Product SiteDocumentation Site

5.2. Squid 安全化

Squid is one of the most popular proxy/cache server, and there are some security issues that should be taken into account. Squid's default configuration file denies all users requests. However the Debian package allows access from 'localhost', you just need to configure your browser properly. You should configure Squid to allow access to trusted users, hosts or networks defining an Access Control List on /etc/squid/squid.conf, see the for more information about defining ACLs rules. Notice that Debian provides a minimum configuration for Squid that will prevent anything, except from localhost to connect to your proxy server (which will run in the default port 3128). You will need to customize your /etc/squid/squid.conf as needed.
The recommended minimum configuration (provided with the package) is shown below:
acl all src
acl manager proto cache_object
acl localhost src
acl SSL_ports port 443 563
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443 563     # https, snews
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl Safe_ports port 901         # SWAT
acl purge method PURGE
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
# Only allow purge requests from localhost
http_access allow purge localhost
http_access deny purge
# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
# And finally deny all other access to this proxy
http_access deny all
# icp_access deny all
#Allow ICP queries from eveyone
icp_access allow all
您还应当基于系统资源来配置 Squid, 包括高速缓存(cache_mem项), 本地缓存文件, 及其占用的空间大小(cache_dir项).
注意, 如果配置不当, 某些人也许可以通过 Squid 传递邮件消息, 因为HTTP和SMTP协议设计的非常相似. Squid 的默认配置文件拒绝访问 25 端口. 如果您希望允许连接 25 端口, 仅需要将其加入 Safe_ports 列表即可. 但是, 这里推荐 NOT.
Setting and configuring the proxy/cache server properly is only part of keeping your site secure. Another necessary task is to analyze Squid's logs to assure that all things are working as they should be working. There are some packages in Debian GNU/Linux that can help an administrator to do this. The following packages are available in Debian 3.0 and Debian 3.1 (sarge):
  • calamaris - Squid 或 Oops 代理的日志分析工具.
  • modlogan - 日志分析工具组件.
  • sarg - Squid Analysis Report Generator.
  • squidtaild - Squid 日志监控程序.
When using Squid in Accelerator Mode it acts as a web server too. Turning on this option increases code complexity, making it less reliable. By default Squid is not configured to act as a web server, so you don't need to worry about this. Note that if you want to use this feature be sure that it is really necessary. To find more information about Accelerator Mode on Squid see the