Squid proxy server deployment
1. Squid proxy server
Squid mainly provides the functions of cache acceleration and application layer filtering control.
1. Working mechanism of the proxy
The proxy requests data from the website on behalf of the client, so the user's real IP address is hidden from the site.
The web page data it obtains (static web elements) is saved in its cache and sent to the client directly the next time the same data is requested, giving a fast response.
2. Types of Squid proxy:
Traditional proxy: suitable for Internet access; the proxy server's address and port must be configured on the client.
Transparent proxy: the client does not need to know the proxy server's address and port; Web access is redirected to the proxy server by the default route and a firewall policy.
Reverse proxy: if the requested resource is in the Squid reverse proxy's cache, it is returned to the client directly; otherwise the reverse proxy fetches the resource from the backend WEB server, returns the response to the client, and also caches it locally for the next requester.
2. Install the Squid service
Software packages used:
squid-3.5.28.tar.gz
sarg-2.3.7.tar.gz
Package link:
Extraction code: j2ev
Turn off the firewall first
systemctl stop firewalld
systemctl disable firewalld
setenforce 0
1. Compile and install Squid
yum -y install gcc gcc-c++ make
cd /opt
tar zxvf squid-3.5.28.tar.gz
cd /opt/squid-3.5.28
./configure --prefix=/usr/local/squid \
--sysconfdir=/etc \
--enable-arp-acl \
--enable-linux-netfilter \
--enable-linux-tproxy \
--enable-async-io=100 \
--enable-err-language="Simplify_Chinese" \
--enable-underscore \
--disable-poll \
--enable-epoll \
--enable-gnuregex
make && make install
#-------- Option explanation --------------------------------------------------
--prefix=/usr/local/squid #installation directory
--sysconfdir=/etc #directory of the configuration file
--enable-arp-acl #MAC-address based ACLs, to stop clients from using IP spoofing
--enable-linux-netfilter #use the kernel's netfilter for filtering
--enable-linux-tproxy #support transparent mode
--enable-async-io=100 #asynchronous I/O, improves cache storage performance
--enable-err-language="Simplify_Chinese" #language of the error pages
--enable-underscore #allow underscores in URLs
--disable-poll #disable the default poll mode
--enable-epoll #enable epoll mode for better performance
--enable-gnuregex #use GNU regular expressions
#----------------------------------------------------------------
ln -s /usr/local/squid/sbin/* /usr/local/sbin/
useradd -M -s /sbin/nologin squid
chown -R squid:squid /usr/local/squid/var/
#/usr/local/squid/var/ is the directory that holds the cache files
2. Modify Squid's configuration file
vim /etc/squid.conf
......
#--------- line 56, insert ----------------
http_access allow all #put this before http_access deny all; it allows any client to use the proxy. Control rules are matched top to bottom
http_access deny all
http_port 3128 #address and port the proxy service listens on (the default port is 3128)
#--------- line 61, insert -----------------
cache_effective_user squid #add: the program user used to initialise and run the cache; without it the service does not start
cache_effective_group squid #add: the account's primary group
coredump_dir /usr/local/squid/var/cache/squid #cache file directory
3. Squid operation control
Check that the configuration file syntax is correct
squid -k parse
Start Squid; the cache directory is initialised automatically the first time the squid service is started
squid -z #the -z option initialises the cache directory
squid #start the squid service
netstat -anpt | grep "squid"
4. Create Squid service script
vim /etc/init.d/squid
#!/bin/bash
#chkconfig: 2345 90 25
PID="/usr/local/squid/var/run/squid.pid"
CONF="/etc/squid.conf"
CMD="/usr/local/squid/sbin/squid"
case "$1" in
start)
    # treat squid as running if it already holds a socket
    netstat -natp | grep squid &> /dev/null
    if [ $? -eq 0 ]
    then
        echo "squid is running"
    else
        echo "正在启动 squid..."
        $CMD
    fi
    ;;
stop)
    $CMD -k kill &> /dev/null
    rm -rf $PID &> /dev/null
    ;;
status)
    # the pid file only exists while squid is running
    [ -f $PID ] &> /dev/null
    if [ $? -eq 0 ]
    then
        netstat -natp | grep squid
    else
        echo "squid is not running"
    fi
    ;;
restart)
    $0 stop &> /dev/null
    echo "正在关闭 squid..."
    $0 start &> /dev/null
    echo "正在启动 squid..."
    ;;
reload)
    # re-read /etc/squid.conf without stopping the service
    $CMD -k reconfigure
    ;;
check)
    # syntax check of the configuration file
    $CMD -k parse
    ;;
*)
    echo "用法:$0 {start|stop|status|reload|check|restart}"
    ;;
esac
Note: 2345 are the run levels in which the service starts automatically by default; a "-" in that position means it does not start automatically at any level. 90 is the start priority and 25 the stop priority; the priority range is 0-100, and the larger the number, the lower the priority.
chmod +x /etc/init.d/squid
chkconfig --add squid
chkconfig --level 35 squid on
#check in which run levels the squid service starts automatically
chkconfig --list squid
3. Build a traditional proxy server
Environment setup:
Host | Operating system | IP address | Software, installation packages, tools
---|---|---|---
Squid-Server | CentOS 7 | 192.168.2.4 | squid-3.5.28.tar.gz
Web-Server | CentOS 7 | 192.168.2.6 | httpd
Client | Windows 10 | 192.168.2.20 |
Squid-Server: 192.168.2.4
1. First compile and install squid, and then modify the configuration file
vim /etc/squid.conf
......
http_access allow all
http_access deny all
http_port 3128
cache_effective_user squid
cache_effective_group squid
#--------- line 63, insert -----------------------------------------------
cache_mem 64 MB
reply_body_max_size 10 MB
maximum_object_size 4096 KB
#--------- explanation of the added lines ------------------------------------------
cache_mem 64 MB #memory used by the cache to keep frequently accessed WEB objects; ideally a multiple of 4, in MB; about 1/4 of physical memory is recommended
reply_body_max_size 10 MB #largest file a user is allowed to download, in bytes; when a larger Web object is downloaded the browser's error page says "request or access too large". The default 0 means no limit
maximum_object_size 4096 KB #largest object that may be saved in the cache, in KB; larger files are not cached but forwarded directly to the user
#-------------------------------------------------------------------
service squid restart
#or: systemctl restart squid
2. The firewall rules need to be modified in the production environment
iptables -F
iptables -I INPUT -p tcp --dport 3128 -j ACCEPT
iptables -L INPUT
Web-Server:192.168.2.6
systemctl stop firewalld.service
systemctl disable firewalld.service
setenforce 0
yum -y install httpd
systemctl start httpd
netstat -natp | grep 80
Client: 192.168.2.20
1. First configure the client IP address
2. Open the browser and configure the proxy function
Process: Open the IE browser, Tools -> Internet Options -> Connection -> LAN Settings -> Turn on the proxy server (Address: Squid server IP address, port: 3128)
Verification result:
Squid-Server: 192.168.2.4
View the new records in the Squid access log
tail -f /usr/local/squid/var/logs/access.log
Web-Server: 192.168.2.6
View the new records in the Web-Server access log
tail -f /var/log/httpd/access_log
Client: 192.168.2.20
Enter the web server's IP address in the browser and then check the web server's access log: it shows that the proxy server is making the request on the client's behalf.
http://192.168.2.6
4. Build a transparent proxy server
Environment setup:
Host | Operating system | IP address | Software, installation packages, tools
---|---|---|---
Squid-Server | CentOS 7 | ens33: 192.168.2.4, ens37: 12.0.0.1 | squid-3.5.28.tar.gz
Web-Server | CentOS 7 | 12.0.0.12 | httpd
Client | Windows 10 | 192.168.2.20 |
Squid-Server (ens33: 192.168.2.4, ens37: 12.0.0.1)
1. Shut the VM down and add a second network card; make sure the two network cards are attached to different virtual networks
2. Configure the IP address and subnet mask for each of the two network cards
cd /etc/sysconfig/network-scripts/
vim ifcfg-ens33
IPADDR=192.168.2.4
NETMASK=255.255.255.0
cp ifcfg-ens33 ifcfg-ens37
vim ifcfg-ens37
IPADDR=12.0.0.1
NETMASK=255.255.255.0
systemctl restart network
ifconfig
3. Squid is already installed (if you install it from yum, set up the yum source first); the installation follows the steps above, so only the configuration file is modified here
vim /etc/squid.conf
......
http_access allow all
http_access deny all
#------ line 60: change the listening address to the IP address that serves the internal network, and add the transparent proxy option transparent
http_port 192.168.2.4:3128 transparent
systemctl restart squid
netstat -natp | grep 3128
4. Turn on routing forwarding to realize address forwarding of different network segments in this machine
echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
sysctl -p
5. Modify firewall rules
iptables -F
iptables -t nat -F
iptables -t nat -I PREROUTING -i ens33 -s 192.168.2.0/24 -p tcp --dport 80 -j REDIRECT --to 3128
iptables -t nat -I PREROUTING -i ens33 -s 192.168.2.0/24 -p tcp --dport 443 -j REDIRECT --to 3128
iptables -I INPUT -p tcp --dport 3128 -j ACCEPT
iptables -L
iptables -L -t nat
Web-Server: 12.0.0.12
systemctl stop firewalld.service
systemctl disable firewalld.service
setenforce 0
vim /etc/sysconfig/network-scripts/ifcfg-ens33
systemctl restart network
ifconfig
Client: 192.168.2.20
Client-side test:
1. Set the IP address and attach the client to the host-only network VMnet0
Disable the proxy setting in the browser
2. Visit http://12.0.0.12
3. View the new records in the Squid access log
Squid-Server (ens33: 192.168.2.4, ens37: 12.0.0.1)
tail -f /usr/local/squid/var/logs/access.log
#the log on the Squid proxy server records the client IP and the IP of the target website it accessed
4. View the new records in the Web access log; they show that the proxy server's external interface made the access in place of the client
Web-Server: 12.0.0.12
tail -f /var/log/httpd/access_log
#the log shows that the proxy server's external interface 12.0.0.1 accessed the web server 12.0.0.12
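As an added example (not code from the original tutorial), the following Python script audits the Squid native access.log that the verification steps of both the traditional and the transparent setup tell you to watch: it parses each line, counts cache hits and misses, lists the upstream targets, and flags clients outside the 192.168.2.0/24 LAN, which matters because `http_access allow all` lets any host that can reach port 3128 use the proxy. The log lines are constructed here; on the server the input is /usr/local/squid/var/logs/access.log, and the allowed network is an assumption taken from this page's addressing.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in Squid's default "native" access.log format:
# timestamp elapsed client code/status bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
1614567890.123     45 192.168.2.20 TCP_MISS/200 1532 GET http://12.0.0.12/ - HIER_DIRECT/12.0.0.12 text/html
1614567891.456      2 192.168.2.20 TCP_HIT/200 1532 GET http://12.0.0.12/ - HIER_NONE/- text/html
1614567892.789     60 192.168.2.20 TCP_MISS/404 396 GET http://12.0.0.12/favicon.ico - HIER_DIRECT/12.0.0.12 text/html
1614567893.012    120 203.0.113.7 TCP_MISS/200 8801 GET http://example.test/ - HIER_DIRECT/198.51.100.9 text/html
1614567894.345     15 10.9.8.7 TCP_TUNNEL/200 5120 CONNECT example.test:443 - HIER_DIRECT/198.51.100.9 -
this line is garbage and is skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<ident>\S+)\s+(?P<hier>\S+)/(?P<peer>\S+)\s+(?P<type>\S+)$"
)

def parse_line(line):
    """Fields of one native-format line as a dict, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec.update(elapsed=int(rec["elapsed"]), status=int(rec["status"]), bytes=int(rec["bytes"]))
    return rec

def audit(log_text, allowed_net="192.168.2.0/24"):
    """Summarise cache behaviour and flag clients outside the LAN the proxy is meant to serve."""
    net = ipaddress.ip_network(allowed_net)   # assumed: the internal LAN from this page
    rows = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    outside = set()
    for r in rows:
        try:
            if ipaddress.ip_address(r["client"]) not in net:
                outside.add(r["client"])
        except ValueError:          # client field is not an IP address: treat as suspicious
            outside.add(r["client"])
    codes = Counter(r["code"] for r in rows)
    return {
        "requests": len(rows),
        "cache_hits": sum(n for code, n in codes.items() if code.endswith("_HIT")),
        "cache_misses": sum(n for code, n in codes.items() if code.endswith("_MISS")),
        "outside_clients": sorted(outside),
        "targets": sorted({r["peer"] for r in rows if r["peer"] != "-"}),
    }
```

Any address in `outside_clients` on the real log means a host beyond the intended LAN is using the proxy, which is the case to catch before replacing `http_access allow all` with a `src` ACL limited to the internal network.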