SlideShare une entreprise Scribd logo

17) 11 (may, 2003) squid master this proxy server

S
swarup1435
Technologie
1  sur  8
Télécharger pour lire hors ligne
EXPERT c a s e s t u d y EXPERT BY: BISWAJIT BANERJEE Squid: Master this Proxy Server Squid is an excellent and mature open source Web caching proxy package, but it requires plenty of tuning to achieve the kind of performance seen in commercial proxies. Here are some useful ideas for tuning a Web caching system, and effectively using the server in a corporate environment. W hile implementing the Squid proxy to use threads as documented below, consider server in a real-life scenario, we need to using a rather fast processor. have a server-end machine with a good While choosing the flavour of Linux, the amount of RAM and a high-end hard disk. kernel version plays an important role. As our Typically, an SCSI hard drive (if possible with implementation of the Squid will be threaded in Raid) is preferred. This is because Squid can be nature, the minimum kernel version should be easily crippled by disks that are not performing 2.4x. We can do with 2.2.x also, but we need to up to the specifications. Web caching is an ‘I/O- patch the kernel a lot and the procedure becomes bound’ application, meaning that it can only go complicated. as fast as it gets the data onto and off the storage media. So the first thing necessary is to ensure SIMPLE CONFIGURATION OF SQUID you have the right hardware for caching. Squid PROXY SERVER in its default configuration, as found in RPMs or Get Squid from your distribution CD or search it in a standard compile, does not need a very fast in http://www.rpmfind.net/. I am using Red Hat CPU to support one or two disks. However, a Linux 7.1 here. large performance boost can be achieved by Install squid by using using a threaded version of Squid. The threads [root@linux /root]# rpm -ivh squid-2.3.STABLE4- will use a lot of CPU power. So, if you are going 10.i386.rpm The configuration files for squid are in the /etc/squid directory. To configure Squid, edit the squid.conf configuration file. I will go here with a basic configuration. I have removed the comments included in the configuration file. Backup your original Squid configuration file and make a new one if you are new to it. Add these entries on this new squid.conf file for a basic setup. maximum_object_size 200 KB #This creates 100 MB disk space with 16 #first level sub-directories and 256 second #level subdirectories. cache_dir ufs /var/spool/squid 100 16 256 cache_access_log /var/log/squid/access.log cache_log /var/log/squid/cache.log MAY 2003 LINUX FOR YOU 55 CMYK
EXPERT partitions. You can find ReiserFS at <http://devlinux.com/ acl all src 0.0.0.0/0.0.0.0 acl manager proto cache_object projects/reiserfs/>. An added benefit of a journalled FS is acl localhost src 127.0.0.1/255.255.255.255 that in the event of an abnormal shutdown, your system will acl lan src 192.168.0.0/255.255.255.0 #specify a name for your recover faster and without as many lost files as ext2. network acl SSL_ports port 443 563 We’ve chosen to use a somewhat older version of Squid, acl Safe_ports port 80 21 443 563 70 210 1025-65535 version 2.2.STABLE5, plus the latest patch snapshot from acl Safe_ports port 280 # http-mgmt Henrik Nordstrom. There are two reasons for this. First, acl Safe_ports port 488 # gss-http acl Safe_ports port 591 # filemaker squid-2.3.STABLE2 is not as stable as 2.2.STABLE5+Henrik’s acl Safe_ports port 777 # multiling http patches. Second, squid-2.3.STABLE2 is not as fast as squid- acl CONNECT method CONNECT 2.2.STABLE5+Henrik’s patches. http_access allow manager localhost Download the Squid version 2.2.STABLE5 from http_access deny manager http://www.squid-cache.org/Versions/ v2/2.2/squid- http_access deny !Safe_ports 2.2.STABLE5-src.tar.gz or from http://www.linuxforu.com/ http_access deny CONNECT !SSL_ports http_access allow lan editorial/may03.htm. http_access deny all So you’ll need Henrik’s patch snapshot. This can be icp_access allow all found at this address: miss_access allow all cache_mgr root@yourdomain.com http://squid.sourceforge.net/hno/ or from visible_hostname you.yourdomain.com http://www.linuxforu.com/editorial/may03.htm. The file unique_hostname you.yourdomain.com name is squid-2.2.STABLE5-hno.20000202.snapshot. #We will run squid with accelerator on Untar the source package httpd_accel_host virtual httpd_accel_port 80 [root@mail misc]# tar xvfz squid-2.2.STABLE5-src.tar.gz httpd_accel_with_proxy on [root@mail misc]# zcat squid-2.2.STABLE5-hno.20000202.snapshot httpd_accel_uses_host_header on > hnopatch [root@mail misc]# cd squid-2.2.STABLE5 http_port 3128 [root@mail squid-2.2.STABLE5]# patch -p1 < ../hnopatch Now you can start the squid proxy server One more thing you need to do before compiling Squid is raise the number of file descriptors on your system. First you [root@mail /root]# /etc/rc.d/init.d/squid start need to edit this line in the /usr/include/bits/types.h file: Squid, when started for the first time, will create the #define __FD_SETSIZE 8192 cache directories by itself and start the proxy server on port 3128, which can only be accessed by the local network It is 1024 by default. 1024 is not quite enough for even a segment 192.168.0.0/255.255.255.0 without any restrictions. single disk cache after all of these optimisations. Next, you Now open your browser on the internal network and need to raise the limit in the shell so the configure script will modify the LAN connection settings and set it to the server’s see the added descriptors: IP address and the port as 3128. Try browsing. ulimit -HSn 8192 This is the simple way of making Squid work. Let us now try and configure Squid to do some complicated tasks, and This raises the hard and soft limits to 8192. Now you are tune it to have the desired or high performance. ready to compile Squid in a high-load environment. Squid TUNING SQUID PROXY FOR HIGH PERFORMANCE wants to be compiled with the async-io configure option enabled. Further, if you want to increase the number of For a high performance, as discussed earlier, the following threads Squid is given, the default is 16. This number are needed: depends heavily on the speed of your processor and the 1. Server platform with good processing speed, good number of disks. amount of memory, and a fast hard drive 2. Latest kernel or minimum 2.4x [root@mail squid-2.2.STABLE5]# CFLAGS=”-DNUMTHREADS=30" ./ 3. ReiserFS file system configure —prefix=/usr/local/squid > —enable-async-io —enable-async-io —enable-delay-pools 4. Squid version 2.2.STABLE5 [root@mail squid-2.2.STABLE5]# make Simply switching your cache directories to ReiserFS will [root@mail squid-2.2.STABLE5]# make install increase Squid performance by about 20 per cent. ReiserFS is significantly faster than ext2 when dealing with thousands of Once you have the complete build, you need to define the small files. Since small files are pretty much all that a Web cache structure or the file system to be used by the cache. cache deals with, we’re going to use ReiserFS on our cache Earlier, we have mentioned ReiserFS is to be incorporated so 56 LINUX FOR YOU MAY 2003 CMYK
EXPERT as to have a faster cache. In our installation we have directory partitions, so you’ll have an easy time deciding the dedicated a partition of 10 GB for the cache. Fortunately, values here. First, you will want to use about 60 per cent or under kernel 2.4x, we have the ReiserFS module in-built. It less of each cache directory for the Web cache. If you use any can be checked out at more than that you will begin to see a slight degradation in performance. Remember that cache size is not as important [root@mail /root]# modprobe -l | grep reiserfs /lib/modules/2.4.2-2smp/kernel/fs/reiserfs/reiserfs.o as cache speed, since for maximum effectiveness your cache needs only to store about a week’s worth of traffic. You’ll Now you can convert your Squid directories to ReiserFS also need to define the number of directories and sub- in this way (X is your planned cache partition): directories. The formula for deciding that is this: [root@mail /root]# mkreiserfs /dev/hdaX x=Size of cache dir in KB (i.e. 10GB=~10,000,000KB) y=Average object size (just use 13KB z=Number of directories per first level Add the following line to your /etc/fstab: directory /dev/hdaX /cache reiserfs notail,noatime 0 0 (((x / y) / 256) / 256) * 2 = # of directories You can then mount your new cache directory: As an example, I use 10 GB of cache size [root@mail /root]# mount /cache 10,000,000 / 13 = 769230.7 / 256 = 3004.8 / 256 =11 * 2 = 22 The no-tail option above tells ReiserFS not to pack tails, So my cache_dir line would look like this: which is a way for the FS to save file space. Since we need cache_dir /cache 10000 22 256 speed much more than a few megabytes of saved space, we’ll disable it. And the no-time option should be used Those are really the two important ones. You may wish regardless of what file system you use for a Web cache. It to turn off the store log since there isn’t much one can do disables access time updates on files, saving one write for with it anyway: every read. cache_store_log none Now, after all of these things, you will have a Squid that is capable of handling a much higher load than the default If, after all this, you still find your Squid being compile. But, there are a few more things we need to do overloaded at times, try setting the max_open_disk_fds to before we have a Web cache running full tilt. Thankfully, some low number. For a single disk cache, 900 is a good there will be no more patching or compiling. The first choice. For a dual disk cache, try 1400. To get the perfect thing to do is configure the squid.conf file located in number for your cache you’ll need to keep an eye on the /usr/local/squid/etc info page from the Cache Manager during a particularly The important configuration options for performance are heavy load period. Watch the file descriptor usage, and then given below: set this number about 10 per cent below it. This can help cache_mem32: This is one of the top two options as far as your cache ride out the heaviest loads without getting too performance impact goes. The default value here is 8 MB, bogged down. which is a safe option for just about any system size. But Also, the following may be set to improve performance since your box is not lacking in memory, it can safely be marginally: raised to 32 MB, and even 48 MB, if you have stripped all other services off of your server. If your box is lacking in half_closed_clients off maximum_object_size 1024 KB memory, go back to the hardware section and re-read the part about memory... you need a portion of memory for a fast Ok, that’s all for Squid configuration. Now there’s one Web cache. last thing to do to complete the picture. You need to edit your You should be aware that cache_mem does not limit the Squid startup script to include the following two lines: process size of Squid. This sets how much memory Squid is ulimit -HSn 8192 echo 1024 32768 > /proc/sys/net/ipv4/ allowed to set aside for ‘hot objects’, which are the most ip_local_port_range recently used objects. Having said all that, keep in mind that the buffer cache in Linux is also quite good, so the This will raise the file descriptor limit for the Squid gains you’ll see by raising this are very small, but still process, and will open up a ton of IP ports for use by Squid. measurable. It won’t need quite this many, but better safe than sorry. cache_dir: This is where you set the directories you will be That’s it! You now have the fastest Squid proxy server on using. You should have already mkreiserfs’d your cache your block. MAY 2003 LINUX FOR YOU 57 CMYK
EXPERT l You want clients to use a proxy, but don’t want them TIPS AND TRICKS to know they’re being proxied. 1. Specifying which port to listen on: l You want clients to be proxied, but don’t want to go Edit the file: /etc/squid/squid.conf to all the work of updating the settings in hundreds or The control of external access to the local LAN should be thousands of Web browsers. managed by the Firewall. This is where transparent proxying comes in. A Web To be safer, set the restriction given below on where the request can be intercepted by the proxy, transparently. That Squid server is listening. is, as far as the client software knows, it is talking to the original server itself, when it is really talking to the proxy # http_port 3128 server. (Note that the transparency only applies to the client.) http_port internal_nic1:3128 http_port internal_nic2:3128 Once you have kernel 2.4x on Red Hat 7.x or 8.x up and running, you may need to enable IP forwarding. IP Normally, Squid starts up and listens to 3128 on all forwarding allows your computer to act as a router. network devices. The above just ensures that it is listening on To check, do cat /proc/sys/net/ipv4/ip_forward’. If you see port 3128 only for the internal network. Our firewall can ‘1’, you’re doing well. Otherwise, do echo ‘1’ > /proc/sys/ further block port 3128 requests from coming through from net/ipv4/ip_forward. You will then want to add that the outside (but our ACLs should be handling any further command to your appropriate boot-up scripts like problems.) /etc/rc.d/rc.local. 2. Timing restrictions: In case of transparent proxy, rebuild the Squid with – This sample discusses how the LAN network can be enable-linux-netfilter additionally. Now, we need to edit the denied use of the proxy server during non-office hours. default squid.conf file (installed to /usr/local/squid/etc/ squid.conf). Find the following directives, uncomment them, # After Hours Settings and change them to the appropriate values as below: acl TIMEafterhoursMORN time MTWHF 00:00-08:00 acl TIMEafterhoursAFT time MTWHF 16:30-24:00 l httpd_accel_host virtual l httpd_accel_port 80 http_access deny lan TIMEafterhoursMORN TIMEafterhoursAFT l httpd_accel_with_proxy on l httpd_accel_uses_host_header on 3. Blocking sites or the pre-defined URL: The rest of the directive can be according to the policies acl block_advertisers url_regex -i “/etc/squid/ of the corporate. To activate the transparent nature of the block_advertisers.txt” proxy, you need to know two things — the interface that the acl block_entertainment url_regex -i “/etc/squid/ block_entertainment.txt” to-be-proxied requests are coming in on (I’ll use eth0 as an acl block_webmail url_regex -i “/etc/squid/ example) and the port Squid is running on (I’ll use the block_webmail.txt” default of 3128 as an example). acl block_porn url_regex -i “/etc/squid/ block_porn.txt” Now, the magic words for transparent proxying: l iptables -t nat -A PREROUTING -i eth0 -p tcp —dport 80 -j In the specified file, mention the URL of the relevant REDIRECT —to-port 3128 topic. It should be one line per URL. Then define the access methods Please make sure Iptables is activated (as in case of most Red Hat distributions, ipchains is activated) by http_access deny block_advertisers http_access deny block_entertainment [root@mail /root]#modprobe –r ipchains http_access deny block_porn [root@mail /root]# modprobe ip_tables http_access deny block_webmail You will want to add the above commands to your TRANSPARENT PROXYING appropriate boot-up script under /etc/rc.d/rc.local. The main In ‘ordinary’ proxying, the client specifies the hostname and drawback of using transparent proxy is that there is no port number of a proxy in his Web browsing software. The support for authentication and HTTPS proxy. browser then makes requests to the proxy, and the proxy forwards them to the origin servers. This is all fine AUTHENTICATION AND MANAGEMENT OF USERS and good, but sometimes one of several situations can The Squid source code comes with a few authentication arise. Either processes. These include: l You want to force clients on your network to use the l LDAP: Uses the Lightweight Directory Access Protocol proxy, whether they want to or not. l NCSA: Uses an NCSA-style user name and password 58 LINUX FOR YOU MAY 2003 CMYK
EXPERT file users with the same command without –c option; the file will l MSNT: Uses a Windows NT authentication domain look like l PAM: Uses the Linux Pluggable Authentication biswajit:P0z0V4lZY4xZI Modules scheme tetra:hszXF.aO2Bomc l SMB: Uses a SMB server like Windows NT or Samba l getpwam: Uses the old-fashioned Unix password file [root@mail /root]# chmod 755 /usr/local/squid/etc/passwd In order to authenticate users, you need to compile and install one of the supplied authentication modules. In our Restart your Squid proxy server with /usr/local/squid- implementation, we will be using NCSA-based authentication 2.2stable5/bin/squid –k reconfigure and point your browser to modules to demonstrate. The basic procedure is to first any external site. You will be asked to authenticate as shown compile the NSCA source module and make an executable in Figure 1. file. Then integrate this feature in the squid.conf file to have Once the correct user name and password is the client first authenticate on to the proxy. given, the user will be allowed to pass through and to browse. Compile NSCA by If the list of users is long enough to manage, we can [root@mail squid-2.2.STABLE5]# cd auth_modules/NCSA/ have some sort of Web interface to control these users in [root@mail NCSA]# make; make install terms of creation, deactivation, modification, etc, by the This will generate nsca_auth in /usr/local/squid/bin system administrators. In our next section we are going to directory. discuss how to implement and manage users of proxy Now you have to tell Squid to check for user by a Web interface. Please note this interface is authentication. You need to modify /usr/local/squid/etc/ user-centric and not for tuning any of the Squid proxy squid.conf file... parameters. Administrators can use webmin (www.webmin.org) as a tool to define parameters # authenticate_program example of proxy. But the more you are familiar with the authenticate_program /usr/local/squid/bin/ncsa_auth /usr/ local/squid/etc/passwd text environment, the better it is for the administrator. I personally believe the easy interfaces are meant authenticate_ttl 900 for repetitive and manual work as the user management, authenticate_ip_ttl 60 acl name proxy_auth REQUIRED but tuning of Squid proxy is more or less a one-time http_access allow lan name job, which needs clear understanding. We will http_access deny all use an Admuser package to do so. With Admuser, you can handle your Squid or Web users and passwords Where lan is the acl defined earlier. Now create a file using your browser. Admuser allows you to create, /usr/local/squid/etc/passwd to store user names and the change, remove, disable and enable users online. passwords. htpasswd is the utility that comes along with You can download the file (admuser-2.1.tar.gz) from Apache and will do the required action for us. http://web.onda.com.br/orso/ or [root@mail /root]# htpasswd –c /usr/local/squid/etc/passwd http://www.linuxforu.com/editorial/may03.htm. biswajit Enter password: [root@mail misc]# tar xvfz admuser-2.1.tar.gz [root@mail misc]# cd admuser-2.1 This will create a file /usr/local/squid/etc/passwd with [root@mail admuser-2.1]# ./configure —enable-cgidir=/var/www/ user name Biswajit and an encrypted password. Create other cgi-bin Our httpd’s cgi-bin directory is /var/www/cgi-bin Create a file /usr/local/etc/admuser/pwd_files with entry Figure 1 Figure 2 MAY 2003 LINUX FOR YOU 59 CMYK
EXPERT /usr/local/squid/etc/passwd;Squid Password file CONTROL PANEL FOR USER MANAGEMENT WITH [root@mail admuser-2.1]# htpasswd -c /usr/local/etc/admuser/ DATABASE INTEGRATION pwauth admuser Let us try to see how we can integrate a database like MySQL New password: to authenticate users and manage them with the following Re-type new password: Adding password for user admuser features: 1. Authentication for Squid users via MySQL database. Remember, /usr/local/squid/etc/passwd file must be 2. Traffic limitations, by setting maximum daily, owned by httpd user, or chmod 777(dangerous) weekly and monthly downloads for each user. Make sure your http service is up, point your browser to 3. Monthly-generated detailed statistics, with cache http://server_ip/cgi-bin /admuser.cgi and give user name as and real online time used. Admuser and a respective password. Thrown on a screen 4. Reports of current month statistics for each user in (Figure 2) where the admin can create, modify and disable any time. users. 5. Users properties management, including real name, In a certain scenario, the administrator would like to phone, e-mail, and password. provide the password changing facility to the user itself. In We will use Squid2MySQL to do so which requires pre- our next implementation, we will like to do so. This is done installed Linux (any version), squid (version 2.x and higher), by implementing a Web-based interface given to the user, so Apache with PHP and MySQL support and PERL with DBI that the user can change his own password as per his module, which shipped with Squid2MySQL. requirement. Download squid2mysql-1.0.0.tar.gz from We choose to implement CHPASSWD. This utility allows http://evc.fromru.com/squid2mysql/ download.html or your users to change his/her Squid or Web password using http://www.linuxforu.com/editorial/may03.htm the browser. This was adapted from htpasswd for use with [root@mail misc]# tar xvfz squid2mysql-1.0.0.tar.gz Squid Cache Proxy. [root@mail misc]# cd squid2mysql-1.0.0 Download chpasswd utility (chpasswd-2.2.tar.gz) from Make sure Mysql server is started. Modify the squid2mysql.sql http://web.onda.com.br/orso/ or Replace INSERT INTO usernames VALUES(‘squidroot’,’’,’’,’’,’’,’’); to http://www.linuxforu.com/editorial/may03.htm. INSERT INTO usernames VALUES(‘squidroot’,’’,’’,’’,’’,’’,’’); And comment all lines containing “DROP”. bash# tar xvfz chpasswd-2.2.tar.gz [root@mail squid2mysql-1.0.0]# ./install_squid2mysql bash# cd chpasswd-2.2 bash# ./configure —enable-cgidir=/var/www/cgi-bin bash# make; make install Now the admins are ready to give the URL http://server_ip/cgi-bin/chpasswd.cgi and users can now change their passwords as shown in Figure 3. Figure 3 Figure 4 60 LINUX FOR YOU MAY 2003 CMYK
EXPERT Figure 5 This will run and make the relevant links and files. Remove Squid log file and create named pipe file with name of Squid log file (“mknod /var/log/squid/access.log p”). Put squid2mysql perl script and sqauth sh script into Squid directory with the ownership of Squid. Configure squid.conf file as... Figure 6 authenticate_program /usr/local/squid/bin/sqauth performance of the Squid server, and so on. There are many authenticate_children 5 tools that are available to analyse the traffic in graphical as authenticate_ttl 900 well as detailed reports. authenticate_ip_ttl 60 For our analysis we will implement a Squid Graph. Connect to the MySQL server This is a powerful log file analysis tool for native Squid version 2 log files. It generates HTML reports and graphs of #mysql –p accesses, transfers and transfer durations, somewhat similar Welcome to the MySQL monitor. Commands end with ; or g. Your MySQL connection id is 331 to server version: 3.23.36 to MRTG. Download squid graph from http://squid- Type ‘help;’ or ‘h’ for help. Type ‘c’ to clear the buffer graph.securlogic.com/files/stable/squid-graph-3.0.tar or mysql> connect squidlog http://www.linuxforu.com/editorial/may03.htm. Extract the Squid Graph tarball file after you have Reading table information for completion of table and column downloaded it. Those with Red Hat Linux (or other similar names You can turn off this feature to get a quicker startup with -A Connection id: 332 Current database: squidlog mysql> GRANT Select, Insert, Update, Delete, Index, Alter, Create, Drop, -> References ON *.* TO ‘squidroot’@’localhost’ IDENTIFIED BY ‘sqroot’ -> ; Query OK, 0 rows affected (0.01 sec) Modify /var/www/html/squid/include.php to have English as language from “tconst.koi8r.php” to “tconst.eng.php” Point your browser to http://serverip/squid/ and authenticate with user name as ‘squidroot’ and password ‘sqroot’ as defined earlier. Figures 4, 5 and 6 give the screen shot of the interface. SQUID GRAPHS AND PERFORMANCE MONITORING For larger sites, it is mandatory to have graphical analytic tools that identify the kind of traffic getting through, the Figure 7 MAY 2003 LINUX FOR YOU 61 CMYK
EXPERT distributions) can do this: DansGuardian is a Web content filtering proxy that uses As of version 3.0, Squid Graph requires the GD perl Squid to do all the fetching. It filters using multiple methods module. You can download it from http://stein.cshl.org/ including, but not limited to, phrase matching, file extension WWW/software/GD/ or you can use the included matching, MIME type matching, PICS filtering, and GD-1.3.3.tar.gz file in the extras/ directory. Follow the URL/domain blocking. It has the ability to switch off filtering instructions in the GD perl module to get it installed correctly by certain criteria, including username, domain name, source before you proceed. IP, etc. The configurable logging produces a log in an easy-to- read format. It has the option to only log text-based pages, [root@mail misc]# tar xvf squid-graph-3.0.tar [root@mail misc]# cd squid-graph-3.0 thus significantly reducing redundant information (such as [root@mail misc]# mv ../squid-graph-3.0 /usr/local/squid-graph every image on a page). [root@mail squid-graph-3.0]# cd /usr/local/squid-graph/bin Download the source package DansGuardian-2.2.5- [root@mail squid-graph-3.0]# mkdir /var/www/html/reports/ [root@mail squid-graph-3.0]# ./squid-graph —output-dir=/var/ 1.source.tar.gz from http://www.linuxforu.com/editorial/ www/html/reports may03.htm < /usr/local/squid/logs/access.log [root@mail]# tar xvfz DansGuardian-2.2.5-1.source.tar.gz [root@mail]# cd DansGuardian-2.2.5 Point your browser to http://serverip/reports/index.html. [root@mail DansGuardian-2.2.5]# ./configure —cgidir=/var/www/ It will display the comprehensive graph shown in Figure 7. cgi-bin To implement the graph facility on a regular basis [root@mail DansGuardian-2.2.5]# make; make install (realtime) create a cron job as: Modify the /etc/dansguardian/dansguardianconf to suit your configurations #crontab –e accessdeniedaddress = ‘http://YOURSERVER.YOURDOMAIN/cgi-bin/ */5 * * * * /usr/local/squid-graph/bin/squid-graph —output- dansguardian.pl’ dir=/var/www/html/reports < /usr/local/squid/logs/access.log Change YOURSERVER.YOURDOMAIN to your server ip or the name You can manage log files by editing the /etc/cron.daily/ Also note that our Squid, by default, runs on 3128, which squid.rotate file and add the file lines: needs to be pointed in the dansguardian.conf and if [ -x /usr/local/squid/bin/squid -a -f /usr/local/squid/logs/ dansguardian run on 8080. Therefore, the port 3128 needs to squid.pid ]; then be blocked by a firewall rule so that users cannot bypass and /usr/local/bin/squid -k rotate go to 3128. Also, note now the user’s browser must point to fi the proxy port 8080 instead of 3128. #/sbin/iptables -t filter -A INPUT -p tcp -d 0/0 -i lo — CONTENT MANAGEMENT THROUGH A PROXY destination-port 3128 -j ACCEPT SERVER #/sbin/iptables -t filter -A INPUT -p tcp -d 0/0 — destination-port 3128 -j DROP To have maximum productivity, Web content needs to be #/sbin/iptables -t filter -A INPUT -p tcp -d 0/0 —destination- analysed and passed to the users. URL filtering can sort out port 8080 -j ACCEPT the issues to a certain extent, but content filtering is the right solution. The Squid-guard or DansGuardian does the job for This means the lo interface will accept on 3128 requested us. I found DansGuardian to be more effective and faster than by the DansGuardian module and reject any request on port Squid-guard. 3128. So the user will not be allowed to access Squid proxy server directly but will be allowed access only through the content filter. Squid is so flexible in nature that you can practically implement any kind of corporate policies without losing on performance. There is so much to talk about Squid that you actually cannot cover everything in a single go. But I sincerely feel that this article should be able to give an idea of how Squid can help your organisation to have a high- performance, stable and flexible Web content management proxy. The article is written by Mr Biswajit Banerjee, Director, Tetra Information Services Pvt. Ltd, who are into Linux corporate Figure 8 solutions. He can be contacted at biswajit@tetrain.com 62 LINUX FOR YOU MAY 2003 CMYK

Recommandé

Ansible ex407 and EX 294
Ansible ex407 and EX 294Ansible ex407 and EX 294
Ansible ex407 and EX 294
IkiArif1
 
Component pack 6006 install guide
Component pack 6006 install guideComponent pack 6006 install guide
Component pack 6006 install guide
Roberto Boccadoro
 
Installing and Configuring Domino 10 on CentOS 7
Installing and Configuring Domino 10 on CentOS 7Installing and Configuring Domino 10 on CentOS 7
Installing and Configuring Domino 10 on CentOS 7
Devin Olson
 
Installation of Subversion on Ubuntu,...
Installation of Subversion on Ubuntu,...Installation of Subversion on Ubuntu,...
Installation of Subversion on Ubuntu,...
wensheng wei
 
Freeradius edir
Freeradius edirFreeradius edir
Freeradius edir
Jonas Segovia Velazquez
 
Red Hat Enterprise Linux OpenStack Platform 7 - VM Instance HA Architecture
Red Hat Enterprise Linux OpenStack Platform 7 - VM Instance HA ArchitectureRed Hat Enterprise Linux OpenStack Platform 7 - VM Instance HA Architecture
Red Hat Enterprise Linux OpenStack Platform 7 - VM Instance HA Architecture
Etsuji Nakai
 
Salesforce at Stacki Atlanta Meetup February 2016
Salesforce at Stacki Atlanta Meetup February 2016Salesforce at Stacki Atlanta Meetup February 2016
Salesforce at Stacki Atlanta Meetup February 2016
StackIQ
 
Introduction to Stacki at Atlanta Meetup February 2016
Introduction to Stacki at Atlanta Meetup February 2016Introduction to Stacki at Atlanta Meetup February 2016
Introduction to Stacki at Atlanta Meetup February 2016
StackIQ
 

Recommandé

Ansible ex407 and EX 294
Ansible ex407 and EX 294Ansible ex407 and EX 294
Ansible ex407 and EX 294
IkiArif1
 
Component pack 6006 install guide
Component pack 6006 install guideComponent pack 6006 install guide
Component pack 6006 install guide
Roberto Boccadoro
 
Installing and Configuring Domino 10 on CentOS 7
Installing and Configuring Domino 10 on CentOS 7Installing and Configuring Domino 10 on CentOS 7
Installing and Configuring Domino 10 on CentOS 7
Devin Olson
 
Installation of Subversion on Ubuntu,...
Installation of Subversion on Ubuntu,...Installation of Subversion on Ubuntu,...
Installation of Subversion on Ubuntu,...
wensheng wei
 
Freeradius edir
Freeradius edirFreeradius edir
Freeradius edir
Jonas Segovia Velazquez
 
Red Hat Enterprise Linux OpenStack Platform 7 - VM Instance HA Architecture
Red Hat Enterprise Linux OpenStack Platform 7 - VM Instance HA ArchitectureRed Hat Enterprise Linux OpenStack Platform 7 - VM Instance HA Architecture
Red Hat Enterprise Linux OpenStack Platform 7 - VM Instance HA Architecture
Etsuji Nakai
 
Salesforce at Stacki Atlanta Meetup February 2016
Salesforce at Stacki Atlanta Meetup February 2016Salesforce at Stacki Atlanta Meetup February 2016
Salesforce at Stacki Atlanta Meetup February 2016
StackIQ
 
Introduction to Stacki at Atlanta Meetup February 2016
Introduction to Stacki at Atlanta Meetup February 2016Introduction to Stacki at Atlanta Meetup February 2016
Introduction to Stacki at Atlanta Meetup February 2016
StackIQ
 
Kdump and the kernel crash dump analysis
Kdump and the kernel crash dump analysisKdump and the kernel crash dump analysis
Kdump and the kernel crash dump analysis
Buland Singh
 
RHCE Training
RHCE TrainingRHCE Training
RHCE Training
ajeet yadav
 
Squid proxy-configuration-guide
Squid proxy-configuration-guideSquid proxy-configuration-guide
Squid proxy-configuration-guide
jasembo
 
Docker on openstack by OpenSource Consulting
Docker on openstack by OpenSource ConsultingDocker on openstack by OpenSource Consulting
Docker on openstack by OpenSource Consulting
Open Source Consulting
 
VMWare VSphere4 Documentation Notes
VMWare VSphere4 Documentation NotesVMWare VSphere4 Documentation Notes
VMWare VSphere4 Documentation Notes
Grit Suwa
 
제4회 한국IBM과 함께하는 난공불락 오픈소스 인프라 세미나-CRUI
제4회 한국IBM과 함께하는 난공불락 오픈소스 인프라 세미나-CRUI제4회 한국IBM과 함께하는 난공불락 오픈소스 인프라 세미나-CRUI
제4회 한국IBM과 함께하는 난공불락 오픈소스 인프라 세미나-CRUI
Tommy Lee
 
Alta disponibilidad en GNU/Linux
Alta disponibilidad en GNU/LinuxAlta disponibilidad en GNU/Linux
Alta disponibilidad en GNU/Linux
Guillermo Salas Macias
 
Hadoop 2.2.0 Multi-node cluster Installation on Ubuntu
Hadoop 2.2.0 Multi-node cluster Installation on Ubuntu Hadoop 2.2.0 Multi-node cluster Installation on Ubuntu
Hadoop 2.2.0 Multi-node cluster Installation on Ubuntu
康志強 大人
 
Hadoop Cluster - Basic OS Setup Insights
Hadoop Cluster - Basic OS Setup InsightsHadoop Cluster - Basic OS Setup Insights
Hadoop Cluster - Basic OS Setup Insights
Sruthi Kumar Annamnidu
 
Domino9on centos6
Domino9on centos6Domino9on centos6
Domino9on centos6
a8us
 
kdump: usage and_internals
kdump: usage and_internalskdump: usage and_internals
kdump: usage and_internals
LinuxCon ContainerCon CloudOpen China
 
Performance characteristics of traditional v ms vs docker containers (dockerc...
Performance characteristics of traditional v ms vs docker containers (dockerc...Performance characteristics of traditional v ms vs docker containers (dockerc...
Performance characteristics of traditional v ms vs docker containers (dockerc...
Boden Russell
 
Open stack day 2014 havana from grizzly
Open stack day 2014 havana from grizzlyOpen stack day 2014 havana from grizzly
Open stack day 2014 havana from grizzly
Choe Cheng-Dae
 
Hadoop 3.1.1 single node
Hadoop 3.1.1 single nodeHadoop 3.1.1 single node
Hadoop 3.1.1 single node
康志強 大人
 
[오픈소스컨설팅] Linux Network Troubleshooting
[오픈소스컨설팅] Linux Network Troubleshooting[오픈소스컨설팅] Linux Network Troubleshooting
[오픈소스컨설팅] Linux Network Troubleshooting
Open Source Consulting
 
RHCE FINAL Questions and Answers
RHCE FINAL Questions and AnswersRHCE FINAL Questions and Answers
RHCE FINAL Questions and Answers
Radien software
 
Server hardening methedologies
Server hardening methedologies Server hardening methedologies
Server hardening methedologies
Shreya Pohekar
 
Kernel_Crash_Dump_Analysis
Kernel_Crash_Dump_AnalysisKernel_Crash_Dump_Analysis
Kernel_Crash_Dump_Analysis
Buland Singh
 
Docker Setting for Static IP allocation
Docker Setting for Static IP allocationDocker Setting for Static IP allocation
Docker Setting for Static IP allocation
Ji-Woong Choi
 
Vbox virtual box在oracle linux 5 - shoug 梁洪响
Vbox virtual box在oracle linux 5 - shoug 梁洪响Vbox virtual box在oracle linux 5 - shoug 梁洪响
Vbox virtual box在oracle linux 5 - shoug 梁洪响
maclean liu
 
Squid proxy server
Squid proxy serverSquid proxy server
Squid proxy server
Green Jb
 
Continuous Delivery: The Next Frontier
Continuous Delivery: The Next FrontierContinuous Delivery: The Next Frontier
Continuous Delivery: The Next Frontier
Carlos Sanchez
 

Contenu connexe

Tendances

Squid proxy-configuration-guide
Squid proxy-configuration-guideSquid proxy-configuration-guide
Squid proxy-configuration-guide
jasembo
 
VMWare VSphere4 Documentation Notes
VMWare VSphere4 Documentation NotesVMWare VSphere4 Documentation Notes
VMWare VSphere4 Documentation Notes
Grit Suwa
 
Hadoop 2.2.0 Multi-node cluster Installation on Ubuntu
Hadoop 2.2.0 Multi-node cluster Installation on Ubuntu Hadoop 2.2.0 Multi-node cluster Installation on Ubuntu
Hadoop 2.2.0 Multi-node cluster Installation on Ubuntu
康志強 大人
 
Domino9on centos6
Domino9on centos6Domino9on centos6
Domino9on centos6
a8us
 
Open stack day 2014 havana from grizzly
Open stack day 2014 havana from grizzlyOpen stack day 2014 havana from grizzly
Open stack day 2014 havana from grizzly
Choe Cheng-Dae
 
Kernel_Crash_Dump_Analysis
Kernel_Crash_Dump_AnalysisKernel_Crash_Dump_Analysis
Kernel_Crash_Dump_Analysis
Buland Singh
 

Tendances (20)

Kdump and the kernel crash dump analysis
Kdump and the kernel crash dump analysisKdump and the kernel crash dump analysis
Kdump and the kernel crash dump analysis
 
RHCE Training
RHCE TrainingRHCE Training
RHCE Training
 
Squid proxy-configuration-guide
Squid proxy-configuration-guideSquid proxy-configuration-guide
Squid proxy-configuration-guide
 
Docker on openstack by OpenSource Consulting
Docker on openstack by OpenSource ConsultingDocker on openstack by OpenSource Consulting
Docker on openstack by OpenSource Consulting
 
VMWare VSphere4 Documentation Notes
VMWare VSphere4 Documentation NotesVMWare VSphere4 Documentation Notes
VMWare VSphere4 Documentation Notes
 
제4회 한국IBM과 함께하는 난공불락 오픈소스 인프라 세미나-CRUI
제4회 한국IBM과 함께하는 난공불락 오픈소스 인프라 세미나-CRUI제4회 한국IBM과 함께하는 난공불락 오픈소스 인프라 세미나-CRUI
제4회 한국IBM과 함께하는 난공불락 오픈소스 인프라 세미나-CRUI
 
Alta disponibilidad en GNU/Linux
Alta disponibilidad en GNU/LinuxAlta disponibilidad en GNU/Linux
Alta disponibilidad en GNU/Linux
 
Hadoop 2.2.0 Multi-node cluster Installation on Ubuntu
Hadoop 2.2.0 Multi-node cluster Installation on Ubuntu Hadoop 2.2.0 Multi-node cluster Installation on Ubuntu
Hadoop 2.2.0 Multi-node cluster Installation on Ubuntu
 
Hadoop Cluster - Basic OS Setup Insights
Hadoop Cluster - Basic OS Setup InsightsHadoop Cluster - Basic OS Setup Insights
Hadoop Cluster - Basic OS Setup Insights
 
Domino9on centos6
Domino9on centos6Domino9on centos6
Domino9on centos6
 
kdump: usage and_internals
kdump: usage and_internalskdump: usage and_internals
kdump: usage and_internals
 
Performance characteristics of traditional v ms vs docker containers (dockerc...
Performance characteristics of traditional v ms vs docker containers (dockerc...Performance characteristics of traditional v ms vs docker containers (dockerc...
Performance characteristics of traditional v ms vs docker containers (dockerc...
 
Open stack day 2014 havana from grizzly
Open stack day 2014 havana from grizzlyOpen stack day 2014 havana from grizzly
Open stack day 2014 havana from grizzly
 
Hadoop 3.1.1 single node
Hadoop 3.1.1 single nodeHadoop 3.1.1 single node
Hadoop 3.1.1 single node
 
[오픈소스컨설팅] Linux Network Troubleshooting
[오픈소스컨설팅] Linux Network Troubleshooting[오픈소스컨설팅] Linux Network Troubleshooting
[오픈소스컨설팅] Linux Network Troubleshooting
 
RHCE FINAL Questions and Answers
RHCE FINAL Questions and AnswersRHCE FINAL Questions and Answers
RHCE FINAL Questions and Answers
 
Server hardening methedologies
Server hardening methedologies Server hardening methedologies
Server hardening methedologies
 
Kernel_Crash_Dump_Analysis
Kernel_Crash_Dump_AnalysisKernel_Crash_Dump_Analysis
Kernel_Crash_Dump_Analysis
 
Docker Setting for Static IP allocation
Docker Setting for Static IP allocationDocker Setting for Static IP allocation
Docker Setting for Static IP allocation
 
Vbox virtual box在oracle linux 5 - shoug 梁洪响
Vbox virtual box在oracle linux 5 - shoug 梁洪响Vbox virtual box在oracle linux 5 - shoug 梁洪响
Vbox virtual box在oracle linux 5 - shoug 梁洪响
 

Similaire à 17) 11 (may, 2003) squid master this proxy server

Squid proxy server
Squid proxy serverSquid proxy server
Squid proxy server
Green Jb
 
CERN OpenStack Cloud Control Plane - From VMs to K8s
CERN OpenStack Cloud Control Plane - From VMs to K8sCERN OpenStack Cloud Control Plane - From VMs to K8s
CERN OpenStack Cloud Control Plane - From VMs to K8s
Belmiro Moreira
 
在Oel5上安装配置oracle gird control 10.2.0.5
在Oel5上安装配置oracle gird control 10.2.0.5在Oel5上安装配置oracle gird control 10.2.0.5
在Oel5上安装配置oracle gird control 10.2.0.5
maclean liu
 
图文详解安装Net backup 6.5备份恢复oracle 10g rac 数据库
图文详解安装Net backup 6.5备份恢复oracle 10g rac 数据库图文详解安装Net backup 6.5备份恢复oracle 10g rac 数据库
图文详解安装Net backup 6.5备份恢复oracle 10g rac 数据库
maclean liu
 
A Detailed Look At cassandra.yaml (Edward Capriolo, The Last Pickle) | Cassan...
A Detailed Look At cassandra.yaml (Edward Capriolo, The Last Pickle) | Cassan...A Detailed Look At cassandra.yaml (Edward Capriolo, The Last Pickle) | Cassan...
A Detailed Look At cassandra.yaml (Edward Capriolo, The Last Pickle) | Cassan...
DataStax
 

Similaire à 17) 11 (may, 2003) squid master this proxy server (20)

Squid proxy server
Squid proxy serverSquid proxy server
Squid proxy server
 
Continuous Delivery: The Next Frontier
Continuous Delivery: The Next FrontierContinuous Delivery: The Next Frontier
Continuous Delivery: The Next Frontier
 
Docker Security Paradigm
Docker Security ParadigmDocker Security Paradigm
Docker Security Paradigm
 
[Devconf.cz][2017] Understanding OpenShift Security Context Constraints
[Devconf.cz][2017] Understanding OpenShift Security Context Constraints[Devconf.cz][2017] Understanding OpenShift Security Context Constraints
[Devconf.cz][2017] Understanding OpenShift Security Context Constraints
 
Docker container management
Docker container managementDocker container management
Docker container management
 
What is this "docker"
What is this "docker" What is this "docker"
What is this "docker"
 
Puppet
PuppetPuppet
Puppet
 
Oracle 11g R2 RAC setup on rhel 5.0
Oracle 11g R2 RAC setup on rhel 5.0Oracle 11g R2 RAC setup on rhel 5.0
Oracle 11g R2 RAC setup on rhel 5.0
 
Installing oracle grid infrastructure and database 12c r1
Installing oracle grid infrastructure and database 12c r1Installing oracle grid infrastructure and database 12c r1
Installing oracle grid infrastructure and database 12c r1
 
DevOpsDays InSpec Workshop
DevOpsDays InSpec WorkshopDevOpsDays InSpec Workshop
DevOpsDays InSpec Workshop
 
Linux configer
Linux configerLinux configer
Linux configer
 
Rac on NFS
Rac on NFSRac on NFS
Rac on NFS
 
Network Manual
Network ManualNetwork Manual
Network Manual
 
Using filesystem capabilities with rsync
Using filesystem capabilities with rsyncUsing filesystem capabilities with rsync
Using filesystem capabilities with rsync
 
Jfrog artifactory as private docker registry
Jfrog artifactory as private docker registryJfrog artifactory as private docker registry
Jfrog artifactory as private docker registry
 
CERN OpenStack Cloud Control Plane - From VMs to K8s
CERN OpenStack Cloud Control Plane - From VMs to K8sCERN OpenStack Cloud Control Plane - From VMs to K8s
CERN OpenStack Cloud Control Plane - From VMs to K8s
 
Docker and friends at Linux Days 2014 in Prague
Docker and friends at Linux Days 2014 in PragueDocker and friends at Linux Days 2014 in Prague
Docker and friends at Linux Days 2014 in Prague
 
在Oel5上安装配置oracle gird control 10.2.0.5
在Oel5上安装配置oracle gird control 10.2.0.5在Oel5上安装配置oracle gird control 10.2.0.5
在Oel5上安装配置oracle gird control 10.2.0.5
 
图文详解安装Net backup 6.5备份恢复oracle 10g rac 数据库
图文详解安装Net backup 6.5备份恢复oracle 10g rac 数据库图文详解安装Net backup 6.5备份恢复oracle 10g rac 数据库
图文详解安装Net backup 6.5备份恢复oracle 10g rac 数据库
 
A Detailed Look At cassandra.yaml (Edward Capriolo, The Last Pickle) | Cassan...
A Detailed Look At cassandra.yaml (Edward Capriolo, The Last Pickle) | Cassan...A Detailed Look At cassandra.yaml (Edward Capriolo, The Last Pickle) | Cassan...
A Detailed Look At cassandra.yaml (Edward Capriolo, The Last Pickle) | Cassan...
 

Dernier

Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
Enterprise Knowledge
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
giselly40
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
Earley Information Science
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Igalia
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Drew Madelung
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
Delhi Call girls
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
UK Journal
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Miguel Araújo
 

Dernier (20)

Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 

17) 11 (may, 2003) squid master this proxy server

  • 1. EXPERT c a s e s t u d y EXPERT BY: BISWAJIT BANERJEE Squid: Master this Proxy Server Squid is an excellent and mature open source Web caching proxy package, but it requires plenty of tuning to achieve the kind of performance seen in commercial proxies. Here are some useful ideas for tuning a Web caching system, and effectively using the server in a corporate environment. W hile implementing the Squid proxy to use threads as documented below, consider server in a real-life scenario, we need to using a rather fast processor. have a server-end machine with a good While choosing the flavour of Linux, the amount of RAM and a high-end hard disk. kernel version plays an important role. As our Typically, an SCSI hard drive (if possible with implementation of the Squid will be threaded in Raid) is preferred. This is because Squid can be nature, the minimum kernel version should be easily crippled by disks that are not performing 2.4x. We can do with 2.2.x also, but we need to up to the specifications. Web caching is an ‘I/O- patch the kernel a lot and the procedure becomes bound’ application, meaning that it can only go complicated. as fast as it gets the data onto and off the storage media. So the first thing necessary is to ensure SIMPLE CONFIGURATION OF SQUID you have the right hardware for caching. Squid PROXY SERVER in its default configuration, as found in RPMs or Get Squid from your distribution CD or search it in a standard compile, does not need a very fast in http://www.rpmfind.net/. I am using Red Hat CPU to support one or two disks. However, a Linux 7.1 here. large performance boost can be achieved by Install squid by using using a threaded version of Squid. The threads [root@linux /root]# rpm -ivh squid-2.3.STABLE4- will use a lot of CPU power. So, if you are going 10.i386.rpm The configuration files for squid are in the /etc/squid directory. To configure Squid, edit the squid.conf configuration file. I will go here with a basic configuration. I have removed the comments included in the configuration file. Backup your original Squid configuration file and make a new one if you are new to it. Add these entries on this new squid.conf file for a basic setup. maximum_object_size 200 KB #This creates 100 MB disk space with 16 #first level sub-directories and 256 second #level subdirectories. cache_dir ufs /var/spool/squid 100 16 256 cache_access_log /var/log/squid/access.log cache_log /var/log/squid/cache.log MAY 2003 LINUX FOR YOU 55 CMYK
  • 2. EXPERT partitions. You can find ReiserFS at <http://devlinux.com/ acl all src 0.0.0.0/0.0.0.0 acl manager proto cache_object projects/reiserfs/>. An added benefit of a journalled FS is acl localhost src 127.0.0.1/255.255.255.255 that in the event of an abnormal shutdown, your system will acl lan src 192.168.0.0/255.255.255.0 #specify a name for your recover faster and without as many lost files as ext2. network acl SSL_ports port 443 563 We’ve chosen to use a somewhat older version of Squid, acl Safe_ports port 80 21 443 563 70 210 1025-65535 version 2.2.STABLE5, plus the latest patch snapshot from acl Safe_ports port 280 # http-mgmt Henrik Nordstrom. There are two reasons for this. First, acl Safe_ports port 488 # gss-http acl Safe_ports port 591 # filemaker squid-2.3.STABLE2 is not as stable as 2.2.STABLE5+Henrik’s acl Safe_ports port 777 # multiling http patches. Second, squid-2.3.STABLE2 is not as fast as squid- acl CONNECT method CONNECT 2.2.STABLE5+Henrik’s patches. http_access allow manager localhost Download the Squid version 2.2.STABLE5 from http_access deny manager http://www.squid-cache.org/Versions/ v2/2.2/squid- http_access deny !Safe_ports 2.2.STABLE5-src.tar.gz or from http://www.linuxforu.com/ http_access deny CONNECT !SSL_ports http_access allow lan editorial/may03.htm. http_access deny all So you’ll need Henrik’s patch snapshot. This can be icp_access allow all found at this address: miss_access allow all cache_mgr root@yourdomain.com http://squid.sourceforge.net/hno/ or from visible_hostname you.yourdomain.com http://www.linuxforu.com/editorial/may03.htm. The file unique_hostname you.yourdomain.com name is squid-2.2.STABLE5-hno.20000202.snapshot. #We will run squid with accelerator on Untar the source package httpd_accel_host virtual httpd_accel_port 80 [root@mail misc]# tar xvfz squid-2.2.STABLE5-src.tar.gz httpd_accel_with_proxy on [root@mail misc]# zcat squid-2.2.STABLE5-hno.20000202.snapshot httpd_accel_uses_host_header on > hnopatch [root@mail misc]# cd squid-2.2.STABLE5 http_port 3128 [root@mail squid-2.2.STABLE5]# patch -p1 < ../hnopatch Now you can start the squid proxy server One more thing you need to do before compiling Squid is raise the number of file descriptors on your system. First you [root@mail /root]# /etc/rc.d/init.d/squid start need to edit this line in the /usr/include/bits/types.h file: Squid, when started for the first time, will create the #define __FD_SETSIZE 8192 cache directories by itself and start the proxy server on port 3128, which can only be accessed by the local network It is 1024 by default. 1024 is not quite enough for even a segment 192.168.0.0/255.255.255.0 without any restrictions. single disk cache after all of these optimisations. Next, you Now open your browser on the internal network and need to raise the limit in the shell so the configure script will modify the LAN connection settings and set it to the server’s see the added descriptors: IP address and the port as 3128. Try browsing. ulimit -HSn 8192 This is the simple way of making Squid work. Let us now try and configure Squid to do some complicated tasks, and This raises the hard and soft limits to 8192. Now you are tune it to have the desired or high performance. ready to compile Squid in a high-load environment. Squid TUNING SQUID PROXY FOR HIGH PERFORMANCE wants to be compiled with the async-io configure option enabled. Further, if you want to increase the number of For a high performance, as discussed earlier, the following threads Squid is given, the default is 16. This number are needed: depends heavily on the speed of your processor and the 1. Server platform with good processing speed, good number of disks. amount of memory, and a fast hard drive 2. Latest kernel or minimum 2.4x [root@mail squid-2.2.STABLE5]# CFLAGS=”-DNUMTHREADS=30" ./ 3. ReiserFS file system configure —prefix=/usr/local/squid > —enable-async-io —enable-async-io —enable-delay-pools 4. Squid version 2.2.STABLE5 [root@mail squid-2.2.STABLE5]# make Simply switching your cache directories to ReiserFS will [root@mail squid-2.2.STABLE5]# make install increase Squid performance by about 20 per cent. ReiserFS is significantly faster than ext2 when dealing with thousands of Once you have the complete build, you need to define the small files. Since small files are pretty much all that a Web cache structure or the file system to be used by the cache. cache deals with, we’re going to use ReiserFS on our cache Earlier, we have mentioned ReiserFS is to be incorporated so 56 LINUX FOR YOU MAY 2003 CMYK
  • 3. EXPERT as to have a faster cache. In our installation we have directory partitions, so you’ll have an easy time deciding the dedicated a partition of 10 GB for the cache. Fortunately, values here. First, you will want to use about 60 per cent or under kernel 2.4x, we have the ReiserFS module in-built. It less of each cache directory for the Web cache. If you use any can be checked out at more than that you will begin to see a slight degradation in performance. Remember that cache size is not as important [root@mail /root]# modprobe -l | grep reiserfs /lib/modules/2.4.2-2smp/kernel/fs/reiserfs/reiserfs.o as cache speed, since for maximum effectiveness your cache needs only to store about a week’s worth of traffic. You’ll Now you can convert your Squid directories to ReiserFS also need to define the number of directories and sub- in this way (X is your planned cache partition): directories. The formula for deciding that is this: [root@mail /root]# mkreiserfs /dev/hdaX x=Size of cache dir in KB (i.e. 10GB=~10,000,000KB) y=Average object size (just use 13KB z=Number of directories per first level Add the following line to your /etc/fstab: directory /dev/hdaX /cache reiserfs notail,noatime 0 0 (((x / y) / 256) / 256) * 2 = # of directories You can then mount your new cache directory: As an example, I use 10 GB of cache size [root@mail /root]# mount /cache 10,000,000 / 13 = 769230.7 / 256 = 3004.8 / 256 =11 * 2 = 22 The no-tail option above tells ReiserFS not to pack tails, So my cache_dir line would look like this: which is a way for the FS to save file space. Since we need cache_dir /cache 10000 22 256 speed much more than a few megabytes of saved space, we’ll disable it. And the no-time option should be used Those are really the two important ones. You may wish regardless of what file system you use for a Web cache. It to turn off the store log since there isn’t much one can do disables access time updates on files, saving one write for with it anyway: every read. cache_store_log none Now, after all of these things, you will have a Squid that is capable of handling a much higher load than the default If, after all this, you still find your Squid being compile. But, there are a few more things we need to do overloaded at times, try setting the max_open_disk_fds to before we have a Web cache running full tilt. Thankfully, some low number. For a single disk cache, 900 is a good there will be no more patching or compiling. The first choice. For a dual disk cache, try 1400. To get the perfect thing to do is configure the squid.conf file located in number for your cache you’ll need to keep an eye on the /usr/local/squid/etc info page from the Cache Manager during a particularly The important configuration options for performance are heavy load period. Watch the file descriptor usage, and then given below: set this number about 10 per cent below it. This can help cache_mem32: This is one of the top two options as far as your cache ride out the heaviest loads without getting too performance impact goes. The default value here is 8 MB, bogged down. which is a safe option for just about any system size. But Also, the following may be set to improve performance since your box is not lacking in memory, it can safely be marginally: raised to 32 MB, and even 48 MB, if you have stripped all other services off of your server. If your box is lacking in half_closed_clients off maximum_object_size 1024 KB memory, go back to the hardware section and re-read the part about memory... you need a portion of memory for a fast Ok, that’s all for Squid configuration. Now there’s one Web cache. last thing to do to complete the picture. You need to edit your You should be aware that cache_mem does not limit the Squid startup script to include the following two lines: process size of Squid. This sets how much memory Squid is ulimit -HSn 8192 echo 1024 32768 > /proc/sys/net/ipv4/ allowed to set aside for ‘hot objects’, which are the most ip_local_port_range recently used objects. Having said all that, keep in mind that the buffer cache in Linux is also quite good, so the This will raise the file descriptor limit for the Squid gains you’ll see by raising this are very small, but still process, and will open up a ton of IP ports for use by Squid. measurable. It won’t need quite this many, but better safe than sorry. cache_dir: This is where you set the directories you will be That’s it! You now have the fastest Squid proxy server on using. You should have already mkreiserfs’d your cache your block. MAY 2003 LINUX FOR YOU 57 CMYK
  • 4. EXPERT l You want clients to use a proxy, but don’t want them TIPS AND TRICKS to know they’re being proxied. 1. Specifying which port to listen on: l You want clients to be proxied, but don’t want to go Edit the file: /etc/squid/squid.conf to all the work of updating the settings in hundreds or The control of external access to the local LAN should be thousands of Web browsers. managed by the Firewall. This is where transparent proxying comes in. A Web To be safer, set the restriction given below on where the request can be intercepted by the proxy, transparently. That Squid server is listening. is, as far as the client software knows, it is talking to the original server itself, when it is really talking to the proxy # http_port 3128 server. (Note that the transparency only applies to the client.) http_port internal_nic1:3128 http_port internal_nic2:3128 Once you have kernel 2.4x on Red Hat 7.x or 8.x up and running, you may need to enable IP forwarding. IP Normally, Squid starts up and listens to 3128 on all forwarding allows your computer to act as a router. network devices. The above just ensures that it is listening on To check, do cat /proc/sys/net/ipv4/ip_forward’. If you see port 3128 only for the internal network. Our firewall can ‘1’, you’re doing well. Otherwise, do echo ‘1’ > /proc/sys/ further block port 3128 requests from coming through from net/ipv4/ip_forward. You will then want to add that the outside (but our ACLs should be handling any further command to your appropriate boot-up scripts like problems.) /etc/rc.d/rc.local. 2. Timing restrictions: In case of transparent proxy, rebuild the Squid with – This sample discusses how the LAN network can be enable-linux-netfilter additionally. Now, we need to edit the denied use of the proxy server during non-office hours. default squid.conf file (installed to /usr/local/squid/etc/ squid.conf). Find the following directives, uncomment them, # After Hours Settings and change them to the appropriate values as below: acl TIMEafterhoursMORN time MTWHF 00:00-08:00 acl TIMEafterhoursAFT time MTWHF 16:30-24:00 l httpd_accel_host virtual l httpd_accel_port 80 http_access deny lan TIMEafterhoursMORN TIMEafterhoursAFT l httpd_accel_with_proxy on l httpd_accel_uses_host_header on 3. Blocking sites or the pre-defined URL: The rest of the directive can be according to the policies acl block_advertisers url_regex -i “/etc/squid/ of the corporate. To activate the transparent nature of the block_advertisers.txt” proxy, you need to know two things — the interface that the acl block_entertainment url_regex -i “/etc/squid/ block_entertainment.txt” to-be-proxied requests are coming in on (I’ll use eth0 as an acl block_webmail url_regex -i “/etc/squid/ example) and the port Squid is running on (I’ll use the block_webmail.txt” default of 3128 as an example). acl block_porn url_regex -i “/etc/squid/ block_porn.txt” Now, the magic words for transparent proxying: l iptables -t nat -A PREROUTING -i eth0 -p tcp —dport 80 -j In the specified file, mention the URL of the relevant REDIRECT —to-port 3128 topic. It should be one line per URL. Then define the access methods Please make sure Iptables is activated (as in case of most Red Hat distributions, ipchains is activated) by http_access deny block_advertisers http_access deny block_entertainment [root@mail /root]#modprobe –r ipchains http_access deny block_porn [root@mail /root]# modprobe ip_tables http_access deny block_webmail You will want to add the above commands to your TRANSPARENT PROXYING appropriate boot-up script under /etc/rc.d/rc.local. The main In ‘ordinary’ proxying, the client specifies the hostname and drawback of using transparent proxy is that there is no port number of a proxy in his Web browsing software. The support for authentication and HTTPS proxy. browser then makes requests to the proxy, and the proxy forwards them to the origin servers. This is all fine AUTHENTICATION AND MANAGEMENT OF USERS and good, but sometimes one of several situations can The Squid source code comes with a few authentication arise. Either processes. These include: l You want to force clients on your network to use the l LDAP: Uses the Lightweight Directory Access Protocol proxy, whether they want to or not. l NCSA: Uses an NCSA-style user name and password 58 LINUX FOR YOU MAY 2003 CMYK
  • 5. EXPERT file users with the same command without –c option; the file will l MSNT: Uses a Windows NT authentication domain look like l PAM: Uses the Linux Pluggable Authentication biswajit:P0z0V4lZY4xZI Modules scheme tetra:hszXF.aO2Bomc l SMB: Uses a SMB server like Windows NT or Samba l getpwam: Uses the old-fashioned Unix password file [root@mail /root]# chmod 755 /usr/local/squid/etc/passwd In order to authenticate users, you need to compile and install one of the supplied authentication modules. In our Restart your Squid proxy server with /usr/local/squid- implementation, we will be using NCSA-based authentication 2.2stable5/bin/squid –k reconfigure and point your browser to modules to demonstrate. The basic procedure is to first any external site. You will be asked to authenticate as shown compile the NSCA source module and make an executable in Figure 1. file. Then integrate this feature in the squid.conf file to have Once the correct user name and password is the client first authenticate on to the proxy. given, the user will be allowed to pass through and to browse. Compile NSCA by If the list of users is long enough to manage, we can [root@mail squid-2.2.STABLE5]# cd auth_modules/NCSA/ have some sort of Web interface to control these users in [root@mail NCSA]# make; make install terms of creation, deactivation, modification, etc, by the This will generate nsca_auth in /usr/local/squid/bin system administrators. In our next section we are going to directory. discuss how to implement and manage users of proxy Now you have to tell Squid to check for user by a Web interface. Please note this interface is authentication. You need to modify /usr/local/squid/etc/ user-centric and not for tuning any of the Squid proxy squid.conf file... parameters. Administrators can use webmin (www.webmin.org) as a tool to define parameters # authenticate_program example of proxy. But the more you are familiar with the authenticate_program /usr/local/squid/bin/ncsa_auth /usr/ local/squid/etc/passwd text environment, the better it is for the administrator. I personally believe the easy interfaces are meant authenticate_ttl 900 for repetitive and manual work as the user management, authenticate_ip_ttl 60 acl name proxy_auth REQUIRED but tuning of Squid proxy is more or less a one-time http_access allow lan name job, which needs clear understanding. We will http_access deny all use an Admuser package to do so. With Admuser, you can handle your Squid or Web users and passwords Where lan is the acl defined earlier. Now create a file using your browser. Admuser allows you to create, /usr/local/squid/etc/passwd to store user names and the change, remove, disable and enable users online. passwords. htpasswd is the utility that comes along with You can download the file (admuser-2.1.tar.gz) from Apache and will do the required action for us. http://web.onda.com.br/orso/ or [root@mail /root]# htpasswd –c /usr/local/squid/etc/passwd http://www.linuxforu.com/editorial/may03.htm. biswajit Enter password: [root@mail misc]# tar xvfz admuser-2.1.tar.gz [root@mail misc]# cd admuser-2.1 This will create a file /usr/local/squid/etc/passwd with [root@mail admuser-2.1]# ./configure —enable-cgidir=/var/www/ user name Biswajit and an encrypted password. Create other cgi-bin Our httpd’s cgi-bin directory is /var/www/cgi-bin Create a file /usr/local/etc/admuser/pwd_files with entry Figure 1 Figure 2 MAY 2003 LINUX FOR YOU 59 CMYK
  • 6. EXPERT /usr/local/squid/etc/passwd;Squid Password file CONTROL PANEL FOR USER MANAGEMENT WITH [root@mail admuser-2.1]# htpasswd -c /usr/local/etc/admuser/ DATABASE INTEGRATION pwauth admuser Let us try to see how we can integrate a database like MySQL New password: to authenticate users and manage them with the following Re-type new password: Adding password for user admuser features: 1. Authentication for Squid users via MySQL database. Remember, /usr/local/squid/etc/passwd file must be 2. Traffic limitations, by setting maximum daily, owned by httpd user, or chmod 777(dangerous) weekly and monthly downloads for each user. Make sure your http service is up, point your browser to 3. Monthly-generated detailed statistics, with cache http://server_ip/cgi-bin /admuser.cgi and give user name as and real online time used. Admuser and a respective password. Thrown on a screen 4. Reports of current month statistics for each user in (Figure 2) where the admin can create, modify and disable any time. users. 5. Users properties management, including real name, In a certain scenario, the administrator would like to phone, e-mail, and password. provide the password changing facility to the user itself. In We will use Squid2MySQL to do so which requires pre- our next implementation, we will like to do so. This is done installed Linux (any version), squid (version 2.x and higher), by implementing a Web-based interface given to the user, so Apache with PHP and MySQL support and PERL with DBI that the user can change his own password as per his module, which shipped with Squid2MySQL. requirement. Download squid2mysql-1.0.0.tar.gz from We choose to implement CHPASSWD. This utility allows http://evc.fromru.com/squid2mysql/ download.html or your users to change his/her Squid or Web password using http://www.linuxforu.com/editorial/may03.htm the browser. This was adapted from htpasswd for use with [root@mail misc]# tar xvfz squid2mysql-1.0.0.tar.gz Squid Cache Proxy. [root@mail misc]# cd squid2mysql-1.0.0 Download chpasswd utility (chpasswd-2.2.tar.gz) from Make sure Mysql server is started. Modify the squid2mysql.sql http://web.onda.com.br/orso/ or Replace INSERT INTO usernames VALUES(‘squidroot’,’’,’’,’’,’’,’’); to http://www.linuxforu.com/editorial/may03.htm. INSERT INTO usernames VALUES(‘squidroot’,’’,’’,’’,’’,’’,’’); And comment all lines containing “DROP”. bash# tar xvfz chpasswd-2.2.tar.gz [root@mail squid2mysql-1.0.0]# ./install_squid2mysql bash# cd chpasswd-2.2 bash# ./configure —enable-cgidir=/var/www/cgi-bin bash# make; make install Now the admins are ready to give the URL http://server_ip/cgi-bin/chpasswd.cgi and users can now change their passwords as shown in Figure 3. Figure 3 Figure 4 60 LINUX FOR YOU MAY 2003 CMYK
  • 7. EXPERT Figure 5 This will run and make the relevant links and files. Remove Squid log file and create named pipe file with name of Squid log file (“mknod /var/log/squid/access.log p”). Put squid2mysql perl script and sqauth sh script into Squid directory with the ownership of Squid. Configure squid.conf file as... Figure 6 authenticate_program /usr/local/squid/bin/sqauth performance of the Squid server, and so on. There are many authenticate_children 5 tools that are available to analyse the traffic in graphical as authenticate_ttl 900 well as detailed reports. authenticate_ip_ttl 60 For our analysis we will implement a Squid Graph. Connect to the MySQL server This is a powerful log file analysis tool for native Squid version 2 log files. It generates HTML reports and graphs of #mysql –p accesses, transfers and transfer durations, somewhat similar Welcome to the MySQL monitor. Commands end with ; or g. Your MySQL connection id is 331 to server version: 3.23.36 to MRTG. Download squid graph from http://squid- Type ‘help;’ or ‘h’ for help. Type ‘c’ to clear the buffer graph.securlogic.com/files/stable/squid-graph-3.0.tar or mysql> connect squidlog http://www.linuxforu.com/editorial/may03.htm. Extract the Squid Graph tarball file after you have Reading table information for completion of table and column downloaded it. Those with Red Hat Linux (or other similar names You can turn off this feature to get a quicker startup with -A Connection id: 332 Current database: squidlog mysql> GRANT Select, Insert, Update, Delete, Index, Alter, Create, Drop, -> References ON *.* TO ‘squidroot’@’localhost’ IDENTIFIED BY ‘sqroot’ -> ; Query OK, 0 rows affected (0.01 sec) Modify /var/www/html/squid/include.php to have English as language from “tconst.koi8r.php” to “tconst.eng.php” Point your browser to http://serverip/squid/ and authenticate with user name as ‘squidroot’ and password ‘sqroot’ as defined earlier. Figures 4, 5 and 6 give the screen shot of the interface. SQUID GRAPHS AND PERFORMANCE MONITORING For larger sites, it is mandatory to have graphical analytic tools that identify the kind of traffic getting through, the Figure 7 MAY 2003 LINUX FOR YOU 61 CMYK
  • 8. EXPERT distributions) can do this: DansGuardian is a Web content filtering proxy that uses As of version 3.0, Squid Graph requires the GD perl Squid to do all the fetching. It filters using multiple methods module. You can download it from http://stein.cshl.org/ including, but not limited to, phrase matching, file extension WWW/software/GD/ or you can use the included matching, MIME type matching, PICS filtering, and GD-1.3.3.tar.gz file in the extras/ directory. Follow the URL/domain blocking. It has the ability to switch off filtering instructions in the GD perl module to get it installed correctly by certain criteria, including username, domain name, source before you proceed. IP, etc. The configurable logging produces a log in an easy-to- read format. It has the option to only log text-based pages, [root@mail misc]# tar xvf squid-graph-3.0.tar [root@mail misc]# cd squid-graph-3.0 thus significantly reducing redundant information (such as [root@mail misc]# mv ../squid-graph-3.0 /usr/local/squid-graph every image on a page). [root@mail squid-graph-3.0]# cd /usr/local/squid-graph/bin Download the source package DansGuardian-2.2.5- [root@mail squid-graph-3.0]# mkdir /var/www/html/reports/ [root@mail squid-graph-3.0]# ./squid-graph —output-dir=/var/ 1.source.tar.gz from http://www.linuxforu.com/editorial/ www/html/reports may03.htm < /usr/local/squid/logs/access.log [root@mail]# tar xvfz DansGuardian-2.2.5-1.source.tar.gz [root@mail]# cd DansGuardian-2.2.5 Point your browser to http://serverip/reports/index.html. [root@mail DansGuardian-2.2.5]# ./configure —cgidir=/var/www/ It will display the comprehensive graph shown in Figure 7. cgi-bin To implement the graph facility on a regular basis [root@mail DansGuardian-2.2.5]# make; make install (realtime) create a cron job as: Modify the /etc/dansguardian/dansguardianconf to suit your configurations #crontab –e accessdeniedaddress = ‘http://YOURSERVER.YOURDOMAIN/cgi-bin/ */5 * * * * /usr/local/squid-graph/bin/squid-graph —output- dansguardian.pl’ dir=/var/www/html/reports < /usr/local/squid/logs/access.log Change YOURSERVER.YOURDOMAIN to your server ip or the name You can manage log files by editing the /etc/cron.daily/ Also note that our Squid, by default, runs on 3128, which squid.rotate file and add the file lines: needs to be pointed in the dansguardian.conf and if [ -x /usr/local/squid/bin/squid -a -f /usr/local/squid/logs/ dansguardian run on 8080. Therefore, the port 3128 needs to squid.pid ]; then be blocked by a firewall rule so that users cannot bypass and /usr/local/bin/squid -k rotate go to 3128. Also, note now the user’s browser must point to fi the proxy port 8080 instead of 3128. #/sbin/iptables -t filter -A INPUT -p tcp -d 0/0 -i lo — CONTENT MANAGEMENT THROUGH A PROXY destination-port 3128 -j ACCEPT SERVER #/sbin/iptables -t filter -A INPUT -p tcp -d 0/0 — destination-port 3128 -j DROP To have maximum productivity, Web content needs to be #/sbin/iptables -t filter -A INPUT -p tcp -d 0/0 —destination- analysed and passed to the users. URL filtering can sort out port 8080 -j ACCEPT the issues to a certain extent, but content filtering is the right solution. The Squid-guard or DansGuardian does the job for This means the lo interface will accept on 3128 requested us. I found DansGuardian to be more effective and faster than by the DansGuardian module and reject any request on port Squid-guard. 3128. So the user will not be allowed to access Squid proxy server directly but will be allowed access only through the content filter. Squid is so flexible in nature that you can practically implement any kind of corporate policies without losing on performance. There is so much to talk about Squid that you actually cannot cover everything in a single go. But I sincerely feel that this article should be able to give an idea of how Squid can help your organisation to have a high- performance, stable and flexible Web content management proxy. The article is written by Mr Biswajit Banerjee, Director, Tetra Information Services Pvt. Ltd, who are into Linux corporate Figure 8 solutions. He can be contacted at biswajit@tetrain.com 62 LINUX FOR YOU MAY 2003 CMYK