Squid forward proxy (compiled from source)


Compile and install

Version: squid-3.5.27

System: CentOS 6.5

Dependencies

yum install -y perl gcc* autoconf automake make sudo wget libxml2-devel libcap-devel libtool-ltdl-devel

 

Extract

[root@uu ~]# mkdir /application

[root@uu ~]# cd /application/

[root@uu application]# rz

[root@uu application]# tar zxvf squid-3.5.27.tar.gz

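About symbolic links

When software is compiled, the install path carries a version number (/application/app1.1.1), but you want to access it without the version number (/application/app). Create a symbolic link that points to the compiled path and have every program use the symlink (/application/app). After upgrading to a newer version, just delete the link and recreate it pointing to the new version's path.

Create the symlink

[root@uu application]# ln -s squid-3.5.27 squid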

Compile

./configure --prefix=/application/squid --disable-loadable-modules --enable-gnuregex --enable-icmp --enable-linux-netfilter --enable-err-language="zh-cn" --enable-default-err-language="zh-cn" --enable-kill-parent-hack --enable-cache-digests --enable-dlmalloc --enable-poll --enable-async-io=240 --enable-arp-acl --mandir=/usr/share/man/ --with-large-files --with-filedescriptors=20480

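Notes

--enable-arp-acl

Identifying users by IP address is very unreliable; the MAC (hardware) address of the network card is a better identifier. To identify clients by MAC address in Squid,

add the following to the configuration file:

acl advance arp 00:01:02:1f:2c:3e 00:01:02:3c:1a:8b ...

Verify

echo $?

PS

Squid itself is installed under /application/sbin
Squid's cache directory defaults to /application/squid/cache
Squid's log directory defaults to /application/squid/logs
Squid's configuration directory defaults to /application/etc/squid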

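Notes on the build options

--enable-async-io=80

This mainly makes Squid run in async mode; as I understand it, it sets the number of threads Squid runs with. If the server is well specified, with more than 1 GB of memory and SMP CPUs, consider setting it to 160 or higher. On a weaker server, set it according to the actual situation. This option also enables aufs support for the cache files. The value 80 was chosen by me with the 160 configuration as a reference.

--enable-epoll

A new method in the Linux 2.6 kernel for improving I/O performance.

--enable-poll

Use the poll() function instead of select(). poll is generally better than select, but the configure script knows that poll fails on some platforms. If you think you know better than the configure script, you can enable poll with this option. In short, it can improve performance. I did not fully understand it, but my own feeling is that epoll is somewhat more advanced, so I replaced poll with epoll.

epoll is an improved poll in the Linux kernel for handling large numbers of handles. It is an enhanced version of the select/poll multiplexed I/O interfaces on Linux, and it significantly reduces system CPU usage when only a few of a large number of concurrent connections are active.

--disable-internal-dns

The Squid proxy server implements DNS resolution inside the program; it does not check /etc/hosts and goes directly to the DNS servers in /etc/resolv.conf. In my experience: 1. The dns_children configuration parameter depends on disable-internal-dns. 2. By default /etc/hosts is checked; the default value is hosts_file /etc/hosts. To skip the check, you must explicitly set hosts_file none.

--with-filedescriptors=20480

Raises the number of file descriptors that can be open at the same time. The default is 1024, which is usually not enough and produces the warning "WARNING: your cache is running out of the filedescriptors!" in cache_log. Also, in my experience, max_filedescriptors 20480 must be set explicitly in the configuration file. The two values do not have to be equal: the former is the maximum set at compile time, and the value in the configuration file only has to be no larger than it.

--enable-kill-parent-hack

Whether to kill the parent process as well when Squid is shut down. Of course we want that. There were cases in the past where Squid did not shut down cleanly and the pid file could not be deleted, which may be related to this option. (2.7 also supports this option.)

--enable-underscore

This build option is no longer needed and no longer supported in 3.0 (2.7 does not support it either). The configuration file has the allow_underscore option instead; by default, underscores in domain names are now allowed.

--enable-err-language="zh-cn" --enable-default-err-language="zh-cn"

Previously this was --enable-err-language="Simplify_Chinese" --enable-default-err-language="Simplify_Chinese"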

Install

Note

With Squid versions after 3.1.5, a default build produces the following error; you can disable eCAP (--disable-loadable-modules).

>     ../libltdl/libltdl/lt_error.h:35:31: error: libltdl/lt_system.h: No such file or directory
>     make[3]: *** [LoadableModule.o] Error 1
>     make[3]: Leaving directory `/application/src/squid/squid-3.1.6/src’
>     make[2]: *** [all-recursive] Error 1
>     make[2]: Leaving directory `/application/src/squid/squid-3.1.6/src’
>     make[1]: *** [all] Error 2
>     make[1]: Leaving directory `/application/src/squid/squid-3.1.6/src’
>     make: *** [all-recursive] Error 1

Or:

In file included from LoadableModule.cc:18:

../libltdl/ltdl.h:106: 錯誤:‘LT_DLSYM_CONST’沒有命名一個類型

LoadableModule.cc: In constructor ‘LoadableModule::LoadableModule(const String&)’:

LoadableModule.cc:33: 錯誤:‘lt__PROGRAM__LTX_preloaded_symbols’在此做用域中還沒有聲明

make[3]: *** [LoadableModule.o] 錯誤 1

make[3]: Leaving directory `/application/squid-3.5.27/src'

make[2]: *** [all-recursive] 錯誤 1

make[2]: Leaving directory `/application/squid-3.5.27/src'

make[1]: *** [all] 錯誤 2

make[1]: Leaving directory `/application/squid-3.5.27/src'

make: *** [all-recursive] 錯誤 1

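If you are using a minimal CentOS installation, the C compiler may not be installed and has to be installed manually. If the following error appears during installation:

-bash: make: command not found

it is because the compiler is not installed. Install it with: yum install gcc* gcc-*. After that, run make again.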

make

[root@uu squid-3.5.27]# make

sed " s%@DEFAULT_ERROR_DIR@%%g; s%@DEFAULT_MIME_TABLE@%%g; s%@""PACKAGE_STRING""@%Squid Web Proxy 3.5.27%g; s%@SYSCONFDIR@%/application/squid/etc%g; " < ./cachemgr.cgi.8.in > cachemgr.cgi.8

make[2]: Leaving directory `/application/squid-3.5.27/tools'

make[1]: Leaving directory `/application/squid-3.5.27/tools'

Making all in test-suite

make[1]: Entering directory `/application/squid-3.5.27/test-suite'

make[1]: Nothing to be done for `all'.

make[1]: Leaving directory `/application/squid-3.5.27/test-suite'

make[1]: Entering directory `/application/squid-3.5.27'

make[1]: Nothing to be done for `all-am'.

make[1]: Leaving directory `/application/squid-3.5.27'

[root@uu squid-3.5.27]# echo $?

0

make install

[root@uu squid-3.5.27]# make install

make[3]: Leaving directory `/application/squid-3.5.27/tools'

make[2]: Leaving directory `/application/squid-3.5.27/tools'

make[1]: Leaving directory `/application/squid-3.5.27/tools'

Making install in test-suite

make[1]: Entering directory `/application/squid-3.5.27/test-suite'

make[2]: Entering directory `/application/squid-3.5.27/test-suite'

make[2]: Nothing to be done for `install-exec-am'.

make[2]: Nothing to be done for `install-data-am'.

make[2]: Leaving directory `/application/squid-3.5.27/test-suite'

make[1]: Leaving directory `/application/squid-3.5.27/test-suite'

make[1]: Entering directory `/application/squid-3.5.27'

make[2]: Entering directory `/application/squid-3.5.27'

make[2]: Nothing to be done for `install-exec-am'.

make[2]: Nothing to be done for `install-data-am'.

make[2]: Leaving directory `/application/squid-3.5.27'

make[1]: Leaving directory `/application/squid-3.5.27'

[root@uu squid-3.5.27]# echo $?    

0

At this point, squid3.5.5 is installed in the /application/squid directory; next, run it.

Configuration file

>/application/squid/etc/squid.conf

vim /application/squid/etc/squid.conf

 

[root@uu etc]# cat squid.conf

http_port 3128

cache_mem 64 MB 

maximum_object_size 400 MB   

minimum_object_size 0 KB   

maximum_object_size_in_memory 4096 KB

 

cache_dir aufs /application/squid/var/cache/squid 1024 16 256   

cache_mem 128 MB  

cache_log /application/squid/var/logs/cache.log   

#logfile_rotate 60  

#cache_swap_high 95  

#cache_swap_low 90 

 

request_entities off

#ident_timeout 10 seconds # Sets how long squid waits for a user authentication request. The default is 10 seconds. [--enable-ident-lookups]

cache_effective_user nobody

cache_effective_group nobody

httpd_suppress_version_string on

 

 

 

#acl manager proto cache_object

#acl localhost src 127.0.0.1/32 ::1

#acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1

acl localnet src 10.0.0.0/8

acl SSL_ports port 443

acl Safe_ports port 80         

acl Safe_ports port 443        

acl CONNECT method CONNECT

acl http proto HTTP

acl good_domain dstdomain yyt.etcsd.com

http_access allow manager localhost

http_access allow http good_domain

http_access deny http !good_domain

http_access deny !Safe_ports

http_access deny CONNECT !SSL_ports

http_access allow all

 

coredump_dir /application/squid/var/cache/squid

 

refresh_pattern ^ftp:           1440    20%     10080

refresh_pattern ^gopher:        1440    0%      1440

refresh_pattern -i (/cgi-bin/|\?) 0     0%      0

refresh_pattern .               0       20%     4320

visible_hostname pstation

cache_mgr 15666661331@163.com

Error messages

Remove the manager and 127.0.0.1 lines

UPGRADE: ACL 'manager' is now a built-in ACL. Remove it from your config file.

2018/01/19 13:04:31| Processing: acl localhost src 127.0.0.1/32 ::1

2018/01/19 13:04:31| WARNING: (B) '127.0.0.1' is a subnetwork of (A) '127.0.0.1'

2018/01/19 13:04:31| WARNING: because of this '127.0.0.1' is ignored to keep splay tree searching predictable

2018/01/19 13:04:31| WARNING: You should probably remove '127.0.0.1' from the ACL named 'localhost'

2018/01/19 13:04:31| WARNING: (B) '127.0.0.1' is a subnetwork of (A) '127.0.0.1'

2018/01/19 13:04:31| WARNING: because of this '127.0.0.1' is ignored to keep splay tree searching predictable

2018/01/19 13:04:31| WARNING: You should probably remove '127.0.0.1' from the ACL named 'localhost'

2018/01/19 13:04:31| WARNING: (B) '::1' is a subnetwork of (A) '::1'

2018/01/19 13:04:31| WARNING: because of this '::1' is ignored to keep splay tree searching predictable

2018/01/19 13:04:31| WARNING: You should probably remove '::1' from the ACL named 'localhost'

2018/01/19 13:04:31| WARNING: (B) '::1' is a subnetwork of (A) '::1'

2018/01/19 13:04:31| WARNING: because of this '::1' is ignored to keep splay tree searching predictable

2018/01/19 13:04:31| WARNING: You should probably remove '::1' from the ACL named 'localhost'

2018/01/19 13:04:31| Processing: acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1

2018/01/19 13:04:31| WARNING: (B) '127.0.0.0/8' is a subnetwork of (A) '127.0.0.0/8'

2018/01/19 13:04:31| WARNING: because of this '127.0.0.0/8' is ignored to keep splay tree searching predictable

2018/01/19 13:04:31| WARNING: You should probably remove '127.0.0.0/8' from the ACL named 'to_localhost'

2018/01/19 13:04:31| WARNING: (B) '0.0.0.0' is a subnetwork of (A) '0.0.0.0'

2018/01/19 13:04:31| WARNING: because of this '0.0.0.0' is ignored to keep splay tree searching predictable

2018/01/19 13:04:31| WARNING: You should probably remove '0.0.0.0' from the ACL named 'to_localhost'

2018/01/19 13:04:31| WARNING: (B) '0.0.0.0' is a subnetwork of (A) '0.0.0.0'

2018/01/19 13:04:31| WARNING: because of this '0.0.0.0' is ignored to keep splay tree searching predictable

2018/01/19 13:04:31| WARNING: You should probably remove '0.0.0.0' from the ACL named 'to_localhost'

2018/01/19 13:04:31| WARNING: (B) '::1' is a subnetwork of (A) '::1'

2018/01/19 13:04:31| WARNING: because of this '::1' is ignored to keep splay tree searching predictable

2018/01/19 13:04:31| WARNING: You should probably remove '::1' from the ACL named 'to_localhost'

2018/01/19 13:04:31| WARNING: (B) '::1' is a subnetwork of (A) '::1'

2018/01/19 13:04:31| WARNING: because of this '::1' is ignored to keep splay tree searching predictable

2018/01/19 13:04:31| WARNING: You should probably remove '::1' from the ACL named 'to_localhost'

Start

/application/squid/sbin/squid -z

/application/squid/sbin/squid -k parse          # test the configuration file

/application/squid/sbin/squid -k reconfigure    # reload the configuration file

/application/squid/sbin/squid -k shutdown       # shut squid down

/application/squid/sbin/squid -s                # start squid in the background

/application/squid/sbin/squid -N -d1            # start squid in the foreground

/application/squid/sbin/squid -k interrupt      # shut squid down (higher priority, stops squid immediately)

/application/squid/sbin/squid -k kill           # shut squid down (highest priority, kills the squid process outright)

netstat -ntpl

Check whether the squid port is listening:
[root@uu ~]# netstat -tunpl | grep :3128

Load the new configuration file without restarting:
[root@rh73 ~]# /etc/rc.d/init.d/squid reload

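Troubleshooting

After installation, a new user squid has been created on the system

cat /etc/passwd|grep squid
cat /etc/group|grep 65534

If it does not exist, add it manually

Add the user

[root@uu application]# useradd squid -s /sbin/nologin -M

Troubleshooting

1. [root@uu etc]# /application/squid/sbin/squid -k parse

If it reports an error: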

WARNING: Cannot write log file: /application/squid/var/logs/cache.log

/application/squid/var/logs/cache.log: Permission denied

         messages will be sent to 'stderr'

 

2. [root@uu etc]# /application/squid/sbin/squid -z    # initialize

2018/01/19 14:11:45 kid1| Current Directory is /application/squid/etc

2018/01/19 14:11:45 kid1| Creating missing swap directories

FATAL: Failed to make swap directory /var/spool/squid: (13) Permission denied

Fix:

chown -R nobody /application/squid/var/cache/
chown -R nobody /application/squid/var/logs/

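The usual problem is that squid does not have sufficient permissions on the cache directory; granting the appropriate permissions fixes it.

Then check whether it can start. If the output finally stops on one line and stays there, startup succeeded; terminate it with Ctrl+C. If the normal startup messages are shown, Squid can now be started.

### The message below means the directory is wrong; the configuration parameter should be: coredump_dir /application/squid/var/cache/squid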

2018/01/19 14:11:48 kid1| cannot change current directory to /var/spool/squid: (2) No such file or directory

Optimization ----- markers

[root@uu etc]# pwd

/application/squid/etc

Start at boot

[root@uu etc]# echo "/application/squid/sbin/squid start " >>/etc/rc.local

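Periodically clean invalid data out of swap.state

squid -k rotate -f /path/to/squid/conf_file

vi /etc/crontab

0  0   *  *   *       root    /application/squid/sbin/squid -k rotate -f /application/squid/etc/squid.conf

After squid has been running for a while, the swap.state file of each cache_dir keeps growing and accumulates more and more invalid entries, which can affect squid's response time. Use squid to clean the invalid data out of swap.state and reduce its size.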

Environment variables

To add to the PATH environment variable temporarily, use:

[root@uu]#

export PATH="/application/squid/sbin:$PATH"

export PATH="/application/squid/bin:$PATH"

Add the environment variable permanently (affects all users)

Append to the end of the file (two methods)

1. # vim /etc/profile

export PATH="/application/squid/sbin:$PATH"

Save and exit.

2. echo 'export PATH="/application/squid/sbin:$PATH"' >> /etc/profile

echo 'export PATH="/application/squid/bin:$PATH"' >> /etc/profile

Then run:

# source /etc/profile

If there is no error, it worked.

[root@uu etc]# source /etc/profile

[root@uu etc]# echo $PATH        

/application/squid/sbin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin

Try it

killall squid

squid -k parse

squid -z

squid start

netstat -tunpl | grep :3128

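Configure authentication

By default, Squid itself does not come with any authentication program, but user authentication can be implemented through external authentication helpers. The usual helpers are: LDAP authentication, SMB authentication, MySQL-based authentication, SOCKS5-based password authentication, and RADIUS-based authentication. The following covers the commonly used NCSA authentication. ncsa is an authentication helper bundled with the Squid source package, but it needs Apache's htpasswd to generate the password file. Alternatively, install this tool with apt-get/yum install httpd-tools.

NCSA method.

Add the authentication configuration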

auth_param basic program /application/squid/helpers/basic_auth/NCSA/basic_ncsa_auth /opt/squid/etc/passwd

auth_param basic realm hello

auth_param basic credentialsttl 2 hours

auth_param basic casesensitive on

auth_param basic children 5

acl alloweduser proxy_auth REQUIRED

# must be placed before all the other http_access lines, otherwise it does not take effect
http_access allow alloweduser

Full configuration (mind the order)

[root@uu etc]# cat squid.conf

http_port 3128

cache_mem 64 MB 

maximum_object_size 400 MB   

minimum_object_size 0 KB   

maximum_object_size_in_memory 4096 KB

 

cache_dir aufs /application/squid/var/cache/squid 1024 16 256   

cache_mem 128 MB  

cache_log /application/squid/var/logs/cache.log   

#logfile_rotate 60  

#cache_swap_high 95  

#cache_swap_low 90 

vary_ignore_expire on

collapsed_forwarding on

 

request_entities off

# Sets how long squid waits for a user authentication request. The default is 10 seconds. [--enable-ident-lookups]
ident_timeout 10 seconds

cache_effective_user nobody

cache_effective_group nobody

httpd_suppress_version_string on

 

 

 

#acl manager proto cache_object

#acl localhost src 127.0.0.1/32 ::1

#acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1

#acl localnet src 10.0.0.0/8

acl SSL_ports port 443

acl Safe_ports port 80         

acl Safe_ports port 443        

acl CONNECT method CONNECT

acl http proto HTTP

acl good_domain dstdomain yyt.etcsd.com

auth_param basic program /application/squid/helpers/basic_auth/NCSA/basic_ncsa_auth /opt/squid/etc/passwd

auth_param basic realm hello

auth_param basic credentialsttl 2 hours

auth_param basic casesensitive on

auth_param basic children 5

acl alloweduser proxy_auth REQUIRED

acl authorizedip src "/application/squid/authorizedip.txt"

#http_access allow manager localhost

http_access allow http good_domain

http_access deny http !good_domain

http_access allow alloweduser

http_access allow authorizedip

http_access deny !Safe_ports

 

http_access deny CONNECT !SSL_ports

#http_access allow all

 

http_access deny all

coredump_dir /application/squid/var/cache/squid

 

refresh_pattern ^ftp:           1440    20%     10080

refresh_pattern ^gopher:        1440    0%      1440

refresh_pattern -i (/cgi-bin/|\?) 0     0%      0

refresh_pattern .               0       20%     4320

visible_hostname pstation

cache_mgr 15666661331@163.com

 

########################################################
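
To see why the order of the http_access lines in the full configuration above matters (and what the "place it before the other http_access lines" comment implies), here is an added example, not from the original page and not Squid's own code, that models first-match evaluation in Python. The request dictionaries and the PORTS_FIRST reordering are assumptions constructed for illustration; authorizedip is left out because its file is not shown on the page.

```python
# Added example: simplified first-match model of Squid http_access evaluation.
# Request dicts are constructed; "authorizedip" is omitted (its file is not shown).
ACLS = {  # ACL name -> predicate, mirroring the page's acl lines
    "http":        lambda r: r["proto"] == "HTTP",
    "good_domain": lambda r: r["domain"] == "yyt.etcsd.com",
    "Safe_ports":  lambda r: r["port"] in (80, 443),
    "SSL_ports":   lambda r: r["port"] == 443,
    "CONNECT":     lambda r: r["method"] == "CONNECT",
    # proxy_auth REQUIRED: a client without credentials is challenged (407)
    # by real Squid; this model only covers already-authenticated requests.
    "alloweduser": lambda r: r["user"] is not None,
    "all":         lambda r: True,
}

PAGE_ORDER = """allow http good_domain
deny http !good_domain
allow alloweduser
deny !Safe_ports
deny CONNECT !SSL_ports
deny all"""

PORTS_FIRST = """deny !Safe_ports
deny CONNECT !SSL_ports
allow http good_domain
deny http !good_domain
allow alloweduser
deny all"""

def decide(rules, req):
    """Return (action, matching line) for the first line whose ACLs all match."""
    for line in rules.splitlines():
        action, *names = line.split()
        # A leading "!" negates the ACL; every ACL on a line must match (AND).
        if all(ACLS[n.lstrip("!")](req) != n.startswith("!") for n in names):
            return action, line
    return "deny", None  # unreachable here: both rule sets end in "deny all"

# Constructed requests: an authenticated user asking for FTP on port 21,
# and an anonymous plain-HTTP request to the whitelisted domain.
FTP_21 = {"proto": "FTP", "method": "GET", "port": 21,
          "domain": "files.example.net", "user": "test"}
HTTP_GOOD = {"proto": "HTTP", "method": "GET", "port": 80,
             "domain": "yyt.etcsd.com", "user": None}

if __name__ == "__main__":
    for name, rules in (("page order", PAGE_ORDER), ("ports first", PORTS_FIRST)):
        for req in (FTP_21, HTTP_GOOD):
            print(name, req["proto"], req["port"], "->", decide(rules, req))
```

With the page's order, the authenticated FTP request to port 21 is allowed by `allow alloweduser` before `deny !Safe_ports` is consulted; with the port checks first it is denied, while the whitelisted HTTP domain stays reachable in both.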

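Notes

auth_param basic program /usr/lib/squid/ncsa_auth /opt/squid/etc/passwd

# Sets the authentication scheme to basic, the path of the authentication helper, and the account file the helper reads

auth_param basic children 5

# Sets the number of authentication helper processes to 5

 

auth_param basic credentialsttl 2 hours

# Sets the credentials lifetime to 2 hours; if the user still needs squid after 2 hours, the user name and password must be entered again

auth_param basic realm Please input account

# Sets the realm text shown to the user at login, similar to Apache user authentication

auth_param basic casesensitive off

# Whether user names are case sensitive: on means case sensitive, off means not.

acl auth_user proxy_auth REQUIRED

# Require user authentication

http_access allow auth_user

# Ordinary users must authenticate to access the internet; allow access for authenticated users.

# A wrong directive name or relative position causes errors: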

#2018/01/20 22:24:01| /application/squid/etc/squid.conf:34 unrecognized: 'authenticate_program'

#2018/01/20 22:24:01| Processing: authenticate_program realm hello

#2018/01/20 22:24:01| /application/squid/etc/squid.conf:35 unrecognized: 'authenticate_program'

#2018/01/20 22:24:01| Processing: acl alloweduser proxy_auth REQUIRED

#2018/01/20 22:24:01| Can't use proxy auth because no authentication schemes are fully configured.

#FATAL: ERROR: Invalid ACL: acl alloweduser proxy_auth REQUIRED

Create the password file

htpasswd is Apache's password generator. Without Apache it has to be installed first; yum install httpd -y is enough.

[root@uu opt]# mkdir /opt/squid/etc -p

[root@uu opt]# cd /opt/squid/etc

[root@uu etc]# touch passwd

[root@uu etc]# htpasswd -bc /opt/squid/etc/passwd test test

Adding password for user test