Squid proxy server: detailed deployment

Squid mainly provides two functions: cache acceleration and application-layer filtering and access control.

1. Working mechanism

1. The proxy requests data from the website on behalf of the client, so the user's real IP address is hidden from the site.
2. Retrieved web page data (static web elements) is kept in the cache and served to the client directly the next time the same data is requested, giving a faster response.

2. Types of Squid proxy

Traditional proxy:
To reach the Internet, the client must be configured with the address and port of the proxy server.

Transparent proxy:
The client does not need to know the address and port of the proxy server; its Web traffic is redirected to the proxy by the default route and firewall policy.

Reverse proxy:
If the requested resource is already cached on the Squid reverse proxy server, it is returned directly to the client; otherwise the reverse proxy requests the resource from the backend Web server, returns the response to the client, and at the same time caches the response locally for the next requester.

3. Experimental environment setup

Install Squid service

(1) Turn off the firewall

systemctl stop firewalld
systemctl disable firewalld
setenforce 0        # put SELinux into permissive mode

(2) Compile and install Squid

yum -y install gcc gcc-c++ make
tar zxvf squid-3.5.28.tar.gz -C /opt/
cd /opt/squid-3.5.28
./configure --prefix=/usr/local/squid \
--sysconfdir=/etc \
--enable-arp-acl \
--enable-linux-netfilter \
--enable-linux-tproxy \
--enable-async-io=100 \
--enable-err-language="Simplify_Chinese" \
--enable-underscore \
--enable-poll \
--enable-gnuregex
make && make install

ln -s /usr/local/squid/sbin/* /usr/local/sbin/    # put the squid commands on the PATH

useradd -M -s /sbin/nologin squid                 # program user with no home directory and no login shell

chown -R squid:squid /usr/local/squid/var/        # make the squid user and group own the runtime/cache directory

(3) Modify Squid's configuration file

---- insert at line 56 ----
http_access allow all        # place before http_access deny all; allows any client to use the proxy service
http_access deny all
http_port 3128               # address and port the proxy listens on (the default port is 3128)

---- insert at line 61 ----
cache_effective_user squid   # add: the user account used to initialise and run the cache; squid will not start without it
cache_effective_group squid  # add: the primary group of that account

---- modify line 68 ----
coredump_dir /usr/local/squid/var/cache/squid    # cache file directory


(4) Squid operation control

# check the configuration file syntax
squid -k parse

# start Squid
squid -z        # -z initialises the cache directories
squid           # start the squid service

netstat -anpt | grep "squid"

(5) Create Squid service script

vim /etc/init.d/squid
#!/bin/bash
#chkconfig: 2345 90 25
PID="/usr/local/squid/var/run/squid.pid"
CONF="/etc/squid.conf"
CMD="/usr/local/squid/sbin/squid"

case "$1" in
   start)
     netstat -natp | grep squid &> /dev/null
     if [ $? -eq 0 ]
     then
       echo "squid is running"
     else
       echo "Starting squid..."
       $CMD
     fi
   ;;
   stop)
     $CMD -k kill &> /dev/null
     rm -rf $PID &> /dev/null
   ;;
   status)
     [ -f $PID ] &> /dev/null
     if [ $? -eq 0 ]
     then
       netstat -natp | grep squid
     else
       echo "squid is not running"
     fi
   ;;
   restart)
     $0 stop &> /dev/null
     echo "Stopping squid..."
     $0 start &> /dev/null
     echo "Starting squid..."
   ;;
   reload)
     $CMD -k reconfigure
   ;;
   check)
     $CMD -k parse
   ;;
   *)
     echo "Usage: $0 {start|stop|status|reload|check|restart}"
   ;;
esac

In the chkconfig line, 2345 are the runlevels at which the service starts automatically by default; a "-" in that position means it does not auto-start at any runlevel. 90 is the start priority and 25 the stop priority; the priority range is 0-100, and the higher the number, the lower the priority.

chmod +x /etc/init.d/squid
chkconfig --add squid
chkconfig --level 35 squid on

Build a traditional proxy server

vim /etc/squid.conf
http_access allow all
http_access deny all
http_port 3128
cache_effective_user squid
cache_effective_group squid

-- line 63 -- insert
cache_mem 64 MB                  # memory used by the cache to hold frequently accessed Web objects; best a multiple of 4, in MB; 1/4 of physical RAM is recommended
reply_body_max_size 10 MB        # largest file a user may download; above this the browser shows a "request or access too large" error page; the default 0 means no limit
maximum_object_size 4096 KB      # largest object that may be stored in the cache, in KB; larger files are not cached but forwarded directly to the user

service squid restart    # or: systemctl restart squid

In a production environment the firewall rules should be adjusted rather than the firewall disabled:

iptables -F                                         # flushes all existing filter rules first
iptables -I INPUT -p tcp --dport 3128 -j ACCEPT     # allow clients to reach the proxy port

Client proxy configuration

Open the browser, Tools -> Internet Options -> Connection -> LAN Settings -> Turn on the proxy server (address: Squid server IP address, port: 3128)

Note: the Web server being accessed must be running an HTTP service.
View the new record of Squid access log

tail -f /usr/local/squid/var/logs/access.log

Build a transparent proxy server
(1) Address planning

Squid server: two NICs, intranet ens33: 192.168.90.10, external ens36: 12.0.0.1
Web server: 12.0.0.12
Client: 192.168.90.100

(2) Squid server configuration

vim /etc/squid.conf

http_access allow all
http_access deny all

---- modify line 60 ----
# change the listening address to the intranet IP that serves the clients and add the transparent proxy option
http_port 192.168.90.10:3128 transparent

systemctl restart squid

(3) Enable IP forwarding so that this machine routes between the two network segments

echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
sysctl -p

Modify the firewall rules
iptables -F
iptables -t nat -F
iptables -t nat -I PREROUTING -i ens33 -s 192.168.90.0/24 -p tcp --dport 80 -j REDIRECT --to 3128     # redirect HTTP traffic to Squid
iptables -t nat -I PREROUTING -i ens33 -s 192.168.90.0/24 -p tcp --dport 443 -j REDIRECT --to 3128    # redirect HTTPS traffic to Squid
iptables -I INPUT -p tcp --dport 3128 -j ACCEPT

(4) Web server configuration

yum install -y httpd
systemctl start httpd

Visit http://12.0.0.12 after turning off the proxy server function previously set in the client's browser

4. ACL access control

In the configuration file squid.conf, ACL access control is set up in two steps:
(1) use acl entries to define the conditions to be controlled;
(2) use http_access entries to allow or deny access for the lists defined in step (1).

1. Define an access control list

Format:
acl list_name list_type list_content ...

vim /etc/squid.conf
......
acl localhost src 192.168.90.10/32                  # source address is 192.168.90.10
acl MYLAN src 192.168.90.0/24 192.168.1.0/24        # client network segments
acl destionhost dst 192.168.90.13/32                # destination address is 192.168.90.13
acl MC20 maxconn 20                                 # at most 20 concurrent connections
acl PORT port 21                                    # destination port 21
acl DMBLOCK dstdomain .qq.com                       # destination domain; matches every site within the domain
acl BURL url_regex -i ^rtsp:// ^emule://            # URLs beginning with rtsp:// or emule://; -i ignores case
acl PURL urlpath_regex -i \.mp3$ \.mp4$ \.rmvb$     # URL paths ending in .mp3, .mp4 or .rmvb
acl WORKTIME time MTWHF 08:30-17:30                 # Monday to Friday 08:30-17:30; "MTWHF" are the initials of the weekdays

2. Managing object lists

mkdir /etc/squid
vim /etc/squid/dest.list
192.168.90.20             # IP addresses to allow or deny; here the Web server's address
192.168.1.0/24

Note: remember to configure the proxy on the client when testing the ACLs.

vim /etc/squid.conf
......
acl destionhost dst "/etc/squid/dest.list"          # load the list contents from the given file
......
http_access deny destionhost                        # or allow; note that a deny rule must be placed before http_access allow all
service squid reload                                # reload the configuration
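As an added example (not part of the original post), the Python script below reproduces Squid's http_access evaluation order for the src, dst and dstdomain ACL types used above and shows why a deny rule placed after `http_access allow all` never takes effect. The ACL names reuse the page's; the configuration fragment, addresses and requests are constructed for the demonstration.

```python
import ipaddress
from urllib.parse import urlparse

# Constructed squid.conf fragment (not the page's file). The deny rules sit
# after "allow all", which is exactly the ordering mistake the page warns about.
BAD_CONF = """
acl MYLAN src 192.168.90.0/24 192.168.1.0/24
acl destionhost dst 192.168.90.20/32
acl DMBLOCK dstdomain .qq.com
http_access allow all
http_access deny destionhost
http_access deny DMBLOCK
http_access deny !MYLAN
"""
# The same rules with the deny list moved in front of "allow all".
GOOD_CONF = BAD_CONF.replace("http_access allow all\n", "") + "http_access allow all\n"
def parse_conf(text):
    """Collect acl definitions and http_access rules in file order."""
    acls, rules = {}, []
    for line in text.splitlines():
        parts = line.split("#")[0].split()
        if parts and parts[0] == "acl":
            acls[parts[1]] = (parts[2], parts[3:])
        elif parts and parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return acls, rules

def acl_matches(acls, name, req):
    """Match one ACL against a request dict with src, dst and url keys."""
    if name == "all":
        return True
    kind, values = acls[name]
    if kind in ("src", "dst"):
        ip = ipaddress.ip_address(req[kind])
        return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    if kind == "dstdomain":   # ".qq.com" covers qq.com and all of its subdomains
        host = urlparse(req["url"]).hostname or ""
        return any(host == v.lstrip(".") or (v[0] == "." and host.endswith(v)) for v in values)
    raise ValueError("unsupported acl type: " + kind)
def http_access(conf, req):
    """First matching rule wins; with no match, the opposite of the last rule applies; '!' negates."""
    acls, rules = parse_conf(conf)
    for action, names in rules:
        if all(acl_matches(acls, n.lstrip("!"), req) != n.startswith("!") for n in names):
            return action
    return "deny" if rules and rules[-1][0] == "allow" else "allow"
REQ = {"src": "192.168.90.100", "dst": "192.168.90.20", "url": "http://192.168.90.20/"}
print(http_access(BAD_CONF, REQ), http_access(GOOD_CONF, REQ))  # allow deny
```

With BAD_CONF even a client outside MYLAN is accepted, because `allow all` matches first; the corrected order denies it.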


5. Squid log analysis

1. Install the image-processing packages and compile SARG

yum install -y pcre-devel gd gd-devel

mkdir /usr/local/sarg
tar zxvf sarg-2.3.7.tar.gz -C /opt/
cd /opt/sarg-2.3.7
./configure --prefix=/usr/local/sarg --sysconfdir=/etc/sarg --enable-extraprotection
make && make install


Meaning of the configure options:
./configure --prefix=/usr/local/sarg \    # installation directory
--sysconfdir=/etc/sarg \                  # configuration file directory (the default is /usr/local/etc)
--enable-extraprotection                  # extra security protection

2. Modify the configuration file

vim /etc/sarg/sarg.conf
-- line 7 -- uncomment
access_log /usr/local/squid/var/logs/access.log     # access log file to analyse
-- line 25 -- uncomment
title "Squid User Access Reports"                   # report page title
-- line 120 -- uncomment
output_dir /var/www/html/sarg                       # report output directory
-- line 178 -- uncomment
user_ip no                                          # show user names instead of IP addresses
-- line 184 -- uncomment and modify
topuser_sort_field connect reverse                  # sort the top-user ranking by connection count, descending (normal = ascending)
-- line 190 -- uncomment and modify
user_sort_field connect reverse                     # sort each user's access records by connection count, descending
-- line 206 -- uncomment and modify
exclude_hosts /usr/local/sarg/noreport              # file listing sites that are left out of the ranking
-- line 257 -- uncomment
overwrite_report no                                 # whether a report with the same name and date is overwritten
-- line 289 -- uncomment and modify
mail_utility mailq.postfix                          # command used to e-mail reports
-- line 434 -- uncomment and modify
charset UTF-8                                       # character set UTF-8
-- line 518 -- uncomment
weekdays 0-6                                        # weekdays covered by the top ranking
-- line 525 -- uncomment
hours 0-23                                          # hours covered by the top ranking
-- line 633 -- uncomment
www_document_root /var/www/html                     # web root under which the reports are published

3. Start and verify

# create the exclusion file; domains listed in it are left out of the ranking
touch /usr/local/sarg/noreport

ln -s /usr/local/sarg/bin/sarg /usr/local/bin
sarg --help

Run it
sarg            # generate one report
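An added example (not from the original post and not SARG's own code) that parses access.log lines in Squid's native format, the file shown by the tail command earlier, and produces the per-client summary this SARG configuration asks for: sorted by connection count in descending order (`topuser_sort_field connect reverse`), with an exclude-hosts list and a count of TCP_DENIED requests blocked by http_access. The log lines are constructed; the addresses reuse the lab's.

```python
from collections import defaultdict
from urllib.parse import urlparse

# Constructed access.log lines in Squid's native format (not captured from the page's lab):
# timestamp elapsed_ms client result_code/status bytes method URL user hierarchy/peer mime_type
SAMPLE_LOG = """\
1614000001.101   245 192.168.90.100 TCP_MISS/200 1523 GET http://12.0.0.12/index.html - HIER_DIRECT/12.0.0.12 text/html
1614000002.202    12 192.168.90.100 TCP_HIT/200 1523 GET http://12.0.0.12/index.html - HIER_NONE/- text/html
1614000003.303   310 192.168.1.20 TCP_MISS/200 88211 GET http://www.benet.com/big.mp4 - FIRSTUP_PARENT/192.168.90.20 video/mp4
1614000004.404     0 192.168.1.20 TCP_DENIED/403 3821 GET http://www.qq.com/ - HIER_NONE/- text/html
1614000005.505   150 192.168.90.100 TCP_MISS/200 512 GET http://www.benet.com/ - ROUND_ROBIN_PARENT/192.168.90.40 text/html
"""

def parse_line(line):
    """Split one native-format line into a dict; return None for short or garbled lines."""
    f = line.split(None, 9)
    if len(f) < 10:
        return None
    code, _, status = f[3].partition("/")
    return {"ts": float(f[0]), "ms": int(f[1]), "client": f[2], "code": code,
            "status": int(status), "bytes": int(f[4]), "method": f[5], "url": f[6],
            "user": f[7], "peer": f[8].partition("/")[2], "mime": f[9]}

def report(log_text, exclude_hosts=()):
    """Per-client totals sorted by connection count, descending (the page's
    'topuser_sort_field connect reverse'); hosts in exclude_hosts are skipped,
    like SARG's exclude_hosts file."""
    per = defaultdict(lambda: {"connect": 0, "bytes": 0, "denied": 0, "sites": set()})
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        host = urlparse(rec["url"]).hostname or ""
        if host in exclude_hosts:
            continue
        row = per[rec["client"]]
        row["connect"] += 1
        row["bytes"] += rec["bytes"]
        row["denied"] += rec["code"] == "TCP_DENIED"   # requests blocked by http_access
        row["sites"].add(host)
    return sorted(per.items(), key=lambda item: item[1]["connect"], reverse=True)

def cache_hit_ratio(log_text):
    """Share of requests served from the cache (TCP_HIT, TCP_MEM_HIT, ...)."""
    recs = [r for r in map(parse_line, log_text.splitlines()) if r]
    return sum("HIT" in r["code"] for r in recs) / len(recs) if recs else 0.0

if __name__ == "__main__":
    for client, row in report(SAMPLE_LOG):
        print(client, row["connect"], row["bytes"], row["denied"], sorted(row["sites"]))
```

Point the same functions at the real /usr/local/squid/var/logs/access.log to get the ranking without generating a full SARG report.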


6. Squid reverse proxy

If the requested resource is cached in the Squid reverse proxy server, the requested resource will be returned directly to the client; otherwise, the reverse proxy server will request the resource from the backend Web server, and then return the requested response to the client. At the same time, the response is cached locally for use by the next requester.

1. Working mechanism

  • Cache web page objects to reduce repeated requests
  • Distribute Internet requests to the intranet Web servers in round-robin order or according to weight
  • Proxy user requests, avoid users directly accessing the Web server, and improve security

2. Modify the configuration file

vim /etc/squid.conf
......

-- line 60 -- modify and insert
http_port 192.168.90.10:80 accel vhost vport
cache_peer 192.168.90.20 parent 80 0 no-query originserver round-robin max_conn=30 weight=1 name=web1
cache_peer 192.168.90.40 parent 80 0 no-query originserver round-robin max_conn=30 weight=1 name=web2
cache_peer_domain web1 web2 www.benet.com
# requests for www.benet.com are sent by Squid to port 80 on 192.168.90.20 and 192.168.90.40, in round-robin order

3. Back-end Web server settings

yum install -y httpd

systemctl start httpd

Web server 1 configuration:
echo "this is benet" >> /var/www/html/index.html

Web server 2 configuration:
echo "this is accp" >> /var/www/html/index.html

4. Domain name mapping on the client

Edit the C:\Windows\System32\drivers\etc\hosts file on the client and map the site name to the Squid server's address:
192.168.90.10 www.benet.com

5. Client proxy configuration

Open the browser, Tools -> Internet Options -> Connection -> LAN Settings -> Turn on the proxy server (address: Squid server IP address, port: 80)


On the client, visit www.benet.com, then refresh the page.


Origin blog.csdn.net/weixin_51468875/article/details/114027201