Linux operations and maintenance --- Deploying a proxy cache service with Squid

When the Squid service program receives a user request, it fetches the required data (pages, images and so on) from the website's origin server and stores the returned data on the server running Squid. When a user requests the same data again, it can be delivered directly from the local store, which shortens the user's waiting time and relieves the load on the website server.

The Squid service program is simple to configure, efficient and feature-rich. It can cache data for several protocols, including HTTP, FTP and SSL, and it can filter content and manage permissions based on access control lists (ACL) and access permission lists (ARL). It can also prevent users from reaching dangerous or inappropriate websites based on a variety of conditions, so it helps protect the corporate intranet, improves users' network experience and saves network bandwidth.

Forward proxy mode lets users obtain resources such as web pages through the Squid service program, while the access control list (ACL) function restricts which websites they may reach. It comes in two forms: standard proxy mode and transparent proxy mode. In standard forward proxy mode the server caches website data locally so that repeated access to the same resources is faster, but users must enter the proxy server's IP address and port number in their browser or other software, otherwise the proxy is not used. Transparent forward proxy mode serves essentially the same purpose; the difference is that users do not need to specify the proxy server's IP address and port number manually, so the proxy is transparent to them.

Reverse proxy mode lets multiple node hosts cache website data on the website's behalf, which speeds up user access. A website generally loads a large number of static resources such as text and images, and these change rarely. When a user requests such static resources from a page, the reverse proxy mode provided by the Squid service program can answer the request. If the reverse proxy server already holds the static resource the user wants, it sends the cached copy directly, which both speeds up the user's access to the website and, to a certain extent, reduces the load on the website server.

So that the two virtual machines can communicate with each other, both need to be set to host-only mode, and the newly added network card is set to bridged mode; otherwise the two virtual machines cannot reach the external network.

Use the ping command to confirm that the Squid server can reach the external network

[root@localhost ~]# ping www.baidu.com
PING www.a.shifen.com (14.215.177.38) 56(84) bytes of data.
64 bytes from 14.215.177.38: icmp_seq=1 ttl=128 time=5.98 ms
64 bytes from 14.215.177.38: icmp_seq=2 ttl=128 time=5.85 ms
64 bytes from 14.215.177.38: icmp_seq=3 ttl=128 time=6.36 ms
^C
--- www.a.shifen.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2004ms
rtt min/avg/max/mdev = 5.853/6.065/6.362/0.234 ms
[root@localhost ~]#

Install the Squid server program

[root@localhost ~]# yum install squid
已加载插件:langpacks, product-id, search-disabled-repos, subscription-manager
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
正在解决依赖关系
--> 正在检查事务
---> 软件包 squid.x86_64.7.3.3.8-26.el7 将被 安装
--> 正在处理依赖关系 perl(DBI),它被软件包 7:squid-3.3.8-26.el7.x86_64 需要
--> 正在处理依赖关系 perl(Digest::MD5),它被软件包 7:squid-3.3.8-26.el7.x86_64 需要
--> 正在处理依赖关系 libecap.so.2()(64bit),它被软件包 7:squid-3.3.8-26.el7.x86_64 需要
--> 正在检查事务
---> 软件包 libecap.x86_64.0.0.2.0-9.el7 将被 安装
---> 软件包 perl-DBI.x86_64.0.1.627-4.el7 将被 安装
--> 正在处理依赖关系 perl(RPC::PlClient) >= 0.2000,它被软件包 perl-DBI-1.627-4.el7.x86_64 需要
--> 正在处理依赖关系 perl(RPC::PlServer) >= 0.2001,它被软件包 perl-DBI-1.627-4.el7.x86_64 需要
---> 软件包 perl-Digest-MD5.x86_64.0.2.52-3.el7 将被 安装
--> 正在处理依赖关系 perl(Digest::base) >= 1.00,它被软件包 perl-Digest-MD5-2.52-3.el7.x86_64 需要
--> 正在检查事务
---> 软件包 perl-Digest.noarch.0.1.17-245.el7 将被 安装
---> 软件包 perl-PlRPC.noarch.0.0.2020-14.el7 将被 安装
--> 正在处理依赖关系 perl(Net::Daemon) >= 0.13,它被软件包 perl-PlRPC-0.2020-14.el7.noarch 需要
--> 正在处理依赖关系 perl(Compress::Zlib),它被软件包 perl-PlRPC-0.2020-14.el7.noarch 需要
--> 正在处理依赖关系 perl(Net::Daemon::Log),它被软件包 perl-PlRPC-0.2020-14.el7.noarch 需要
--> 正在处理依赖关系 perl(Net::Daemon::Test),它被软件包 perl-PlRPC-0.2020-14.el7.noarch 需要
--> 正在检查事务
---> 软件包 perl-IO-Compress.noarch.0.2.061-2.el7 将被 安装
--> 正在处理依赖关系 perl(Compress::Raw::Bzip2) >= 2.061,它被软件包 perl-IO-Compress-2.061-2.el7.noarch 需要
--> 正在处理依赖关系 perl(Compress::Raw::Zlib) >= 2.061,它被软件包 perl-IO-Compress-2.061-2.el7.noarch 需要
---> 软件包 perl-Net-Daemon.noarch.0.0.48-5.el7 将被 安装
--> 正在检查事务
---> 软件包 perl-Compress-Raw-Bzip2.x86_64.0.2.061-3.el7 将被 安装
---> 软件包 perl-Compress-Raw-Zlib.x86_64.1.2.061-4.el7 将被 安装
--> 解决依赖关系完成

依赖关系解决

================================================================================
 Package                      架构        版本                   源        大小
================================================================================
正在安装:
 squid                        x86_64      7:3.3.8-26.el7         yum      2.6 M
为依赖而安装:
 libecap                      x86_64      0.2.0-9.el7            yum       20 k
 perl-Compress-Raw-Bzip2      x86_64      2.061-3.el7            yum       32 k
 perl-Compress-Raw-Zlib       x86_64      1:2.061-4.el7          yum       57 k
 perl-DBI                     x86_64      1.627-4.el7            yum      802 k
 perl-Digest                  noarch      1.17-245.el7           yum       23 k
 perl-Digest-MD5              x86_64      2.52-3.el7             yum       30 k
 perl-IO-Compress             noarch      2.061-2.el7            yum      260 k
 perl-Net-Daemon              noarch      0.48-5.el7             yum       51 k
 perl-PlRPC                   noarch      0.2020-14.el7          yum       36 k

事务概要
================================================================================
安装  1 软件包 (+9 依赖软件包)

总下载量:3.9 M
安装大小:12 M
Is this ok [y/d/N]: y
Downloading packages:
--------------------------------------------------------------------------------
总计                                               6.3 MB/s | 3.9 MB  00:00     
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  正在安装    : libecap-0.2.0-9.el7.x86_64                                 1/10 
  正在安装    : perl-Digest-1.17-245.el7.noarch                            2/10 
  正在安装    : perl-Digest-MD5-2.52-3.el7.x86_64                          3/10 
  正在安装    : 1:perl-Compress-Raw-Zlib-2.061-4.el7.x86_64                4/10 
  正在安装    : perl-Net-Daemon-0.48-5.el7.noarch                          5/10 
  正在安装    : perl-Compress-Raw-Bzip2-2.061-3.el7.x86_64                 6/10 
  正在安装    : perl-IO-Compress-2.061-2.el7.noarch                        7/10 
  正在安装    : perl-PlRPC-0.2020-14.el7.noarch                            8/10 
  正在安装    : perl-DBI-1.627-4.el7.x86_64                                9/10 
  正在安装    : 7:squid-3.3.8-26.el7.x86_64                               10/10 
yum/productid                                            | 1.6 kB     00:00     
  验证中      : perl-Compress-Raw-Bzip2-2.061-3.el7.x86_64                 1/10 
  验证中      : perl-Net-Daemon-0.48-5.el7.noarch                          2/10 
  验证中      : perl-Digest-MD5-2.52-3.el7.x86_64                          3/10 
  验证中      : perl-PlRPC-0.2020-14.el7.noarch                            4/10 
  验证中      : 1:perl-Compress-Raw-Zlib-2.061-4.el7.x86_64                5/10 
  验证中      : perl-Digest-1.17-245.el7.noarch                            6/10 
  验证中      : 7:squid-3.3.8-26.el7.x86_64                                7/10 
  验证中      : libecap-0.2.0-9.el7.x86_64                                 8/10 
  验证中      : perl-DBI-1.627-4.el7.x86_64                                9/10 
  验证中      : perl-IO-Compress-2.061-2.el7.noarch                       10/10 

已安装:
  squid.x86_64 7:3.3.8-26.el7                                                   

作为依赖被安装:
  libecap.x86_64 0:0.2.0-9.el7                                                  
  perl-Compress-Raw-Bzip2.x86_64 0:2.061-3.el7                                  
  perl-Compress-Raw-Zlib.x86_64 1:2.061-4.el7                                   
  perl-DBI.x86_64 0:1.627-4.el7                                                 
  perl-Digest.noarch 0:1.17-245.el7                                             
  perl-Digest-MD5.x86_64 0:2.52-3.el7                                           
  perl-IO-Compress.noarch 0:2.061-2.el7                                         
  perl-Net-Daemon.noarch 0:0.48-5.el7                                           
  perl-PlRPC.noarch 0:0.2020-14.el7                                             

完毕!
[root@localhost ~]# 

After the installation is complete, restart the Squid service program and enable it to start at boot

[root@localhost ~]# systemctl restart squid
[root@localhost ~]# systemctl enable squid
Created symlink from /etc/systemd/system/multi-user.target.wants/squid.service to /usr/lib/systemd/system/squid.service.
[root@localhost ~]# systemctl enable squid
[root@localhost ~]# 

Forward proxy

Open any browser on the Windows 7 system and perform the following operations

Fill in the IP address of the Squid server

Now users can go online through the proxy service provided by the Squid service program

The Squid service program uses port numbers such as 3128, 3401 and 4827 by default. To prevent the proxy port from being "snatched" by others, the default port number can be changed to another value, which gives a certain degree of protection. Find the configuration file in the directory with the same name as the Squid service program under /etc, and change the proxy service port (the http_port parameter) of the Squid service program to the new value

[root@localhost ~]# vim /etc/squid/squid.conf

Restart the Squid service program

[root@localhost ~]# systemctl restart squid
[root@localhost ~]# systemctl enable squid
[root@localhost ~]#

Add the new port number to the list of ports the Squid service program is allowed to use in the SELinux policy (the squid_port_t type)

[root@localhost ~]# semanage port -l | grep squid_port_t
squid_port_t                   tcp      3128, 3401, 4827
squid_port_t                   udp      3401, 4827
[root@localhost ~]# semanage port -a -t squid_port_t -p tcp 10086
[root@localhost ~]# semanage port -l | grep squid_port_t
squid_port_t                   tcp      10086, 3128, 3401, 4827
squid_port_t                   udp      3401, 4827
[root@localhost ~]# 

ACL access control

In daily work, company office computers generally reach the Internet through the company's internal gateway server. When the Squid service program is deployed as that gateway, its access control list (ACL) function comes into play: it can cache data or restrict user access according to the specified policy conditions.

Allow only the client with IP address 192.168.168.129 to use the proxy service provided by the Squid service program on the server, and reject proxy requests from all other hosts.

[root@localhost ~]# vim /etc/squid/squid.conf

Restart the Squid service program

[root@localhost ~]# systemctl restart squid

Because the client's IP address does not match the allow policy, the access request is denied

Prohibit all clients from accessing websites whose URL contains the keyword baidu

[root@localhost ~]# vim /etc/squid/squid.conf

Restart the Squid service program

[root@localhost ~]# systemctl restart squid

The results when the client visits a website whose URL contains the keyword baidu and one whose URL does not

Prevent all clients from accessing a specific website

Besides prohibiting all clients from accessing URLs that contain the keyword baidu, you can also prohibit clients from accessing one specific URL, which avoids blocking sites by mistake

[root@localhost ~]# vim /etc/squid/squid.conf

In order to make the experimental effect more obvious, I will compare the HTTP protocol with the HTTPS protocol.

Prohibit employees from downloading files with certain suffixes within the corporate network

In a corporate network there will always be people who use the company's high-speed bandwidth to download resources (songs, movies and so on) for private use. By prohibiting all users from requesting files with suffixes such as .rar, .avi or .mp3, you can stop them from continuing to download such resources

[root@localhost ~]# vim /etc/squid/squid.conf

Restart the Squid service program

[root@localhost ~]# systemctl restart squid
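The article shows the vim command for each rule but not the configuration itself. The following squid.conf fragment is an added example, not the article's own file; it puts the port change from the forward proxy section and the four ACL rules above into one consistent set of http_access lines, assumes port 10086 and client 192.168.168.129 from the article, and uses .example.com as a placeholder for the specific site being blocked.

```squid
# Added example, not the article's configuration. Values from the article:
# proxy port 10086, permitted client 192.168.168.129. Placeholder: .example.com
# stands for the specific site to be blocked.

# Proxy listening port (the default is 3128; the semanage rule must match)
http_port 10086

# --- ACL definitions ---
# The only client allowed to use the proxy
acl allowed_client src 192.168.168.129/32

# Any URL containing "baidu". url_regex is matched against the whole URL, so for
# HTTPS it also matches the "host:443" target of the browser's CONNECT request
acl baidu_keyword url_regex -i baidu

# One specific site by destination domain (leading dot = domain and subdomains).
# dstdomain works for HTTPS too, because the hostname is visible in CONNECT
acl blocked_site dstdomain .example.com

# Download suffixes. urlpath_regex only sees the path, which is hidden inside the
# TLS tunnel for HTTPS, so this rule catches plain-HTTP downloads only
acl download_ext urlpath_regex -i \.(rar|avi|mp3)$

# Port restrictions from the stock squid.conf (abbreviated) so the proxy cannot
# be used to reach arbitrary ports
acl SSL_ports port 443
acl Safe_ports port 80 21 443 1025-65535
acl CONNECT method CONNECT

# --- Access rules: Squid stops at the first matching line ---
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny baidu_keyword
http_access deny blocked_site
http_access deny download_ext
http_access allow allowed_client
# Every other client, and anything not matched above, is refused
http_access deny all
```

Check the syntax with `squid -k parse` and load it with `squid -k reconfigure` (or systemctl restart squid as the article does). The order of the http_access lines matters because the first matching rule wins, so the deny rules for specific sites must come before the allow for the permitted client.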

Reverse proxy

The principle is to hand over part of the requests that users would originally send to the website's origin server to a Squid cache node instead. The drawback of this technique is also obvious: if someone points a reverse proxy for their own domain name and server at a well-known website, then in theory users who visit that domain will see the same content as the well-known website. For this reason many websites now block reverse proxying by default, and websites with CDN (Content Delivery Network) service enabled can also avoid this kind of theft.

[root@localhost ~]# vim /etc/squid/squid.conf
……… part of the output omitted ………

# Squid normally listens to port 3128
http_port <IP address of your bridged NIC>:80 vhost
cache_peer <IP address of the website origin server> parent 80 0 originserver

……… part of the output omitted ………
[root@localhost ~]# systemctl restart squid
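The reverse proxy listing above shows only the listener and the origin server. The following squid.conf fragment is an added example, not the article's own file; it uses the placeholder addresses 192.0.2.20 for the bridged NIC and 192.0.2.10 for the origin server, with www.example.com as the accelerated site, and adds the access rules that keep the port-80 listener from being usable as an open forward proxy for third-party sites.

```squid
# Added example, not the article's configuration. Placeholders: 192.0.2.20 is
# the bridged NIC address, 192.0.2.10 the origin server, www.example.com the
# site being accelerated.

# Accelerator listener; vhost picks the origin from the client's Host header
http_port 192.0.2.20:80 accel vhost

# The real web server (originserver) rather than another proxy; no-query
# disables ICP probes; name= lets cache_peer_access refer to it below
cache_peer 192.0.2.10 parent 80 0 no-query originserver name=origin

# Only requests whose Host is the accelerated site are accepted and forwarded
acl our_site dstdomain www.example.com
http_access allow our_site
cache_peer_access origin allow our_site
cache_peer_access origin deny all

# Anything else, including attempts to fetch third-party sites through this
# listener, is refused
http_access deny all
```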


Origin blog.csdn.net/C_huid/article/details/107035766