Article Directory
1. Transparent proxy
1. Topological diagram
2. Environment
- The client does not need to specify the IP address or listening port of the proxy server: it behaves as if it were communicating directly with the public network. It does, however, have to use the proxy server's internal-network interface IP as its default gateway, so that its traffic passes through the proxy.
- Features: the proxy is transparent to users, that is, users are not aware that a firewall/proxy sits in the path. This mode is commonly used in front of a server cluster.
- In a pure (bridge-mode) transparent deployment the firewall works without an IP address on the path: none has to be assigned to it and users never learn one. The deployment below is the routed variant: the Squid host does have an address on each segment and acts as the clients' gateway, but clients still need no proxy settings of their own.
Advantages: it increases the security of the network and reduces the burden of client-side management, since nothing has to be configured in each browser.
3. Deployment operation
1. Open the browser settings page: Preferences > Advanced > Network > Connection Settings, and select "No proxy"
2. Stop the squid service
[root@squid ~]# systemctl stop squid    # stop the service
3. Turn on the routing (IP forwarding) function
[root@squid ~]# vi /etc/sysctl.conf
Add the line:
net.ipv4.ip_forward=1
[root@squid ~]# sysctl -p    # reload so the setting takes effect
4. On the client, point the default gateway at Squid's internal interface address on the client's own segment (192.168.1.10, the address Squid later listens on for clients)
[root@client ~]# vi /etc/sysconfig/network-scripts/ifcfg-ens33    # set GATEWAY=192.168.1.10
[root@client ~]# systemctl restart network
[root@client ~]# route -n    # check the routing table
5. Add a return route on web1 to the client segment via Squid's external interface (repeat on web2, which otherwise cannot answer the client's pings)
[root@web1 ~]# route add -net 192.168.1.0/24 gw 192.168.2.10
[root@web1 ~]# route -n
6. Test that the client can reach the web servers
[root@client ~]# ping 192.168.2.11
[root@client ~]# ping 192.168.2.12
Configure the transparent proxy on Squid
1. Edit the configuration file
[root@squid ~]# vi /etc/squid.conf
Change the listening line to:
http_port 192.168.1.10:3128 transparent    # address on which client requests are accepted
Squid 3.1 and later call this mode intercept; transparent is still accepted as a deprecated alias for it. (A Squid built from source under /usr/local/squid, which matches the log path used later on this page, keeps its configuration in /usr/local/squid/etc/squid.conf instead.)
[root@squid ~]# systemctl start squid    # start the squid service
[root@squid ~]# netstat -anpt | grep squid    # confirm that the port is listening
[root@squid ~]# iptables -F    # flush the filter table (this drops every existing filter rule on the host; the nat table is only flushed with -t nat -F)
[root@squid ~]# iptables -t nat -I PREROUTING -i ens33 -s 192.168.1.0/24 -p tcp --dport=80 -j REDIRECT --to 3128
# Insert a nat rule for inbound traffic: inbound interface ens33, source 192.168.1.0/24, protocol tcp, destination port 80, redirected to local port 3128
[root@squid ~]# iptables -t nat -I PREROUTING -i ens33 -s 192.168.1.0/24 -p tcp --dport=443 -j REDIRECT --to 3128
# Caveat: an http_port in transparent/intercept mode speaks plain HTTP only, so redirecting port 443 to it makes HTTPS fail rather than proxying it. Intercepting TLS needs an https_port with ssl-bump and clients that trust Squid's CA, which this page does not set up; leave this rule out unless that is in place.
[root@squid ~]# iptables -I INPUT -p tcp --dport=3128 -j ACCEPT    # let clients reach the redirected port (tighter: add -i ens33 -s 192.168.1.0/24 so only the client segment can reach it)
[root@squid ~]# iptables -t nat -L    # list the rules in the nat table
[root@squid ~]# iptables -L    # list the filter table chains and the rules in each
Before the client visits, make sure that the apache service on web1 and web2 has been started
web1
[root@web1 ~]# systemctl start httpd
[root@web1 ~]# curl http://localhost
<h1>This is Web1</h1>
web2
[root@web2 ~]# systemctl start httpd
[root@web2 ~]# curl http://localhost
<h1>This is Web2</h1>
Test: from the client's browser open
http://192.168.2.11
http://192.168.2.12
View the logs on the web servers
[root@web1 ~]# tail -f /var/log/httpd/access_log
[root@web2 ~]# tail -f /var/log/httpd/access_log
View the log on squid
[root@squid ~]# tail -f /usr/local/squid/var/logs/access.log
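The whole procedure above, as an added helper script that is not part of the original article: it emits (or, run as root without DRY_RUN=1, applies) the Squid-host steps, that is IP forwarding, the port-80 REDIRECT and an INPUT rule narrowed to the client interface and subnet, and it verifies a host from its ip_forward value, its squid.conf and its iptables-save output. The variable names LAN_IF, LAN_NET, SQUID_PORT and SQUID_CONF and the defaults are my own assumptions taken from the addresses on this page. Port 443 is deliberately not redirected, because an intercept http_port cannot terminate TLS, and the checker flags a 443 redirect to the plain port as an error.

```bash
#!/bin/bash
# Added example, not from the original article: apply or verify the routed transparent
# proxy built above. LAN_IF, LAN_NET, SQUID_PORT and SQUID_CONF are assumed names;
# defaults follow the article's addresses. Only tp_apply (without DRY_RUN=1) changes a live system.
set -u

LAN_IF="${LAN_IF:-ens33}"               # Squid's interface towards the clients
LAN_NET="${LAN_NET:-192.168.1.0/24}"    # client segment
SQUID_PORT="${SQUID_PORT:-3128}"        # port from the http_port ... intercept line

# Commands for the Squid host: enable forwarding, redirect client port-80 traffic to
# Squid, and accept that traffic only from the client interface and subnet.
# Port 443 is deliberately not redirected: an intercept http_port handles plain HTTP
# only, so TLS sent to it fails instead of being proxied.
tp_commands() {
  cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -I PREROUTING -i $LAN_IF -s $LAN_NET -p tcp --dport 80 -j REDIRECT --to-ports $SQUID_PORT
iptables -I INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport $SQUID_PORT -j ACCEPT
EOF
}

# DRY_RUN=1 tp_apply prints the commands; otherwise they run (as root) and stop on error.
tp_apply() {
  if [ "${DRY_RUN:-0}" = 1 ]; then tp_commands; else tp_commands | sh -e; fi
}

# tp_check_forward < /proc/sys/net/ipv4/ip_forward : success iff routing is enabled.
tp_check_forward() {
  [ "$(head -n 1)" = "1" ]
}

# tp_check_squid_conf < squid.conf : success iff an http_port line for SQUID_PORT is in
# intercept mode (the Squid 3.1+ keyword) or uses the deprecated alias "transparent".
tp_check_squid_conf() {
  grep -Eq "^[[:space:]]*http_port[[:space:]]+([0-9.]+:)?$SQUID_PORT([[:space:]]+[^[:space:]]+)*[[:space:]]+(intercept|transparent)([[:space:]]|$)"
}

# iptables-save | tp_check_nat : returns 0 if the port-80 REDIRECT to SQUID_PORT is present,
# 1 if it is missing, 2 if a port-443 REDIRECT to the same plain port is also present.
tp_check_nat() {
  local save
  save=$(cat)
  printf '%s\n' "$save" | grep -Eq "^-A PREROUTING .*-i $LAN_IF .*--dport 80 .*-j REDIRECT --to-ports $SQUID_PORT( |$)" || return 1
  printf '%s\n' "$save" | grep -Eq "^-A PREROUTING .*--dport 443 .*-j REDIRECT --to-ports $SQUID_PORT( |$)" && return 2
  return 0
}

# Run every check against the live host; prints one line per check.
tp_audit() {
  tp_check_forward < /proc/sys/net/ipv4/ip_forward && echo "ip_forward: ok" || echo "ip_forward: OFF"
  tp_check_squid_conf < "${SQUID_CONF:-/etc/squid.conf}" && echo "squid.conf: intercept ok" || echo "squid.conf: no intercept http_port"
  iptables-save 2>/dev/null | tp_check_nat
  case $? in
    0) echo "nat: ok" ;;
    1) echo "nat: port-80 REDIRECT missing" ;;
    2) echo "nat: 443 redirected to plain port (HTTPS will break)" ;;
  esac
}
```

Source the file on the Squid host and run `DRY_RUN=1 tp_apply` to review the commands before running `tp_apply` for real, then `tp_audit` to confirm the state; the INPUT rule it installs is narrower than the page's `--dport 3128 -j ACCEPT` because nothing outside the client segment has any business reaching the intercept port.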