Squid

Proxy cache

```
ping www.linuxprobe.com
PING www.linuxprobe.com (162.159.211.33) 56(84) bytes of data.
64 bytes from 162.159.211.33: icmp_seq=1 ttl=45 time=166 ms
64 bytes from 162.159.211.33: icmp_seq=2 ttl=45 time=168 ms
64 bytes from 162.159.211.33: icmp_seq=3 ttl=45 time=167 ms
64 bytes from 162.159.211.33: icmp_seq=4 ttl=45 time=166 ms
^C
--- www.linuxprobe.com ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3006ms
rtt min/avg/max/mdev = 166.361/167.039/168.109/0.836 ms
yum install squid
Loaded plugins: langpacks, product-id, subscription-manager
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
rhel | 4.1 kB 00:00
Resolving Dependencies
--> Running transaction check
……………… Some output omitted ………………
Installed:
squid.x86_64 7:3.3.8-11.el7
Dependency Installed:
libecap.x86_64 0:0.2.0-8.el7 perl-Compress-Raw-Bzip2.x86_64 0:2.061-3.el7
perl-Compress-Raw-Zlib.x86_64 1:2.061-4.el7 perl-DBI.x86_64 0:1.627-4.el7
perl-Data-Dumper.x86_64 0:2.145-3.el7 perl-Digest.noarch 0:1.17-245.el7
perl-Digest-MD5.x86_64 0:2.52-3.el7 perl-IO-Compress.noarch 0:2.061-2.el7
perl-Net-Daemon.noarch 0:0.48-5.el7 perl-PlRPC.noarch 0:0.2020-14.el7
Complete!
```

Squid configuration

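| Parameter | Purpose |
| --- | --- |
| http_port 3128 | Port number to listen on |
| cache_mem 64M | Size of the in-memory cache |
| cache_dir ufs /var/spool/squid 2000 16 256 | Size of the on-disk cache |
| cache_effective_user squid | Effective user for the cache |
| cache_effective_group squid | Effective group for the cache |
| dns_nameservers [IP address] | Usually left unset; the server's default DNS addresses are used instead |
| cache_access_log /var/log/squid/access.log | Path where the access log file is saved |
| cache_log /var/log/squid/cache.log | Path where the cache log file is saved |
| visible_hostname linuxprobe.com | Sets the name of the Squid server |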

```
systemctl restart squid
systemctl enable squid
ln -s '/usr/lib/systemd/system/squid.service' '/etc/systemd/system/multi-user.target.wants/squid.service'
vim /etc/squid/squid.conf
……………… Some output omitted ………………
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost

# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128
http_port 10000
……………… Some output omitted ………………
systemctl restart squid
systemctl enable squid
ln -s '/usr/lib/systemd/system/squid.service' '/etc/systemd/system/multi-user.target.wants/squid.service'
semanage port -l | grep squid_port_t
squid_port_t tcp 3128, 3401, 4827
squid_port_t udp 3401, 4827
semanage port -a -t squid_port_t -p tcp 10000
semanage port -l | grep squid_port_t
squid_port_t tcp 10000, 3128, 3401, 4827
squid_port_t udp 3401, 4827
```

```
# Allow only the client at 192.168.10.20 to use the proxy service provided by Squid on this server; reject proxy requests from all other hosts
vim /etc/squid/squid.conf
#
# Recommended minimum configuration:
#

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl client src 192.168.10.20
#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
http_access allow client
http_access deny all
http_access deny !Safe_ports

……………… Some output omitted ………………
systemctl restart squid
```

```
# Block all clients from visiting sites whose URL contains the keyword linux
vim /etc/squid/squid.conf
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl deny_keyword url_regex -i linux
#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
http_access deny deny_keyword

http_access deny !Safe_ports

systemctl restart squid
```

```
# Block all clients from visiting one specific website
vim /etc/squid/squid.conf
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl deny_url url_regex http://www.linuxcool.com
#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
http_access deny deny_url

http_access deny !Safe_ports

systemctl restart squid
```

```
# Prevent employees from downloading files with certain extensions inside the corporate network
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl badfile urlpath_regex -i \.rar$ \.avi$
#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
http_access deny badfile

http_access deny !Safe_ports

systemctl restart squid
```

```
# Transparent forward proxy
ping www.linuxprobe.com
ping请求找不到主机 www.linuxprobe.com。请检查该名称,然后重试。
iptables -F
iptables -t nat -A POSTROUTING -p udp --dport 53 -o eno33554968 -j MASQUERADE
echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
sysctl -p
net.ipv4.ip_forward = 1
C:\Users\linuxprobe>ping www.linuxprobe.com
正在ping www.linuxprobe.com [116.31.127.233] 具有 32 字节的数据:
请求超时。
请求超时。
请求超时。
请求超时。
116.31.127.233 的ping统计信息:
数据包: 已发送 = 4,已接收 = 0,丢失 = 4 (100% 丢失),
vim /etc/squid/squid.conf
……………… Some output omitted ………………
# Squid normally listens to port 3128
http_port 3128 transparent

# Uncomment and adjust the following to add a disk cache directory.
cache_dir ufs /var/spool/squid 100 16 256

……………… Some output omitted ………………
squid -k parse
2017/04/13 06:40:44| Startup: Initializing Authentication Schemes ...
2017/04/13 06:40:44| Startup: Initialized Authentication Scheme 'basic'
2017/04/13 06:40:44| Startup: Initialized Authentication Scheme 'digest'
2017/04/13 06:40:44| Startup: Initialized Authentication Scheme 'negotiate'
2017/04/13 06:40:44| Startup: Initialized Authentication Scheme 'ntlm'
2017/04/13 06:40:44| Startup: Initialized Authentication.
……………… Some output omitted ………………
squid -z
2017/04/13 06:41:26 kid1| Creating missing swap directories
2017/04/13 06:41:26 kid1| /var/spool/squid exists
2017/04/13 06:41:26 kid1| Making directories in /var/spool/squid/00
2017/04/13 06:41:26 kid1| Making directories in /var/spool/squid/01
2017/04/13 06:41:26 kid1| Making directories in /var/spool/squid/02
2017/04/13 06:41:26 kid1| Making directories in /var/spool/squid/03
2017/04/13 06:41:26 kid1| Making directories in /var/spool/squid/04
2017/04/13 06:41:26 kid1| Making directories in /var/spool/squid/05
2017/04/13 06:41:26 kid1| Making directories in /var/spool/squid/06
2017/04/13 06:41:26 kid1| Making directories in /var/spool/squid/07
2017/04/13 06:41:26 kid1| Making directories in /var/spool/squid/08
2017/04/13 06:41:26 kid1| Making directories in /var/spool/squid/09
2017/04/13 06:41:26 kid1| Making directories in /var/spool/squid/0A
2017/04/13 06:41:26 kid1| Making directories in /var/spool/squid/0B
2017/04/13 06:41:26 kid1| Making directories in /var/spool/squid/0C
2017/04/13 06:41:26 kid1| Making directories in /var/spool/squid/0D
2017/04/13 06:41:26 kid1| Making directories in /var/spool/squid/0E
2017/04/13 06:41:26 kid1| Making directories in /var/spool/squid/0F
systemctl restart squid
iptables -t nat -A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -o eno33554968 -j SNAT --to <IP address of your bridged NIC>
service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ]
```

```
# Reverse proxy
vim /etc/squid/squid.conf
……………… Some output omitted ………………

# Squid normally listens to port 3128
http_port <IP address of your bridged NIC>:80 vhost
cache_peer <IP address of the website's origin server> parent 80 0 originserver

……………… Some output omitted ………………
systemctl restart squid
```
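Squid checks `http_access` lines from top to bottom and stops at the first match, so in the client-only configuration earlier on this page `allow client` is decided before `deny !Safe_ports`, and nothing after `deny all` is ever reached. The linter below is an added example, not part of the original page: `WEAK` is a constructed excerpt that keeps the page's rule order, and `HARDENED` is an assumed reordering that puts the port checks first, as the stock squid.conf does.

```python
# Added example: lint the order of http_access rules in a squid.conf.
# Both sample configurations are constructed for this illustration.
WEAK = """\
acl SSL_ports port 443
acl Safe_ports port 80
acl CONNECT method CONNECT
acl client src 192.168.10.20
http_access allow client
http_access deny all
http_access deny !Safe_ports
"""

HARDENED = """\
acl SSL_ports port 443
acl Safe_ports port 80
acl CONNECT method CONNECT
acl client src 192.168.10.20
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow client
http_access deny all
"""

def http_access_rules(conf_text):
    """Return [(line_no, action, [acl, ...])] for each http_access line."""
    rules = []
    for no, raw in enumerate(conf_text.splitlines(), 1):
        tokens = raw.split("#", 1)[0].split()   # ignore trailing comments
        if len(tokens) >= 3 and tokens[0] == "http_access":
            rules.append((no, tokens[1], tokens[2:]))
    return rules

def lint(conf_text):
    """Return [(line_no, message)] for rule-order problems."""
    findings, catch_all, port_guard = [], None, False
    for no, action, acls in http_access_rules(conf_text):
        if catch_all is not None:               # first match already decided
            findings.append((no, "unreachable after catch-all on line %d" % catch_all))
        elif acls == ["all"]:
            catch_all = no
        elif action == "deny" and acls == ["!Safe_ports"]:
            port_guard = True
        elif action == "allow" and not port_guard:
            findings.append((no, "allow %s matches before deny !Safe_ports" % " ".join(acls)))
    return findings

if __name__ == "__main__":
    for name, conf in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, lint(conf) or "ok")
```
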
