squid代理实现账号登陆的问题

jixuuse

自己百度下吧，网上这种多的是

如果要IP认证，直接加入允许放行的IP子网即可，MAC认证没搞过，因为都是跨三层的大网络，看不到客户端MAC

mengcun123

回复 8# jixuuse

再确认一下，你是用yum安装的？用的linux哪个版本？另外实现账号认证的时候还需要安装什么呢


   

jixuuse

我很懒，能用yum装的绝不用源码，贴的这些都是自己亲手做的，我自己都会写一个txt安装过程文档记录下来

woxizishen

回复 11# jixuuse

MAC地址一样可以跨网段认证，呵呵，绑定arp，就可以进行跨网段的mac地址认证。

因为squid很偷懒，使用系统的ARP缓存条目来管理的。所以可以利用他的这个弱点来实现跨网段mac地址认证。

   

woxizishen

回复 10# mengcun123
请按照我下面的完整步骤来操作,我的squid版本是2.7的，每一行都有解释:

使用账号登陆才可以使用。只需做如下设定即可:
auth_param basic program /etc/squid/libexec/ncsa_auth /etc/squid/etc/passwd
auth_param basic children 10
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
auth_param basic realm 172.16.4.123 proxy cache
##认证部份有解释##

acl all2 src 0.0.0.0/0.0.0.0   允许所有网络访问此台代理服务器。
http_access allow all2


acl usergroup1 proxy_auth "/etc/squid/etc/ip1user"  
http_access allow usergroup1                                           设定允许用户账号登陆后访问外网、需要自行建立该用户文件夹
Touch /etc/squid/etc/ip1user
dawson                      一行一个账号
temp
……

上述完成后，开始建立密码:
htpasswd -b /etc/squid/etc/passwd dawson  123456
htpasswd -b /etc/squid/etc/passwd temp  123456

##这样重新载入配置文件后即可以用账号通过squid验证正确后即可以访问了。##


   

woxizishen

回复 13# jixuuse

如果不需要特别的功能，就只是用一个企业用的简单正向/透明代理，就直接用yum和rpm都很不错，重要是节省大家时间。

当然如果你想很透测的了解squid的各个功能特性和优化，最好是编译安装一次。因为你编译安装需要了解每一个编译参数。编译是很花时间的，但是也是让你快速熟悉squid的唯一途径。

如果从事的工作未来会牵扯到squid的CDN部分。编译安装必须掌握，偷懒的结果，出问题后就只能跑到论坛上发问了。

mengcun123

回复 15# woxizishen


使用账号登陆才可以使用。只需做如下设定即可:
auth_param basic program /etc/squid/libexec/ncsa_auth /etc/squid/etc/passwd     这个报错
auth_param basic children 10
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
auth_param basic realm 172.16.4.123 proxy cache
##认证部份有解释##

acl all2 src 0.0.0.0/0.0.0.0   允许所有网络访问此台代理服务器。
http_access allow all2


acl usergroup1 proxy_auth "/etc/squid/etc/ip1user"  
http_access allow usergroup1                                           设定允许用户账号登陆后访问外网、需要自行建立该用户文件夹
Touch /etc/squid/etc/ip1user
dawson                      一行一个账号
temp
…
上面的也贴进去吗


上述完成后，开始建立密码:
htpasswd -b /etc/squid/etc/passwd dawson  123456
htpasswd -b /etc/squid/etc/passwd temp  123456

##这样重新载入配置文件后即可以用账号通过squid验证正确后即可以访问了。##

   

woxizishen

回复 17# mengcun123

auth_param basic program /etc/squid/libexec/ncsa_auth /etc/squid/etc/passwd     这个报错

/etc/squid/libexec/ncsa_auth   
/etc/squid/etc/passwd     

这2个根据你的实际路径来填写，我的ncsa_auth在这个路径下，看看你自己的。     


acl usergroup1 proxy_auth "/etc/squid/etc/ip1user"  
http_access allow usergroup1                                           设定允许用户账号登陆后访问外网、需要自行建立该用户文件夹
Touch /etc/squid/etc/ip1user
dawson                      一行一个账号
temp
…

上面的也贴进去吗

acl usergroup1 proxy_auth "/etc/squid/etc/ip1user"
http_access allow usergroup1  
这2行贴到squid.conf里，你没账号怎么验证？？？？



Touch /etc/squid/etc/ip1user
dawson                      一行一个账号
temp
这个是存放账号的文件，自己手动输账号，一行只能输一个账号。

mengcun123

回复 18# woxizishen


密码可以生产，但是最主要的是没有认证界面。




   
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/squid_user.txt
auth_param basic children 10
auth_param basic realm WELCOME

#
# Recommended minimum configuration:
#
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed

#acl localnet src 10.0.0.0/8    # RFC1918 possible internal network     DHCP抓到的IP的10.0.0.0/8的，需要做到这个网段的ip需要认证  
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16        # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machine

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT




#
# Recommended minimum Access Permission configuration:
#
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager

# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost



#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed

acl squid_user proxy_auth REQUIRED

http_access allow localnet
http_access allow localhost

# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128
http_port 3128

# We recommend you to use at least the following line.
hierarchy_stoplist cgi-bin ?

# Uncomment and adjust the following to add a disk cache directory.
#

cache_dir ufs /var/spool/squid 1024 16 256
cache_mem 1024 MB
cache_swap_low 90
cache_swap_high 95
minimum_object_size 0 KB
maximum_object_size 4096 KB

# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid

# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320

mengcun123

回复 18# woxizishen


跳不出认证界面，密码什么的都可以生产，squid服务重启过，给看下



auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/squid_user.txt
auth_param basic children 10
auth_param basic realm WELCOME

#
# Recommended minimum configuration:
#
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed

#acl localnet src 10.0.0.0/8    # RFC1918 possible internal network    10.0.0.0/8网段ip都需要认证   
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16        # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machine

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT




#
# Recommended minimum Access Permission configuration:
#
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager

# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost



#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed

acl squid_user proxy_auth REQUIRED

http_access allow localnet
http_access allow localhost

# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128
http_port 3128

# We recommend you to use at least the following line.
hierarchy_stoplist cgi-bin ?

# Uncomment and adjust the following to add a disk cache directory.
#

cache_dir ufs /var/spool/squid 1024 16 256
cache_mem 1024 MB
cache_swap_low 90
cache_swap_high 95
minimum_object_size 0 KB
maximum_object_size 4096 KB

# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid

# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320