A proxy server fetches network content on behalf of its users: it is a relay station between the client and the network. As proxy servers have come into widespread use, a series of security problems has followed. When the proxy's access control policy is not configured completely and in detail, users can reach pornographic, subversive and other illegal websites through it at will, and such behaviour is often hard to trace, which makes management much harder. The following is a brief introduction to the security policy of the Squid proxy server commonly used under Linux, in the hope that it helps you in your work.
Controlling Client Access
Using the access control feature you can control caching, access to particular sites or groups of sites, and the time intervals during which access is permitted. Squid access control has two elements: ACL elements (acl lines, each naming a set of client addresses, destinations, request methods, times and so on) and access lists (http_access lines, each allowing or denying requests that match every ACL named on it). http_access lines are checked in the order they appear, and the first one that matches decides the request. With these, the system administrator can define the proxy's access control policy strictly and clearly. Here are some examples:
◆ Allow the private addresses of one network segment to be forwarded
acl me src 172.16.0.0/255.255.0.0
http_access allow me
http_access deny all
The above rules allow clients in the 172.16.0.0/16 segment to use the proxy (the http_access line must name the ACL, "me", not "all", or every client is allowed). Note the final "http_access deny all": it rejects every request that none of the rules above it matched. Without it, Squid's default for an unmatched request is the opposite of the last http_access line, so a list that ends with an allow would let everyone else through as well. Declare "all" yourself with "acl all src 0.0.0.0/0.0.0.0" if your Squid version does not predefine it, as the next example does.
◆ Allow machines in the list to access the Internet
acl clients src 10.0.0.124/24 192.168.10.15/24
acl guests src "/etc/squid/guest"
acl all src 0.0.0.0/0.0.0.0
http_access allow clients
http_access allow guests
http_access deny all
This allows all clients in the 10.0.0.124/24 and 192.168.10.15/24 segments, plus the clients listed in the file /etc/squid/guest, to use the proxy; every other client is denied. Note that Squid applies the mask to the address you give it, so 10.0.0.124/24 means the same as 10.0.0.0/24; writing the network address itself makes the intent explicit. The contents of the file /etc/squid/guest are:
172.168.10.3/24
210.113.24.8/16
10.0.1.24/25
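As an added example (not part of the original article), here is a Python check to run over such a list file before reloading Squid. The file contents are embedded as a constructed string made from the three entries above plus two extra lines. Squid masks off host bits that do not fit an entry's mask (and warns about it), so 172.168.10.3/24 admits the whole of 172.168.10.0/24; the script reports those entries and any line Squid could not parse at all.

```python
"""Validate the network lists Squid's src/dst ACLs read from files.

Added example, not from the original article or from Squid. Squid compares a
client address against an entry after applying the entry's mask, so an entry
whose host bits are not zero (172.168.10.3/24) admits the whole network
(172.168.10.0/24). A line it cannot parse makes Squid refuse the whole
configuration, so catching both before "squid -k reconfigure" avoids surprises.
"""
import ipaddress

# Constructed stand-in for /etc/squid/guest: the article's three entries plus
# two extra lines (a bare host address and a typo) to exercise the checks.
GUEST_LIST = """\
# guests allowed to use the proxy
172.168.10.3/24
210.113.24.8/16
10.0.1.24/25
192.168.50.77
10.0.0.256/24
"""


def check_net_list(text):
    """Classify each entry of a src/dst list file.

    Returns (effective, widened, invalid):
      effective - {entry: network Squid will actually match}
      widened   - entries whose host bits get masked away (probable typos)
      invalid   - (entry, reason) pairs Squid cannot parse at all
    """
    effective, widened, invalid = {}, [], []
    for raw in text.splitlines():
        entry = raw.split('#', 1)[0].strip()      # comments and blanks are ignored
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry)      # strict: host bits must be zero
        except ValueError:
            try:                                   # only the host bits wrong?
                net = ipaddress.ip_network(entry, strict=False)
            except ValueError as err:
                invalid.append((entry, str(err)))
                continue
            widened.append(entry)
        effective[entry] = str(net)
    return effective, widened, invalid


if __name__ == '__main__':
    eff, wide, bad = check_net_list(GUEST_LIST)
    for entry, net in eff.items():
        flag = '  <- host bits set, Squid matches the whole network' if entry in wide else ''
        print(f'{entry:18} -> {net}{flag}')
    for entry, reason in bad:
        print(f'{entry:18} -> REJECTED ({reason})')
```

Run it against the real file contents instead of the embedded string; an entry that shows up as widened is almost always a host address where a network address was meant.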
◆ Limit the access period
acl allclient src 0.0.0.0/0.0.0.0
acl administrator src 192.168.10.0/24
acl common_time time MTWH 8:30-20:30
acl manage_time time F 13:00-18:00
http_access allow administrator manage_time
http_access allow allclient common_time
http_access deny allclient
In a time ACL the letters are days of the week (S Sunday, M Monday, T Tuesday, W Wednesday, H Thursday, F Friday, A Saturday, D for Monday to Friday), followed by a range of the form h1:m1-h2:m2. The rules above allow all users to access the proxy within the specified time (Monday to Thursday, 8:30 to 20:30), allow only specific users (the system administrator's segment, 192.168.10.0/24) to access it on Friday afternoon between 13:00 and 18:00, and refuse everyone else at all other times, Friday afternoon included. Several ACLs on one http_access line must all match for the line to apply, and the first matching line wins, so the administrator's line must come before the general one.
◆ Site Blocking
Squid can block particular sites, or any site whose name or URL contains particular words, with rules such as the following:
acl sexip dst "/usr/local/squid/etc/sexip"
acl sexdn dstdomain "/usr/local/squid/etc/sexdn"
acl sexurl url_regex "/usr/local/squid/etc/sexurl"
acl sextag urlpath_regex "/usr/local/squid/etc/sextag"
http_access deny sexdn
http_access deny sexip
http_access deny sexurl
http_access deny sextag
Each of the four ACLs reads its values from a file, one per line: sexip holds the IP addresses of banned sites (for example 133.3.103.6), sexdn banned domain names (for example sex.abc.com; write .sex.abc.com to cover its subdomains as well), sexurl regular expressions matched against the whole URL, and sextag regular expressions matched against the path part of the URL (for example the word "erotic"). Regular-expression ACLs are case-sensitive unless you put -i before the file name. Note that sexip must be a dst ACL: a src ACL matches the client's address, so it would block clients coming from 133.3.103.6 rather than access to that site. Because the ACLs read from files, you do not need to list every site or word in the configuration itself; maintain the files and reload Squid. Place these deny lines before any http_access allow line that would otherwise match the same clients, since the first matching line wins.
◆ CONNECT Settings
Some users reach unhealthy sites by chaining through a second proxy, tunnelling arbitrary traffic through Squid's CONNECT method. This can be refused by restricting the ports CONNECT may reach. First define the secure ports and the safe ports:
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
Then refuse requests to any port outside the safe list, and CONNECT to any port other than the secure ports, with the following lines placed before your http_access allow lines (the first matching line wins):
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
This restricts only the destination port: a CONNECT to port 443 of an outside proxy still passes, because Squid cannot tell a TLS session from a tunnelled proxy session by port alone, so combine it with the dst and dstdomain blocks above.
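To see how Squid combines the rules from the sections above (every ACL on a line must match, the first matching line decides, and an unmatched request gets the opposite of the last line's action), here is an added Python dry-run of the policy. It is not Squid's code: it re-implements only the ACL types this article uses, takes the article's rules merged into one inline configuration (constructed for the example, with network addresses written out and the file-based sexip/sexurl lists left out), and decides a handful of constructed requests, including the case where a list ending in "deny <specific acl>" lets everyone else through.

```python
"""Dry-run a Squid-style http_access list (added example, not Squid's code).
Imitates Squid's evaluation: every ACL on an http_access line must match ('!'
negates one), the first matching line decides, and an unmatched request gets
the opposite of the last line's action. Only the article's ACL types exist here
and values are inline (real Squid also reads "/file" lists)."""
import ipaddress
import re
from datetime import datetime


def parse_request(src, method, url, when):
    """Derive the fields the ACLs inspect from a client IP, method and URL."""
    if '://' in url:                                  # ordinary http:// request
        scheme, rest = url.split('://', 1)
        hostport, _, path = rest.partition('/')
        host, _, port = hostport.partition(':')
        port, path = int(port or (443 if scheme == 'https' else 80)), '/' + path
    else:                                             # CONNECT host:port form
        host, _, port = url.rpartition(':')
        port, path = int(port), ''
    return {'src': src, 'method': method, 'url': url, 'host': host.lower(),
            'port': port, 'path': path, 'when': when}


class Policy:
    def __init__(self, conf):
        self.acls = {}   # name -> (type, [values]); repeated acl lines append
        self.rules = []  # [(action, [(negated, acl_name), ...])] in file order
        for raw in conf.splitlines():
            parts = raw.split('#', 1)[0].split()
            if parts and parts[0] == 'acl':
                self.acls.setdefault(parts[1], (parts[2], []))[1].extend(parts[3:])
            elif parts and parts[0] == 'http_access':
                self.rules.append((parts[1], [(t[0] == '!', t.lstrip('!')) for t in parts[2:]]))

    def decide(self, req):
        """Return (action, index of the deciding http_access line or None)."""
        for i, (action, terms) in enumerate(self.rules):
            if all(self._matches(name, req) != negated for negated, name in terms):
                return action, i
        return ('deny' if self.rules[-1][0] == 'allow' else 'allow'), None  # implicit default

    def _matches(self, name, req):
        atype, values = self.acls[name]
        if atype == 'src':
            ip = ipaddress.ip_address(req['src'])
            return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
        if atype == 'dstdomain':  # ".x.com" also covers subdomains, "x.com" is exact
            h = req['host']
            return any(h == v.lstrip('.') or (v[0] == '.' and h.endswith(v)) for v in values)
        if atype in ('url_regex', 'urlpath_regex'):
            return any(re.search(v, req['url' if atype == 'url_regex' else 'path']) for v in values)
        if atype == 'port':                           # "443" or "1025-65535"
            return any(int(lo) <= req['port'] <= int(hi or lo)
                       for lo, _, hi in (v.partition('-') for v in values))
        if atype == 'method':
            return req['method'] in values
        if atype == 'time':                           # e.g. MTWH 8:30-20:30
            days, start, stop = set(range(7)), 0, 24 * 60
            for v in values:
                if '-' in v:
                    (h1, m1), (h2, m2) = (map(int, p.split(':')) for p in v.split('-'))
                    start, stop = h1 * 60 + m1, h2 * 60 + m2
                else:                                 # Squid day letters; D = Mon-Fri
                    days = {'MTWHFAS'.index(c) for c in v.replace('D', 'MTWHF')}
            when = req['when']
            return when.weekday() in days and start <= when.hour * 60 + when.minute <= stop
        raise ValueError(f'acl type {atype!r} not implemented in this example')


# The article's rules merged into one ordered list (constructed for this example).
CONF = """
acl all src 0.0.0.0/0
acl clients src 10.0.0.0/24 192.168.10.0/24
acl administrator src 192.168.10.0/24
acl common_time time MTWH 8:30-20:30
acl manage_time time F 13:00-18:00
acl sexdn dstdomain .sex.abc.com
acl sextag urlpath_regex erotic
acl SSL_ports port 443 563
acl CONNECT method CONNECT
http_access deny sexdn
http_access deny sextag
http_access deny CONNECT !SSL_ports
http_access allow administrator manage_time
http_access allow clients common_time
http_access deny all
"""


def demo():
    """Decisions for constructed requests: name -> (action, deciding line index)."""
    wed, fri = datetime(2024, 1, 10, 10, 0), datetime(2024, 1, 12, 15, 0)
    cases = {
        'office_hours': ('10.0.0.5', 'GET', 'http://www.example.com/', wed),
        'friday_pm': ('10.0.0.5', 'GET', 'http://www.example.com/', fri),
        'admin_friday': ('192.168.10.7', 'GET', 'http://www.example.com/', fri),
        'blocked_domain': ('10.0.0.5', 'GET', 'http://www.sex.abc.com/', wed),
        'blocked_word': ('10.0.0.5', 'GET', 'http://www.example.com/erotic.jpg', wed),
        'tunnel': ('10.0.0.5', 'CONNECT', 'proxy2.example.net:8080', wed),
    }
    verdicts = {name: Policy(CONF).decide(parse_request(*args)) for name, args in cases.items()}
    # The trap: a list ending in "deny <specific acl>" lets every unmatched request through.
    verdicts['open_trap'] = Policy('acl bad src 1.2.3.4\nhttp_access deny bad').decide(
        parse_request(*cases['office_hours']))
    return verdicts
```

The index returned with each verdict is the position of the http_access line that decided, counting from zero, which is the first thing to check when a rule you expected to fire does not; a None index means no line matched and Squid's implicit default applied.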
Finally, check the syntax of the edited configuration and reload Squid so that it rereads it:
# /squid/bin/squid -k parse
# /squid/bin/squid -k reconfigure
then watch the access log to confirm that requests are allowed and denied as intended:
# tail -f /squid/logs/access.log
Squid security policy analysis