Product SiteDocumentation Site

5.2. Squid を安全にする

Squid is one of the most popular proxy/cache server, and there are some security issues that should be taken into account. Squid's default configuration file denies all users requests. However the Debian package allows access from 'localhost', you just need to configure your browser properly. You should configure Squid to allow access to trusted users, hosts or networks defining an Access Control List on /etc/squid/squid.conf, see the https://web.archive.org/web/20061206052115/http://www.deckle.co.za/squid-users-guide/Main_Page for more information about defining ACLs rules. Notice that Debian provides a minimum configuration for Squid that will prevent anything, except from localhost to connect to your proxy server (which will run in the default port 3128). You will need to customize your /etc/squid/squid.conf as needed.
The recommended minimum configuration (provided with the package) is shown below:
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443 563     # https, snews
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl Safe_ports port 901         # SWAT
acl purge method PURGE
acl CONNECT method CONNECT
(...)
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
# Only allow purge requests from localhost
http_access allow purge localhost
http_access deny purge
# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
http_access allow localhost
# And finally deny all other access to this proxy
http_access deny all
#Default:
# icp_access deny all
#
#Allow ICP queries from everyone
icp_access allow all
You should also configure Squid based on your system resources, including cache memory (option cache_mem), location of the cached files and the amount of space they will take up on disk (option cache_dir).
さらに、適切に設定されていなければ、だれもがメールを Squid を通じてリレーする ことができます。なぜなら、HTTP プロトコルと SMTP プロトコルは同じように 設計されているからです。Squid のデフォルトの設定ファイルでは 25 番ポートへの アクセスは禁止されています。もし 25 番ポートへの接続を許可したいなら それを Safe_ports リストに追加するだけです。しかし、これは推奨されて 「いません」
プロキシおよびキャッシュサーバを適切に設置して設定することはあなたのサイトを 安全に保つことの一部にすぎません。他に必要な仕事には何事もそうあるべきように 動いていることを確実にするため Squid のログを解析することがあります。 Debian GNU/Linux には管理者がこれを行うのを助けるパッケージがいくつかあります。 以下のパッケージが woody (Debian 3.0) で利用可能です:
  • calamaris - Log analyzer for Squid or Oops proxy log files.
  • modlogan - A modular logfile analyzer.
  • sarg - Squid Analysis Report Generator.
  • squidtaild - Squid log monitoring program.
When using Squid in Accelerator Mode it acts as a web server too. Turning on this option increases code complexity, making it less reliable. By default Squid is not configured to act as a web server, so you don't need to worry about this. Note that if you want to use this feature be sure that it is really necessary. To find more information about Accelerator Mode on Squid see the https://web.archive.org/web/20070104164802/http://www.deckle.co.za/squid-users-guide/Accelerator_Mode