sarg] # cp sarg.conf.default sarg.conf

[gate:local/etc/sarg] # cat sarg.conf
...
access_log /usr/local/squid/logs/access.log.0
...
output_dir /usr/local/www/apache22/data/squid-reports
...

[gate:~] # squid -k rotate

[gate:~] # sarg
SARG: Records in file: 23, reading: 0.00%
SARG: Successful report generated on /usr/local/www/data/squid-reports/2006Jun28-2006Jun28

Автоматизация процесса построения отчета (FreeBSD)

на постоянно работающем сервере:

[gate:~] # cat /usr/local/etc/periodic/daily/100.sarg.sh
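#!/bin/sh
# periodic(8) daily task: prune squid-reports older than keep_days, rotate the
# squid logs, then build the SARG report from the rotated access log.
set -u

report_dir=/usr/local/www/data/squid-reports
keep_days=60

echo "Generate Squid Access Report"
# Report directories are named by date range ('*-*'); -maxdepth 1 keeps find
# from walking into them and -type d skips stray files. rm -r -- removes the
# directory with its contents and guards against names starting with '-'.
# Pruning is best effort: a failure here must not block the log rotation.
/usr/bin/find "$report_dir" -maxdepth 1 -mtime "+$keep_days" -type d -name '*-*' -exec rm -r -- {} + \
  || echo "warning: pruning old reports in $report_dir failed" >&2
# Rotate first so sarg reads the complete access.log.0 named in sarg.conf;
# build the report only if the rotate succeeded, otherwise sarg would re-read
# the previous access.log.0.
/usr/local/sbin/squid -k rotate && /usr/local/bin/sarg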

[gate:~] # chmod +x /usr/local/etc/periodic/daily/100.sarg.sh 

на сервере, работающем в течение рабочего дня:

[gate:~] # cat /usr/local/etc/rc.d/sarg.sh
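#!/bin/sh
# rc.d hook: prune squid-reports older than 60 days, rotate the squid logs,
# then build the SARG report from the rotated access log.
# NOTE(review): rc(8) has sourced *.sh scripts under rc.d into its own shell on
# some FreeBSD releases, so this script deliberately avoids set -e, exit and
# shell variables; the start/stop argument passed by rc is ignored — confirm
# that running on every invocation is intended for the target release.
echo "Generate Squid Access Report"
# find -delete only removes empty directories and cannot descend past
# -maxdepth 1, so non-empty report directories were never pruned by it;
# -exec rm -r removes them with their contents. -- guards against names
# starting with '-'.
/usr/bin/find /usr/local/www/data/squid-reports/ -maxdepth 1 -mtime +60 -type d -name '*-*' -exec rm -r -- {} +
# Rotate first so sarg reads the complete access.log.0 named in sarg.conf;
# build the report only if the rotate succeeded, otherwise sarg would re-read
# the previous access.log.0.
/usr/local/sbin/squid -k rotate && /usr/local/bin/sarg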

[gate:~] # chmod +x /usr/local/etc/rc.d/sarg.sh 

Ubuntu

root@gate:~# apt-get install sarg

root@gate:~# /etc/cron.daily/sarg
Результаты на следующий день

Проверка: Наберите в MSIE http://gate.corpX.un/squid-reports/

Антивирусная защита web-трафика

Запуск демона антивируса

FreeBSD

[gate:~] # cat /etc/rc.conf
...
clamav_clamd_enable="YES"

[gate:~] # /usr/local/etc/rc.d/clamav-clamd start

[gate:~] # ls -l /var/run/clamav/clamd.sock

Ubuntu

root@gate:~# /etc/init.d/clamav-daemon start

root@gate:~# ls -l /var/run/clamav/clamd.ctl

FreeBSD/Ubuntu

gate# clamdscan virus.zip

Установка и настройка пакета для связи squid и clamav (squidclamav)

FreeBSD

[gate:~] # pkg_add -r squidclamav

или

[gate:~] # cd /usr/ports/security/squidclamav
[gate:ports/security/squidclamav] # make install clean
[gate:~] # cat /usr/local/etc/squidclamav.conf
proxy http://127.0.0.1:3128/
logfile /var/log/squidclamav.log
redirect http://gate.corpX.un/cgi-bin/test-cgi
clamd_local /var/run/clamav/clamd.sock

[gate:~] # touch /var/log/squidclamav.log

[gate:~] # chown squid /var/log/squidclamav.log

Ubuntu

root@gate:~# apt-get install libcurl4-openssl-dev

root@gate:~# wget http://www.darold.net/projects/squidclamav/squidclamav-4.0.tar.gz

root@gate:~# tar -xvf squidclamav-4.0.tar.gz

root@gate:~# cd squidclamav-4.0

root@gate:~/squidclamav-4.0# ./configure --prefix=/usr/local/

root@gate:~/squidclamav-4.0# make && make install

root@gate:~/squidclamav-4.0# mkdir /usr/local/etc

root@gate:~/squidclamav-4.0# cp squidclamav.conf.dist /usr/local/etc/squidclamav.conf

root@gate:~# cat /usr/local/etc/squidclamav.conf
squid_ip 127.0.0.1
squid_port 3128
logfile /var/log/squidclamav.log
redirect http://gate.corpX.un/cgi-bin/test-cgi
clamd_local /var/run/clamav/clamd.ctl
content ^.*\/.*$

root@gate:~# touch /var/log/squidclamav.log

root@gate:~# chown proxy:proxy /var/log/squidclamav.log

Настройка squid на использование squidclamav

gate# cat squid.conf
...
redirector_access deny localhost
acl our_networks src 192.168.X.0/24 127.0.0.1
...
url_rewrite_program /usr/local/bin/squidclamav /usr/local/etc/squidclamav.conf
...

Отладка

gate# /usr/local/bin/squidclamav /usr/local/etc/squidclamav.conf
SquidClamav running as UID 0: writing logs to stderr
Thu Dec  4 16:06:14 2008 LOG Reading configuration from /usr/local/etc/squidclamav.conf
Thu Dec  4 16:06:14 2008 LOG SquidClamav (PID 14302) started
http://val.bmstu.ru/virus.zip 195.19.32.14 squid GET
Thu Dec  4 16:07:03 2008 LOG Redirecting URL to: http://gate.corpX.un/cgi-bin/test-cgi?url=http://val.bmstu.ru/virus.zip&source=195.19.32.14&user=squid&virus=stream:+Worm.Sober.U-3+FOUND
http://gate.corpX.un/cgi-bin/printenv?url=http://val.bmstu.ru/virus.zip&source=195.19.32.14&user=mylog&virus=stream:+Worm.Sober.U-3+FOUND 195.19.32.14 squid GET

Ограничение доступа к ресурсам

FreeBSD

[gate:~] # cd /usr/local/etc/squid/

Ubuntu

root@gate:~# cd /etc/squid/

FreeBSD/Ubuntu

gate# cat deny_hosts.txt
.*odnok.*
.*com\/.*

gate# cat squid.conf
...
acl our_networks src 192.168.100+X.0/24 
acl full_access src 192.168.100+X.100 127.0.0.1

#For FreeBSD
acl deny_hosts url_regex "/usr/local/etc/squid/deny_hosts.txt"
#For Ubuntu
acl deny_hosts url_regex "/etc/squid/deny_hosts.txt"

http_access allow full_access
http_access allow our_networks !deny_hosts
...

gate# squid -k check
gate# squid -k reconfigure

Настройка "прозрачного" (transparent) http proxy

С использованием WPAD (Web Proxy Auto-Discovery)

# cat /etc/namedb/master/corpX.un
...
wpad    A       192.168.X.1 
proxy   A       192.168.X.1
...

# cat /usr/local/www/data/wpad.dat
// PAC entry point, called by the browser for every request. Every URL is
// routed to the same proxy; the returned list has no DIRECT fallback.
function FindProxyForURL(url, host) {
  var target = "PROXY proxy.corpX.un:3128";
  return target;
}

С использованием перенаправления пакетов

Настройка SQUID

gate# diff squid.conf.default squid.conf
...
1127c1127
< http_port 3128
---
> http_port 3128 transparent
...

gate# squid -k check

gate# squid -k reconfigure

Настройка FreeBSD (pf)

[gate:~] # cat /etc/pf.conf
...
rdr proto tcp from 192.168.X/24 to any port 80 -> 127.0.0.1 port 3128
...

[gate:~] # /etc/rc.d/pf reload

Настройка Ubuntu (iptables)

root@gate:~# iptables -t nat -A PREROUTING -i eth0 -p tcp -s 192.168.X.0/24 --dport 80 -j REDIRECT --to-port 3128

Мониторинг

gate# tail -f access.log

С использованием групповых политик
