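Linux Basics: Deploying a Proxy Cache Service with Squid

Deploying a proxy cache service with Squid

Squid is the most popular high-performance proxy server software on Linux. It is generally used as a front-end cache for websites: it requests page data from the web server on the user's behalf and caches it. Squid is simple to configure, efficient and feature-rich, and it can block user access to threatening or inappropriate web resources based on many kinds of conditions, so it can protect the security of the corporate intranet, improve users' network experience and help save bandwidth.

Configuring the Squid service

First prepare two virtual machines, one used as the Squid server and one as the Squid client.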

Host            Operating system   IP address
Squid server    RHEL7              172.16.10.20
Squid client    CentOS7            172.16.10.10

[root@Squid-Server ~]# ping www.baidu.com
PING www.a.shifen.com (61.135.169.121) 56(84) bytes of data.
64 bytes from 61.135.169.121 (61.135.169.121): icmp_seq=1 ttl=128 time=38.0 ms
64 bytes from 61.135.169.121 (61.135.169.121): icmp_seq=2 ttl=128 time=37.9 ms


// Install the Squid service
[root@Squid-Server ~]# yum install squid
Loaded plugins: product-id, search-disabled-repos, subscription-manager
This system is not registered with an entitlement server. You can use subscription-manager to register.
dvd                                                                | 4.1 kB  00:00:00     
Resolving Dependencies
--> Running transaction check
---> Package squid.x86_64 7:3.5.20-10.el7 will be installed
--> Processing Dependency: perl(DBI) for package: 7:squid-3.5.20-10.el7.x86_64
--> Processing Dependency: perl(Digest::MD5) for package: 7:squid-3.5.20-10.el7.x86_64
--> Processing Dependency: squid-migration-script for package: 7:squid-3.5.20-10.el7.x86_64
--> Processing Dependency: libecap.so.3()(64bit) for package: 7:squid-3.5.20-10.el7.x86_64
--> Running transaction check
---> Package libecap.x86_64 0:1.0.0-1.el7 will be installed
---> Package perl-DBI.x86_64 0:1.627-4.el7 will be installed
--> Processing Dependency: perl(RPC::PlClient) >= 0.2000 for package: perl-DBI-1.627-4.el7.x86_64
--> Processing Dependency: perl(RPC::PlServer) >= 0.2001 for package: perl-DBI-1.627-4.el7.x86_64
---> Package perl-Digest-MD5.x86_64 0:2.52-3.el7 will be installed
--> Processing Dependency: perl(Digest::base) >= 1.00 for package: perl-Digest-MD5-2.52-3.el7.x86_64
---> Package squid-migration-script.x86_64 7:3.5.20-10.el7 will be installed
--> Running transaction check
---> Package perl-Digest.noarch 0:1.17-245.el7 will be installed
---> Package perl-PlRPC.noarch 0:0.2020-14.el7 will be installed
--> Processing Dependency: perl(Net::Daemon) >= 0.13 for package: perl-PlRPC-0.2020-14.el7.noarch
--> Processing Dependency: perl(Compress::Zlib) for package: perl-PlRPC-0.2020-14.el7.noarch
--> Processing Dependency: perl(Net::Daemon::Log) for package: perl-PlRPC-0.2020-14.el7.noarch
--> Processing Dependency: perl(Net::Daemon::Test) for package: perl-PlRPC-0.2020-14.el7.noarch
--> Running transaction check
---> Package perl-IO-Compress.noarch 0:2.061-2.el7 will be installed
--> Processing Dependency: perl(Compress::Raw::Bzip2) >= 2.061 for package: perl-IO-Compress-2.061-2.el7.noarch
--> Processing Dependency: perl(Compress::Raw::Zlib) >= 2.061 for package: perl-IO-Compress-2.061-2.el7.noarch
---> Package perl-Net-Daemon.noarch 0:0.48-5.el7 will be installed
--> Running transaction check
---> Package perl-Compress-Raw-Bzip2.x86_64 0:2.061-3.el7 will be installed
---> Package perl-Compress-Raw-Zlib.x86_64 1:2.061-4.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

==========================================================================================
 Package                         Arch           Version                 Repository   Size
==========================================================================================
Installing:
 squid                           x86_64         7:3.5.20-10.el7         dvd         3.1 M
Installing for dependencies:
 libecap                         x86_64         1.0.0-1.el7             dvd          21 k
 perl-Compress-Raw-Bzip2         x86_64         2.061-3.el7             dvd          32 k
 perl-Compress-Raw-Zlib          x86_64         1:2.061-4.el7           dvd          57 k
 perl-DBI                        x86_64         1.627-4.el7             dvd         802 k
 perl-Digest                     noarch         1.17-245.el7            dvd          23 k
 perl-Digest-MD5                 x86_64         2.52-3.el7              dvd          30 k
 perl-IO-Compress                noarch         2.061-2.el7             dvd         260 k
 perl-Net-Daemon                 noarch         0.48-5.el7              dvd          51 k
 perl-PlRPC                      noarch         0.2020-14.el7           dvd          36 k
 squid-migration-script          x86_64         7:3.5.20-10.el7         dvd          48 k

Transaction Summary
==========================================================================================
Install  1 Package (+10 Dependent packages)

Total download size: 4.4 M
Installed size: 14 M
Is this ok [y/d/N]: y
Downloading packages:
------------------------------------------------------------------------------------------
Total                                                      10 MB/s | 4.4 MB  00:00:00     
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : perl-Compress-Raw-Bzip2-2.061-3.el7.x86_64                            1/11 
  Installing : perl-Digest-1.17-245.el7.noarch                                       2/11 
  Installing : perl-Digest-MD5-2.52-3.el7.x86_64                                     3/11 
  Installing : 1:perl-Compress-Raw-Zlib-2.061-4.el7.x86_64                           4/11 
  Installing : perl-IO-Compress-2.061-2.el7.noarch                                   5/11 
  Installing : libecap-1.0.0-1.el7.x86_64                                            6/11 
  Installing : 7:squid-migration-script-3.5.20-10.el7.x86_64                         7/11 
  Installing : perl-Net-Daemon-0.48-5.el7.noarch                                     8/11 
  Installing : perl-PlRPC-0.2020-14.el7.noarch                                       9/11 
  Installing : perl-DBI-1.627-4.el7.x86_64                                          10/11 
  Installing : 7:squid-3.5.20-10.el7.x86_64                                         11/11 
  Verifying  : perl-Net-Daemon-0.48-5.el7.noarch                                     1/11 
  Verifying  : 7:squid-migration-script-3.5.20-10.el7.x86_64                         2/11 
  Verifying  : perl-Digest-MD5-2.52-3.el7.x86_64                                     3/11 
  Verifying  : libecap-1.0.0-1.el7.x86_64                                            4/11 
  Verifying  : perl-IO-Compress-2.061-2.el7.noarch                                   5/11 
  Verifying  : 1:perl-Compress-Raw-Zlib-2.061-4.el7.x86_64                           6/11 
  Verifying  : perl-Digest-1.17-245.el7.noarch                                       7/11 
  Verifying  : perl-DBI-1.627-4.el7.x86_64                                           8/11 
  Verifying  : perl-Compress-Raw-Bzip2-2.061-3.el7.x86_64                            9/11 
  Verifying  : perl-PlRPC-0.2020-14.el7.noarch                                      10/11 
  Verifying  : 7:squid-3.5.20-10.el7.x86_64                                         11/11 

Installed:
  squid.x86_64 7:3.5.20-10.el7                                                            

Dependency Installed:
  libecap.x86_64 0:1.0.0-1.el7                                                            
  perl-Compress-Raw-Bzip2.x86_64 0:2.061-3.el7                                            
  perl-Compress-Raw-Zlib.x86_64 1:2.061-4.el7                                             
  perl-DBI.x86_64 0:1.627-4.el7                                                           
  perl-Digest.noarch 0:1.17-245.el7                                                       
  perl-Digest-MD5.x86_64 0:2.52-3.el7                                                     
  perl-IO-Compress.noarch 0:2.061-2.el7                                                   
  perl-Net-Daemon.noarch 0:0.48-5.el7                                                     
  perl-PlRPC.noarch 0:0.2020-14.el7                                                       
  squid-migration-script.x86_64 7:3.5.20-10.el7                                           

Complete!
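
Parameter                                      Purpose
http_port 3128                                 Port number to listen on
cache_mem 64M                                  Size of the in-memory cache
cache_dir ufs /var/spool/squid 2000 16 256     Size of the on-disk cache
cache_effective_user squid                     Effective user for the cache
cache_effective_group squid                    Effective group for the cache
dns_nameservers [IP address]                   Usually not set; the server's default DNS servers are used
cache_access_log /var/log/squid/access.log     Path of the access log file
cache_log /var/log/squid/cache.log             Path of the cache log file
visible_hostname [Name]                        Name of the Squid server

Standard forward proxy
// Start the service and enable it at boot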
[root@Squid-Server ~]# systemctl restart squid
[root@Squid-Server ~]# systemctl enable squid
Created symlink from /etc/systemd/system/multi-user.target.wants/squid.service to /usr/lib/systemd/system/squid.service.

http_access allow localnet
http_access allow localhost

# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128
http_port 3128

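If the firewall and SELinux are enabled and you have changed the default port number, the new port must be allowed.

// View the current ports
semanage port -l | grep squid_port_t
// Add the new port number
semanage port -a -t squid_port_t -p tcp 10000
// View again
semanage port -l | grep squid_port_t

Experiment 1: Allow only the client with IP address 172.16.10.10 to use the proxy service provided by Squid on the server, and deny proxy requests from all other hosts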

#################################################################
acl client src 172.16.10.10
#################################################################
#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
#################################################################
http_access allow client
http_access deny all
#################################################################
http_access deny !Safe_ports

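After changing the client's IP address and trying again, the client can no longer get online: the proxy server refuses the connection.

Experiment 2: Deny all clients access to websites whose URL contains the keyword linux.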

#################################################################
#acl client src 172.16.10.10
acl deny_keyword url_regex -i linux
#################################################################
#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
#################################################################
#http_access allow client
http_access deny deny_keyword
#http_access deny all

Access to URLs containing the keyword linux is denied.

Experiment 3: Deny all clients access to one specific website

#################################################################
#acl client src 172.16.10.10
#acl deny_keyword url_regex -i linux
acl deny_url url_regex http://www.linuxidc.com
#################################################################
#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
#################################################################
#http_access allow client
#http_access deny deny_keyword
http_access deny deny_url
#http_access deny all
#################################################################
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

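Access to the specified URL is denied; other URLs can still be accessed normally.

Experiment 4: Prevent employees from downloading files with certain extensions inside the corporate network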

#################################################################
#acl client src 172.16.10.10
#acl deny_keyword url_regex -i linux
#acl deny_url url_regex http://www.linuxidc.com
acl badfile urlpath_regex -i \.rar$ \.avi$
#################################################################
#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
#################################################################
#http_access allow client
#http_access deny deny_keyword
#http_access deny deny_url
#http_access deny all
http_access deny badfile
#################################################################
http_access deny !Safe_ports
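
The experiments above place their http_access lines ahead of the stock `deny !Safe_ports` rule, and Squid stops at the first rule that matches. The following added example (not from the original page) is a simplified Python model of that first-match evaluation; the hostnames, the second client address and the two combined rule sets are constructed for illustration, and query strings and CONNECT are not modelled.

```python
import re
from urllib.parse import urlsplit

# Low ports listed as Safe_ports in the stock squid.conf; 1025-65535 is handled below.
SAFE_PORTS = {21, 70, 80, 210, 280, 443, 488, 591, 777}

# The page's ACLs as predicates over a request (simplified model, not Squid code).
ACLS = {
    "client": lambda r: r["src"] == "172.16.10.10",
    "badfile": lambda r: re.search(r"\.rar$|\.avi$", r["path"], re.I) is not None,
    "Safe_ports": lambda r: r["port"] in SAFE_PORTS or r["port"] >= 1025,
    "all": lambda r: True,
}

# Experiments 1 and 4 enabled together, in the order the page's listings place them.
PAGE_ORDER = """
http_access allow client
http_access deny all
http_access deny badfile
http_access deny !Safe_ports
"""

# Same rules with the deny rules ahead of the client allow (constructed variant).
REORDERED = """
http_access deny !Safe_ports
http_access deny badfile
http_access allow client
http_access deny all
"""

def parse_rules(conf):
    """Return [(action, [acl names])] for each http_access line."""
    words = (line.split("#", 1)[0].split() for line in conf.splitlines())
    return [(w[1], w[2:]) for w in words if w[:1] == ["http_access"]]

def decide(conf, src, url):
    """First matching rule wins; a rule matches only if every ACL on it matches."""
    u = urlsplit(url)
    req = {"src": src, "port": u.port or 80, "path": u.path}
    for action, names in parse_rules(conf):
        if all(ACLS[n.lstrip("!")](req) != n.startswith("!") for n in names):
            return action
    return "deny"  # not reached here: both rule sets end in "deny all"

if __name__ == "__main__":
    for src, url in [("172.16.10.10", "http://www.example.test/index.html"),
                     ("172.16.10.10", "http://files.example.test/movie.AVI"),
                     ("172.16.10.10", "http://mail.example.test:25/"),
                     ("172.16.10.99", "http://www.example.test/index.html")]:
        print(src, url, decide(PAGE_ORDER, src, url), decide(REORDERED, src, url))
```

With the page's ordering the allowed client can fetch the .AVI file and reach port 25, because `allow client` matches before any deny rule is consulted; with the deny rules first, both requests are refused while ordinary pages still load.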

Transparent forward proxy
// Remove the proxy setting on the client and point its default gateway at the Squid server's address
[root@Squid-Server ~]# echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
[root@Squid-Server ~]# sysctl -p
net.ipv4.ip_forward = 1
[root@Squid-Server ~]# iptables -t nat -A POSTROUTING -p udp --dport 53 -o ens35 -j MASQUERADE
// The interface here is the external-facing NIC

http_port 3128 transparent

# Uncomment and adjust the following to add a disk cache directory.
cache_dir ufs /var/spool/squid 100 16 256
[root@Squid-Server ~]# squid -k parse
[root@Squid-Server ~]# squid -z
2018/08/23 10:39:30| Squid is already running!  Process ID 2299
[root@Squid-Server ~]# iptables -t nat -A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-port 3128
[root@Squid-Server ~]# iptables -t nat -A POSTROUTING -s 172.16.10.0/24 -o ens35 -j SNAT --to 192.168.56.15
// The interface here is the external-facing NIC
[root@Squid-Server ~]# service iptables save

Reverse proxy
// Set the host to NAT or DHCP mode and edit the configuration file as follows
http_port 192.168.56.15:80 vhost
cache_peer 39.104.16.126 parent 80 0 originserver

When you access this host's IP address, what you actually reach is the target site.
