Vous n'êtes pas identifié(e).
L'icône rouge permet de télécharger chaque page du wiki visitée au format PDF et la grise au format ODT →
Ci-dessous, les différences entre deux révisions de la page.
Les deux révisions précédentes Révision précédente Prochaine révision | Révision précédente Prochaine révision Les deux révisions suivantes | ||
utilisateurs:hypathie:tutos:proxy-transparent [16/10/2014 09:28] Hypathie [Introduction] |
utilisateurs:hypathie:tutos:proxy-transparent [16/10/2014 14:02] Hypathie [Introduction] |
||
---|---|---|---|
Ligne 8: | Ligne 8: | ||
===== Introduction ===== | ===== Introduction ===== | ||
Voir : [[http://www.squid-cache.org/|le site de squid]] | Voir : [[http://www.squid-cache.org/|le site de squid]] | ||
+ | |||
+ | Lorsqu'un serveur mandataire est installé, on configure souvent le routage du réseau pour que l'utilisateur final soit orienté vers le serveur mandataire sans avoir à modifier sa configuration. On parle alors de « proxy transparent ». Cette configuration est obtenue par translation d'adresse IP. | ||
+ | |||
===Prérequis=== | ===Prérequis=== | ||
Ligne 23: | Ligne 26: | ||
===Faire une sauvegarde du fichier de configuration === | ===Faire une sauvegarde du fichier de configuration === | ||
Le fichier est commenté quasiment entièrement. | Le fichier est commenté quasiment entièrement. | ||
- | <code root>mv /etc/squid/squid.conf /etc/squid/squid.conf-saved</code> | + | <code root>cp /etc/squid/squid.conf /etc/squid/squid.conf-saved</code> |
- | Puis pour y voir plus clair on édite /etc/squid/squid.conf et on y copie les quelques lignes dé-commentées du fichier original. | + | Puis pour y voir plus clair, on toutes les lignes dé-commentées du fichier original, et on re-crée ce fichier afin qu'il ne contienne que ces lignes. |
- | <code root>vim /etc/squid/squid.conf</code> | + | <code root>echo "`grep -v "^#" /etc/squid/squid.conf | sed -e '/^$/d'`" >/etc/squid/squid.conf</code> |
- | <code>#Recommended minimum configuration: | + | Ce qui donne : |
+ | <code user>less /etc/squid/squid.conf</code> | ||
+ | <code> | ||
acl all src all | acl all src all | ||
- | acl manager proto cache_object | + | acl manager proto cache_object #par défaut |
- | acl localhost src 127.0.0.1/32 | + | acl localhost src 127.0.0.1/32 # par défaut |
- | acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 | + | acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 # par défaut |
- | # | + | |
- | # Example rule allowing access from your local networks. | + | |
- | # Adapt to list your (internal) IP networks from where browsing | + | |
- | # should be allowed | + | |
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network | acl localnet src 10.0.0.0/8 # RFC1918 possible internal network | ||
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network | acl localnet src 172.16.0.0/12 # RFC1918 possible internal network | ||
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network | acl localnet src 192.168.0.0/16 # RFC1918 possible internal network | ||
- | # | ||
acl SSL_ports port 443 # https | acl SSL_ports port 443 # https | ||
acl SSL_ports port 563 # snews | acl SSL_ports port 563 # snews | ||
Ligne 51: | Ligne 51: | ||
acl Safe_ports port 210 # wais | acl Safe_ports port 210 # wais | ||
acl Safe_ports port 1025-65535 # unregistered ports | acl Safe_ports port 1025-65535 # unregistered ports | ||
- | acl Safe_ports port 280 # http-mgmt | ||
acl Safe_ports port 280 # http-mgmt | acl Safe_ports port 280 # http-mgmt | ||
acl Safe_ports port 488 # gss-http | acl Safe_ports port 488 # gss-http | ||
Ligne 61: | Ligne 60: | ||
acl purge method PURGE | acl purge method PURGE | ||
acl CONNECT method CONNECT | acl CONNECT method CONNECT | ||
- | + | http_access deny all | |
- | + | ||
- | #Default: | + | |
- | # http_access deny all | + | |
- | # | + | |
- | #Recommended minimum configuration: | + | |
- | # | + | |
- | # Only allow cachemgr access from localhost | + | |
http_access allow manager localhost | http_access allow manager localhost | ||
http_access deny manager | http_access deny manager | ||
- | # Only allow purge requests from localhost | ||
http_access allow purge localhost | http_access allow purge localhost | ||
http_access deny purge | http_access deny purge | ||
- | # Deny requests to unknown ports | ||
http_access deny !Safe_ports | http_access deny !Safe_ports | ||
- | # Deny CONNECT to other than SSL ports | ||
http_access deny CONNECT !SSL_ports | http_access deny CONNECT !SSL_ports | ||
- | # | + | http_access allow localnet |
- | # We strongly recommend the following be uncommented to protect innocent | + | |
- | # web applications running on the proxy server who think the only | + | |
- | # one who can access services on "localhost" is a local user | + | |
- | #http_access deny to_localhost | + | |
- | # | + | |
- | # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS | + | |
- | + | ||
- | # Example rule allowing access from your local networks. | + | |
- | # Adapt localnet in the ACL section to list your (internal) IP networks | + | |
- | # from where browsing should be allowed | + | |
- | #http_access allow localnet | + | |
http_access allow localhost | http_access allow localhost | ||
- | |||
- | # And finally deny all other access to this proxy | ||
http_access deny all | http_access deny all | ||
+ | icp_access allow localnet | ||
+ | icp_access deny all | ||
+ | http_port 3128 | ||
+ | hierarchy_stoplist cgi-bin ? | ||
+ | cache_mem 8 MB | ||
+ | access_log /var/log/squid/access.log squid | ||
+ | refresh_pattern ^ftp: 1440 20% 10080 | ||
+ | refresh_pattern ^gopher: 1440 0% 1440 | ||
+ | refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 | ||
+ | refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880 | ||
+ | refresh_pattern . 0 20% 4320 | ||
+ | acl shoutcast rep_header X-HTTP09-First-Line ^ICY.[0-9] | ||
+ | upgrade_http0.9 deny shoutcast | ||
+ | acl apache rep_header Server ^Apache | ||
+ | broken_vary_encoding allow apache | ||
+ | extension_methods REPORT MERGE MKACTIVITY CHECKOUT | ||
+ | visible_hostname debian-serveur | ||
+ | hosts_file /etc/hosts | ||
+ | coredump_dir /var/spool/squid | ||
+ | </code> | ||
- | # TAG: http_access2 | + | * On ajoute ou modifie les lignes suivantes : |
- | # Allowing or Denying access based on defined access lists | + | eth0 (vers internet) : 192.168.0.1\\ |
- | # | + | eth1 (vers lan) : 192.168.1.1 |
- | # Identical to http_access, but runs after redirectors. If not set | + | <code> |
- | # then only http_access is used. | + | acl localnet src 192.168.1.0/24 |
- | # | + | httpd_accel_host virtual |
- | #Default: | + | httpd_accel_port 80 |
- | # none | + | httpd_accel_with_proxy on |
+ | httpd_accel_uses_host_header on | ||
+ | acl lan src 192.168.0.1 192.168.1.0/24 | ||
+ | http_access allow localhost | ||
+ | http_access allow lan | ||
+ | </code> | ||
+ | > ''acl localnet src 192.168.1.0/24'' : le réseau qui doit avoir accès au serveur proxy | ||
+ | >''httpd_accel_host virtual'': Squid comme un accélérateur de http((Dans ce mode, Squid est capable de se substituer à un serveur http, il fonctionne alors en "reverse proxying". Il ne sert donc plus à partager "le monde" pour un réseau, mais à partager une machine (ou plusieurs) "au monde". Ainsi, les clients n'accéderons plus au serveur http, mais à Squid. Dans une configuration classique, Squid devra donc écouter sur le port 80 et avoir connaissance du serveur http qu'il remplace. )) | ||
+ | >''httpd_accel_port 80'': choix du port 80 comme port contrôlé par le proxy | ||
+ | >''httpd_accel_with_proxy on'': poser squid comme proxy local et comme accélérateur http | ||
+ | >''httpd_accel_uses_host_header on'': activer le nom d'hôte | ||
+ | >''acl lan src 192.168.1.1 192.168.2.0/24'': Liste de contrôle : le lan seulement utilise squid | ||
+ | >''http_access allow localhost'': accès à squid permis au localhost | ||
+ | >''http_access allow lan'': idem | ||
- | #Default: | ||
- | # http_reply_access allow all | ||
- | #Default: | + | * Ce qui donne : |
- | # icp_access deny all | + | <code> |
- | # | + | acl all src all |
- | #Allow ICP queries from local networks only | + | acl manager proto cache_object #par défaut |
+ | acl localhost src 127.0.0.1/32 # par défaut | ||
+ | acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 # par défaut | ||
+ | acl localnet src 192.168.1.0/24 # RFC1918 possible internal network | ||
+ | acl localnet src 172.16.0.0/12 # RFC1918 possible internal network | ||
+ | acl localnet src 192.168.0.0/16 # RFC1918 possible internal network | ||
+ | acl SSL_ports port 443 # https | ||
+ | acl SSL_ports port 563 # snews | ||
+ | acl SSL_ports port 873 # rsync | ||
+ | acl Safe_ports port 80 # http | ||
+ | acl Safe_ports port 21 # ftp | ||
+ | acl Safe_ports port 443 # https | ||
+ | acl Safe_ports port 70 # gopher | ||
+ | acl Safe_ports port 210 # wais | ||
+ | acl Safe_ports port 1025-65535 # unregistered ports | ||
+ | acl Safe_ports port 280 # http-mgmt | ||
+ | acl Safe_ports port 488 # gss-http | ||
+ | acl Safe_ports port 591 # filemaker | ||
+ | acl Safe_ports port 777 # multiling http | ||
+ | acl Safe_ports port 631 # cups | ||
+ | acl Safe_ports port 873 # rsync | ||
+ | acl Safe_ports port 901 # SWAT | ||
+ | acl purge method PURGE | ||
+ | acl CONNECT method CONNECT | ||
+ | http_access deny all | ||
+ | http_access allow manager localhost | ||
+ | http_access deny manager | ||
+ | http_access allow purge localhost | ||
+ | http_access deny purge | ||
+ | http_access deny !Safe_ports | ||
+ | http_access deny CONNECT !SSL_ports | ||
+ | http_access allow localnet | ||
+ | httpd_accel_host virtual | ||
+ | httpd_accel_port 80 | ||
+ | httpd_accel_with_proxy on | ||
+ | httpd_accel_uses_host_header on | ||
+ | acl lan src 192.168.0.1 192.168.1.0/24 | ||
+ | http_access allow localhost | ||
+ | http_access allow lan | ||
+ | http_access deny all | ||
icp_access allow localnet | icp_access allow localnet | ||
icp_access deny all | icp_access deny all | ||
+ | http_port 3128 | ||
+ | hierarchy_stoplist cgi-bin ? | ||
+ | cache_mem 8 MB | ||
+ | access_log /var/log/squid/access.log squid | ||
+ | refresh_pattern ^ftp: 1440 20% 10080 | ||
+ | refresh_pattern ^gopher: 1440 0% 1440 | ||
+ | refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 | ||
+ | refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880 | ||
+ | refresh_pattern . 0 20% 4320 | ||
+ | acl shoutcast rep_header X-HTTP09-First-Line ^ICY.[0-9] | ||
+ | upgrade_http0.9 deny shoutcast | ||
+ | acl apache rep_header Server ^Apache | ||
+ | broken_vary_encoding allow apache | ||
+ | extension_methods REPORT MERGE MKACTIVITY CHECKOUT | ||
+ | visible_hostname debian-serveur | ||
+ | hosts_file /etc/hosts | ||
+ | coredump_dir /var/spool/squid | ||
+ | </code> | ||
- | #Default: | + | ===Redémarrer squid=== |
- | # htcp_access deny all | + | <code root>/etc/init.d/squid restart</code> |
- | # | + | ===== configuration d'iptables (NAT) ===== |
- | #Allow HTCP queries from local networks only | + | Nous n'avons pour l'instant que l'IP masquerade mis en place : |
- | # htcp_access allow localnet | + | |
- | # htcp_access deny all | + | |
- | # NETWORK OPTIONS | + | * On ajoute à iptables: |
+ | ''iptables -t nat -A PREROUTING -i interface_LAN -p tcp --dport 80 -j DNAT --to SQUID_SERVEUR:SQUID_PORT'' | ||
+ | <code root> | ||
+ | iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to 192.168.1.1:3128 | ||
+ | </code> | ||
- | #Default: | + | ''iptables -t nat -A PREROUTING -i interface_WEB -p tcp --dport 80 -j REDIRECT --to-port SQUID_PORT'' |
- | # none | + | <code root> |
+ | iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128 | ||
+ | </code> | ||
+ | * Ce qui donne : | ||
+ | <code root>iptables -L -t nat</code> | ||
- | #Default: | + | <code>Chain PREROUTING (policy ACCEPT) |
- | # cache_log /var/log/squid/cache.log | + | target prot opt source destination |
- | </code> | + | DNAT tcp -- anywhere anywhere tcp dpt:http to:192.168.1.1:3128 |
+ | REDIRECT tcp -- anywhere anywhere tcp dpt:http redir ports 3128 | ||
+ | |||
+ | Chain INPUT (policy ACCEPT) | ||
+ | target prot opt source destination | ||
- | ===== Installation ===== | + | Chain OUTPUT (policy ACCEPT) |
+ | target prot opt source destination | ||
+ | Chain POSTROUTING (policy ACCEPT) | ||
+ | target prot opt source destination | ||
+ | MASQUERADE all -- anywhere anywhere</code> | ||
===== Utilisation ===== | ===== Utilisation ===== | ||