
SQUID for the lazy. Make life easier

Good afternoon, dear Habr users. Given the current interest in studying the well-known proxy server SQUID, I would like to suggest a typical configuration of a small bundle that will be useful for novice system administrators of small offices, or simply for those too lazy to dig into the details. This article in no way claims to be a universal manual for all occasions; as I have already said, it is just a generalized special case.

So, let's discuss where we start. We have a server; in my case it is a freshly installed Ubuntu Server with the LAMP and SSH options selected (installed specifically for writing this article):

 root@testgateway:~# uname -a
 Linux testgateway 2.6.32-33-generic-pae #70-Ubuntu SMP Thu Jul 7 22:51:12 UTC 2011 i686 GNU/Linux

 root@testgateway:~# lsb_release -a
 Distributor ID: Ubuntu
 Description:    Ubuntu 10.04.3 LTS
 Release:        10.04
 Codename:       lucid

 root@testgateway:~# df -h
 Filesystem            Size  Used Avail Use% Mounted on
 /dev/sda6             5.5G  723M  4.6G  14% /
 none                  190M  172K  189M   1% /dev
 none                  194M     0  194M   0% /dev/shm
 none                  194M   44K  194M   1% /var/run
 none                  194M     0  194M   0% /var/lock
 none                  194M     0  194M   0% /lib/init/rw
 /dev/sda7             7.3G  189M  6.7G   3% /var
 /dev/sda1              92M   21M   66M  25% /boot

With these parameters I deliberately prepared two network interfaces; do not be surprised that both are from private ranges, the machine simply runs inside Xen.

 root@testgateway:~# ifconfig
 eth0      Link encap:Ethernet  HWaddr 00:16:36:73:84:48
           inet addr:192.168.0.237  Bcast:192.168.0.255  Mask:255.255.255.0
           inet6 addr: fe80::216:36ff:fe73:8448/64 Scope:Link
           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
           RX packets:1361 errors:0 dropped:0 overruns:0 frame:0
           TX packets:720 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:1000
           RX bytes:111090 (111.0 KB)  TX bytes:107285 (107.2 KB)
           Interrupt:32 Base address:0xa000

 eth1      Link encap:Ethernet  HWaddr 00:16:36:64:1c:bd
           inet addr:192.168.122.51  Bcast:192.168.122.255  Mask:255.255.255.0
           inet6 addr: fe80::216:36ff:fe64:1cbd/64 Scope:Link
           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
           RX packets:68 errors:0 dropped:0 overruns:0 frame:0
           TX packets:82 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:1000
           RX bytes:8170 (8.1 KB)  TX bytes:10923 (10.9 KB)
           Interrupt:36 Base address:0xe100

 lo        Link encap:Local Loopback
           inet addr:127.0.0.1  Mask:255.0.0.0
           inet6 addr: ::1/128 Scope:Host
           UP LOOPBACK RUNNING  MTU:16436  Metric:1
           RX packets:0 errors:0 dropped:0 overruns:0 frame:0
           TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:0
           RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

Here the Internet will come in from eth1, and the local network, i.e. the side where I will be, is on eth0.
It is naturally recommended to run first:
 root@testgateway:~# apt-get update
 root@testgateway:~# apt-get upgrade

The next step is to install additional packages for our proxy server. As you probably guessed, we will use the SQUID + SAMS bundle, but we will configure a typical case: IP authorization, and, to make our lives easier, redirecting all users to the proxy port. This bundle can later be easily reconfigured to authorize by login/password, and even tied to AD.
We install the packages necessary for our case as follows:
 root@testgateway:~# apt-get install libpcre3 libpcre3-dev libmysqlclient15-dev php5-ldap php-fpdf squid squidguard gcc make php5-gd

If something turns out to be missing later, it can be added then. The next step is downloading and installing SAMS itself; we download the stable version 1.0.5. There is also SAMS 2.0, but when I tried it, there were still too many bugs.
 root@testgateway:~# wget http://sams.perm.ru/download/sams-1.0.5.tar.bz2

Next, unpack and install it:
 root@testgateway:~# bunzip2 sams-1.0.5.tar.bz2 && tar -xpf sams-1.0.5.tar && rm sams-1.0.5.tar
 root@testgateway:~# cd sams-1.0.5/
 root@testgateway:~/sams-1.0.5# ./configure --with-httpd-locations=/var/www
 root@testgateway:~/sams-1.0.5# make
 root@testgateway:~/sams-1.0.5# make install

After that there should, in principle, be no errors and you can safely continue; if there are any, read them carefully and install whatever is missing.
Next, copy the sams startup script onto our server and register it:

 root@testgateway:~/sams-1.0.5# cp ./etc/sams.debian /etc/init.d/samsd
 root@testgateway:~/sams-1.0.5# update-rc.d samsd defaults
  Adding system startup for /etc/init.d/samsd ...
    /etc/rc0.d/K20samsd -> ../init.d/samsd
    /etc/rc1.d/K20samsd -> ../init.d/samsd
    /etc/rc6.d/K20samsd -> ../init.d/samsd
    /etc/rc2.d/S20samsd -> ../init.d/samsd
    /etc/rc3.d/S20samsd -> ../init.d/samsd
    /etc/rc4.d/S20samsd -> ../init.d/samsd
    /etc/rc5.d/S20samsd -> ../init.d/samsd

Next, let's tweak MySQL slightly. You need to load the tables and organize access to them:

 root@testgateway:~/sams-1.0.5# mysql -u root -p
 Enter password:
 Welcome to the MySQL monitor.  Commands end with ; or \g.
 Your MySQL connection id is 39
 Server version: 5.1.41-3ubuntu12.10 (Ubuntu)

 Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

 mysql> GRANT ALL ON squidctrl.* TO sams@localhost IDENTIFIED BY "maxim";
 Query OK, 0 rows affected (0.02 sec)

 mysql> GRANT ALL ON squidlog.* TO sams@localhost IDENTIFIED BY "maxim";
 Query OK, 0 rows affected (0.00 sec)

 mysql> flush privileges;
 mysql> exit

 root@testgateway:~/sams-1.0.5# cd ./mysql
 root@testgateway:~/sams-1.0.5/mysql# mysql -u root -p < sams_db.sql
 root@testgateway:~/sams-1.0.5/mysql# mysql -u root -p < squid_db.sql

Next, edit the file /etc/sams.conf slightly:
 MYSQLPASSWORD=maxim

I hope everyone has guessed that this is the password we used in the MySQL commands.
Finally it is the turn of the settings of SQUID itself, but do not think it will be very difficult; be prepared that from now on SAMS will do all the dirty work for you.
Open the configuration file and change a few lines there:
 # Squid normally listens to port 3128
 http_port 192.168.0.237:3128 transparent

 maximum_object_size_in_memory 50 MB

 cache_dir ufs /var/spool/squid 3000 32 512

 maximum_object_size 50 MB

 url_rewrite_program /usr/local/bin/samsredir

Cache parameters are selected individually for each case.

Now we set up access.log processing.
Open the crontab, preferably with crontab -e, and add the following line there:
 */1 * * * * /usr/local/bin/sams

Next, create the directories for the Squid cache:
 root@testgateway:~/sams-1.0.5/mysql# squid -z
 2011/10/13 12:40:12| Creating Swap Directories

and start squid:
 root@testgateway:~/sams-1.0.5/mysql# /etc/init.d/squid start

Checking:
 root@testgateway:~/sams-1.0.5/mysql# ps aux | grep proxy
 proxy    19158  0.2  1.2   7696  4876 ?        Ss   12:40   0:00 /usr/sbin/squid -N -D
 proxy    19159  0.0  0.4   5080  1636 ?        Ss   12:40   0:00 (samsredir)
 proxy    19160  0.0  0.4   5080  1640 ?        Ss   12:40   0:00 (samsredir)
 proxy    19161  0.0  0.4   5080  1636 ?        Ss   12:40   0:00 (samsredir)
 proxy    19162  0.0  0.4   5080  1636 ?        Ss   12:40   0:00 (samsredir)
 proxy    19163  0.0  0.4   5080  1640 ?        Ss   12:40   0:00 (samsredir)
 proxy    19164  0.0  0.0   1616   316 ?        Ss   12:40   0:00 (unlinkd)

If the picture is identical, everything started well.
Next we go on to configure SAMS itself. This is done through the web interface: type the address of our proxy into the browser, in our case 192.168.0.237/sams, and you will see a login page asking for a user name and password.
But before we do this, we need to fix a small bug in this system: since the release of PHP 5.3 the settings pages are displayed a little incorrectly, or rather, not displayed at all. The fix is not complicated, just edit two files:
 /usr/local/share/sams/src/configtray.php
 /usr/local/share/sams/src/webconfigtray.php
Rename GetHostName to GetHostNameSams in both files and it all works.
Next, using small screenshots, I will show what needs to be edited and where, so that everything works as we need. The login page; default login: Admin, password: qwerty.

[screenshot: SAMS login page]

The next step is setting up the web interface; set the following parameters:

[screenshot: SAMS web interface settings]

The SAMS administration window does not fit the width of the screen, so I will describe it in text. Authorization: by IP; request redirection file: 192.168.0.237/sams/icon/classic/blank.gif; path to the directory with the request ban pages: 192.168.0.237/sams/messages; redirector: the one built into SAMS; and finally, keep traffic data in the database for the last 12 months.
Next we proceed to setting up templates: delete everything so that nothing gets in our way, and create a new one.

[screenshot: SAMS template settings]

Next we add a user and associate it with our template.

[screenshot: SAMS user settings]

Next, start the samsd daemon with /etc/init.d/samsd start, and reconfigure SQUID.
After that, if a user enters the proxy in the browser, everything works fine, but since it is inconvenient for us to do this for every user, we apply the classic admin trick: redirecting HTTP traffic to the proxy port on the server.

iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 3128
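As an added example (not from the original article), the same redirect written as a small script that narrows it to the LAN side, keeps the proxy port unreachable from the uplink, and adds the plain NAT path for the non-80 traffic mentioned below. Interface names, the 192.168.0.0/24 subnet and port 3128 come from the setup above; the function names are my own, and the rules are only printed unless APPLY=1 is set and the script runs as root.

```shell
#!/bin/sh
# Added example for the gateway described in the article. Assumed layout:
# LAN on eth0 (192.168.0.0/24), uplink on eth1, Squid on port 3128 in
# transparent mode. Rules are printed; APPLY=1 executes them (root only).
LAN_IF="${LAN_IF:-eth0}"
WAN_IF="${WAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.0.0/24}"
PROXY_PORT="${PROXY_PORT:-3128}"

# The article's REDIRECT rule, narrowed to packets that arrive on the LAN
# interface from the LAN subnet. PREROUTING matches every incoming interface,
# so without -i/-s the rule also fires for traffic arriving on the uplink.
lan_redirect_rule() {
    printf 'iptables -t nat -A PREROUTING -i %s -s %s -p tcp --dport 80 -j REDIRECT --to-ports %s\n' \
        "$LAN_IF" "$LAN_NET" "$PROXY_PORT"
}

# The proxy port itself should never be reachable from the Internet side;
# an open proxy on the uplink is the classic failure of this setup.
wan_block_rules() {
    printf 'iptables -A INPUT -i %s -p tcp --dport %s -j DROP\n' "$WAN_IF" "$PROXY_PORT"
}

# Mail, torrents and other non-80 ports bypass Squid: forward them from the
# LAN and masquerade them out through the uplink, allowing only replies back.
masquerade_rules() {
    printf 'iptables -t nat -A POSTROUTING -s %s -o %s -j MASQUERADE\n' "$LAN_NET" "$WAN_IF"
    printf 'iptables -A FORWARD -i %s -o %s -s %s -j ACCEPT\n' "$LAN_IF" "$WAN_IF" "$LAN_NET"
    printf 'iptables -A FORWARD -i %s -o %s -m state --state ESTABLISHED,RELATED -j ACCEPT\n' \
        "$WAN_IF" "$LAN_IF"
}

# Full rule set in the order it must be applied (forwarding must be on first).
all_rules() {
    echo 'sysctl -w net.ipv4.ip_forward=1'
    lan_redirect_rule
    wan_block_rules
    masquerade_rules
}

# Number of commands in the set; useful as a sanity check before applying.
rule_count() { all_rules | wc -l | tr -d ' '; }

if [ "${APPLY:-0}" = "1" ]; then
    all_rules | while IFS= read -r cmd; do $cmd; done
else
    all_rules
fi
```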

So we have got a proxy with a user-friendly web interface. Someone may accuse me of plagiarism, saying this has all been done a hundred times, but I just want to note that, as I said at the very beginning of the article, this is a proxy setup option for the lazy, because almost all the SQUID goodies, such as traffic limits, access lists, allowed domains and download bans, can be obtained from the web settings. We also easily get a system for viewing statistics, which any user of your organization can use by logging into the page under their own login. Of course, there remains the difficulty of torrent traffic, mail and other non-80 ports, but this too has its own solution, which fits very well into the big picture.
If questions arise, you are welcome; we will discuss all the other subtleties of the setup.

Source: https://habr.com/ru/post/130335/

