Set Up a Squid Proxy Server with Restricted Access and Configure Clients to Use the Proxy - Part 5


A Linux Foundation Certified Engineer is a skilled professional who has the expertise to install, manage, and troubleshoot network services in Linux systems, and is in charge of the design, implementation and ongoing maintenance of the system-wide architecture.

Introducing the Linux Foundation Certification Program.

In Part 1 of this series we showed how to install Squid, a web caching proxy server. Please refer to that post (link given below) before proceeding if you have not installed Squid on your system yet.

  1. Part 1 - Install Network Services and Configure Automatic Startup at Boot

In this article we will show you how to configure the Squid proxy server to grant or restrict Internet access, and how to configure an HTTP client, or web browser, to use that proxy server.

Test environment:

Squid server
Operating System : Debian Wheezy 7.5
IP Address       : 192.168.0.15
Hostname         : dev2.gabrielcanepa.com.ar

Client 1
Operating System : Ubuntu 12.04
IP Address       : 192.168.0.104
Hostname         : ubuntuOS.gabrielcanepa.com.ar

Client 2
Operating System : CentOS-7.0-1406
IP Address       : 192.168.0.17
Hostname         : dev1.gabrielcanepa.com.ar

Let us recall that, in simple terms, a web proxy server is an intermediary between one (or more) client computers and a certain network resource, most commonly Internet access. In other words, the proxy server is connected on one side directly to the Internet (or to a router that is connected to the Internet) and on the other side to a network of client computers that will access the World Wide Web through it.

You may be wondering: why would I want to add yet another piece of software to my network infrastructure?

1. Squid stores files from previous requests to speed up future transfers. For example, suppose client1 downloads CentOS-7.0-1406-x86_64-DVD.iso from the Internet. When client2 requests access to the same file, Squid can transfer the file from its cache instead of downloading it again from the Internet. As you can guess, you can use this feature to speed up data transfers in a network of computers that require frequent updates of some kind.

2. ACLs (Access Control Lists) allow us to restrict access to websites and/or monitor access on a per-user basis. You can restrict access based on the day of the week or time of day, or on the domain, for example.

3. Bypassing web filters is made possible through the use of a web proxy to which requests are made and which returns the requested content to the client, instead of having the client request it directly from the Internet.

For example, suppose you are logged on to client1 and want to access www.facebook.com through your company's network. Since the site may be blocked by your company's policies, you could instead connect to a web proxy server and have it request www.facebook.com on your behalf. The remote content is then returned to you through the web proxy server, bypassing your company's blocking policies.

Configuring Squid - The Basics

The access control scheme of the Squid web proxy server consists of two different components:

  1. ACL elements are directive lines that begin with the word "acl" and represent types of tests that are performed against any request transaction.
  2. Access list rules consist of an allow or deny action followed by a number of ACL elements, and are used to indicate what action or limitation has to be enforced for a given request. They are checked in order, and list searching terminates as soon as one of the rules matches. If a rule has multiple ACL elements, it is evaluated as a boolean AND operation (all ACL elements of the rule must match for the rule to match).

Squid's main configuration file is /etc/squid/squid.conf, which is about 5000 lines long since it includes both configuration directives and documentation. For that reason, and for our convenience, we will create a new squid.conf file containing only the lines with configuration directives, leaving out empty or commented lines. To do so, we will use the following commands.

# mv /etc/squid/squid.conf /etc/squid/squid.conf.bkp

And then,

# grep -Eiv '(^#|^$)' /etc/squid/squid.conf.bkp > /etc/squid/squid.conf

OR

# grep -ve ^# -ve ^$ /etc/squid/squid.conf.bkp > /etc/squid/squid.conf

Now open the new squid.conf file and look for (or add) the following ACL elements and access list rules.

acl localhost src 127.0.0.1/32
acl localnet src 192.168.0.0/24

The two lines above are a basic example of the use of ACL elements.

  1. The first word, acl, indicates that this is an ACL element directive line.
  2. The second word, localhost or localnet, specifies a name for the directive.
  3. The third word, src in this case, is the ACL element type, used here to represent a client IP address or a range of addresses, respectively. You can specify a single host by IP address (or by hostname, if you have some kind of DNS resolution in place) or a whole network by its network address.
  4. The fourth parameter is the filtering argument that is "fed" to the directive.

The lines below are access list rules and represent an explicit application of the ACL directives defined above. In a few words, they indicate that HTTP access should be granted if the request comes from the local network (localnet) or from localhost. Which local network or localhost addresses exactly are allowed? The answer is: those specified in the localhost and localnet directives.

http_access allow localnet
http_access allow localhost

At this point you can restart Squid to apply any pending changes.

# service squid restart            [Upstart / sysvinit-based distributions]
# systemctl restart squid.service  [systemd-based distributions]

and then configure a client browser in the local network (192.168.0.104 in our case) to access the Internet through the proxy as follows.

1. Go to the Edit menu and choose the Preferences option.

2. Click on Advanced, then on the Network tab, and finally on Settings.

3. Check Manual proxy configuration and enter the IP address of the proxy server and the port on which it listens for connections.

Note that by default Squid listens on port 3128, but you can override this behaviour by editing the line that begins with http_port (by default it reads http_port 3128).

4. Click OK to apply the changes and you are good to go.

You can now verify that your local network client is accessing the Internet through the proxy as follows.

1. In your client, open a terminal and type,

# ip address show eth0 | grep -Ei '(inet.*eth0)'

That command will display the current IP address of your client (192.168.0.104 in the following image).

2. In your client, use a web browser to open any given website (linux-console.net in this case).

3. On the server, run

# tail -f /var/log/squid/access.log

and you will get a live view of the requests being served through Squid.

Restricting Access by Client

Now suppose you want to explicitly deny access to that particular client IP address, while still maintaining access for the rest of the local network.

1. Define a new ACL directive as follows (I have named it ubuntuOS, but you can name it whatever you want).

acl ubuntuOS src 192.168.0.104

2. Add the ACL directive to the localnet access list rule that is already in place, prefixing it with an exclamation mark. This means: "Allow Internet access to clients matching the localnet ACL directive, except the one that matches the ubuntuOS directive".

http_access allow localnet !ubuntuOS

3. Now we need to restart Squid to apply the changes. Then, if we try to browse to any site from that client, we will find that access is now denied.

Configuring Squid - Fine Tuning

To restrict access through Squid by domain we will use the dstdomain keyword in an ACL directive, as follows.

acl forbidden dstdomain "/etc/squid/forbidden_domains"

Where forbidden_domains is a plain text file that contains the domains we want to deny access to, one per line.

Finally, we must grant access through Squid to requests that do not match the directive above.

http_access allow localnet !forbidden

Alternatively, we may want to allow access to those sites only during a certain time of day (10:00 until 11:00 am) and only on Monday (M), Wednesday (W), and Friday (F).

acl someDays time MWF 10:00-11:00
http_access allow forbidden someDays
http_access deny forbidden

Outside that window, access to those domains will be blocked.
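The following script is an added example, not code from the article or from the Squid project: it models the http_access evaluation described in the basics section (rules checked in order, first match wins, all ACLs of a rule ANDed, "!" negating) for the src, dstdomain and time ACL types used in this part, so you can check what a given client request would get before restarting Squid. The squid.conf fragment is constructed from the article's own directives; the forbidden list is given inline instead of in /etc/squid/forbidden_domains, and the no-match default (the opposite of the last rule's action) follows Squid's documented behaviour.

```python
import ipaddress
from datetime import datetime

# Constructed squid.conf fragment from this article's directives; the dstdomain list
# is inline here instead of being read from /etc/squid/forbidden_domains.
CONF = """
acl localhost src 127.0.0.1/32
acl localnet src 192.168.0.0/24
acl ubuntuOS src 192.168.0.104
acl forbidden dstdomain .facebook.com
acl someDays time MWF 10:00-11:00
http_access allow forbidden someDays
http_access deny forbidden
http_access allow localnet !ubuntuOS
http_access allow localhost
"""

def parse(conf):
    acls, rules = {}, []
    for parts in (line.split() for line in conf.splitlines()):
        if parts and parts[0] == "acl":            # acl <name> <type> <args...>
            acls.setdefault(parts[1], (parts[2], []))[1].extend(parts[3:])
        elif parts and parts[0] == "http_access":  # http_access allow|deny <acl> [!acl ...]
            rules.append((parts[1], parts[2:]))
    return acls, rules

def matches(acl_type, args, req):
    if acl_type == "src":          # client address against single IPs or CIDR networks
        ip = ipaddress.ip_address(req["src"])
        return any(ip in ipaddress.ip_network(a, strict=False) for a in args)
    if acl_type == "dstdomain":    # a leading dot also matches subdomains
        h = req["host"]
        return any(h == a.lstrip(".") or (a.startswith(".") and h.endswith(a)) for a in args)
    if acl_type == "time":         # day letters S M T W H F A plus optional hh:mm-hh:mm
        days, span = "SMTWHFA", "00:00-24:00"
        for a in args:
            days, span = (days, a) if "-" in a else (a, span)
        start, end = span.split("-")
        when = datetime.fromisoformat(req["when"])   # weekday(): Monday=0 .. Sunday=6
        return "MTWHFAS"[when.weekday()] in days and start <= when.strftime("%H:%M") < end
    raise ValueError("unsupported acl type: " + acl_type)

def http_access(conf, req):
    """'allow' or 'deny': rules in order, all ACLs of a rule must match ('!' negates), first match wins."""
    acls, rules = parse(conf)
    for action, terms in rules:
        if all(matches(*acls[t.lstrip("!")], req) != t.startswith("!") for t in terms):
            return action
    # No rule matched: Squid applies the opposite of the last rule's action (deny if no rules).
    return {"allow": "deny", "deny": "allow"}[rules[-1][0]] if rules else "deny"
```

A request is a dict such as {"src": "192.168.0.104", "host": "linux-console.net", "when": "2024-01-08T12:00"} (2024-01-08 is a Monday); with the configuration above it is denied because only the negated localnet rule could match it and the last rule is an allow.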

Squid supports several authentication mechanisms (Basic, NTLM, Digest, SPNEGO, and OAuth) and helpers (SQL database, LDAP, NIS, NCSA, to name a few). In this tutorial we will use Basic authentication with NCSA.

Add the following lines to your /etc/squid/squid.conf file.

auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd
auth_param basic credentialsttl 30 minutes
auth_param basic casesensitive on
auth_param basic realm Squid proxy-caching web server for Tecmint's LFCE series
acl ncsa proxy_auth REQUIRED
http_access allow ncsa

Note: On CentOS 7, the NCSA helper for Squid can be found at /usr/lib64/squid/basic_ncsa_auth, so adjust the first line above accordingly.

A few clarifications:

  1. We need to tell Squid which authentication helper program to use with the auth_param directive, by specifying the name of the program (most likely /usr/lib/squid/ncsa_auth or /usr/lib64/squid/basic_ncsa_auth), plus any command line options (/etc/squid/passwd in this case) if necessary.
  2. The /etc/squid/passwd file is created with htpasswd, a tool for managing basic authentication through files. It allows us to add the list of usernames (and their corresponding passwords) that will be allowed to use Squid.
  3. credentialsttl 30 minutes means the username and password will have to be entered again every 30 minutes (you can also specify this interval in hours).
  4. casesensitive on indicates that usernames and passwords are case sensitive.
  5. realm is the text of the authentication dialog that will be shown when authenticating to Squid.
  6. Finally, access is granted only when proxy authentication (proxy_auth REQUIRED) succeeds.

Run the following command to create the file and add credentials for the user gacanepa (omit the -c flag if the file already exists).

# htpasswd -c /etc/squid/passwd gacanepa

Open a web browser on the client machine and try to browse to any given site.

If authentication succeeds, access to the requested resource is granted. Otherwise, access is denied.

Using the Cache to Speed Up Data Transfers

One of Squid's distinguishing features is the ability to cache resources requested from the web on disk, in order to speed up future requests for those objects, either by the same client or by others.

Add the following directives to your squid.conf file.

cache_dir ufs /var/cache/squid 1000 16 256
maximum_object_size 100 MB
refresh_pattern .*\.(mp4|iso) 2880 0% 2880

A few clarifications about the directives above.

  1. ufs is the Squid storage format.
  2. /var/cache/squid is the top-level directory where cache files will be stored. This directory must exist and be writable by Squid (Squid will NOT create it for you).
  3. 1000 is the amount of space (in MB) to be used under this directory.
  4. 16 is the number of first-level subdirectories, and 256 the number of second-level subdirectories, within the cache directory (/var/cache/squid above).
  5. The maximum_object_size directive specifies the maximum size of objects allowed in the cache.
  6. refresh_pattern tells Squid how to deal with specific file types (.mp4 and .iso in this case) and for how long it should keep the requested objects in the cache (2880 minutes = 2 days).

The first and second 2880 are the lower and upper limits, respectively, on how long objects without an explicit expiry time are considered fresh, and thus served from the cache, whereas 0% is the percentage of an object's age (time since last modification) for which an object without an explicit expiry time is considered fresh.

The first client (IP 192.168.0.104) downloads a 71 MB .mp4 file in 2 minutes and 52 seconds.

The second client (IP 192.168.0.17) downloads the same file in 1.4 seconds!

That is because in the second case the file was served from the Squid cache (indicated by TCP_HIT/200), as opposed to the first case, when it was downloaded directly from the Internet (indicated by TCP_MISS/200).

The HIT and MISS keywords, together with the 200 HTTP response code, indicate that the file was served successfully both times, but that the cache was hit and missed, respectively. When a request cannot be served from the cache for some reason, Squid attempts to serve it from the Internet.
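As an added example (not code from the article or from Squid), the following Python script parses Squid's native access.log format and reports, per client, how many requests were served from the cache (TCP_HIT family), fetched from the origin (TCP_MISS family) or refused (TCP_DENIED: status 403 from an http_access deny, 407 when proxy authentication is required but missing), which is what you would want when verifying the ACL and caching changes from this part. The log lines are constructed to mirror the two downloads and the denied and authenticated requests discussed above.

```python
from collections import defaultdict

# Constructed sample lines in Squid's native access.log format (one request per line):
# timestamp elapsed_ms client result/status bytes method URL user hierarchy/peer type
SAMPLE_LOG = """\
1415000000.123 172012 192.168.0.104 TCP_MISS/200 74448213 GET http://example.com/clip.mp4 - HIER_DIRECT/203.0.113.10 video/mp4
1415000200.456 1400 192.168.0.17 TCP_HIT/200 74448213 GET http://example.com/clip.mp4 - HIER_NONE/- video/mp4
1415000300.789 0 192.168.0.104 TCP_DENIED/403 3800 GET http://linux-console.net/ - HIER_NONE/- text/html
1415000400.000 210 192.168.0.17 TCP_MISS/200 5120 GET http://linux-console.net/ gacanepa HIER_DIRECT/203.0.113.20 text/html
1415000401.000 3 192.168.0.17 TCP_DENIED/407 3100 GET http://linux-console.net/ - HIER_NONE/- text/html
"""

FIELDS = ("ts", "elapsed_ms", "client", "result", "bytes", "method", "url", "user", "hier", "type")

def parse_line(line):
    """Return one record as a dict, or None for lines that are not native-format entries."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    rec["code"], rec["status"] = rec["result"].split("/", 1)   # e.g. TCP_HIT, 200
    rec["elapsed_ms"], rec["bytes"] = int(rec["elapsed_ms"]), int(rec["bytes"])
    return rec

def summarize(log_text):
    """Per-client counts of cache hits, misses and denied requests, plus bytes served from cache."""
    stats = defaultdict(lambda: {"hit": 0, "miss": 0, "denied": 0, "cache_bytes": 0})
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        s = stats[rec["client"]]
        if rec["code"] == "TCP_DENIED":          # 403 from http_access deny, 407 needs proxy auth
            s["denied"] += 1
        elif "HIT" in rec["code"]:               # TCP_HIT, TCP_MEM_HIT, TCP_REFRESH_HIT, ...
            s["hit"] += 1
            s["cache_bytes"] += rec["bytes"]
        elif "MISS" in rec["code"]:              # fetched from the origin server
            s["miss"] += 1
    return dict(stats)

def hit_ratio(stats):
    """Fraction of served (non-denied) requests that were answered from the cache."""
    hits = sum(s["hit"] for s in stats.values())
    served = hits + sum(s["miss"] for s in stats.values())
    return hits / served if served else 0.0

if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG)
    for client, s in sorted(stats.items()):
        print(client, s)
    print("cache hit ratio: %.2f" % hit_ratio(stats))
```

To run it against a real server, replace SAMPLE_LOG with the contents of /var/log/squid/access.log.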

Conclusion

In this article we have discussed how to set up a Squid web caching proxy. You can use the proxy server to filter content using chosen criteria, and also to reduce latency (since identical incoming requests are served from the cache, which is closer to the client than the web server that actually serves the content, resulting in faster data transfers) and network traffic (reducing the amount of bandwidth used, which saves you money if you pay for traffic).

You may want to refer to the Squid website for further documentation (make sure to also check the wiki), but do not hesitate to contact us if you have any questions or comments. We will be glad to hear from you!