squid通路控制

閑的無聊，寫一篇關于squid的文章吧！

需求：允許客戶機通路指定的網站，但是允許的網站裡面不包括網盤，比如百度相關網站都放行，但是百度網盤不允許通路，其餘的所有網站一律不允許通路！

環境：CentOS6.3(64位)

1、安裝squid

yum install -y squid

2、squid的主配置檔案：

vi /etc/squid/squid.conf

#

# Recommended minimum configuration:

acl manager proto cache_object

acl localhost src 127.0.0.1/32 ::1

acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1

# Example rule allowing access from your local networks.

# Adapt to list your (internal) IP networks from where browsing

# should be allowed

#acl localnet src 10.0.0.0/8    # RFC1918 possible internal network

#acl localnet src 172.16.0.0/12 # RFC1918 possible internal network

#acl localnet src 192.168.0.0/16        # RFC1918 possible internal network

#acl localnet src fc00::/7       # RFC 4193 local private network range

#acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machin

es

acl SSL_ports port 443

acl Safe_ports port 80          # http

#acl Safe_ports port 21         # ftp

acl Safe_ports port 443         # https

#acl Safe_ports port 70         # gopher

#acl Safe_ports port 210                # wais

#acl Safe_ports port 1025-65535 # unregistered ports

#acl Safe_ports port 280                # http-mgmt

#acl Safe_ports port 488                # gss-http

#acl Safe_ports port 591                # filemaker

#acl Safe_ports port 777                # multiling http

acl CONNECT method CONNECT

# Recommended minimum Access Permission configuration:

# Only allow cachemgr access from localhost

http_access allow manager localhost

http_access deny manager

# Deny requests to certain unsafe ports

http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports

http_access deny CONNECT !SSL_ports

# We strongly recommend the following be uncommented to protect innocent

# web applications running on the proxy server who think the only

# one who can access services on "localhost" is a local user

#http_access deny to_localhost

# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS

# Adapt localnet in the ACL section to list your (internal) IP networks

# from where browsing should be allowed

#http_access allow localnet

http_access allow localhost

# And finally deny all other access to this proxy

#http_access deny all

# Squid normally listens to port 3128

http_port 192.168.1.1:3128           ============>監聽的IP位址和端口

# We recommend you to use at least the following line.

hierarchy_stoplist cgi-bin ?

# Uncomment and adjust the following to add a disk cache directory.

#cache_dir ufs /var/spool/squid 100 16 256

# Leave coredumps in the first cache dir

coredump_dir /var/spool/squid

# Add any of your own refresh_pattern entries above these.

refresh_pattern ^ftp:           1440    20%     10080

refresh_pattern ^gopher:        1440    0%      1440

refresh_pattern -i (/cgi-bin/|\?) 0     0%      0

refresh_pattern .               0       20%     4320

dns_nameservers 8.8.8.8      ============>DNS伺服器，不能寫多個！

允許的網站

acl url_deny url_regex pan.baidu.com                 

acl url_deny url_regex vdisk.weibo.com

acl url_deny url_regex share.renren.com

acl url_deny url_regex sfsf55.xunzai.com

acl url_deny url_regex disk.sbox.uc.sina.com.cn/webdisk/client

http_access deny url_deny

#下面是允許的網站，我之前使用的是-i參數，-i參數是比對網頁裡面的關鍵字！比如我允許放行baidu.com，結果chinaunix的首頁裡面有百度的關鍵字也被放行了，是以比對url不能加-i參數，這裡.代表通配符。

acl url_allow url_regex .bdimg.com                   ====>一些大網站有自己的圖檔伺服器，例如百度，很多圖檔都來自于這個伺服器，是以得放行。

acl url_allow url_regex .google.com

acl url_allow url_regex .google.cn

acl url_allow url_regex .gstatic.com

acl url_allow url_regex .google-analytics.com

acl url_allow url_regex .googleusercontent.com

acl url_allow url_regex .chinaz.com

acl url_allow url_regex .aizhan.com

acl url_allow url_regex .dedecms.com

acl url_allow url_regex .7c.com

acl url_allow url_regex .ciku5.com

acl url_allow url_regex .bdstatic.com

acl url_allow url_regex .baidustatic.com

acl url_allow url_regex .toberp.com

acl url_allow url_regex .zbintel.com

acl url_allow url_regex .cnzz.com

acl url_allow url_regex .weibo.com

acl url_allow url_regex .weixin.qq.com

acl url_allow url_regex .wx.qq.com

acl url_allow url_regex .renren.com

acl url_allow url_regex .xnimg.cn

acl url_allow url_regex .sinaimg.cn

acl url_allow url_regex .sinajs.cn

acl url_allow url_regex .sina.com.cn

acl url_allow url_regex .youku

acl url_allow url_regex .doubleclick.net

acl url_allow url_regex .ykimg.com

acl url_allow url_regex .iresearch.cn

acl url_allow url_regex .meihua.info

#拒絕所有網站

http_access deny all

3、儲存啟動squid服務

/etc/init.d/squid start

4、開通防火牆3128端口

vi /etc/sysconfig/iptables

-A INPUT -m state --state NEW -m tcp -p tcp -s 192.168.1.0/24 --dport 3128 -j ACCEPT

/etc/init.d/iptables restart

5、用戶端測試，在IE裡面的工具，區域網路裡面寫上伺服器監聽的IP位址和端口。這裡不詳細介紹了！

6、測試成功！