1 Fundamentals
1.1 Introduction
Squid is a caching web proxy that supports HTTP, HTTPS, FTP and other protocols.
1.2 What it does
– Squid cuts bandwidth use and shortens response times by caching and reusing frequently requested pages
– Squid provides extensive access controls
1.3 Supported systems
– Unix
– Linux
– Windows
1.4 Use cases
– Accelerating web access for users (better performance and lower bandwidth use)
– Routing requests to other servers (improving network throughput and building hierarchies of cache servers)
– Speeding up page access and taking load off backend servers
– Building load-balanced web clusters
1.5 Hit rate
– A typical Squid deployment achieves a hit rate of roughly 75%
– Under heavy traffic the hit rate for cacheable pages can approach 100%
2 Practice
2.1 System environment
2.1.1 Basic configuration
Squid Server:
IP Address = 10.168.0.80
Gateway = 10.168.0.1
hostname = squid.cmdschool.org
Operating System = CentOS 7.x x86_64
Squid Client:
IP Address = 10.168.0.x
Gateway = 10.168.0.1
hostname = client.cmdschool.org
Operating System = CentOS 7.x x86_64
2.1.2 Update the system
yum -y update
2.1.3 Remove firewalld
yum remove -y firewalld
2.1.4 Install the iptables service
yum install -y iptables-services
Check the default configuration that the package installs,
cat /etc/sysconfig/iptables
You should see the following,
# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
In addition, add a rule for the Squid port right away,
vi /etc/sysconfig/iptables
Insert the following line after the port 22 rule and before the "-A INPUT -j REJECT" line. Rules are matched in file order, so a rule appended after the REJECT is never reached. If the proxy should only serve your own clients, also restrict the source (for example with -s 10.168.0.0/24 for the lab network above; the netmask is an assumption):
-A INPUT -p tcp -m state --state NEW -m tcp --dport 3128 -j ACCEPT
Once you have confirmed the configuration is correct, start the service and enable it at boot,
systemctl start iptables.service
systemctl enable iptables.service
2.1.5 Disable SELinux
setenforce 0
sed -i "s/SELINUX=enforcing/SELINUX=disabled/g" /etc/selinux/config
Note: this removes a layer of confinement from the proxy. If your environment requires SELinux, keep it enforcing and label the compiled Squid and its directories with a policy module instead of turning it off.
2.1.6 Configure time synchronisation
yum install -y chrony
Confirm that the configured time servers suit your environment,
grep ^server /etc/chrony.conf
You should see the following server entries,
server 0.centos.pool.ntp.org iburst
server 1.centos.pool.ntp.org iburst
server 2.centos.pool.ntp.org iburst
server 3.centos.pool.ntp.org iburst
Start the service and enable it at boot,
systemctl start chronyd.service
systemctl enable chronyd.service
2.2 Software setup
2.2.1 Install common tools
yum install -y vim bzip2 sudo wget
2.2.2 Download the source package
cd ~
wget http://www.squid-cache.org/Versions/v4/squid-4.6.tar.bz2
Squid 4.6 was the current 4.x release when this guide was written; for a production proxy take the latest release from the Versions page instead, and verify the tarball against the PGP signature (.asc) published beside it before building it as root.
2.2.3 Unpack the source package
cd ~
tar -xf squid-4.6.tar.bz2
2.3 Compile and install Squid
2.3.1 Install the build tools
yum install -y perl gcc gcc-c++ autoconf automake make
2.3.2 Configure
cd ~/squid-4.6
./configure --prefix=/usr \
  --bindir=/usr/sbin \
  --sbindir=/usr/sbin \
  --sysconfdir=/etc/squid \
  --libdir=/usr/lib64 \
  --libexecdir=/usr/libexec/squid \
  --mandir=/usr/share/man \
  --includedir=/usr/include \
  --datadir=/usr/share \
  --localstatedir=/var \
  --with-logdir=/var/log/squid \
  --with-default-user=squid
--with-default-user only records the account name Squid drops privileges to; the account itself is created in 2.3.5. Depending on your needs you may have to resolve the following dependencies,
yum install -y libxml2-devel libcap-devel
If you bootstrap and build from a bzr checkout you also need,
yum install -y libtool-ltdl-devel
2.3.3 Compile
make
2.3.4 Install
make install 2>&1 | tee install.log
(2>&1 is needed so that errors, which go to stderr, end up in install.log as well.)
2.3.5 Create the service account
groupadd -g 23 squid
useradd -u 23 -g 23 -d /var/spool/squid -s /sbin/nologin squid
2.4 Test starting Squid
2.4.1 Create the cache directories
squid -z
Note:
– -z: create the swap (cache) directories and exit
Depending on the errors reported you may need to fix a few things first, for example creating the cache log file,
touch /var/log/squid/cache.log
chown :squid /var/log/squid/cache.log
chmod g+w /var/log/squid/cache.log
(Giving the squid group write access to /var/log/squid itself avoids repeating this for every log file.)
2.4.2 Try a foreground run
squid -N -D -d1
Note:
– Stop the process with Ctrl+C
– -N: run the master process in the foreground and do not fork worker children
– -D: obsolete in Squid 4 (older releases used it to skip the initial DNS test); it is accepted but does nothing and can be dropped
– -d: write debug output at the given level to standard error
Again, fix whatever the run complains about, for example creating the access log file,
touch /var/log/squid/access.log
chown :squid /var/log/squid/access.log
chmod g+w /var/log/squid/access.log
2.4.3 Try running it as a daemon
squid -f /etc/squid/squid.conf
Note:
– -f: configuration file to read at startup
2.4.4 Confirm it is running
pgrep -a squid
netstat -antp | grep squid
(CentOS 7 minimal installs lack net-tools; ss -lntp | grep squid shows the same listening socket.)
2.4.5 Stop the process manually
squid -k shutdown -f /etc/squid/squid.conf
Note: -k shutdown sends SIGTERM to the master process, the same as kill -TERM $(pgrep -u root -x squid). Squid then waits up to shutdown_lifetime (30 seconds by default) for active client connections to finish, so the process takes a moment to exit.
2.5 Configure Squid service control
2.5.1 Create the systemd unit
vim /usr/lib/systemd/system/squid.service
Add the following,
[Unit]
Description=Squid caching proxy
After=syslog.target network.target nss-lookup.target

[Service]
Type=forking
LimitNOFILE=16384
EnvironmentFile=/etc/sysconfig/squid
ExecStartPre=/usr/libexec/squid/cache_swap.sh
ExecStart=/usr/sbin/squid $SQUID_OPTS -f $SQUID_CONF
ExecReload=/usr/sbin/squid $SQUID_OPTS -k reconfigure -f $SQUID_CONF
ExecStop=/usr/sbin/squid -k shutdown -f $SQUID_CONF
TimeoutSec=0

[Install]
WantedBy=multi-user.target
2.5.2 Create the environment file
vim /etc/sysconfig/squid
Add the following,
# default squid options
SQUID_OPTS=""

# Time to wait for Squid to shut down when asked. Should not be necessary
# most of the time.
SQUID_SHUTDOWN_TIMEOUT=100

# default squid conf file
SQUID_CONF="/etc/squid/squid.conf"
2.5.3 Create the configuration file
vim /etc/squid/squid.conf
This is the stock configuration that "make install" puts in place; confirm it reads as follows and adapt the localnet ACL to the networks your clients actually use,
#
# Recommended minimum configuration:
#

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost

# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128
http_port 3128

# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/spool/squid 100 16 256

# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid

#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern . 0     20%     4320
Two points to check before clients are pointed at this proxy: "acl localnet" as shipped covers all RFC1918 and ULA space, so any host that reaches port 3128 from a private address can relay through it; narrow it to your client networks. And "http_access deny to_localhost" is still commented out, so a client can ask the proxy for http://127.0.0.1/...; enable it unless clients genuinely need services bound to the proxy's loopback.
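How Squid turns those http_access lines into a decision is the part of this file worth understanding before port 3128 is opened, so here is an added worked example, written for this page rather than taken from Squid or from the original author, that models the evaluation: a first-match-wins walk over the rules, with the terms on one line ANDed and "!" negating a term. It supports only the ACL types the file above uses (src, port, method) plus the built-ins all, localhost and manager; localhost is approximated as any loopback address and manager as the /squid-internal-mgr/ URL path, both simplifications. It goes beyond the page by also evaluating a deliberately misordered copy of the rules, to show what hoisting "allow localnet" above the port checks does.

```python
import ipaddress
from dataclasses import dataclass

# Excerpt of the acl / http_access lines from the squid.conf above, reduced to
# what the access decision needs (Squid accepts several values on one acl line
# and merges repeated lines with the same name, as in the full file).
SQUID_CONF = """
acl localnet src 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16   # RFC1918
acl localnet src fc00::/7 fe80::/10                        # RFC 4193 / link-local
acl SSL_ports port 443
acl Safe_ports port 80 21 443 70 210 1025-65535 280 488 591 777
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost
http_access deny all
"""

# Same rules with "allow localnet" hoisted to the top: a common copy-paste
# mistake, and because the first match wins the port and CONNECT checks never run.
MISORDERED_CONF = SQUID_CONF.replace(
    "http_access deny !Safe_ports\n",
    "http_access allow localnet\nhttp_access deny !Safe_ports\n", 1)


@dataclass
class Request:
    src: str            # client address as Squid sees it
    port: int           # destination port of the URL (or of the CONNECT target)
    method: str = "GET"
    path: str = "/"     # URL path; only used for the built-in 'manager' ACL


def parse_conf(text):
    """Return ({acl_name: (type, [values])}, [(action, [(negated, acl_name)])])."""
    acls, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line:
            continue
        words = line.split()
        if words[0] == "acl":
            name, kind, values = words[1], words[2], words[3:]
            known_kind, known_values = acls.setdefault(name, (kind, []))
            if known_kind != kind:               # Squid refuses a type change too
                raise ValueError(f"acl {name}: type {known_kind} redefined as {kind}")
            known_values.extend(values)
        elif words[0] == "http_access":
            terms = [(w.startswith("!"), w.lstrip("!")) for w in words[2:]]
            rules.append((words[1], terms))
    return acls, rules


def acl_matches(acls, name, req):
    # Squid 4 predefines all, localhost and manager; 'manager' is modelled here
    # as the /squid-internal-mgr/ URL path that cachemgr requests use.
    if name == "all":
        return True
    if name == "localhost":
        return ipaddress.ip_address(req.src).is_loopback
    if name == "manager":
        return req.path.startswith("/squid-internal-mgr/")
    kind, values = acls[name]                    # KeyError mirrors Squid's fatal "ACL not found"
    if kind == "src":
        ip = ipaddress.ip_address(req.src)
        # 'in' is False across address families, so v4 clients never match v6 nets
        return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    if kind == "port":
        for v in values:                         # single port or lo-hi range
            lo, _, hi = v.partition("-")
            if int(lo) <= req.port <= int(hi or lo):
                return True
        return False
    if kind == "method":
        return req.method.upper() in {v.upper() for v in values}
    raise NotImplementedError(f"acl type {kind!r} is not modelled in this example")


def decide(conf_text, req):
    """Evaluate http_access lines top to bottom: the terms on a line are ANDed,
    the first line whose terms all match decides, and if nothing matches Squid
    applies the opposite of the last line's action (deny when there are none)."""
    acls, rules = parse_conf(conf_text)
    for action, terms in rules:
        if all(acl_matches(acls, name, req) != negated for negated, name in terms):
            return action
    if not rules:
        return "deny"
    return "deny" if rules[-1][0] == "allow" else "allow"


if __name__ == "__main__":
    probes = [
        Request("10.168.0.5", 443, "CONNECT"),                         # https from a LAN client
        Request("10.168.0.5", 8080, "CONNECT"),                        # tunnel to a non-SSL port
        Request("10.168.0.5", 23),                                     # telnet port over HTTP
        Request("8.8.8.8", 80),                                        # source not in localnet
        Request("127.0.0.1", 3128, path="/squid-internal-mgr/info"),   # cachemgr from the box
        Request("10.168.0.5", 3128, path="/squid-internal-mgr/info"),  # cachemgr from a client
    ]
    for req in probes:
        print(f"{req.method:7} {req.src:>12}:{req.port:<5} "
              f"page config: {decide(SQUID_CONF, req):5}  misordered: {decide(MISORDERED_CONF, req)}")
```

Running it prints one line per probe. With the page's ordering the CONNECT to port 8080 and the request to port 23 are denied and the outside source falls through to "deny all"; in the misordered copy both LAN probes are allowed, which is exactly the tunnelling hole the "deny CONNECT !SSL_ports" line exists to close.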
2.5.4 Create the cache initialisation script
vim /usr/libexec/squid/cache_swap.sh
Create it with the following content (the same helper the CentOS squid package ships; it initialises any cache_dir that has not been created yet, so with cache_dir commented out it does nothing),
#!/bin/bash
if [ -f /etc/sysconfig/squid ]; then
    . /etc/sysconfig/squid
fi

SQUID_CONF=${SQUID_CONF:-"/etc/squid/squid.conf"}

CACHE_SWAP=`sed -e 's/#.*//g' $SQUID_CONF | \
    grep cache_dir | awk '{ print $3 }'`

for adir in $CACHE_SWAP; do
    if [ ! -d $adir/00 ]; then
        echo -n "init_cache_dir $adir... "
        squid -N -z -F -f $SQUID_CONF >> /var/log/squid/squid.out 2>&1
    fi
done
You also need to make the script executable,
chmod 755 /usr/libexec/squid/cache_swap.sh
2.5.5 Reload systemd so the new unit takes effect
systemctl daemon-reload
2.5.6 Start the service and enable it at boot
systemctl start squid.service
systemctl enable squid.service
If you run into the following error,
FATAL: Ipc::Mem::Segment::create failed to shm_open(/squid-cf__metadata.shm): (17) File exists
a previous run (for example the foreground test in 2.4) left its shared-memory segments behind. Make sure no squid process is still running, then remove them,
rm -rf /dev/shm/squid-cf__*.shm
Other useful commands,
systemctl status squid.service
systemctl stop squid.service
systemctl restart squid.service
2.6 Client test
2.6.1 Remove the client's default route
route del default
Note: with no default route the client cannot reach the Internet directly, so a successful fetch below proves the traffic went through the proxy.
2.6.2 Point the client at the proxy
If proxy authentication were enabled, the variables would carry credentials, for example:
export http_proxy="http://user1:passwd1@10.168.0.80:3128"
export https_proxy="http://user1:passwd1@10.168.0.80:3128"
This configuration has no authentication, so omit the username and password:
export http_proxy="http://10.168.0.80:3128"
export https_proxy="http://10.168.0.80:3128"
(https_proxy keeps the http:// scheme: curl speaks plain HTTP to the proxy and asks it for a CONNECT tunnel to port 443.)
2.6.3 Test communication through the proxy
curl http://www.cmdschool.org
curl https://www.cmdschool.org
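Once the client test has run, every request appears in /var/log/squid/access.log. The following added example (not part of the original page, and not Squid's own tooling) parses a few constructed lines in Squid's default native log format, which is what the unmodified squid.conf above produces, and pulls out what a practitioner looks at after turning on a proxy: which clients are being refused by http_access, CONNECT attempts to ports other than 443, and the cache hit ratio that section 1.5 quotes. The sample lines, hosts and addresses in them are made up for the example.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample in Squid's default ("native") access.log layout:
# time elapsed client action/status size method URL user hierarchy/peer type
# These lines are invented for the example; they are not output from the page's proxy.
SAMPLE_LOG = """\
1550000001.123     45 10.168.0.5 TCP_MISS/200 5120 GET http://www.cmdschool.org/ - HIER_DIRECT/203.0.113.10 text/html
1550000002.456    210 10.168.0.5 TCP_TUNNEL/200 18342 CONNECT www.cmdschool.org:443 - HIER_DIRECT/203.0.113.10 -
1550000003.789      0 10.168.0.5 TCP_DENIED/403 3890 CONNECT mail.example.net:25 - HIER_NONE/- text/html
1550000004.012      0 10.168.0.7 TCP_DENIED/403 3890 GET http://intranet.example.net:23/ - HIER_NONE/- text/html
1550000005.345      0 203.0.113.77 TCP_DENIED/403 3890 GET http://www.cmdschool.org/ - HIER_NONE/- text/html
1550000006.678      3 10.168.0.5 TCP_MEM_HIT/200 5120 GET http://www.cmdschool.org/ - HIER_NONE/- text/html
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<action>[A-Z_]+)/(?P<status>\d{3})\s+(?P<size>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>\S+)\s+(?P<ctype>\S+)$"
)

DEFAULT_PORTS = {"http": 80, "https": 443, "ftp": 21}


def parse_access_log(text):
    """Parse native-format lines into dicts. A line that does not fit raises
    instead of being skipped, so a changed logformat is noticed immediately."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not in Squid native format: {line!r}")
        rec = m.groupdict()
        rec["status"] = int(rec["status"])
        rec["size"] = int(rec["size"])
        rec["elapsed"] = int(rec["elapsed"])
        records.append(rec)
    return records


def dest_port(rec):
    """Destination port: CONNECT logs host:port, other methods log a full URL."""
    if rec["method"] == "CONNECT":
        return int(rec["url"].rpartition(":")[2])
    parts = urlsplit(rec["url"])
    return parts.port or DEFAULT_PORTS.get(parts.scheme, 0)


def denied_by_client(records):
    """How many requests each client had rejected by http_access (TCP_DENIED)."""
    return Counter(r["client"] for r in records if r["action"] == "TCP_DENIED")


def non_ssl_connects(records):
    """CONNECT requests to ports other than 443: tunnelling attempts that the
    'http_access deny CONNECT !SSL_ports' line exists to block."""
    return [(r["client"], r["url"]) for r in records
            if r["method"] == "CONNECT" and dest_port(r) != 443]


def hit_ratio(records):
    """Share of successful GETs served from cache (any *_HIT action), which is
    the quantity section 1.5 quotes as a hit rate."""
    served = [r for r in records if r["method"] == "GET" and r["status"] == 200]
    hits = [r for r in served if "HIT" in r["action"]]
    return len(hits) / len(served) if served else 0.0


if __name__ == "__main__":
    recs = parse_access_log(SAMPLE_LOG)
    print("denied per client:", dict(denied_by_client(recs)))
    print("CONNECT to non-443 ports:", non_ssl_connects(recs))
    print(f"cache hit ratio on 200 GETs: {hit_ratio(recs):.0%}")
```

On a real proxy, feed the file in with parse_access_log(open("/var/log/squid/access.log").read()). A client that keeps appearing in denied_by_client while probing ports like 25 or 23 is either a misconfigured application or someone testing whether the proxy relays; an address outside localnet in that list means port 3128 is reachable from further than intended and the iptables rule in 2.1.4 should be tightened.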
References
Compiling Squid: https://wiki.squid-cache.org/SquidFaq/CompilingSquid
Squid downloads: http://www.squid-cache.org/Versions/