环境:一台单网卡服务器 ,Centos6.8 serverSystem,squid-3.1.23-16.el6_8.6.x86_64
代理服务功能:
代理服务器是目前网络中常见的服务器之一,它可以提供文件缓存、复制和地址过滤等服务,充分利用有限的出口带宽,加快内部主机的访问速度,也可以解决多用户需要同时访问外网但公有IP地址不足的问题。同时可以作为一个防火墙,隔离内网与外网,并且能提供监控网络和记录传输信息的功能,加强局域网的安全性等。它的主要作用有以下几点。
1.共享网络
2.加快访问速度,节约通信带宽
3.防止内部主机受到攻击
4.限制用户访问,完善网络管理
1.安装有三种方式如下:
rpm -ivh squid-3.1.23-16.el6_8.6.x86_64.rpm
yum install squid
tar -zxvf squid-3.1.23-16.el6_8.6.x86_64.gz
#个人选择yum 源安装方式,配置路径较熟悉,软件版本较新
2.squid配置文件:
[[email protected] ~]# cat /etc/squid/squid.conf
http_port 3128 transparent # squid 3.1开启透明代理方式
#备注,如果是squid2.6之前版本,开启透明代理方式下四句配置代码
#httpd_accel_host virtual
#httpd_accel_port 80
#httpd_accel_with_proxy on
#httpd_accel_user_host_header on
cache_mem 1 GB
fqdncache_size 1024
cache_swap_low 90
cache_swap_high 95
error_directory /usr/share/squid/errors/Simplify_Chinese
maximum_object_size 4096 KB
maximum_object_size_in_memory 8 MB
memory_replacement_policy heap LFUDA
cache_replacement_policy heap LFUDA
cache_dir ufs /var/spool/squid 20480 16 256
max_open_disk_fds 0
maximum_object_size 30 MB
minimum_object_size 1 KB
ipcache_size 2M
cache_effective_user squid
cache_effective_group squid
access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log
emulate_httpd_log on
refresh_pattern . 0 20% 4320 override-expire override-lastmod reload-into-ims ignore-reload #更新cache规则
icp_port 0
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
visible_hostname 192.168.100.254
dns_nameservers 114.114.114.114
dns_nameservers 192.168.100.254
dns_nameservers 210.22.84.3
dns_nameservers 202.96.209.133
cache_mgr [email protected]:150xxxxxxx6
hierarchy_stoplist cgi-bin n ?
#acl QUERY urlpath_regex cgi-bin \?
#no_cache deny QUERY
acl coach urlpath_regex coach
no_cache deny coach
acl SSL_ports port 443 8080 9525 9510 5222 21 88
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 8080
acl Safe_ports port 9525 9510 5222
acl Safe_ports port 8888
acl CONNECT method CONNECT
acl OverConnLimit maxconn 30
http_access deny OverConnLimit
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
acl clientip1 src 192.168.100.100 # 仅允许ip 192.168.1.130 不受限制
http_access allow clientip1
acl OverConnLimit maxconn 4
http_access deny OverConnLimit
acl baddomain2 url_regex -i xunlei
http_access deny baddomain2
acl baddomainurl2 url_regex -i letao game.qq.com ztgame
http_access deny baddomainurl2
acl baddomainurl3 url_regex -i kaixin kankan kugou
http_access deny baddomainurl3
acl baddomainurl5 urlpath_regex -i \.co$ \.bak$ \.grp$ \.mp3$ \.avi$ \.rmvb$ \.wma$ \.vob$ \.mkv$ \.mp4$ \.mpe$ \.wmv$ \.rar$ #这里禁用了部分游戏更新库文件
http_access deny baddomainurl5
acl baddomainurl6 url_regex -i dl_dir.qq.com youku.com tudou.com 56.com ztgame.net ztgamail.com
http_access deny baddomainurl6
acl xunlei1 browser ^Mozilla/4\.0\s\(compatible;\sMSIE\s6\.0;Windows\sNT\s5\.1\)$
acl xunlei2 browser ^Mozilla/4\.0\s\(compatible;\sMSIE\s6\.0;Windows\sNT\s5\.0\)$
acl xunlei3 browser ^Mozilla/5\.0\s\(compatible;\sMSIE\s6\.0;Windows\sNT\s5\.0\)$
acl xunlei4 browser ^Mozilla/4\.0\s\(compatible;\sMSIE\s6\.0;Windows\sNT\s5\.1;\s\)$
acl xunlei5 browser ^Mozilla/4.0\s\(compatible;\sMSIE\s6.0;\sWindows\sNT\s5.1;\sSV1;\s\.NETCLR\s1\.1\.4322;\s\.NET\sLR\s2\.0\.50727\)$
http_access deny xunlei1
http_access deny xunlei2
http_access deny xunlei3
http_access deny xunlei4
http_access deny xunlei5
#acl baddomainurl7 url_regex -i qilooo
#http_access deny baddomainurl7
#acl baddomainurl8 url_regex -i kxnc
#http_access deny baddomainurl8
#acl baddomainurl9 url_regex -i vercd.com
#http_access deny baddomainurl9
acl baddomainurl10 url_regex -i m18
http_access deny baddomainurl10
acl baddomainurl11 url_regex -i mkv kugou
http_access deny baddomainurl11
acl baddomainurl12 url_regex -i mp3 avi wma rmvb video movie startgame
http_access deny baddomainurl12
acl baddomainurl13 url_regex -i 51.com kaixin.com pps.tv youku.com pptv.com iqyi.com
http_access deny baddomainurl13
acl badurl url_regex -i sex
http_access deny badurl
#httpd_accel_host virtual
#httpd_accel_port 80
#httpd_accel_with_proxy on
#httpd_accel_uses_host_header on
acl all src 0.0.0.0/0.0.0.0
http_access allow all
# 以上配置是个人公司需求的文本配置,可以根据需求自己修改配置文件即可
2.开启路由功能
方法1,# echo "1" > /proc/sys/net/ipv4/ip_forward
方法2,# vim /etc/sysctl.conf
net.ipv4.ipforward = 1
3. iptables 设置:
iptables -F
iptables -t nat -F
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
#转换网络端口
For cat setupfiles:
[[email protected] squid]# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.3.5 on Wed Feb 8 23:35:27 2012
*nat
:PREROUTING ACCEPT [23:6405]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
COMMIT
# Completed on Wed Feb 8 23:35:27 2012
# Generated by iptables-save v1.3.5 on Wed Feb 8 23:35:27 2012
*filter
:INPUT ACCEPT [296:41176]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [167:20040]
COMMIT
# Completed on Wed Feb 8 23:35:27 2012
4.配置squid透明代理注意事项
一般双网卡或者双网卡以上代理服务器多作为路由用,或者都是需要改变现有的网络状况的。首先透明代理跟普通代理的区别,就在于客户机无需在IE代理处做任何设置,根双网卡代理服务一样网关配置肯定是squid内网lan口的ip,单网卡代理毋庸置疑网关要配置当前squid单网卡ip地址,之所以使用单网卡代理的目的在于服务器上的不知不觉,不改变当前网络环境,无需设置Bind服务和dhcp服务,dns只需设置外网dns即可,在进口路由的dhcpserver里修改网关为192.168.16.squidip 即可,这样dhcp请求上来获得的ip地址将分配新的网关(squid网关给客户端使用)。为安全考虑,可以把进口route的默认ip修改成squid代理ip,route另外单独给其一个ip,这样设置效果最好,可以杜绝一些有点网络常识的同事捣乱。
另关于squid代理acl规则配置匹配是从上往下匹配,设置规则要注意,如果没有生效,及时查看规则所在行是否被其他规则覆盖。
5.squid 常用命令
/etc/init.d/squid -z # 建立缓存目录
/etc/init.d/squid -k parse #测试语法是否有误
/etc/init./squid start/stop/restart/status/reload # 当语法有错误时,在执行这几条命令时也会提示语法错误
pas -aux | grep suqid #查看squid进程
squid -k rotate #切割日志循环,可以配合crontab 任务计划脚本按需执行
----------------------------------------------------------------------------