сервис_http_proxy [2009/06/22 14:32] val |
сервис_http_proxy [2010/09/15 12:45] val |
Line 1: | Line 1: | ||
====== Сервис HTTP Proxy ====== | ====== Сервис HTTP Proxy ====== | ||
- | ===== Установка, настройка минимальной конфигурации, инициализация кэша и запуск пакета squid ===== | + | [[Установка, настройка минимальной конфигурации, инициализация кэша и запуск пакета SQUID]] |
- | ==== FreeBSD ==== | + | [[Обработка лог файлов сервера SQUID]] |
- | <code> | + | |
- | [gate:~] # pkg_add -r squid | + | |
- | [gate:~] # rehash | + | |
- | [gate:~] # cd /usr/local/etc/squid/ | + | [[Антивирусная защита web трафика SQUID]] |
- | </code> | + | |
- | ==== Ubuntu ==== | + | [[Авторизация доступа к ресурсам через SQUID]] |
- | <code> | + | |
- | root@gate:~# apt-get install squid | + | |
- | + | ||
- | root@gate:~# /etc/init.d/squid stop | + | |
- | + | ||
- | root@gate:~# cd /etc/squid/ | + | |
- | </code> | + | |
- | + | ||
- | ==== FreeBSD/Ubuntu ==== | + | |
- | <code> | + | |
- | gate# cat squid.conf | + | |
- | ... | + | |
- | #http_access allow localnet | + | |
- | acl our_networks src 192.168.X.0/24 | + | |
- | http_access allow our_networks | + | |
- | ... | + | |
- | cache_dir ufs /usr/local/squid/cache 200 16 256 | + | |
- | ... | + | |
- | + | ||
- | gate# squid -k parse | + | |
- | + | ||
- | gate# squid -z | + | |
- | </code> | + | |
- | + | ||
- | ==== FreeBSD ==== | + | |
- | <code> | + | |
- | [gate:~] # cat /etc/rc.conf | + | |
- | ... | + | |
- | squid_enable=yes | + | |
- | ... | + | |
- | + | ||
- | [gate:~] # /usr/local/etc/rc.d/squid start | + | |
- | + | ||
- | [gate:~] # tail -f /usr/local/squid/logs/access.log | + | |
- | </code> | + | |
- | + | ||
- | ==== Ubuntu ==== | + | |
- | <code> | + | |
- | root@gate:~# /etc/init.d/squid start | + | |
- | + | ||
- | root@gate:~# tail -f /var/log/squid/access.log | + | |
- | </code> | + | |
- | + | ||
- | ===== Обработка лог файлов сервера SQUID ===== | + | |
- | + | ||
- | ==== Установка, настройка и использование пакета SARG ==== | + | |
- | + | ||
- | === FreeBSD === | + | |
- | <code> | + | |
- | [gate:~] # pkg_add -r sarg | + | |
- | + | ||
- | [gate:~] # cd /usr/local/etc/sarg/ | + | |
- | + | ||
- | [gate:local/etc/sarg] # cp sarg.conf.default sarg.conf | + | |
- | + | ||
- | [gate:local/etc/sarg] # cat sarg.conf | + | |
- | ... | + | |
- | access_log /usr/local/squid/logs/access.log.0 | + | |
- | ... | + | |
- | output_dir /usr/local/www/apache22/data/squid-reports | + | |
- | ... | + | |
- | + | ||
- | [gate:~] # squid -k rotate | + | |
- | + | ||
- | [gate:~] # sarg | + | |
- | SARG: Records in file: 23, reading: 0.00% | + | |
- | SARG: Successful report generated on /usr/local/www/data/squid-reports/2006Jun28-2006Jun28 | + | |
- | </code> | + | |
- | + | ||
- | === Ubuntu === | + | |
- | <code> | + | |
- | root@gate:~# apt-get install sarg | + | |
- | + | ||
- | root@gate:~# /etc/cron.daily/sarg | + | |
- | Результаты на следующий день | + | |
- | </code> | + | |
- | + | ||
- | Проверка: | + | |
- | Наберите в MSIE http://gate.corpX.un/squid-reports/ | + | |
- | + | ||
- | ===== Антивирусная защита web трафика ===== | + | |
- | + | ||
- | ==== Запуск демона антивируса ==== | + | |
- | + | ||
- | === FreeBSD === | + | |
- | <code> | + | |
- | [gate:~] # cat /etc/rc.conf | + | |
- | ... | + | |
- | clamav_clamd_enable="YES" | + | |
- | + | ||
- | [gate:~] # /usr/local/etc/rc.d/clamav-clamd start | + | |
- | + | ||
- | [gate:~] # ls -l /var/run/clamav/clamd.sock | + | |
- | </code> | + | |
- | + | ||
- | === Ubuntu === | + | |
- | <code> | + | |
- | root@gate:~# /etc/init.d/clamav-daemon start | + | |
- | + | ||
- | root@gate:~# ls -l /var/run/clamav/clamd.ctl | + | |
- | </code> | + | |
- | + | ||
- | === FreeBSD/Ubuntu === | + | |
- | <code> | + | |
- | gate# clamdscan virus.zip | + | |
- | </code> | + | |
- | + | ||
- | ==== Установка и настройка пакета для связи squid и clamav (squidclamav) ==== | + | |
- | + | ||
- | === FreeBSD === | + | |
- | <code> | + | |
- | [gate:~] # pkg_add -r squidclamav | + | |
- | </code> | + | |
- | или | + | |
- | <code> | + | |
- | [gate:~] # cd /usr/ports/security/squidclamav | + | |
- | [gate:ports/security/squidclamav] # make install clean | + | |
- | </code> | + | |
- | + | ||
- | <code> | + | |
- | [gate:~] # cat /usr/local/etc/squidclamav.conf | + | |
- | proxy http://127.0.0.1:3128/ | + | |
- | logfile /var/log/squidclamav.log | + | |
- | redirect http://gate.corpX.un/cgi-bin/test-cgi | + | |
- | clamd_local /var/run/clamav/clamd.sock | + | |
- | + | ||
- | [gate:~] # touch /var/log/squidclamav.log | + | |
- | + | ||
- | [gate:~] # chown squid /var/log/squidclamav.log | + | |
- | </code> | + | |
- | + | ||
- | === Ubuntu === | + | |
- | <code> | + | |
- | root@gate:~# apt-get install libcurl4-openssl-dev | + | |
- | + | ||
- | root@gate:~# wget http://www.darold.net/projects/squidclamav/squidclamav-4.0.tar.gz | + | |
- | + | ||
- | root@gate:~# tar -xvf squidclamav-4.0.tar.gz | + | |
- | + | ||
- | root@gate:~# cd squidclamav-4.0 | + | |
- | + | ||
- | root@gate:~/squidclamav-4.0# ./configure --prefix=/usr/local/ | + | |
- | + | ||
- | root@gate:~/squidclamav-4.0# make && make install | + | |
- | + | ||
- | root@gate:~/squidclamav-4.0# mkdir /usr/local/etc | + | |
- | + | ||
- | root@gate:~/squidclamav-4.0# cp squidclamav.conf.dist /usr/local/etc/squidclamav.conf | + | |
- | + | ||
- | root@gate:~# cat /usr/local/etc/squidclamav.conf | + | |
- | squid_ip 127.0.0.1 | + | |
- | squid_port 3128 | + | |
- | logfile /var/log/squidclamav.log | + | |
- | redirect http://gate.corpX.un/cgi-bin/test-cgi | + | |
- | clamd_local /var/run/clamav/clamd.ctl | + | |
- | content ^.*\/.*$ | + | |
- | + | ||
- | root@gate:~# touch /var/log/squidclamav.log | + | |
- | + | ||
- | root@gate:~# chown proxy:proxy /var/log/squidclamav.log | + | |
- | </code> | + | |
- | + | ||
- | ==== Настройка squid на использование squidclamav ==== | + | |
- | <code> | + | |
- | gate# cat squid.conf | + | |
- | ... | + | |
- | redirector_access deny localhost | + | |
- | acl our_networks src 192.168.X.0/24 127.0.0.1 | + | |
- | ... | + | |
- | url_rewrite_program /usr/local/bin/squidclamav /usr/local/etc/squidclamav.conf | + | |
- | ... | + | |
- | </code> | + | |
- | + | ||
- | ==== Отладка ==== | + | |
- | <code> | + | |
- | gate# /usr/local/bin/squidclamav /usr/local/etc/squidclamav.conf | + | |
- | SquidClamav running as UID 0: writing logs to stderr | + | |
- | Thu Dec 4 16:06:14 2008 LOG Reading configuration from /usr/local/etc/squidclamav.conf | + | |
- | Thu Dec 4 16:06:14 2008 LOG SquidClamav (PID 14302) started | + | |
- | </code><code>http://val.bmstu.ru/virus.zip 195.19.32.14 squid GET</code><code> | + | |
- | Thu Dec 4 16:07:03 2008 LOG Redirecting URL to: http://gate.corpX.un/cgi-bin/test-cgi?url=http://val.bmstu.ru/virus.zip&source=195.19.32.14&user=squid&virus=stream:+Worm.Sober.U-3+FOUND | + | |
- | http://gate.corpX.un/cgi-bin/printenv?url=http://val.bmstu.ru/virus.zip&source=195.19.32.14&user=mylog&virus=stream:+Worm.Sober.U-3+FOUND 195.19.32.14 squid GET | + | |
- | </code> | + | |
- | + | ||
- | ===== Ограничение доступа к ресурсам ===== | + | |
- | + | ||
- | ==== FreeBSD ==== | + | |
- | <code> | + | |
- | [gate:~] # cd /usr/local/etc/squid/ | + | |
- | </code> | + | |
- | + | ||
- | ==== Ubuntu ==== | + | |
- | <code> | + | |
- | root@gate:~# cd /etc/squid/ | + | |
- | </code> | + | |
- | + | ||
- | ==== FreeBSD/Ubuntu ==== | + | |
- | <code> | + | |
- | gate# cat deny_hosts.txt | + | |
- | .*odnok.* | + | |
- | .*com\/.* | + | |
- | + | ||
- | gate# cat squid.conf | + | |
- | ... | + | |
- | acl our_networks src 192.168.100+X.0/24 | + | |
- | acl full_access src 192.168.100+X.2 127.0.0.1 | + | |
- | + | ||
- | #For FreeBSD | + | |
- | acl deny_hosts url_regex "/usr/local/etc/squid/deny_hosts.txt" | + | |
- | #For Ubuntu | + | |
- | acl deny_hosts url_regex "/etc/squid/deny_hosts.txt" | + | |
- | + | ||
- | http_access allow full_access | + | |
- | http_access allow our_networks !deny_hosts | + | |
- | ... | + | |
- | + | ||
- | [gate:local/etc/squid] # squid -k check | + | |
- | [gate:local/etc/squid] # squid -k reconfigure | + | |
- | </code> | + | |
- | + | ||
- | ==== Автоматизация процесса построения отчета (FreeBSD) ==== | + | |
- | + | ||
- | на постоянно работающем сервере: | + | |
- | <code> | + | |
- | [gate:~] # cat /usr/local/etc/periodic/daily/100.sarg.sh | + | |
- | #!/bin/sh | + | |
- | echo Generate Squid Access Report | + | |
- | /usr/bin/find /usr/local/www/data/squid-reports/ -maxdepth 1 -mtime +60 -type d -name '*-*' -exec rm -r {} \; | + | |
- | /usr/local/sbin/squid -k rotate | + | |
- | /usr/local/bin/sarg | + | |
- | + | ||
- | [gate:~] # chmod +x /usr/local/etc/periodic/daily/100.sarg.sh | + | |
- | </code> | + | |
- | + | ||
- | на сервере работающем в течении рабочего дня: | + | |
- | <code> | + | |
- | [gate:~] # cat /usr/local/etc/rc.d/sarg.sh | + | |
- | #!/bin/sh | + | |
- | echo Generate Squid Access Report | + | |
- | /usr/bin/find /usr/local/www/data/squid-reports/ -maxdepth 1 -mtime +60 -type d -name '*-*' -delete | + | |
- | /usr/local/sbin/squid -k rotate | + | |
- | /usr/local/bin/sarg | + | |
- | + | ||
- | [gate:~] # chmod +x /usr/local/etc/rc.d/sarg.sh | + | |
- | </code> | + | |
- | + | ||
- | ===== Настройка "прозрачного" (transparent) http proxy ===== | + | |
- | + | ||
- | ==== Настойка SQUID ==== | + | |
- | <code> | + | |
- | gate# diff squid.conf.default squid.conf | + | |
- | ... | + | |
- | 938c938 | + | |
- | < http_port 3128 | + | |
- | --- | + | |
- | > http_port 3128 transparent | + | |
- | ... | + | |
- | + | ||
- | gate# squid -k check | + | |
- | + | ||
- | gate# squid -k reconfigure | + | |
- | </code> | + | |
- | + | ||
- | ==== Настойка FreeBSD (pf) ==== | + | |
- | <code> | + | |
- | [gate:~] # cat /etc/pf.conf | + | |
- | ... | + | |
- | rdr proto tcp from 192.168.X/24 to any port 80 -> 127.0.0.1 port 3128 | + | |
- | ... | + | |
- | + | ||
- | [gate:~] # /etc/rc.d/pf reload | + | |
- | </code> | + | |
- | + | ||
- | ==== Настойка Ubuntu (iptables) ==== | + | |
- | <code> | + | |
- | root@gate:~# iptables -t nat -A PREROUTING -i eth0 -p tcp -s 192.168.X.0/24 --dport 80 -j REDIRECT --to-port 3128 | + | |
- | </code> | + | |
- | + | ||
- | ==== Мониторинг ==== | + | |
- | <code> | + | |
- | gate# tail -f access.log | + | |
- | </code> | + | |
+ | [[Автоматизация использования SQUID]] |