Squid forward/reverse proxy configuration on Linux
Use cases:
1. Forward proxy
Squid is used by hundreds of network providers to give their users fast web access. It caches frequently requested content to improve performance and cut bandwidth, making full use of the traffic between clients and servers. Squid can also route content requests to servers and build multi-level cache hierarchies in various ways to optimise network throughput.
2. Reverse proxy (web content acceleration and distribution)
Squid is a caching web proxy that supports HTTP, HTTPS and FTP; by caching and reusing frequently requested pages it reduces bandwidth and improves response times. Squid is widely used for access control and as a front-end accelerator, runs on most operating systems, reduces load on origin servers and speeds up responses to clients; its content-routing configuration allows clusters and load balancing for all kinds of web requests. Versions 3.2 and later support SMP (multiple CPUs).
I. Forward proxy
Environment:
Squid
eth0: 10.0.2.15
eth1: 192.168.1.10
Client
eth0: 192.168.1.100
1. Installing Squid
A. Install with yum (binaries in /usr/sbin, configuration in /etc/squid)
yum install squid -y
B. Build from source
groupadd squid
useradd -g squid -s /sbin/nologin squid
cd ~/downloads/
wget http://www.squid-cache.org/Versions/v3/3.5/squid-3.5.4.tar.xz
tar -Jxf squid-3.5.4.tar.xz
cd squid-3.5.4
Configure options (a comment after a trailing backslash breaks the line continuation, so the annotated list is for reading; the one-line command after it is what to run):
--prefix=/usr/local/squid/
--localstatedir=/var            # base directory for cache, log and pid state
--mandir=/usr/share/man
--enable-async-io=200           # asynchronous disk I/O (aufs) with 200 worker threads
--enable-icmp                   # ICMP RTT measurements for peer selection (installs the setuid pinger helper)
--enable-delay-pools            # delay pools: bandwidth limits for particular clients or requests
--enable-kill-parent-hack       # when Squid shuts down, also kill its parent process
--enable-epoll                  # epoll network I/O on Linux
--enable-snmp                   # SNMP agent, e.g. so MRTG can graph proxy traffic
--enable-cache-digests          # cache digest exchange with peers
--with-large-files              # files and logs larger than 2 GB
--disable-arp-acl               # no ARP/MAC-address client ACLs (Squid 3.2+ renamed this option --disable-eui; configure warns about the old name)
--disable-ident-lookups         # no RFC 931 ident lookups
./configure --prefix=/usr/local/squid/ --localstatedir=/var --mandir=/usr/share/man --enable-async-io=200 --enable-icmp --enable-delay-pools --enable-kill-parent-hack --enable-epoll --enable-snmp --enable-cache-digests --with-large-files --disable-arp-acl --disable-ident-lookups
make && make install
vim /etc/init.d/squid    # Squid init script
#!/bin/bash
# Squid server script
# chkconfig: 2345 86 17
# description: Squid proxy server

squid_prefix='/usr/local/squid'
squid_pid='/var/run/squid.pid'      # must match pid_filename in squid.conf

start() {
    if [ -e "$squid_pid" ]; then
        echo "squid already started, nothing to do"
    else
        # validate the configuration before starting
        if ! "$squid_prefix/sbin/squid" -k parse > /dev/null 2>&1; then
            echo "squid config file has errors (run: $squid_prefix/sbin/squid -k parse)"
        else
            echo "Squid is starting..."
            "$squid_prefix/sbin/squid" -s       # -s: also log to syslog
        fi
    fi
}

stop() {
    if [ ! -e "$squid_pid" ]; then
        echo "squid already stopped, nothing to do"
    else
        echo "Squid is stopping..."
        "$squid_prefix/sbin/squid" -k shutdown
    fi
}

status() {
    if [ -e "$squid_pid" ]; then
        echo "squid (pid $(cat "$squid_pid")) is running..."
    else
        echo "Squid is stopped"
    fi
}

case "$1" in
    start)   start ;;
    stop)    stop ;;
    restart)
        stop
        sleep 40        # shutdown_lifetime defaults to 30 s; wait for the old process to exit
        start ;;
    status)  status ;;
    reload)
        echo "Squid is reloading"
        "$squid_prefix/sbin/squid" -k reconfigure ;;
    *)
        echo "Usage: $0 {start|stop|restart|status|reload}" ;;
esac
chmod a+x /etc/init.d/squid
chkconfig --add squid   # register as a system service
chkconfig squid on
Log rotation:
vim /etc/cron.d/squid_cutlog
0 3 * * * root /usr/local/squid/sbin/squid -k rotate   # rotate once a day at 03:00 (files in /etc/cron.d need the user field; the yum package's binary is /usr/sbin/squid). logfile_rotate (default 10) sets how many old copies are kept.
2. Configuring Squid
vim /usr/local/squid/etc/squid.conf   # main configuration file of the source build (the yum package uses /etc/squid/squid.conf). Keep the stock file's cache-manager rules (http_access allow localhost manager / http_access deny manager) ahead of the rules below: the excerpt does not repeat them, and without them every allowed client can query the manager interface.
# 1. http_access rules are evaluated top down; the first matching rule decides.
# 2. Specific before general: deny the special cases first, then allow the bulk, and end with
#    an explicit catch-all deny (if nothing matches, Squid applies the opposite of the last rule).
# More on access control: http://wiki.squid-cache.org/SquidFaq/SquidAcl
acl 163mail dstdomain .163.com
# URL keywords
#acl Cooking1 url_regex -i cooking
acl Bad_Url url_regex -i "/usr/local/squid/etc/Bad_Url.lst"
# Local networks (the page defined this ACL twice, as Mynetwork and MyNetwork; merged here)
acl Mynetwork src 192.168.1.0/24 192.168.18.0/24
#acl Arp1 arp 01:02:03:04:05:06
acl localnet src 10.0.0.0/8        # RFC1918 possible internal network
acl localnet src 172.16.0.0/12     # RFC1918 possible internal network
acl localnet src 192.168.0.0/16    # RFC1918 possible internal network
acl localnet src fc00::/7          # RFC 4193 local private network range
acl localnet src fe80::/10         # RFC 4291 link-local (directly plugged) machine
# Sites that are never cached
acl No_cache dstdomain .2345.com
# Cache eviction requests
acl Purge method PURGE
# Specific users
acl Admin src 192.168.1.11
acl Manage src 192.168.1.15-192.168.1.25
# Blocked client IPs
acl Bad_client src "/usr/local/squid/etc/Bad_client.lst"
# Connection limit per client
acl Max_conn maxconn 10
# Working hours (day letters: M T W H=Thursday F, A=Saturday, S=Sunday)
acl Work_time time MTWHF 09:00-12:00
acl Work_time time MTWHF 13:00-17:00

cache deny No_cache                # never store 2345.com objects
always_direct allow 163mail        # fetch 163.com directly, never via a parent cache
http_access allow Admin Purge      # only Admin (and localhost, next line) may send PURGE
http_access allow localhost Purge  # added: the squidclient PURGE command run on the proxy itself needs this
http_access deny Purge
http_access allow Admin
http_access allow Manage
http_access deny Bad_client
http_access deny Bad_Url
http_access deny Max_conn Mynetwork
http_access allow Mynetwork Work_time   # LAN clients only during working hours
http_access deny Mynetwork
#http_access allow Mynetwork
http_access allow localnet
http_access allow localhost
http_access deny all               # keep this last; any rule placed after it is never reached

http_port 3128
dns_nameservers 114.114.114.114 8.8.8.8   # resolvers to use; takes precedence over /etc/resolv.conf
cache_dir ufs /var/cache/squid 100 16 256 # 100 MB, 16 first-level and 256 second-level directories; several cache_dir lines are allowed
maximum_object_size 4 MB           # largest object written to the disk cache
cache_mem 32 MB                    # memory for in-transit and hot objects; Squid's total memory use is well above this value, so do not size it as half of RAM
half_closed_clients off            # drop half-closed client connections instead of waiting for them
cache_swap_high 95                 # above 95% cache_dir usage evict aggressively ...
cache_swap_low 80                  # ... until usage falls back to 80%
#maximum_object_size_in_memory 512 KB   # largest object kept in cache_mem
cache_effective_user squid         # run as this user and group
cache_effective_group squid
# logs
access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
pid_filename /var/run/squid.pid
visible_hostname Proxy.Srv01       # hostname shown in error pages and Via/X-Cache headers
cache_mgr chenxuwq@163.com         # administrator address shown on error pages
# Freshness rules: refresh_pattern [-i] regex min percent max [options]
# An object without explicit expiry is fresh while its age is below min, or below
# percent of its age since Last-Modified and also below max.
# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320
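`squid -k parse` only checks syntax; it will happily accept a policy whose rules are in the wrong order. The script below is an added example (not part of the original page) that applies three static checks to a squid.conf read from stdin: http_access lines placed after `http_access deny all` (which never match, as in the page's second MyNetwork block), whether a non-localhost allow precedes `http_access deny manager`, and what the final rule is. Both embedded configs are constructed for the example; SAMPLE_CONF reproduces the page's rule order and FIXED_CONF the corrected one.

```shell
#!/bin/sh
# Static policy checks for a squid.conf. The two excerpts below are constructed for
# this example: SAMPLE_CONF reproduces the rule order of the page's configuration
# (a trailing allow after "deny all"), FIXED_CONF is the corrected order.
SAMPLE_CONF='acl Mynetwork src 192.168.1.0/24
acl Purge method PURGE
acl Admin src 192.168.1.11
http_access allow Admin Purge
http_access deny Purge
http_access allow Admin
http_access allow Mynetwork
http_access allow localhost
http_access deny all
http_port 3128
http_access allow MyNetwork'

FIXED_CONF='acl Mynetwork src 192.168.1.0/24 192.168.18.0/24
acl Purge method PURGE
acl Admin src 192.168.1.11
http_access allow localhost manager
http_access deny manager
http_access allow Admin Purge
http_access allow localhost Purge
http_access deny Purge
http_access allow Admin
http_access allow Mynetwork
http_access allow localhost
http_access deny all
http_port 3128'

# Print every http_access line that follows the first "http_access deny all":
# those rules can never match.
unreachable_http_access() {
    awk 'tolower($1) == "http_access" && seen_deny_all { print NR ": " $0 }
         tolower($1) == "http_access" && $2 == "deny" && $3 == "all" { seen_deny_all = 1 }'
}

# Heuristic: the cache-manager interface is exposed if any non-localhost allow
# appears before "http_access deny manager".
manager_status() {
    awk 'tolower($1) == "http_access" && $2 == "deny" && $3 == "manager" { closed = 1 }
         tolower($1) == "http_access" && $2 == "allow" && $3 != "localhost" && !closed { exposed = 1 }
         END { print (exposed ? "manager: exposed" : "manager: closed") }'
}

# Print action and first ACL of the last http_access line ("deny all" is what you want).
final_rule() {
    awk 'tolower($1) == "http_access" { last = $2 " " $3 }
         END { print last }'
}

# Run all checks on one config fed through stdin.
check_conf() {
    conf=$(cat)
    printf '%s\n' "$conf" | unreachable_http_access | sed 's/^/unreachable: /'
    printf '%s\n' "$conf" | manager_status
    printf '%s\n' "$conf" | final_rule | sed 's/^/final rule: /'
}

echo "== page order =="
printf '%s\n' "$SAMPLE_CONF" | check_conf
echo "== corrected =="
printf '%s\n' "$FIXED_CONF" | check_conf
```

On the proxy, run `check_conf < /usr/local/squid/etc/squid.conf` after `squid -k parse`; the manager check is a heuristic (it treats any allow of a non-localhost ACL before `deny manager` as exposure) and is meant to catch the ordering mistake, not to replace reading the policy.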
mkdir -p /var/cache/squid /var/log/squid
chown -R squid:squid /var/cache/squid /var/log/squid   # cache and log directories must be writable by cache_effective_user (make install does not create /var/log/squid)
/usr/local/squid/sbin/squid -z                          # create the cache_dir swap directories
Start Squid
/etc/init.d/squid restart                                          # yum package, or the init script created above
/usr/local/squid/sbin/squid -f /usr/local/squid/etc/squid.conf     # source build: start with an explicit configuration file
/usr/local/squid/bin/squidclient -p 3128 mgr:info        # runtime status
/usr/local/squid/bin/squidclient -p 3128 mgr:mem         # memory usage
/usr/local/squid/bin/squidclient -p 3128 mgr:diskd       # disk I/O daemon stats (diskd cache_dir only; mgr:storedir shows cache_dir usage)
/usr/local/squid/bin/squidclient -p 3128 mgr:objects
/usr/local/squid/bin/squidclient -p 3128 mgr:            # list the available manager actions (mgr:menu)
/usr/local/squid/bin/squidclient -p 3128 PURGE http://www.php-oa.com/static.php   # evict one URL; the Purge ACL must allow the client sending it (Admin, or localhost when run on the proxy)
/usr/local/squid/sbin/squid -k reconfigure   # reload the configuration
/usr/local/squid/sbin/squid -k reconfigure|rotate|shutdown|restart|interrupt|kill|debug|check|parse   # -k actions (parse = syntax check only)
/usr/local/squid/sbin/squid -N -d1   # run in the foreground with debug level 1
3. Client tests
1. Access outside working hours:
curl --proxy 192.168.1.10:3128 www.cooking.com
<p>Access control configuration prevents your request from being allowed at this time. Please contact your service provider if you feel this is incorrect.</p>
2. Access a URL matching a blocked keyword (assuming Bad_Url.lst contains a pattern such as baidu):
curl --proxy 192.168.1.10:3128 www.baidu.com
<h2>The requested URL could not be retrieved</h2>
The h2 heading is common to all of Squid's error pages; the "Access Denied" text further down the page, or a TCP_DENIED/403 entry in access.log, is what confirms an ACL match rather than an upstream failure.
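The curl tests above show one denial at a time; on a live proxy the same evidence accumulates in access.log as TCP_DENIED entries. The script below is an added example (not from the original page) that summarises those denials per client with POSIX awk, so a rule that blocks too much, or a client that keeps probing blocked sites, stands out. The six log lines are constructed for the example in Squid's native access.log format; the IPs match the page's lab.

```shell
#!/bin/sh
# Summarise ACL denials from Squid's native access.log.
# The log lines below are constructed for this example; they follow the native
# format: time elapsed client action/status bytes method URL user hierarchy/peer type
SAMPLE_LOG='1431600000.123      0 192.168.1.100 TCP_DENIED/403 3897 GET http://www.cooking.com/ - HIER_NONE/- text/html
1431600001.456    120 192.168.1.11 TCP_MISS/200 5120 GET http://www.163.com/ - HIER_DIRECT/123.58.180.7 text/html
1431600002.789      0 192.168.1.100 TCP_DENIED/403 3897 GET http://www.baidu.com/ - HIER_NONE/- text/html
1431600003.012     45 192.168.1.15 TCP_HIT/200 2048 GET http://www.test.org/ - HIER_NONE/- text/html
1431600004.345      0 192.168.1.100 TCP_DENIED/403 3897 CONNECT www.baidu.com:443 - HIER_NONE/- text/html
1431600005.678      0 192.168.1.200 TCP_DENIED/403 3897 GET http://www.2345.com/ - HIER_NONE/- text/html'

# "client count" for every client with at least one TCP_DENIED entry, busiest first.
denied_by_client() {
    awk '$4 ~ /^TCP_DENIED\// { n[$3]++ }
         END { for (c in n) print c, n[c] }' |
    sort -k2,2nr -k1,1
}

# Distinct destinations a given client was refused.
denied_urls_for() {
    awk -v c="$1" '$3 == c && $4 ~ /^TCP_DENIED\// { print $7 }' | sort -u
}

# Clients whose denial count reaches the threshold in $1 (e.g. to raise an alert).
flag_clients() {
    denied_by_client | awk -v t="$1" '$2 >= t { print $1 }'
}

# On the proxy: tail -n 10000 /var/log/squid/access.log | denied_by_client
printf '%s\n' "$SAMPLE_LOG" | denied_by_client
printf '%s\n' "$SAMPLE_LOG" | flag_clients 2
```

The functions read stdin, so they work equally on a rotated file or a `tail -f` pipe; `denied_urls_for 192.168.1.100` then shows which ACL (time window, Bad_Url, CONNECT to a blocked host) produced the denials.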
II. Transparent (intercepting) proxy (a special kind of forward proxy)
vim /usr/local/squid/etc/squid.conf   # same configuration as above, with "intercept" added to http_port
http_port 3128 intercept
An intercept port only accepts NAT-redirected traffic and authentication is disabled on it; if explicit-proxy clients or squidclient must keep working, add a second port instead (e.g. http_port 3129 intercept) and point the iptables REDIRECT rule below at that port.
vim /etc/sysctl.conf   # enable IP forwarding in the kernel
# Controls IP packet forwarding
net.ipv4.ip_forward = 1
# Controls source route verification (0 disables reverse-path anti-spoofing checks; not needed for REDIRECT on one box, keep 1 unless asymmetric routing requires otherwise)
net.ipv4.conf.default.rp_filter = 0
# Do not accept source routing
net.ipv4.conf.default.accept_source_route = 0
sysctl -p
Add firewall rules (MASQUERADE for outbound traffic, REDIRECT for interception):
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i eth1 -p tcp --dport 3128 -j ACCEPT   # accept proxy connections from the LAN side only (the page accepted them on every interface)
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128
/etc/init.d/iptables save
Only plain HTTP (TCP 80) arriving on eth1 is redirected into Squid; HTTPS and everything else still leaves through the MASQUERADE rule without passing the ACLs above.
References:
http://www.squid-cache.org/Doc/config/
http://wiki.squid-cache.org/ConfigExamples
http://www.deckle.co.uk/squid-users-guide/
III. Reverse proxy
A reverse proxy, also called a web accelerator, sits in front of the web servers and caches their content on their behalf. The setups below are grouped by how the Squid nodes are connected:
A. Single Squid server
DNS resolves the site name to the Squid server; on a cache miss Squid fetches the object from the origin servers round-robin and returns it to the client.
Environment:
DNS/Squid
eth0:192.168.1.10
eth1:192.168.18.10
webServer1
eth0:192.168.1.11
webServer2
eth0:192.168.1.15
Client
eth1:192.168.18.1
1. Configuring the DNS server
A reverse proxy combined with split-horizon DNS (BIND views) gives a basic CDN: clients in different regions get the address of the Squid server nearest to them.
yum install bind -y
vim /etc/named.conf   # main configuration file
options {
        listen-on port 53 { 192.168.18.10; 192.168.1.10; };
#       listen-on port 53 { any; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { 192.168.18.0/24; 192.168.1.0/24; };   # only the two lab networks may query; with recursion on this must not become "any"
#       allow-query     { any; };
        recursion yes;

        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside auto;   # DLV; ISC retired the DLV registry in 2017 and newer BIND releases drop this option

        rrset-order { order cyclic; };   # round-robin answers for names with several A records

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

vim /etc/named.rfc1912.zones   # zone definitions
zone "test.org" IN {
        type master;
        file "test.org.zone";
        allow-update { none; };
};
zone "1.168.192.in-addr.arpa" IN {    # the page had "in-adr.arpatest", a typo
        type master;
        file "1.168.192.org.zone";
        allow-update { none; };
};
cd /var/named/
cp -a named.localhost test.org.zone     # copy the template zone files
cp -a named.empty 1.168.192.org.zone
vim test.org.zone   # forward zone file
$TTL 3H
@       IN SOA  ns.test.org. root.test.org. (
                                        1       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
@       IN NS   ns.test.org.
ns      IN A    192.168.18.10
www     IN A    192.168.18.10
vim 1.168.192.org.zone   # reverse zone file
$TTL 3H
@       IN SOA  ns.test.org. root.test.org. (
                                        1       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
@       IN NS   ns.test.org.
10      IN PTR  www.test.org.           ; a PTR target is a hostname, not a URL (the page had http://www.test.org.)
/etc/init.d/named start   # start and register as a system service
chkconfig named on
iptables -A INPUT -m state --state NEW -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -m state --state NEW -p udp --dport 53 -j ACCEPT
service iptables save
2. Squid configuration
Most of the reverse-proxy configuration is the same as for the forward proxy; the lines specific to acceleration are below. Note that the forward-proxy http_access rules let any localnet client request any site, so in accel mode this box would also act as an open forward proxy; restrict it to the published domains (an acl dstdomain for www.test.org followed by http_access deny all, plus never_direct allow all so nothing bypasses the origin peers).
http_port 80 accel vhost       # accel: accelerator (reverse proxy) mode; vhost: select the backend by the Host header
http_port 3128                 # plain port so squidclient can still manage the cache
# Origin servers
# cache_peer hostname type http-port icp-port [options]   type = parent | sibling | multicast
#   no-query      never send ICP queries to this peer (icp-port 0)
#   originserver  the peer is an origin web server, not another cache
#   round-robin   rotate requests among the peers that carry this flag
#   weight=N      relative weight in peer selection
cache_peer 192.168.1.11 parent 80 0 no-query originserver round-robin name=webServer1
cache_peer 192.168.1.15 parent 80 0 no-query originserver round-robin name=webServer2
visible_hostname Proxy.Srv01   # hostname shown in error pages and Via/X-Cache headers
3. Origin web server setup
3.1 webServer1
yum install httpd -y
echo "webServer1" > /var/www/html/index.html
service httpd start
chkconfig httpd on
3.2 webServer2 is configured the same way (with "webServer2" in index.html)
Test from the client: http://www.test.org/ (cache misses alternate between webServer1 and webServer2; the Via and X-Cache response headers carry the Squid hostname)
B. Neighbouring Squid servers (two or more)
DNS hands out the Squid servers' addresses round-robin (one www A record per Squid in the zone file above); a Squid that has no cached copy asks its sibling over ICP before going to the origin, and returns the result to the client.
Environment:
DNS/Squid1
eth0:192.168.1.10
eth1:192.168.18.10
Squid2
eth0:192.168.1.15
eth1:192.168.18.15
webServer1
eth0:192.168.1.11
eth0:192.168.18.11
webServer2
eth0:192.168.1.100
eth0:192.168.18.100
Client
eth1:192.168.18.1
http_port 80 accel vhost
icp_port 3130                  # ICP query port (UDP)
http_port 3128                 # plain port for squidclient cache management
cache_peer 192.168.1.11 parent 80 0 no-query originserver round-robin name=webServer1
cache_peer 192.168.1.100 parent 80 0 no-query originserver round-robin name=webServer2
# Squid1 and Squid2 are siblings: when a request misses in the local cache, the neighbour is
# queried over ICP (UDP 3130) before the origin is contacted. Each Squid lists only the OTHER
# one; the page listed both, which makes each server its own sibling.
cache_peer 192.168.1.15 sibling 80 3130    # on Squid1 (192.168.1.10)
#cache_peer 192.168.1.10 sibling 80 3130   # on Squid2 (192.168.1.15) use this line instead
# ICP queries are refused unless icp_access rules exist, so allow the sibling explicitly,
# e.g. acl peers src 192.168.1.10 192.168.1.15 / icp_access allow peers / icp_access deny all
# Forward www.test.org round-robin to one of the two origin servers
# (cache_peer_domain takes one peer per line: cache_peer_domain peer-name domain [domain ...])
cache_peer_domain webServer1 www.test.org
cache_peer_domain webServer2 www.test.org
iptables -A INPUT -m state --state NEW -p tcp --dport 3128 -j ACCEPT
iptables -A INPUT -m state --state NEW -p tcp --dport 3130 -j ACCEPT
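The excerpts in sections A and B only show the acceleration directives; the access policy, which decides whether the accelerator can be abused as an open proxy, is left implicit. The following squid.conf is an added example, not the page's own configuration, that merges the single-server setup of section A with the sibling setup of section B and adds the restrictions a reverse proxy needs. Addresses are those of section B (Squid1 192.168.1.10, Squid2 192.168.1.15, origins 192.168.1.11 and 192.168.1.100); the ACL names our_sites and peers are chosen here.

```conf
# Added example: hardened reverse-proxy squid.conf for Squid1 (192.168.1.10).
http_port 80 accel vhost
http_port 3128                 # squidclient / cachemgr only; keep it firewalled from clients
icp_port 3130                  # only needed with sibling caches (section B)
visible_hostname Proxy.Srv01

# Origin servers, round-robin
cache_peer 192.168.1.11  parent 80 0 no-query originserver round-robin name=webServer1
cache_peer 192.168.1.100 parent 80 0 no-query originserver round-robin name=webServer2
# Sibling cache: Squid2. On Squid2 list 192.168.1.10 here instead; never list yourself.
# proxy-only: do not keep a second copy of objects fetched from the sibling.
cache_peer 192.168.1.15 sibling 80 3130 proxy-only

# Only the published site may be requested through this accelerator
acl our_sites dstdomain www.test.org
acl peers src 192.168.1.10 192.168.1.15

http_access allow localhost manager
http_access deny manager
http_access allow our_sites
http_access deny all

# The origin peers serve our_sites only, and nothing is ever fetched directly
# from an arbitrary Host header: an unknown domain fails instead of being proxied.
cache_peer_access webServer1 allow our_sites
cache_peer_access webServer1 deny all
cache_peer_access webServer2 allow our_sites
cache_peer_access webServer2 deny all
never_direct allow all

# Answer ICP queries only from the sibling (default is deny when no rule exists)
icp_access allow peers
icp_access deny all
```

After `squid -k parse` and `squid -k reconfigure`, a request with a foreign Host header (`curl -H 'Host: www.example.com' http://192.168.18.10/`) must come back as a Squid access-denied page, while `curl -H 'Host: www.test.org' http://192.168.18.10/` alternates between the two origin servers on cache misses.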
IV. Content filtering plugin: SquidGuard
SquidGuard is a URL-redirector plugin for Squid: while Squid 3 processes a request it hands the URL to SquidGuard, which checks it against the categorised site database SquidGuard maintains and, according to your rules, redirects (blocks) the request.
http://www.squidguard.org/
1. Download the main program
wget http://www.squidguard.org/Downloads/squidGuard-1.4.tar.gz
2. Download the patches:
wget http://www.squidguard.org/Downloads/Patches/1.4/squidGuard-1.4-patch-20091015.tar.gz \
http://www.squidguard.org/Downloads/Patches/1.4/squidGuard-1.4-patch-20091015.tar.gz.md5 \
http://www.squidguard.org/Downloads/Patches/1.4/squidGuard-1.4-patch-20091019.tar.gz \
http://www.squidguard.org/Downloads/Patches/1.4/squidGuard-1.4-patch-20091019.tar.gz.md5 \
http://www.squidguard.org/Downloads/Patches/1.4/squidGuard-1.4-patch-20150201.tar.gz \
http://www.squidguard.org/Downloads/Patches/1.4/squidGuard-1.4-patch-20150201.tar.gz.md5
tar -zxf squidGuard-1.4.tar.gz -C /opt/downloads/    # unpack the main program first; the page skipped this step
for f in squidGuard-1.4-patch-*.tar.gz.md5; do md5sum -c "$f"; done   # check each patch archive against its .md5 (assumes md5sum's "hash  file" format; integrity only, since MD5 files fetched over plain HTTP do not authenticate the source)
tar -zxf squidGuard-1.4-patch-20091015.tar.gz -C /opt/downloads/squidGuard-1.4/src/
tar -zxf squidGuard-1.4-patch-20091019.tar.gz -C /opt/downloads/squidGuard-1.4/src/
tar -zxf squidGuard-1.4-patch-20150201.tar.gz -C /opt/downloads/squidGuard-1.4/src/
cd /opt/downloads/squidGuard-1.4
./configure --prefix=/usr/local/squidGuard
make && make install
groupadd squid
useradd -g squid -s /sbin/nologin squid
wget http://www.squid-cache.org/Versions/v3/3.5/squid-3.5.4.tar.xz
tar -Jxf squid-3.5.4.tar.xz
cd squid-3.5.4
./configure --prefix=/usr/local/squid
make && make install
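The page ends before showing how SquidGuard is wired into Squid, so the following is an added example rather than the page's configuration. It follows the --prefix values used above; the "adult" category, the list file names, the block page URL and the child count are assumptions for illustration.

```conf
# Added example: /usr/local/squidGuard/squidGuard.conf
dbhome /usr/local/squidGuard/db       # compiled .db files live here
logdir /usr/local/squidGuard/log      # must be writable by the user Squid runs as (cache_effective_user squid)

dest adult {                          # category name is an assumption
    domainlist adult/domains          # one domain per line, e.g. example.com
    urllist    adult/urls             # one URL without scheme per line, e.g. example.com/path
}

acl {
    default {
        pass !adult all               # everything except the "adult" category passes through
        redirect http://192.168.1.10/blocked.html   # block page served by the proxy host (assumed)
    }
}

# Added example: lines to append to /usr/local/squid/etc/squid.conf
url_rewrite_program /usr/local/squidGuard/bin/squidGuard -c /usr/local/squidGuard/squidGuard.conf
url_rewrite_children 5
```

Compile the lists once with `/usr/local/squidGuard/bin/squidGuard -c /usr/local/squidGuard/squidGuard.conf -C all`, make db/ and log/ owned by squid (the rewriter runs as cache_effective_user and will silently pass everything if it cannot open its database or log), then `squid -k reconfigure`. SquidGuard can be tested without Squid by feeding it a line in the rewriter's input format, `echo "http://www.example.com/ 192.168.1.100/- - GET -" | /usr/local/squidGuard/bin/squidGuard -c /usr/local/squidGuard/squidGuard.conf`: a blocked request yields a line containing the redirect URL, a permitted one an empty line.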