2014-02-13 29 views
2

I set up Squid on CentOS 6.4 using a guide I found through Google. I am using a VPS and connecting to it from my home computer to browse anonymously and to connect to an FTP server for work. It works fine, but right now anyone can connect to the proxy. How do I restrict it so that only my home IP is allowed?
Configure Squid on CentOS to allow only one IP

Here is my config:

# 
# Recommended minimum configuration: 
# 
acl manager proto cache_object 
acl localhost src 127.0.0.1/32 ::1 
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1 

# Example rule allowing access from your local networks. 
# Adapt to list your (internal) IP networks from where browsing 
# should be allowed 
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network 
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network 
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network 
acl localnet src fc00::/7  # RFC 4193 local private network range 
acl localnet src fe80::/10  # RFC 4291 link-local (directly plugged) machines 

acl SSL_ports port 443 
acl Safe_ports port 80  # http 
acl Safe_ports port 21  # ftp 
acl Safe_ports port 443  # https 
acl Safe_ports port 70  # gopher 
acl Safe_ports port 210  # wais 
acl Safe_ports port 1025-65535 # unregistered ports 
acl Safe_ports port 280  # http-mgmt 
acl Safe_ports port 488  # gss-http 
acl Safe_ports port 591  # filemaker 
acl Safe_ports port 777  # multiling http 
acl CONNECT method CONNECT 

# 
# Recommended minimum Access Permission configuration: 
# 
# Only allow cachemgr access from localhost 
http_access allow manager localhost 
http_access deny manager 
http_access allow all 
http_access allow localnet 

# Deny requests to certain unsafe ports 
http_access deny !Safe_ports 

# Deny CONNECT to other than secure SSL ports 
http_access deny CONNECT !SSL_ports 

# We strongly recommend the following be uncommented to protect innocent 
# web applications running on the proxy server who think the only 
# one who can access services on "localhost" is a local user 
#http_access deny to_localhost 

# 
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS 
# 

# Example rule allowing access from your local networks. 
# Adapt localnet in the ACL section to list your (internal) IP networks 
# from where browsing should be allowed 
http_access allow localnet 
http_access allow localhost 

# And finally deny all other access to this proxy 
http_access deny all 

# Squid normally listens to port 3128 
http_port 0.0.0.0:3128 

# We recommend you to use at least the following line. 
hierarchy_stoplist cgi-bin ? 

# Uncomment and adjust the following to add a disk cache directory. 
#cache_dir ufs /var/spool/squid 100 16 256 

# Leave coredumps in the first cache dir 
coredump_dir /var/spool/squid 

# Add any of your own refresh_pattern entries above these. 
refresh_pattern ^ftp:  1440 20% 10080 
refresh_pattern ^gopher: 1440 0% 1440 
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 
refresh_pattern .  0 20% 4320 

via off 
forwarded_for off 

request_header_access Allow allow all 
request_header_access Authorization allow all 
request_header_access WWW-Authenticate allow all 
request_header_access Proxy-Authorization allow all 
request_header_access Proxy-Authenticate allow all 
request_header_access Cache-Control allow all 
request_header_access Content-Encoding allow all 
request_header_access Content-Length allow all 
request_header_access Content-Type allow all 
request_header_access Date allow all 
request_header_access Expires allow all 
request_header_access Host allow all 
request_header_access If-Modified-Since allow all 
request_header_access Last-Modified allow all 
request_header_access Location allow all 
request_header_access Pragma allow all 
request_header_access Accept allow all 
request_header_access Accept-Charset allow all 
request_header_access Accept-Encoding allow all 
request_header_access Accept-Language allow all 
request_header_access Content-Language allow all 
request_header_access Mime-Version allow all 
request_header_access Retry-After allow all 
request_header_access Title allow all 
request_header_access Connection allow all 
request_header_access Proxy-Connection allow all 
request_header_access User-Agent allow all 
request_header_access Cookie allow all 
request_header_access All deny all 

tcp_outgoing_address public_ip 

Answer

5

In the default configuration you have an access control list named localnet. You can modify the localnet acl so that it contains only the source address you connect from instead of the defaults, or you can create your own acl for your source address. You then need to use it in an http_access directive that allows access.

I see that your config uses all of the following http_access directives:

http_access allow manager localhost #1 
http_access deny manager #2 
http_access allow all #3 
http_access allow localnet #4 
http_access deny !Safe_ports #5 
http_access deny CONNECT !SSL_ports #6 
http_access allow localnet #7 
http_access allow localhost #8 
http_access deny all #9 

4 and 7 are redundant. If your source address matches localnet, you can delete 3. 3 also overrides some of the safety features given in 5 and 6. I propose the following, where the localnet ACL has been modified to contain only your source address:

acl localnet src <source_ip> 

http_access allow manager localhost #1 
http_access deny manager #2 
http_access deny !Safe_ports #3 
http_access deny CONNECT !SSL_ports #4 
http_access allow localnet #5 
http_access allow localhost #6 
http_access deny all #7 

I think this will do the trick.
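To see why the ordering matters, here is an added Python model (not from the question or the answer) of Squid's first-match http_access evaluation, run over the question's nine lines and the answer's seven. The home and stranger addresses, and the exact-address localnet ACL, are constructed assumptions.

```python
import ipaddress

# Ports from the Safe_ports ACL in the posted config.
SAFE_PORTS = {80, 21, 443, 70, 210, 280, 488, 591, 777} | set(range(1025, 65536))

def build_acls(home_ip):
    """ACL name -> predicate over a request dict {src, port, method}."""
    home = ipaddress.ip_address(home_ip)
    return {
        "all": lambda r: True,
        "manager": lambda r: r["method"] == "CACHE_OBJECT",  # stands in for proto cache_object
        "localhost": lambda r: ipaddress.ip_address(r["src"]).is_loopback,
        "localnet": lambda r: ipaddress.ip_address(r["src"]) == home,  # the answer's one-address ACL
        "Safe_ports": lambda r: r["port"] in SAFE_PORTS,
        "SSL_ports": lambda r: r["port"] == 443,
        "CONNECT": lambda r: r["method"] == "CONNECT",
    }

def http_access(rules, acls, request):
    """First matching line wins; every ACL on a line must match ('!' negates).
    If nothing matches, Squid applies the opposite of the last line's action."""
    action = None
    for line in rules:
        action, *names = line.split()
        if all(acls[n.lstrip("!")](request) != n.startswith("!") for n in names):
            return action == "allow"
    return action != "allow"

# Lines 1-9 as posted in the question, and lines 1-7 as proposed in the answer.
ORIGINAL = ["allow manager localhost", "deny manager", "allow all", "allow localnet",
            "deny !Safe_ports", "deny CONNECT !SSL_ports", "allow localnet",
            "allow localhost", "deny all"]
FIXED = ["allow manager localhost", "deny manager", "deny !Safe_ports",
         "deny CONNECT !SSL_ports", "allow localnet", "allow localhost", "deny all"]

def compare(home_ip="198.51.100.7"):
    """Constructed requests, evaluated as (original, fixed); True means allowed."""
    acls = build_acls(home_ip)
    cases = {
        "home_get_80": {"src": home_ip, "port": 80, "method": "GET"},
        "stranger_get_80": {"src": "203.0.113.5", "port": 80, "method": "GET"},
        "stranger_connect_25": {"src": "203.0.113.5", "port": 25, "method": "CONNECT"},
        "home_connect_25": {"src": home_ip, "port": 25, "method": "CONNECT"},
    }
    return {k: (http_access(ORIGINAL, acls, r), http_access(FIXED, acls, r))
            for k, r in cases.items()}

if __name__ == "__main__":
    for name, (before, after) in compare().items():
        print(name, "original:", "allow" if before else "deny", "fixed:", "allow" if after else "deny")
```

With `allow all` at position 3, the stranger and the unsafe CONNECT both get through under the original list; the reordered list admits only the home address and still refuses the CONNECT to port 25.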