5.2. Securing Squid
Squid is one of the most popular proxy/cache servers, and there are some security issues that should be taken into account. Squid's default configuration file denies all user requests. The Debian package, however, allows access from 'localhost', so you only need to configure your browser accordingly. You should configure Squid to allow access only to trusted users, hosts or networks by defining Access Control Lists (ACLs) in /etc/squid/squid.conf; see http://www.deckle.co.za/squid-users-guide/Main_Page for more information about defining ACL rules. Notice that Debian provides a minimal configuration for Squid that prevents anything except localhost from connecting to your proxy server (which listens on the default port 3128). You will need to customize /etc/squid/squid.conf as needed. Keep in mind that http_access rules are evaluated in order and the first match wins, so place your own allow rules where the configuration indicates: after the deny rules for unsafe ports and CONNECT, and before the final deny all.
The recommended minimum configuration (provided with the package) is shown below:
    acl all src 0.0.0.0/0.0.0.0
    acl manager proto cache_object
    acl localhost src 127.0.0.1/255.255.255.255
    acl SSL_ports port 443 563
    acl Safe_ports port 80          # http
    acl Safe_ports port 21          # ftp
    acl Safe_ports port 443 563     # https, snews
    acl Safe_ports port 70          # gopher
    acl Safe_ports port 210         # wais
    acl Safe_ports port 1025-65535  # unregistered ports
    acl Safe_ports port 280         # http-mgmt
    acl Safe_ports port 488         # gss-http
    acl Safe_ports port 591         # filemaker
    acl Safe_ports port 777         # multiling http
    acl Safe_ports port 901         # SWAT
    acl purge method PURGE
    acl CONNECT method CONNECT
    (...)
    # Only allow cachemgr access from localhost
    http_access allow manager localhost
    http_access deny manager
    # Only allow purge requests from localhost
    http_access allow purge localhost
    http_access deny purge
    # Deny requests to unknown ports
    http_access deny !Safe_ports
    # Deny CONNECT to other than SSL ports
    http_access deny CONNECT !SSL_ports
    #
    # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
    #
    http_access allow localhost
    # And finally deny all other access to this proxy
    http_access deny all
    #Default:
    # icp_access deny all
    #
    #Allow ICP queries from everyone
    icp_access allow all
Note that the last line of the shipped configuration answers ICP queries from any host; unless you run a cache hierarchy with other proxies, change it to icp_access deny all. You should also configure Squid according to your system resources, including the cache memory (the cache_mem parameter), the location of the cached files and the amount of disk space they may use (the cache_dir parameter).
Note that, if configured improperly, someone may be able to relay mail messages through Squid, since the HTTP and SMTP protocols are designed quite similarly. Squid's default configuration file denies access to port 25. If you want to allow connections to port 25 you just need to add it to the Safe_ports list. However, this is NOT recommended.
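The following script is an added example (not part of Squid or of the Debian package) that statically checks a squid.conf for the pitfalls just described: port 25 ending up in Safe_ports, an http_access rule order that lets an allow rule shadow the deny rules, a missing final deny all, and ICP open to everyone. The two embedded configurations are constructed for the example: the first is the recommended Debian file from above with two deliberate weaknesses marked "WEAK:", the second is the same file with those lines removed.

```python
"""Static checks on a squid.conf for the ACL pitfalls discussed in this
section. Added example, not part of Squid or of the Debian package."""

# Constructed sample: the recommended Debian configuration from the text,
# with two deliberate weaknesses marked "WEAK:" so the checks have
# something to report.
WEAK_CONF = """\
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443 563     # https, snews
acl Safe_ports port 25          # WEAK: smtp, lets clients relay mail
acl Safe_ports port 1025-65535  # unregistered ports
acl purge method PURGE
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access allow all           # WEAK: first match wins, rules below are dead
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny all
icp_access allow all
"""

# The same file with the WEAK lines dropped and ICP closed.
HARDENED_CONF = "\n".join(
    line for line in WEAK_CONF.splitlines() if "WEAK:" not in line
).replace("icp_access allow all", "icp_access deny all")


def parse(conf):
    """Return (acls by name, http_access rules, icp_access rules) in file order."""
    acls, http_rules, icp_rules = {}, [], []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        words = line.split()
        if words[0] == "acl" and len(words) >= 4:
            # acl <name> <type> <value>...; repeated names accumulate values
            acls.setdefault(words[1], (words[2], []))[1].extend(words[3:])
        elif words[0] == "http_access" and len(words) >= 3:
            http_rules.append((words[1], words[2:]))
        elif words[0] == "icp_access" and len(words) >= 3:
            icp_rules.append((words[1], words[2:]))
    return acls, http_rules, icp_rules


def port_in_acl(values, port):
    """True if a 'port' ACL (single ports or lo-hi ranges) covers port."""
    for value in values:
        lo, _, hi = value.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def audit(conf):
    """Return a list of findings; an empty list means every check passed."""
    acls, rules, icp = parse(conf)
    findings = []

    acl_type, values = acls.get("Safe_ports", ("port", []))
    if acl_type == "port" and port_in_acl(values, 25):
        findings.append("Safe_ports covers TCP 25: clients could relay mail via the proxy")

    if not rules or rules[-1] != ("deny", ["all"]):
        findings.append("last http_access rule is not 'deny all'")

    # http_access is first-match: an unconditional allow makes later rules dead
    for i, rule in enumerate(rules):
        if rule == ("allow", ["all"]):
            findings.append(f"'http_access allow all' (rule {i + 1}) shadows "
                            f"{len(rules) - i - 1} later rule(s)")
            break

    # The port and CONNECT guards must precede the first allow for real clients
    def index_of(pred):
        return next((i for i, r in enumerate(rules) if pred(r)), None)

    client_allow = index_of(lambda r: r[0] == "allow" and r[1][0] not in ("manager", "purge"))
    for guard in (("deny", ["!Safe_ports"]), ("deny", ["CONNECT", "!SSL_ports"])):
        text = f"http_access {guard[0]} {' '.join(guard[1])}"
        pos = index_of(lambda r, g=guard: r == g)
        if pos is None:
            findings.append(f"missing guard rule '{text}'")
        elif client_allow is not None and pos > client_allow:
            findings.append(f"guard rule '{text}' comes after a client allow rule")

    if ("allow", ["all"]) in icp:
        findings.append("icp_access allow all: ICP queries are answered for any host")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: {audit(conf) or ['no findings']}")
```

Run it against your own file with `audit(open("/etc/squid/squid.conf").read())`. The checks only understand the `acl`, `http_access` and `icp_access` directives shown in this section; Squid's other ACL types (time, proxy_auth, dstdomain and so on) are parsed but not evaluated.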
Setting up and configuring the proxy/cache server properly is only part of keeping your site secure. Another necessary task is to analyze Squid's logs to ensure that everything is working as it should. There are some packages in Debian GNU/Linux that can help an administrator do this. The following packages are available in Debian 3.0 and Debian 3.1 (sarge):
calamaris - log analyzer for Squid or Oops proxy log files.
modlogan - a modular log file analyzer.
sarg - Squid Analysis Report Generator.
squidtaild - Squid log monitoring program.
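As an added example of the kind of log review this section asks for (it is not one of the Debian packages listed above), the script below reads Squid's native access.log format and reports clients that keep getting denied, CONNECT tunnels that succeeded to a port other than the SSL ports, and any request aimed at TCP 25. The log lines are constructed for the example; the IP addresses and host names are placeholders.

```python
"""Scan Squid's native access.log for the abuse patterns this section warns
about. Added example; not one of the Debian log analysis packages."""
from collections import Counter
from urllib.parse import urlsplit

SSL_PORTS = {443, 563}                       # matches the SSL_ports ACL above
DEFAULT_PORT = {"http": 80, "https": 443, "ftp": 21, "gopher": 70}

# Constructed sample lines in Squid's native format:
# time elapsed client action/status bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
1136822400.123 145 192.168.1.20 TCP_MISS/200 4512 GET http://www.debian.org/ - DIRECT/194.109.137.218 text/html
1136822401.001 0 10.0.0.5 TCP_DENIED/403 1410 CONNECT mail.example.com:25 - NONE/- text/html
1136822401.502 0 10.0.0.5 TCP_DENIED/403 1410 CONNECT mail.example.com:25 - NONE/- text/html
1136822402.789 12 10.0.0.5 TCP_MISS/200 2048 CONNECT smtp.example.com:2525 - DIRECT/203.0.113.9 -
1136822403.100 30 192.168.1.20 TCP_MISS/200 3000 CONNECT www.example.com:443 - DIRECT/203.0.113.10 -
1136822404.200 5 172.16.0.7 TCP_DENIED/403 1410 GET http://intranet.example.com:8080/ - NONE/- text/html
"""


def parse_line(line):
    """Split one native-format log line into a dict, or None if malformed."""
    f = line.split()
    if len(f) < 10 or "/" not in f[3]:
        return None
    action, status = f[3].split("/", 1)
    return {"time": float(f[0]), "client": f[2], "action": action,
            "status": int(status) if status.isdigit() else 0,
            "method": f[5], "url": f[6]}


def request_port(method, url):
    """Destination TCP port of a request; CONNECT logs host:port, not a URL."""
    if method == "CONNECT":
        _, _, port = url.rpartition(":")
        return int(port) if port.isdigit() else 443
    parts = urlsplit(url)
    try:
        return parts.port or DEFAULT_PORT.get(parts.scheme, 80)
    except ValueError:                       # non-numeric port in the URL
        return None


def analyze(log_text):
    """Return denied-request counts per client and a list of suspicious records."""
    denied = Counter()
    suspicious = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        port = request_port(rec["method"], rec["url"])
        if rec["action"].startswith("TCP_DENIED"):
            denied[rec["client"]] += 1
        if port == 25:
            # Denied or not, somebody is probing for a mail relay
            suspicious.append((rec["client"], "request to SMTP port 25", rec["url"]))
        elif rec["method"] == "CONNECT" and port not in SSL_PORTS and rec["status"] == 200:
            # Only possible if 'http_access deny CONNECT !SSL_ports' was loosened
            suspicious.append((rec["client"], "CONNECT tunnel to non-SSL port", rec["url"]))
    return {"denied": dict(denied), "suspicious": suspicious}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for client, count in sorted(report["denied"].items(), key=lambda kv: -kv[1]):
        print(f"{client}: {count} denied request(s)")
    for client, reason, url in report["suspicious"]:
        print(f"{client}: {reason} ({url})")
```

Feed it a real file with `analyze(open("/var/log/squid/access.log").read())`. A client that accumulates denials for port 25 or for CONNECT to odd ports is the pattern the port 25 warning above is about; a successful CONNECT to a non-SSL port means the CONNECT guard rule is no longer in effect and the configuration should be rechecked.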
When using Squid in Accelerator Mode it acts as a web server too. Turning on this option increases code complexity, making it less reliable. By default Squid is not configured to act as a web server, so you don't need to worry about this. If you want to use this feature, make sure it is really necessary. To find more information about Accelerator Mode in Squid see http://www.deckle.co.za/squid-users-guide/Accelerator_Mode