Squid can serve either as a forward proxy or as a reverse proxy:
Software download address:
I. Building the software
(1) Tune the Linux kernel and user limits: file descriptors, the local port range for outbound connections, faster turnover of TIME_WAIT sockets, and so on. (Do not reach for net.ipv4.tcp_tw_recycle: it breaks clients behind NAT and was removed in Linux 4.12; net.ipv4.tcp_tw_reuse plus a wider net.ipv4.ip_local_port_range is the safe combination.)
For a permanent change to the descriptor limit, edit /etc/security/limits.conf as follows:
vi /etc/security/limits.conf
* hard nofile 102400
* soft nofile 102400
Save, then log out and back in: the maximum number of file descriptors for the new session is now permanently raised. Two caveats: limits.conf is applied by PAM at login, so a service started by systemd gets its limit from LimitNOFILE= in the unit instead, and Squid's ./configure records the descriptor limit it sees at build time, so raise ulimit -n in the shell that runs the build (or pass --with-filedescriptors=102400 to ./configure) rather than relying on the file alone.
(2) Install the dependencies: perl, gcc, awk (the gawk package), gcc-c++, net-snmp, net-snmp-utils and libtool. Check each with rpm -q and install anything missing with yum. With internet access use a public yum repository; on an internal network use the company mirror, configured by creating a file named CentOS.repo in /etc/yum.repos.d containing just these few lines:
(3) Build the software
Upload the tarball to /opt on the server and unpack it: tar -xzvf squid-3.5.19.tar.gz. Change into the extracted directory and run ./configure --prefix=/opt/squid_install --enable-useragent-log --enable-referer-log --enable-htcp. If that finishes without errors run make; if make finishes without errors run make install. The whole process takes roughly half an hour. Note that Squid 3.2 removed the separate useragent and referer logs together with those two configure switches, so on 3.5 they have no effect; record the User-Agent and Referer headers with a custom logformat (%{User-Agent}>h and %{Referer}>h) on access_log instead. Since the build runs as the user who unpacked the tarball, verify the tarball's signature before starting it.
Note:
Why build from source: RPMs or prebuilt packages save some time (the first two of the three ways of installing Linux software), but they have drawbacks. They may include features you do not need, and Squid's ./configure script probes specific parameters of the system it runs on, which may differ from those of the machine on which the package was built.
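The three steps above as one script, added here as an example and not part of the original post. Paths, the 3.5.19 version, the package list and the 102400 descriptor target come from the post. Assumptions: the release signature file squid-3.5.19.tar.gz.asc was downloaded next to the tarball and the Squid release key was imported beforehand, and the build itself only runs when SQUID_BUILD=1, so the file can be sourced just for its checks.

```shell
#!/bin/sh
# Added example, not from the original post: pre-flight checks for the
# Squid build, then the build itself. See the lead-in for what is assumed.
set -eu

PREFIX=${PREFIX:-/opt/squid_install}
TARBALL=${TARBALL:-/opt/squid-3.5.19.tar.gz}
NEED_FDS=${NEED_FDS:-102400}
# "awk" in the post is the gawk rpm on CentOS.
DEPS="perl gcc gawk gcc-c++ net-snmp net-snmp-utils libtool"

# Print each package in DEPS that rpm reports as not installed.
# On a host without rpm there is nothing to check, so print nothing.
missing_rpms() {
    command -v rpm >/dev/null 2>&1 || return 0
    for p in $DEPS; do
        rpm -q "$p" >/dev/null 2>&1 || printf '%s\n' "$p"
    done
}

# Succeed when this shell's soft nofile limit is at least $1. limits.conf
# only applies to a fresh PAM login, and ./configure records the limit it
# sees, so the check has to pass in the shell that runs the build.
fd_limit_ok() {
    cur=$(ulimit -n)
    [ "$cur" = unlimited ] || [ "$cur" -ge "$1" ]
}

# The ./configure line from the post, with --with-filedescriptors pinned so
# the result does not depend on the build shell's ulimit. The separate
# useragent/referer logs were removed in Squid 3.2, so those two switches
# are left out; a custom logformat records the headers instead.
configure_cmd() {
    printf './configure --prefix=%s --enable-htcp --with-filedescriptors=%s' "$1" "$2"
}

build() {
    missing=$(missing_rpms)
    if [ -n "$missing" ]; then
        echo "install these first: $missing" >&2
        return 1
    fi
    fd_limit_ok "$NEED_FDS" || { echo "run 'ulimit -n $NEED_FDS' first" >&2; return 1; }
    # Supply-chain check (assumed .asc next to the tarball): refuse to build
    # a tarball whose detached signature does not verify.
    gpg --verify "$TARBALL.asc" "$TARBALL"
    cd "$(dirname "$TARBALL")"
    tar -xzf "$TARBALL"
    cd "$(basename "$TARBALL" .tar.gz)"
    eval "$(configure_cmd "$PREFIX" "$NEED_FDS")"
    make
    make install
}

if [ "${SQUID_BUILD:-0}" = 1 ]; then
    build
fi
```

Run it as SQUID_BUILD=1 sh build-squid.sh from a login shell whose ulimit -n already shows 102400; without the variable it only defines the functions.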
II. Configuration
The software is installed under /opt/squid_install/ with the following layout:
./sbin    the squid start-up binary
./etc     configuration files
./var     logs and cache
./bin     tools for purging the cache and computing hit rates
./share
./libexec
(1) Forward proxy configuration (the proxy on the 105 subnet, used by the vulnerability scanners)
The configuration installed by default is a basic forward-proxy setup; adjust parameters such as http_port, cache_dir, access_log, logfile_rotate, cache_mem and the acl/http_access rules as required. Pay attention to the localnet ACL: the stock file allows all of 192.168.0.0/16 (as the -k parse output further down shows), which is far wider than the scanner hosts, so narrow it to the scanner addresses or the whole internal network gets an open proxy.
(2) Reverse proxy configuration (the proxy on the 106 subnet, accessed by external internet users)
cache_peer 172.16.1.197 parent 8080 0 no-query originserver round-robin
http_port 8081 accel vhost vport
http_access allow all    this line goes above http_access deny all (http_access rules are evaluated in order and the first match wins). On an internet-facing accelerator allow all is overly broad: with vhost any Host header is relayed to the origin, so restrict the allow to the published domain with a dstdomain ACL and lock the peer down with cache_peer_access.
With more than one origin server, add one cache_peer line per node; round-robin then balances requests across them.
(3) ACL configuration
acl adserver src 192.168.106.0/24
http_access deny adserver
Access control lists can be defined on the source address, the destination address and other request properties. Because the first matching http_access rule wins, a deny like this one must appear before any broader allow, otherwise it is never reached.
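The reverse-proxy block and the ACL above combined into one hardened fragment, added here as an example rather than the post's own squid.conf. The origin 172.16.1.197:8080, accelerator port 8081 and the 192.168.106.0/24 ACL are from the post; the site name www.example.com and the second origin 172.16.1.198 are assumptions.

```conf
# Added example, not the post's squid.conf. Assumed: www.example.com is the
# published site, 172.16.1.198 is a second origin behind the same name.

# Accelerator port. vhost routes on the Host header, so the http_access and
# cache_peer_access rules below decide which hosts are actually relayed.
http_port 8081 accel vhost vport

cache_peer 172.16.1.197 parent 8080 0 no-query originserver round-robin name=origin1
cache_peer 172.16.1.198 parent 8080 0 no-query originserver round-robin name=origin2

acl our_sites dstdomain www.example.com
acl adserver  src 192.168.106.0/24

# First match wins: the specific deny precedes the allow, the allow names
# only the published site, and the catch-all deny stays last. There is no
# "http_access allow all" at all.
http_access deny adserver
http_access allow our_sites
http_access deny all

# Only the published site may be forwarded to the origins, and nothing is
# fetched directly, so a later loosening of http_access still cannot turn
# the accelerator into a general-purpose proxy.
cache_peer_access origin1 allow our_sites
cache_peer_access origin1 deny all
cache_peer_access origin2 allow our_sites
cache_peer_access origin2 deny all
never_direct allow all
```

Run ./squid -k parse after dropping this in, then confirm with a request carrying a Host header for some other name that the proxy answers with a 403 rather than relaying it.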
III. Running and testing
1. After editing the configuration file, check it: ./squid -k parse (run this every time the file changes).
2. On the first run the cache directories must be created: ./squid -z
3. Start: ./squid
For a restart, shutdown and so on use ./squid -k shutdown and friends; the ones used most often are -k rotate and -k reconfigure. Be aware that starting and stopping Squid each take about 10 seconds here (shutdown waits up to shutdown_lifetime for active clients to finish), so do not rush the commands; watch cache.log instead.
4. Checking the logs
tail -f var/logs/access.log
tail -f var/logs/cache.log
These show whether anything is wrong and what the proxy is actually doing. The WARNING about the log name in the start-up output below means the access_log directive should be written with the Squid 3.2+ module prefix, stdio:/opt/.../var/logs/access.log.
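What to look for in access.log once the proxy is up, as an added example that is not part of the original post: the native log format is `time elapsed client result/status bytes method URL user hierarchy/peer type`, and the three awk filters below pull out the conditions that matter on a scanner proxy. The log lines are constructed for the example (documentation addresses only); the allowed client prefix is the post's 192.168.105 scanner network.

```shell
#!/bin/sh
# Added example, not from the original post: triage of Squid's native
# access.log. SAMPLE_LOG is constructed; ALLOWED_PREFIX is the scanner net.
set -eu

ALLOWED_PREFIX=${ALLOWED_PREFIX:-192.168.105.}

# Constructed sample in Squid's native access.log format.
SAMPLE_LOG=$(cat <<'EOF'
1473148800.123    210 192.168.105.21 TCP_MISS/200 5123 GET http://www.example.com/ - HIER_DIRECT/203.0.113.10 text/html
1473148801.456     12 192.168.105.21 TCP_DENIED/403 3612 GET http://www.example.com:8443/ - HIER_NONE/- text/html
1473148802.789    980 10.0.0.5 TCP_TUNNEL/200 24011 CONNECT mail.example.net:443 - HIER_DIRECT/203.0.113.8 -
1473148803.001      5 10.0.0.5 TCP_DENIED/403 3612 CONNECT 203.0.113.9:25 - HIER_NONE/- text/html
1473148804.500     40 192.168.105.22 TCP_MISS/200 800 GET http://intranet.example/login - HIER_DIRECT/172.16.1.197 text/html
EOF
)

# Clients that reached the proxy from outside the allowed network. Each one
# is a hole in http_access (or a spoofed source) and needs a deny rule.
foreign_clients() {
    awk -v p="$ALLOWED_PREFIX" 'index($3, p) != 1 { print $3 }' | sort -u
}

# Denied requests per client. A burst from one host is either a scanner
# probing the proxy itself or a client configured to tunnel on a port that
# is not in SSL_ports.
denied_per_client() {
    awk '$4 ~ /^TCP_DENIED/ { n[$3]++ } END { for (c in n) print c, n[c] }' | sort
}

# CONNECT tunnels that were allowed through, with their targets. Anything
# other than port 443 means the proxy relays arbitrary TCP (SMTP for spam,
# for instance) and the CONNECT !SSL_ports rule is not doing its job.
successful_tunnels() {
    awk '$6 == "CONNECT" && $4 !~ /DENIED/ { print $3, $7 }'
}

# Run all three checks over a log file, or over the sample when no file
# is given.
triage() {
    if [ -n "${1:-}" ]; then data=$(cat "$1"); else data=$SAMPLE_LOG; fi
    echo "== clients outside $ALLOWED_PREFIX"
    printf '%s\n' "$data" | foreign_clients
    echo "== denied requests per client"
    printf '%s\n' "$data" | denied_per_client
    echo "== completed CONNECT tunnels"
    printf '%s\n' "$data" | successful_tunnels
}

triage "$@"
```

Against the sample, the first check reports 10.0.0.5, the second one denied request each for 192.168.105.21 and 10.0.0.5, and the third the tunnel 10.0.0.5 opened to mail.example.net:443; on a real box run it as sh triage.sh /opt/squid_install/var/logs/access.log.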
IV. Start-up sequence
[mss@lossan etc]$ ../sbin/squid -k parse
2016/09/06 15:57:07| Startup: Initializing Authentication Schemes ...
2016/09/06 15:57:07| Startup: Initialized Authentication Scheme 'basic'
2016/09/06 15:57:07| Startup: Initialized Authentication Scheme 'digest'
2016/09/06 15:57:07| Startup: Initialized Authentication Scheme 'negotiate'
2016/09/06 15:57:07| Startup: Initialized Authentication Scheme 'ntlm'
2016/09/06 15:57:07| Startup: Initialized Authentication.
2016/09/06 15:57:07| Processing Configuration File: /opt/proxy_security/squid_intall/etc/squid.conf (depth 0)
2016/09/06 15:57:07| Processing: acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
2016/09/06 15:57:07| Processing: acl localnet src fc00::/7 # RFC 4193 local private network range
2016/09/06 15:57:07| Processing: acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
2016/09/06 15:57:07| Processing: acl SSL_ports port 443
2016/09/06 15:57:07| Processing: acl Safe_ports port 80 # http
2016/09/06 15:57:07| Processing: acl Safe_ports port 21 # ftp
2016/09/06 15:57:07| Processing: acl Safe_ports port 443 # https
2016/09/06 15:57:07| Processing: acl Safe_ports port 70 # gopher
2016/09/06 15:57:07| Processing: acl Safe_ports port 210 # wais
2016/09/06 15:57:07| Processing: acl Safe_ports port 1025-65535 # unregistered ports
2016/09/06 15:57:07| Processing: acl Safe_ports port 280 # http-mgmt
2016/09/06 15:57:07| Processing: acl Safe_ports port 488 # gss-http
2016/09/06 15:57:07| Processing: acl Safe_ports port 591 # filemaker
2016/09/06 15:57:07| Processing: acl Safe_ports port 777 # multiling http
2016/09/06 15:57:07| Processing: acl CONNECT method CONNECT
2016/09/06 15:57:07| Processing: http_access deny !Safe_ports
2016/09/06 15:57:07| Processing: http_access deny CONNECT !SSL_ports
2016/09/06 15:57:07| Processing: http_access allow localhost manager
2016/09/06 15:57:07| Processing: http_access deny manager
2016/09/06 15:57:07| Processing: http_access allow localnet
2016/09/06 15:57:07| Processing: http_access allow localhost
2016/09/06 15:57:07| Processing: http_access deny all
2016/09/06 15:57:07| Processing: http_port 3128
2016/09/06 15:57:07| Processing: coredump_dir /opt/proxy_security/squid_intall/var/cache/squid
2016/09/06 15:57:07| Processing: refresh_pattern ^ftp: 1440 20% 10080
2016/09/06 15:57:07| Processing: refresh_pattern ^gopher: 1440 0% 1440
2016/09/06 15:57:07| Processing: refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
2016/09/06 15:57:07| Processing: refresh_pattern . 0 20% 4320
2016/09/06 15:57:07| Processing: access_log /opt/proxy_security/squid_intall/var/logs/access.log
2016/09/06 15:57:07| Processing: cache_log /opt/proxy_security/squid_intall/var/logs/cache.log
2016/09/06 15:57:07| Processing: logfile_rotate 10
2016/09/06 15:57:07| Processing: cache_mgr yangkai#chinamobilesz.com
2016/09/06 15:57:07| Processing: request_header_max_size 64 KB
2016/09/06 15:57:07| Processing: request_body_max_size 0
2016/09/06 15:57:07| Processing: cache_mem 20000 MB
2016/09/06 15:57:07| Processing: workers 8
2016/09/06 15:57:07| Processing: cpu_affinity_map process_numbers=1,2,3,4,5,6,7,8 cores=1,2,3,4,5,6,7,8
----------------------------------------------------------------------------------------------------------------------------------
[msss@le-scan logs]$ tail -f cache.log
2016/09/06 15:57:26| Set Current Directory to /opt/proxy_security/squid_intall/var/cache/squid
2016/09/06 15:57:26 kid9| Logfile: opening log /opt/proxy_security/squid_intall/var/logs/access.log
2016/09/06 15:57:26 kid9| WARNING: log name now starts with a module name. Use 'stdio:/opt/proxy_security/squid_intall/var/logs/access.log'
2016/09/06 15:57:26 kid9| Squid plugin modules loaded: 0
2016/09/06 15:57:26 kid9| Adaptation support is off.
2016/09/06 15:57:26 kid9| Store logging disabled
2016/09/06 15:57:26 kid9| DNS Socket created at [::], FD 8
2016/09/06 15:57:26 kid9| DNS Socket created at 0.0.0.0, FD 9
2016/09/06 15:57:26 kid9| Adding nameserver 8.8.8.8 from /etc/resolv.conf
2016/09/06 15:57:26 kid9| Adding nameserver 114.114.114.114 from /etc/resolv.conf
2016/09/06 15:57:26 kid6| Logfile: opening log /opt/proxy_security/squid_intall/var/logs/access.log
2016/09/06 15:57:26 kid6| WARNING: log name now starts with a module name. Use 'stdio:/opt/proxy_security/squid_intall/var/logs/access.log'
2016/09/06 15:57:26 kid6| Squid plugin modules loaded: 0
2016/09/06 15:57:26 kid6| Adaptation support is off.
2016/09/06 15:57:26 kid6| Store logging disabled
2016/09/06 15:57:26 kid7| Logfile: opening log /opt/proxy_security/squid_intall/var/logs/access.log
2016/09/06 15:57:26 kid2| Logfile: opening log /opt/proxy_security/squid_intall/var/logs/access.log
2016/09/06 15:57:26 kid2| WARNING: log name now starts with a module name. Use 'stdio:/opt/proxy_security/squid_intall/var/logs/access.log'
2016/09/06 15:57:26 kid7| WARNING: log name now starts with a module name. Use 'stdio:/opt/proxy_security/squid_intall/var/logs/access.log'
2016/09/06 15:57:26 kid2| Squid plugin modules loaded: 0
2016/09/06 15:57:26 kid4| Logfile: opening log /opt/proxy_security/squid_intall/var/logs/access.log
2016/09/06 15:57:26 kid7| Squid plugin modules loaded: 0
2016/09/06 15:57:26 kid2| Adaptation support is off.
2016/09/06 15:57:26 kid7| Adaptation support is off.
2016/09/06 15:57:26 kid4| WARNING: log name now starts with a module name. Use 'stdio:/opt/proxy_security/squid_intall/var/logs/access.log'
2016/09/06 15:57:26 kid3| Logfile: opening log /opt/proxy_security/squid_intall/var/logs/access.log
2016/09/06 15:57:26 kid7| Store logging disabled
2016/09/06 15:57:26 kid4| Squid plugin modules loaded: 0
2016/09/06 15:57:26 kid2| Store logging disabled
2016/09/06 15:57:26 kid4| Adaptation support is off.
2016/09/06 15:57:26 kid3| WARNING: log name now starts with a module name. Use 'stdio:/opt/proxy_security/squid_intall/var/logs/access.log'
2016/09/06 15:57:26 kid7| DNS Socket created at [::], FD 11
2016/09/06 15:57:26 kid4| Store logging disabled
2016/09/06 15:57:26 kid2| DNS Socket created at [::], FD 11
2016/09/06 15:57:26 kid7| DNS Socket created at 0.0.0.0, FD 13
2016/09/06 15:57:26 kid2| DNS Socket created at 0.0.0.0, FD 13
2016/09/06 15:57:26 kid3| Squid plugin modules loaded: 0
2016/09/06 15:57:26 kid8| Logfile: opening log /opt/proxy_security/squid_intall/var/logs/access.log
2016/09/06 15:57:26 kid3| Adaptation support is off.
2016/09/06 15:57:26 kid4| DNS Socket created at [::], FD 11
2016/09/06 15:57:26 kid2| Adding nameserver 8.8.8.8 from /etc/resolv.conf
2016/09/06 15:57:26 kid8| WARNING: log name now starts with a module name. Use 'stdio:/opt/proxy_security/squid_intall/var/logs/access.log'
2016/09/06 15:57:26 kid3| Store logging disabled
2016/09/06 15:57:26 kid4| DNS Socket created at 0.0.0.0, FD 13
2016/09/06 15:57:26 kid7| Adding nameserver 8.8.8.8 from /etc/resolv.conf
2016/09/06 15:57:26 kid2| Adding nameserver 114.114.114.114 from /etc/resolv.conf
2016/09/06 15:57:26 kid3| DNS Socket created at [::], FD 11
2016/09/06 15:57:26 kid8| Squid plugin modules loaded: 0
2016/09/06 15:57:26 kid6| DNS Socket created at [::], FD 11
2016/09/06 15:57:26 kid3| DNS Socket created at 0.0.0.0, FD 13
2016/09/06 15:57:26 kid8| Adaptation support is off.
2016/09/06 15:57:26 kid5| Logfile: opening log /opt/proxy_security/squid_intall/var/logs/access.log
2016/09/06 15:57:26 kid3| Adding nameserver 8.8.8.8 from /etc/resolv.conf
2016/09/06 15:57:26 kid6| DNS Socket created at 0.0.0.0, FD 13
2016/09/06 15:57:26 kid8| Store logging disabled
2016/09/06 15:57:26 kid5| WARNING: log name now starts with a module name. Use 'stdio:/opt/proxy_security/squid_intall/var/logs/access.log'
2016/09/06 15:57:26 kid3| Adding nameserver 114.114.114.114 from /etc/resolv.conf
2016/09/06 15:57:26 kid5| Squid plugin modules loaded: 0
2016/09/06 15:57:26 kid6| Adding nameserver 8.8.8.8 from /etc/resolv.conf
2016/09/06 15:57:26 kid5| Adaptation support is off.
2016/09/06 15:57:26 kid2| HTCP Disabled.
2016/09/06 15:57:26 kid8| DNS Socket created at [::], FD 11
2016/09/06 15:57:26 kid5| Store logging disabled
2016/09/06 15:57:26 kid8| DNS Socket created at 0.0.0.0, FD 13
2016/09/06 15:57:26 kid6| Adding nameserver 114.114.114.114 from /etc/resolv.conf
2016/09/06 15:57:26 kid5| DNS Socket created at [::], FD 11
2016/09/06 15:57:26 kid8| Adding nameserver 8.8.8.8 from /etc/resolv.conf
2016/09/06 15:57:26 kid5| DNS Socket created at 0.0.0.0, FD 13
2016/09/06 15:57:26 kid7| Adding nameserver 114.114.114.114 from /etc/resolv.conf
2016/09/06 15:57:26 kid5| Adding nameserver 8.8.8.8 from /etc/resolv.conf
2016/09/06 15:57:26 kid8| Adding nameserver 114.114.114.114 from /etc/resolv.conf
2016/09/06 15:57:26 kid5| Adding nameserver 114.114.114.114 from /etc/resolv.conf
2016/09/06 15:57:26 kid6| HTCP Disabled.
2016/09/06 15:57:26 kid4| Adding nameserver 8.8.8.8 from /etc/resolv.conf
2016/09/06 15:57:26 kid3| HTCP Disabled.
2016/09/06 15:57:26 kid4| Adding nameserver 114.114.114.114 from /etc/resolv.conf
2016/09/06 15:57:26 kid5| HTCP Disabled.
2016/09/06 15:57:26 kid8| HTCP Disabled.
2016/09/06 15:57:26 kid7| HTCP Disabled.
2016/09/06 15:57:26 kid4| HTCP Disabled.
2016/09/06 15:57:26 kid1| Logfile: opening log /opt/proxy_security/squid_intall/var/logs/access.log
2016/09/06 15:57:26 kid1| WARNING: log name now starts with a module name. Use 'stdio:/opt/proxy_security/squid_intall/var/logs/access.log'
2016/09/06 15:57:26 kid1| Squid plugin modules loaded: 0
2016/09/06 15:57:26 kid1| Adaptation support is off.
2016/09/06 15:57:26 kid1| Store logging disabled
2016/09/06 15:57:26 kid1| DNS Socket created at [::], FD 11
2016/09/06 15:57:26 kid1| DNS Socket created at 0.0.0.0, FD 13
2016/09/06 15:57:26 kid1| Adding nameserver 8.8.8.8 from /etc/resolv.conf
2016/09/06 15:57:26 kid1| Adding nameserver 114.114.114.114 from /etc/resolv.conf
2016/09/06 15:57:26 kid1| HTCP Disabled.
2016/09/06 15:57:26 kid2| Finished loading MIME types and icons.
2016/09/06 15:57:26 kid8| Finished loading MIME types and icons.
2016/09/06 15:57:26 kid5| Finished loading MIME types and icons.
2016/09/06 15:57:26 kid7| Finished loading MIME types and icons.
2016/09/06 15:57:26 kid6| Finished loading MIME types and icons.
2016/09/06 15:57:26 kid1| Finished loading MIME types and icons.
2016/09/06 15:57:26 kid4| Finished loading MIME types and icons.
2016/09/06 15:57:26 kid3| Finished loading MIME types and icons.
2016/09/06 15:57:26 kid9| Finished loading MIME types and icons.
2016/09/06 15:57:26 kid2| Accepting HTTP Socket connections at local=[::]:3128 remote=[::] FD 18 flags=1
2016/09/06 15:57:26 kid8| Accepting HTTP Socket connections at local=[::]:3128 remote=[::] FD 18 flags=1
2016/09/06 15:57:26 kid7| Accepting HTTP Socket connections at local=[::]:3128 remote=[::] FD 18 flags=1
2016/09/06 15:57:26 kid5| Accepting HTTP Socket connections at local=[::]:3128 remote=[::] FD 18 flags=1
2016/09/06 15:57:26 kid6| Accepting HTTP Socket connections at local=[::]:3128 remote=[::] FD 18 flags=1
2016/09/06 15:57:26 kid1| Accepting HTTP Socket connections at local=[::]:3128 remote=[::] FD 18 flags=1
2016/09/06 15:57:26 kid4| Accepting HTTP Socket connections at local=[::]:3128 remote=[::] FD 18 flags=1
2016/09/06 15:57:26 kid3| Accepting HTTP Socket connections at local=[::]:3128 remote=[::] FD 18 flags=1