Red Hat [Electronic resources]: The Complete Reference, Enterprise Linux & Fedora Edition (text version)

Richard L. Petersen

Security

Squid can use its role as an intermediary between Web clients and a Web server to implement access controls, determining who can access the Web server and how. Squid does this by checking access control lists (ACLs) of hosts and domains that have had controls placed on them. When it finds a Web client from one of those hosts attempting to connect to the Web server, it executes the control. Squid supports a number of controls with which it can deny or allow access to the Web server by the remote host's Web client (see Table 23-1). In effect, Squid sets up a firewall just for the Web server.

The first step in configuring Squid security is to create ACLs. These are lists of hosts and domains for which you want to set up controls. You define ACLs using the acl command, in which you create a label for the systems on which you are setting controls. You then use commands such as http_access to define these controls. You can define a system, or a group of systems, by use of several acl options, such as the source IP address, the domain name, or even the time and date. For example, the src option is used to define a system or group of systems with a certain source address. To define a mylan acl entry for systems in a local network with the addresses 192.168.0.0 through 192.168.0.255, use the following ACL definition:

acl mylan src 192.168.0.0/255.255.255.0

Once it is defined, you can use an ACL definition in a Squid option to specify a control you want to place on those systems. For example, to allow access by the mylan group of local systems to the Web through the proxy, use an http_access option with the allow action specifying mylan as the acl definition to use, as shown here:

http_access allow mylan

By defining ACLs and using them in Squid options, you can tailor your Web site with the kind of security you want. The following example allows access to the Web through the proxy by only the mylan group of local systems, denying access to all others. Two acl entries are set up: one for the local systems and one for all others. The http_access options first allow access to the local systems and then deny access to all others.

acl mylan src 192.168.0.0/255.255.255.0
acl all src 0.0.0.0/0.0.0.0
http_access allow mylan
http_access deny all

The default entries you will find in your squid.conf file, along with an entry for the mylan sample network, are shown here. You will find these entries in the ACCESS CONTROLS section of the squid.conf file.

acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl mylan src 192.168.0.0/255.255.255.0
acl SSL_ports port 443 563

The order of the http_access options is important. Squid starts from the first and works its way down, stopping at the first http_access option with an ACL entry that matches. In the preceding example, local systems that match the first http_access command are allowed, whereas others fall through to the second http_access command and are denied.

For systems using the proxy, you can also control what sites they can access. For a destination address, you create an acl entry with the dst qualifier. The dst qualifier takes as its argument the site address. Then you can create an http_access option to control access to that address. The following example denies access by anyone using the proxy to the destination site rabbit.mytrek.com. If you have a local network accessing the Web through the proxy, you can use such commands to restrict access to certain sites.

acl myrabbit dst rabbit.mytrek.com
http_access deny myrabbit

The http_access entries already defined in the squid.conf file, along with an entry for the mylan network, are shown here. Access to outside users is denied, whereas access by hosts on the local network and the local host (Squid server host) is allowed.

http_access allow localhost
http_access allow mylan
http_access deny all

You can also qualify addresses by domain. Often, Web sites can be referenced using only the domain. For example, a site called www.mybeach.com can be referenced using just the domain mybeach.com. To create an acl entry to reference a domain, use either the dstdomain or srcdomain option for destination and source domains, respectively. Remember, such a reference refers to all hosts in that domain. An acl entry with the dstdomain option for mybeach.com restricts access to www.mybeach.com, ftp.mybeach.com, surf.mybeach.com, and so on. The following example restricts access to the www.mybeach.com site along with all other .mybeach.com sites and any hosts in the mybeach.com domain:

acl thebeach dstdomain .mybeach.com
http_access deny thebeach

You can list several domains or addresses in an acl entry to reference them as a group, but you cannot have one domain that is a subdomain of another. For example, if mybeachblanket.com is a subdomain of mybeach.com, you cannot list both in the same acl list. The following example restricts access to both mybeach.com and mysurf.com:

acl beaches dstdomain .mybeach.com .mysurf.com
http_access deny beaches

An acl entry can also use a pattern to specify certain addresses and domains. In the following example, access is denied to any URL with the pattern "chocolate" but allowed to all others:

acl Choc1 url_regex chocolate
http_access deny Choc1
http_access allow all
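To make the first-match rule for http_access lines and the src, dstdomain and url_regex ACL types above concrete, here is an added example (not from the book or from Squid itself) that models Squid's evaluation over a constructed squid.conf fragment built from this section's entries; it covers only those three ACL types, and its fall-through default (the opposite of the last http_access line) is Squid's documented behaviour when nothing matches.

```python
import ipaddress
import re

# Constructed squid.conf fragment assembled from this section's examples.
SAMPLE_CONF = """
acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
acl mylan src 192.168.0.0/255.255.255.0
acl thebeach dstdomain .mybeach.com
acl Choc1 url_regex chocolate
http_access allow localhost
http_access deny thebeach
http_access deny Choc1
http_access allow mylan
http_access deny all
"""

def parse_conf(text):
    """Return ({acl_name: (acl_type, [values])}, [(action, acl_name), ...])."""
    acls, rules = {}, []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "acl":  # repeated acl lines with one name extend its values
            acls.setdefault(parts[1], (parts[2], []))[1].extend(parts[3:])
        elif parts[0] == "http_access":
            rules.append((parts[1], parts[2]))
    return acls, rules

def acl_matches(acl_type, values, client_ip, url):
    """Model the three ACL types used above: src, dstdomain and url_regex."""
    host = re.sub(r"^[a-z]+://", "", url).split("/")[0].split(":")[0].lower()
    if acl_type == "src":  # ip_network accepts dotted-netmask and CIDR forms
        return any(ipaddress.ip_address(client_ip) in ipaddress.ip_network(v, strict=False) for v in values)
    if acl_type == "dstdomain":  # leading dot: the domain and every host below it
        return any(host == v.lstrip(".") or (v.startswith(".") and host.endswith(v)) for v in values)
    if acl_type == "url_regex":
        return any(re.search(v, url) for v in values)
    raise ValueError("acl type not modelled: " + acl_type)

def decide(acls, rules, client_ip, url):
    """Walk the http_access lines top-down; the first matching ACL decides."""
    for action, name in rules:
        acl_type, values = acls[name]
        if acl_matches(acl_type, values, client_ip, url):
            return action
    # Nothing matched: Squid applies the opposite of the last line's action
    return "deny" if rules and rules[-1][0] == "allow" else "allow"
```

Swapping the order so that "deny all" precedes "allow mylan" denies every client, which is the ordering mistake the text warns about.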

Squid also supports ident and proxy authentication methods to control user access. The following example allows only the users dylan and chris to use the Squid cache:

# Ask the client's ident server for the username (ident_lookup_access replaced the old ident_lookup directive)
ident_lookup_access allow all
# The ACL type for an ident-supplied username is "ident" (see Table 23-1)
acl goodusers ident chris dylan
http_access allow goodusers
http_access deny all

Table 23-1: Squid ACL Options

Option           Arguments                      Description
src              ip-address/netmask             Client's IP address
src              addr1-addr2/netmask            Range of addresses
dst              ip-address/netmask             Destination IP address
myip             ip-address/netmask             Local socket IP address
srcdomain        domain                         Reverse lookup, client IP
dstdomain        domain                         Destination server from URL; for dstdomain and dstdom_regex, a reverse lookup is tried if an IP-based URL is used
srcdom_regex     [-i] expression                Regular expression matching client name
dstdom_regex     [-i] expression                Regular expression matching destination
time             [day-abbrevs] [h1:m1-h2:m2]    Time as specified by day, hour, and minutes. Day abbreviations: S = Sunday, M = Monday, T = Tuesday, W = Wednesday, H = Thursday, F = Friday, A = Saturday
url_regex        [-i] expression                Regular expression matching on whole URL
urlpath_regex    [-i] expression                Regular expression matching on URL path
port             ports                          Specify a port or range of ports
proto            protocol                       Specify a protocol, such as HTTP or FTP
method           method                         Specify methods, such as GET and POST
browser          [-i] regexp                    Pattern match on user-agent header
ident            username                       String match on ident output
src_as           number                         Used for routing of requests to specific caches
dst_as           number                         Used for routing of requests to specific caches
proxy_auth       username                       List of valid usernames
snmp_community   string                         A community string to limit access to your SNMP agent