User redirection by rules in Squid
At work I ran into the following problem: there are a dozen proxy servers (Squid) in different countries and several dozen users. Each user decides which server to work through; there is a Chrome extension in which they make the choice.
But the servers are at different distances from the users, and a user in Russia working through a server in Canada experiences noticeable slowdowns. The servers themselves, on the other hand, sit in data centres with backbone connectivity, so the latency between them is much lower.
It was decided to route each user to the server nearest to them and from there on to the server they selected.
Proxy-to-proxy
The first step is to configure the proxies to work with each other. The simplest way was to specify:
acl localnet srcdomain {my-domain.com}
But it turned out that not all of them allow a reverse lookup to the domain you specified. I had to list every server's IP address explicitly:
# src matches the client address directly; srcdomain would need a working reverse lookup
acl localnet src {server 1 IP}
acl localnet src {server 2 IP}
acl localnet src {server 3 IP}
If someone can suggest a different solution, I will gladly fix it. For now the servers change rarely, and when they do, the lists are quickly corrected with Puppet.
Redirection management
The next step is to configure the acls for server redirection:
cache_peer {server 1} parent 3128 3130 name=peer1
cache_peer {server 2} parent 3128 3130 name=peer2
cache_peer {server 3} parent 3128 3130 name=peer3
cache_peer_access peer1 allow user1
cache_peer_access peer2 allow user2
cache_peer_access peer3 allow user3
Here user1, user2 and user3 are the user acls defined below.
Authentication
The company already had a RADIUS server configured for such cases. On CentOS 5 I initially configured it via PAM, since I had not built Squid myself, but later I had to build from source (the stock package does not include SSL) and used the configure option --enable-basic-auth-helpers=squid_radius_auth. For those who do not want to bother with PAM, I would also recommend the separate helper:
wget http://www.squid-cache.org/contrib/squid_radius_auth/squid_radius_auth-1.10.tar.gz
tar xvzf squid_radius_auth-1.10.tar.gz
cd squid_radius_auth-1.10
cp Makefile.default Makefile
make
make install
Whichever way it is installed, the Squid configuration does not change; only the file paths in the first line differ:
auth_param basic program /usr/local/squid/libexec/basic_radius_auth -f /usr/local/squid/etc/radius_config
auth_param basic children 5
auth_param basic realm {my server}  # shown in the browser's authentication prompt
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
acl radius proxy_auth REQUIRED
Example radius_config file:
server {radius server address}
password {shared secret for connecting to radius}
Each server has its own users
The rules were simple enough. First we state which users are governed by which rule:
acl user1 proxy_auth "/usr/local/squid/userlist/user1" no_cache
acl user2 proxy_auth "/usr/local/squid/userlist/user2" no_cache
acl user3 proxy_auth "/usr/local/squid/userlist/user3" no_cache
And, of course, we allow them to use the proxy:
http_access allow localnet  # for proxy-to-proxy traffic
http_access allow radius    # users who have not chosen a proxy use the nearest one
http_access allow user1
http_access allow user2
http_access allow user3
http_access deny all        # do not forget to deny everyone else
That's all. When a user selects a server, a separate program removes the user from the userlist files and adds them to the selected one. But that's another story.
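The "separate program" that swaps a user between the userlist files, as an added example that is not part of the original post or of Squid: it assumes the lists are named user1..user3 in one directory (one username per line, as the proxy_auth acls above expect), keeps each user in exactly one list, validates both values that arrive from the browser extension, and rewrites each file atomically. Squid reads acl files only at start-up or reconfigure, so "squid -k reconfigure" has to follow every change.

```python
import os
import re
import tempfile
from pathlib import Path

# Assumption (not in the post): the userlist files are named after the acl names
# user1..user3, live in one directory, and hold one username per line.
PEERS = ("user1", "user2", "user3")
USERNAME_RE = re.compile(r"^[A-Za-z0-9._@-]{1,64}$")

def _read_list(path: Path) -> list[str]:
    if not path.exists():
        return []
    return [ln.strip() for ln in path.read_text().splitlines() if ln.strip()]

def _write_atomic(path: Path, names: list[str]) -> None:
    # Write a temp file in the same directory and rename it over the target, so a
    # concurrent "squid -k reconfigure" never reads a half-written list.
    fd, tmp = tempfile.mkstemp(dir=str(path.parent), prefix=path.name + ".")
    with os.fdopen(fd, "w") as fh:
        fh.write("".join(n + "\n" for n in names))
    os.replace(tmp, path)

def move_user(userlist_dir: str, username: str, target: str) -> dict[str, list[str]]:
    """Put username in exactly one peer list and return the resulting lists."""
    # Both values come from the browser extension: accept only a plain username
    # and a known list name, so neither a path nor extra acl data can be injected.
    if not USERNAME_RE.match(username):
        raise ValueError(f"bad username: {username!r}")
    if target not in PEERS:
        raise ValueError(f"unknown peer list: {target!r}")
    base = Path(userlist_dir)
    result: dict[str, list[str]] = {}
    for peer in PEERS:
        names = [n for n in _read_list(base / peer) if n != username]
        if peer == target:
            names.append(username)
        names.sort()
        _write_atomic(base / peer, names)
        result[peer] = names
    # Squid reads acl files only at start-up or reconfigure: run
    # "squid -k reconfigure" after the lists change.
    return result

def demo() -> dict[str, list[str]]:
    """Constructed sample: alice and bob on peer 1, carol on peer 2; alice picks peer 2."""
    d = Path(tempfile.mkdtemp())
    (d / "user1").write_text("alice\nbob\n")
    (d / "user2").write_text("carol\n")
    return move_user(str(d), "alice", "user2")
```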
Sources
The basic information came from the Squid wiki, but it is short on examples:
- The main site is wiki.squid-cache.org (English only). I do not list individual pages, since I used many of them.
- Configuring RADIUS: Setup Squid and FreeRADIUS on CentOS 5 and CentOS 6
- ACL reference: ACL elements
This article does not describe the whole service, only the Squid configuration. What is left out concerns only the dynamic part, and everyone can have their own. I noted only the essential points. Do not try to set everything up by copy-paste: lines not relevant to the topic of the article have been omitted.