
Monday 6 February 2012

Connecting through a squid proxy server with authentication



This makes use of squid's authentication feature. Squid's authentication support falls into five major categories: basic_auth, digest_auth, external_acl, negotiate_auth and ntlm_auth (note: as of squid-2.7.STABLE9). Each category contains concrete authentication helpers, such as NCSA, LDAP, DB and so on; to see exactly which are supported, look in the corresponding helper directories.

This article focuses on the NCSA method. It works much like Apache's auth: users are verified by username and password, and the password file is created with the htpasswd program. The concrete configuration is given below.

Hiding proxy information and the real client IP
Many people will already have guessed which configuration option handles this: squid's header_access parameter. The main goal is to hide the HTTP_VIA, VIA and X-Forwarded-For headers. The concrete configuration is given below.

Installation and configuration

The first step is to download a squid package (download location: http://www.squid-cache.org/Versions/). I am using 2.7 STABLE9 here; the working directory is /tmp, and every directory mentioned below is relative to it. The squid source tarball is at /tmp/squid-2.7.STABLE9.tar.gz.

The installation steps are as follows:

tar zxvf squid-2.7.STABLE9.tar.gz
cd squid-2.7.STABLE9
./configure --prefix=/usr/local/squid --enable-async-io=320 --enable-icmp --enable-delay-pools --enable-kill-parent-hack --enable-snmp --enable-arp-acl --enable-htcp --enable-cache-digests --enable-removal-policies=heap,lru --enable-default-err-language=Simplify_Chinese --enable-x-accelerator-vary --enable-follow-x-forwarded-for --with-aufs-threads=320 --with-pthreads --with-dl --with-maxfd=65536 --enable-basic-auth-helpers=DB,NCSA --enable-digest-auth-helpers=password --enable-large-cache-files --with-large-files
make
make install

If none of the steps above reports an error, squid has been installed correctly.

Next run:

cd /usr/local/squid/
# (all subsequent operations are performed in this directory)
grep -v "^#" etc/squid.conf.default|uniq > etc/squid.conf

This creates a copy of the configuration file with all comment lines stripped.

Next, edit this file:

vi etc/squid.conf

The edits to make are as follows:



20  acl CONNECT method CONNECT
21
22  http_access allow manager localhost

Between these two lines insert: include "/usr/local/squid/etc/auth.conf". The contents of auth.conf are described in detail later.



32  icp_access deny all
33
34  http_port 3128

Between these two lines insert: always_direct allow all, meaning that requests from any IP are forwarded directly (to the origin server rather than via a peer).

Delete everything after line 49 broken_vary_encoding allow apache and append the following:

forwarded_for off
# hide the X-Forwarded-For header (squid 2.x then sends "unknown" instead of the client IP)
header_access HTTP_VIA deny all
# hide the HTTP_VIA header
header_access VIA deny all
# hide the VIA header
cache_effective_group daemon
# group squid runs as; the system's own daemon group is used here
cache_effective_user daemon
# user squid runs as; the system's own daemon user is used here

visible_hostname test
# server name shown on error pages; change as you like
cache_dir aufs /usr/local/squid/cache 100 16 256
# squid's cache settings; adjust as needed
cache_store_log none
# disable store.log

Once all of these edits have been made, save and exit.

Next, create auth.conf.

vi /usr/local/squid/etc/auth.conf

Enter the following:

# authentication settings: specify the password file
auth_param basic program /usr/local/squid/libexec/ncsa_auth /usr/local/squid/etc/passwd
auth_param basic children 10          # number of authentication helper processes
auth_param basic credentialsttl 2 hours         # how long verified credentials stay valid
auth_param basic casesensitive off         # whether usernames are case-sensitive

# The next three lines define three user groups, each backed by a user-list file.
acl usergroup1 proxy_auth "/usr/local/squid/etc/ip1user"
acl usergroup2 proxy_auth "/usr/local/squid/etc/ip2user"
acl usergroup3 proxy_auth "/usr/local/squid/etc/ip3user"

# The next three lines allow users in these three groups to access the network.
http_access allow usergroup1
http_access allow usergroup2
http_access allow usergroup3

After editing, save and exit.

Next create the user file: vi /usr/local/squid/etc/ip1user and enter the following

user1
user2

Save and exit. There is no limit on the number of users; each username occupies one line.

If you do not have that many users to begin with, it is still advisable to create the remaining user files with the touch command; otherwise squid will report an error at startup.

Next create the users' password file. The first time the file is created, use the following command:

htpasswd -cb /usr/local/squid/etc/passwd user1 111111

The second-to-last argument is the username and the last one is that user's password.

If the password file already exists, the following command is sufficient:

htpasswd -b /usr/local/squid/etc/passwd user2 111111

The arguments are the same as above.

At this point the configuration work is essentially complete. Next comes squid's initialisation.

First, run mkdir cache to create the cache directory.

Then run chown -R daemon.daemon . to change the owner and group of the current directory and all of its subdirectories. I am using the system's own daemon user and group here.

Once that is done, run sbin/squid -z to initialise squid. If no error is reported, initialisation is complete and the squid service can be started with the following command:

sbin/squid -ND &

Then check whether port 3128 is listening with the following command:
netstat -ln|grep 3128

If the following appears, the squid service is running normally:
tcp        0      0 0.0.0.0:3128                0.0.0.0:*                   LISTEN

That completes a proxy server with user authentication. Open a browser, configure the proxy and test it: an authentication prompt should appear when you browse a page.

To start squid automatically at boot, just add the following line to /etc/rc.local:
/usr/local/squid/sbin/squid -ND &
-----------------------------------------------------------------------

How to set up an anonymous proxy on debian vps


This document describes the steps required to install squid proxy server from http://squid-cache.org and webmin from http://webmin.com on a debian system as well as basic steps required to configure squid to listen on multiple ip addresses and use them as outgoing source address for connections. This will also show you how to configure squid from webmin to accept connections only from predefined clients based on the client's ip address.
For the steps presented below root access over ssh on the server or physical ( console ) access will be required.

Squid installation

Installing squid on a debian system is straightforward. The administrator must be logged in as root and just type: apt-get install squid. This will install squid along with all required dependencies (it may ask for the user's permission to install; in that case just approve).

Webmin installation

Download the webmin .deb package from http://webmin.com/download.html and upload it to your server, then type: dpkg -i webmin_1.xyz.deb where xyz is the current webmin version.
This will look for required dependencies and will let you know if something is missing. In case anything is missing you can just install it using the apt-get install command, similar to how you installed squid.
Once webmin is installed you can access it over web from your browser like https://yourdomain.com:10000

Webmin configuration

If webmin and squid were both installed from the standard debian packages then webmin should already know where the squid configuration files are and be able to modify them and stop/start squid. If this is not the case then you can set the paths in the module's configuration section.

Squid Anonymous configuration

Set http_port to specify the port and ips where squid will listen for incoming connections. If you want squid to listen on any of the available ips just set it like this: http_port 3128
Make squid anonymous by specifying which headers it should allow/deny. For highly anonymous proxies here is the suggested configuration:
header_access Allow allow all
header_access Authorization allow all
header_access WWW-Authenticate allow all
header_access Proxy-Authorization allow all
header_access Proxy-Authenticate allow all
header_access Cache-Control allow all
header_access Content-Encoding allow all
header_access Content-Length allow all
header_access Content-Type allow all
header_access Date allow all
header_access Expires allow all
header_access Host allow all
header_access If-Modified-Since allow all
header_access Last-Modified allow all
header_access Location allow all
header_access Pragma allow all
header_access Accept allow all
header_access Accept-Charset allow all
header_access Accept-Encoding allow all
header_access Accept-Language allow all
header_access Content-Language allow all
header_access Mime-Version allow all
header_access Retry-After allow all
header_access Title allow all
header_access Connection allow all
header_access Proxy-Connection allow all
header_access Cookie allow all
header_access Set-Cookie allow all
header_access All deny all
Some may want to remove the lines that contain the Cookie and Set-Cookie headers, but if you do that most sites will not work anymore because most require cookie / session support.

Squid multiple ip configuration

We want connections that come from one ip to go out on the same ip. First set acls to identify the ips where squid listens for incoming connections. Let's say we have 3 ips : 10.0.0.1 , 10.0.1.1 and 10.0.2.1 . The acls would look like this:
acl in_10_0_0_1 myip 10.0.0.1/32
acl in_10_0_1_1 myip 10.0.1.1/32
acl in_10_0_2_1 myip 10.0.2.1/32
Now you can set up tcp_outgoing address using the above acls:
tcp_outgoing_address 10.0.0.1 in_10_0_0_1
tcp_outgoing_address 10.0.1.1 in_10_0_1_1
tcp_outgoing_address 10.0.2.1 in_10_0_2_1

Set up access rules based on client ip

You will have to set up acls similar to the above, but these identify the client's ip (not the proxy server's ip). These acls are then used in the http_access directive. This can be done directly in the configuration file.
Here is a sample that shows how to allow access for a client with the ip 10.0.0.10:
acl cli_10_0_0_10 src 10.0.0.10
http_access allow cli_10_0_0_10
Just put those two lines in squid.conf before the http_access deny All line.
You can also add an ACL from webmin -> Servers -> Squid Proxy Server -> Access Control -> Edit Acl. The acl type has to be Client address. You just have to set a name and a From address (the address you want to allow access to squid) for it and then save it. After you set the ACL you have to go to "Add proxy restriction", set the Action to Allow, select your acl from the "Match ACLs" box and click save. After the save you should be redirected to the main acls page, where you should see your acl in the Proxy restrictions list, right at the bottom.
You will have to make sure your acl goes before the Deny all entry or else it will have no effect. You can put it one row up by clicking the Up arrow.
Now you can Start/Restart squid from command line /etc/init.d/squid start/restart or from webmin -> squid proxy server
You can test your squid configuration by setting any of the available ips as an HTTP proxy in your browser (port 3128) and then going to http://spotip.com . That site should show you the exact ip you have set up as proxy in your browser.

from http://patchlog.com/general/how-to-set-up-an-anonymous-proxy-on-debian/
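Both of the write-ups above depend on details that squid will not point out for you: an http_access allow has to come before the final deny all to have any effect, every acl named in http_access or tcp_outgoing_address must already be defined, and the anonymising rules (forwarded_for off, a closing header_access All deny all) are only useful if they are actually present and last. The following Python checker is an added example, not part of the patchlog articles or the squid project; it reads a squid 2.7-style squid.conf as text and reports those problems. The sample configuration, including its two deliberate mistakes (a mistyped client address and an allow rule placed after deny all), is constructed for this example.

```python
"""Static sanity checks for a squid 2.7-style squid.conf (added example, not squid tooling)."""
import ipaddress
import re

NUMERIC_RE = re.compile(r"^[0-9.]+(/[0-9.]+)?$")  # bare IPv4 address, CIDR or netmask form

# Constructed sample mirroring the directives in the text, with two deliberate mistakes:
# a mistyped client address and an http_access allow placed after the final deny.
SAMPLE_CONF = """\
acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
acl authenticated proxy_auth REQUIRED
acl cli_10_0_0_10 src 10.0.0.0.10
acl in_10_0_0_1 myip 10.0.0.1/32
http_access allow localhost
http_access allow authenticated
http_access deny all
http_access allow cli_10_0_0_10
tcp_outgoing_address 10.0.0.1 in_10_0_0_1
forwarded_for off
header_access Via deny all
header_access X-Forwarded-For deny all
header_access All deny all
"""


def directives(conf_text):
    """Yield (line_no, directive, args) for each non-blank, non-comment line."""
    for n, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = line.split()
            yield n, parts[0], parts[1:]


def lint(conf_text):
    """Return a list of findings (empty when the config passes every check)."""
    findings = []
    defined = set()          # acl names seen so far; squid requires definition before use
    deny_all_line = None     # line number of the first 'http_access deny all'
    header_rules = []        # (line_no, args) of every header_access line, in order
    forwarded_off = False

    def check_refs(n, directive, names):
        for name in names:
            if name.lstrip("!") not in defined:
                findings.append(f"line {n}: {directive} references undefined acl {name!r}")

    for n, directive, args in directives(conf_text):
        if directive == "acl" and len(args) >= 3:
            name, acl_type, values = args[0], args[1], args[2:]
            defined.add(name)
            if acl_type in ("src", "dst", "myip"):
                for v in values:
                    if NUMERIC_RE.match(v):
                        try:
                            ipaddress.ip_network(v, strict=False)
                        except ValueError:
                            findings.append(f"line {n}: acl {name}: malformed address {v!r}")
        elif directive == "http_access" and len(args) >= 2:
            action, acls = args[0], args[1:]
            if deny_all_line is not None:
                findings.append(f"line {n}: http_access after 'deny all' (line {deny_all_line}) is unreachable")
            elif action == "deny" and [a.lower() for a in acls] == ["all"]:
                deny_all_line = n
            check_refs(n, directive, acls)
        elif directive == "tcp_outgoing_address" and len(args) >= 2:
            check_refs(n, directive, args[1:])
        elif directive == "forwarded_for":
            forwarded_off = args[:1] == ["off"]
        elif directive == "header_access":
            header_rules.append((n, args))

    if not forwarded_off:
        findings.append("forwarded_for is not 'off': the client IP is sent in X-Forwarded-For")
    if not header_rules or [a.lower() for a in header_rules[-1][1]] != ["all", "deny", "all"]:
        findings.append("last header_access rule is not 'All deny all': unlisted headers pass through")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONF) or ["no findings"]:
        print(finding)
```

Run it against your own file with lint(open("/etc/squid/squid.conf").read()) before restarting squid. The checks are deliberately conservative: they only reject address tokens that look numeric, since src/dst acls may also hold hostnames and ranges, and they treat the first http_access deny all as the end of the reachable rule set, which is exactly the placement rule both articles describe.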
-----------------------------------------------------------------------------
squid digest authentication

If you use authentication in squid you have several mechanisms (authenticators) to choose from. The Basic authenticator is the easiest to set up and the most insecure, because the client sends the username and password in plain text to the proxy server.
Instead of using basic you should consider the digest authenticator. With it the client does not send the user and password in plain text but as an MD5-based hash, so an attacker who captures the data between the client and the proxy server cannot simply read the user and password. Note that this is the extent of the protection: the traffic itself is not encrypted, and a captured exchange still lets an attacker test password guesses offline, so weak passwords remain weak.
To use the digest authenticator you have to specifically compile it if you are compiling squid from sources. Before you compile just add --enable-auth="basic digest" to the ./configure line or after you compile squid, go to helpers/digest_auth/ and do :
make
make install
If you are using Fedora then the digest authenticator is already compiled and the program is located at /usr/lib/squid/digest_pw_auth
If you are using squid from ports on freebsd then the program will be compiled by default and installed at /usr/local/libexec/squid/digest_pw_auth
If you emerge squid on gentoo the program will be compiled by default and installed at /usr/libexec/squid/digest_pw_auth
Now for the configuration part the default squid.conf gives almost all the info we need. I say almost because it does not say much about the format of the file where you have to store the passwords:
#"program" cmdline
# Specify the command for the external authenticator. Such a program
# reads a line containing "username":"realm" and replies with the
# appropriate H(A1) value hex encoded or ERR if the user (or his H(A1)
# hash) does not exists. See RFC 2616 for the definition of H(A1).
# "ERR" responses may optionally be followed by a error description
# available as %m in the returned error page.
I did not want to read the whole RFC 2616 just to find the definition of H(A1) so I looked in squid source at digest_pw_auth.c right in the header :
* To avoid storing a plaintext
* password you can calculate MD5(username:realm:password) when the
* user changes their password, and store the tuple username:realm:HA1.
* then find the matching username:realm when squid asks for the
* HA1.
Storing encrypted (hashed) passwords will not really help security that much; the part that helps security is that plain text passwords are not sent over the net, but we will store hashed passwords anyway. HA1 is really just MD5(username:realm:password), and you have to pass the "-c" parameter to digest_pw_auth if you want to avoid storing plain text passwords in the file and have the format be username:realm:HA1.
The final configuration for the digest authenticator :
auth_param digest program /usr/lib/squid/digest_pw_auth -c /etc/squid/digest_passwd
auth_param digest children 5
auth_param digest realm Squid proxy-caching web server
auth_param digest nonce_garbage_interval 5 minutes
auth_param digest nonce_max_duration 30 minutes
auth_param digest nonce_max_count 50
I created a small script to help me add users to /etc/squid/digest_passwd :
cat digest_user.sh
 
#!/bin/sh
 
user=$1
pass=$2
realm=$3
 
if [ -z "$1" ] || [ -z "$2" ] || [ -z "$3" ] ; then
        echo "Usage: $0 user password 'realm'"
        exit 1
fi
 
# printf instead of "echo -n": dash's echo has no -n and would hash a stray "-n"
ha1=$(printf '%s' "$user:$realm:$pass" | md5sum | cut -f1 -d' ')
echo "$user:$realm:$ha1"
To add a user named test with the password 1234 to the file specified in our config I would just do :
./digest_user.sh test 1234 'Squid proxy-caching web server' >>/etc/squid/digest_passwd
Now all that's left to do is to set up the proper acls and http_access directives to allow the authenticated users to use the proxy server. I'm using this acl to match any user that can authenticate:
acl authenticated proxy_auth REQUIRED
And then this http_access directive before any other http_access directive:
http_access allow authenticated
from http://patchlog.com/security/squid-digest-authentication/
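To see why storing only username:realm:HA1 is enough for squid, it helps to follow the RFC 2617 exchange through once from the proxy's side. The Python below is an added example, not code from the patchlog article or from squid's digest_pw_auth: it parses a file in the username:realm:HA1 format the script above produces, recomputes the client's response from the stored HA1 and the challenge parameters, and compares it in constant time. The password file and the client parameters are constructed from the worked example in RFC 2617 section 3.5 (user Mufasa, realm testrealm@host.com, password "Circle Of Life"), so the expected values are the RFC's own.

```python
"""Verifying an RFC 2617 Digest response from a stored username:realm:HA1 line (added example)."""
import hashlib
import hmac


def md5hex(text):
    """Hex MD5 of a string; Digest uses MD5 for HA1, HA2 and the response."""
    return hashlib.md5(text.encode()).hexdigest()


def ha1(user, realm, password):
    """The value digest_user.sh writes to the file: MD5(user:realm:password)."""
    return md5hex(f"{user}:{realm}:{password}")


def load_ha1_table(text):
    """Parse user:realm:HA1 lines (the digest_pw_auth -c format) into a lookup table."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, realm, digest = line.split(":", 2)
        table[(user, realm)] = digest
    return table


def expected_response(ha1_hex, method, uri, nonce, nc, cnonce, qop):
    """Server-side recomputation of the client's response field (qop=auth)."""
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1_hex}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def verify(table, method, params):
    """True if params (fields from the Proxy-Authorization header) match the stored HA1.

    The plaintext password is never needed: the realm-bound HA1 is sufficient, which is
    also why the file must be protected as carefully as a plaintext one.
    """
    stored = table.get((params["username"], params["realm"]))
    if stored is None:
        return False
    expected = expected_response(stored, method, params["uri"], params["nonce"],
                                 params["nc"], params["cnonce"], params["qop"])
    return hmac.compare_digest(expected, params["response"])


# Constructed password file. The entry is the RFC 2617 section 3.5 example user
# (Mufasa / realm testrealm@host.com / password "Circle Of Life"), stored as HA1 only.
PASSWD_FILE = """\
# user:realm:HA1
Mufasa:testrealm@host.com:939e7578ed9e3c518a452acee763bce9
"""

# The matching client response from the same RFC example, as the proxy would receive it.
RFC_EXAMPLE = {
    "username": "Mufasa",
    "realm": "testrealm@host.com",
    "nonce": "dcd98b7102dd2f0e8b11d0f600bfb0c093",
    "uri": "/dir/index.html",
    "qop": "auth",
    "nc": "00000001",
    "cnonce": "0a4f113b",
    "response": "6629fae49393a05397450978507c4ef1",
}

if __name__ == "__main__":
    table = load_ha1_table(PASSWD_FILE)
    print("RFC example verifies:", verify(table, "GET", RFC_EXAMPLE))
```

Two consequences follow directly from the code. Because the realm is part of the key and of HA1, changing auth_param digest realm invalidates every stored entry, so pick the realm before adding users. And because HA1 alone answers any challenge for that realm, the -c file is password-equivalent for the proxy; the nonce_max_duration and nonce_max_count settings in the configuration above are what bound how long a captured response stays replayable, so keep them tight.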
