目标:在网关上为内网提供普通代理以及透明代理服务,以ip地址为访问控制条件,不需要其他访问控制。(前提:网关防火墙必须丢弃从外网接口进入、但源地址为内网网段的包,否则仅凭源 IP 的访问控制可以被伪造源地址绕过。)
#安装
#如果是FreeBSD,建议安装如下ports:
# FreeBSD: build autoconf and automake from the ports tree before building squid.
# Same commands as before, applied to each port in turn.
for port in devel/autoconf devel/automake; do
  cd "/usr/ports/${port}"
  make clean
  make install clean
done
#首先,配置好你的网络,保证安装squid的主机能正常上网;
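# Sanity-check that the squid host can reach the Internet before building.
# The hostname in the original was lost; use any external hostname (not an
# IP address) so that DNS resolution is exercised as well.
ping -c 3 www.squid-cache.org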
#用域名是为了测试DNS解析;
#以下以root身份执行。
#获得最新stable源码
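# Fetch and build the Squid release this guide was written for (run as root).
# NOTE(review): 2.5.STABLE1 is from 2002/2003 and the 2.5 branch is long out
# of support; for a new deployment use a currently supported release.
mkdir -p /usr/local/src/distfiles
cd /usr/local/src/distfiles
# The download URL was mangled in the original; this is the project's release
# path for the 2.5 series (a mirror works just as well).
# FreeBSD:
fetch http://www.squid-cache.org/Versions/v2/2.5/squid-2.5.STABLE1.tar.gz
# Linux:
wget http://www.squid-cache.org/Versions/v2/2.5/squid-2.5.STABLE1.tar.gz
# The tarball arrives over plain HTTP: compare it against the checksum or
# signature published by the project before unpacking and building it.
tar xfz squid-2.5.STABLE1.tar.gz -C ..
cd ../squid-2.5.STABLE1
./configure --prefix=/usr/local/squid
make
make install
# Squid drops privileges to cache_effective_user/cache_effective_group
# (squid.conf default: nobody/nobody), so that user must own the cache and
# log tree under var/. Leave the binaries and etc/ owned by root.
chown -R nobody:nobody /usr/local/squid/var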
#按照你的需要配置;
#vi /usr/local/squid/etc/squid.conf
# TAG: http_port
# Usage: port
# hostname:port
# 1.2.3.4:port
#Default:
# http_port 3128
http_port 60080
#A non-default port only cuts down noise from proxy scanners; it is not access control -- the src ACLs below are. To keep the listener off the external interface entirely, bind it to the LAN address: http_port <lan-ip>:60080
#设置不代理的url,一些动态网页,比如江湖、聊天室。
# TAG: no_cache
# A list of ACL elements which, if matched, cause the request to
# not be satisfied from the cache and the reply to not be cached.
# In other words, use this to force certain objects to never be cached.
#
# You must use the word 'DENY' to indicate the ACL names which should
# NOT be cached.
#
#We recommend you to use the following two lines.
acl QUERY urlpath_regex cgi-bin \? asp php shtml php3 cgi
no_cache deny QUERY
# ACCESS CONTROLS
# -----------------------------------------------------------------------------
# TAG: acl
# Defining an Access List
#
# acl aclname acltype string1 ...
# acl aclname acltype "file" ...
#
# when using "file", the file should contain one item per line
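# Internal networks allowed to use the proxy (example ranges: 172.16.0.0/16,
# 192.168.0.0/16, 10.0.0.0/8). This is source-IP-only access control, so the
# gateway firewall must drop packets that arrive on the external interface
# with one of these private source addresses; otherwise the ACL can be
# satisfied with a spoofed source.
acl lan-a src 172.16.0.0/16
acl lan-b src 192.168.0.0/16
acl lan-c src 10.0.0.0/8
# http_access rules are evaluated top to bottom, first match wins, and the
# stock squid.conf default is "http_access deny all".
# Safe_ports, SSL_ports, CONNECT, manager and localhost are defined in the
# stock "Recommended minimum configuration" section of squid.conf; keep that
# section (squid will not start if a referenced ACL is undefined). The deny
# rules must come BEFORE the LAN allows: once a request matches "allow lan-a"
# nothing further is checked, so a LAN host could otherwise CONNECT to any
# TCP port (e.g. SMTP) through the proxy.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow manager localhost
http_access deny manager
# Open the proxy to the internal networks listed above.
http_access allow lan-a
http_access allow lan-b
http_access allow lan-c
# Explicit final deny. Without it Squid falls back to the opposite of the
# last rule, which silently flips if a deny rule is ever appended here.
http_access deny all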
#Recommended minimum configuration:
#
#以下设置透明代理,如果你不用透明代理,可以跳过。
#在网关的防火墙上设置重定向,把内网对80的访问请求重定向到squid:
#Ipfilter rules
#rdr $LAN_NIC 0/0 port 80 -> $SQUID_HOST_ADDR port $SQUID_PROXY_PORT tcp
#Iptables rules
#iptables -t nat -A PREROUTING -i $LAN_NIC -p tcp -m tcp --dport 80 -j DNAT --to $SQUID_HOST_ADDR:$SQUID_PROXY_PORT
#限定对指定来源的请求做重定向;
#iptables -t nat -A PREROUTING -i $LAN_NIC -p tcp -m tcp -s $INTERNAL_NETWORK/$INTERNAL_MASK --dport 80 -j DNAT --to $SQUID_HOST_ADDR:$SQUID_PROXY_PORT
#启用透明代理
# Transparent (intercepting) mode for Squid 2.5: serve the requests the
# firewall redirected from port 80 alongside ordinary proxy requests.
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
# Required so intercepted requests are keyed by the client's Host: header
# and can still be cached; the squid.conf default is off.
httpd_accel_uses_host_header on
#初始化缓冲目录
# Create the cache_dir swap directories; run once, before the first start.
/usr/local/squid/sbin/squid -z
#开机关机管理脚本
#vi /usr/local/sbin/squid.sh
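#!/bin/sh
# Start/stop/restart script for Squid, installed as /usr/local/sbin/squid.sh
# and symlinked from the rc directory. Usage: squid.sh start|stop|restart
SQUID=/usr/local/squid/sbin/squid

case "$1" in
start)
  if [ -x "$SQUID" ]; then
    "$SQUID" && echo . && echo 'Squid proxy server started.'
  fi
  ;;
stop)
  # Ask the running instance (found via its pid file) to shut down cleanly.
  # "killall squid" would also hit any other process named squid and gives
  # squid no chance to finish in-flight requests or flush its swap state.
  if "$SQUID" -k shutdown; then
    # Shutdown is asynchronous: squid keeps serving open connections for up
    # to shutdown_lifetime (default 30 s). Wait for the process to exit so a
    # following start does not collide with the old one.
    i=0
    while [ "$i" -lt 60 ] && "$SQUID" -k check >/dev/null 2>&1; do
      sleep 1
      i=$((i + 1))
    done
    echo . && echo 'Squid proxy server stopped.'
  fi
  ;;
restart)
  echo .
  echo "Restart Squid proxy server ......"
  # "stop" only returns once the old process is gone (see above), so no
  # fixed sleep is needed here.
  "$0" stop
  "$0" start
  ;;
*)
  echo "$0 start | stop | restart"
  ;;
esac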
#end of /usr/local/sbin/squid.sh
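chmod 700 /usr/local/sbin/squid.sh
# Run at boot.
# FreeBSD: scripts in /usr/local/etc/rc.d are called with "start" at boot
# (and with "stop" by rc.shutdown).
ln -s /usr/local/sbin/squid.sh /usr/local/etc/rc.d
# Linux (SysV rc.d layout): the S link starts squid in runlevel 3. K links in
# the halt/reboot runlevels are needed as well, otherwise squid is never
# given a clean "stop" at shutdown. (Link name typo "prxoy" fixed.)
ln -s /usr/local/sbin/squid.sh /etc/rc.d/rc3.d/S99squid-proxy
ln -s /usr/local/sbin/squid.sh /etc/rc.d/rc0.d/K01squid-proxy
ln -s /usr/local/sbin/squid.sh /etc/rc.d/rc6.d/K01squid-proxy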
#注意:有些linux发行版本默认安装有squid,如果你不喜欢默认的,砍吧。
最后就是squid的配置,这需要仔细说一下,随RH发布的squid的配置有问题,性能受限。建议先卸除,到下载最新的2.5stable1。然后重新编译,编译前需做以下准备工作:
1。编辑/usr/include/bits/types.h中__FD_SETSIZE值至32768(注意:这是直接修改系统头文件,会影响此后在这台机器上编译的所有程序,并且会在系统升级时被覆盖;较新的 squid 版本可以改用 ./configure --with-maxfd=32768,请先用 ./configure --help 确认是否支持)
2。ulimit -HSn 32768
然后到squid src包目录编译squid ,./configure, make all, make install.....
squid会安装在缺省的/usr/local/squid下,squid的可执行文件在安装目录的bin子目录下(本文前半部分用的是 sbin/squid,请以实际安装结果为准),配置文件在etc子目录下
Squid配置文件为:/usr/local/squid/etc/squid.conf,以下为我的配置:
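# Complete squid.conf for the second setup. Notes that the original wrote
# inline after a directive are now comments: squid treats anything after the
# directive value as further arguments.
http_port 8080
cache_mem 32 MB
cache_swap_low 90
cache_swap_high 95
maximum_object_size 4096 KB
cache_dir ufs /usr/local/squid/cache 10000 16 256
cache_access_log /usr/local/squid/logs/access.log
cache_log /usr/local/squid/logs/cache.log
dns_nameservers 202.96.209.5
unlinkd_program /usr/local/squid/bin/unlinkd
# The LAN allowed to use the proxy. The original defined it but never
# referenced it, and then allowed everyone (see http_access below).
acl acllist src 192.168.9.0/255.255.255.0
acl regular_days time MTWHF 8:00-19:00
# Filter keywords are kept in a file, one regex per line.
acl movie urlpath_regex "/etc/squid/banned.list"
# Additional blocking.
acl banned url_regex iij4u.or.jp
# NOTE(review): "/?" is an optional slash; "\?" (as in the first config)
# was probably intended to match query strings. Left unchanged.
acl cache_prevent1 url_regex cgi-bin /?
acl cache_prevent2 url_regex Servlet
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
# Referenced by the CONNECT rule below but never defined in the original.
acl CONNECT method CONNECT
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
no_cache deny cache_prevent1
no_cache deny cache_prevent2
# http_access is first-match-wins. The original placed "http_access allow all"
# before the port, manager and "deny all" rules, which made everything after
# it unreachable and turned this into an open proxy for the whole Internet.
# Order: hardening denies, manager, content filters, LAN allow, final deny.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow manager localhost
http_access deny manager
http_access deny movie regular_days
http_access deny banned
http_access allow acllist
http_access allow localhost
http_access deny all
# ICP is only needed with cache peers; do not answer it for the whole world.
icp_access allow acllist
icp_access deny all
client_lifetime 2 hours
half_closed_clients off
# Squid drops privileges to this user/group, which must be able to read and
# write the cache and log directories configured above.
cache_effective_user squid
cache_effective_group squid
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on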
同时在/etc/init.d中的启动脚本里加上这句ulimit -HSn 32768
这样squid启动时在cache.log中就可以看到如此语句:
2003/03/05 09:30:53| Starting Squid Cache version 2.5.STABLE1-20030303 for i686-pc-linux-gnu...
2003/03/05 09:30:53| Process ID 12939
2003/03/05 09:30:53| With 32768 file descriptors available
此时的squid拥有32768个file descriptors(缺省为1024),如果用户很多,缺省值会成为瓶颈,极度影响squid的速度(它会报错说running out of file descriptors),我曾经在板上发问,结果没人理我:-((,还是自力更生,丰衣足食。
启动squid:/usr/local/squid/bin/squid -D(-D 表示跳过启动时的 DNS 检查;可执行文件路径以实际安装结果为准,本文前半部分为 /usr/local/squid/sbin/squid)