Linux基础入门教程-使用Squid部署代理缓存服务
使用Squid部署代理缓存服务
Squid是Linux系统中最为流行的一款高性能代理服务软件,通常作为Web网站的前置缓存服务,能够代替用户向网站服务器请求页面数据并进行缓存。Squid服务配置简单、效率高、更能丰富,可以基于多种条件禁止用户访问存在威胁或不适宜的网站资源,因此可以保护企业内网的安全,提升用户的网络体验,帮助节省网络带宽.
配置Squid服务程序
首先准备两台虚拟机,一台用做Squid服务器,一台用作Squid客户端.
主机 | 操作系统 | IP地址 |
|---|---|---|
Squid服务器 | RHEL7 | 172.16.10.20 |
Squid客户端 | CentOS7 | 172.16.10.10 |
[root@Squid-Server ~]# ping www.baidu.com PING www.a.shifen.com (61.135.169.121) 56(84) bytes of data. 64 bytes from 61.135.169.121 (61.135.169.121): icmp_seq=1 ttl=128 time=38.0 ms 64 bytes from 61.135.169.121 (61.135.169.121): icmp_seq=2 ttl=128 time=37.9 ms
//安装Squid服务 [root@Squid-Server ~]# yum install squid Loaded plugins: product-id, search-disabled-repos, subscription-manager This system is not registered with an entitlement server. You can use subscription-manager to register. dvd | 4.1 kB 00:00:00 Resolving Dependencies --> Running transaction check ---> Package squid.x86_64 7:3.5.20-10.el7 will be installed --> Processing Dependency: perl(DBI) for package: 7:squid-3.5.20-10.el7.x86_64 --> Processing Dependency: perl(Digest::MD5) for package: 7:squid-3.5.20-10.el7.x86_64 --> Processing Dependency: squid-migration-script for package: 7:squid-3.5.20-10.el7.x86_64 --> Processing Dependency: libecap.so.3()(64bit) for package: 7:squid-3.5.20-10.el7.x86_64 --> Running transaction check ---> Package libecap.x86_64 0:1.0.0-1.el7 will be installed ---> Package perl-DBI.x86_64 0:1.627-4.el7 will be installed --> Processing Dependency: perl(RPC::PlClient) >= 0.2000 for package: perl-DBI-1.627-4.el7.x86_64 --> Processing Dependency: perl(RPC::PlServer) >= 0.2001 for package: perl-DBI-1.627-4.el7.x86_64 ---> Package perl-Digest-MD5.x86_64 0:2.52-3.el7 will be installed --> Processing Dependency: perl(Digest::base) >= 1.00 for package: perl-Digest-MD5-2.52-3.el7.x86_64 ---> Package squid-migration-script.x86_64 7:3.5.20-10.el7 will be installed --> Running transaction check ---> Package perl-Digest.noarch 0:1.17-245.el7 will be installed ---> Package perl-PlRPC.noarch 0:0.2020-14.el7 will be installed --> Processing Dependency: perl(Net::Daemon) >= 0.13 for package: perl-PlRPC-0.2020-14.el7.noarch --> Processing Dependency: perl(Compress::Zlib) for package: perl-PlRPC-0.2020-14.el7.noarch --> Processing Dependency: perl(Net::Daemon::Log) for package: perl-PlRPC-0.2020-14.el7.noarch --> Processing Dependency: perl(Net::Daemon::Test) for package: perl-PlRPC-0.2020-14.el7.noarch --> Running transaction check ---> Package perl-IO-Compress.noarch 0:2.061-2.el7 will be installed --> Processing Dependency: perl(Compress::Raw::Bzip2) >= 2.061 for package: perl-IO-Compress-2.061-2.el7.noarch --> Processing Dependency: perl(Compress::Raw::Zlib) >= 2.061 for package: perl-IO-Compress-2.061-2.el7.noarch ---> Package perl-Net-Daemon.noarch 0:0.48-5.el7 will be installed --> Running transaction check ---> Package perl-Compress-Raw-Bzip2.x86_64 0:2.061-3.el7 will be installed ---> Package perl-Compress-Raw-Zlib.x86_64 1:2.061-4.el7 will be installed --> Finished Dependency Resolution
Dependencies Resolved
========================================================================================== Package Arch Version Repository Size ========================================================================================== Installing: squid x86_64 7:3.5.20-10.el7 dvd 3.1 M Installing for dependencies: libecap x86_64 1.0.0-1.el7 dvd 21 k perl-Compress-Raw-Bzip2 x86_64 2.061-3.el7 dvd 32 k perl-Compress-Raw-Zlib x86_64 1:2.061-4.el7 dvd 57 k perl-DBI x86_64 1.627-4.el7 dvd 802 k perl-Digest noarch 1.17-245.el7 dvd 23 k perl-Digest-MD5 x86_64 2.52-3.el7 dvd 30 k perl-IO-Compress noarch 2.061-2.el7 dvd 260 k perl-Net-Daemon noarch 0.48-5.el7 dvd 51 k perl-PlRPC noarch 0.2020-14.el7 dvd 36 k squid-migration-script x86_64 7:3.5.20-10.el7 dvd 48 k
Transaction Summary ========================================================================================== Install 1 Package (+10 Dependent packages)
Total download size: 4.4 M Installed size: 14 M Is this ok [y/d/N]: y Downloading packages: ------------------------------------------------------------------------------------------ Total 10 MB/s | 4.4 MB 00:00:00 Running transaction check Running transaction test Transaction test succeeded Running transaction Installing : perl-Compress-Raw-Bzip2-2.061-3.el7.x86_64 1/11 Installing : perl-Digest-1.17-245.el7.noarch 2/11 Installing : perl-Digest-MD5-2.52-3.el7.x86_64 3/11 Installing : 1:perl-Compress-Raw-Zlib-2.061-4.el7.x86_64 4/11 Installing : perl-IO-Compress-2.061-2.el7.noarch 5/11 Installing : libecap-1.0.0-1.el7.x86_64 6/11 Installing : 7:squid-migration-script-3.5.20-10.el7.x86_64 7/11 Installing : perl-Net-Daemon-0.48-5.el7.noarch 8/11 Installing : perl-PlRPC-0.2020-14.el7.noarch 9/11 Installing : perl-DBI-1.627-4.el7.x86_64 10/11 Installing : 7:squid-3.5.20-10.el7.x86_64 11/11 Verifying : perl-Net-Daemon-0.48-5.el7.noarch 1/11 Verifying : 7:squid-migration-script-3.5.20-10.el7.x86_64 2/11 Verifying : perl-Digest-MD5-2.52-3.el7.x86_64 3/11 Verifying : libecap-1.0.0-1.el7.x86_64 4/11 Verifying : perl-IO-Compress-2.061-2.el7.noarch 5/11 Verifying : 1:perl-Compress-Raw-Zlib-2.061-4.el7.x86_64 6/11 Verifying : perl-Digest-1.17-245.el7.noarch 7/11 Verifying : perl-DBI-1.627-4.el7.x86_64 8/11 Verifying : perl-Compress-Raw-Bzip2-2.061-3.el7.x86_64 9/11 Verifying : perl-PlRPC-0.2020-14.el7.noarch 10/11 Verifying : 7:squid-3.5.20-10.el7.x86_64 11/11
Installed: squid.x86_64 7:3.5.20-10.el7
Dependency Installed: libecap.x86_64 0:1.0.0-1.el7 perl-Compress-Raw-Bzip2.x86_64 0:2.061-3.el7 perl-Compress-Raw-Zlib.x86_64 1:2.061-4.el7 perl-DBI.x86_64 0:1.627-4.el7 perl-Digest.noarch 0:1.17-245.el7 perl-Digest-MD5.x86_64 0:2.52-3.el7 perl-IO-Compress.noarch 0:2.061-2.el7 perl-Net-Daemon.noarch 0:0.48-5.el7 perl-PlRPC.noarch 0:0.2020-14.el7 squid-migration-script.x86_64 7:3.5.20-10.el7
Complete!
参数 | 作用 |
|---|---|
http_port 3128 | 监听的端口号 |
cache_mem 64M | 内存缓冲区的大小 |
cache_dir ufs /var/spool/squid 2000 16 256 | 硬盘缓冲区的大小 |
cache_effective_user squid | 设置缓存的有效用户 |
cache_effective_group squid | 设置缓存的有效用户组 |
dns_nameservers [IP地址] | 一般不设置,而是用服务器默认的DNS地址 |
cache_access_log /var/log/squid/access.log | 访问日志文件的保存路径 |
cache_log /var/log/squid/cache.log | 缓存日志文件的保存路径 |
visible_hostname [Name] | 设置Squid服务器的名称 |
标准正向代理 //启动服务加入开机启动项 [root@Squid-Server ~]# systemctl restart squid [root@Squid-Server ~]# systemctl enable squid Created symlink from /etc/systemd/system/multi-user.target.wants/squid.service to /usr/lib/systemd/system/squid.service.
52 http_access allow localnet 53 http_access allow localhost 54 55 # And finally deny all other access to this proxy 56 http_access deny all 57 58 # Squid normally listens to port 3128 59 http_port 3128
如果你开启了防火墙和Selinux又更改了默认端口号需要对端口进行放行 //查看 semanage port -l | grep squid_port_t //添加新的端口号 semanage port -a -t squid_port_t -p tcp 10000 //再次查看 semanage port -l | grep squid_port_t
实验1: 只允许IP地址为172.16.10.10的客户端使用服务器上的Squid服务程序提供的代理服务,禁止其余所有主机代理请求 ################################################################# 27 acl client src 172.16.10.10 28 ################################################################# 29 # 30 # Recommended minimum Access Permission configuration: 31 # 32 # Deny requests to certain unsafe ports 33 ################################################################# 34 http_access allow client 35 http_access deny all 36 ################################################################# 37 http_access deny !Safe_ports
更改客户端的IP地址,再次尝试联网发现无法上网了,代理服务器拒绝连接.
实验2: 禁止所有客户端访问网址中包含linux关键词的网站. ################################################################# 27 #acl client src 172.16.10.10 28 acl deny_keyword url_regex -i linux 29 ################################################################# 30 # 31 # Recommended minimum Access Permission configuration: 32 # 33 # Deny requests to certain unsafe ports 34 ################################################################# 35 #http_access allow client 36 http_access deny deny_keyword 37 #http_access deny all
访问含有linux关键字的网址时被拒绝.
实验3: 禁止所有客户端访问某个特定的网站 ################################################################# 27 #acl client src 172.16.10.10 28 #acl deny_keyword url_regex -i linux 29 acl deny_url url_regex http://www.linuxidc.com 30 ################################################################# 31 # 32 # Recommended minimum Access Permission configuration: 33 # 34 # Deny requests to certain unsafe ports 35 ################################################################# 36 #http_access allow client 37 #http_access deny deny_keyword 38 http_access deny deny_url 39 #http_access deny all 40 ################################################################# 41 http_access deny !Safe_ports 42 43 # Deny CONNECT to other than secure SSL ports 44 http_access deny CONNECT !SSL_ports
访问指定网址被拒绝.访问其他网址正常访问.
实验4: 禁止员工在企业网内部下载带有某些后缀的文件
#################################################################
#acl client src 172.16.10.10
#acl deny_keyword url_regex -i linux
#acl deny_url url_regex http://www.linuxidc.com
acl badfile urlpath_regex -i \.rar$ \.avi$
#################################################################
#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
#################################################################
#http_access allow client
#http_access deny deny_keyword
#http_access deny deny_url
#http_access deny all
http_access deny badfile
#################################################################
http_access deny !Safe_ports
透明正向代理 //客户端取消代理,网关指向squid服务器地址 [root@Squid-Server ~]# echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf [root@Squid-Server ~]# sysctl -p net.ipv4.ip_forward = 1 [root@Squid-Server ~]# iptables -t nat -A POSTROUTING -p udp --dport 53 -o ens35 -j MASQUERADE 此处网卡为对外的网卡
72 http_port 3128 transparent 73 74 # Uncomment and adjust the following to add a disk cache directory. 75 cache_dir ufs /var/spool/squid 100 16 256 [root@Squid-Server ~]# squid -k parse [root@Squid-Server ~]# squid -z 2018/08/23 10:39:30| Squid is already running! Process ID 2299 [root@Squid-Server ~]# iptables -t nat -A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-port 3128 [root@Squid-Server ~]# iptables -t nat -A POSTROUTING -s 172.16.10.0/24 -o ens35 -j SNAT --to 192.168.56.15 //此处网卡为对外的网卡 [root@Squid-Server ~]# service iptables save
反向代理 //主机设为NAT或者DHCP模式,配置文件编辑如下 http_port 192.168.56.15:80 vhost cache_peer 39.104.16.126 parent 80 0 originserver
当你访问本机IP时访问的却是目标站点