更多>>关于我们

西安鲲之鹏网络信息技术有限公司从2010年开始专注于Web(网站)数据抓取领域。致力于为广大中国客户提供准确、快捷的数据采集相关服务。我们采用分布式系统架构,日采集网页数千万。我们拥有海量稳定高匿HTTP代理IP地址池,可以有效绕过各种反采集策略。

您只需告诉我们您想抓取的网站是什么,您感兴趣的字段有哪些,你需要的数据是哪种格式,我们将为您做所有的工作,最后把数据(或程序)交付给你。

数据的格式可以是CSV、JSON、XML、ACCESS、SQLITE、MSSQL、MYSQL等等。

更多>>官方微博

当前位置: 首页 > 技术文章 >
squid external_acl_type介绍及后台程序编写示例
发布时间:2016-10-17 来源:未知 浏览:

        近日我在查询Squid相关问题时无意在谷歌搜索结果中看到external_acl_type,然后详细了解了一下,发现它功能是在太强大了。
        利用external_acl_type可以自定义一种Squid的ACL类型,并且可以指定一个自定义的后端程序(Helper Program)。我们可以向这个后端程序动态传递很多有用的参数,例如客户端IP (%SRC,) 服务端IP( %MYADDR),客户端访问的URL( %PATH),访问者的用户名( %LOGIN)等变量,然后在认证程序中我们可以根据这些变量实现复杂的逻辑认证。PS:我在网上找了很久都没找到介绍这些变量参数含义的,最后抱着试一试的想法在squid.conf的注释中找到的详细的说明(如下FORMAT specifications部分)。

#  TAG: external_acl_type
#       This option defines external acl classes using a helper program
#       to look up the status
#
#         external_acl_type name [options] FORMAT.. /path/to/helper [helper arguments..]
#
#       Options:
#
#         ttl=n         TTL in seconds for cached results (defaults to 3600
#                       for 1 hour)
#         negative_ttl=n
#                       TTL for cached negative lookups (default same
#                       as ttl)
#         children-max=n
#                       Maximum number of acl helper processes spawned to service
#                       external acl lookups of this type. (default 20)
#         children-startup=n
#                       Minimum number of acl helper processes to spawn during
#                       startup and reconfigure to service external acl lookups
#                       of this type. (default 0)
#         children-idle=n
#                       Number of acl helper processes to keep ahead of traffic
#                       loads. Squid will spawn this many at once whenever load
#                       rises above the capabilities of existing processes.
#                       Up to the value of children-max. (default 1)
#         concurrency=n concurrency level per process. Only used with helpers
#                       capable of processing more than one query at a time.
#         cache=n       limit the result cache size, default is unbounded.
#         grace=n       Percentage remaining of TTL where a refresh of a
#                       cached entry should be initiated without needing to
#                       wait for a new reply. (default is for no grace period)
#         protocol=2.5  Compatibility mode for Squid-2.5 external acl helpers
#         ipv4 / ipv6   IP protocol used to communicate with this helper.
#                       The default is to auto-detect IPv6 and use it when available.
#
#       FORMAT specifications
#
#         %LOGIN        Authenticated user login name
#         %EXT_USER     Username from previous external acl
#         %EXT_LOG      Log details from previous external acl
#         %EXT_TAG      Tag from previous external acl
#         %IDENT        Ident user name
#         %SRC          Client IP
#         %SRCPORT      Client source port
#         %URI          Requested URI
#         %DST          Requested host
#         %PROTO        Requested protocol
#         %PORT         Requested port
#         %PATH         Requested URL path
#         %METHOD       Request method
#         %MYADDR       Squid interface address
#         %MYPORT       Squid http_port number
#         %PATH         Requested URL-path (including query-string if any)
#         %USER_CERT    SSL User certificate in PEM format
#         %USER_CERTCHAIN SSL User certificate chain in PEM format
#         %USER_CERT_xx SSL User certificate subject attribute xx
#         %USER_CA_xx   SSL User certificate issuer attribute xx
#
#         %>{Header}    HTTP request header "Header"
#         %>{Hdr:member}
#                       HTTP request header "Hdr" list member "member"
#         %>{Hdr:;member}
#                       HTTP request header list member using ; as
#                       list separator. ; can be any non-alphanumeric
#                       character.
#
#         %<{Header}    HTTP reply header "Header"
#         %<{Hdr:member}
#                       HTTP reply header "Hdr" list member "member"
#         %<{Hdr:;member}
#                       HTTP reply header list member using ; as
#                       list separator. ; can be any non-alphanumeric
#                       character.
#
#         %ACL          The name of the ACL being tested.
#         %DATA         The ACL arguments. If not used then any arguments
#                       is automatically added at the end of the line
#                       sent to the helper.
#                       NOTE: this will encode the arguments as one token,
#                       whereas the default will pass each separately.
#
#         %%            The percent sign. Useful for helpers which need
#                       an unchanging input format.
#
#       In addition to the above, any string specified in the referencing
#       acl will also be included in the helper request line, after the
#       specified formats (see the "acl external" directive)
#
#       The helper receives lines per the above format specification,
#       and returns lines starting with OK or ERR indicating the validity
#       of the request and optionally followed by additional keywords with
#       more details.
#
#       General result syntax:
#
#         OK/ERR keyword=value ...
#
#       Defined keywords:
#
#         user=         The users name (login)
#         password=     The users password (for login= cache_peer option)
#         message=      Message describing the reason. Available as %o
#                       in error pages
#         tag=          Apply a tag to a request (for both ERR and OK results)
#                       Only sets a tag, does not alter existing tags.
#         log=          String to be logged in access.log. Available as
#                       %ea in logformat specifications
#
#       If protocol=3.0 (the default) then URL escaping is used to protect
#       each value in both requests and responses.
#
#       If using protocol=2.5 then all values need to be enclosed in quotes
#       if they may contain whitespace, or the whitespace escaped using \.
#       And quotes or \ characters within the keyword value must be \ escaped.
#
#       When using the concurrency= option the protocol is changed by
#       introducing a query channel tag infront of the request/response.
#       The query channel tag is a number between 0 and concurrency-1.
#Default:
# none

配置示例:

        下面这个配置结合了“用户名密码认证(HTTP Basic Auth)”和“自定义的认证”。只有同时通过这两个认证的请求才会被Squid放行(否则会返回403)。

        external_acl_type自定义认证部分后端程序使用自己编写的Python脚本(后面有源码),并将%LOGIN(客户用户名),%SRC(客户端IP) ,%MYADDR(服务端IP)作为命令行参数传递给后端认证程序。

#用户名密码认证:
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/users.pwd
auth_param basic children 5
auth_param basic realm IPRENT.CN Proxy Auth Required
auth_param basic credentialsttl 2 hours
#使用external_acl_type实现的自定义认证,后台程序 /etc/squid/squid_external_acl_helper.py
#支持多种宏格式,上面帮助文档里面有列举。
#ipv4标记如果不加,可能会看到“external ACL 'ip_user_check' queue overload”异常(cache.log), >>> https://ubuntuforums.org/showthread.php?t=2187256
external_acl_type ip_user_check children-startup=5 ipv4 %LOGIN %SRC %MYADDR /usr/bin/python /etc/squid/squid_external_acl_helper.py

acl ipuseracl external ip_user_check
acl auth_users proxy_auth REQUIRED
http_access allow auth_users ipuseracl

后台程序(Helper program)示例脚本(Python):

这里只写了一个框架(直接返回验证通过),没有加入实际性的逻辑判断,你可以根据传递进来的参数实现复杂的逻辑判断。

# coding: utf-8
# squid_external_acl_helper.py
# Author: redice(qi@site-digger.com)
# Created at: 2016-10-14

# Python版本的Squid external_acl_type扩展ACL后台脚本
# 在squid.conf中的"htcp_access deny all"之前加入如下配置:
#external_acl_type ip_user_check children-startup=5 ipv4 %LOGIN %SRC %MYADDR /usr/bin/python /etc/squid/squid_external_acl_helper.py
#acl ipuseracl external ip_user_check
#http_access allow ipuseracl


import sys
import logging

# 记录日志
# sudo chmod 755 /var/log/squid/squid_auth_helper.log
# sudo chown proxy:proxy /var/log/squid/squid_auth_helper.log
logging.basicConfig(level=logging.DEBUG,
                    format='%(asctime)s %(levelname)s %(message)s',
                    filename='/var/log/squid/squid_auth_helper.log', filemode='a')


if __name__ == '__main__':
    while True:
        # 从stdin读取一行
        line = sys.stdin.readline()
        username, client_ip, local_ip = line.split()
        logging.info('New auth request: username = {}, client_ip = {}, local_ip = {}'.format(username, client_ip, local_ip))
        # 这里直接输出'OK'(通过认证,反之输出'ERR\n')。你可以根据上述参数实现复杂的认证逻辑。
        sys.stdout.write('OK\n')
        sys.stdout.flush()

日志输出示例:

2016-10-14 12:29:11,968 INFO New auth request: username = test, client_ip = 103.27.125.250, local_ip = 58.96.184.54

特别说明:该文章为鲲鹏数据原创文章 ,您除了可以发表评论外,还可以转载到别的网站,但是请保留源地址,谢谢!!(尊重他人劳动,我们共同努力)
☹ Disqus被Qiang了,之前的评论内容都没了。现在改用国产的友言。如果您有爬虫相关技术方面的问题,欢迎发到我们的问答平台:http://spider.site-digger.com/
QQ在线客服
欢迎咨询,点击这里给我发送消息。
欢迎咨询,点击这里给我发送消息。