Squid proxy server application (traditional mode and transparent mode actual operation configuration)

Preface

The same idea underlies what is commonly known as a CDN (Content Delivery Network): an intelligent virtual network built on top of the existing network. Relying on edge servers deployed in many locations, together with the load balancing, content distribution and scheduling modules of a central platform, it lets users fetch the content they need from a nearby node, which reduces network congestion and improves response time and cache hit rate. The key CDN technologies are content storage and content distribution.

One: Overview of Caching Proxy

1.1: The working mechanism of Web proxy

  • Cache web page objects to reduce repeated requests

  • Web content can only be obtained by accessing a web server. A server may cope with hundreds or thousands of requests, but with tens of thousands of concurrent visits even a well-provisioned server may not withstand the load. The Squid proxy server relieves this pressure: instead of contacting the web server directly, the user's requests go through Squid, which fetches the page on the client's behalf and caches it. Clients therefore no longer hit the web server for every request, which greatly reduces the latency caused by a large number of visits.

1.2: Basic types of proxies

  • Traditional proxy: used for Internet access; the client must explicitly specify the proxy server's address and port
  • Transparent proxy: the client does not need to specify the proxy server's address and port; Web access is redirected to the proxy server for processing by the default route and firewall policy

1.3: The benefits of using a proxy

  • Improve web access speed
  • Hide the real IP address of the client

Two: Squid experimental setup and configuration

2.1: Experimental environment

  • Three CentOS 7 hosts
    • One as Squid proxy server: 20.0.0.51
    • One as a web server: 20.0.0.52
    • One as a client: 20.0.0.20

2.2: Experimental purpose

  • By examining the log files you can see the address translation: the web server records the Squid proxy server's address instead of the client IP, so the client's source IP address is hidden

2.3: Experimental steps

  • Prepare squid package
  • Unzip the squid installation package
tar zxvf squid-3.4.6.tar.gz -C /opt/
  • Install the compilation environment
[root@squid ~]# cd /opt/squid-3.4.6/
[root@squid squid-3.4.6]# yum install gcc gcc-c++ -y
  • Compile and install
[root@squid squid-3.4.6]# ./configure --prefix=/usr/local/squid \
--sysconfdir=/etc \
--enable-arp-acl \
--enable-linux-netfilter \
--enable-linux-tproxy \
--enable-async-io=100 \
--enable-err-language="Simplify_Chinese" \
--enable-underscore \
--enable-poll \
--enable-gnuregex
    • --prefix: installation path
    • --sysconfdir: configuration file directory
    • --enable-arp-acl: enable ARP (MAC address) ACLs
    • --enable-linux-netfilter: kernel (netfilter) filtering support
    • --enable-linux-tproxy: transparent mode support
    • --enable-async-io=100: asynchronous I/O to improve throughput
    • --enable-err-language="Simplify_Chinese": Simplified Chinese error pages
    • --enable-underscore: allow underscore characters in hostnames
    • --enable-poll: poll() function module
    • --enable-gnuregex: regular expression support
[root@squid squid-3.4.6]# make && make install
  • Path optimization and creation of program users
[root@squid squid-3.4.6]# ln -s /usr/local/squid/sbin/* /usr/local/sbin  'create symbolic links to shorten the path'
[root@squid squid-3.4.6]# useradd -M -s /sbin/nologin squid  'create the program user (no home directory, no login shell)'
[root@squid squid-3.4.6]# chown -R squid:squid /usr/local/squid/var  'change the owner and group of the var directory'
  • Modify the main configuration file
[root@squid squid-3.4.6]# vim /etc/squid.conf
'Add below the http_port 3128 line'
cache_effective_user squid
cache_effective_group squid
  • Check the file configuration syntax and initialize the cache directory
[root@squid squid-3.4.6]# squid -k parse   'check the configuration syntax'
[root@squid squid-3.4.6]# squid -z 'initialize the cache directory'
[root@squid squid-3.4.6]# squid 'start the service'
  • Configure squid startup script
[root@squid squid-3.4.6]# cd /etc/init.d
[root@squid init.d]# vim squid
#!/bin/bash
# chkconfig: 2345 90 25
# description: SysV-style control script for a source-built Squid
PID="/usr/local/squid/var/run/squid.pid"
CONF="/etc/squid.conf"
CMD="/usr/local/squid/sbin/squid"

case "$1" in
    start)
        # Consider squid running if it already has a listening socket
        if netstat -natp | grep -q squid; then
            echo "squid is running"
        else
            echo "正在启动 squid..."
            $CMD -f "$CONF"
        fi
        ;;
    stop)
        $CMD -k kill &> /dev/null
        rm -f "$PID" &> /dev/null
        ;;
    status)
        # The pid file only exists while squid is running
        if [ -f "$PID" ]; then
            netstat -natp | grep squid
        else
            echo "squid is not running"
        fi
        ;;
    restart)
        echo "正在关闭 squid..."
        "$0" stop &> /dev/null
        echo "正在启动 squid..."
        "$0" start &> /dev/null
        ;;
    reload)
        $CMD -k reconfigure
        ;;
    check)
        $CMD -k parse
        ;;
    *)
        echo "用法: $0 {start|stop|status|reload|check|restart}"
        ;;
esac
  • Add script permissions, add services and open services
[root@squid init.d]# chmod +x squid
[root@squid init.d]# ls
functions  netconsole  network  README  squid
[root@squid init.d]# chkconfig --add squid
[root@squid init.d]# chkconfig --level 35 squid on  'start automatically at boot'
[root@squid init.d]# service squid stop
[root@squid init.d]# netstat -ntap |grep 3128
[root@squid init.d]# service squid start
正在启动 squid...
[root@squid init.d]# netstat -ntap |grep 3128
tcp6       0      0 :::3128                 :::*                    LISTEN      47369/(squid-1)     

2.4: Squid traditional proxy mode configuration

  • Modify the main configuration file
vim /etc/squid.conf
http_access allow all   'add this line above the http_access deny all line'
http_access deny all
'Add below the http_port 3128 line'
cache_mem 64 MB
reply_body_max_size 10 MB
maximum_object_size 4096 KB
  • Clear the existing firewall rules and add a rule for the proxy port
[root@squid init.d]# iptables -F
[root@squid init.d]# setenforce 0   'switch SELinux to permissive mode for this lab'
[root@squid init.d]# iptables -I INPUT -p tcp --dport 3128 -j ACCEPT
[root@squid init.d]# service squid reload    'reload the service'
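The `http_access allow all` line above lets any source use the proxy, because Squid evaluates `http_access` rules top to bottom and the first matching rule decides. The following added example (not from the original post) is a minimal evaluator for that first-match logic, limited to `acl NAME src CIDR` and `http_access allow|deny` lines; it contrasts the post's configuration with a constructed variant that only admits the lab subnet 20.0.0.0/24 (the ACL name `labnet` is an assumption).

```python
# Added example: evaluate Squid http_access rules (first match wins) for a
# given client address. Supports only "acl NAME src CIDR..." and
# "http_access allow|deny NAME|all"; enough to compare the two configs below.
import ipaddress

# Configuration as written in the post: every client is allowed.
OPEN_PROXY_CONF = """\
http_access allow all
http_access deny all
"""

# Constructed variant: only the lab subnet may use the proxy (ACL name assumed).
RESTRICTED_CONF = """\
acl labnet src 20.0.0.0/24
http_access allow labnet
http_access deny all
"""

def parse_conf(text):
    """Return (acls, rules): acls maps ACL name -> list of networks,
    rules is the ordered list of (action, acl_name) from http_access lines."""
    acls, rules = {}, []
    for line in text.splitlines():
        parts = line.split('#', 1)[0].split()   # drop comments and blanks
        if not parts:
            continue
        if parts[0] == 'acl' and len(parts) >= 4 and parts[2] == 'src':
            acls.setdefault(parts[1], []).extend(
                ipaddress.ip_network(cidr, strict=False) for cidr in parts[3:])
        elif parts[0] == 'http_access' and len(parts) == 3:
            rules.append((parts[1], parts[2]))
    return acls, rules

def is_allowed(conf_text, client_ip):
    """Walk http_access lines in order; the first rule whose ACL matches
    decides. If no rule matches, Squid applies the opposite of the last
    rule's action; with no rules at all, access is denied."""
    acls, rules = parse_conf(conf_text)
    ip = ipaddress.ip_address(client_ip)
    for action, name in rules:
        if name == 'all' or any(ip in net for net in acls.get(name, [])):
            return action == 'allow'
    return bool(rules) and rules[-1][0] != 'allow'
```
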

2.5: Client configuration

  • The client's browser must be configured with the proxy server's address and port


2.6: Web server configuration

[root@web ~]# yum install httpd -y
[root@web ~]# systemctl start httpd
[root@web ~]# netstat -ntap | grep 80
[root@web ~]# cd /var/log/httpd/
[root@web httpd]# cat access_log   'view the access log'
  • Access the web server address from the client to generate log entries
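What the two logs show is the point of the experiment: the httpd access_log records the proxy's address 20.0.0.51, while Squid's own access.log still records the real client 20.0.0.20. The added example below (not from the original post) parses both formats and joins them by method and path so the real client behind each origin-server entry can be recovered; the log lines are constructed with the lab's addresses, and the second Squid line is a cache hit that never reaches the web server.

```python
# Added example: correlate Squid native access.log entries with httpd
# common-log entries. Sample lines are constructed for the lab topology
# (client 20.0.0.20, proxy 20.0.0.51, web server 20.0.0.52).
import re
from urllib.parse import urlsplit

SQUID_LOG = """\
1599382323.550    120 20.0.0.20 TCP_MISS/200 4897 GET http://20.0.0.52/ - HIER_DIRECT/20.0.0.52 text/html
1599382325.101      2 20.0.0.20 TCP_HIT/200 4897 GET http://20.0.0.52/ - HIER_NONE/- text/html
"""

HTTPD_LOG = """\
20.0.0.51 - - [06/Sep/2020:15:34:18 +0800] "GET / HTTP/1.1" 200 4897 "-" "Mozilla/5.0"
"""

# source ip, identd, user, [time], "METHOD path proto", status
HTTPD_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def parse_squid(text):
    """Return (client_ip, result_code, method, path) per native-format line:
    time, duration, client, result/status, bytes, method, url, user, peer, type."""
    out = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 7:
            continue
        out.append((f[2], f[3], f[5], urlsplit(f[6]).path or '/'))
    return out

def parse_httpd(text):
    """Return (source_ip, method, path) per common-log line."""
    out = []
    for line in text.splitlines():
        m = HTTPD_RE.match(line)
        if m:
            out.append((m.group(1), m.group(2), m.group(3)))
    return out

def correlate(squid_text, httpd_text):
    """For each web-server entry, list the real client addresses that asked
    the proxy for the same method and path. Cache hits (TCP_HIT) are skipped
    because the origin server never saw them."""
    squid = parse_squid(squid_text)
    result = []
    for src, method, path in parse_httpd(httpd_text):
        clients = sorted({c for c, res, m, p in squid
                          if m == method and p == path and not res.startswith('TCP_HIT')})
        result.append({'seen_by_web': src, 'real_clients': clients})
    return result
```
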


2.7: Transparent mode configuration

  • Schematic diagram


  • In transparent mode the client does not specify a proxy address and port, so remove the proxy settings that were configured in the client's browser earlier

  • Add a second network card to the Squid host (host-only mode in the VM settings) and configure its parameters
[root@localhost ~]# cd /etc/sysconfig/network-scripts/
[root@localhost network-scripts]# cp -p ifcfg-ens33 ifcfg-ens36
[root@localhost network-scripts]# vim ifcfg-ens36
IPADDR=20.0.10.1   'also change NAME and DEVICE in the copied file to ens36'
  • Enable routing and forwarding function
[root@localhost network-scripts]# vim /etc/sysctl.conf
net.ipv4.ip_forward=1
[root@localhost network-scripts]# sysctl -p
net.ipv4.ip_forward = 1
  • Configure Squid to support transparent proxy
[root@localhost network-scripts]# vim /etc/squid.conf
http_port 20.0.10.1:3128 transparent
[root@localhost network-scripts]# squid -k parse
  • Set up firewall rules
[root@localhost network-scripts]# iptables -t nat -I PREROUTING -i ens36 -s 20.0.10.0/24 -p tcp --dport 80 -j REDIRECT --to 3128  '80 is the HTTP port'
[root@localhost network-scripts]# iptables -t nat -I PREROUTING -i ens36 -s 20.0.10.0/24 -p tcp --dport 443 -j REDIRECT --to 3128   '443 is the HTTPS port (a plain transparent http_port does not terminate TLS, so these sessions are not served like HTTP)'
iptables -I INPUT -p tcp --dport 3128 -j ACCEPT   'only needed if it was not done before; this lab builds on the previous one, so it can be skipped here'
  • Reload service
[root@localhost network-scripts]# service squid reload
[root@localhost network-scripts]# netstat -ntap | grep squid
tcp        0      0 20.0.10.1:3128          0.0.0.0:*               LISTEN      47369/(squid-1)   
  • View web server logs

Origin blog.csdn.net/m0_47219942/article/details/108433500