Chinaunix

Title: Problem getting account login to work with a Squid proxy

Author: mengcun123    Time: 2015-01-10 16:23
Title: Problem getting account login to work with a Squid proxy
CentOS 6.3; squid and http installed with yum.
Can't get a login prompt to appear. Where is the problem?
#
# Recommended minimum configuration:
#
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed

auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/squid_user.txt
auth_param basic children 5
auth_param basic realm WELCOME
auth_param basic credentialsttl 2 hours
acl normal proxy_auth REQUIRED
http_access allow normal


acl localnet src 10.0.0.0/8    # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16        # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines



acl squid_user proxy_auth REQUIRED

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT




#
# Recommended minimum Access Permission configuration:
#
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager

# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost



#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed

http_access allow localnet
http_access allow localhost

# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128
http_port 3128

# We recommend you to use at least the following line.
hierarchy_stoplist cgi-bin ?

# Uncomment and adjust the following to add a disk cache directory.
#

cache_dir ufs /var/spool/squid 1024 16 256
cache_mem 1024 MB
cache_swap_low 90
cache_swap_high 95
minimum_object_size 0 KB
maximum_object_size 4096 KB

# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid

# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320
Author: 睿智2012    Time: 2015-01-10 18:50
http://bbs.chinaunix.net/forum.php?mod=viewthread&tid=4153855&mobile=yes
Compare carefully and see where the problem is.
Author: mengcun123    Time: 2015-01-12 12:43
Reply to 2# 睿智2012
Doesn't the yum install work? It seems the compiled one is better, huh?!

Author: jixuuse    Time: 2015-01-12 13:50
The yum-installed one can do account login, including binding to AD accounts; I've used it myself.
Author: woxizishen    Time: 2015-01-12 14:35
1. Using account authentication, the settings as given are fine; the main thing is whether the path on the first line is correct.
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/squid_user.txt
auth_param basic children 5
auth_param basic realm WELCOME
auth_param basic credentialsttl 2 hours


2. Other things to check
2.1 If the path above is fine, check whether your yum-installed squid supports NCSA.
squid -v
--enable-basic-auth-helpers=LDAP,MSNT,NCSA    If you see this line, it is supported.

2.2  /etc/squid/squid_user.txt
/etc/squid/squid_user.txt holds the passwords. The passwords can't be created by hand; they have to be created with the htpasswd command.
Author: mengcun123    Time: 2015-01-13 12:21
Reply to 4# jixuuse

Doesn't seem to work.
Never mind the rest; I tried MAC addresses and didn't succeed! Which version of the system are you using?

Author: mengcun123    Time: 2015-01-13 16:14
Reply to 5# woxizishen

See the screenshot: the yum-installed version does support authentication and MAC-address authentication, but I don't know why it doesn't work for me.

[Attachment: QQ截图20150113161228.jpg, screenshot of the yum install]

Author: jixuuse    Time: 2015-01-14 10:43
Install squid openldap openldap-clients

/etc/openldap/ldap.conf
BASE    dc=test,dc=com
URI     ldap://ad.test.com

/etc/squid/squid.conf
//>----- authenticate with accounts --------<
auth_param basic program /usr/lib/squid/squid_ldap_auth -R -b "DC=test,DC=com" -D "CN=squid,CN=Users,DC=test,DC=com" -w "123456" -f sAMAccountName=%s -h ad.test.com

auth_param basic children 50                                 
auth_param basic realm Web-Proxy                              
auth_param basic credentialsttl 10 minute                     
                                                              
acl ldap-auth proxy_auth REQUIRED                             
http_access deny !ldap-auth  
Author: mengcun123    Time: 2015-01-14 10:55
Reply to 8# jixuuse
I didn't follow that. Do you have QQ? I'll add you and you can explain it to me in detail.

Author: mengcun123    Time: 2015-01-14 10:58
Reply to 5# woxizishen

I don't need anything complicated: just IP-address and MAC-address authentication, plus account authentication. AD authentication is optional!

Author: jixuuse    Time: 2015-01-14 11:04
Search Baidu yourself; there is plenty of this online.

For IP authentication, just add the IP subnets you want to let through. I haven't done MAC authentication, because ours are large networks routed across layer 3, so the client MAC isn't visible.
Author: mengcun123    Time: 2015-01-14 11:09
Reply to 8# jixuuse

Just to confirm: did you install with yum? Which Linux version? And what else needs to be installed for account authentication?

Author: jixuuse    Time: 2015-01-14 11:13
I'm lazy: if it can be installed with yum I never build from source. Everything I pasted I did by hand myself, and I always write a txt document recording the install process.
Author: woxizishen    Time: 2015-01-14 14:07
This post was last edited by woxizishen on 2015-01-14 14:32

Reply to 11# jixuuse

MAC addresses can be authenticated across subnets just the same, heh. Bind ARP entries and you can do cross-subnet MAC-address authentication.

Because Squid is lazy and manages this with the system's ARP cache entries, you can use that weakness to implement cross-subnet MAC-address authentication.

Author: woxizishen    Time: 2015-01-14 14:21
Reply to 10# mengcun123
Follow my complete steps below. My Squid version is 2.7; every line is explained:

Only accounts that log in can use it. Just make the following settings:
auth_param basic program /etc/squid/libexec/ncsa_auth /etc/squid/etc/passwd
auth_param basic children 10
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
auth_param basic realm 172.16.4.123 proxy cache
## authentication part, explained ##

acl all2 src 0.0.0.0/0.0.0.0   Allow all networks to access this proxy server.
http_access allow all2


acl usergroup1 proxy_auth "/etc/squid/etc/ip1user"
http_access allow usergroup1                                           Allow users to reach the Internet after logging in with an account; you need to create this user file yourself
touch /etc/squid/etc/ip1user
dawson                      one account per line
temp
……

Once the above is done, create the passwords:
htpasswd -b /etc/squid/etc/passwd dawson  123456
htpasswd -b /etc/squid/etc/passwd temp  123456

## After reloading the config, an account that passes Squid's authentication can browse. ##

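What the `auth_param basic program` line in posts 5 and 15 actually wires up is a small stdin/stdout protocol: Squid starts the helper, writes one "username password" line per login attempt (both fields URL-encoded, so a password containing a space still fits on one line) and reads back "OK" or "ERR". The following is an added illustration, not Squid's ncsa_auth and not code from this thread: a stand-in helper that implements that contract against an htpasswd-style file. Only the `{SHA}` entry format written by `htpasswd -s` is handled here; the real ncsa_auth also accepts crypt and MD5 entries. The password file contents are constructed inline from the accounts used in the thread (dawson, temp) so the script runs offline.

```python
"""Stand-in for Squid's ncsa_auth basic-auth helper (illustration only).

Contract behind 'auth_param basic program': Squid writes one
"username password" line per login attempt to the helper's stdin and
expects "OK" or "ERR" back on stdout, one answer per line.
"""
import base64
import hashlib
import hmac
import sys
import urllib.parse


def sha_entry(user, password):
    """The line 'htpasswd -s' writes for this user: user:{SHA}base64(sha1(pw))."""
    digest = hashlib.sha1(password.encode()).digest()
    return f"{user}:{{SHA}}{base64.b64encode(digest).decode()}"


# Constructed password file. dawson/123456 is the thread's example; 'temp'
# gets a password with a space to exercise the URL-encoding in the protocol.
PASSWD = "\n".join([sha_entry("dawson", "123456"),
                    sha_entry("temp", "pass word")]) + "\n"


def load_passwd(text):
    """Parse htpasswd lines into {user: hash}; blank and '#' lines are skipped."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, hashed = line.split(":", 1)
        users[user] = hashed
    return users


def verify(users, user, password):
    """Constant-time comparison of the SHA-1 digest against the stored one."""
    hashed = users.get(user)
    if hashed is None or not hashed.startswith("{SHA}"):
        return False  # unknown user, or an entry format this stand-in does not handle
    stored = base64.b64decode(hashed[len("{SHA}"):])
    return hmac.compare_digest(hashlib.sha1(password.encode()).digest(), stored)


def handle_line(users, line):
    """One helper round trip: 'user password' in, 'OK' or 'ERR' out.
    Anything malformed is ERR; the helper never answers OK by default."""
    parts = line.rstrip("\r\n").split(" ", 1)
    if len(parts) != 2:
        return "ERR"
    user, password = (urllib.parse.unquote(p) for p in parts)
    return "OK" if verify(users, user, password) else "ERR"


def main(path):
    users = load_passwd(open(path, encoding="utf-8").read())
    for line in sys.stdin:
        sys.stdout.write(handle_line(users, line) + "\n")
        sys.stdout.flush()  # Squid blocks on each answer; buffered output would hang logins


if __name__ == "__main__":
    main(sys.argv[1])
```

The same hand test works against the real helper: `echo "dawson 123456" | /usr/lib64/squid/ncsa_auth /etc/squid/squid_user.txt` should print OK (on 64-bit CentOS 6 the yum package puts the helpers under /usr/lib64/squid, not /usr/lib/squid; `rpm -ql squid | grep ncsa_auth` shows the real path, and a wrong path shows up as basicauthenticator errors in /var/log/squid/cache.log). Two caveats on the htpasswd step: `-b` puts the password on the command line, where it lands in shell history and is visible to anyone running ps at that moment, so run htpasswd without -b and type the password at the prompt; and the helper runs as the unprivileged user Squid switches to, so the password file must be readable by that user and should be readable by nobody else.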
Author: woxizishen    Time: 2015-01-14 14:29
Reply to 13# jixuuse

If you don't need special features and just want a simple enterprise forward/transparent proxy, yum and rpm are both perfectly good; the important thing is saving everyone's time.

Of course, if you want a thorough understanding of Squid's features and tuning, it's best to build from source once, because building forces you to understand every configure option. Building takes a lot of time, but it is also the only way to get familiar with Squid quickly.

If your future work will involve Squid's CDN side, building from source is something you must master. The result of being lazy is that when a problem appears, all you can do is run to a forum and ask.

Author: mengcun123    Time: 2015-01-14 15:47
Reply to 15# woxizishen


Only accounts that log in can use it. Just make the following settings:
auth_param basic program /etc/squid/libexec/ncsa_auth /etc/squid/etc/passwd     this one gives an error
auth_param basic children 10
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
auth_param basic realm 172.16.4.123 proxy cache
## authentication part, explained ##

acl all2 src 0.0.0.0/0.0.0.0   Allow all networks to access this proxy server.
http_access allow all2


acl usergroup1 proxy_auth "/etc/squid/etc/ip1user"
http_access allow usergroup1                                           Allow users to reach the Internet after logging in with an account; you need to create this user file yourself
touch /etc/squid/etc/ip1user
dawson                      one account per line
temp


Do I paste the above in as well?


Once the above is done, create the passwords:
htpasswd -b /etc/squid/etc/passwd dawson  123456
htpasswd -b /etc/squid/etc/passwd temp  123456

## After reloading the config, an account that passes Squid's authentication can browse. ##

Author: woxizishen    Time: 2015-01-14 18:12
Reply to 17# mengcun123

auth_param basic program /etc/squid/libexec/ncsa_auth /etc/squid/etc/passwd     this one gives an error

/etc/squid/libexec/ncsa_auth
/etc/squid/etc/passwd

Fill these two in according to your actual paths. My ncsa_auth is at this path; check where yours is.


acl usergroup1 proxy_auth "/etc/squid/etc/ip1user"
http_access allow usergroup1                                           Allow users to reach the Internet after logging in with an account; you need to create this user file yourself
touch /etc/squid/etc/ip1user
dawson                      one account per line
temp


Do I paste the above in as well?

acl usergroup1 proxy_auth "/etc/squid/etc/ip1user"
http_access allow usergroup1
Paste these 2 lines into squid.conf. Without accounts, what would it authenticate?



touch /etc/squid/etc/ip1user
dawson                      one account per line
temp
This is the file holding the accounts; type the accounts in by hand, only one account per line.


Author: mengcun123    Time: 2015-01-15 10:33
Reply to 18# woxizishen


Passwords can be generated, but the main thing is that there is no authentication dialog.




auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/squid_user.txt
auth_param basic children 10
auth_param basic realm WELCOME

#
# Recommended minimum configuration:
#
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed

#acl localnet src 10.0.0.0/8    # RFC1918 possible internal network     the DHCP-assigned IPs are in 10.0.0.0/8; IPs in this range need to require authentication
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16        # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machine

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT




#
# Recommended minimum Access Permission configuration:
#
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager

# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost



#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed

acl squid_user proxy_auth REQUIRED

http_access allow localnet
http_access allow localhost

# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128
http_port 3128

# We recommend you to use at least the following line.
hierarchy_stoplist cgi-bin ?

# Uncomment and adjust the following to add a disk cache directory.
#

cache_dir ufs /var/spool/squid 1024 16 256
cache_mem 1024 MB
cache_swap_low 90
cache_swap_high 95
minimum_object_size 0 KB
maximum_object_size 4096 KB

# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid

# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320
Author: mengcun123    Time: 2015-01-15 10:35
Reply to 18# woxizishen


The authentication dialog doesn't pop up. Passwords and so on can all be generated, and the squid service has been restarted. Please take a look.


Author: mengcun123    Time: 2015-01-15 14:18
Reply to 18# woxizishen


Plain account authentication is now working. Does anyone know how to do domain authentication?

Author: woxizishen    Time: 2015-01-15 15:16
Reply to 21# mengcun123

Brother, are you testing Squid? One thing after another, heh. Which method do you want to use for the domain authentication you mention? Samba or OpenLDAP both work.

But I haven't actually used either of these.
Here is a Samba method:
http://www.chinaunix.net/old_jh/102/928743.html


Author: mengcun123    Time: 2015-01-19 09:06
Reply to 8# jixuuse

Do you have documentation for the AD authentication method? I'd like to learn it.


Author: mengcun123    Time: 2015-01-27 16:32
Reply to 22# woxizishen


I set up a transparent proxy myself, and the authentication dialog doesn't pop up.




auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/squid_user.txt
auth_param basic children 5
#auth_param basic credentialsttl 2 hours
#auth_param basic casesensitive off
auth_param basic realm WELCOME

#
# Recommended minimum configuration:
#
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed

#acl localnet src 10.0.0.0/8    # RFC1918 possible internal network
#acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
#acl localnet src 192.168.0.0/16        # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machine

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT


#
# Recommended minimum Access Permission configuration:
#
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager

# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost



#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed

acl squid_user proxy_auth REQUIRED

http_access allow localnet
http_access allow localhost

http_access allow squid_user

# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128
http_port 3128 transparent

# We recommend you to use at least the following line.
hierarchy_stoplist cgi-bin ?

# Uncomment and adjust the following to add a disk cache directory.
#

cache_dir ufs /var/spool/squid 1024 16 256
cache_mem 1024 MB
cache_swap_low 90
cache_swap_high 95
minimum_object_size 0 KB
maximum_object_size 4096 KB

# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid

# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320



Where is the problem?
Author: woxizishen    Time: 2015-01-28 08:33
Reply to 24# mengcun123

Think hard about the words "transparent proxy" and you'll understand why it gets out through the proxy without having to enter an account.
Author: mengcun123    Time: 2015-01-28 09:22
Reply to 25# woxizishen

Didn't I say last time that I had already got account/password authentication working on a normal proxy? Yesterday, when I set up a new machine following the same steps, it wouldn't work at all.

yum install squid
yum install httpd

Does httpd need to be started?


Author: woxizishen    Time: 2015-01-28 09:38
This post was last edited by woxizishen on 2015-01-28 09:44

Reply to 26# mengcun123

They are two unrelated pieces of software. You configured it successfully before and now it fails again, which shows you aren't fluent with it yet. If you want practice, build from source once, because that forces you to understand the options; of course, if you just copy ready-made configure options from the Internet there's no point. I recommend reading the Chinese Squid definitive guide all the way through. Although it covers the versions before Squid 2.7, you'll at least understand what this thing is. Apart from the basics at the front, pick the applications that interest you from the later part. Reading and understanding all of it takes a month without a background, so I suggest concentrating on the key points relevant to your work. Back then I wasted too much time studying it too thoroughly; in practice, enterprises never use many of the impressive features, and after a while you forget the complex applications. Re-reading brings them back quickly, but it really was a bit of a waste of time. Take fewer detours.

Author: mengcun123    Time: 2015-01-28 09:50
Reply to 27# woxizishen

So a transparent proxy can't use account/password authentication?

Author: woxizishen    Time: 2015-01-28 10:13
Reply to 28# mengcun123

You can understand it that way.
Author: mengcun123    Time: 2015-01-28 14:36
Reply to 29# woxizishen





Welcome to Chinaunix (http://bbs.chinaunix.net/) Powered by Discuz! X3.2