2017.5.10

Debian proxy server Squid くコ:くコ:くコ:彡。゜゜。。

Trying out Internet access restriction with Squid [ProxyⅠ]


I wanted to restrict Internet access by sorting traffic on domain and URL.
So, as a test, I set up a proxy and routed traffic through it.

■ INDEX
• Trying out Internet access restriction with Squid: ProxyⅠ
• Client-side proxy settings: ProxyⅡ
• Getting stuck on transparent proxy & iptables: ProxyⅢ
• Giving up on HTTPS transparent proxy: ProxyⅣ

< Environment >
 ROUTER: 192.168.1.1
 PROXY_SERVER: 192.168.1.101:8080
 CLIENT: 192.168.1.31
 netmask: 255.255.255.0
 gateway: $ROUTER


■ Installing Squid
$ aptitude search squid
# apt-get install squid3

■ Creating the domain filter list
Whitelist approach: only the domains that are permitted are listed.
# vi /etc/squid3/whitelist

## Debian security Update File: /etc/apt/sources.list
ftp.jp.debian.org
security.debian.org
## Windows Update Domain  *Note
.update.microsoft.com
.download.windowsupdate.com
## Allow Domain
.green-pen.jp
.example.com

*Note: reference pages // Microsoft Support
  https://support.microsoft.com/ja-jp/help/3175743
  https://support.microsoft.com/ja-jp/help/3084568
  https://support.microsoft.com/ja-jp/help/2894304

■ Editing the Squid configuration file
# vi /etc/squid3/squid.conf

# TAG: acl
# should be allowed
#acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
#acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
#acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
#acl localnet src fc00::/7 # RFC 4193 local private network range
#acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl localnet src 192.168.1.0/24
#acl localhost src 127.0.0.1
acl whitelist dstdomain "/etc/squid3/whitelist"

acl SSL_ports port 443
acl Safe_ports port 80 # http
#acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
#acl Safe_ports port 70 # gopher
#acl Safe_ports port 210 # wais
#acl Safe_ports port 1025-65535 # unregistered ports
#acl Safe_ports port 280 # http-mgmt
#acl Safe_ports port 488 # gss-http
#acl Safe_ports port 591 # filemaker
#acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

# TAG: http_access
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localhost
# Rules are evaluated first match wins, so the whitelist deny must sit
# before the localnet allow; otherwise every LAN client would be allowed anywhere.
http_access deny !whitelist
http_access allow localnet

# And finally deny all other access to this proxy
http_access deny all

# TAG: http_port
# Squid normally listens to port 3128
http_port 8080
http_port 58080 transparent

# TAG: cache_dir
#Default:
# No disk cache. Store cache objects only in memory.
#

# Uncomment and adjust the following to add a disk cache directory.
cache_dir ufs /var/spool/squid3 100 16 256

# TAG: logformat
#logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt
logformat squid %tl %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt
#logformat common %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st %Ss:%Sh
#
# TAG: cache_log
#Default:
cache_log /var/log/squid3/cache.log

# TAG: request_header_access
#Default:
# No limits.
request_header_access Referer deny all
request_header_access X-FORWARDED-FOR deny all
request_header_access Via deny all
request_header_access Cache-Control deny all
# Header names must be hyphenated; Squid rejects "User_Agent" as an unknown header name.
request_header_access User-Agent deny all

# TAG: visible_hostname
#Default:
# Automatically detect the system host name
visible_hostname unknown

# TAG: dns_nameservers
# Use this if you want to specify a list of DNS name servers
# (IP addresses) to use instead of those given your
# /etc/resolv.conf file.
#Default:
# Use operating system definitions

# TAG: forwarded_for on|off|transparent|truncate|delete
#Default:
forwarded_for off

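The http_access list above is evaluated top to bottom, first match wins, so the position of the whitelist deny relative to the localnet allow is what makes the filter work. The following is an added example, not code from the original post or from Squid, that re-implements that first-match evaluation for the exact ACLs and rules shown here, so a request can be traced to the line that decides it before restarting the daemon. The whitelist text, client addresses and hostnames are constructed test data, and the "manager" and "to_localhost" predicates are simplified stand-ins for Squid's built-in definitions (an assumption, not Squid's own matching code).

```python
"""Added example (not from the original post): first-match evaluator for the
http_access rules of the squid.conf excerpt. 'manager' and 'to_localhost' are
simplified stand-ins for Squid's built-in ACLs (assumption)."""
import ipaddress

# Constructed copy of /etc/squid3/whitelist; '#' lines are comments as in Squid.
WHITELIST_TEXT = """\
## Debian security Update File: /etc/apt/sources.list
ftp.jp.debian.org
security.debian.org
## Windows Update Domain
.update.microsoft.com
.download.windowsupdate.com
## Allow Domain
.green-pen.jp
.example.com
"""


def load_dstdomain(text):
    """Entries of a dstdomain list file: blank lines and '#' lines are ignored."""
    return [ln.strip().lower() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def dstdomain_match(host, patterns):
    """Squid dstdomain semantics: '.x.com' matches x.com and every subdomain,
    a bare 'x.com' matches only that exact host."""
    host = host.lower().rstrip(".")
    for p in patterns:
        if p.startswith("."):
            if host == p[1:] or host.endswith(p):
                return True
        elif host == p:
            return True
    return False


WHITELIST = load_dstdomain(WHITELIST_TEXT)
LOCALNET = ipaddress.ip_network("192.168.1.0/24")   # acl localnet src 192.168.1.0/24
LOCALHOST = ipaddress.ip_network("127.0.0.1/32")
SAFE_PORTS = {80, 443}                               # the two uncommented Safe_ports lines
SSL_PORTS = {443}

# One predicate per ACL name; the request is a dict with src, host, port, method, path.
ACLS = {
    "all":          lambda r, wl: True,
    "localnet":     lambda r, wl: ipaddress.ip_address(r["src"]) in LOCALNET,
    "localhost":    lambda r, wl: ipaddress.ip_address(r["src"]) in LOCALHOST,
    "whitelist":    lambda r, wl: dstdomain_match(r["host"], wl),
    "Safe_ports":   lambda r, wl: r["port"] in SAFE_PORTS,
    "SSL_ports":    lambda r, wl: r["port"] in SSL_PORTS,
    "CONNECT":      lambda r, wl: r["method"] == "CONNECT",
    # simplified: cache manager URLs live under /squid-internal-mgr/
    "manager":      lambda r, wl: r.get("path", "").startswith("/squid-internal-mgr/"),
    # simplified: Squid's to_localhost is a dst match on the loopback ranges
    "to_localhost": lambda r, wl: r["host"] in ("localhost", "127.0.0.1"),
}


def acl_match(term, req, whitelist=WHITELIST):
    """Evaluate one ACL term, honouring a leading '!' as negation."""
    negate = term.startswith("!")
    hit = ACLS[term.lstrip("!")](req, whitelist)
    return hit != negate


# The http_access lines from the excerpt, in file order (all terms on a line are ANDed).
HTTP_ACCESS = [
    ("deny",  ["!Safe_ports"]),
    ("deny",  ["CONNECT", "!SSL_ports"]),
    ("allow", ["localhost", "manager"]),
    ("deny",  ["manager"]),
    ("deny",  ["to_localhost"]),
    ("allow", ["localhost"]),
    ("deny",  ["!whitelist"]),
    ("allow", ["localnet"]),
    ("deny",  ["all"]),
]


def evaluate(req, rules=HTTP_ACCESS, whitelist=WHITELIST):
    """Return (decision, index of the deciding rule). Squid stops at the first
    line whose terms all match; if none matches, the default is the opposite
    of the last line's action, reported with index None."""
    for i, (action, terms) in enumerate(rules):
        if all(acl_match(t, req, whitelist) for t in terms):
            return action, i
    return ("allow" if rules[-1][0] == "deny" else "deny"), None


def request(src, host, port=80, method="GET", path="/"):
    return {"src": src, "host": host, "port": port, "method": method, "path": path}


if __name__ == "__main__":
    for req in (request("192.168.1.31", "www.example.com"),
                request("192.168.1.31", "ads.example.net"),
                request("192.168.1.31", "example.com", 443, "CONNECT"),
                request("192.168.1.31", "www.example.com", 8443, "CONNECT"),
                request("10.0.0.5", "www.example.com"),
                request("127.0.0.1", "ads.example.net")):
        print(req["src"], req["method"], f'{req["host"]}:{req["port"]}', "->", evaluate(req))
```

Two things the trace makes visible: a LAN client reaching a non-whitelisted host is stopped by the "deny !whitelist" line (index 6) and never reaches "allow localnet", and requests from the proxy host itself are accepted by "allow localhost" (index 5) before the whitelist is consulted, so anything running on the proxy box is not filtered by this list.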

■ Checking squid.conf and restarting
# squid3 -k parse
# systemctl status -l squid3.service
# systemctl restart squid3.service

■ Rotating logs and cache
# squid3 -k rotate
--- removes the log, cache and swap files
--- best run periodically from crontab

■ Monitoring the access log
# tail -f /var/log/squid3/access.log
--- HIER_NONE: means the access was denied
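With the custom logformat set above, every denied request shows up as TCP_DENIED with HIER_NONE (no upstream was contacted). The following is an added example, not code from the original post, that parses lines in that exact layout (%tl %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt) and tallies denials per destination host and per client, which is the view you want when deciding whether a blocked domain is a whitelist gap (an update host that should be added) or traffic that should stay blocked. The log lines are constructed sample data using documentation addresses.

```python
"""Added example (not from the original post): parser and denial tally for
access.log lines written with the page's custom 'logformat squid' line."""
import re
from collections import Counter
from urllib.parse import urlsplit

# %tl expands to "%d/%b/%Y:%H:%M:%S %z", so the timestamp itself contains one
# space; %6tr is right-justified, hence the run of spaces before elapsed time.
LINE_RE = re.compile(
    r"^(?P<time>\S+ [+-]\d{4})\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<status>[A-Z_]+)/(?P<code>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<mime>\S+)$"
)

# Constructed sample lines; hosts and peer addresses are documentation values.
SAMPLE_LOG = """\
10/May/2017:14:32:01 +0900    123 192.168.1.31 TCP_MISS/200 5432 GET http://www.example.com/ - HIER_DIRECT/203.0.113.10 text/html
10/May/2017:14:32:05 +0900      0 192.168.1.31 TCP_DENIED/403 3851 GET http://ads.example.net/track.js - HIER_NONE/- text/html
10/May/2017:14:32:06 +0900      0 192.168.1.31 TCP_DENIED/403 3851 CONNECT update.example.org:443 - HIER_NONE/- text/html
10/May/2017:14:32:09 +0900     45 192.168.1.31 TCP_TUNNEL/200 9812 CONNECT download.windowsupdate.com:443 - HIER_DIRECT/203.0.113.20 -
10/May/2017:14:33:10 +0900      0 192.168.1.55 TCP_DENIED/403 3851 GET http://ads.example.net/pixel.gif - HIER_NONE/- text/html
"""


def dest_host(url):
    """Host part of %ru: a full URL for GET/POST, 'host:port' for CONNECT."""
    if "://" in url:
        return (urlsplit(url).hostname or "").lower()
    return url.rsplit(":", 1)[0].lower()


def parse_line(line):
    """Return a dict for one access.log line, or None if it does not fit the format."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    for key in ("elapsed", "code", "bytes"):
        rec[key] = int(rec[key])
    rec["host"] = dest_host(rec["url"])
    # Denied requests are logged as TCP_DENIED, paired with HIER_NONE.
    rec["denied"] = rec["status"] == "TCP_DENIED"
    return rec


def summarize(text):
    """Parse a log excerpt and tally denials by destination host and by client."""
    parsed, denied = 0, []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:          # skip lines in another format (e.g. after a logformat change)
            continue
        parsed += 1
        if rec["denied"]:
            denied.append(rec)
    return {
        "parsed": parsed,
        "denied": denied,
        "denied_by_host": Counter(r["host"] for r in denied),
        "denied_by_client": Counter(r["client"] for r in denied),
    }


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    print(f"parsed {summary['parsed']} lines, {len(summary['denied'])} denied")
    for host, n in summary["denied_by_host"].most_common():
        print(f"{n:4d}  {host}")
```

Run it against a real excerpt with `summarize(open("/var/log/squid3/access.log").read())`; a host that appears many times from many clients is usually a legitimate dependency missing from the whitelist, while a single client hammering one blocked host is worth a closer look.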

■ Creating and deleting the cache directory
Procedure
 1. When configuring Squid for the first time, create the directory beforehand
 2. Delete the cache together with its directory
 3. Create a new cache directory
# systemctl stop squid3.service
--- first, stop the service
# squid3 -z
--- create the cache directory
# rm -rf /var/spool/squid3/*
--- delete everything, cache directories included


Copyright(C) green-pen miyagi