At work I ran into the following problem: there are a dozen proxy servers (Squid) in different countries and several dozen users. Each user decides which server to work through; a Chrome extension lets them pick one.
The servers are at very different distances from the users, though, and a user in Russia who picks a server in Canada gets noticeable lag. On the other hand, all the servers sit in data centres on backbone links, and the latency between them is far lower.
So it was decided to send each user to the server nearest to them, and to forward from there to the one they selected.
Proxy to proxy
The first step is to let the proxies talk to each other. The simplest option seemed to be:
acl localnet srcdomain .com
But srcdomain matches on the reverse DNS name of the client address, and not every provider had PTR records pointing at the domain. Worse, such an ACL would also match any client whose reverse name happens to end in .com, and localnet is allowed without a password (see the http_access rules below). So I listed the server addresses explicitly by IP:
acl localnet src <ip-of-server-1>
acl localnet src <ip-of-server-2>
acl localnet src <ip-of-server-3>
If someone suggests a better solution, I'll gladly correct this. Meanwhile the servers do not change often, and when they do, the lists are updated quickly with Puppet.
Forwarding rules
The next step is the ACLs that decide which peer a request is forwarded to:
cache_peer <ip-of-server-1> parent 3128 3130 name=peer1
cache_peer <ip-of-server-2> parent 3128 3130 name=peer2
cache_peer <ip-of-server-3> parent 3128 3130 name=peer3
cache_peer_access peer1 allow user1
cache_peer_access peer2 allow user2
cache_peer_access peer3 allow user3
Here user1, user2 and user3 are the per-user ACLs defined below. Note that Squid does not pass the client's Proxy-Authorization header to a peer unless a login= option is given on the cache_peer line, so the receiving server trusts the forwarding server purely by its IP address in that server's localnet list.
Authentication
The company already had a RADIUS server for such cases. On CentOS 5 I went the PAM route, since I was not building Squid myself; later I had to build it from source anyway (the stock package had no SSL support) and used the configure option --enable-basic-auth-helpers=squid_radius_auth. For those who don't want to deal with PAM, I would also recommend the separate helper:
wget http://www.squid-cache.org/contrib/squid_radius_auth/squid_radius_auth-1.10.tar.gz
tar xvzf squid_radius_auth-1.10.tar.gz
cd squid_radius_auth-1.10
cp Makefile.default Makefile
make
make install
The tarball is fetched over plain HTTP, so compare it against a checksum obtained through a trusted channel before building it.
Whichever way it is installed, the Squid configuration is the same; only the helper path in the first line changes:
auth_param basic program /usr/local/squid/libexec/basic_radius_auth -f /usr/local/squid/etc/radius_config
auth_param basic children 5
auth_param basic realm <realm>
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
acl radius proxy_auth REQUIRED
Sample radius_config file (the helper's keywords are server and secret):
server <radius-server>
secret <shared-secret>
Since this file holds the RADIUS shared secret, it should be readable only by the user Squid runs as.
One user list per server
The rules are quite simple. First we tell Squid which users each rule applies to; every file holds one username per line:
acl user1 proxy_auth "/usr/local/squid/userlist/user1"
acl user2 proxy_auth "/usr/local/squid/userlist/user2"
acl user3 proxy_auth "/usr/local/squid/userlist/user3"
And, of course, we allow them to use the proxy. Order matters, since the first matching line wins: the peers come before the authentication challenge, so proxy-to-proxy traffic is never asked for a password.
# proxy-to-proxy traffic
http_access allow localnet
# any user the RADIUS server accepts
http_access allow radius
http_access allow user1
http_access allow user2
http_access allow user3
# everyone else
http_access deny all
(The three user lines are redundant after allow radius, since anyone in a list has already authenticated, but they do no harm.)
That's all. When a user selects a server, a separate program removes the user from the files in userlist and adds them to the selected one. But that's another story.
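The pieces above, assembled in the order Squid evaluates them, as an added example that is not the article's own configuration file. It assumes this is the server nearest to the user, that peers are addressed by placeholder IPs from the TEST-NET-3 range, that a user who chose this very server is in none of the lists and therefore goes direct, and that the realm string and file paths are the article's. It also adds two things the article's fragments leave out: an explicit deny at the end of each cache_peer_access list, and never_direct so that Squid cannot silently fall back to fetching from the nearest server when it considers the chosen peer dead.

```conf
# Added example, not the article's squid.conf. Addresses are placeholders.

# --- Authentication against RADIUS (helper and config path from the article) ---
auth_param basic program /usr/local/squid/libexec/basic_radius_auth -f /usr/local/squid/etc/radius_config
auth_param basic children 5
auth_param basic realm Company proxy
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
acl radius proxy_auth REQUIRED

# --- Peers, trusted by address only ---
# Weak form: "acl localnet srcdomain .com". It depends on reverse DNS and matches
# any client whose PTR record ends in .com, and localnet needs no password below.
acl localnet src 203.0.113.10
acl localnet src 203.0.113.20
acl localnet src 203.0.113.30

# --- Per-peer user lists: one username per line, rewritten by the assignment tool ---
acl user1 proxy_auth "/usr/local/squid/userlist/user1"
acl user2 proxy_auth "/usr/local/squid/userlist/user2"
acl user3 proxy_auth "/usr/local/squid/userlist/user3"

# --- Access: first match wins, so peers are matched before the auth challenge ---
http_access allow localnet
http_access allow radius
http_access deny all

# --- Second hop. Without a login= option Squid strips Proxy-Authorization, so the
# remote server authorises this box solely by its IP in its own localnet list. ---
cache_peer 203.0.113.10 parent 3128 3130 name=peer1
cache_peer 203.0.113.20 parent 3128 3130 name=peer2
cache_peer 203.0.113.30 parent 3128 3130 name=peer3
cache_peer_access peer1 allow user1
cache_peer_access peer1 deny all
cache_peer_access peer2 allow user2
cache_peer_access peer2 deny all
cache_peer_access peer3 allow user3
cache_peer_access peer3 deny all

# Users assigned to a peer must never be fetched for directly; otherwise a dead or
# slow peer makes their traffic leave from this server's country instead.
never_direct allow user1
never_direct allow user2
never_direct allow user3
```

Users who selected this server appear in none of the three lists, so no cache_peer_access or never_direct rule matches them and they go direct from here. Requests arriving from a peer carry no credentials, so none of the user ACLs can match them either and they are served directly by the second hop.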
Sources
The basic information came from the Squid wiki, but it is short on examples:
- The main site is wiki.squid-cache.org (no Russian translation). I do not list individual pages, since I used many of them.
- Configuring RADIUS: Setup Squid and FreeRADIUS on CentOS 5 and CentOS 6
- ACL reference: ACL elements
The article does not describe the whole service, only the Squid configuration. What is left out is the dynamic part (moving users between lists), and everyone will have their own version of it; I have noted only the essential points. Do not try to set everything up by copy-paste: lines that have nothing to do with the topic of the article have been omitted.