Squid mainly provides the functions of cache acceleration and application layer filtering control.
1. Working mechanism
1. Instead of the client requesting data from the website, the real IP address of the user can be hidden.
2. Save the obtained web page data (static web elements) in the cache and send it to the client for a quick response the next time the same data is requested.
Two, the type of Squid proxy
Traditional agent:
For the Internet, you need to specify the address and port of the proxy server on the client.
Transparent proxy:
The client does not need to specify the address and port of the proxy server, but redirects Web access to the proxy server for processing through the default route and firewall policy.
Reverse proxy:
If the requested resource is cached in the Squid reverse proxy server, the requested resource will be returned directly to the client; otherwise, the reverse proxy server will request the resource from the backend WEB server, and then return the requested response to the client. At the same time, the response is cached locally for use by the next requester.
Three, experimental environment construction
Install Squid service
(1) Turn off the firewall
systemctl stop firewalld
systemctl disable firewalld
setenforce 0
(2) Compile and install Squid
yum -y install gcc gcc-c++ make
tar zxvf squid-3.5.28.tar.gz -C /opt/
cd /opt/squid-3.5.28
./configure --prefix=/usr/local/squid \
--sysconfdir=/etc \
--enable-arp-acl \
--enable-linux-netfilter \
--enable-linux-tproxy \
--enable-async-io=100 \
--enable-err-language="Simplify_Chinese" \
--enable-underscore \
--enable-poll \
--enable-gnuregex
make && make install
ln -s /usr/local/squid/sbin/* /usr/local/sbin/ #squid放入环境变量
useradd -M -s /sbin/nologin squid
chown -R squid:squid /usr/local/squid/var/ #创建squid属主以属于组
(3) Modify Squid's configuration file
----56行插入----
http_access allow all #放在 http_access deny all 之前,允许任意客户机使用代理服务
http_access deny all
http_port 3128 #用来指定代理服务监听的地址和端口(默认的端口号为 3128)
----61行插入----
cache_effective_user squid #添加,指定程序用户,用来设置初始化、运行时缓存的账号,否则启动不成功
cache_effective_group squid #添加,指定账号基本组
----68行修改----
coredump_dir /usr/local/squid/var/cache/squid #指定缓存文件目录
(4) Squid operation control
#检查配置文件语法是否正确
squid -k parse
#启动 Squid
squid –z #-z 选项用来初始化缓存目录
squid #启动 squid 服务
netstat -anpt | grep "squid"
(5) Create Squid service script
vim /etc/init.d/squid
#!/bin/bash
#chkconfig: 2345 90 25
PID="/usr/local/squid/var/run/squid.pid"
CONF="/etc/squid.conf"
CMD="/usr/local/squid/sbin/squid"
case "$1" in
start)
netstat -natp | grep squid &> /dev/null
if [ $? -eq 0 ]
then
echo "squid is running"
else
echo "正在启动 squid..."
$CMD
fi
;;
stop)
$CMD -k kill &> /dev/null
rm -rf $PID &> /dev/null
;;
status)
[ -f $PID ] &> /dev/null
if [ $? -eq 0 ]
then
netstat -natp | grep squid
else
echo "squid is not running"
fi
;;
restart)
$0 stop &> /dev/null
echo "正在关闭 squid..."
$0 start &> /dev/null
echo "正在启动 squid..."
;;
reload)
$CMD -k reconfigure
;;
check)
$CMD -k parse
;;
*)
echo "用法:$0{start|stop|status|reload|check|restart}"
;;
esac
2345 is the default self-start level, if yes-means no self-start at any level; 90 is the start priority, 25 is the stop priority, and the priority range is 0-100. The higher the number, the lower the priority.
chmod +x /etc/init.d/squid
chkconfig --add squid
chkconfig --level 35 squid on
Build a traditional proxy server
vim /etc/squid.conf
http_access allow all
http_access deny all
http_port 3128
cache_effective_user squid
cache_effective_group squid
--63行--插入
cache_mem 64 MB #指定缓存功能所使用的内存空间大小,便于保持访问较频繁的WEB对象,容量最好为4的倍数,单位为MB,建议设为物理内存的1/4
reply_body_max_size 10 MB #允许用户下载的最大文件大小,以字节为单位,当下载超过指定大小的Web对象时,浏览器的报错页面中会出现“请求或访问太大”的提示默认设置0表示不进行限制
maximum_object_size 4096 KB #允许保存到缓存空间的最大对象大小,以KB为单位,超过大小限制的文件将不被缓存,而是直接转发给用户
service squid restart 或者 systemctl restart squid
The firewall rules need to be modified in the production environment
iptables -F
iptables -I INPUT -p tcp --dport 3128 -j ACCEPT
Client proxy configuration
Open the browser, Tools -> Internet Options -> Connection -> LAN Settings -> Turn on the proxy server (address: Squid server IP address, port: 3128)
Note: The accessed wb server needs to have HTTP service.
View the new record of Squid access log
tail -f /usr/local/squid/var/logs/access.log
Build a transparent proxy server
(1) URL setting
Squid服务器:双网卡,内网ens33:192.168.90.10 外网ens36:12.0.0.1
Web 服务器:12.0.0.12
客户机:192.168.90.100
(2) Squid server configuration
vim /etc/squid.conf
http_access allow all
http_access deny all
----60行修改----
修改添加提供内网服务的IP地址,和支持透明代理选项 transparent
http_port 192.168.126.10:3128 transparent
systemctl restart squid
(3) Turn on routing forwarding to realize address forwarding of different network segments in this machine
echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
sysctl -p
修改防火墙规则
iptables -F
iptables -t nat -F
iptables -t nat -I PREROUTING -i ens33 -s 192.168.90.0/24 -p tcp --dport 126 -j REDIRECT --to 3128 #用于转发http协议
iptables -t nat -I PREROUTING -i ens33 -s 192.168.90.0/24 -p tcp --dport 443 -j REDIRECT --to 3128 #用于转发https协议
iptables -I INPUT -p tcp --dport 3128 -j ACCEPT
(4) Web server configuration
yum install -y httpd
systemctl start httpd
Visit http://12.0.0.12 after turning off the proxy server function previously set in the client's browser
Four, ACL access control
In the configuration file squid.conf, ACL access control is achieved through the following two steps:
(1) Use the acl configuration item to define the conditions that need to be controlled;
(2) Use the http_access configuration item to "allow" or "allow" the defined list Access control denied.
1. Define an access control list
格式:
acl 列表名称 列表类型 列表内容 …
vim /etc/squid.conf
......
acl localhost src 192.168.90.10/32 #源地址为 192.168.90.10
acl MYLAN src 192.168.90.0/24 192.168.1.0/24 #客户机网段
acl destionhost dst 192.168.90.13/32 #目标地址为 192.168.90.13
acl MC20 maxconn 20 #最大并发连接 20
acl PORT port 21 #目标端口 21
acl DMBLOCK dstdomain .qq.com #目标域,匹配域内所有站点
acl BURL url_regex -i ^rtsp:// ^emule:// #以 rtsp://、emule:// 开头的 URL,-i表示忽略大小写
acl PURL urlpath_regex -i \.mp3$ \.mp4$ \.rmvb$ #以 .mp3、.mp4、.rmvb 结尾的 URL 路径
acl WORKTIME time MTWHF 08:30-17:30 #时间为周一至周五 8:30~17:30,“MTWHF”为每个星期的英文首字母
2. Start object list management
mkdir /etc/squid
vim /etc/squid/dest.list
192.168.90.20 #配置允许或者拒绝的ip地址,是web服务器的地址
192.168.1.0/24
Note: Remember to configure the proxy when doing ACL
vim /etc/squid.conf
......
acl destionhost dst "/etc/squid/dest.list" #调用指定文件中的列表内容
......
http_access deny(或allow) destionhost #注意,如果是拒绝列表,需要放在http_access allow all前面
service squid reload #重载一下配置
Five, Squid log analysis
1. Install the image processing software package
yum install -y pcre-devel gd gd-devel
mkdir /usr/local/sarg
tar zxvf sarg-2.3.7.tar.gz -C /opt/
cd /opt/sarg-2.3.7
./configure --prefix=/usr/local/sarg --sysconfdir=/etc/sarg --enable-extraprotection
make && make install
./configure --prefix=/usr/local/sarg
–sysconfdir=/etc/sarg \ #配置文件目录,默认是/usr/loca/etc
–enable-extraprotection #额外安全防护
2. Modify the configuration file
vim /etc/sarg/sarg.conf
--7行--取消注释
access_log /usr/local/squid/var/logs/access.log #指定访问日志文件
--25行--取消注释
title "Squid User Access Reports" #网页标题
--120行--取消注释
output_dir /var/www/html/sarg #报告输出目录
--178行--取消注释
user_ip no #使用用户名显示
--184行--取消注释,修改
topuser_sort_field connect reverse #top排序中,指定连接次数采用降序排列,升序是normal
--190行--取消注释,修改
user_sort_field connect reverse #对于用户访问记录,连接次数按降序排序
--206行--取消注释,修改
exclude_hosts /usr/local/sarg/noreport #指定不计入排序的站点列表的文件
--257行--取消注释
overwrite_report no #同名同日期的日志是否覆盖
--289行--取消注释,修改
mail_utility mailq.postfix #发送邮件报告命令
--434行--取消注释,修改
charset UTF-8 #指定字符集UTF-8
--518行--取消注释
weekdays 0-6 #top排行的星期周期
--525行--取消注释
hours 0-23 #top排行的时间周期
--633行--取消注释
www_document_root /var/www/html
3. Start verification
#添加不计入站点文件,添加的域名将不被显示在排序中
touch /usr/local/sarg/noreport
ln -s /usr/local/sarg/bin/sarg /usr/local/bin
sarg --help
运行
sarg #启动一次记录
Six, Squid reverse proxy
If the requested resource is cached in the Squid reverse proxy server, the requested resource will be returned directly to the client; otherwise, the reverse proxy server will request the resource from the backend Web server, and then return the requested response to the client. At the same time, the response is cached locally for use by the next requester.
1. Working mechanism
- Cache web page objects to reduce repeated requests
- Rotate Internet requests or distribute them to intranet Web servers according to weight
- Proxy user requests, avoid users directly accessing the Web server, and improve security
2. Modify the configuration file
vim /etc/squid.conf
......
--60行--修改,插入
http_port 192.168.90.10:80 accel vhost vport
cache_peer 192.168.90.20 parent 80 0 no-query originserver round-robin max_conn=30 weight=1 name=web1
cache_peer 192.168.90.40 parent 80 0 no-query originserver round-robin max_conn=30 weight=1 name=web2
cache_peer_domain web1 web2 www.benet.com
#表示对www.chenwei.com的请求,squid向192.168.126.11和192.168.126.12的80端口发出请求
3. Back-end wb server settings
yum install -y httpd
systemctl start httpd
wb1配置:
echo "this is benet" >> /var/www/html/index.html
wb2配置:
echo "this is accp" >> /var/www/html/index.html
4. The domain name mapping configuration of the client
修改 C:\Windows\System32\drivers\etc\hosts 文件
192.168.126.10 www.chenwei.com
5. Client proxy configuration
Open the browser, Tools -> Internet Options -> Connection -> LAN Settings -> Turn on the proxy server (address: Squid server IP address, port: 80)
Client visit www.benet.com, and then refresh