目标:代理公司所有用户上INTERNET,分三类用户,一类高级用户,不分时段,不受限访问的站点;第二类为普通的用户,只能在工作时间访问,且有站点限制,如不能访开心网等;第三类用户,在普通用户受限的基础的上,只能访问公司规定的站点,其余站点都不能访问。
操作:在上次配置的基础上进阶(
http://xuchengji.blog.51cto.com/160472/306338)
#------------------ proxy server --------------
#2010-5-10
#----------------- acl ---------------------------------
#----------------- acl ---------------------------------
acl fann_network src 192.168.0.0/24
acl work_hours time MTWHFAS 07:30-20:30
# S - Sunday
# M - Monday
# T - Tuesday
# W - Wednesday
# H - Thursday
# F - Friday
# A - Saturday
acl deny_website dstdomain "/usr/lib/squid3/deny_website"
acl allow_website dstdomain "/usr/lib/squid3/allow_website"
#deny_website ,allow_website 分别是要禁止和允许访问的站点
auth_param basic program /usr/lib/squid3/ncsa_auth /usr/lib/squid3/fann_users
#fann_users为公司用户的认证文件,用htpasswd创建
acl normal proxy_auth normal
acl advanced proxy_auth manager
acl advanced proxy_auth manager
acl user proxy_auth user
#三类用户分别为manager,nolmal,user
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80
# http
acl Safe_ports port 21
# ftp
acl Safe_ports port 443
# https
acl Safe_ports port 70
# gopher
acl Safe_ports port 210
# wais
acl Safe_ports port 1025-65535
# unregistered ports
acl Safe_ports port 280
# http-mgmt
acl Safe_ports port 488
# gss-http
acl Safe_ports port 591
acl Safe_ports port 80
# http
acl Safe_ports port 21
# ftp
acl Safe_ports port 443
# https
acl Safe_ports port 70
# gopher
acl Safe_ports port 210
# wais
acl Safe_ports port 1025-65535
# unregistered ports
acl Safe_ports port 280
# http-mgmt
acl Safe_ports port 488
# gss-http
acl Safe_ports port 591
# filemaker
acl Safe_ports port 777
# multiling http
acl CONNECT method CONNECT
acl Safe_ports port 777
# multiling http
acl CONNECT method CONNECT
#------------------------------- http_access ------------------
http_access allow advanced
http_access deny !work_hours
http_access deny deny_website
http_access allow normal
http_access deny !allow_website
http_access allow user
http_access allow fann_network
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny all
icp_access deny all
htcp_access deny all
#------------------------------- server -------------------------
http_port 192.168.0.15:808
dns_nameservers 202.96.209.5 202.96.209.133
cache_dir ufs /var/spool/squid3 204800 16 256
hierarchy_stoplist cgi-bin ?
access_log /var/log/squid3/access.log squid
cache_log /var/log/squid3/cache.log
cache_log /var/log/squid3/cache.log
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
icp_port 3130
coredump_dir /var/spool/squid3
coredump_dir /var/spool/squid3
*:建起来很比较容易的,难的是如何维护!
本文转自xcjgutong 51CTO博客,原文链接:http://blog.51cto.com/xuchengji/314059
