squid代理實現(xiàn)賬號登陸的問題

jixuuse

自己百度下吧，網(wǎng)上這種多的是

如果要IP認(rèn)證，直接加入允許放行的IP子網(wǎng)即可，MAC認(rèn)證沒搞過，因為都是跨三層的大網(wǎng)絡(luò)，看不到客戶端MAC

mengcun123

回復(fù) 8# jixuuse

再確認(rèn)一下，你是用yum安裝的？用的linux哪個版本？另外實現(xiàn)賬號認(rèn)證的時候還需要安裝什么呢


   

jixuuse

我很懶，能用yum裝的絕不用源碼，貼的這些都是自己親手做的，我自己都會寫一個txt安裝過程文檔記錄下來

woxizishen

回復(fù) 11# jixuuse

MAC地址一樣可以跨網(wǎng)段認(rèn)證，呵呵，綁定arp，就可以進(jìn)行跨網(wǎng)段的mac地址認(rèn)證。

因為squid很偷懶，使用系統(tǒng)的ARP緩存條目來管理的。所以可以利用他的這個弱點來實現(xiàn)跨網(wǎng)段mac地址認(rèn)證。

   

woxizishen

回復(fù) 10# mengcun123
請按照我下面的完整步驟來操作,我的squid版本是2.7的，每一行都有解釋:

使用賬號登陸才可以使用。只需做如下設(shè)定即可:
auth_param basic program /etc/squid/libexec/ncsa_auth /etc/squid/etc/passwd
auth_param basic children 10
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
auth_param basic realm 172.16.4.123 proxy cache
##認(rèn)證部份有解釋##

acl all2 src 0.0.0.0/0.0.0.0   允許所有網(wǎng)絡(luò)訪問此臺代理服務(wù)器。
http_access allow all2


acl usergroup1 proxy_auth "/etc/squid/etc/ip1user"  
http_access allow usergroup1                                           設(shè)定允許用戶賬號登陸后訪問外網(wǎng)、需要自行建立該用戶文件夾
Touch /etc/squid/etc/ip1user
dawson                      一行一個賬號
temp
……

上述完成后，開始建立密碼:
htpasswd -b /etc/squid/etc/passwd dawson  123456
htpasswd -b /etc/squid/etc/passwd temp  123456

##這樣重新載入配置文件后即可以用賬號通過squid驗證正確后即可以訪問了。##


   

woxizishen

回復(fù) 13# jixuuse

如果不需要特別的功能，就只是用一個企業(yè)用的簡單正向/透明代理，就直接用yum和rpm都很不錯，重要是節(jié)省大家時間。

當(dāng)然如果你想很透測的了解squid的各個功能特性和優(yōu)化，最好是編譯安裝一次。因為你編譯安裝需要了解每一個編譯參數(shù)。編譯是很花時間的，但是也是讓你快速熟悉squid的唯一途徑。

如果從事的工作未來會牽扯到squid的CDN部分。編譯安裝必須掌握，偷懶的結(jié)果，出問題后就只能跑到論壇上發(fā)問了。

mengcun123

回復(fù) 15# woxizishen


使用賬號登陸才可以使用。只需做如下設(shè)定即可:
auth_param basic program /etc/squid/libexec/ncsa_auth /etc/squid/etc/passwd     這個報錯
auth_param basic children 10
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
auth_param basic realm 172.16.4.123 proxy cache
##認(rèn)證部份有解釋##

acl all2 src 0.0.0.0/0.0.0.0   允許所有網(wǎng)絡(luò)訪問此臺代理服務(wù)器。
http_access allow all2


acl usergroup1 proxy_auth "/etc/squid/etc/ip1user"  
http_access allow usergroup1                                           設(shè)定允許用戶賬號登陸后訪問外網(wǎng)、需要自行建立該用戶文件夾
Touch /etc/squid/etc/ip1user
dawson                      一行一個賬號
temp
…
上面的也貼進(jìn)去嗎


上述完成后，開始建立密碼:
htpasswd -b /etc/squid/etc/passwd dawson  123456
htpasswd -b /etc/squid/etc/passwd temp  123456

##這樣重新載入配置文件后即可以用賬號通過squid驗證正確后即可以訪問了。##

   

woxizishen

回復(fù) 17# mengcun123

auth_param basic program /etc/squid/libexec/ncsa_auth /etc/squid/etc/passwd     這個報錯

/etc/squid/libexec/ncsa_auth   
/etc/squid/etc/passwd     

這2個根據(jù)你的實際路徑來填寫，我的ncsa_auth在這個路徑下，看看你自己的。     


acl usergroup1 proxy_auth "/etc/squid/etc/ip1user"  
http_access allow usergroup1                                           設(shè)定允許用戶賬號登陸后訪問外網(wǎng)、需要自行建立該用戶文件夾
Touch /etc/squid/etc/ip1user
dawson                      一行一個賬號
temp
…

上面的也貼進(jìn)去嗎

acl usergroup1 proxy_auth "/etc/squid/etc/ip1user"
http_access allow usergroup1  
這2行貼到squid.conf里，你沒賬號怎么驗證？？？？



Touch /etc/squid/etc/ip1user
dawson                      一行一個賬號
temp
這個是存放賬號的文件，自己手動輸賬號，一行只能輸一個賬號。

mengcun123

回復(fù) 18# woxizishen


密碼可以生產(chǎn)，但是最主要的是沒有認(rèn)證界面。




   
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/squid_user.txt
auth_param basic children 10
auth_param basic realm WELCOME

#
# Recommended minimum configuration:
#
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed

#acl localnet src 10.0.0.0/8    # RFC1918 possible internal network     DHCP抓到的IP的10.0.0.0/8的，需要做到這個網(wǎng)段的ip需要認(rèn)證  
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16        # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machine

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT




#
# Recommended minimum Access Permission configuration:
#
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager

# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost



#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed

acl squid_user proxy_auth REQUIRED

http_access allow localnet
http_access allow localhost

# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128
http_port 3128

# We recommend you to use at least the following line.
hierarchy_stoplist cgi-bin ?

# Uncomment and adjust the following to add a disk cache directory.
#

cache_dir ufs /var/spool/squid 1024 16 256
cache_mem 1024 MB
cache_swap_low 90
cache_swap_high 95
minimum_object_size 0 KB
maximum_object_size 4096 KB

# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid

# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320

mengcun123

回復(fù) 18# woxizishen


跳不出認(rèn)證界面，密碼什么的都可以生產(chǎn)，squid服務(wù)重啟過，給看下



auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/squid_user.txt
auth_param basic children 10
auth_param basic realm WELCOME

#
# Recommended minimum configuration:
#
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed

#acl localnet src 10.0.0.0/8    # RFC1918 possible internal network    10.0.0.0/8網(wǎng)段ip都需要認(rèn)證   
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16        # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machine

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT




#
# Recommended minimum Access Permission configuration:
#
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager

# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost



#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed

acl squid_user proxy_auth REQUIRED

http_access allow localnet
http_access allow localhost

# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128
http_port 3128

# We recommend you to use at least the following line.
hierarchy_stoplist cgi-bin ?

# Uncomment and adjust the following to add a disk cache directory.
#

cache_dir ufs /var/spool/squid 1024 16 256
cache_mem 1024 MB
cache_swap_low 90
cache_swap_high 95
minimum_object_size 0 KB
maximum_object_size 4096 KB

# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid

# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320