Implantation

Ce tutoriel développe la mise en place d'un serveur proxy HTTP/FTP avec un accès au cache des utilisateurs par authentification OpenLDAP.


Installation des packages

squid-2.5.STABLE4-1mdk.i586.rpm

squid_2.5.7-1_i386.deb
squid-common_2.5.7-1_all.deb



Important :
Le binaire squid (squid_ldap_auth ou ldap_auth selon la distribution) permettant l'authentification vers un annuaire LDAP fait ses requêtes avec le
protocole LDAP v2 !
Il faut que vous ajoutiez l'option
allow bind_v2 dans votre fichier :

/etc/openldap/slapd.conf

/etc/ldap/slapd.conf


Sinon vous aurez ce type de message :
pc:/home/user# tail -f /var/log/syslog

Feb 10 14:19:45 debian slapd[6183]: conn=1 fd=11 ACCEPT from IP=192.168.0.1:38100 (IP=192.168.0.
Feb 10 14:19:45 debian slapd[6183]: conn=1 op=0 BIND dn="uid=arnofear,ou=people,dc=alex,dc=fr" method=128
Feb 10 14:19:45 debian slapd[6183]: conn=1 op=0 RESULT tag=97 err=2 text=requested protocol version not allowed
Feb 10 14:19:45 debian slapd[6183]: conn=1 op=1 UNBIND
Feb 10 14:19:45 debian slapd[6183]: conn=1 fd=11 closed


Configuration de Squid

Editez le fichier
/etc/squid/squid.conf

# WELCOME TO SQUID 2
# NETWORK OPTIONS
# ------------------------------

# TAG: http_port
# Usage: port
# hostname:port
# 1.2.3.4:port
#
# The socket addresses where Squid will listen for HTTP client
# requests. You may specify multiple socket addresses.
# There are three forms: port alone, hostname with port, and
# IP address with port. If you specify a hostname or IP
# address, then Squid binds the socket to that specific
# address. This replaces the old 'tcp_incoming_address'
# option. Most likely, you do not need to bind to a specific
# address, so you can use the port number alone.
#
# The default port number is 3128.
#
# If you are running Squid in accelerator mode, then you
# probably want to listen on port 80 also, or instead.
#
# The -a command line option will override the *first* port
# number listed here. That option will NOT override an IP
# address, however.
#
# You may specify multiple socket addresses on multiple lines.
#
# If you run Squid on a dual-homed machine with an internal
# and an external interface then we recommend you to specify the
# internal address:port in http_port. This way Squid will only be
# visible on the internal address.
#
#Default:
# http_port 3128
http_port 3128

# TAG: icp_port
# The port number where Squid sends and receives ICP queries to
# and from neighbor caches. Default is 3130. To disable use
# "0". May be overridden with -u on the command line.
#
#Default:
# icp_port 3130
# Nous n'avons pas d'autres serveurs proxy.
icp_port 0

# OPTIONS WHICH AFFECT THE NEIGHBOR SELECTION ALGORITHM
# ------------------------------

# TAG: hierarchy_stoplist
# A list of words which, if found in a URL, cause the object to
# be handled directly by this cache. In other words, use this
# to not query neighbor caches for certain objects. You may
# list this option multiple times.
#We recommend you to use at least the following line.
hierarchy_stoplist cgi-bin ?

# TAG: no_cache
# A list of ACL elements which, if matched, cause the request to
# not be satisfied from the cache and the reply to not be cached.
# In other words, use this to force certain objects to never be cached.
#
# You must use the word 'DENY' to indicate the ACL names which should
# NOT be cached.
#
#We recommend you to use the following two lines.
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY

# OPTIONS WHICH AFFECT THE CACHE SIZE
# ------------------------------

# TAG: cache_mem (bytes)
# NOTE: THIS PARAMETER DOES NOT SPECIFY THE MAXIMUM PROCESS SIZE.
# IT ONLY PLACES A LIMIT ON HOW MUCH ADDITIONAL MEMORY SQUID WILL
# USE AS A MEMORY CACHE OF OBJECTS. SQUID USES MEMORY FOR OTHER
# THINGS AS WELL. SEE THE SQUID FAQ SECTION 8 FOR DETAILS.
#
# 'cache_mem' specifies the ideal amount of memory to be used
# for:
# * In-Transit objects
# * Hot Objects
# * Negative-Cached objects
#
# Data for these objects are stored in 4 KB blocks. This
# parameter specifies the ideal upper limit on the total size of
# 4 KB blocks allocated. In-Transit objects take the highest
# priority.
#
# In-transit objects have priority over the others. When
# additional space is needed for incoming data, negative-cached
# and hot objects will be released. In other words, the
# negative-cached and hot objects will fill up any unused space
# not needed for in-transit objects.
#
# If circumstances require, this limit will be exceeded.
# Specifically, if your incoming request rate requires more than
# 'cache_mem' of memory to hold in-transit objects, Squid will
# exceed this limit to satisfy the new requests. When the load
# decreases, blocks will be freed until the high-water mark is
# reached. Thereafter, blocks will be used to store hot
# objects.
#
#Default:
# cache_mem 8 MB
cache_mem 16 MB

# LOGFILE PATHNAMES AND CACHE DIRECTORIES
# ------------------------------

# TAG: cache_dir
# Usage:
#
# cache_dir Type Directory-Name Fs-specific-data [options]
#
# You can specify multiple cache_dir lines to spread the
# cache among different disk partitions.
#
# Type specifies the kind of storage system to use. Only "ufs"
# is built by default. To eanble any of the other storage systems
# see the --enable-storeio configure option.
#
# 'Directory' is a top-level directory where cache swap
# files will be stored. If you want to use an entire disk
# for caching, then this can be the mount-point directory.
# The directory must exist and be writable by the Squid
# process. Squid will NOT create this directory for you.
#
# The ufs store type:
#
# "ufs" is the old well-known Squid storage format that has always
# been there.
#
# cache_dir ufs Directory-Name Mbytes L1 L2 [options]
#
# 'Mbytes' is the amount of disk space (MB) to use under this
# directory. The default is 100 MB. Change this to suit your
# configuration. Do NOT put the size of your disk drive here.
# Instead, if you want Squid to use the entire disk drive,
# subtract 20% and use that value.
#
# 'Level-1' is the number of first-level subdirectories which
# will be created under the 'Directory'. The default is 16.
#
# 'Level-2' is the number of second-level subdirectories which
# will be created under each first-level directory. The default
# is 256.
#
# The aufs store type:
#
# "aufs" uses the same storage format as "ufs", utilizing
# POSIX-threads to avoid blocking the main Squid process on
# disk-I/O. This was formerly known in Squid as async-io.
#
# cache_dir aufs Directory-Name Mbytes L1 L2 [options]
#
# see argument descriptions under ufs above
#
# The diskd store type:
#
# "diskd" uses the same storage format as "ufs", utilizing a
# separate process to avoid blocking the main Squid process on
# disk-I/O.
#
# cache_dir diskd Directory-Name Mbytes L1 L2 [options] [Q1=n] [Q2=n]
#
# see argument descriptions under ufs above
#
# Q1 specifies the number of unacknowledged I/O requests when Squid
# stops opening new files. If this many messages are in the queues,
# Squid won't open new files. Default is 64
#
# Q2 specifies the number of unacknowledged messages when Squid
# starts blocking. If this many messages are in the queues,
# Squid blocks until it receives some replies. Default is 72
#
# When Q1 < Q2 (the default), the cache directory is optimized
# for lower response time at the expense of a decrease in hit
# ratio. If Q1 > Q2, the cache directory is optimized for
# higher hit ratio at the expense of an increase in response
# time.
#
# The coss store type:
#
# block-size=n defines the "block size" for COSS cache_dir's.
# Squid uses file numbers as block numbers. Since file numbers
# are limited to 24 bits, the block size determines the maximum
# size of the COSS partition. The default is 512 bytes, which
# leads to a maximum cache_dir size of 512<<24, or 8 GB. Note
# that you should not change the coss block size after Squid
# has written some objects to the cache_dir.
#
# Common options:
#
# read-only, this cache_dir is read only.
#
# max-size=n, refers to the max object size this storedir supports.
# It is used to initially choose the storedir to dump the object.
# Note: To make optimal use of the max-size limits you should order
# the cache_dir lines with the smallest max-size value first and the
# ones with no max-size specification last.
#
# Note that for coss, max-size must be less than COSS_MEMBUF_SZ
# (hard coded at 1 MB).
#
#Default:
# cache_dir ufs /var/spool/squid 100 16 256
cache_dir diskd /var/spool/squid 200 16 256

# TAG: cache_access_log
# Logs the client request activity. Contains an entry for
# every HTTP and ICP queries received. To disable, enter "none".
#
#Default:
# cache_access_log /var/log/squid/access.log
cache_access_log none

# TAG: cache_log
# Cache logging file. This is where general information about
# your cache's behavior goes. You can increase the amount of data
# logged to this file with the "debug_options" tag below.
#
#Default:
# cache_log /var/log/squid/cache.log
cache_log none

# TAG: cache_store_log
# Logs the activities of the storage manager. Shows which
# objects are ejected from the cache, and which objects are
# saved and for how long. To disable, enter "none". There are
# not really utilities to analyze this data, so you can safely
# disable it.
#
#Default:
# cache_store_log /var/log/squid/store.log
cache_store_log none

# TAG: debug_options
# Logging options are set as section,level where each source file
# is assigned a unique section. Lower levels result in less
# output, Full debugging (level 9) can result in a very large
# log file, so be careful. The magic word "ALL" sets debugging
# levels for all sections. We recommend normally running with
# "ALL,1".
#
#Default:
# debug_options ALL,1
debug_options ALL,1

# TAG: ftp_passive
# If your firewall does not allow Squid to use passive
# connections, then turn off this option.
#
#Default:
# ftp_passive on

# OPTIONS FOR TUNING THE CACHE
# ------------------------------

# TAG: refresh_pattern
# usage: refresh_pattern [-i] regex min percent max [options]
#
# By default, regular expressions are CASE-SENSITIVE. To make
# them case-insensitive, use the -i option.
#
# 'Min' is the time (in minutes) an object without an explicit
# expiry time should be considered fresh. The recommended
# value is 0, any higher values may cause dynamic applications
# to be erroneously cached unless the application designer
# has taken the appropriate actions.
#
# 'Percent' is a percentage of the objects age (time since last
# modification age) an object without explicit expiry time
# will be considered fresh.
#
# 'Max' is an upper limit on how long objects without an explicit
# expiry time will be considered fresh.
#
# options: override-expire
# override-lastmod
# reload-into-ims
# ignore-reload
#
# override-expire enforces min age even if the server
# sent a Expires: header. Doing this VIOLATES the HTTP
# standard. Enabling this feature could make you liable
# for problems which it causes.
#
# override-lastmod enforces min age even on objects
# that was modified recently.
#
# reload-into-ims changes client no-cache or ``reload''
# to If-Modified-Since requests. Doing this VIOLATES the
# HTTP standard. Enabling this feature could make you
# liable for problems which it causes.
#
# ignore-reload ignores a client no-cache or ``reload''
# header. Doing this VIOLATES the HTTP standard. Enabling
# this feature could make you liable for problems which
# it causes.
#
# Basically a cached object is:
#
# FRESH if expires < now, else STALE
# STALE if age > max
# FRESH if lm-factor < percent, else STALE
# FRESH if age < min
# else STALE
#
# The refresh_pattern lines are checked in the order listed here.
# The first entry which matches is used. If none of the entries
# match, then the default will be used.
#
# Note, you must uncomment all the default lines if you want
# to change one. The default setting is only active if none is
# used.
#
#Suggested default:
refresh_pattern ^ftp:    1440 20%  10080
refresh_pattern ^gopher: 1440 0%  1440
refresh_pattern .        0    20%  4320

# OPTIONS FOR EXTERNAL SUPPORT PROGRAMS
# ------------------------------
# TAG: redirect_program
# Specify the location of the executable for the URL redirector.
# Since they can perform almost any function there isn't one included.
# See the FAQ (section 15) for information on how to write one.
# By default, a redirector is not used.
#
#Default:
# none
#redirect_program /usr/bin/squidGuard -c /etc/squid/squidGuard.conf

# TIMEOUTS
# ------------------------------

# TAG: half_closed_clients
# Some clients may shutdown the sending side of their TCP
# connections, while leaving their receiving sides open. Sometimes,
# Squid can not tell the difference between a half-closed and a
# fully-closed TCP connection. By default, half-closed client
# connections are kept open until a read(2) or write(2) on the
# socket returns an error. Change this option to 'off' and Squid
# will immediately close client connections when read(2) returns
# "no more data to read."
#
#Default:
# half_closed_clients on
half_closed_clients off

# TAG: auth_param
# This is used to define parameters for the various authentication
# schemes supported by Squid.
#
# format: auth_param scheme parameter [setting]
#
# The order that authentication schemes are presented to the client is
# dependant on the order the scheme first appears in config file. IE
# has a bug (it's not rfc 2617 compliant) in that it will use the basic
# scheme if basic is the first entry presented, even if more secure
# schemes are presented. For now use the order in the recommended
# settings section below. If other browsers have difficulties (don't
# recognise the schemes offered even if you are using basic) then either
# put basic first, or disable the other schemes (by commenting out their
# program entry).
#
# Once an authentication scheme is fully configured, it can only be
# shutdown by shutting squid down and restarting. Changes can be made on
# the fly and activated with a reconfigure. I.E. You can change to a
# different helper, but not unconfigure the helper completely.
#
# Please note that while this directive defines how Squid processes
# authentication it does not automatically activate authentication.
# To use authenticaiton you must in addition make use of acls based
# on login name in http_access (proxy_auth, proxy_auth_regex or
# external with %LOGIN used in the format tag). The browser will be
# challenged for authentication on the first such acl encountered
# in http_access processing and will also be rechallenged for new
# login credentials if the request is being denied by a proxy_auth
# type acl.
#
# === Parameters for the basic scheme follow. ===
#
# "program" cmdline
# Specify the command for the external authenticator. Such a program
# reads a line containing "username password" and replies "OK" or
# "ERR" in an endless loop.
#
# By default, the basic authentication sheme is not used unless a
# program is specified.
#
# If you want to use the traditional proxy authentication, jump over to
# the helpers/basic_auth/NCSA directory and type:
# % make
# % make install
#
# Then, set this line to something like
#
# auth_param basic program /usr/lib/squid/ncsa_auth /usr/etc/passwd
#
# "children" numberofchildren
# The number of authenticator processes to spawn.
# If you start too few Squid will have to wait for them to process a
# backlog of usercode/password verifications, slowing it down. When
# password verifications are done via a (slow) network you are likely to
# need lots of authenticator processes.
# auth_param basic children 5
#
# "realm" realmstring
# Specifies the realm name which is to be reported to the client for
# the basic proxy authentication scheme (part of the text the user
# will see when prompted their username and password).
# auth_param basic realm Squid proxy-caching web server
#
# "credentialsttl" timetolive
# Specifies how long squid assumes an externally validated
# username:password pair is valid for - in other words how often the
# helper program is called for that user. Set this low to force
# revalidation with short lived passwords. Note that setting this high
# does not impact your susceptability to replay attacks unless you are
# using an one-time password system (such as SecureID). If you are using
# such a system, you will be vulnerable to replay attacks unless you
# also use the max_user_ip ACL in an http_access rule.
# auth_param basic credentialsttl 2 hours
#
# === Parameters for the digest scheme follow ===
#
# "program" cmdline
# Specify the command for the external authenticator. Such a program
# reads a line containing "username":"realm" and replies with the
# appropriate H(A1) value base64 encoded or ERR if the user (or his H(A1)
# hash) does not exists. See rfc 2616 for the definition of H(A1).
#
# By default, the digest authentication scheme is not used unless a
# program is specified.
#
# If you want to use a digest authenticator, jump over to the
# helpers/digest_auth/ directory and choose the authenticator to use.
# It it's directory type
# % make
# % make install
#
# Then, set this line to something like
#
# auth_param digest program /usr/lib/squid/digest_auth_pw /usr/etc/digpass
#
#
# "children" numberofchildren
# The number of authenticator processes to spawn (no default). If you
# start too few Squid will have to wait for them to process a backlog of
# H(A1) calculations, slowing it down. When the H(A1) calculations are
# done via a (slow) network you are likely to need lots of authenticator
# processes.
# auth_param digest children 5
#
# "realm" realmstring
# Specifies the realm name which is to be reported to the client for the
# digest proxy authentication scheme (part of the text the user will see
# when prompted their username and password).
# auth_param digest realm Squid proxy-caching web server
#
# "nonce_garbage_interval" timeinterval
# Specifies the interval that nonces that have been issued to clients are
# checked for validity.
# auth_param digest nonce_garbage_interval 5 minutes
#
# "nonce_max_duration" timeinterval
# Specifies the maximum length of time a given nonce will be valid for.
# auth_param digest nonce_max_duration 30 minutes
#
# "nonce_max_count" number
# Specifies the maximum number of times a given nonce can be used.
# auth_param digest nonce_max_count 50
#
# "nonce_strictness" on|off
# Determines if squid requires strict increment-by-1 behaviour for nonce
# counts, or just incrementing (off - for use when useragents generate
# nonce counts that occasionally miss 1 (ie, 1,2,4,6)).
# auth_param digest nonce_strictness off
#
# "check_nonce_count" on|off
# This directive if set to off can disable the nonce count check
# completely to work around buggy digest qop implementations in certain
# mainstream browser versions. Default on to check the nonce count to
# protect from authentication replay attacks.
# auth_param digest check_nonce_count on
#
# "post_workaround" on|off
# This is a workaround to certain buggy browsers who sends an incorrect
# request digest in POST requests when reusing the same nonce as aquired
# earlier in response to a GET request.
# auth_param digest post_workaround off
#
# === NTLM scheme options follow ===
#
# "program" cmdline
# Specify the command for the external ntlm authenticator. Such a
# program participates in the NTLMSSP exchanges between Squid and the
# client and reads commands according to the Squid ntlmssp helper
# protocol. See helpers/ntlm_auth/ for details. Recommended ntlm
# authenticator is ntlm_auth from Samba-3.X, but a number of other
# ntlm authenticators is available.
#
# By default, the ntlm authentication scheme is not used unless a
# program is specified.
#
# Note: If you're using Samba >= 3.0.2, please install the winbind
# package and use the ntlm_auth helper from that package.
#
# auth_param ntlm program /usr/bin/ntlm_auth –helper-protocol=squid-2.5-ntlmssp
#
# "children" numberofchildren
# The number of authenticator processes to spawn (no default). If you
# start too few Squid will have to wait for them to process a backlog
# of credential verifications, slowing it down. When crendential
# verifications are done via a (slow) network you are likely to need
# lots of authenticator processes.
# auth_param ntlm children 5
#
# "max_challenge_reuses" number
# The maximum number of times a challenge given by a ntlm authentication
# helper can be reused. Increasing this number increases your exposure
# to replay attacks on your network. 0 (the default) means use the
# challenge is used only once. See also the max_ntlm_challenge_lifetime
# directive if enabling challenge reuses.
# auth_param ntlm max_challenge_reuses 0
#
# "max_challenge_lifetime" timespan
# The maximum time period that a ntlm challenge is reused over. The
# actual period will be the minimum of this time AND the number of
# reused challenges.
# auth_param ntlm max_challenge_lifetime 2 minutes
#
# "use_ntlm_negotiate" on|off
# Enables support for NTLM NEGOTIATE packet exchanges with the helper.
# The configured ntlm authenticator must be able to handle NTLM
# NEGOTIATE packet. See the authenticator programs documentation if
# unsure. ntlm_auth from Samba-3.0.2 or later supports the use of this
# option.
# The NEGOTIATE packet is required to support NTLMv2 and a
# number of other negotiable NTLMSSP options, and also makes it
# more likely the negotiation is successful. Enabling this parameter
# will also solve problems encountered when NT domain policies
# restrict users to access only certain workstations. When this is off,
# all users must be allowed to log on the proxy servers too, or they'll
# get "invalid workstation" errors - and access denied - when trying to
# use Squid's services.
# Use of ntlm NEGOTIATE is incompatible with challenge reuse, so
# enabling this parameter will OVERRIDE the max_challenge_reuses and
# max_challenge_lifetime parameters and set them to 0.
# auth_param ntlm use_ntlm_negotiate off
#
#Recommended minimum configuration:
#auth_param digest program <uncomment and complete this line>
#auth_param digest children 5
#auth_param digest realm Squid proxy-caching web server
#auth_param digest nonce_garbage_interval 5 minutes
#auth_param digest nonce_max_duration 30 minutes
#auth_param digest nonce_max_count 50
#auth_param ntlm program <uncomment and complete this line to activate>
#auth_param ntlm children 5
#auth_param ntlm max_challenge_reuses 0
#auth_param ntlm max_challenge_lifetime 2 minutes
#auth_param ntlm use_ntlm_negotiate off
#auth_param basic program <uncomment and complete this line>
#auth_param basic children 5
#auth_param basic realm Squid proxy-caching web server
#auth_param basic credentialsttl 2 hours
#
# pam_auth
#auth_param basic program /usr/lib/squid/pam_auth
#auth_param basic children 5
#auth_param basic realm Squid proxy-caching web server
#auth_param basic credentialsttl 2 hours
#
# smb_auth
# make sure you add the user using smbpasswd -a -U username
# then create a file called /var/lib/samba/netlogon/proxyauth
# and simply enter an allow line
#auth_param basic program /usr/lib/squid/smb_auth -W MANDRAKESOFT
#auth_param basic children 5
#auth_param basic realm Squid proxy-caching web server
#auth_param basic credentialsttl 2 hours
#
#
# ldap_auth
#
# Recherche dans la branche ou=people,dc=alex,dc=fr si
# l'utilisateur possède l'attribut "description" (choisissez celui
# que vous désirez) avec la valeur "internet".
# A vous de décider quelle valeur et nom pour cet attribut.
# Requête sur serveurs OpenLDAP ldaps://srv2.alex.fr ldaps://srv6.alex.fr
# Reportez vous à la configuration des clients OpenLDAP "SSL/TLS".
# Si vous préférez utilisez ldap : ldap://srv2.alex.fr ...
#
# Mandrake :
#auth_param basic program /usr/lib/squid/
squid_ldap_auth -b ou=people,dc=alex,dc=fr -f (&(uid=%s)(description=internet)) ldaps://srv2.alex.fr ldaps://srv6.alex.fr
# Debian :
auth_param basic program /usr/lib/squid/
ldap_auth -b ou=people,dc=alex,dc=fr -f (&(uid=%s)(description=internet)) ldaps://srv2.alex.fr ldaps://srv6.alex.fr

auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours


# TAG: authenticate_ttl
# The time a user & their credentials stay in the logged in user cache
# since their last request. When the garbage interval passes, all user
# credentials that have passed their TTL are removed from memory.
#
#Default:
# authenticate_ttl 1 hour
authenticate_ttl 1 hour

# TAG: authenticate_ip_ttl
# If you use proxy authentication and the 'max_user_ip' ACL, this
# directive controls how long Squid remembers the IP addresses
# associated with each user. Use a small value (e.g., 60 seconds) if
# your users might change addresses quickly, as is the case with
# dialups. You might be safe using a larger value (e.g., 2 hours) in a
# corporate LAN environment with relatively static address assignments.
#
#Default:
# authenticate_ip_ttl 0 seconds
authenticate_ip_ttl 60 seconds

# ACCESS CONTROLS
# ------------------------------

# TAG: acl
# Defining an Access List
#
# acl aclname acltype string1 ...
# acl aclname acltype "file" ...
#
# when using "file", the file should contain one item per line
#
# acltype is one of the types described below
#
# By default, regular expressions are CASE-SENSITIVE. To make
# them case-insensitive, use the -i option.
#
# acl aclname src ip-address/netmask ... (clients IP address)
# acl aclname src addr1-addr2/netmask ... (range of addresses)
# acl aclname dst ip-address/netmask ... (URL host's IP address)
# acl aclname myip ip-address/netmask ... (local socket IP address)
#
# acl aclname srcdomain .foo.com ... # reverse lookup, client IP
# acl aclname dstdomain .foo.com ... # Destination server from URL
# acl aclname srcdom_regex [-i] xxx ... # regex matching client name
# acl aclname dstdom_regex [-i] xxx ... # regex matching server
# # For dstdomain and dstdom_regex a reverse lookup is tried if a IP
# # based URL is used. The name "none" is used if the reverse lookup
# # fails.
#
# acl aclname time [day-abbrevs] [h1:m1-h2:m2]
# day-abbrevs:
# S – Sunday
# M – Monday
# T – Tuesday
# W – Wednesday
# H – Thursday
# F – Friday
# A – Saturday
# h1:m1 must be less than h2:m2
# acl aclname url_regex [-i] ^http:// ... # regex matching on whole URL
# acl aclname urlpath_regex [-i] \.gif$ ... # regex matching on URL path
# acl aclname urllogin [-i] [^a-zA-Z0-9] ... # regex matching on URL login field
# acl aclname port 80 70 21 ...
# acl aclname port 0-1024 ... # ranges allowed
# acl aclname myport 3128 ... # (local socket TCP port)
# acl aclname proto HTTP FTP ...
# acl aclname method GET POST ...
# acl aclname browser [-i] regexp ...
# # pattern match on User-Agent header
# acl aclname referer_regex [-i] regexp ...
# # pattern match on Referer header
# # Referer is highly unreliable, so use with care
# acl aclname ident username ...
# acl aclname ident_regex [-i] pattern ...
# # string match on ident output.
# # use REQUIRED to accept any non-null ident.
# acl aclname src_as number ...
# acl aclname dst_as number ...
# # Except for access control, AS numbers can be used for
# # routing of requests to specific caches. Here's an
# # example for routing all requests for AS#1241 and only
# # those to mycache.mydomain.net:
# # acl asexample dst_as 1241
# # cache_peer_access mycache.mydomain.net allow asexample
# # cache_peer_access mycache_mydomain.net deny all
#
# acl aclname proxy_auth username ...
# acl aclname proxy_auth_regex [-i] pattern ...
# # list of valid usernames
# # use REQUIRED to accept any valid username.
# #
# # NOTE: when a Proxy-Authentication header is sent but it is not
# # needed during ACL checking the username is NOT logged
# # in access.log.
# #
# # NOTE: proxy_auth requires a EXTERNAL authentication program
# # to check username/password combinations (see
# # auth_param directive).
# #
# # WARNING: proxy_auth can't be used in a transparent proxy. It
# # collides with any authentication done by origin servers. It may
# # seem like it works at first, but it doesn't.
#
# acl aclname snmp_community string ...
# # A community string to limit access to your SNMP Agent
# # Example:
# #
# # acl snmppublic snmp_community public
#
# acl aclname maxconn number
# # This will be matched when the client's IP address has
# # more than <number> HTTP connections established.
#
# acl aclname max_user_ip [-s] number
# # This will be matched when the user attempts to log in from more
# # than <number> different ip addresses. The authenticate_ip_ttl
# # parameter controls the timeout on the ip entries.
# # If -s is specified then the limit is strict, denying browsing
# # from any further IP addresses until the ttl has expired. Without
# # -s Squid will just annoy the user by "randomly" denying requests.
# # (the counter is then reset each time the limit is reached and a
# # request is denied)
# # NOTE: in acceleration mode or where there is mesh of child proxies,
# # clients may appear to come from multiple addresses if they are
# # going through proxy farms, so a limit of 1 may cause user problems.
#
# acl aclname req_mime_type mime-type1 ...
# # regex match agains the mime type of the request generated
# # by the client. Can be used to detect file upload or some
# # types HTTP tunelling requests.
# # NOTE: This does NOT match the reply. You cannot use this
# # to match the returned file type.
#
# acl aclname rep_mime_type mime-type1 ...
# # regex match against the mime type of the reply recieved by
# # squid. Can be used to detect file download or some
# # types HTTP tunelling requests.
# # NOTE: This has no effect in http_access rules. It only has
# # effect in rules that affect the reply data stream such as
# # http_reply_access.
#
# acl acl_name external class_name [arguments...]
# # external ACL lookup via a helper class defined by the
# # external_acl_type directive.
#
#Examples:
#acl myexample dst_as 1241
#acl password proxy_auth REQUIRED
#acl fileupload req_mime_type -i ^multipart/form-data$
#acl javascript rep_mime_type -i ^application/x-javascript$
#

acl password proxy_auth REQUIRED
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563 # https, snews
acl SSL_ports port 873 # rsync
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT
acl CONNECT method CONNECT

# TAG: http_access
# Allowing or Denying access based on defined access lists
#
# Access to the HTTP port:
# http_access allow|deny [!]aclname ...
#
# NOTE on default values:
#
# If there are no "access" lines present, the default is to deny
# the request.
#
# If none of the "access" lines cause a match, the default is the
# opposite of the last line in the list. If the last line was
# deny, then the default is allow. Conversely, if the last line
# is allow, the default will be deny. For these reasons, it is a
# good idea to have an "deny all" or "allow all" entry at the end
# of your access lists to avoid potential confusion.
#
#Default:
# http_access deny all
#
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access allow password
http_access deny all

# TAG: icp_access
# Allowing or Denying access to the ICP port based on defined
# access lists
#
# icp_access allow|deny [!]aclname ...
#
# See http_access for details
#
#Default:
# icp_access deny all
#
#Allow ICP queries from everyone
icp_access allow all

# TAG: miss_access
# Use to force your neighbors to use you as a sibling instead of
# a parent. For example:
#
# acl localclients src 172.16.0.0/16
# miss_access allow localclients
# miss_access deny !localclients
#
# This means that only your local clients are allowed to fetch
# MISSES and all other clients can only fetch HITS.
#
# By default, allow all clients who passed the http_access rules
# to fetch MISSES from us.
#
#Default setting:
# miss_access allow all
miss_access allow all

# Autorise le protocole HTTP
acl protocole_web proto HTTP
http_access allow protocole_web

# Refuse le protocole FTP
acl protocole_ftp proto FTP
http_access deny protocole_ftp

# acl aclname time [day-abbrevs] [h1:m1-h2:m2]
# day-abbrevs:
# S – Sunday
# M – Monday
# T – Tuesday
# W – Wednesday
# H – Thursday
# F – Friday
# A – Saturday
# h1:m1 must be less than h2:m2

# Autorise l'accès au cache de 8h à 18h
acl horaire time M-F 08:00-18:00
http_access allow horaire

# Refuse l'accès au cache de 0h à 7h59
acl hors_horaire1 time MTWHF 00:00-07:59
http_access deny hors_horaire1

# Refuse l'accès au cache de 18h01 à 23h59
acl hors_horaire2 time MTWHF 18:01-23:59
http_access deny hors_horaire2

#
Refuse l'accès au cache du samedi au dimanche.
acl week_end time A-S
http_access deny week_end

# Refuse l'accès aux domaines écrit dans ce fichier.
# le -i indique pas "sensible à la case"
# mettre un domaine par ligne sous cette forme :
# .microsoft.com
# .sco.com
acl bad_domain dstdomain -i "/etc/squid/baddomain.txt"
http_access deny bad_domain

# Refuse l'accès aux URL écrites dans ce fichier.
acl sex_site url_regex -i "/etc/squid/sexsite.txt"
http_access deny sex_site

acl warez_site url_regex -i "/etc/squid/warezsite.txt"
http_access deny warez_site

# Refuse l'accès aux extensions suivantes :
acl url_mp3 url_regex -i \.mp3$
http_access deny url_mp3
acl url_avi url_regex -i \.avi$
http_access deny url_avi
acl url_mpeg url_regex -i \.mpeg$
http_access deny url_mpeg
acl url_mpg url_regex -i \.mpg$
http_access deny url_mpg
acl url_mov url_regex -i \.mov$
http_access deny url_mov
acl url_exe url_regex -i \.exe$
http_access deny url_exe


# ADMINISTRATIVE PARAMETERS
# ------------------------------

# TAG: cache_mgr
# Email-address of local cache manager who will receive
# mail if the cache dies. The default is "webmaster."
#
#Default:
# cache_mgr webmaster
cache_mgr proxy@alex.fr

# TAG: visible_hostname
# If you want to present a special hostname in error messages, etc,
# then define this. Otherwise, the return value of gethostname()
# will be used. If you have multiple caches in a cluster and
# get errors about IP-forwarding you must set them to have individual
# names with this setting.
#
#Default:
# none
visible_hostname proxy.alex.fr

# HTTPD-ACCELERATOR OPTIONS
# ------------------------------

# TAG: httpd_accel_host
# TAG: httpd_accel_port
# If you want to run Squid as an httpd accelerator, define the
# host name and port number where the real HTTP server is.
#
# If you want IP based virtual host support then specify the
# hostname as "virtual". This will make Squid use the IP address
# where it accepted the request as hostname in the URL.
#
# If you want virtual port support then specify the port as "0".
#
# NOTE: enabling httpd_accel_host disables proxy-caching and
# ICP. If you want these features enabled also, then set
# the 'httpd_accel_with_proxy' option.
#
#Default:
# httpd_accel_port 80
httpd_accel_host virtual


# TAG: httpd_accel_with_proxy on|off
# If you want to use Squid as both a local httpd accelerator
# and as a proxy, change this to 'on'. Note however that your
# proxy users may have trouble to reach the accelerated domains
# unless their browsers are configured not to use this proxy for
# those domains (for example via the no_proxy browser configuration
# setting)
#
#Default:
# httpd_accel_with_proxy off
httpd_accel_with_proxy on

# TAG: httpd_accel_uses_host_header on|off
# HTTP/1.1 requests include a Host: header which is basically the
# hostname from the URL. The Host: header is used for domain based
# virutal hosts. If your accelerator needs to provide domain based
# virtual hosts on the same IP address then you will need to turn this
# on.
#
# Note that Squid does NOT check the value of the Host header matches
# any of your accelerated server, so it may open a big security hole
# unless you take care to set up access controls proper. We recommend
# that this option remain disabled unless you are sure of what you
# are doing.
#
# However, you will need to enable this option if you run Squid
# as a transparent proxy. Otherwise, virtual servers which
# require the Host: header will not be properly cached.
#
#Default:
# httpd_accel_uses_host_header off
httpd_accel_uses_host_header on

# MISCELLANEOUS
# ------------------------------

# TAG: append_domain
# Appends local domain name to hostnames without any dots in
# them. append_domain must begin with a period.
#
# Be warned that there today is Internet names with no dots in
# them using only top-domain names, so setting this may
# cause some Internet sites to become unavailable.
#
#Example:
# append_domain .yourdomain.com
#
#Default:
# none
append_domain .alex.fr

# TAG: err_html_text
# HTML text to include in error messages. Make this a "mailto"
# URL to your admin address, or maybe just a link to your
# organizations Web page.
#
# To include this in your error messages, you must rewrite
# the error template files (found in the "errors" directory).
# Wherever you want the 'err_html_text' line to appear,
# insert a %L tag in the error template file.
#
#Default:
# none
err_html_text proxy@alex.fr

# TAG: memory_pools on|off
# If set, Squid will keep pools of allocated (but unused) memory
# available for future use. If memory is a premium on your
# system and you believe your malloc library outperforms Squid
# routines, disable this.
#
#Default:
# memory_pools on
memory_pools off

# TAG: deny_info
# Usage: deny_info err_page_name acl
# or deny_info http://... acl
# Example: deny_info ERR_CUSTOM_ACCESS_DENIED bad_guys
#
# This can be used to return a ERR_ page for requests which
# do not pass the 'http_access' rules. A single ACL will cause
# the http_access check to fail. If a 'deny_info' line exists
# for that ACL then Squid returns a corresponding error page.
#
# You may use ERR_ pages that come with Squid or create your own pages
# and put them into the configured errors/ directory.
#
# Alternatively you can specify an error URL. The browsers will then
# get redirected (302) to the specified URL. %s in the redirection
# URL will be replaced by the requested URL.
#
# Alternatively you can tell Squid to reset the TCP connection
# by specifying TCP_RESET.
#
#Default:
# none
#deny_info ERR_CUSTOM_ACCESS_DENIED all

# TAG: error_directory
# If you wish to create your own versions of the default
# (English) error files, either to customize them to suit your
# language or company copy the template English files to another
# directory and point this tag at them.
#
#Default:
# error_directory /usr/share/squid/errors/English
# Mandrake :
#error_directory /usr/lib/squid/errors/French
# Debian :
error_directory /usr/share/squid/errors/French

# DELAY POOL PARAMETERS (all require DELAY_POOLS compilation option)
# ------------------------------

# TAG: coredump_dir
# By default Squid leaves core files in the directory from where
# it was started. If you set 'coredump_dir' to a directory
# that exists, Squid will chdir() to that directory at startup
# and coredump files will be left there.
#
#Default:
# coredump_dir none
#
# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid


Configuration de /etc/resolv.conf


Pour une meilleure résolution des noms de domaine vers internet, installez
un serveur DNS cache sur la machine ou vous avez installé Squid. Ce serveur DNS cache n'aura pas de relations directe avec les deux autres serveurs DNS dédiés à la résolution des noms des machines de votre réseau local et ne sera pas informé, ni mit à jour par eux.

# N'indiquez pas les adresses de vos serveurs DNS si vous avez
# installé un serveur DNS cache sur le proxy.
nameserver 127.0.0.1


Il suffit de configurer les navigateurs de vos utilisateurs pour qu'ils utilisent le serveur Proxy 192.168.1.4 sur le port 3128.

Si vous souhaitez filtrer
le contenu des pages affichées et d'autres options encore, reportez vous à la configuration de
DansGuardian.




Dernière modification : 13/06/05

 

Copyright © 04/02/2004, Arnofear

Contrat Creative Commons Ce document est publié sous licence Creative Commons
Paternité - Pas d'Utilisation Commerciale - Partage des Conditions Initiales à l'Identique :
http://creativecommons.org/licenses/by-nc-sa/3.0/deed.fr