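Squid proxy server

1. Introduction to Squid

Official site: http://www.squid-cache.org/

Squid can be used as a caching proxy server that speeds up access.

For example, one person in a company visits a new external site, and then other people want to visit the same page. Everyone in the company shares the same uplink, so if many people visit that site it consumes a lot of bandwidth, which is a waste of resources for the company. If the visited pages are cached locally, later visitors are served from the local copy, which saves a great deal of bandwidth. It also reduces I/O on the server.

If you are visiting sites hosted abroad, you can set up a Squid proxy server in the company and have it cache the pages it fetches on the server.

Squid can act as a forward proxy or a reverse proxy.

Forward proxy: client (internal network) ---> squid ----> server

Reverse proxy: server ---> squid ----> client (internal network)

2. Installing Squid

Platform: CentOS 6.4

[root@localhost ~]# yum install -y squid
[root@localhost ~]# squid -v  # show the version and build options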
Squid Cache: Version 3.1.10
configure options:  '--build=i386-redhat-linux-gnu'

Write the configuration file

[root@localhost ~]# vim /etc/squid/squid.conf
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access allow localhost
http_access deny all
http_port 3128
hierarchy_stoplist cgi-bin ?
# local cache directory
cache_dir ufs /data/cache 100 16 256
cache_mem 128 MB
# log file
cache_log /var/log/squid.log
access_log /var/log/squid/access.log squid
coredump_dir /var/spool/squid
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320

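Create the cache directory

[root@localhost ~]# mkdir -p /data/cache
[root@localhost ~]# chown -R squid:squid /data/cache
[root@localhost ~]# squid -z  # initialize the cache directory
[root@localhost ~]# ls /data/cache/    # the directories have been created
00  01  02  03  04  05  06  07  08  09  0A  0B  0C  0D  0E  0F
[root@localhost ~]# touch /var/log/squid.log  # create the log file
[root@localhost ~]# chown squid:squid /var/log/squid.log  # writable by the squid user, not world-writable
[root@localhost ~]# chmod 640 /var/log/squid.log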

Start Squid

[root@localhost ~]# /etc/init.d/squid start
Starting squid: .                                          [  OK  ]
[root@localhost ~]# squid -k check    # check the configuration file for errors
[root@localhost ~]# squid -k reconfigure   # reload the configuration file
[root@localhost ~]# squid -k shutdown   # stop Squid; shutdown is fairly slow

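3. Forward proxy

Configure the proxy server in IE: Internet Options -- Connections -- Settings -- LAN settings -- select "Use a proxy server for your LAN" -- Advanced -- (HTTP 192.168.0.104 3128) -- clear the Socks entry and use the same proxy for all protocols

IE can browse websites normally.

[root@localhost ~]# tcpdump -nn   # the traffic goes through squid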
10:13:11.093638 IP 192.168.0.102.50317 > 192.168.0.104.22: Flags [.], ack 156352, win 4264, length 0
10:13:11.094024 IP 192.168.0.104.22 > 192.168.0.102.50317: Flags [P.], seq 156352:156784, ack 2401, win 583, length 432

Configure iptables on the Squid host to block port 3128; IE can then no longer browse.

[root@localhost ~]# iptables -I INPUT -p tcp --dport 3128 -j REJECT

Squid can be used to control employees' Internet access and online behaviour.

Testing the cache

[root@localhost ~]# curl -xlocalhost:3128 http://www.lishiming.net/static/image/common/logo.png -I
HTTP/1.0 200 OK
Server: nginx/1.2.9
Date: Wed, 23 Apr 2014 02:19:05 GMT
Content-Type: image/png
Content-Length: 7222
Last-Modified: Sat, 12 Oct 2013 01:13:07 GMT
Expires: Fri, 23 May 2014 02:19:05 GMT
Cache-Control: max-age=2592000
Accept-Ranges: bytes
X-Cache: MISS from localhost.localdomain  # not found in the local cache
X-Cache-Lookup: MISS from localhost.localdomain:3128
Via: 1.0 localhost.localdomain (squid/3.1.10)
Connection: keep-alive
[root@localhost ~]#
[root@localhost ~]# curl -xlocalhost:3128 http://www.lishiming.net/static/image/common/logo.png -I
HTTP/1.0 200 OK
Server: nginx/1.2.9
Date: Wed, 23 Apr 2014 02:19:05 GMT
Content-Type: image/png
Content-Length: 7222
Last-Modified: Sat, 12 Oct 2013 01:13:07 GMT
Expires: Fri, 23 May 2014 02:19:05 GMT
Cache-Control: max-age=2592000
Accept-Ranges: bytes
Age: 8
X-Cache: HIT from localhost.localdomain  # served from the local cache
X-Cache-Lookup: HIT from localhost.localdomain:3128
Via: 1.0 localhost.localdomain (squid/3.1.10)
Connection: keep-alive

Setting a whitelist and a blacklist to restrict which websites can be visited

[root@localhost ~]# vim /etc/squid/squid.conf
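# Whitelist: only the sites below may be visited
acl http proto HTTP
acl good_domain dstdomain .lishiming.net .aminglinux.com
# good domains are allowed
http_access allow http good_domain
# anything that is not a good domain is denied
http_access deny http !good_domain
# the rules above must be written before this line
http_access allow localnet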
http_access allow localhost
http_access deny all
[root@localhost ~]# vim /etc/squid/squid.conf
# Blacklist: the sites below may not be visited
acl http proto HTTP
acl bad_domain dstdomain .sina.com .baidu.com
http_access deny http bad_domain
http_access allow localnet
http_access allow localhost
http_access deny all

4. Reverse proxy

[root@localhost ~]# vim /etc/squid/squid.conf
# change the port
http_port 80 accel vhost vport
cache_peer 123.125.119.147 parent 80 0 originserver name=a
cache_peer 61.135.169.125 parent 80 0 originserver name=b
cache_peer_domain a www.qq.com
cache_peer_domain b www.baidu.com
# The IP address, domain name and port of each back-end web server must be specified; this reverse-proxies the qq and baidu servers
[root@localhost ~]# vim /etc/hosts
127.0.0.1 www.qq.com www.baidu.com www.aminglinux.com www.sina.com

Testing the reverse proxy

[root@localhost ~]# curl www.qq.com -I
HTTP/1.0 200 OK  # access succeeds
Server: squid/3.2.1
Date: Wed, 23 Apr 2014 02:48:54 GMT
Content-Type: text/html; charset=GB2312
Vary: Accept-Encoding
Expires: Wed, 23 Apr 2014 02:49:54 GMT
Cache-Control: max-age=60
Vary: Accept-Encoding
X-Cache: HIT from beijing.qq.com
X-Cache: MISS from localhost.localdomain
X-Cache-Lookup: MISS from localhost.localdomain:80
Via: 1.0 localhost.localdomain (squid/3.1.10)
Connection: keep-alive
[root@localhost ~]# curl -x127.0.0.1:80 www.sohu.com -I
HTTP/1.0 503 Service Unavailable  # access fails
Server: squid/3.1.10
Mime-Version: 1.0
Date: Wed, 23 Apr 2014 02:49:55 GMT
Content-Type: text/html
Content-Length: 3433
X-Squid-Error: ERR_CANNOT_FORWARD 0
Vary: Accept-Language
Content-Language: en
X-Cache: MISS from localhost.localdomain
X-Cache-Lookup: MISS from localhost.localdomain:80
Via: 1.0 localhost.localdomain (squid/3.1.10)
Connection: keep-alive

