

Сервис HTTP Proxy

Установка, настройка минимальной конфигурации, инициализация кэша и запуск пакета squid

FreeBSD

[gX:~] # pkg_add -r squid
[gX:~] # rehash

[gX:~] # cd /usr/local/etc/squid/

Ubuntu

root@gX:~# apt-get install squid

root@gX:~# /etc/init.d/squid stop

root@gX:~# cd /etc/squid/

FreeBSD/Ubuntu

gX# cat squid.conf
...
#http_access allow localnet
acl our_networks src 192.168.X.0/24
http_access allow our_networks
...
cache_dir ufs /usr/local/squid/cache 200 16 256
...

gX# squid -k parse

gX# squid -z

FreeBSD

[gX:~] # cat /etc/rc.conf
...
squid_enable=yes
...

[gX:~] # /usr/local/etc/rc.d/squid start

[gX:~] # tail -f /usr/local/squid/logs/access.log

Ubuntu

root@gX:~# /etc/init.d/squid start

root@gX:~# tail -f /var/log/squid/access.log

Обработка лог файлов сервера SQUID

Установка, настройка и использование пакета SARG

FreeBSD

[gX:~] # pkg_add -r sarg
 
[gX:~] # cd /usr/local/etc/sarg/

[gX:local/etc/sarg] # cp sarg.conf.default sarg.conf

[gX:local/etc/sarg] # cat sarg.conf
...
access_log /usr/local/squid/logs/access.log.0
...
output_dir /usr/local/www/data/squid-reports
...

[gX:~] # squid -k rotate

[gX:~] # sarg
SARG: Records in file: 23, reading: 0.00%
SARG: Successful report generated on /usr/local/www/data/squid-reports/2006Jun28-2006Jun28

Ubuntu

root@g13:~# apt-get install sarg

root@g13:~# /etc/cron.daily/sarg
Результаты на следующий день

Проверка: Наберите в MSIE http://gX.dX.class/squid-reports/

Антивирусная защита web трафика

Запуск демона антивируса

FreeBSD

[gX:~] # cat /etc/rc.conf
...
clamav_clamd_enable="YES"

[gX:~] # /usr/local/etc/rc.d/clamav-clamd start

[gX:~] # ls -l /var/run/clamav/clamd.sock

Ubuntu

root@gX:~# /etc/init.d/clamav-daemon start

root@gX:~# ls -l /var/run/clamav/clamd.ctl

FreeBSD/Ubuntu

gX# clamdscan virus.zip

Установка и настройка пакета для связи squid и clamav (squidclamav)

FreeBSD

[gX:~] # pkg_add -r squidclamav

или

[gate:~] # cd /usr/ports/security/squidclamav
[gate:ports/security/squidclamav] # make install clean
[gX:~] # cat /usr/local/etc/squidclamav.conf
proxy http://127.0.0.1:3128/
logfile /var/log/squidclamav.log
redirect http://gX.dX.class/cgi-bin/test-cgi
clamd_local /var/run/clamav/clamd.sock

[gX:~] # touch /var/log/squidclamav.log

[gX:~] # chown squid /var/log/squidclamav.log

Ubuntu

root@gX:~# apt-get install libcurl4-openssl-dev

root@gX:~# wget http://www.darold.net/projects/squidclamav/squidclamav-4.0.tar.gz

root@gX:~# tar -xvf squidclamav-4.0.tar.gz

root@gX:~# cd squidclamav-4.0

root@gX:~/squidclamav-4.0# ./configure --prefix=/usr/local/

root@gX:~/squidclamav-4.0# make && make install

root@gX:~/squidclamav-4.0# mkdir /usr/local/etc

root@gX:~/squidclamav-4.0# cp squidclamav.conf.dist /usr/local/etc/squidclamav.conf

root@gX:~# cat /usr/local/etc/squidclamav.conf
squid_ip 127.0.0.1
squid_port 3128
logfile /var/log/squidclamav.log
redirect http://gX.dX.class/cgi-bin/test-cgi
clamd_local /var/run/clamav/clamd.ctl
content ^.*\/.*$

root@gX:~# touch /var/log/squidclamav.log

root@gX:~# chown proxy:proxy /var/log/squidclamav.log

Настройка squid на использование squidclamav

gX# cat squid.conf
...
redirector_access deny localhost
acl our_networks src 192.168.X.0/24 127.0.0.1
...
url_rewrite_program /usr/local/bin/squidclamav /usr/local/etc/squidclamav.conf
...

Отладка

gX# /usr/local/bin/squidclamav /usr/local/etc/squidclamav.conf
SquidClamav running as UID 0: writing logs to stderr
Thu Dec  4 16:06:14 2008 LOG Reading configuration from /usr/local/etc/squidclamav.conf
Thu Dec  4 16:06:14 2008 LOG SquidClamav (PID 14302) started
http://val.bmstu.ru/virus.zip 195.19.32.14 squid GET
Thu Dec  4 16:07:03 2008 LOG Redirecting URL to: http://gate.corpX.un/cgi-bin/test-cgi?url=http://val.bmstu.ru/virus.zip&source=195.19.32.14&user=squid&virus=stream:+Worm.Sober.U-3+FOUND
http://gate.corpX.un/cgi-bin/printenv?url=http://val.bmstu.ru/virus.zip&source=195.19.32.14&user=mylog&virus=stream:+Worm.Sober.U-3+FOUND 195.19.32.14 squid GET

Ограничение доступа к ресурсам

FreeBSD

[gX:~] # cd /usr/local/etc/squid/

Ubuntu

root@gX:~# cd /etc/squid/

FreeBSD/Ubuntu

gX# cat deny_hosts.txt
.*odnok.*
.*com\/.*

gX# cat squid.conf
...
acl our_networks src 192.168.100+X.0/24 
acl full_access src 192.168.100+X.2 127.0.0.1

#For FreeBSD
acl deny_hosts url_regex "/usr/local/etc/squid/deny_hosts.txt"
#For Ubuntu
acl deny_hosts url_regex "/etc/squid/deny_hosts.txt"

http_access allow full_access
http_access allow our_networks !deny_hosts
...

[gX:local/etc/squid] # squid -k check
[gX:local/etc/squid] # squid -k reconfigure

Автоматизация процесса построения отчета (FreeBSD)

на постоянно работающем сервере:

[gX:~] # cat /usr/local/etc/periodic/daily/100.sarg.sh
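#!/bin/sh
# periodic(8) daily job: drop SARG report directories older than 60 days,
# rotate the squid logs and build the report for the rotated log
# (sarg.conf on this page reads access.log.0, i.e. the file rotate produces).
report_dir=/usr/local/www/data/squid-reports
max_age_days=60

echo "Generate Squid Access Report"

# -mindepth 1 excludes the starting point, so the reports directory itself can
# never be selected whatever its own mtime is; '--' stops rm from reading an
# oddly named report directory as an option; '+' batches the removals.
if [ -d "$report_dir" ]; then
  /usr/bin/find "$report_dir" -mindepth 1 -maxdepth 1 -mtime +"$max_age_days" \
    -type d -name '*-*' -exec rm -r -- {} +
fi

# NOTE(review): 'squid -k rotate' only signals the running squid and returns
# at once, so sarg may start reading access.log.0 before the rotation has
# finished; whether a short pause is needed here should be confirmed on the host.
/usr/local/sbin/squid -k rotate
/usr/local/bin/sarg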

[gX:~] # chmod +x /usr/local/etc/periodic/daily/100.sarg.sh 

на сервере, работающем в течение рабочего дня:

[gX:~] # cat /usr/local/etc/rc.d/sarg.sh
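#!/bin/sh
# rc.d script for a host that is only up during the working day: prune SARG
# report directories older than 60 days, rotate the squid logs and build the
# report for the rotated log (sarg.conf on this page reads access.log.0).
report_dir=/usr/local/www/data/squid-reports
max_age_days=60

echo "Generate Squid Access Report"

# The original used 'find -delete', which removes a directory with rmdir and
# therefore fails on every non-empty report directory; 'rm -r' is required.
# -mindepth 1 keeps the reports directory itself out of the match and '--'
# stops rm from reading an oddly named entry as an option.
if [ -d "$report_dir" ]; then
  /usr/bin/find "$report_dir" -mindepth 1 -maxdepth 1 -mtime +"$max_age_days" \
    -type d -name '*-*' -exec rm -r -- {} +
fi

# NOTE(review): as an rc.d script this presumably runs at boot; the page shows
# no ordering against the squid rc script, so squid may not be up yet when
# 'squid -k rotate' is sent -- confirm the start order on the host.
/usr/local/sbin/squid -k rotate
/usr/local/bin/sarg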

[gX:~] # chmod +x /usr/local/etc/rc.d/sarg.sh 

Настройка "прозрачного" (transparent) http proxy

Настройка SQUID

[gX:local/etc/squid] # diff squid.conf.default squid.conf
...
938c938
< http_port 3128
---
> http_port 3128 transparent
...

[gX:local/etc/squid] # squid -k check

[gX:local/etc/squid] # squid -k reconfigure

Настройка FreeBSD (pf)

[gX:~] # cat /etc/pf.conf
...
rdr proto tcp from 192.168.X/24 to any port 80 -> 127.0.0.1 port 3128
...

[gX:~] # /etc/rc.d/pf reload

Настройка Ubuntu (iptables)

root@gX:~# iptables -t nat -A PREROUTING -i eth0 -p tcp -s 192.168.X.0/24 --dport 80 -j REDIRECT --to-port 3128

Мониторинг

gX# tail -f access.log