How to compile and deploy Squid?

Forward Proxy

1 Basics

1.1 Introduction

Squid is a web caching proxy server that supports HTTP, HTTPS, FTP and other protocols.

1.2 What it does

– Squid reduces bandwidth use and shortens response times by caching and reusing frequently requested pages
– Squid has extensive access controls

1.3 Supported systems

– Unix
– Linux
– Windows

1.4 Use cases

– Accelerating web access for users (better performance and bandwidth savings)
– Routing requests to other servers (optimising network throughput with a hierarchy of cache servers)
– Improving page load speed and reducing the load on back-end servers
– Building a load-balancing cluster for web services

1.5 Hit rate

– Squid systems currently achieve a hit rate of roughly 75%
– In a high-traffic environment, Squid's page cache hit rate can reach as high as 100%

2 Practice

2.1 System environment configuration

2.1.1 Basic configuration information

Squid Server:
IP Address = 10.168.0.80
Gateway = 10.168.0.1
hostname = squid.cmdschool.org
Operating System = CentOS 7.x x86_64

Squid Client:
IP Address = 10.168.0.x
Gateway = 10.168.0.1
hostname = client.cmdschool.org
Operating System = CentOS 7.x x86_64

2.1.2 Update the system

yum -y update

2.1.3 Remove firewalld

yum remove -y firewalld

2.1.4 Install the iptables service

yum install -y iptables-services

Check the default configuration that is already present,

cat /etc/sysconfig/iptables

The following configuration is shown,

# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

In addition, it is recommended to add a rule for the Squid port right away,

vi /etc/sysconfig/iptables

Add the following rule (place it before the final INPUT REJECT line, since iptables matches rules in order):

-A INPUT -p tcp -m state --state NEW -m tcp --dport 3128 -j ACCEPT

Once the configuration above is confirmed correct, start the service and enable it at boot,

systemctl start iptables.service
systemctl enable iptables.service

2.1.5 Disable SELinux

setenforce 0
sed -i "s/SELINUX=enforcing/SELINUX=disabled/g" /etc/selinux/config

2.1.6 Configure time synchronisation

yum install -y chrony

Confirm that the following time server configuration suits your environment,

grep ^server /etc/chrony.conf

The following server configuration is shown,

server 0.centos.pool.ntp.org iburst
server 1.centos.pool.ntp.org iburst
server 2.centos.pool.ntp.org iburst
server 3.centos.pool.ntp.org iburst

Start the service and enable it at boot

systemctl start chronyd.service
systemctl enable chronyd.service

2.2 Software configuration

2.2.1 Install common tools

yum install -y vim bzip2 sudo wget

2.2.2 Download the package

cd ~
wget http://www.squid-cache.org/Versions/v4/squid-4.6.tar.bz2

2.2.3 Extract the package

cd ~
tar -xf squid-4.6.tar.bz2

2.3 Compile and install Squid

2.3.1 Install the build tools

yum install -y perl gcc gcc-c++ autoconf automake make

2.3.2 Configure the build

cd ~/squid-4.6
./configure --prefix=/usr \
            --bindir=/usr/sbin \
            --sbindir=/usr/sbin \
            --sysconfdir=/etc/squid \
            --libdir=/usr/lib64  \
            --libexecdir=/usr/libexec/squid \
            --mandir=/usr/share/man \
            --includedir=/usr/include \
            --datadir=/usr/share \
            --localstatedir=/var \
            --with-logdir=/var/log/squid  \
            --with-default-user=squid

Depending on requirements, the following dependencies may need to be installed,

yum install -y libxml2-devel libcap-devel

If bootstrapping and building from bzr, the following dependency package is also required,

yum install -y libtool-ltdl-devel

2.3.3 Compile

make

2.3.4 Install

make install | tee install.log

2.3.5 Create the runtime user

groupadd -g 23 squid
useradd -u 23 -g 23 -d /var/spool/squid -s /sbin/nologin squid

2.4 Test starting Squid

2.4.1 Create the cache directories

squid -z

Note:
– the z option creates the cache directories and exits
Also, depending on the error messages shown, you may need to fix some issues, such as creating the cache log file,

touch /var/log/squid/cache.log
chown :squid /var/log/squid/cache.log
chmod g+w /var/log/squid/cache.log

2.4.2 Trial run

squid -N -D -d1

Note:
– the program above can be terminated with [Ctrl+C]
– the N option keeps the main process in the foreground and does not fork child processes
– the D option is marked obsolete and scheduled for removal
– the d option writes debugging output at the given debug level to standard error
Also, depending on the messages shown at run time, you may need to fix the following errors, such as creating the access log file,

touch /var/log/squid/access.log
chown :squid /var/log/squid/access.log
chmod g+w /var/log/squid/access.log

2.4.3 Try running the program manually

squid -f /etc/squid/squid.conf

Note:
– the f option specifies the configuration file to read at startup

2.4.4 Confirm the running state

pgrep -a squid
netstat -antp | grep squid

2.4.5 Stop the process manually

# send SIGINT (-2) to the Squid master process started by root; Squid handles it as a shutdown request
kill -2 "$(pgrep -u root squid)"

Note: the command above stops the process slowly, because Squid shuts down gracefully; wait a moment

2.5 Configure Squid startup control

2.5.1 Create the systemd unit

vim /usr/lib/systemd/system/squid.service

Add the following configuration:

[Unit]
Description=Squid caching proxy
After=syslog.target network.target nss-lookup.target

[Service]
Type=forking
LimitNOFILE=16384
EnvironmentFile=/etc/sysconfig/squid
ExecStartPre=/usr/libexec/squid/cache_swap.sh
ExecStart=/usr/sbin/squid $SQUID_OPTS -f $SQUID_CONF
ExecReload=/usr/sbin/squid $SQUID_OPTS -k reconfigure -f $SQUID_CONF
ExecStop=/usr/sbin/squid -k shutdown -f $SQUID_CONF
TimeoutSec=0

[Install]
WantedBy=multi-user.target

2.5.2 Create the environment configuration

vim /etc/sysconfig/squid

Add the following configuration:

# default squid options
SQUID_OPTS=""

# Time to wait for Squid to shut down when asked. Should not be necessary
# most of the time.
SQUID_SHUTDOWN_TIMEOUT=100

# default squid conf file
SQUID_CONF="/etc/squid/squid.conf"

2.5.3 Create the configuration file

vim /etc/squid/squid.conf

Change the configuration as follows:

#
# Recommended minimum configuration:
#

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost

# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128
http_port 3128

# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/spool/squid 100 16 256

# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid

#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320
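Squid evaluates http_access lines top to bottom and stops at the first match, so the order in the file above is what makes the policy safe: the port and CONNECT denies come before any allow, and "deny all" is last. The following shell lint is an added example, not part of the original post; it checks a constructed squid.conf fragment (reproducing the order above) for the ordering mistakes that silently weaken the policy.

```shell
#!/bin/sh
# Constructed sample squid.conf fragment (not a real file from any host);
# it reproduces the http_access order used in section 2.5.3.
SAMPLE_CONF='acl localnet src 10.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 443
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
#http_access deny to_localhost
http_access allow localnet
http_access allow localhost
http_access deny all
http_port 3128'

# check_http_access: read a squid.conf on stdin, print one finding per line.
# Squid uses first-match semantics for http_access, so "deny all" must be the
# last rule and the !Safe_ports / CONNECT denies must precede every allow.
check_http_access() {
    sed -e 's/#.*//' | awk '
        $1 == "http_access" {
            n++
            if ($2 == "allow" && !first_allow) first_allow = n
            if ($2 == "deny" && $3 == "!Safe_ports") safe = n
            if ($2 == "deny" && $3 == "CONNECT") connect = n
            if ($2 == "deny" && $3 == "all") deny_all = n
        }
        END {
            if (!deny_all)          print "missing: http_access deny all"
            else if (deny_all != n) print "deny all is not the last http_access line"
            if (!safe)              print "missing: http_access deny !Safe_ports"
            else if (first_allow && safe > first_allow) print "deny !Safe_ports is placed after an allow"
            if (!connect)           print "missing: http_access deny CONNECT !SSL_ports"
            else if (first_allow && connect > first_allow) print "deny CONNECT is placed after an allow"
        }'
}

# lint_conf: wrapper that prints the findings and returns 1 if there are any.
lint_conf() {
    out=$(check_http_access)
    [ -z "$out" ] || { printf '%s\n' "$out"; return 1; }
}
```

Run it against a live file with `lint_conf < /etc/squid/squid.conf`; a non-zero exit means at least one finding was printed.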

2.5.4 Create the cache swap script

vim /usr/libexec/squid/cache_swap.sh

Create it with the following content:

#!/bin/bash
# Load SQUID_CONF (and other settings) from the environment file if present
if [ -f /etc/sysconfig/squid ]; then
        . /etc/sysconfig/squid
fi

SQUID_CONF=${SQUID_CONF:-"/etc/squid/squid.conf"}

# Collect the directory argument of every uncommented cache_dir line
CACHE_SWAP=$(sed -e 's/#.*//g' "$SQUID_CONF" | \
        grep cache_dir | awk '{ print $3 }')

# Initialise each cache directory that has not been created yet
for adir in $CACHE_SWAP; do
        if [ ! -d "$adir/00" ]; then
                echo -n "init_cache_dir $adir... "
                squid -N -z -F -f "$SQUID_CONF" >> /var/log/squid/squid.out 2>&1
        fi
done

You also need to make the script executable,

chmod 755 /usr/libexec/squid/cache_swap.sh

2.5.5 Reload so the configuration takes effect

systemctl daemon-reload

2.5.6 Start the service and enable it at boot

systemctl start squid.service
systemctl enable squid.service

If you encounter the following error,

FATAL: Ipc::Mem::Segment::create failed to shm_open(/squid-cf__metadata.shm): (17) File exists

Run the following to resolve it,

rm -rf /dev/shm/squid-cf__*.shm

Other optional commands,

systemctl status squid.service
systemctl stop squid.service
systemctl restart squid.service

2.6 Client test

2.6.1 Delete the client's default route

route del default

Note: this prevents traffic from leaving via the default route, so the test only succeeds if requests go through the proxy

2.6.2 Specify the proxy server

export http_proxy="http://user1:passwd1@10.168.0.80:3128"
export https_proxy="http://user1:passwd1@10.168.0.80:3128"

Since the configuration does not enable authentication, omit the username and password,

export http_proxy="http://10.168.0.80:3128"
export https_proxy="http://10.168.0.80:3128"

2.6.3 Test proxy communication

curl http://www.cmdschool.org
curl https://www.cmdschool.org
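Once the test requests above have gone through the proxy, /var/log/squid/access.log records each one in Squid's native log format (timestamp, elapsed ms, client, result/status, bytes, method, URL, user, hierarchy/peer, content type). The script below is an added example, not from the original post; it works on a constructed sample of that format and reports the hit ratio that section 1.5 talks about, together with the clients whose requests the http_access rules denied.

```shell
#!/bin/sh
# Constructed sample in Squid's native access.log format (not a real log).
SAMPLE_LOG='1700000000.101    120 10.168.0.21 TCP_MISS/200 5123 GET http://www.cmdschool.org/ - HIER_DIRECT/203.0.113.10 text/html
1700000001.202      3 10.168.0.21 TCP_MEM_HIT/200 5123 GET http://www.cmdschool.org/ - HIER_NONE/- text/html
1700000002.303    450 10.168.0.21 TCP_TUNNEL/200 8812 CONNECT www.cmdschool.org:443 - HIER_DIRECT/203.0.113.10 -
1700000003.404      1 198.51.100.7 TCP_DENIED/403 3850 GET http://www.cmdschool.org/ - HIER_NONE/- text/html
1700000004.505      1 10.168.0.21 TCP_DENIED/403 3850 CONNECT example.org:8080 - HIER_NONE/- -'

# summarize_access_log: read access.log lines on stdin and print three numbers:
#   hits    = requests whose result code contains HIT (served from cache)
#   denied  = requests rejected by http_access (TCP_DENIED)
#   hit_pct = hits * 100 / requests that were actually served (denied excluded)
summarize_access_log() {
    awk '
        { split($4, r, "/"); total++
          if (r[1] == "TCP_DENIED")  denied++
          else if (r[1] ~ /HIT/)     hits++ }
        END { served = total - denied
              printf "%d %d %d\n", hits, denied, served ? int(hits * 100 / served) : 0 }'
}

# denied_clients: list client IPs with at least one TCP_DENIED, sorted and
# de-duplicated.  A source outside localnet showing up here means someone
# who is not supposed to reach the proxy is probing it.
denied_clients() {
    awk '$4 ~ /^TCP_DENIED\// { print $3 }' | sort -u
}
```

On the server, `summarize_access_log < /var/log/squid/access.log` gives the figures for the real log.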

====================

Compiling Squid:
—————-
https://wiki.squid-cache.org/SquidFaq/CompilingSquid

Squid downloads:
—————-
http://www.squid-cache.org/Versions/
