How to compile Squid on Oracle Linux 9.x?
- By : Will
- Category : Forward Proxy
1 Basic theory
1.1 Introduction
Squid is a web caching server that supports HTTP, HTTPS, FTP and other protocols.
1.2 Purpose
– Squid reduces bandwidth use and shortens response times by caching and reusing frequently requested pages
– Squid provides extensive access controls
1.3 Supported systems
– Unix
– Linux
– Windows
1.4 Use cases
– Accelerating web access for users (better performance and bandwidth savings)
– Routing requests to other servers (optimising network throughput and building cache server hierarchies)
– Speeding up page access and relieving load on back-end servers
– Building web load-balancing clusters
1.5 Hit rate
– Squid's hit rate is currently around 75%
– In high-traffic environments, Squid's page cache can reach up to 100%
2 Hands-on section
2.1 System environment configuration
2.1.1 Basic configuration
Squid Server:
IP Address = 10.168.0.80
Gateway = 10.168.0.1
hostname = squid.cmdschool.org
Operating System = Oracle Linux Server 9.0
Squid Client:
IP Address = 10.168.0.x
Gateway = 10.168.0.1
hostname = client.cmdschool.org
Operating System = Oracle Linux Server 9.0
2.1.2 Update the system
dnf -y update
2.1.3 Disable SELinux
setenforce 0
sed -i "s/SELINUX=enforcing/SELINUX=disabled/g" /etc/selinux/config
2.1.4 Configure time synchronisation
dnf install -y chrony
Check that the following time server configuration matches your environment:
grep ^server /etc/chrony.conf
The following server configuration is shown:
server 0.centos.pool.ntp.org iburst
server 1.centos.pool.ntp.org iburst
server 2.centos.pool.ntp.org iburst
server 3.centos.pool.ntp.org iburst
Start the service and enable it at boot:
systemctl start chronyd.service
systemctl enable chronyd.service
2.1.5 Configure the firewall
firewall-cmd --permanent --add-service squid
firewall-cmd --reload
firewall-cmd --list-all
2.2 Software configuration
2.2.1 Install common tools
dnf install -y vim bzip2 sudo wget net-tools
2.2.2 Download the source package
cd ~
wget http://www.squid-cache.org/Versions/v6/squid-6.1.tar.bz2
2.2.3 Extract the package
cd ~
tar -xf squid-6.1.tar.bz2
2.3 Compile and install Squid
2.3.1 Install the build tools
dnf install -y perl gcc gcc-c++ autoconf automake make
2.3.2 Configure (pre-compile)
cd ~/squid-6.1
./configure \
  '--build=x86_64-redhat-linux-gnu' \
  '--host=x86_64-redhat-linux-gnu' \
  '--program-prefix=' \
  '--prefix=/usr' \
  '--exec-prefix=/usr' \
  '--bindir=/usr/bin' \
  '--sbindir=/usr/sbin' \
  '--sysconfdir=/etc' \
  '--datadir=/usr/share' \
  '--includedir=/usr/include' \
  '--libdir=/usr/lib64' \
  '--libexecdir=/usr/libexec' \
  '--localstatedir=/var' \
  '--sharedstatedir=/var/lib' \
  '--mandir=/usr/share/man' \
  '--infodir=/usr/share/info' \
  '--libexecdir=/usr/lib64/squid' \
  '--datadir=/usr/share/squid' \
  '--sysconfdir=/etc/squid' \
  '--with-logdir=/var/log/squid' \
  '--with-pidfile=/run/squid.pid' \
  '--disable-dependency-tracking' \
  '--enable-eui' \
  '--enable-follow-x-forwarded-for' \
  '--enable-auth' \
  '--enable-auth-basic=DB,fake,getpwnam,LDAP,NCSA,PAM,POP3,RADIUS,SASL,SMB,SMB_LM' \
  '--enable-auth-ntlm=SMB_LM,fake' \
  '--enable-auth-digest=file,LDAP' \
  '--enable-auth-negotiate=kerberos' \
  '--enable-external-acl-helpers=LDAP_group,time_quota,session,unix_group,wbinfo_group,kerberos_ldap_group' \
  '--enable-storeid-rewrite-helpers=file' \
  '--enable-cache-digests' \
  '--enable-cachemgr-hostname=localhost' \
  '--enable-delay-pools' \
  '--enable-epoll' \
  '--enable-icap-client' \
  '--enable-ident-lookups' \
  '--enable-linux-netfilter' \
  '--enable-removal-policies=heap,lru' \
  '--enable-snmp' \
  '--enable-ssl' \
  '--enable-ssl-crtd' \
  '--enable-storeio=aufs,diskd,ufs,rock' \
  '--enable-diskio' \
  '--enable-wccpv2' \
  '--enable-esi' \
  '--enable-ecap' \
  '--with-aio' \
  '--with-default-user=squid' \
  '--with-dl' \
  '--with-openssl' \
  '--with-pthreads' \
  '--disable-arch-native' \
  '--disable-security-cert-validators' \
  '--disable-strict-error-checking' \
  '--with-swapdir=/var/spool/squid' \
  'build_alias=x86_64-redhat-linux-gnu' \
  'host_alias=x86_64-redhat-linux-gnu' \
  'CC=gcc' \
  'CFLAGS=-O2 -flto=auto -ffat-lto-objects -fexceptions -g -grecord-gcc-switches -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -march=x86-64-v2 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection' \
  'LDFLAGS=-Wl,-z,relro -Wl,--as-needed -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1' \
  'CXX=g++' \
  'CXXFLAGS=-O2 -flto=auto -ffat-lto-objects -fexceptions -g -grecord-gcc-switches -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -march=x86-64-v2 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection' \
  'PKG_CONFIG_PATH=:/usr/lib64/pkgconfig:/usr/share/pkgconfig' \
  'LT_SYS_LIBRARY_PATH=/usr/lib64:'
If you see the following error:
configure: error: ESI processor requires libxml2 or libexpat
resolve the dependency with:
dnf install -y libxml2-devel
If you see the following error:
configure: error: Package requirements (libecap >= 1.0 libecap < 1.1) were not met:
resolve the dependency with:
dnf install -y libecap-devel
If you see the following error:
configure: error: library 'crypto' is required for OpenSSL
resolve the dependency with:
dnf install -y openssl-devel
If you see the following error:
configure: error: required helper auth/basic/LDAP ... found but cannot be built
resolve the dependency with:
dnf install -y openldap-devel
If you see the following error:
configure: error: required helper auth/basic/PAM ... found but cannot be built
resolve the dependency with:
dnf install -y pam-devel
If you see the following error:
configure: error: required helper auth/negotiate/kerberos ... found but cannot be built
resolve the dependency with:
dnf install -y krb5-devel
If you see the following error:
configure: error: required helper acl/external/time_quota ... found but cannot be built
resolve the dependency with:
dnf install -y libtdb-devel
2.3.3 Compile
make
2.3.4 Install
make install | tee install.log
After installation, confirm it with:
squid -v
2.3.5 Create the run-time user
groupadd -g 23 squid
useradd -u 23 -g 23 -d /var/spool/squid -s /sbin/nologin squid
2.4 Test starting Squid
2.4.1 Create the cache directories
squid -z
Note:
– -z: create the cache (swap) directories and exit
Depending on the errors reported, you may also need to fix a few things, such as creating the cache log file:
touch /var/log/squid/cache.log
chown :squid /var/log/squid/cache.log
chmod g+w /var/log/squid/cache.log
2.4.2 Trial run
squid -N -D -d1
Note:
– You can stop the above process with [Ctrl+C]
– -N: run the main process in the foreground without forking child processes
– -D: this flag is marked obsolete and scheduled for removal
– -d: write debug output at the given debug level to standard error
Depending on the messages shown, you may also need to fix the following, such as creating the access log file:
touch /var/log/squid/access.log
chown :squid /var/log/squid/access.log
chmod g+w /var/log/squid/access.log
2.4.3 Try running the program manually
squid -f /etc/squid/squid.conf
Note:
– -f: specify the configuration file to read at start-up
2.4.4 Confirm the running state
pgrep -a squid
netstat -antp | grep squid
2.4.5 Stop the process manually
kill -2 $(pgrep -u root squid)
Note: the above command stops the process slowly; wait a moment for it to finish.
2.5 Configure Squid start-up control
2.5.1 Create the start-up unit file
vim /usr/lib/systemd/system/squid.service
Create the following configuration:
[Unit]
Description=Squid caching proxy
Documentation=man:squid(8)
After=network.target network-online.target nss-lookup.target

[Service]
Type=forking
LimitNOFILE=16384
PIDFile=/run/squid.pid
EnvironmentFile=/etc/sysconfig/squid
ExecStartPre=/usr/libexec/squid/cache_swap.sh
ExecStartPost=/bin/sleep 0.2
ExecStart=/usr/sbin/squid $SQUID_OPTS -f ${SQUID_CONF}
ExecReload=/usr/bin/kill -HUP $MAINPID
KillMode=mixed
NotifyAccess=all

[Install]
WantedBy=multi-user.target
2.5.2 Create the environment configuration
vim /etc/sysconfig/squid
Add the following configuration:
# default squid options
SQUID_OPTS=""

# default squid conf file
SQUID_CONF="/etc/squid/squid.conf"
2.5.3 Confirm the configuration file
cat /etc/squid/squid.conf
The following configuration is shown:
#
# Recommended minimum configuration:
#

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 0.0.0.1-0.255.255.255  # RFC 1122 "this" network (LAN)
acl localnet src 10.0.0.0/8             # RFC 1918 local private network (LAN)
acl localnet src 100.64.0.0/10          # RFC 6598 shared address space (CGN)
acl localnet src 169.254.0.0/16         # RFC 3927 link-local (directly plugged) machines
acl localnet src 172.16.0.0/12          # RFC 1918 local private network (LAN)
acl localnet src 192.168.0.0/16         # RFC 1918 local private network (LAN)
acl localnet src fc00::/7               # RFC 4193 local private network range
acl localnet src fe80::/10              # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http

#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

# This default configuration only allows localhost requests because a more
# permissive Squid installation could introduce new attack vectors into the
# network by proxying external TCP connections to unprotected services.
http_access allow localhost

# The two deny rules below are unnecessary in this default configuration
# because they are followed by a "deny all" rule. However, they may become
# critically important when you start allowing external requests below them.

# Protect web applications running on the same server as Squid. They often
# assume that only local users can access them at "localhost" ports.
http_access deny to_localhost

# Protect cloud servers that provide local users with sensitive info about
# their server via certain well-known link-local (a.k.a. APIPA) addresses.
http_access deny to_linklocal

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# For example, to allow access from your local networks, you may uncomment the
# following rule (and/or add rules that match your definition of "local"):
# http_access allow localnet

# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128
http_port 3128

# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/cache/squid 100 16 256

# Leave coredumps in the first cache dir
coredump_dir /var/cache/squid

#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320
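The comments in this file insist on rule order: http_access lines are evaluated top to bottom, the first line whose ACLs all match decides, and "allow localnet" only becomes safe because "deny to_localhost" sits above it. The following Python is an added illustration, not Squid's code or the author's: it models a subset of the ACLs above (localnet is reduced to the RFC 1918 ranges plus fc00::/7; the built-in to_localhost and CONNECT ACLs use their documented definitions) and evaluates requests against the shipped rule set and against the same file with "allow localnet" uncommented.

```python
import ipaddress

# ACL table transcribed from the default squid.conf shown above
# (to_localhost and CONNECT are Squid built-ins with their documented values).
ACLS = {
    "localnet": ("src", ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7"]),
    "localhost": ("src", ["127.0.0.1/32", "::1/128"]),
    "to_localhost": ("dst", ["127.0.0.0/8", "0.0.0.0/32", "::1/128"]),
    "SSL_ports": ("port", [(443, 443)]),
    "Safe_ports": ("port", [(80, 80), (21, 21), (443, 443), (70, 70), (210, 210),
                            (1025, 65535), (280, 280), (488, 488), (591, 591), (777, 777)]),
    "CONNECT": ("method", ["CONNECT"]),
    "manager": ("url", ["cache_object://", "/squid-internal-mgr/"]),
}
# http_access lines in file order: ACLs on one line are ANDed, '!' negates, first match wins.
DEFAULT_RULES = [
    ("deny", ["!Safe_ports"]),
    ("deny", ["CONNECT", "!SSL_ports"]),
    ("allow", ["localhost", "manager"]),
    ("deny", ["manager"]),
    ("allow", ["localhost"]),
    ("deny", ["to_localhost"]),
    ("deny", ["all"]),
]
# The same file with "http_access allow localnet" uncommented where the
# default file places it, i.e. after the protective "deny to_localhost".
LOCALNET_RULES = DEFAULT_RULES[:-1] + [("allow", ["localnet"]), ("deny", ["all"])]

def acl_matches(name, req):
    """Does ACL `name` match req (dict with src, dst, port, method, url)?"""
    if name == "all":
        return True
    kind, values = ACLS[name]
    if kind in ("src", "dst"):  # a v4 address is simply not in a v6 network
        addr = ipaddress.ip_address(req[kind])
        return any(addr in ipaddress.ip_network(v) for v in values)
    if kind == "port":
        return any(lo <= req["port"] <= hi for lo, hi in values)
    if kind == "method":
        return req["method"] in values
    return any(v in req["url"] for v in values)  # kind == "url"

def http_access(req, rules=DEFAULT_RULES):
    """Return 'allow' or 'deny' for req under the given http_access lines."""
    for action, terms in rules:
        if all(acl_matches(t.lstrip("!"), req) != t.startswith("!") for t in terms):
            return action
    # Only reached without a trailing "deny all": Squid then applies the
    # opposite of the last rule's action.
    return "deny" if rules[-1][0] == "allow" else "allow"
```

With the shipped file a LAN client is denied everything; with "allow localnet" enabled it can browse, but requests to loopback addresses, to non-Safe_ports and CONNECT to non-443 ports are still refused by the earlier deny lines.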
2.5.4 Create the cache swap script
mkdir -p /usr/libexec/squid
vim /usr/libexec/squid/cache_swap.sh
Create the following script:
#!/usr/bin/bash
if [ -f /etc/sysconfig/squid ]; then
    . /etc/sysconfig/squid
fi

SQUID_CONF=${SQUID_CONF:-"/etc/squid/squid.conf"}

CACHE_SWAP=`awk '/^[[:blank:]]*cache_dir/ { print $3 }' "$SQUID_CONF"`

init_cache_dirs=0
for adir in $CACHE_SWAP; do
    if [ ! -d $adir/00 ]; then
        echo -n "init_cache_dir $adir... "
        init_cache_dirs=1
    fi
done

if [ $init_cache_dirs -ne 0 ]; then
    echo ""
    squid --foreground -z -f "$SQUID_CONF" >> /var/log/squid/squid.out 2>&1
fi
You also need to make the script executable:
chmod 755 /usr/libexec/squid/cache_swap.sh
2.5.5 Reload systemd to apply the configuration
systemctl daemon-reload
2.5.6 Start the service and enable it at boot
systemctl start squid.service
systemctl enable squid.service
Other optional commands:
systemctl status squid.service
systemctl stop squid.service
systemctl restart squid.service
2.6 Client test
2.6.1 Remove the client's default route
route del default
Note: this prevents traffic from leaving via the routing table instead of going through the proxy
2.6.2 Specify the proxy server
export http_proxy="http://user1:passwd1@10.168.0.80:3128"
export https_proxy="http://user1:passwd1@10.168.0.80:3128"
Since authentication is not enabled in this configuration, omit the username and password:
export http_proxy="http://10.168.0.80:3128"
export https_proxy="http://10.168.0.80:3128"
2.6.3 Test proxy communication
curl http://www.cmdschool.org
curl https://www.cmdschool.org
====================
Compiling Squid:
—————-
https://wiki.squid-cache.org/SquidFaq/CompilingSquid
https://wiki.squid-cache.org/KnowledgeBase/RedHat
Downloading Squid:
—————-
http://www.squid-cache.org/Versions/