Squid安装配置工作记录
背景环境:开发人员不能上外网,但又有一些比较特殊的站点需要用到,所有用squid进行透明代理上网,之前想到haproxy,后来查阅资料貌似haproxy只能转发不能代理上网。
搭建前提:squid搭建透明代理上网,理论上需要两张网卡,两个Ip,两个ip在不同的网段,一个ip可以连接外网上网,一个ip连接内网。
[root@linux-virsh-106 log]# ifconfig eth0 Link encap:Ethernet HWaddr 00:0C:29:E1:9A:69 inet addr:192.168.1.107 Bcast:192.168.1.255 Mask:255.255.255.0 inet6 addr: fe80::20c:29ff:fee1:9a69/64 Scope:Link UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:382562 errors:0 dropped:0 overruns:0 frame:0 TX packets:65671 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:78070930 (74.4 MiB) TX bytes:5258206 (5.0 MiB) eth1 Link encap:Ethernet HWaddr 00:0C:29:E1:9A:73 inet addr:192.168.10.26 Bcast:192.168.10.255 Mask:255.255.255.0 inet6 addr: fe80::20c:29ff:fee1:9a73/64 Scope:Link UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:320136 errors:0 dropped:0 overruns:0 frame:0 TX packets:81908 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:22754485 (21.7 MiB) TX bytes:59173280 (56.4 MiB)
这里我选用了eth0 192.168.1.107可以和外网联通,eth1 192.168.10.26和内网联通
关于ip的配置在/etc/sysconfig/network-scripts/修改 ifcfg-eth0和ifcfg-eth1即可 修改完重启网卡就行了。 [root@linux-virsh-106 network-scripts]# cat ifcfg-eth0 # Intel Corporation 82545EM Gigabit Ethernet Controller (Copper) DEVICE=eth0 BOOTPROTO=static #BROADCAST=192.168.1.255 HWADDR=00:0C:29:E1:9A:69 IPADDR=192.168.1.107 IPV6INIT=yes IPV6_AUTOCONF=yes NETMASK=255.255.255.0 #NETWORK=192.168.1.0 GATEWAY=192.168.1.1 ONBOOT=yes [root@linux-virsh-106 network-scripts]# cat ifcfg-eth1 # Intel Corporation 82545EM Gigabit Ethernet Controller (Copper) DEVICE=eth1 BOOTPROTO=static ONBOOT=yes #HWADDR=00:0c:29:e1:9a:73 IPADDR=192.168.10.26 NETMASK=255.255.255.0
网卡设置好了,开始设置iptables的参数 [root@linux-virsh-106 network-scripts]# echo "1" >> /proc/sys/net/ipv4/ip_forward [root@linux-virsh-106 network-scripts]# service iptables start [root@linux-virsh-106 network-scripts]# iptables -L Chain INPUT (policy ACCEPT) target prot opt source destination Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination [root@linux-virsh-106 network-scripts]# iptables -F [root@linux-virsh-106 network-scripts]# iptables -t nat -F [root@linux-virsh-106 network-scripts]# iptables -t nat -L Chain PREROUTING (policy ACCEPT) target prot opt source destination Chain POSTROUTING (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination [root@linux-virsh-106 network-scripts]# iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -j SNAT --to-source 192.168.1.107 [root@linux-virsh-106 network-scripts]# iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3128 [root@linux-virsh-106 network-scripts]# service iptables save 将当前规则保存到 /etc/sysconfig/iptables: [确定] [root@linux-virsh-106 network-scripts]# iptables -t nat -L Chain PREROUTING (policy ACCEPT) target prot opt source destination REDIRECT tcp -- anywhere anywhere tcp dpt:http redir ports 3128 Chain POSTROUTING (policy ACCEPT) target prot opt source destination SNAT all -- 192.168.10.0/24 anywhere to:192.168.1.107 Chain OUTPUT (policy ACCEPT) target prot opt source destination
安装squid [root@linux-virsh-106 network-scripts]# yum install squid
配置squid
[root@linux-virsh-106 network-scripts]# cd /etc/squid/ [root@linux-virsh-106 squid]# ls cachemgr.conf errors icons mib.txt mime.conf mime.conf.default msntauth.conf msntauth.conf.default squid.conf squid.conf.bak20140120 squid.conf.bak2014012002 squid.conf.default
提取出配置文件中有用的信息 [root@linux-virsh-106 squid]# grep -v "^#" squid.conf.bak20140120 |grep -v "^$" >> squid.conf
启动squid [root@linux-virsh-106 squid]# service squid start 启动 squid:. [确定]
[root@linux-virsh-106 squid]# netstat -ntl Active Internet connections (only servers) Proto Recv-Q Send-Q Local Address Foreign Address State tcp 0 0 127.0.0.1:2208 0.0.0.0:* LISTEN tcp 0 0 0.0.0.0:1004 0.0.0.0:* LISTEN tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN tcp 0 0 0.0.0.0:3128 0.0.0.0:* LISTEN tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN tcp 0 0 127.0.0.1:2207 0.0.0.0:* LISTEN tcp 0 0 :::22 :::* LISTEN
基本工作已经完成,现在根据自己的需求配置squid [root@linux-virsh-106 squid]# cat squid.conf acl lan src 192.168.10.0/24 #这个是内网ip要连接的地址 acl all src 0.0.0.0/0.0.0.0 #自己添加的可以允许访问的url acl url1 url_regex -i qq.com acl url2 url_regex -i pengyou.com acl url3 url_regex -i baidu.com acl manager proto cache_object acl localhost src 127.0.0.1/255.255.255.255 acl to_localhost dst 127.0.0.0/8 acl SSL_ports port 443 acl Safe_ports port 80 # http acl Safe_ports port 21 # ftp acl Safe_ports port 443 # https acl Safe_ports port 70 # gopher acl Safe_ports port 210 # wais acl Safe_ports port 1025-65535 # unregistered ports acl Safe_ports port 280 # http-mgmt acl Safe_ports port 488 # gss-http acl Safe_ports port 591 # filemaker acl Safe_ports port 777 # multiling http acl CONNECT method CONNECT http_access allow manager localhost http_access deny manager http_access deny !Safe_ports http_access deny CONNECT !SSL_ports http_access allow localhost http_access allow url1 http_access allow url2 http_access allow url3 http_access deny all icp_access allow all #在端口的后面要加上transparent,否则无法转发 http_port 3128 transparent #visible_hostname 也是要自己添加上去 visible_hostname 192.168.10.26 hierarchy_stoplist cgi-bin ? access_log /var/log/squid/access.log squid acl QUERY urlpath_regex cgi-bin \? cache deny QUERY refresh_pattern ^ftp: 1440 20% 10080 refresh_pattern ^gopher: 1440 0% 1440 refresh_pattern . 0 20% 4320 acl apache rep_header Server ^Apache broken_vary_encoding allow apache coredump_dir /var/spool/squid
根据自己需求在iptables添加端口信息 [root@linux-virsh-106 squid]# iptables -t nat -A PREROUTING -p tcp --dport 8003 -j REDIRECT --to-port 3128
腾讯云开发者
