Linux Squid Proxy Server


Squid proxy server

Squid is a Unix-based proxy server that can cache many different kinds of network objects, including those fetched over HTTP and FTP. By caching frequently requested web pages, media files and so on, it shortens response times and reduces bandwidth congestion. Squid works by keeping track of the objects that pass through it. At first it acts only as an intermediary: it forwards client requests to the origin server and stores a copy of the requested object. When the same user, or a group of users, later requests an object that is still held in Squid's cache, Squid serves it immediately, which speeds up the download and saves bandwidth. A Squid proxy therefore delivers faster downloads and lower latency, especially for rich media and streaming video. Website operators often deploy Squid as a content accelerator, as a cache for frequently viewed content, and to take load off their web servers. Content delivery networks and media companies deploy Squid proxies across their networks to improve the visitor experience; the gains are most visible in load balancing of streaming content and in handling peaks in traffic.
Squid can proxy the HTTP, FTP and SSL protocols.
Effect: the proxy server fetches and caches data from the target host on behalf of client users, so that access to web portals becomes faster and more secure.

Web proxy server operating principle

Caches web objects (static text, pictures) so that repeated requests are served from the cache instead of the origin server.
1. Forward proxy (SNAT)
2. Reverse proxy (DNAT)
Also provides firewall-like filtering by restricting access by domain name (application layer).
Forward proxy:
1. Traditional proxy: the proxy's IP and port must be configured manually in the browser.
2. Transparent proxy: the clients' gateway IP is pointed at the proxy server.

Squid features

Software: squid-3.1.10-1.el6_2.4.x86_64
Service: squid
Configuration file: /etc/squid/squid.conf
Squid helper module directory: /usr/lib64/squid/
Configuration options:

http_port     squidServerIP:3128
cache_mem     64 MB     #size of the memory cache (64 MB here, for a host with more than 2 GB of RAM)
cache_dir     ufs       /var/spool/squid    100        16        256
        #ufs --> storage type
        #100 --> disk cache size in MB
        #16  --> number of first-level subdirectories
        #256 --> number of second-level subdirectories in each first-level directory
visible_hostname    proxy.fan.com   #required: without a system hostname or this option the proxy server will not start.
dns_testnames    www.baidu.com
reply_body_max_size    10 MB     #forbid downloading files larger than 10 MB
minimum_object_size    0 KB      #don't cache objects smaller than X KB; 0 means no lower limit
maximum_object_size    4096 KB   #don't cache objects larger than X KB

ACL access control.
1. Format:

acl    listName listType listContent
http_access  allow/deny  listName
acl    listName listType "/etc/squid/listFile"   #import the list contents from a file; keep the entries in a file when the list gets long

Example: do not cache PHP pages

acl nocache urlpath_regex -i \.php$
cache deny nocache

ACL list types:

src:source address     #a single IP or a network; a continuous range is also accepted, e.g. 192.168.1.10-192.168.1.20/24
dst:destination address
port:destination port
srcdomain:source domain
dstdomain:destination domain
time:access time, usually given as a range, e.g. 09:30-17:30
maxconn:maximum number of concurrent connections from one client
url_regex:regular expression matched against the whole destination URL, e.g. ^rtsp://     #URLs beginning with rtsp://
urlpath_regex:regular expression matched against the URL path, e.g. -i Sex adult    #-i makes the match case-insensitive

Setup squid server

step1. Install squid

yum install -y squid

step2. Edit the configuration file
vim /etc/squid/squid.conf

http_port 10.20.0.210:3128    #proxy server IP and port
reply_body_max_size 10 MB
cache_dir    ufs        /var/spool/squid    100        16        256
visible_hostname  proxy.fan.com

Attention: the client first resolves the domain name to an IP via DNS and only then sends its packets to the squid server; squid does not proxy DNS, so SNAT must be set up on the squid server so that clients can reach the DNS server through it.

Setup transparent proxy

A transparent proxy cannot handle port 443 (HTTPS).
step1. Edit the config file
vim /etc/squid/squid.conf

http_port ServerIP:3128        transparent

step2. Set the iptables rules

iptables -t nat -A PREROUTING -i eth1 -s 192.168.4.0/24 -p tcp --dport 80 -j REDIRECT --to-port 3128

Attention: a rule like the following does not work, because this transparent http_port handles plain HTTP only:

iptables -t nat -A PREROUTING -i eth1 -s 192.168.4.0/24 -p tcp --dport 443 -j REDIRECT --to-port 3128
#only port 80 sessions can be redirected to squid's port 3128; HTTPS traffic has to be forwarded with SNAT instead.

step3. Set the ACL rules

acl worktime time D 9:00-17:30      #D: weekdays
acl burl urlpath_regex -i game \.mp3$
http_access deny burl
http_access allow localnet worktime #localnet: the client network acl (the default squid.conf defines one for the private ranges)
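The ACL format and types above and the three rules of step 3 follow Squid's evaluation order: http_access lines are checked top to bottom, a line matches only when every ACL on it matches (a leading `!` negates one ACL), the first match decides, and when nothing matches the default is the opposite of the last line. The following Python model is an added example, not Squid's code and not part of the original page; it supports src, dstdomain, port, time, url_regex and urlpath_regex, assumes a `localnet` ACL of 192.168.4.0/24 (the page does not show its definition), and runs the step-3 rules against constructed requests.

```python
"""Model of how Squid evaluates acl / http_access lines (added example, not
Squid's own code). Rules are checked top to bottom; a line matches when every
ACL on it matches (a leading ! negates one ACL); the first matching line
decides; if no line matches, the default is the opposite of the last line."""
import ipaddress
import re
from datetime import datetime
from urllib.parse import urlsplit

# Squid day letters for the "time" ACL type, as Python weekday numbers.
DAY_CODES = {"M": 0, "T": 1, "W": 2, "H": 3, "F": 4, "A": 5, "S": 6}


def parse_config(text):
    """Collect acl definitions and http_access rules; other lines are ignored."""
    acls, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl":
            name, acl_type, values = parts[1], parts[2], parts[3:]
            acls.setdefault(name, (acl_type, []))[1].extend(values)  # values accumulate
        elif parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))  # (allow|deny, [acl names])
    return acls, rules


def make_request(src, url, when):
    """Constructed request description: client IP, full URL, and a datetime."""
    u = urlsplit(url)
    return {"src": src, "url": url, "host": u.hostname or "",
            "port": u.port or 80, "path": u.path or "/", "when": when}


def _minutes(hhmm):
    hours, minutes = hhmm.split(":")
    return int(hours) * 60 + int(minutes)


def _match_time(values, when):
    days, ranges = set(range(7)), []
    for v in values:
        if "-" in v:
            start, stop = v.split("-")
            ranges.append((_minutes(start), _minutes(stop)))
        else:  # day letters; D stands for all weekdays
            days = set()
            for ch in v:
                days.update(range(5) if ch == "D" else [DAY_CODES[ch]])
    if when.weekday() not in days:
        return False
    now = when.hour * 60 + when.minute
    return not ranges or any(a <= now <= b for a, b in ranges)


def acl_matches(acl_type, values, req):
    flags = re.IGNORECASE if "-i" in values else 0
    words = [v for v in values if v != "-i"]
    if acl_type == "src":
        ip = ipaddress.ip_address(req["src"])
        return any(ip in ipaddress.ip_network(w, strict=False) for w in words)
    if acl_type == "dstdomain":  # ".example.com" also covers example.com itself
        host = req["host"].lower()
        return any(host == w.lower().lstrip(".") or
                   (w.startswith(".") and host.endswith(w.lower())) for w in words)
    if acl_type == "port":
        return any(req["port"] == int(w) for w in words)
    if acl_type == "url_regex":
        return any(re.search(w, req["url"], flags) for w in words)
    if acl_type == "urlpath_regex":
        return any(re.search(w, req["path"], flags) for w in words)
    if acl_type == "time":
        return _match_time(words, req["when"])
    raise ValueError("unsupported acl type: " + acl_type)


def http_access(acls, rules, req):
    for action, names in rules:
        line_matches = True
        for name in names:
            acl_type, values = acls[name.lstrip("!")]
            if acl_matches(acl_type, values, req) == name.startswith("!"):
                line_matches = False
                break
        if line_matches:
            return action
    if not rules:
        return "allow"  # Squid allows everything when no http_access line exists
    return "deny" if rules[-1][0] == "allow" else "allow"


# Constructed sample: the step-3 rules plus the localnet ACL they rely on (assumed).
SAMPLE_CONF = r"""
acl localnet src 192.168.4.0/24
acl worktime time D 9:00-17:30
acl burl urlpath_regex -i game \.mp3$
http_access deny burl
http_access allow localnet worktime
"""


def decide(src, url, when, conf=SAMPLE_CONF):
    """Decision for one request; `when` may be a datetime or an ISO string."""
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    acls, rules = parse_config(conf)
    return http_access(acls, rules, make_request(src, url, when))


if __name__ == "__main__":
    for src, url, when in [("192.168.4.5", "http://example.com/", "2024-01-08T10:00"),
                           ("192.168.4.5", "http://example.com/music/a.mp3", "2024-01-08T10:00"),
                           ("192.168.4.5", "http://example.com/", "2024-01-13T10:00"),
                           ("10.0.0.9", "http://example.com/", "2024-01-08T10:00")]:
        print(src, url, when, "->", decide(src, url, when))
```

Running it shows that a weekday request from 192.168.4.5 is allowed, an .mp3 path is denied by the first rule, and a Saturday request or one from outside 192.168.4.0/24 is denied only by the implicit default; that is why a real config normally ends with an explicit `http_access deny all` rather than relying on the inverted last rule.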

Squid authentication

A transparent proxy cannot use authentication, but a traditional proxy can.
step1. Add the authentication module.

/usr/lib64/squid/ncsa_auth --> authentication module

step2. Set authentication parameter in the main config file.
step3. Set authentication ACL

acl auth_user proxy_auth REQUIRED
http_access allow auth_user

step4. Create the authentication account
vim squid.conf

auth_param basic program /usr/lib64/squid/ncsa_auth /etc/squid/auth_user.txt   #must come first, before the proxy_auth acl; names the user list file for the ncsa_auth module
acl auth_user proxy_auth REQUIRED
http_access allow auth_user

htpasswd -c /etc/squid/auth_user.txt jmilk    #create the user list file; htpasswd ships with the httpd package, so install it first
cat /etc/squid/auth_user.txt

vim /etc/squid/squid.conf

auth_param basic children 5 --> run 5 helper processes, i.e. 5 concurrent authentications
auth_param basic realm Squid proxy-caching web  --> text shown in the browser's login prompt
auth_param basic credentialsttl 2 hours  --> how long a successful authentication stays valid

step5. Set the speed limit for every IP.

delay_pools 1   #number of delay pools
delay_class 1 3
            #1 --> delay pool number
            #3 --> delay class; 1: one aggregate bucket; 2: per-host buckets (class C); 3: adds per class-B network buckets; 4: adds per-user buckets
delay_access 1 allow localnet      #apply pool 1 to the localnet acl
delay_parameters 1 -1/-1 -1/-1 20000/20000
            #-1/-1 -1/-1 --> aggregate and per-network buckets: no limit (a class 3 pool needs all three pairs)
            #20000/20000 --> per host: restore 20000 bytes/s into a 20000-byte bucket, i.e. about 20 KB/s once the bucket is drained

Setup the Reverse Proxy Server

Web servers easily become a load bottleneck; there are the following solutions:
1. A web server cluster
2. A reverse proxy server
A reverse proxy server works like a caching DNS: it answers from its cache and so reduces the load on the web server.
It listens on port 80.
No ACL is set; everything is allowed.
step1.
vim squid.conf

http_port ProxyServerIP:80 vhost
cache_peer WebServerIP parent 80 0 originserver
http_access allow all

Case study: configure a transparent proxy

vim squid.conf

http_port squidServerIP:3128 transparent
visible_hostname transparent.fan.com
cache_dir ufs /var/spool/squid 100 16 256
cache_mem 1024 MB

Do not cache files larger than 3 MB, and forbid downloading files larger than 100 MB

maximum_object_size 3 MB
reply_body_max_size 100 MB

Enable URL filtering: deny access to links containing the words "Sex" or "adult"

acl burl urlpath_regex -i Sex adult
        #-i --> match the keywords case-insensitively
http_access deny burl

Configure Squid to use basic authentication and create the user jmilk; only users who pass authentication may browse through squid. (Not supported by a transparent proxy, only by a traditional proxy.)
vim squid.conf

acl auth_user proxy_auth REQUIRED     #REQUIRED: any authenticated user; alternatively "-i userName ..." allows only the listed users
http_access allow auth_user
htpasswd -c /etc/squid/auth_user.txt jmilk
cat /etc/squid/auth_user.txt

vim squid.conf

auth_param basic program /usr/lib64/squid/ncsa_auth /etc/squid/auth_user.txt    #put it on the first line, before the proxy_auth acl
auth_param basic children 5              #handle 5 concurrent authentications at once
auth_param basic realm Hellow!           #text shown in the login prompt
auth_param basic credentialsttl 2 hours  #how long one user authentication stays valid

Limit client 192.168.1.52 to a maximum download speed of 150 KB/s during working hours

acl worktime time D 9:00-24:00  #D: weekdays (Monday to Friday); DSA: the whole week
acl lan src 192.168.1.52/32
delay_pools 1                   #delay pool 1; each rate-limited target gets its own pool number
delay_class 1 2                 #pool 1 is class 2: per-host buckets within a class C network
delay_access 1 allow worktime lan
delay_parameters 1 -1/-1 150000/2000000   #aggregate: no limit; per host: 150000 bytes/s restore rate, 2000000-byte bucket
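Both delay pool configurations on this page (step 5 of the authentication section and this case) use restore/max pairs, and what those numbers do to a download is easiest to see with a token-bucket model. The Python below is an added example, not Squid's code and not part of the original page; it models one bucket per restore/max pair, one refill per second, and Squid's default delay_initial_bucket_level of 50%, then simulates the two delay_parameters lines from this page on constructed file sizes.

```python
"""Token-bucket model of Squid delay pools (added example, not Squid's code).

Each restore/max pair on a delay_parameters line describes one bucket: it
gains `restore` bytes per second up to `max` bytes, and a transfer can only
send what the bucket holds, so the first seconds burst and the rest trickles
at the restore rate. -1/-1 means that bucket imposes no limit. Squid starts
each bucket at delay_initial_bucket_level percent of max (50 by default).
"""

UNLIMITED = -1


class DelayBucket:
    """One restore/max pair (aggregate, network or per-host bucket)."""

    def __init__(self, restore, maximum, initial_percent=50):
        self.restore, self.maximum = restore, maximum
        self.unlimited = restore == UNLIMITED or maximum == UNLIMITED
        self.level = 0 if self.unlimited else maximum * initial_percent // 100

    def refill(self):
        """Squid adds `restore` bytes once per second, capped at `maximum`."""
        if not self.unlimited:
            self.level = min(self.maximum, self.level + self.restore)

    def drain(self, nbytes):
        if not self.unlimited:
            self.level -= nbytes


def parse_delay_parameters(spec):
    """Parse the arguments of a delay_parameters line,
    e.g. '1 -1/-1 150000/2000000' -> (1, [(-1, -1), (150000, 2000000)])."""
    fields = spec.split()
    pairs = []
    for field in fields[1:]:
        restore, maximum = field.split("/")
        pairs.append((int(restore), int(maximum)))
    return int(fields[0]), pairs


def simulate(size_bytes, pairs, initial_percent=50):
    """Bytes that get through in each one-second tick until size_bytes are
    sent. Every bucket of the pool must have room, so the most restrictive
    one (usually the per-host bucket) sets the rate."""
    buckets = [DelayBucket(r, m, initial_percent) for r, m in pairs]
    remaining, per_second = size_bytes, []
    while remaining > 0:
        for b in buckets:
            b.refill()
        limits = [b.level for b in buckets if not b.unlimited]
        sendable = min([remaining] + limits)
        if sendable <= 0:
            raise RuntimeError("a bucket with restore rate 0 never refills")
        for b in buckets:
            b.drain(sendable)
        per_second.append(sendable)
        remaining -= sendable
    return per_second


def download_seconds(size_bytes, pairs, initial_percent=50):
    """Whole seconds a download of size_bytes takes through the pool."""
    return len(simulate(size_bytes, pairs, initial_percent))


if __name__ == "__main__":
    # Constructed 5 MB download against the two delay_parameters lines on this page.
    for spec in ("1 -1/-1 -1/-1 20000/20000", "1 -1/-1 150000/2000000"):
        pool, pairs = parse_delay_parameters(spec)
        profile = simulate(5_000_000, pairs)
        print(f"delay_parameters {spec}: 5 MB takes {len(profile)} s, "
              f"first second {profile[0]} bytes, then {profile[1]} bytes/s")
```

With 150000/2000000 a 1 MB file passes in the first second, while a 5 MB file needs 27 s: the first second moves the half-full bucket plus one refill (1,150,000 bytes), and the rest trickles at 150 KB/s. With 20000/20000 the bucket is tiny, so the client is held to about 20 KB/s almost immediately; the bucket size, not the restore rate, is what decides how large a burst a client gets before the limit bites.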