Wednesday, August 20, 2008

Squid (Proxy Server Software)

We all know that using a proxy is one way for LAN users to connect to the Internet. But do you know how to turn your own PC into a proxy server? There is plenty of proxy server software for Windows, such as WinGate and SyGate. Today, however, I will introduce a Linux program called Squid. You can find it in most Linux distributions.

First a little background. A proxy server is an application built on top of TCP/IP. It listens on a particular port, such as 3128. A computer that runs proxy server software is called a proxy server. For another computer to reach the Internet through the proxy, it needs the proxy server's IP address and port (such as 3128); these are the values you enter when configuring client software such as IE or ICQ.

The main functions of a proxy server are:

  • The proxy server can cache the content of websites its clients visit, which speeds up later visits.
  • The proxy server can give you access to sites that are otherwise blocked. For example, if the LAN administrator blocks your access to my-proxy.com, you may still reach it through a proxy.
  • The proxy server can control what its clients may access. I will say more about this below.

You may know another Linux tool, IPchains, which can also be used for access control. The problem is that IPchains does not support DNS resolution: you would have to list the IP addresses of every website you want to control. Squid is different. With Squid you can simply forbid access to every domain whose suffix is .tw or .cn, and leave the DNS resolution to the ISP.

Now for an example. We use a PC with two network cards as our proxy server. The first card (eth0) connects to the local area network (LAN) and the second (eth1) connects to the Internet. We use RedHat Linux 8.0 with the Squid package that ships with it.

Like other Linux software, Squid is driven by its config file, by default /etc/squid/squid.conf. It runs to more than ten pages and doubles as the configuration reference. We only need a small part of it; the most important options are listed below, and most of them are self-explanatory.

  http_port 3128
  # the port the proxy server listens on

  cache_dir /var/cache/squid 100 16 32
  # cache dir, size (MB), number of first-level subdirs, number of second-level subdirs

  cache_access_log /var/log/squid/access.log
  cache_log /var/log/squid/cache.log

  acl all src 0.0.0.0/0.0.0.0
  acl head src 192.168.0.2/255.255.255.255 192.168.0.3/255.255.255.255
  acl normal src 192.168.0.21-192.168.0.99/255.255.255.255
  acl denysite dstdomain .tw .cn
  # the leading dot matches the domain and all its subdomains; "tw" alone would only match a host named "tw"
  acl denyip dst 61.136.135.4/255.255.255.255
  acl dnsport port 53

  http_access allow head
  http_access deny denysite
  http_access deny denyip
  http_access allow normal
  http_access deny dnsport

From this config file we can see that:

  • Squid listens on port 3128
  • The cache directory is /var/cache/squid and its size is 100MB
  • The users 192.168.0.2 and 192.168.0.3 can access all websites
  • The users 192.168.0.21-192.168.0.99 cannot visit websites whose domain suffix is .tw or .cn
  • The users 192.168.0.21-192.168.0.99 cannot visit the website whose IP is 61.136.135.4
  • Other users cannot connect to servers on port 53

As you can see, the config file uses the keyword "acl" to define groups of users and destinations, and "http_access" to control what those groups may access. Several keywords can follow "acl", such as "src", "dst", "proto", "port" and "dstdomain". You can also use "acl

Note that the lines are evaluated from top to bottom. The decision (allow or deny) is made at the first "http_access" line whose ACL matches; Squid does not go through all of them. So it is useless to add "http_access deny head" after "http_access allow head".

If a user is not matched by any "http_access" line, the default is the opposite of the last "http_access" line. For example, the user 192.168.0.5 is allowed to use the Internet even though it is not defined in any group, because the last line is a deny. So you had best add "http_access deny all" at the end of the config file.
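To make the first-match rule and the default concrete, here is an added example (not from the original post, and not Squid's own code): a small Python model of how Squid walks the "http_access" lines, run over the ACLs above with constructed sample requests. It models only the src, dst, dstdomain and port ACL types, and the destination addresses and host names are made up.

```python
import ipaddress

# Constructed model (not Squid's code) of how Squid walks http_access lines:
# the first line whose ACL matches decides; if nothing matches, the result
# is the opposite of the last line. Only src, dst, dstdomain, port are modelled.
ACLS = {
    "all":      ("src", ["0.0.0.0/0"]),
    "head":     ("src", ["192.168.0.2/32", "192.168.0.3/32"]),
    "normal":   ("src", ["192.168.0.21-192.168.0.99"]),
    "denysite": ("dstdomain", [".tw", ".cn"]),   # leading dot = domain + subdomains
    "denyip":   ("dst", ["61.136.135.4/32"]),
    "dnsport":  ("port", [53]),
}
RULES = [("allow", "head"), ("deny", "denysite"), ("deny", "denyip"),
         ("allow", "normal"), ("deny", "dnsport")]
RULES_DENY_ALL = RULES + [("deny", "all")]      # the fix recommended in the text

def _ip_in(ip, spec):
    """Match an address against a CIDR or a Squid-style lo-hi range."""
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(x) for x in spec.split("-"))
        return lo <= ipaddress.ip_address(ip) <= hi
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def acl_matches(name, req):
    kind, values = ACLS[name]
    if kind == "src":
        return any(_ip_in(req["src"], v) for v in values)
    if kind == "dst":
        return any(_ip_in(req["dst_ip"], v) for v in values)
    if kind == "port":
        return req["port"] in values
    host = req["host"].lower()   # dstdomain: ".tw" matches tw and *.tw; "tw" only the host "tw"
    return any(host == v.lstrip(".") or (v.startswith(".") and host.endswith(v))
               for v in values)

def http_access(req, rules=RULES):
    for action, acl in rules:
        if acl_matches(acl, req):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"   # default: opposite of last line

def request(src, host, dst_ip="203.0.113.10", port=80):
    """Constructed request; 203.0.113.10 is a documentation address, not a real site."""
    return {"src": src, "host": host, "dst_ip": dst_ip, "port": port}

if __name__ == "__main__":
    for src, host in [("192.168.0.2", "www.example.tw"), ("192.168.0.30", "www.example.tw"),
                      ("192.168.0.30", "www.example.com"), ("192.168.0.5", "www.example.com")]:
        r = request(src, host)
        print(src, host, http_access(r), "-> with deny all:", http_access(r, RULES_DENY_ALL))
```

The last line of output shows the unlisted user 192.168.0.5 being allowed by the original rule set and denied once "http_access deny all" is appended.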
