Installing Squid proxy server running on Windows

我在WINDOWS2012上安装SQUID 2.8 UPDATE8.

按以下方法，不加认证，几乎不用更改就生效了。

（DOS窗口的操作都是以管理员身份操作的）

http://certcollection.org/forum/topic/98920-installing-squid-proxy-server-running-on-windows/

There are various software that implement a proxy server, some commercial and some free stuff. In this guide we will see how to implement a proxy server in a Windows environment is fully integrated into Active Directory at no cost.

The product concerned is Squid

http://www.squid-cache.org/

, originally developed for the Linux porting is also available on the Windows platform.

Integration with Active Directory, you can if we install on a machine both Linux and Windows, on Linux configuration for authentication in AD is slightly more complex than in the Windows environment.

Squid can be installed on any machine of our network not necessarily with two network adapters, in which case must do also from gateway.

First we must download Squid from

http://squid.acmeconsulting.it/index.html

site, follow the signs for Squid 2.7 for Windows-> Squid Download Page-> mirror mirror 1/ 2-> and here and get the latest version Stable, at the moment is the 2.7. STABLE8.

Once the download unpack the .zip file in the path c:\squid. Copy these three files in the path c:\squid\etc:

（以下必作）

* squid.conf.default==> squid.conf         
* mime.conf.default==> mime file         
* cachemgr.conf.default==> cachemgr. conf

Open the squid.conf and making some changes required for the first time:

    * Section OPTIONS FOR AUTHENTICATION
          o Remove the comment on these three rows and we complete the first so that you have:

（以下没作）

auth_param ntlm program c:/squid/libexec/mswin_ntlm_auth .exe                         
auth_param ntlm children 5                         
auth_param ntlm keep_alive on

            These parameters indicate to squid to use authentication NTLM, to use the program and mswin_ntlm_auth. xe to authenticate and use 5 concurrent processes for authentication.
    * ACCESS CONTROLS Section
          o Default Squid grants access from local networks that have private ip addresses of 3 standard classes, if our network does not fall into these we must add it to these 3 lines:

（以下没改）
acl localnet src 10.0.0.0/8# RFC1918 possible internal network                         
acl localnet src 172.16.0.0/12# RFC1918 possible internal network                         
acl localnet src 192.168.0.0/16# RFC1918 possible internal network

          o In the basic configuration Squid grants access only to the following ports:

（以下没改）

acl SSL_ports port 443                         
acl Safe_ports port 80# http                         
acl Safe_ports port 21# ftp                         
acl Safe_ports port 443# https                         
acl Safe_ports port 70# gopher                         
acl Safe_ports port 210# wais                         
acl Safe_ports port 1025-65535# unregistered ports                         
acl Safe_ports port 280# http-mgmt                         
acl Safe_ports port 488# gss-http                         
acl Safe_ports port 591# filemaker                         
acl Safe_ports port 777# multiling http

         Also here if we have other needs we must add the ports you want to be reached.
          o Immediately after the last we must insert an ACL to verify authentication in Active Directory:

                        acl Authenticatedusing proxy_auth ACL REQUIRED

            and set an access rule that denies all unauthenticated sessions:

                        http_access deny!Authenticated

            
            be inserted immediately after the line:

                        # INSERT YOUR OWN RULE (S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS

    * Section DISK CACHE OPTIONS
          o In this section we have to set the configuration parameters of the disk cache, to do this, remove the comment line:

（这步我作了，参数未改，并且手工在VAR下新建了CACHE目录）

  cache_dir ufs c:/squid/var/cache 10016256

            and edit the parameters according to our needs.
            Taking into account that the three parameters have this meaning:
            100 = maximum size in MB of disk cache
            16 = number of subdirectories (1st level)
            256 = number of subdirectory of 2nd level
            Initially we can leave the default these 3 parameters.

    * LOGFILE OPTIONS Section

          o In this section we define the location and the type of access log file that is generated by Squid.
            The path is defined by the following directive:

                        access_log c:/squid/var/logs/squid access.log

            While the type is defined by the line:

                        logformat squid%0% ts.3tu%6tr% a%Ss/>%< st 03Hs%% rm% ru% a%Sh/%<% mt

            in this case we define a log format called squid and use it in the command access_log.

    * ADMINISTRATIVE PARAMETERS Section
          o In case of failure or to access an unauthorized site Squid displays a page with details including an e-mal address of the system administrator. In this regard we can change this address by using the following directive:

                        cache_mgr <indirizzo_email>

    * ERROR PAGE OPTIONS Section

          o The last parameter to change the language in which you want to display the error pages, to achieve this, we use this directive:

                        error_directory c:/squid/share/errors/English

            where instead of English we insert the name of the directory that reflects the language that we use inside the folder c:/squid/share/and rrors, in the case of English we:

                        error_directory c:/squid/share/errors/Italian

At this point, the basic configuration Squid is finished and we can send him running for the first time. Open a dos directory, find the white flashing c:\squid\sbin and launch the command:

（这步必作）

 squid-z

in order to create the cache directory. If we have not made mistakes in the configuration file you should see something like:

C:\squid\sbin>squid -z 2010/04/2411:33:24|CreatingSwapDirectories

We suggest that the creation of the directory is successful, otherwise we will see something like:

C:\squid\sbin>squid -z 2010/04/2411:41:28| parseConfigFile: squid.conf:4257 unrecognized:'error_directoryxxx'2010/04/2411:41:28|CreatingSwapDirectories

in which case we have committed some syntax error. (In this case was wanted!!).


    NOTE: If we install squid in the default directory c:\squid we should never specify the location of the configuration file, if instead we use a different path is necessaroio change all references in the squid.conf file and use the parameter -f configfile every time I launch the command squid.exe.

Now we can install Squid as a service and start to test it. To do this, launch the command:

（这步必作）

C:\squid\sbin>squid -i 
Registry stored HKLM\SOFTWARE\GNU\Squid\2.6\Squid\ConfigFile value c:/squid/etc/squid.conf 
SquidCache version 2.7.STABLE8 for i686-pc-winnt installed successfully asSquidWindowsSystemService.
To run, start it from the ServicesApplet of ControlPanel.Don't forget to edit squid.conf before starting it.

If all is successful you will create the service Squid. If we want to call it differently, we need to add the parameter -n servicename. Once you have created the service we need to start it with the command:

（这步必作）

net start Squid

and we will get output like:

TheSquid service is starting.TheSquid service was started successfully.

We verify that Squid is actually listening via the command:

C:\squid\sbin > netstat-na | findstr:31280.0.0.00.0.0.0:3128 TCP:0 LISTENING

As you can see clearly squid is listening on the default port 3128.

Open Internet Explorer on a client and to configure the proxy settings using the menu Tools > Internet Options-> Connections-> LAN Settings and set the proxy server as shown in Figure:


replacing the address and port of the server with those of our configuration.

Let's go back to the browser and try to reach a site any, if everything works you should see the page without any problem.

To verify the actual use of the proxy, we can use one of several test online type

http://www.lagado.com/proxy-test

or check the file access.log in the folder C:\squid\var\logs.

If you see a window like this:



We ask for your login credentials means that the proxy is working but there is some problem with NTLM authentication. In this case we change the LAN Manager authentication level in value:

Send LM and NTLM –useNTLMv2 session security if negotiated

For simplicity we can change the Default Domain Policy so you want to configure all machines in the domain. The setting is located in the key:

ComputerConfiguration->Policies->WindowsSettings->SecuritySettings->LocalPolicies->SecurityOptions->Network security: LAN Manager authentication level

Once change expect the policy is applied or forziamola with the command GPUDATE/force, then try again and if everything went well this time the request for username and password should appear.

With the procedures specified so far according to Squid configuration has finished, access is granted to all for any site and a log is generated for each login.

In next part we will see some parameters for optimization of Squid and how to configure the proxy settings in the browser automatically