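1. Introduction to squid
Official site: http://www.squid-cache.org/
squid can be used as an accelerating (caching) proxy server.
For example, one person in a company visits a new external website, and other people want to visit the same page. Everyone in the company shares the same uplink, so if many people visit this site it consumes a lot of bandwidth, which for the company is a waste of resources. If the visited pages are cached locally and later visitors are served from the local copy, a lot of bandwidth can be saved. It also reduces IO on the server.
If you are visiting an overseas site, you can set up a squid proxy server in the company, and the pages fetched through it are cached on that server.
It can work as a forward proxy and as a reverse proxy.
Forward proxy: client (internal network) ---> squid ----> server
Reverse proxy: server ---> squid ----> client (internal network)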
2. Installing squid
Platform: CentOS 6.4
[root@localhost ~]# yum install -y squid
[root@localhost ~]# squid -v    # show the version and build options
Squid Cache: Version 3.1.10
configure options: '--build=i386-redhat-linux-gnu'
Edit the configuration file
[root@localhost ~]# vim /etc/squid/squid.conf
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access allow localhost
http_access deny all
http_port 3128
hierarchy_stoplist cgi-bin ?
# local cache directory
cache_dir ufs /var/spool/squid 100 16 256
cache_mem 128 MB
# log file
cache_log /var/log/squid.log
access_log /var/log/squid/access.log squid
coredump_dir /var/spool/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
Create the cache directory
[root@localhost ~]# mkdir /data/cache
[root@localhost ~]# chown -R squid:squid /data/cache
[root@localhost ~]# squid -z    # initialise the cache directory
[root@localhost ~]# ls /data/cache/    # the directories have been generated
00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
[root@localhost ~]# touch /var/log/squid.log    # create the log file
[root@localhost ~]# chmod 777 /var/log/squid.log
Start squid
[root@localhost ~]# /etc/init.d/squid start
Starting squid: . [ OK ]
[root@localhost ~]# squid -k check    # check the configuration file for errors
[root@localhost ~]# squid -k rec    # reload the configuration file
[root@localhost ~]# squid -k shutdown    # stop squid; shutting down is fairly slow
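3. Forward proxy
Set the proxy server in the IE browser: Internet Options -- Connections -- Settings -- LAN settings -- select "Use a proxy server for your LAN" -- Advanced -- (HTTP 192.168.0.104 3128) -- remove the Socks entry and use the same proxy for all protocols
The IE browser can visit websites normally.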
[root@localhost ~]# tcpdump -nn    # the access goes through squid
10:13:11.093638 IP 192.168.0.102.50317 > 192.168.0.104.22: Flags [.], ack 156352, win 4264, length 0
10:13:11.094024 IP 192.168.0.104.22 > 192.168.0.102.50317: Flags [P.], seq 156352:156784, ack 2401, win 583, length 432
Configure iptables on the squid host to block port 3128; the IE browser can then no longer browse.
[root@localhost ~]# iptables -I INPUT -p tcp --dport 3128 -j REJECT
squid can be used to control employees' internet access and their online behaviour.
Test the cache
[root@localhost ~]# curl -xlocalhost:3128 http://www.lishiming.net/static/image/common/logo.png -I
HTTP/1.0 200 OK
Server: nginx/1.2.9
Date: Wed, 23 Apr 2014 02:19:05 GMT
Content-Type: image/png
Content-Length: 7222
Last-Modified: Sat, 12 Oct 2013 01:13:07 GMT
Expires: Fri, 23 May 2014 02:19:05 GMT
Cache-Control: max-age=2592000
Accept-Ranges: bytes
X-Cache: MISS from localhost.localdomain    # not found in the local cache
X-Cache-Lookup: MISS from localhost.localdomain:3128
Via: 1.0 localhost.localdomain (squid/3.1.10)
Connection: keep-alive
[root@localhost ~]#
[root@localhost ~]# curl -xlocalhost:3128 http://www.lishiming.net/static/image/common/logo.png -I
HTTP/1.0 200 OK
Server: nginx/1.2.9
Date: Wed, 23 Apr 2014 02:19:05 GMT
Content-Type: image/png
Content-Length: 7222
Last-Modified: Sat, 12 Oct 2013 01:13:07 GMT
Expires: Fri, 23 May 2014 02:19:05 GMT
Cache-Control: max-age=2592000
Accept-Ranges: bytes
Age: 8
X-Cache: HIT from localhost.localdomain    # served from the local cache
X-Cache-Lookup: HIT from localhost.localdomain:3128
Via: 1.0 localhost.localdomain (squid/3.1.10)
Connection: keep-alive
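Set up a whitelist and a blacklist to restrict which websites can be visited
[root@localhost ~]# vim /etc/squid/squid.conf
# whitelist: the sites below can be visited
acl http proto HTTP
acl good_domain dstdomain .lishiming.net .aminglinux.com
# good domains are allowed
http_access allow http good_domain
# anything that is not a good domain is denied
http_access deny http !good_domain
# the rules above are written before this line
http_access allow localnet
http_access allow localhost
http_access deny all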
[root@localhost ~]# vim /etc/squid/squid.conf
# blacklist: the sites below cannot be visited
acl http proto HTTP
acl bad_domain dstdomain .sina.com .baidu.com
http_access deny http bad_domain
http_access allow localnet
http_access allow localhost
http_access deny all
4. Reverse proxy
[root@localhost ~]# vim /etc/squid/squid.conf
# change the port
http_port 80 accel vhost vport
cache_peer 123.125.119.147 parent 80 0 originserver name=a
cache_peer 61.135.169.125 parent 80 0 originserver name=b
cache_peer_domain a www.qq.com
cache_peer_domain b www.baidu.com
# the IP, domain name and port of each backend web server must be specified; this reverse-proxies the qq and baidu servers
[root@localhost ~]# vim /etc/hosts
127.0.0.1 www.qq.com www.baidu.com www.aminglinux.com www.sina.com
Test the reverse proxy
[root@localhost ~]# curl www.qq.com -I
HTTP/1.0 200 OK    # the request succeeds
Server: squid/3.2.1
Date: Wed, 23 Apr 2014 02:48:54 GMT
Content-Type: text/html; charset=GB2312
Vary: Accept-Encoding
Expires: Wed, 23 Apr 2014 02:49:54 GMT
Cache-Control: max-age=60
Vary: Accept-Encoding
X-Cache: HIT from beijing.qq.com
X-Cache: MISS from localhost.localdomain
X-Cache-Lookup: MISS from localhost.localdomain:80
Via: 1.0 localhost.localdomain (squid/3.1.10)
Connection: keep-alive
[root@localhost ~]# curl -x127.0.0.1:80 www.sohu.com -I
HTTP/1.0 503 Service Unavailable    # the request fails
Server: squid/3.1.10
Mime-Version: 1.0
Date: Wed, 23 Apr 2014 02:49:55 GMT
Content-Type: text/html
Content-Length: 3433
X-Squid-Error: ERR_CANNOT_FORWARD 0
Vary: Accept-Language
Content-Language: en
X-Cache: MISS from localhost.localdomain
X-Cache-Lookup: MISS from localhost.localdomain:80
Via: 1.0 localhost.localdomain (squid/3.1.10)
Connection: keep-alive