配置squid，实现正向代理

环境：CentOS 6.5

代理主机ip：192.168.3.224，10.0.0.10

内网主机ip：10.0.0.11

安装前准备

1、关闭selinux

[[email protected] ~]# setenforce 0
[[email protected] ~]# getenforce
permissive
[[email protected] ~]# vim /etc/selinux/config
SELINUX=disabled

2、关闭防火墙filter表，设置防火墙端口转发规则

[[email protected] ~]# iptables -t filter -F
[[email protected] ~]# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

[[email protected] ~]# service iptables save

3、修改主机路由模式

[[email protected] ~]# vim /etc/sysctl.conf
net.ipv4.ip_forward = 1

编译安装squid

1、安装squid

http://www.squid-cache.org/Versions/v3/3.2/squid-3.2.3.tar.gz

[[email protected] ~]# tar xf squid-3.2.3.tar.gz
[[email protected] ~]# cd squid-3.2.3

[[email protected] ~]# ./configure --prefix=/usr/local/squid --enable-dlmalloc --enable-gnuregex --disable-carp --enable-async-io=100 --with-aufs-threads=32 --with-pthreads --enable-storeio="ufs,aufs" --enable-removal-policies="heap,lru" --enable-icmp --enable-htcp --enable-delay-pools --enable-useragent-log --enable-referer-log --disable-wccp --disable-wccpv2 --enable-kill-parent-hack --enable-arp-acl --disable-snmp --enable-default-err-language=Simplify_Chinese --enable-err-languages="Simplify_Chinese English" --disable-poll --disable-select --enable-epoll --enable-auth --enable-auth-basic="DB,NCSA,PAM,RADIUS,SASL" --with-aio --disable-ident-lookups --enable-truncate --enable-stacktraces --with-maxfd=65535 --disable-ipv6 --enable-ipf-transparent --enable-linux-netfilter

2、配置squid

[[email protected] ~]# mkdir -p /data/squid/{cache,coredump,logs}

[[email protected] ~]# /usr/sbin/groupadd squid
[[email protected] ~]# /usr/sbin/useradd squid -g squid -s /sbin/nologin

[[email protected] ~]# chmod -R 777 /data/squid/{cache,coredump,logs}
[[email protected] ~]# chown -R squid.squid /data/squid/{cache,coredump,logs}

3、配置文件内容

[[email protected] ~]# vim /usr/local/squid/etc/squid.conf
http_port 10.0.0.10:1080
                                           
cache_effective_user squid
cache_effective_group squid
                                           
cache_mem 2048 MB
cache_swap_low 90
cache_swap_high 95
                                           
ipcache_size 1024
ipcache_low 90
ipcache_high 95
                                           
cache_replacement_policy lru
memory_replacement_policy lru
                                           
cache_dir aufs /data/squid/cache 20480 16 256
coredump_dir /data/squid/coredump
                                           
memory_pools_limit 1024 MB
max_open_disk_fds 0
minimum_object_size 0 KB
maximum_object_size 32768 KB
maximum_object_size_in_memory 2048 KB
                                           
access_log /dev/null
cache_access_log none
                                           
cache_log /dev/null
cache_store_log none
                                           
cache_swap_log /data/squid/logs/swap.log
                                           
logfile_rotate 1
pid_filename /usr/local/squid/var/logs/squid.pid
                                           
cache_mgr [email protected]
strip_query_terms off
visible_hostname ProxySrv
error_directory /usr/local/squid/share/errors/zh-cn
                                           
request_header_max_size 64 KB
request_body_max_size 0 KB
                                           
negative_ttl 5 minutes
read_timeout 1 minutes
client_lifetime 10 minutes
connect_timeout 1 minute
peer_connect_timeout 30 seconds
request_timeout 2 minutes
persistent_request_timeout 1 minute
                                           
client_persistent_connections off
server_persistent_connections on
tcp_recv_bufsize 65535 bytes
half_closed_clients off
httpd_suppress_version_string off
ie_refresh off
allow_underscore on
                                           
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320
                                           
dns_nameservers DNS服务器IP
                                           
acl OverConnLimit maxconn 300
http_access deny OverConnLimit
                                           
acl our_network src 192.168.0.0/16
http_access allow our_network
                                           
acl SSL_ports port 443
acl CONNECT method CONNECT
http_access deny CONNECT !SSL_ports
                                           
request_header_access Via deny all
request_header_access X-Forwarded-For deny all

#检查配置是否正确
[[email protected] ~]# /usr/local/squid/sbin/squid -k parse

#初始化cache缓存目录
[[email protected] ~]# /usr/local/squid/sbin/squid -z

4、配置启动脚本

[[email protected] ~]# vim /etc/init.d/squid
#!/bin/sh
#
#squid - this script start and stop the squid daemon
#
# chkconfig: - 90 25
# description: squid is a pagecache reverse proxy.
# processname: squid
# pidfile: /usr/local/squid/var/logs/squid.pid
# config: /usr/local/squid/etc/squid.conf
#
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
              
BINFILE="/usr/local/squid/sbin/squid"
CFGFILE="/usr/local/squid/etc/squid.conf"
PIDFILE="/usr/local/squid/var/logs/squid.pid"
LOCKFILE="/var/lock/squid.lock"
CACHEPATH="/data/squid/cache"
OUTFILE="/data/squid/logs/squid.out"
              
SQUID_PIDFILE_TIMEOUT=${SQUID_PIDFILE_TIMEOUT:-20}
SQUID_SHUTDOWN_TIMEOUT=${SQUID_SHUTDOWN_TIMEOUT:-100}
              
[[ -f $BINFILE ]] && SQUID="${BINFILE}"
              
CACHE_SWAP=`sed -e ‘s/#.*//g‘ ${CFGFILE} | grep cache_dir | awk ‘{print $3}‘`
[ -z "$CACHE_SWAP" ] && CACHE_SWAP="${CACHEPATH}"
              
RETVAL=0
              
start() {
    if [[ ! -f ${CFGFILE} ]]; then
        echo "The configuration file: ${CFGFILE} has no found!" 1>&2
        exit 6
    fi
                 
    SQUID_OPTS="-s -f ${CFGFILE}"
                 
    [[ -z "$SQUID" ]] && echo "Insufficient privilege" 1>&2 && exit 4
                 
    for adir in $CACHE_SWAP
    do
        if [[ ! -d $adir/00 ]]; then
            echo -n "init_cache_dir $adir"
            $SQUID -z -F -D >> ${OUTFILE} 2>&1
        fi
    done
                 
    echo -n "Starting squid..."
    $SQUID $SQUID_OPTS >> ${OUTFILE} 2>&1
                 
    RETVAL=$?
                 
    if [[ $RETVAL -eq 0 ]]; then
        timeout=0;
                     
        while :
        do
            [[ ! -f ${PIDFILE} ]] || break
            [[ $timeout -ge $SQUID_PIDFILE_TIMEOUT ]] && RETVAL=1 && break
                         
            sleep 1 && echo -n "."
            timeout=$((timeout+1))
        done
    fi
                 
    echo ""
    [[ $RETVAL -eq 0 ]] && touch ${LOCKFILE}
    [[ $RETVAL -eq 0 ]] && echo "start squid is ok!"
    [[ $RETVAL -ne 0 ]] && echo "start squid is failed!"
                 
    return $RETVAL
}
              
stop() {
    SQUID_SHUTDOWN_TIMEOUT=${SQUID_SHUTDOWN_TIMEOUT:-100}
    echo -n "Stopping squid..."
    $SQUID -k check >> ${OUTFILE} 2>&1
                 
    RETVAL=$?
                 
    if [[ $RETVAL -eq 0 ]]; then
        $SQUID -k shutdown &
        rm -f ${LOCKFILE}
                     
        timeout=0
                     
        while :
        do
            [[ -f ${PIDFILE} ]] || break
            [[ $timeout -ge $SQUID_SHUTDOWN_TIMEOUT ]] && echo "" && return 1
                         
            sleep 2 && echo -n "."
            timeout=$((timeout+2))
        done
                     
        echo ""
        echo "Stop squid is ok!"
    else
        echo ""
        echo "Stop squid is failed!"
        [[ ! -e ${LOCKFILE} ]] && RETVAL=0
    fi
                 
    return $RETVAL
}
              
restart() {
    stop
    sleep 1
    start
}
              
case "$1" in
start)
    start
    ;;
                 
stop)
    stop
    ;;
                 
reload)
    SQUID_OPTS=${SQUID_OPTS:-"-D"}
    $SQUID -k reconfigure -f ${CFGFILE}
    ;;
                 
restart)
    restart
    ;;
                 
condrestart)
    [[ -e ${LOCKFILE} ]] && restart || :
    ;;
                 
*)
    echo $"Usage: $0 {start|stop|reload|restart|condrestart}"
    exit 2
esac
              
exit $?

[[email protected] ~]# chmod +x /etc/init.d/squid  #添加执行权限
[[email protected] ~]# service squid start         #启动服务

3、配置主机ip地址

代理主机内网ip

[[email protected] ~]# vim /etc/sysconfig/network-scripts/ifcfg-eth0:0
DEVICE=eth0:0
TYPE=Ethernet
ONBOOT=yes
NM_CONTROLLED=yes
BOOTPROTO=none
IPADDR=10.0.0.10
NETMASK=255.0.0.0

内网主机ip地址

[[email protected] ~]# vim /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
HWADDR=52:54:00:B1:B4:99
TYPE=Ethernet
UUID=4dd9081e-2cf6-4f81-bde4-561d3877267e
ONBOOT=yes
NM_CONTROLLED=yes
BOOTPROTO=static
IPADDR=10.0.0.11
NETMASK=255.0.0.0
GATEWAY=10.0.0.10
DNS1=8.8.8.8
DNS2=8.8.4.4

内网主机测试可行：

[[email protected] ~]# curl -I www.qq.com
HTTP/1.1 200 OK
Server: squid/3.4.3
Date: Wed, 13 Jul 2016 06:01:36 GMT
Content-Type: text/html; charset=GB2312
Connection: keep-alive
Vary: Accept-Encoding
Vary: Accept-Encoding
Expires: Wed, 13 Jul 2016 06:02:36 GMT
Cache-Control: max-age=60
Vary: Accept-Encoding
Access-Control-Allow-Origin: http://bz.qq.com
X-Cache: HIT from nanjing.qq.com