Compiling and installing Squid 2.6
1. Raise the file descriptor limit and the number of files a user can have open at once
# vi /usr/include/bits/typesizes.h
# vi /usr/include/linux/posix_types.h
In both files, change #define __FD_SETSIZE 1024 to 65536.
2. Set the limits for the current environment
# ulimit -Hs 65536
# ulimit -n 65536
-H sets a hard limit, -s is the stack size limit, and -n is the file descriptor limit.
3. Optimize for your CPU
Look up the flags for your own CPU at http://gentoo-wiki.com/Safe_Cflags
# export CHOST="i686-pc-linux-gnu"
# export CFLAGS="-march=pentium4 -O2 -pipe -fomit-frame-pointer"
# export CXXFLAGS="${CFLAGS}"
1: Download
wget http://www.squid-cache.org/Versions/v3/3.1/squid-
tar zxvf squid-
cd squid-
2: Compile Squid
./configure --prefix=/usr/local/squid --localstatedir=/var/log/squid1 --enable-gnuregex --enable-icmp --enable-kill-parent-hack --enable-snmp --disable-ident-lookups --enable-cache-digests --enable-arp-acl --enable-default-err-languages="Simplify_Chinese" --enable-linux-netfilter --enable-auth-modules --enable-follow-x-forwarded-for --enable-storeio=aufs,ufs --with-maxfd=65536 --with-pthreads --enable-dlmalloc --enable-poll --enable-underscore --enable-stacktraces --enable-removal-policies=heap,lru --enable-delay-pools
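Option details:
--prefix=/usr/local/squid1 \ install path (note: my machine has two versions installed, so the names differ)
--localstatedir=/var/log/squid \ install path for the log files
--sysconfdir=/etc \ install path for the configuration files
--enable-gnuregex \ : Squid relies heavily on string processing for its various checks; adding this option handles that better.
--enable-icmp \ adds ICMP support
--enable-kill-parent-hack \ : whether to kill the parent process along with Squid when shutting Squid down; of course we want this.
--enable-snmp \ : lets MRTG monitor the server's traffic over SNMP, so this option must be selected so that Squid supports the SNMP interface.
--disable-ident-lookups \ : prevents the system from using the identification method defined in RFC 931.
--enable-cache-digests \ : speeds up lookups of cached content when handling requests.
--enable-arp-acl \ : lets rules manage clients directly by MAC address, which prevents clients from spoofing IP addresses.
--enable-default-err-languages="Simplify_Chinese" \ : sets the error pages shown on errors to Simplified Chinese.
--enable-linux-netfilter \ : enables transparent proxy support.
--enable-auth-modules this build option enables the authentication modules, so that users of the proxy can be authorized.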
--enable-follow-x-forwarded-for \
--enable-storeio=aufs,ufs \ (storage modules to support)
--with-maxfd=65536 \ raises Squid's file descriptor limit to 65536
--with-pthreads \
--enable-dlmalloc \
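--enable-poll \ use poll() instead of select(). poll is generally better than select, but the configure script knows that poll is broken on some platforms; if you think you are smarter than the configure script, you can use this option to enable poll. In short, use it because it can improve performance.
--enable-underscore \ : allows underscores in the URLs being parsed, because by default Squid treats URLs containing underscores as invalid and refuses access to them.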
--enable-stacktraces \
--enable-removal-policies=heap,lru \
--enable-delay-pools \ this option enables delay pools, which can limit the bandwidth allowed to certain requests.
make
make install
Note: if you are installing Squid 2.6, make will fail with an error.
Error message: squid undefined reference to `n_coss_dirs'
Fix:
wget http://www.squid-cache.org/Versions/v2/2.6/changesets/11036.patch
cd squid-2.6.STABLE4
patch -p1 < ../11036.patch
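./configure then works normally. ......
Here I am installing squid-
3: Post-install configuration
My configuration file is below. If you do not use my configuration file, be sure to add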
cache_effective_user nobody
cache_effective_group nobody
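to your own /usr/local/squid/etc/squid.conf; otherwise the steps below will fail because of permission problems.
For lack of energy I only translated part of it, but that is enough to use. I added rate-limiting settings so it can be better applied to websites and CDN nodes to control bandwidth.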
[root@www htdocs]# vi /usr/local/squid1/etc/squid.conf
http_port 192.168.18.122:3128 vhost vport
cache_peer 192.168.18.122 parent 80 0 no-query originserver weight=1 name=a4
cache_peer_domain a4 sjehzy.net
#
# Recommended minimum configuration:
#
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl localhost src ::1/128
acl to_localhost dst 127.0.0.0/8
acl to_localhost dst ::1/128
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl localnet src sjehzy.net
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
#
# Recommended minimum Access Permission configuration:
#
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
# Deny requests to certain unsafe ports
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost
# And finally deny all other access to this proxy
http_access deny all
# Squid normally listens to port 3128
#http_port 3128
# We recommend you to use at least the following line.
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
###
cache_mem 99 MB
max_open_disk_fds 0
maximum_object_size 20 MB
maximum_object_size_in_memory 20 MB
# Uncomment and adjust the following to add a disk cache directory.
cache_dir ufs /usr/local/squid1/log/cache 100 16 256
cache_swap_low 80
cache_swap_high 97
strip_query_terms off
request_header_max_size 10 kb
request_body_max_size 1 MB
memory_pools on
memory_pools_limit 150 MB
emulate_httpd_log o
# Leave coredumps in the first cache dir
coredump_dir /usr/local/squid1/log/cache
cache_store_log /usr/local/squid1/log/logs/store.log
###
emulate_httpd_log on
#logformat combined %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
cache_access_log /usr/local/squid1/log/logs/access.log
##
#error_directory /usr/local/squid/share/errors/Simplify_Chinese
# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
###############################
#refresh_pattern ^ftp: 60 20% 10080
#refresh_pattern ^gopher: 60 0% 1440
#refresh_pattern ^gopher: 60 0% 1440
#refresh_pattern . 0 20% 1440
refresh_pattern -i \.css$ 360 50% 2880 reload-into-ims
refresh_pattern -i \.js$ 1440 50% 2880 reload-into-ims
refresh_pattern -i \.html$ 720 50% 1440 reload-into-ims
refresh_pattern -i \.jpg$ 1440 90% 2880 ignore-reload
refresh_pattern -i \.gif$ 1440 90% 2880 ignore-reload
refresh_pattern -i \.swf$ 1440 90% 2880 ignore-reload
refresh_pattern -i \.jpg$ 1440 50% 2880 ignore-reload
refresh_pattern -i \.png$ 1440 50% 2880 ignore-reload
refresh_pattern -i \.bmp$ 1440 50% 2880 ignore-reload
refresh_pattern -i \.doc$ 1440 50% 2880 ignore-reload
refresh_pattern -i \.ppt$ 1440 50% 2880 ignore-reload
refresh_pattern -i \.xls$ 1440 50% 2880 ignore-reload
refresh_pattern -i \.pdf$ 1440 50% 2880 ignore-reload
refresh_pattern -i \.rar$ 1440 50% 2880 ignore-reload
refresh_pattern -i \.zip$ 1440 50% 2880 ignore-reload
refresh_pattern -i \.txt$ 1440 50% 2880 ignore-reload
###############################
cache_effective_user nobody
cache_effective_group nobody
cache_mgr [email protected]
###
dns_timeout 2 seconds
forward_timeout 30 seconds
connect_timeout 30 seconds
peer_connect_timeout 30 seconds
read_timeout 30 seconds
request_timeout 6 seconds
persistent_request_timeout 16 seconds
#
visible_hostname sjehzy.net
logfile_rotate 0
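Everything up to here is the content of my squid.conf file.
4: Creating files and setting permissions after installation
# mkdir -p /usr/local/squid1/log/logs   # directory that holds store.log and access.log
# chown -R nobody:nobody /usr/local/squid1/log   # Squid runs as user and group nobody
# mkdir /usr/local/squid1/log/cache   # create the Squid cache directory
# chown nobody:nobody /usr/local/squid1/log/cache   # likewise, give it ownership
# cd /usr/local/squid/sbin
# ./squid -z   # create the cache directories
# ls /var/spool/squid   # check that they were created
# /usr/local/squid1/sbin/squid -s   # start Squid
5: Start Squid at boot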
# vi /etc/rc.local
Add the following at the bottom:
ulimit -Hs 65536
ulimit -n 65536
/usr/local/squid/sbin/squid
Save, exit, done.
6: iptables port redirection
iptables -t nat -A PREROUTING -s 192.168.1.225/32 -p tcp --dport 80 -j REDIRECT --to-ports 3128
Or:
vi /etc/sysconfig/iptables and add:
-A PREROUTING -s ! 192.168.18.122 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
Explanation of the settings above:
http_port 80 vhost vport=3128
http_port <host>:<port> [transparent] [vhost] [vport[=<port>]] [defaultsite=<host>] ...
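Configures the HTTP port and IP address that Squid binds to; the default configuration is http_port 3180.
host can be an IP address or a host name; if a host name is given, Squid tries to resolve it to an IP address. If no host is given, Squid binds the port on all addresses.
Options: transparent - supports transparent proxying; cannot be set together with vhost / vport
vhost - content accelerator host
vport - content accelerator port, usually the same as http_port; use vport= to set a different port
defaultsite= - default site of the content accelerator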
acl apache rep_header Server ^Apache
#
broken_vary_encoding allow apache
cache_mem 2048 MB
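# amount of memory to use
maximum_object_size 409600 KB
# objects larger than this size are not cached
minimum_object_size 0 KB
# objects smaller than this size are not cached
maximum_object_size_in_memory 512 KB
# largest object size that can be cached in memory
cache_dir ufs /var/spool/squid 20480 16 256
# cache directory setting
cache_swap_low 80
# when swap utilization reaches this percentage, replacement begins
cache_swap_high 97
# when swap utilization reaches this percentage, heavy replacement begins
strip_query_terms off
request_header_max_size 10 kb
request_body_max_size 0 kb
# sets the size of HTTP request headers and request bodies
memory_pools on
If this is set to on, Squid keeps all allocated (but unused) memory pools for future use.
The default is on.
memory_pools on
memory_pools_limit 150 MB
# amount of memory used to hold request URLs
Compile Squid with --enable-follow-x-forwarded-for,
then add this line to squid.conf:
follow_x_forwarded_for allow all
Log format on the back-end Apache (httpd.conf):
LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %h %T" combined
What gets logged is the user's real IP.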
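Added example (not part of the original article): because the LogFormat above logs the raw X-Forwarded-For header, a client that sends its own header gets that value logged ahead of the address Squid appends, so the first field needs checking before it is used as the client address. The script below classifies such log lines; it assumes Squid appends the connecting client's address as the last entry, takes 192.168.18.122 from this page's configuration as the proxy address, and its function names and sample lines are constructed.

```sh
#!/bin/sh
# Added example, not from the original page. Reads Apache log lines written
# with the LogFormat above and decides which address can be trusted.
# Assumption: Squid appends the address of the client that connected to it as
# the LAST X-Forwarded-For entry; earlier entries were sent by the client.
PROXY_IP="192.168.18.122"   # the Squid address used in this page's config

# classify_xff: stdin = log lines, stdout = "<verdict> <client address>"
#   ok         one entry, request arrived through the proxy
#   supplied   client sent its own header; only the last entry is reported
#   untrusted  peer (%h) is not the proxy, so the header is client-controlled
#   malformed  line does not parse as the expected format
classify_xff() {
    awk -v proxy="$PROXY_IP" '{
        peer = $(NF - 1)                      # %h, second-to-last field
        # End of %t. Apache escapes quotes inside logged values as \", so an
        # unescaped quote right after "] " can only be the start of %r.
        end = index($0, "] \"")
        if (end == 0) { print "malformed -"; next }
        pre = substr($0, 1, end - 1)
        cut = 0                               # position of the LAST " [" in pre
        while ((i = index(substr(pre, cut + 1), " [")) > 0) cut += i
        head = substr(pre, 1, cut - 1)        # "<header> <%l> <%u>"
        if (cut == 0 || !sub(/ [^ ]+ [^ ]+$/, "", head)) {
            print "malformed -"; next
        }
        n = split(head, hop, /, */)           # header entries, comma separated
        last = hop[n]
        if (peer != proxy)                   print "untrusted", peer
        else if (last !~ /^[0-9A-Fa-f:.]+$/) print "malformed -"
        else if (n > 1)                      print "supplied", last
        else                                 print "ok", last
    }'
}

# Constructed sample lines (documentation addresses, not real traffic).
sample_log() {
    cat <<'EOF'
203.0.113.7 - - [10/Oct/2023:13:55:36 +0800] "GET / HTTP/1.1" 200 512 "-" "curl/8.0" 192.168.18.122 0
10.0.0.1, 203.0.113.9 - - [10/Oct/2023:13:55:40 +0800] "GET /a HTTP/1.1" 200 90 "-" "curl/8.0" 192.168.18.122 0
10.0.0.1 - - [10/Oct/2023:13:55:44 +0800] "GET /a HTTP/1.1" 200 90 "-" "curl/8.0" 198.51.100.4 0
EOF
}

sample_log | classify_xff
```

Narrowing follow_x_forwarded_for to an ACL that lists only your own front-end proxies, instead of allow all, removes the "supplied" case on the Squid side.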