Squid traditional proxy + transparent proxy

Squid proxy overview

Squid is a high-performance caching proxy server. It proxies HTTP and HTTPS and can also fetch over FTP and (in older releases) gopher. Unlike traditional caching software, which forks a process per connection, Squid handles all client requests in a single, non-blocking, I/O-driven process.
Flow chart (image not reproduced)

  1. Squid stores web objects so that repeated requests for the same object do not have to go back to the origin server.
  2. It does this by accepting requests for the objects clients want to download and handling those requests on the clients' behalf.
  3. In other words, when a client wants a web page, it asks Squid to fetch the page for it. Squid then connects to the remote server (for example http://squid.nlanr.net/) and requests the page.
  4. Squid streams the data back to the client and at the same time writes a copy to its cache. The next time someone asks for the same page (and the stored copy is still fresh), Squid simply reads it from disk and returns it immediately.

Common types of squid

Traditional proxy
An ordinary forward proxy. Each client must be explicitly configured with the proxy server's address and port, and the browser then sends its requests (absolute URIs, or CONNECT for HTTPS) to the proxy instead of to the origin server.

Transparent proxy
The client needs no proxy settings at all. Its traffic passes through the proxy box because that box is its default gateway, and a firewall rule there redirects web traffic (port 80 in the experiment below) to Squid's listening port.

Using a proxy can speed up web access through caching, and because the origin server only ever sees connections from the proxy, the client's real IP address is hidden from it to some extent (by default Squid still adds an X-Forwarded-For header carrying the client address; set forwarded_for off or forwarded_for delete if hiding the client is the goal).
Squid can also filter on the destination being accessed, on the client's address, and on the time of day, through its acl and http_access rules.

Let's get to the demo!

Traditional proxy experiment

Experiment description
Squid server IP: 20.0.0.11
Web server IP: 20.0.0.3
Access test client: 20.0.0.101

Deploy the service on the squid server

[root@localhost bao]# ls
squid-3.4.6.tar.gz
[root@localhost bao]# tar zxvf squid-3.4.6.tar.gz
[root@localhost bao]# cd squid-3.4.6
[root@localhost squid-3.4.6]# yum -y install \   ##install the C/C++ toolchain
> gcc gcc-c++ 
[root@localhost squid-3.4.6]# ./configure \
> --prefix=/usr/local/squid \    ##install prefix
> --sysconfdir=/etc \			 ##where squid.conf is placed
> --enable-arp-acl \			 ##ARP (MAC address) ACL support
> --enable-linux-netfilter \	 ##netfilter support, needed for interception
> --enable-linux-tproxy \		 ##TPROXY support (transparent mode)
> --enable-async-io=100 \		 ##asynchronous disk I/O with 100 threads
> --enable-err-language="Simplify_Chinses" \  ##error pages in Simplified Chinese (value as written on the page; check the errors/ directory of your source tree for the exact name)
> --enable-underscore \			 ##accept underscores in hostnames
> --enable-poll \				 ##use poll() for I/O
> --enable-gnuregex				 ##GNU regex support
[root@localhost squid-3.4.6]# make && make install
[root@localhost squid-3.4.6]# ln -s /usr/local/squid/sbin/* /usr/local/sbin/   ##symlink the binaries into the PATH
[root@localhost squid-3.4.6]# useradd -M -s /sbin/nologin squid   ##unprivileged account for the worker process
[root@localhost squid-3.4.6]# chown -R squid:squid /usr/local/squid/var/

Basic service configuration

[root@localhost squid-3.4.6]# cd /etc/   ##the configure step above put the configuration files under /etc
[root@localhost etc]# ll |grep squid
-rw-r--r--.  1 root root     2347 Sep  6 11:05 squid.conf
-rw-r--r--.  1 root root     2347 Sep  6 11:05 squid.conf.default
-rw-r--r--.  1 root root   281814 Sep  6 11:05 squid.conf.documented
[root@localhost etc]# vim squid.conf
http_access allow all   ##around line 56; the default line is "http_access deny all" and the tutorial changes deny to allow. This makes Squid an open proxy for anyone who can reach port 3128. Acceptable on an isolated lab network; anywhere else, allow only your own subnets and keep "deny all" as the last http_access line

# Squid normally listens to port 3128  ##default port 3128, bound to all interfaces
http_port 3128
cache_effective_user squid    ##run the worker as this user
cache_effective_group squid   ##and this group
[root@localhost etc]# squid -k parse  ##check configuration syntax
[root@localhost etc]# squid -z  ##create the cache directories
[root@localhost etc]# 2020/09/06 11:20:54 kid1| Set Current Directory to /usr/local/squid/var/cache/squid
2020/09/06 11:20:54 kid1| Creating missing swap directories
2020/09/06 11:20:54 kid1| No cache_dir stores are configured.
##no cache_dir is configured, so only the in-memory cache (cache_mem) will be used
##Note: you have to press Enter yourself to get the prompt back. I waited a long time here thinking it had errored out!!!
[root@localhost etc]# 
[root@localhost etc]# squid   ##start the service
[root@localhost etc]# netstat -ntap |grep 3128
tcp6       0      0 :::3128                 :::*                    LISTEN      106428/(squid-1)  
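The single-line edit above (http_access allow all) and the earlier claim that Squid can filter by destination, client address and time of day both come down to how Squid evaluates acl and http_access lines: top-down, every ACL on a line must match ("!" negates), the first matching line decides, and when nothing matches the result is the opposite of the last line. The following is an added example in Python, not Squid's own code and not part of the original page: it models that evaluation for src, dst, dstdomain, port and method ACLs (time ACLs are left out), and compares the page's open configuration with a hardened one. The hardened configuration, the .example.org block list and the outside address 198.51.100.7 are assumptions built from the lab addresses used on this page.

```python
"""Model of Squid's http_access evaluation: lines are tried top-down, every ACL on a
line must match (AND, "!" negates), the first matching line decides, and when no line
matches the result is the opposite of the last line. Added example for this page, not
Squid's code; it covers only src, dst, dstdomain, port and method ACLs plus builtin "all"."""
import ipaddress
from dataclasses import dataclass

@dataclass
class Request:
    src: str            # client address
    dst_host: str       # host part of the URL (or the Host header)
    dst_port: int
    method: str = "GET"
    dst_ip: str = ""    # resolved destination address, only used by "dst" ACLs

def parse_config(text):
    """Return ({acl_name: (type, values)}, [(allow, terms, line)]) from squid.conf text."""
    acls = {"all": ("src", ["0.0.0.0/0", "::/0"])}  # Squid's builtin "all"
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()           # drop comments and blank lines
        parts = line.split()
        if len(parts) >= 4 and parts[0] == "acl":
            name, kind, values = parts[1], parts[2], parts[3:]
            old_kind, old_values = acls.get(name, (kind, []))
            if old_kind != kind:
                raise ValueError(f"acl {name} redefined with a different type")
            acls[name] = (kind, old_values + values)  # repeated lines extend an ACL
        elif len(parts) >= 3 and parts[0] == "http_access":
            if parts[1] not in ("allow", "deny"):
                raise ValueError(f"bad http_access line: {line}")
            for term in parts[2:]:
                if term.lstrip("!") not in acls:     # Squid rejects this at parse time too
                    raise ValueError(f"undefined acl {term} in: {line}")
            rules.append((parts[1] == "allow", parts[2:], line))
    return acls, rules

def _in_any(addr, networks):
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(n, strict=False) for n in networks)

def acl_matches(kind, values, req):
    """Does one ACL of the given type match the request?"""
    if kind == "src":
        return _in_any(req.src, values)
    if kind == "dst":
        return bool(req.dst_ip) and _in_any(req.dst_ip, values)
    if kind == "dstdomain":  # a leading dot matches the domain itself and all subdomains
        host = req.dst_host.lower()
        return any(host == v.lstrip(".") or (v.startswith(".") and host.endswith(v))
                   for v in (v.lower() for v in values))
    if kind == "port":       # single port or "lo-hi" range
        return any(int(v.partition("-")[0]) <= req.dst_port <= int(v.partition("-")[2] or v)
                   for v in values)
    if kind == "method":
        return req.method.upper() in {v.upper() for v in values}
    raise ValueError(f"unsupported acl type: {kind}")

def decide(conf_text, req):
    """Return (allowed, reason): the http_access line that decided, or the default rule."""
    acls, rules = parse_config(conf_text)
    for allow, terms, line in rules:
        if all(acl_matches(*acls[t.lstrip("!")], req) != t.startswith("!") for t in terms):
            return allow, line
    if not rules:
        return True, "no http_access lines: Squid allows everything"
    return (not rules[-1][0]), "no line matched: opposite of the last http_access line"

def unreachable_rules(conf_text):
    """http_access lines that can never fire because an earlier line matches everything."""
    _, rules = parse_config(conf_text)
    for i, (_, terms, _) in enumerate(rules):
        if terms == ["all"]:
            return [line for _, _, line in rules[i + 1:]]
    return []

# The tutorial's edit: one line, everything allowed from anywhere.
OPEN_CONF = "http_access allow all\n"

# A hardened equivalent (assumed here, built from the lab subnets used on this page).
HARDENED_CONF = """
acl localnet src 20.0.0.0/24 192.168.10.0/24   # the two lab segments
acl Safe_ports port 80 443 21 70 1025-65535
acl SSL_ports port 443
acl CONNECT method CONNECT
acl blocked dstdomain .example.org              # illustrative block list
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny blocked
http_access allow localnet
http_access deny all
"""

if __name__ == "__main__":
    for r in (Request("20.0.0.101", "20.0.0.3", 80), Request("198.51.100.7", "20.0.0.3", 80)):
        print(r.src, "open:", decide(OPEN_CONF, r), "hardened:", decide(HARDENED_CONF, r))
```

Run it and the lab client 20.0.0.101 is allowed by both configurations, while the outside address is allowed by the page's one-liner and stopped by "http_access deny all" in the hardened one. unreachable_rules() is the lint a reviewer would apply to a real squid.conf: any http_access line that follows a bare "allow all" or "deny all" can never be reached.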

Add squid to service management

[root@localhost etc]# vim /etc/init.d/squid
#!/bin/bash
#chkconfig: 2345 90 25     ##runlevels and start/stop priority
PID="/usr/local/squid/var/run/squid.pid"   ##PID file
CONF="/etc/squid.conf"                     ##main configuration file
CMD="/usr/local/squid/sbin/squid"          ##squid binary

case "$1" in
start)
        if netstat -ntap | grep -q squid; then
                echo "squid is running"
        else
                echo "Starting squid..."
                $CMD -f "$CONF"
        fi
        ;;
stop)
        $CMD -k kill &> /dev/null   ##stop squid (-k shutdown is the graceful alternative)
        rm -f "$PID" &> /dev/null    ##remove the PID file
        ;;
status)
        if [ -f "$PID" ]; then
                netstat -ntap | grep squid
        else
                echo "squid is not running"
        fi
        ;;
restart)
        $0 stop &> /dev/null
        echo "Stopping squid..."
        $0 start &> /dev/null
        echo "Starting squid..."
        ;;
reload)
        $CMD -k reconfigure   ##reload the configuration file
        ;;
check)
        $CMD -k parse         ##check configuration syntax
        ;;
*)
        echo "Usage: $0 {start|stop|reload|status|check|restart}"
        ;;
esac
[root@localhost etc]# chmod +x /etc/init.d/squid    ##make it executable
[root@localhost etc]# chkconfig --add squid 		##register the service
[root@localhost etc]# chkconfig --level 35 squid on ##start automatically in runlevels 3 and 5

Configure traditional proxy

[root@localhost etc]# vim /etc/squid.conf
# Squid normally listens to port 3128
http_port 3128
cache_effective_user squid
cache_effective_group squid		##add the following three lines below this one
cache_mem 64 MB    ##memory cache size, 64 MB (with no cache_dir this is the only cache)
reply_body_max_size 10 MB	##largest response body a client may download; 0 means unlimited
maximum_object_size 4096 KB		##largest object that will be stored in the cache, in KB; larger objects are passed through to the client without being cached
[root@localhost etc]# service squid stop
[root@localhost etc]# netstat -ntap |grep 3128
[root@localhost etc]# service squid start
[root@localhost etc]# iptables -F    ##flushes every rule in the filter table (lab shortcut)
[root@localhost etc]# iptables -I INPUT -p tcp --dport 3128 -j ACCEPT  ##add a rule allowing port 3128
[root@localhost etc]# setenforce 0   ##puts SELinux in permissive mode; another lab shortcut, keep it enforcing in production

Configure WEB server

[root@web01 ~]# yum -y install httpd
[root@web01 ~]# setenforce 0
[root@web01 ~]# systemctl stop firewalld
[root@web01 ~]# systemctl start httpd

Configure the Squid proxy on the client.
Open Internet Explorer and set the proxy server to the Squid server's address 20.0.0.11, port 3128 (screenshots not reproduced), then open http://20.0.0.3/ in the browser to reach the web server through the proxy.

View log from WEB01 server

[root@web01 ~]# cd /var/log/httpd/
[root@web01 httpd]# ls
access_log  error_log
[root@web01 httpd]# cat access_log 
##the client address recorded is the Squid server's IP (20.0.0.11), not the test client's 20.0.0.101: the origin server only sees the proxy
20.0.0.11 - - [06/Sep/2020:13:57:31 +0800] "GET /noindex/css/fonts/Light/OpenSans-Light.ttf HTTP/1.1" 404 240 "http://20.0.0.3/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.18363"
20.0.0.11 - - [06/Sep/2020:13:57:31 +0800] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.18363"

The traditional proxy experiment is complete and works as expected.

Transparent proxy experiment

Keeping the addresses above, add a second network card to the Squid server with IP address 192.168.10.10 and attach it to LAN segment 1.
Move the test client to LAN segment 1 as well, change its IP address to 192.168.10.20, remove the proxy settings from the system, and set its gateway to 192.168.10.10.

[root@localhost etc]# cd /etc/sysconfig/network-scripts/
[root@localhost network-scripts]# cp ifcfg-ens33 ifcfg-ens37
[root@localhost network-scripts]# vim ifcfg-ens37   ##delete any UUID or HWADDR line copied over from ens33
NAME=ens37
DEVICE=ens37
ONBOOT=yes
IPADDR=192.168.10.10
PREFIX=24
GATEWAY=192.168.10.10   ##this is the interface's own address, so the entry does nothing useful here and can be left out
DNS1=114.114.114.114
[root@localhost network-scripts]# systemctl restart network

Set up squid server

[root@localhost network-scripts]# vim /etc/sysctl.conf   ##enable IP forwarding so the proxy can route between the two segments
net.ipv4.ip_forward=1
[root@localhost network-scripts]# sysctl -p
net.ipv4.ip_forward = 1

Modify the main configuration file

[root@localhost network-scripts]# vim /etc/squid.conf
# Squid normally listens to port 3128
http_port 192.168.10.10:3128 transparent  ##change this line; "transparent" is the old name for "intercept" and is still accepted. Binding to 192.168.10.10 also means the traditional proxy on 20.0.0.11:3128 is no longer listening
cache_effective_user squid
cache_effective_group squid
cache_mem 64 MB
[root@localhost network-scripts]# iptables -F
[root@localhost network-scripts]# iptables -t nat -F
[root@localhost network-scripts]# iptables -t nat -I PREROUTING -i ens37 -s 192.168.10.0/24 -p tcp --dport 80 -j REDIRECT --to 3128   ##send the LAN's port-80 traffic to Squid's intercept port
[root@localhost network-scripts]# iptables -t nat -I PREROUTING -i ens37 -s 192.168.10.0/24 -p tcp --dport 443 -j REDIRECT --to 3128  ##this rule does not do what it looks like: an intercept http_port expects plaintext HTTP, and the TLS ClientHello that arrives on it is rejected, so HTTPS sites break instead of being proxied. Intercepting 443 needs an https_port with intercept and ssl-bump plus a CA certificate the clients trust, none of which this page sets up; drop the rule and let port 443 be routed normally
[root@localhost network-scripts]# iptables -I INPUT -p tcp --dport 3128 -j ACCEPT
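In the traditional proxy section the browser sent its requests explicitly to 20.0.0.11:3128; the REDIRECT rules here instead deliver ordinary origin-form requests to Squid's intercept port, and the client never knows a proxy is involved. The following added example in Python (not Squid's code, and not part of the original page) shows the difference on the wire and the check an intercepting proxy has to perform: it must rebuild the URL from the Host header and verify that the Host name actually belongs to the original destination address, because otherwise a client could make the cache store attacker content under a victim hostname. Squid performs that check for intercepted traffic (with host_verify_strict off, the default, a mismatched request is forwarded to the original destination but not cached; with it on, the request is rejected). The example also shows why the port-443 rule above does not work: what arrives there is a TLS ClientHello, not an HTTP request. The hostname www.bank.example, the address map standing in for DNS, and the sample requests are constructed for the example.

```python
"""What an intercepting proxy sees on a redirected connection, and what it must check.
An explicitly configured browser sends absolute URIs (or CONNECT) to the proxy; an
intercepted client sends origin-form requests, so the proxy rebuilds the URL from the
Host header and must confirm that Host really belongs to the original destination
(Squid's host_verify_strict check); otherwise a client can store attacker content in
the cache under a victim hostname. A TLS ClientHello on an http_port is not HTTP at all.
Added example for this page, not Squid's code."""
import struct

def parse_http_request(data):
    """Return (method, target, host) for a complete HTTP request head, else None."""
    head, sep, _ = data.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None
    headers = {}
    for hdr in lines[1:]:
        name, _, value = hdr.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return parts[0].decode(), parts[1].decode(), headers.get(b"host", b"").decode()

def parse_tls_sni(data):
    """Return the SNI name from a TLS ClientHello ("" if none), or None if not a ClientHello."""
    if len(data) < 6 or data[0] != 0x16 or data[5] != 0x01:  # handshake record, ClientHello
        return None
    try:
        pos = 5 + 4 + 2 + 32                      # record hdr, handshake hdr, version, random
        pos += 1 + data[pos]                      # session id
        pos += 2 + struct.unpack_from("!H", data, pos)[0]   # cipher suites
        pos += 1 + data[pos]                      # compression methods
        if pos + 2 > len(data):
            return ""                             # no extensions block
        end = pos + 2 + struct.unpack_from("!H", data, pos)[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack_from("!HH", data, pos)
            pos += 4
            if ext_type == 0:                     # server_name: list len(2), type(1), len(2), name
                name_len = struct.unpack_from("!H", data, pos + 3)[0]
                return data[pos + 5:pos + 5 + name_len].decode("idna")
            pos += ext_len
        return ""
    except (IndexError, struct.error):            # truncated or malformed hello
        return None

def classify(first_bytes, orig_dst_ip, resolver):
    """Classify the first bytes of a connection that REDIRECT sent to the proxy port.
    resolver maps hostname -> set of addresses (a constructed stand-in for DNS)."""
    req = parse_http_request(first_bytes)
    if req:
        method, target, host = req
        if method == "CONNECT" or target.startswith(("http://", "https://")):
            return {"kind": "explicit-proxy", "method": method, "target": target}
        if not host:
            return {"kind": "intercepted-http", "host_verified": False, "reason": "no Host header"}
        hostname = host.rsplit(":", 1)[0]         # strip :port (IPv6 literals not handled)
        verified = orig_dst_ip in resolver.get(hostname, {hostname})  # an IP literal "resolves" to itself
        return {"kind": "intercepted-http", "url": f"http://{host}{target}", "host_verified": verified}
    sni = parse_tls_sni(first_bytes)
    if sni is not None:
        return {"kind": "tls", "sni": sni, "note": "needs https_port intercept ssl-bump, not http_port"}
    return {"kind": "unknown"}

def build_client_hello(server_name):
    """Construct a minimal TLS 1.2 ClientHello carrying an SNI extension (test input only)."""
    name = server_name.encode("idna")
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    ext = struct.pack("!HH", 0, len(sni)) + sni
    body = (b"\x03\x03" + b"\x00" * 32             # client_version, random
            + b"\x00"                               # empty session id
            + struct.pack("!H", 2) + b"\x13\x01"    # one cipher suite
            + b"\x01\x00"                           # one compression method (null)
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

# Constructed samples: the lab addresses from this page plus a made-up victim hostname.
DNS = {"www.bank.example": {"203.0.113.10"}}
SAMPLES = [
    (b"GET http://20.0.0.3/ HTTP/1.1\r\nHost: 20.0.0.3\r\n\r\n", "20.0.0.11"),      # browser -> 20.0.0.11:3128
    (b"GET / HTTP/1.1\r\nHost: 20.0.0.3\r\n\r\n", "20.0.0.3"),                     # intercepted, honest
    (b"GET /login HTTP/1.1\r\nHost: www.bank.example\r\n\r\n", "198.51.100.7"),   # intercepted, spoofed Host
    (build_client_hello("www.bank.example"), "203.0.113.10"),                      # port 443 redirected
]

if __name__ == "__main__":
    for data, dst in SAMPLES:
        print(dst, classify(data, dst, DNS))
```

The third sample is the attack the Host check exists for: a client on the LAN connects to an address it controls (198.51.100.7), but labels the request "Host: www.bank.example"; an intercepting proxy that trusted the header would cache whatever that server returns under the bank's name. The fourth sample is what Squid's plain http_port receives from the port-443 REDIRECT rule above.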

Set up on the WEB server

[root@localhost ~]# route add -net 192.168.10.0/24 gw 20.0.0.11   ##on web01: return route for the 192.168.10.0/24 segment via the proxy, which does no NAT here
[root@localhost ~]# ping 192.168.10.20
PING 192.168.10.20 (192.168.10.20) 56(84) bytes of data.
64 bytes from 192.168.10.20: icmp_seq=1 ttl=127 time=0.793 ms
64 bytes from 192.168.10.20: icmp_seq=2 ttl=127 time=0.434 ms
^C
--- 192.168.10.20 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 999ms
rtt min/avg/max/mdev = 0.434/0.613/0.793/0.181 ms

Experimental verification: the client at 192.168.10.20, with no proxy configured, opens http://20.0.0.3/ in the browser (screenshot not reproduced).
View logs on apache

[root@localhost ~]# cat /var/log/httpd/access_log    ##on web01; the client address is again the Squid server's 20.0.0.11
20.0.0.11 - - [06/Sep/2020:15:08:55 +0800] "GET /noindex/css/fonts/Light/OpenSans-Light.ttf HTTP/1.1" 404 240 "http://20.0.0.3/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.18363"
20.0.0.11 - - [06/Sep/2020:15:08:55 +0800] "GET /noindex/css/fonts/Bold/OpenSans-Bold.ttf HTTP/1.1" 404 238 "http://20.0.0.3/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.18363"

Experiment completed

Origin blog.csdn.net/Ora_G/article/details/108428918