Squid做反向代理缓存

环境介绍：

一、准备工作

以其中一台为例：

[[email protected] etc]# iptables -L

Chain INPUT (policy ACCEPT)

target     prot opt source               destination

Chain FORWARD (policy ACCEPT)

target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)

target     prot opt source               destination

[[email protected] etc]# getenforce

Disabled

[[email protected] etc]# tail -2 /etc/hosts

192.168.49.139  image01.contoso.com  image01

192.168.49.135  squid.contoso.com  squid

[[email protected] etc]# crontab -l  #时间同步一定要做，不然反向代理缓存可能出现无法命中的问题

0 * * * * /usr/sbin/ntpdate   210.72.145.44 64.147.116.229 time.nist.gov

二、squid配置

继续上一篇squid的正向代理中的配置，进行相应的修改。

acl manager proto cache_object

acl localhost src 127.0.0.1/32

acl to_localhost dst 127.0.0.0/8 0.0.0.0/32

acl localnet src 10.0.0.0/8 # RFC1918 possible internal network

acl localnet src 172.16.0.0/12 # RFC1918 possible internal network

acl localnet src 192.168.0.0/16 # RFC1918 possible internal network

acl SSL_ports port 443

acl Safe_ports port 80 # http

acl Safe_ports port 21 # ftp

acl Safe_ports port 443 # https

acl Safe_ports port 70 # gopher

acl Safe_ports port 210 # wais

acl Safe_ports port 1025-65535 # unregistered ports

acl Safe_ports port 280 # http-mgmt

acl Safe_ports port 488 # gss-http

acl Safe_ports port 591 # filemaker

acl Safe_ports port 777 # multiling http

acl Safe_ports port 8001

acl CONNECT method CONNECT

#acl qq url_regex -i ^http://.*qq.*$

#http_access deny qq

#acl qq_path urlpath_regex -i \.*qq*

#http_access deny qq_path

# 设置squid acl访问控制规则

http_access allow manager localhost

http_access deny manager

http_access deny !Safe_ports

http_access deny CONNECT !SSL_ports

http_access allow localnet

http_access deny all

icp_access allow localnet

icp_access deny all

htcp_access allow localnet

htcp_access deny all

http_port 80 accel vhost vport  #squid反向代理需要使用80端口，并设置squid支持虚拟主机模式

hierarchy_stoplist cgi-bin ?

cache_dir ufs /usr/local/squid/var/cache 100 16 256

access_log /usr/local/squid/var/logs/access.log squid

cache_log /usr/local/squid/var/logs/cache.log

cache_store_log /usr/local/squid/var/logs/store.log

refresh_pattern ^ftp: 1440 20% 10080

refresh_pattern ^gopher: 1440 0% 1440

refresh_pattern (cgi-bin|\?) 0 0% 0

refresh_pattern . 0 20% 4320

cache_mgr [email protected]

# 设置squid运行的用户

cache_effective_user squid

cache_effective_group squid

# 设置squid的可视化主机名

visible_hostname  cache1.contoso.com

#icp_port 3130  #这里需要把icp端口注释掉，因为下面的cache_peer中定义端口0作为icp端口，也就是不使用icp端口进行squid服务器间通信，如果保留3130会产生冲突，所以要么修改为0，要么注释或删掉该行

coredump_dir /usr/local/squid/var/cache

cache_mem 90 MB

cache_swap_low  90

cache_swap_high 95

maximum_object_size  8192 KB

minimum_object_size  0 KB

maximum_object_size_in_memory  4096 KB

memory_replacement_policy  lru

emulate_httpd_log  on

cache_peer image01.contoso.com  parent 80 0 no-query no-digest max-conn=32 originserver #设置对那些web服务器做反向代理

hosts_file /etc/hosts   #设置squid使用/etc/hosts文件解析域名

request_header_max_size 128 KB   #设置请求头部大小的最大值

ipcache_size 1024

ipcache_low 90

ipcache_high 95

三、图片服务器安装httpd服务

yum -y install httpd
[[email protected] html]# ll
total 272
-rw-r--r-- 1 root root 193402 Jun 26  2014 lnmp.jpg
-rw-r--r-- 1 root root   7807 Jun  5  2014 mysql.png
-rw-r--r-- 1 root root  26837 Apr 24  2012 nginx.jpg
-rw-r--r-- 1 root root  43831 Dec 19  2013 php.jpg
service httpd restart

浏览器进行测试访问：

四、启动squid并测试反向代理

[[email protected] etc]# squid -k parse

2016/10/30 23:09:23| Processing Configuration File: /usr/local/squid/etc/squid.conf (depth 0)

2016/10/30 23:09:23| Initializing https proxy context

[[email protected] etc]# squid -D

[[email protected] etc]# netstat -tunlp|grep squid

tcp        0      0 0.0.0.0:80                  0.0.0.0:*                   LISTEN      1164/(squid)

[[email protected] etc]# lsof -i :80   #这里也可以说明squid服务器上是没有httpd等web服务在运行

COMMAND  PID  USER   FD   TYPE DEVICE SIZE/OFF NODE NAME

squid   1164 squid   18u  IPv4  10763      0t0  TCP *:http (LISTEN)

在浏览器中访问squid服务器，测试反正代理效果：

访问成功，说明squid反向代理没有问题。

再查看一下squid访问日志：

[[email protected] etc]# squid -k rotate

[[email protected] ~]# >/usr/local/squid/var/logs/access.log

[[email protected] ~]# tail -f /usr/local/squid/var/logs/access.log

1477885541.844      0 192.168.49.1 TCP_IMS_HIT/304 249 GET http://192.168.49.135/lnmp.jpg - NONE/- image/jpeg

1477885545.966      0 192.168.49.1 TCP_IMS_HIT/304 249 GET http://192.168.49.135/lnmp.jpg - NONE/- image/jpeg

1477885557.249      0 192.168.49.1 TCP_IMS_HIT/304 248 GET http://192.168.49.135/php.jpg - NONE/- image/jpeg

1477885565.281      5 192.168.49.1 TCP_MISS/200 27189 GET http://192.168.49.135/nginx.jpg - FIRST_UP_PARENT/image01.contoso.com image/jpeg

1477885567.835      0 192.168.49.1 TCP_IMS_HIT/304 246 GET http://192.168.49.135/nginx.jpg - NONE/- image/jpeg

1477885568.629      0 192.168.49.1 TCP_IMS_HIT/304 246 GET http://192.168.49.135/nginx.jpg - NONE/- image/jpeg

1477885708.180      2 192.168.49.1 TCP_MISS/200 8157 GET http://192.168.49.135/mysql.png - FIRST_UP_PARENT/image01.contoso.com image/png

1477885710.626      0 192.168.49.1 TCP_IMS_HIT/304 245 GET http://192.168.49.135/mysql.png - NONE/- image/png

五、squid开启离线模式

# 在squid.conf中开启offline_mode

[[email protected] etc]# echo "offline_mode on" >> squid.conf

[[email protected] etc]# tail -1 squid.conf

offline_mode on

# 重启squid

[[email protected] etc]# killall squid

[[email protected] etc]# killall squid

[[email protected] etc]# killall squid

squid: no process killed

[[email protected] etc]# squid -k parse

2016/10/30 23:53:30| Processing Configuration File: /usr/local/squid/etc/squid.conf (depth 0)

2016/10/30 23:53:30| Initializing https proxy context

[[email protected] etc]# squid -D

[[email protected] etc]# lsof -i :80

COMMAND  PID  USER   FD   TYPE DEVICE SIZE/OFF NODE NAME

squid   1230 squid   18u  IPv4  11547      0t0  TCP *:http (LISTEN)

# 关闭图片服务器的httpd服务

[[email protected] html]# service httpd stop

Stopping httpd:                                            [  OK  ]

浏览器访问图片服务器（注意清除浏览器缓存先）：

发现图片服务器已经无法访问。

再访问squid代理服务器（也需要清理浏览器缓存）：

发现squid代理服务器依然能够访问，而且即使使用Ctrl+F5进行强制刷新依然能够正常访问。

查看一下日志：

1477892930.670      0 192.168.49.1 TCP_IMS_HIT/304 249 GET http://192.168.49.135/lnmp.jpg - NONE/- image/jpeg

1477892930.905      0 192.168.49.1 TCP_IMS_HIT/304 249 GET http://192.168.49.135/lnmp.jpg - NONE/- image/jpeg

1477892931.107      0 192.168.49.1 TCP_IMS_HIT/304 249 GET http://192.168.49.135/lnmp.jpg - NONE/- image/jpeg

1477892941.516      0 192.168.49.1 TCP_IMS_HIT/304 249 GET http://192.168.49.135/lnmp.jpg - NONE/- image/jpeg

1477892941.997      0 192.168.49.1 TCP_IMS_HIT/304 249 GET http://192.168.49.135/lnmp.jpg - NONE/- image/jpeg

1477892942.196      0 192.168.49.1 TCP_IMS_HIT/304 249 GET http://192.168.49.135/lnmp.jpg - NONE/- image/jpeg

1477892942.403      0 192.168.49.1 TCP_IMS_HIT/304 249 GET http://192.168.49.135/lnmp.jpg - NONE/- image/jpeg

1477892942.584      0 192.168.49.1 TCP_IMS_HIT/304 249 GET http://192.168.49.135/lnmp.jpg - NONE/- image/jpeg

1477892942.965      0 192.168.49.1 TCP_IMS_HIT/304 249 GET http://192.168.49.135/lnmp.jpg - NONE/- image/jpeg

1477892943.139      0 192.168.49.1 TCP_IMS_HIT/304 249 GET http://192.168.49.135/lnmp.jpg - NONE/- image/jpeg

发现也都是命中的状态，说明squid的离线模式生效。离线模式虽然能够在web服务器宕机的情况下继续提供服务，但是访问的资源不是最新的，一些长时间没有变化的静态内容可以使用这种设置，如果是动态内容不建议使用该选项。