5.2. Securing Squid

Squid is one of the most popular proxy/cache servers, and there are some security issues that should be taken into account. Squid's default configuration file denies all user requests. However, the Debian package allows access from 'localhost'; you just need to configure your browser properly. You should configure Squid to allow access to trusted users, hosts or networks by defining an Access Control List in /etc/squid/squid.conf; see http://www.deckle.co.za/squid-users-guide/Main_Page for more information about defining ACL rules. Notice that Debian provides a minimum configuration for Squid that will prevent anything except localhost from connecting to your proxy server (which will run on the default port 3128). You will need to customize your /etc/squid/squid.conf as needed.

The recommended minimum configuration (provided with the package) is shown below:

  acl all src 0.0.0.0/0.0.0.0
  acl manager proto cache_object
  acl localhost src 127.0.0.1/255.255.255.255
  acl SSL_ports port 443 563
  acl Safe_ports port 80 # http
  acl Safe_ports port 21 # ftp
  acl Safe_ports port 443 563 # https, snews
  acl Safe_ports port 70 # gopher
  acl Safe_ports port 210 # wais
  acl Safe_ports port 1025-65535 # unregistered ports
  acl Safe_ports port 280 # http-mgmt
  acl Safe_ports port 488 # gss-http
  acl Safe_ports port 591 # filemaker
  acl Safe_ports port 777 # multiling http
  acl Safe_ports port 901 # SWAT
  acl purge method PURGE
  acl CONNECT method CONNECT
  (...)
  # Only allow cachemgr access from localhost
  http_access allow manager localhost
  http_access deny manager
  # Only allow purge requests from localhost
  http_access allow purge localhost
  http_access deny purge
  # Deny requests to unknown ports
  http_access deny !Safe_ports
  # Deny CONNECT to other than SSL ports
  http_access deny CONNECT !SSL_ports
  #
  # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
  #
  http_access allow localhost
  # And finally deny all other access to this proxy
  http_access deny all
  #Default:
  # icp_access deny all
  #
  #Allow ICP queries from everyone
  icp_access allow all

You should also configure Squid according to your system resources, including the cache memory (the cache_mem option), the location of the cached files and the amount of disk space they may occupy (the cache_dir option).

Note that, if configured improperly, someone may be able to relay mail messages through Squid, since the HTTP and SMTP protocols are designed very similarly. Squid's default configuration file denies access to port 25. If you wish to allow connections to port 25, just add it to the Safe_ports list. However, this is NOT recommended.
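The following is an added example, not code from the Debian package or from this manual: a small Python model of how Squid evaluates the http_access chain shown above (first matching line wins, '!' negates a term), so you can see what a rule change does before editing /etc/squid/squid.conf. The configuration text is a constructed excerpt of the default listing (manager and purge ACLs omitted, Safe_ports collapsed onto one line), and the evaluator understands only src, port and method ACLs.

```python
import ipaddress
# Constructed excerpt of the Debian default shown above (manager and purge
# ACLs omitted, the Safe_ports entries collapsed onto one line).
CONF = """
acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
acl Safe_ports port 80 21 443 563 70 210 1025-65535 280 488 591 777 901
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny all
"""

def parse(conf):
    """Collect acl definitions (repeated names accumulate) and http_access lines."""
    acls, rules = {}, []
    for line in conf.splitlines():
        parts = line.split('#')[0].split()
        if parts and parts[0] == 'acl':
            name, kind, args = parts[1], parts[2], parts[3:]
            if kind == 'src':     # ipaddress accepts Squid's dotted-netmask form
                vals = [ipaddress.ip_network(a, strict=False) for a in args]
            elif kind == 'port':  # single port or lo-hi range
                vals = [(int(a.split('-')[0]), int(a.split('-')[-1])) for a in args]
            else:                 # method
                vals = args
            acls.setdefault(name, (kind, []))[1].extend(vals)
        elif parts and parts[0] == 'http_access':
            rules.append((parts[1], parts[2:]))
    return acls, rules

def acl_matches(acls, name, req):
    kind, vals = acls[name]
    if kind == 'src':
        return any(ipaddress.ip_address(req['src']) in n for n in vals)
    if kind == 'port':
        return any(lo <= req['port'] <= hi for lo, hi in vals)
    return req['method'] in vals

def check(conf, src, method, port):
    """Squid semantics: the first http_access line whose ACLs all match wins,
    '!' negates a term, and if no line matches the last line's opposite applies."""
    acls, rules = parse(conf)
    req = {'src': src, 'method': method, 'port': port}
    for action, terms in rules:
        if all(acl_matches(acls, t.lstrip('!'), req) != t.startswith('!') for t in terms):
            return action
    return 'deny' if rules[-1][0] == 'allow' else 'allow'
```

Prepending a line such as `acl Safe_ports port 25` to CONF turns a localhost request to port 25 from deny into allow, which is exactly the relay exposure the text warns about.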

Setting up and configuring the proxy/cache server properly is only part of keeping your site secure. Another necessary task is to analyze Squid's logs to ensure that everything is working as it should. There are some packages in Debian GNU/Linux that can help an administrator do this. The following packages are available in Debian 3.0 and Debian 3.1 (sarge):

  • calamaris - log analyzer for Squid or Oops proxy log files.

  • modlogan - a modular logfile analyzer.

  • sarg - Squid Analysis Report Generator.

  • squidtaild - Squid log monitoring program.

When using Squid in Accelerator Mode it acts as a web server too. Turning on this option increases code complexity, making it less reliable. By default Squid is not configured to act as a web server, so you don't need to worry about this. If you want to use this feature, be sure that it is really necessary. For more information about Accelerator Mode in Squid, see http://www.deckle.co.za/squid-users-guide/Accelerator_Mode.