Vous n'êtes pas identifié(e).
L'icône rouge permet de télécharger chaque page du wiki visitée au format PDF et la grise au format ODT →
Ci-dessous, les différences entre deux révisions de la page.
Prochaine révision | Révision précédente Prochaine révision Les deux révisions suivantes | ||
utilisateurs:hypathie:tutos:proxy-transparent [16/10/2014 06:40] Hypathie créée |
utilisateurs:hypathie:tutos:proxy-transparent [16/10/2014 10:16] Hypathie [Configuration de squid comme proxy transparent] |
||
---|---|---|---|
Ligne 7: | Ligne 7: | ||
===== Introduction ===== | ===== Introduction ===== | ||
+ | Voir : [[http://www.squid-cache.org/|le site de squid]] | ||
===Prérequis=== | ===Prérequis=== | ||
Un serveur DNS est installé sur la passerelle.\\ | Un serveur DNS est installé sur la passerelle.\\ | ||
- | + | ||
+ | La passerelle est mise en place avec masquerade :\\ | ||
+ | |||
+ | (eth0 est la carte ethernet vers le web)\\ | ||
+ | ''iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE'' | ||
+ | |||
+ | Le serveur squid est installé : | ||
+ | <code root>apt-get install --no-install-recommends squid3</code> | ||
+ | |||
+ | =====Configuration de squid comme proxy transparent===== | ||
+ | ===Faire une sauvegarde du fichier de configuration === | ||
+ | Le fichier est commenté quasiment entièrement. | ||
+ | <code root>cp /etc/squid/squid.conf /etc/squid/squid.conf-saved</code> | ||
+ | |||
+ | Puis pour y voir plus clair, on toutes les lignes dé-commentées du fichier original, et on re-crée ce fichier afin qu'il ne contienne que ces lignes. | ||
+ | |||
+ | <code root>echo "`grep -v "^#" /etc/squid/squid.conf | sed -e '/^$/d'`" >/etc/squid/squid.conf</code> | ||
+ | |||
+ | Ce qui donne : | ||
+ | <code user>less /etc/squid/squid.conf</code> | ||
+ | <code> | ||
+ | acl all src all | ||
+ | acl manager proto cache_object #par défaut | ||
+ | acl localhost src 127.0.0.1/32 # par défaut | ||
+ | acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 # par défaut | ||
+ | acl localnet src 10.0.0.0/8 # RFC1918 possible internal network | ||
+ | acl localnet src 172.16.0.0/12 # RFC1918 possible internal network | ||
+ | acl localnet src 192.168.0.0/16 # RFC1918 possible internal network | ||
+ | acl SSL_ports port 443 # https | ||
+ | acl SSL_ports port 563 # snews | ||
+ | acl SSL_ports port 873 # rsync | ||
+ | acl Safe_ports port 80 # http | ||
+ | acl Safe_ports port 21 # ftp | ||
+ | acl Safe_ports port 443 # https | ||
+ | acl Safe_ports port 70 # gopher | ||
+ | acl Safe_ports port 210 # wais | ||
+ | acl Safe_ports port 1025-65535 # unregistered ports | ||
+ | acl Safe_ports port 280 # http-mgmt | ||
+ | acl Safe_ports port 488 # gss-http | ||
+ | acl Safe_ports port 591 # filemaker | ||
+ | acl Safe_ports port 777 # multiling http | ||
+ | acl Safe_ports port 631 # cups | ||
+ | acl Safe_ports port 873 # rsync | ||
+ | acl Safe_ports port 901 # SWAT | ||
+ | acl purge method PURGE | ||
+ | acl CONNECT method CONNECT | ||
+ | http_access deny all | ||
+ | http_access allow manager localhost | ||
+ | http_access deny manager | ||
+ | http_access allow purge localhost | ||
+ | http_access deny purge | ||
+ | http_access deny !Safe_ports | ||
+ | http_access deny CONNECT !SSL_ports | ||
+ | http_access allow localnet | ||
+ | http_access allow localhost | ||
+ | http_access deny all | ||
+ | icp_access allow localnet | ||
+ | icp_access deny all | ||
+ | http_port 3128 | ||
+ | hierarchy_stoplist cgi-bin ? | ||
+ | cache_mem 8 MB | ||
+ | access_log /var/log/squid/access.log squid | ||
+ | refresh_pattern ^ftp: 1440 20% 10080 | ||
+ | refresh_pattern ^gopher: 1440 0% 1440 | ||
+ | refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 | ||
+ | refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880 | ||
+ | refresh_pattern . 0 20% 4320 | ||
+ | acl shoutcast rep_header X-HTTP09-First-Line ^ICY.[0-9] | ||
+ | upgrade_http0.9 deny shoutcast | ||
+ | acl apache rep_header Server ^Apache | ||
+ | broken_vary_encoding allow apache | ||
+ | extension_methods REPORT MERGE MKACTIVITY CHECKOUT | ||
+ | visible_hostname debian-serveur | ||
+ | hosts_file /etc/hosts | ||
+ | coredump_dir /var/spool/squid | ||
+ | </code> | ||
+ | |||
+ | * On ajoute ou modifie les lignes suivantes : | ||
+ | eth0 (vers internet) : 192.168.0.1\\ | ||
+ | eth1 (vers lan) : 192.168.1.1 | ||
+ | <code> | ||
+ | httpd_accel_host virtual | ||
+ | httpd_accel_port 80 | ||
+ | httpd_accel_with_proxy on | ||
+ | httpd_accel_uses_host_header on | ||
+ | acl lan src 192.168.0.1 192.168.1.0/24 | ||
+ | http_access allow localhost | ||
+ | http_access allow lan | ||
+ | </code> | ||
+ | |||
+ | * Ce qui donne : | ||
+ | <code> | ||
+ | acl all src all | ||
+ | acl manager proto cache_object #par défaut | ||
+ | acl localhost src 127.0.0.1/32 # par défaut | ||
+ | acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 # par défaut | ||
+ | acl localnet src 10.0.0.0/8 # RFC1918 possible internal network | ||
+ | acl localnet src 172.16.0.0/12 # RFC1918 possible internal network | ||
+ | acl localnet src 192.168.0.0/16 # RFC1918 possible internal network | ||
+ | acl SSL_ports port 443 # https | ||
+ | acl SSL_ports port 563 # snews | ||
+ | acl SSL_ports port 873 # rsync | ||
+ | acl Safe_ports port 80 # http | ||
+ | acl Safe_ports port 21 # ftp | ||
+ | acl Safe_ports port 443 # https | ||
+ | acl Safe_ports port 70 # gopher | ||
+ | acl Safe_ports port 210 # wais | ||
+ | acl Safe_ports port 1025-65535 # unregistered ports | ||
+ | acl Safe_ports port 280 # http-mgmt | ||
+ | acl Safe_ports port 488 # gss-http | ||
+ | acl Safe_ports port 591 # filemaker | ||
+ | acl Safe_ports port 777 # multiling http | ||
+ | acl Safe_ports port 631 # cups | ||
+ | acl Safe_ports port 873 # rsync | ||
+ | acl Safe_ports port 901 # SWAT | ||
+ | acl purge method PURGE | ||
+ | acl CONNECT method CONNECT | ||
+ | http_access deny all | ||
+ | http_access allow manager localhost | ||
+ | http_access deny manager | ||
+ | http_access allow purge localhost | ||
+ | http_access deny purge | ||
+ | http_access deny !Safe_ports | ||
+ | http_access deny CONNECT !SSL_ports | ||
+ | http_access allow localnet | ||
+ | httpd_accel_host virtual | ||
+ | httpd_accel_port 80 | ||
+ | httpd_accel_with_proxy on | ||
+ | httpd_accel_uses_host_header on | ||
+ | acl lan src 192.168.0.1 192.168.1.0/24 | ||
+ | http_access allow localhost | ||
+ | http_access allow lan | ||
+ | http_access deny all | ||
+ | icp_access allow localnet | ||
+ | icp_access deny all | ||
+ | http_port 3128 | ||
+ | hierarchy_stoplist cgi-bin ? | ||
+ | cache_mem 8 MB | ||
+ | access_log /var/log/squid/access.log squid | ||
+ | refresh_pattern ^ftp: 1440 20% 10080 | ||
+ | refresh_pattern ^gopher: 1440 0% 1440 | ||
+ | refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 | ||
+ | refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880 | ||
+ | refresh_pattern . 0 20% 4320 | ||
+ | acl shoutcast rep_header X-HTTP09-First-Line ^ICY.[0-9] | ||
+ | upgrade_http0.9 deny shoutcast | ||
+ | acl apache rep_header Server ^Apache | ||
+ | broken_vary_encoding allow apache | ||
+ | extension_methods REPORT MERGE MKACTIVITY CHECKOUT | ||
+ | visible_hostname debian-serveur | ||
+ | hosts_file /etc/hosts | ||
+ | coredump_dir /var/spool/squid | ||
+ | </code> | ||
===== Installation ===== | ===== Installation ===== | ||