tps://www.aliyun.com/product/cas?source=5176.11533457&userCode=kv73ipbs&type=copy
https://www.aliyun.com/product/cas?source=5176.11533457&userCode=kv73ipbs&type=copy
https://www.aliyun.com/product/cas?source=5176.11533457&userCode=kv73ipbs&type=copyhttps://www.aliyun.com/product/cas?source=5176.11533457&userCode=kv73ipbs&type=copy
编译安装
版本为squid-3.5.27
系统为Centos6.5
依赖环境
yum install -y perl gcc*autoconf automake make sudo wget libxml2-devel libcap-devel libtool-ltdl-devel
解压
[root@uu ~]# mkdir /application [root@uu ~]# cd /application/ [root@uu application]# rz [root@uu application]# tar zxvf squid-3.5.27.tar.gz
关于软连接
编译软件时指定版本号(/appiication/app1.1.1),访问时希望去掉版本号(/application/app,),可以设置软链接到编译的路径。 所有程序都访问软链接文件(/application/app,),当软件升级高版本后,只需删除链接文件重建到高版本路径的软链接接口(/application/app,)。
做软连接
[root@uu application]# ln -s squid-3.5.27 squid
编译
./configure --prefix=/application/squid --disable-loadable-modules --enable-gnuregex --enable-icmp --enable-linux-netfilter --enable-err-language="zh-cn" --enable-default-err-language="zh-cn" --enable-kill-parent-hack --enable-cache-digests --enable-dlmalloc--enable-poll --enable-async-io=240 --enable-arp-acl--mandir=/usr/share/man/ --with-large-files --with-fd=20480 --with-large-files --enable-arp-acl
注释
--enable-arp-acl
通过IP地址来识别用户很不可靠,比IP地址更好的是网卡的MAC物理地址。要在Squid中使用MAC地址识别,
配置文件中加入:
acl advance arp 00:01:02:1f:2c:3e 00:01:02:3c:1a:8b ...
验证
echo $?
PS
Squid本身会被安装到/application/sbin下
Squid的cache目录默认为/application/squid/cache
Squid的log目录默认为/application/squid/logs
squid的配置文件目录默认为/application/etc/squid
编译安装的注释
l --enable-async-io=80 这个主要是设置async模式来运行squid,我的理解是设置用线程来运行squid,如果服务器配置很不错,有1G以上内存,cpu使用SMP的方式的话可以考虑设成160或者更高。如果服务器比较糟糕就根据实际情况设了。另外此项还另cache文件支持aufs。80这个值是根据160的配置情况自己确定的。 l --enable-epoll LINUX2.6 内核中提高I/O性能的新方法。 l --enable-poll 应启用Poll()函数而不是select()函数,通常而言poll(轮询)比 select要好,但configure(脚本程序)已知Poll在某些平台下失效, 若你认为你比configure编译配置脚本程序要聪明的话,可以用这个选项启用Poll。总之就是用这个可以提升性能就是啦。没有看得很明白,但是我自己感觉是不是epoll更先进一点。反正我用epoll取代了poll。 epoll是Linux内核为处理大批量句柄而作了改进的poll,是Linux下多路复用IO接口select/poll的增强版本,它能显著减少程序在大量并发连接中只有少量活跃的情况下的系统CPU利用率。 l --disable-internal-dns Squid代理服务器在程序内部实现DNS解析,不会检查/etc/hosts文件,直接根据/etc/resolv.conf中的DNS服务器。我的实践:1、配置参数中dns_children 必须要依赖于disable-internal-dns。2、默认是检查/etc/hosts文件的。默认值是hosts_file /etc/hosts。如果要不检查,必须显示指定hosts_file none。 l --with_filedescriptors=20480 增加并发是同时打开文件的文件描述符数量,默认是1024,一般不够。会在cache_log中形成WARNING: your cache is running out of the filedescriptors!的警告信息。另外我的实践:必须在配置文件中显示指定max_filedescriptors 20480,前后两个值并不一定要相等,前面是编译时设定的最大值,后面配置文件中的值不大于该值即可。 l --enable-kill-parent-hack 关掉suqid的时候,要不要连同父进程一起关掉,这个当然要啦。当然要,就要吧。以前发生过关闭SQUID不正常,无法删除pid文件什么的,可能是和这个选项有关。(2.7也支持本选项) l --enable-underscore 在3.0里不再需要也不再支持这个安装选项(2.7也不支持了)。在配置文件中有allow_underscore 这个选项。默认是允许域名中支持下划线了。 l --enable-err-language="zh-cn" --enable-default-err-language="zh-cn" 原来是--enable-err-language="Simplify_Chinese" --enable-default-err-language="Simplify_Chinese"
安装
注意
squid 3.1.5以后版本,默认编译时,会出现如下错误,可以禁用eCAP(--disable-loadable-modules)
> ../libltdl/libltdl/lt_error.h:35:31: error: libltdl/lt_system.h: No such file or directory > make[3]: *** [LoadableModule.o] Error 1 > make[3]: Leaving directory `/application/src/squid/squid-3.1.6/src’ > make[2]: *** [all-recursive] Error 1 > make[2]: Leaving directory `/application/src/squid/squid-3.1.6/src’ > make[1]: *** [all] Error 2 > make[1]: Leaving directory `/application/src/squid/squid-3.1.6/src’ > make: *** [all-recursive] Error 1
或者:
In file included from LoadableModule.cc:18: ../libltdl/ltdl.h:106: 错误:‘LT_DLSYM_CONST’没有命名一个类型 LoadableModule.cc: In constructor ‘LoadableModule::LoadableModule(const String&)’: LoadableModule.cc:33: 错误:‘lt__PROGRAM__LTX_preloaded_symbols’在此作用域中尚未声明 make[3]: *** [LoadableModule.o] 错误 1 make[3]: Leaving directory `/application/squid-3.5.27/src' make[2]: *** [all-recursive] 错误 1 make[2]: Leaving directory `/application/squid-3.5.27/src' make[1]: *** [all] 错误 2 make[1]: Leaving directory `/application/squid-3.5.27/src' make: *** [all-recursive] 错误 1 如果你用的是centos系统的最小化安装,可能没有安装c语言编译器,需要手动安装,如安装过程中出现以下错误: -bash: make: command not found 这是因为没有安装编译器,用以下命令安装:yum install gcc* gcc-*。安装后,再次make就可以了
make
[root@uu squid-3.5.27]##make sed " s%@DEFAULT_ERROR_DIR@%%g; s%@DEFAULT_MIME_TABLE@%%g; s%@""PACKAGE_STRING""@%Squid Web Proxy 3.5.27%g; s%@SYSCONFDIR@%/application/squid/etc%g; " < ./cachemgr.cgi.8.in > cachemgr.cgi.8 make[2]: Leaving directory `/application/squid-3.5.27/tools' make[1]: Leaving directory `/application/squid-3.5.27/tools' Making all in test-suite make[1]: Entering directory `/application/squid-3.5.27/test-suite' make[1]: Nothing to be done for `all'. make[1]: Leaving directory `/application/squid-3.5.27/test-suite' make[1]: Entering directory `/application/squid-3.5.27' make[1]: Nothing to be done for `all-am'. make[1]: Leaving directory `/application/squid-3.5.27' [root@uu squid-3.5.27]# echo $? 0
make install
[root@uu squid-3.5.27]# make install make[3]: Leaving directory `/application/squid-3.5.27/tools' make[2]: Leaving directory `/application/squid-3.5.27/tools' make[1]: Leaving directory `/application/squid-3.5.27/tools' Making install in test-suite make[1]: Entering directory `/application/squid-3.5.27/test-suite' make[2]: Entering directory `/application/squid-3.5.27/test-suite' make[2]: Nothing to be done for `install-exec-am'. make[2]: Nothing to be done for `install-data-am'. make[2]: Leaving directory `/application/squid-3.5.27/test-suite' make[1]: Leaving directory `/application/squid-3.5.27/test-suite' make[1]: Entering directory `/application/squid-3.5.27' make[2]: Entering directory `/application/squid-3.5.27' make[2]: Nothing to be done for `install-exec-am'. make[2]: Nothing to be done for `install-data-am'. make[2]: Leaving directory `/application/squid-3.5.27' make[1]: Leaving directory `/application/squid-3.5.27' [root@uu squid-3.5.27]# echo $? 0
到此为止,squid3.5.5已经安装到/application/squid目录下了,运行
配置文件
>/application/squid/etc/squid.conf
vim /application/squid/etc/squid.conf [root@uu etc]# cat squid.conf http_port 3128 cache_mem 64 MB maximum_object_size 400 MB minimum_object_size 0 KB maximum_object_size_in_memory 4096 KB cache_dir aufs /application/squid/var/cache/squid 1024 16 256 cache_mem 128 MB cache_log /application/squid/var/logs/cache.log #logfile_rotate 60 #cache_swap_high 95 #cache_swap_low 90 request_entities off #ident_timeout 10 seconds #设置squid等待用户认证请求的时间。缺省值为10秒。[–enable-ident-lookups] cache_effective_user nobody cache_effective_group nobody httpd_suppress_version_string on #acl manager proto cache_object #acl localhost src 127.0.0.1/32 ::1 #acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1 acl localnet src 10.0.0.0/8 acl SSL_ports port 443 acl Safe_ports port 80 acl Safe_ports port 443 acl CONNECT method CONNECT acl http proto HTTP acl good_domain dstdomain yyt.etcsd.com http_access allow manager localhost http_access allow http good_domain http_access deny http !good_domain http_access deny !Safe_ports http_access deny CONNECT !SSL_ports http_access allow all coredump_dir /application/squid/var/cache/squid refresh_pattern ^ftp: 1440 20% 10080 refresh_pattern ^gopher: 1440 0% 1440 refresh_pattern -i (/cgi-bin/|?) 0 0% 0 refresh_pattern . 0 20% 4320 visible_hostname pstation cache_mgr 15666661331@163.com
错误提示
去掉manager和127.0.0.1的行 UPGRADE: ACL 'manager' is now a built-in ACL. Remove it from your config file. 2018/01/19 13:04:31| Processing: acl localhost src 127.0.0.1/32 ::1 2018/01/19 13:04:31| WARNING: (B) '127.0.0.1' is a subnetwork of (A) '127.0.0.1' 2018/01/19 13:04:31| WARNING: because of this '127.0.0.1' is ignored to keep splay tree searching predictable 2018/01/19 13:04:31| WARNING: You should probably remove '127.0.0.1' from the ACL named 'localhost' 2018/01/19 13:04:31| WARNING: (B) '127.0.0.1' is a subnetwork of (A) '127.0.0.1' 2018/01/19 13:04:31| WARNING: because of this '127.0.0.1' is ignored to keep splay tree searching predictable 2018/01/19 13:04:31| WARNING: You should probably remove '127.0.0.1' from the ACL named 'localhost' 2018/01/19 13:04:31| WARNING: (B) '::1' is a subnetwork of (A) '::1' 2018/01/19 13:04:31| WARNING: because of this '::1' is ignored to keep splay tree searching predictable 2018/01/19 13:04:31| WARNING: You should probably remove '::1' from the ACL named 'localhost' 2018/01/19 13:04:31| WARNING: (B) '::1' is a subnetwork of (A) '::1' 2018/01/19 13:04:31| WARNING: because of this '::1' is ignored to keep splay tree searching predictable 2018/01/19 13:04:31| WARNING: You should probably remove '::1' from the ACL named 'localhost' 2018/01/19 13:04:31| Processing: acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1 2018/01/19 13:04:31| WARNING: (B) '127.0.0.0/8' is a subnetwork of (A) '127.0.0.0/8' 2018/01/19 13:04:31| WARNING: because of this '127.0.0.0/8' is ignored to keep splay tree searching predictable 2018/01/19 13:04:31| WARNING: You should probably remove '127.0.0.0/8' from the ACL named 'to_localhost' 2018/01/19 13:04:31| WARNING: (B) '0.0.0.0' is a subnetwork of (A) '0.0.0.0' 2018/01/19 13:04:31| WARNING: because of this '0.0.0.0' is ignored to keep splay tree searching predictable 2018/01/19 13:04:31| WARNING: You should probably remove '0.0.0.0' from the ACL named 'to_localhost' 2018/01/19 13:04:31| WARNING: (B) '0.0.0.0' is a subnetwork of (A) '0.0.0.0' 2018/01/19 13:04:31| WARNING: because of this '0.0.0.0' is ignored to keep splay tree searching predictable 2018/01/19 13:04:31| WARNING: You should probably remove '0.0.0.0' from the ACL named 'to_localhost' 2018/01/19 13:04:31| WARNING: (B) '::1' is a subnetwork of (A) '::1' 2018/01/19 13:04:31| WARNING: because of this '::1' is ignored to keep splay tree searching predictable 2018/01/19 13:04:31| WARNING: You should probably remove '::1' from the ACL named 'to_localhost' 2018/01/19 13:04:31| WARNING: (B) '::1' is a subnetwork of (A) '::1' 2018/01/19 13:04:31| WARNING: because of this '::1' is ignored to keep splay tree searching predictable 2018/01/19 13:04:31| WARNING: You should probably remove '::1' from the ACL named 'to_localhost'
启动
/application/squid/sbin/squid -z /application/squid/sbin/squid -k parse 测试配置文件 /application/squid/sbin/squid -k reconfigure 重新配置文件 /application/squid/sbin/squid -k shutdown 关闭squid /application/squid/sbin/squid -s 开启squid 后台 /application/squid/sbin/squid -N -d1 前台开启squid /application/squid/sbin/squid -k interrupt 关闭squid(更高crr优先级,直接关闭squid) /application/squid/sbin/squid -k kill 关闭squid(最高优先级,直接杀死squid进程) netstat -ntpl 检测squid端口是否已经启动: [root@uu ~]# netstat -tunpl | grep :3128 不重起,只装入新的配置文件: [root@rh73 ~]# /etc/rc.d/init.d/squid reload
问题处理
安装好了以后,系统中新建了一个用户squid
cat /etc/passwd|grep squid
cat /etc/group|grep 65534
如果没有的话,手动添加
添加用户
[root@uu application]# useradd squid -s /sbin/nologin -M
问题处理
1、root@uu etc]# /application/squid/sbin/squid -k parse 报错的话: WARNING: Cannot write log file: /application/squid/var/logs/cache.log /application/squid/var/logs/cache.log: Permission denied messages will be sent to 'stderr' 2、[root@uu etc]# /application/squid/sbin/squid -z 初始化配置 2018/01/19 14:11:45 kid1| Current Directory is /application/squid/etc 2018/01/19 14:11:45 kid1| Creating missing swap directories FATAL: Failed to make swap directory /var/spool/squid: (13) Permission denied 解决: chown -R nobody /application/squid/var/cache/ chown -R nobody /application/squid/var/logs/ 一般出现的问题是squid对安装缓存的目录权限不够则开启适当的权限即可, 然后查看是否可以启动,最后停留在一行不动 则表示启动成功用Ctrl+c终止 如果显示正常启动的正确信息 则现在可以启动Squid了 ###下面这条是目录搞错了,配置文件参数应当是:coredump_dir /application/squid/var/cache/squid 2018/01/19 14:11:48 kid1| cannot change current directory to /var/spool/squid: (2) No such file or directory
优化-----标记符
[root@uu etc]# pwd /application/squid/etc 加入开机启动 [root@uu etc]# echo "/application/squid/sbin/squid start " >>/etc/rc.local
定期清理swap.state内无效数据
squid -k rotate -f /path/to/squid/conf_file vi /etc/crontab 0 0 * * * root squid -k rotate -f /application/squid/etc/squid.conf 当squid应用运行了一段时间之后,cache_dir对应的swap.state文件就会变得越来越大,里面的无效接口数据越来越多,这可能影响squid的响应时间,因此需要使用squid清理swap.state里面的无效数据,减少swap.state的大小。
环境变量
添加PATH环境变量(临时),可用:
[root@uu]#
export PATH="/application/squid/sbin:$PATH"
export PATH="/application/squid/bin:$PATH"
永久添加环境变量(影响所有用户)
在文档最后,添加(两种方法)
1、# vim /etc/profile export PATH="/application/squid/sbin:$PATH" 保存,退出, 2、echo export PATH="/application/squid/sbin:$PATH" >> /etc/profile echo export PATH="/application/squid/bin:$PATH" >> /etc/profile 然后运行: #source /etc/profile 不报错则成功。 [root@uu etc]# source /etc/profile [root@uu etc]# echo $PATH /application/squid/sbin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin
试试吧
killall squid
squid -k parse
squid -z
squid start
netstat -tunpl | grep :3128
配置认证
默认时,Squid本身不带任何认证程序,但是可以通过外部认证程序来实现用户认证。一般有以下的认证程序:LDAP认证、SMB认证、基于mysql的认证、基于sock5的密码认证和基于Radius的认证。下面介绍常用的ncsa实现的认证,ncsa是Squid源代码包自带的认证程序,但是需要使用到apache的htpasswd来生成密码文件。或者使用 apt-get/yum install http-tools的方式安装此工具
NCSA方式。
加入认证配置
auth_param basic program /application/squid/helpers/basic_auth/NCSA/basic_ncsa_auth /opt/squid/etc/passwd auth_param basic realm hello auth_param basic credentialsttl 2 hours auth_param basic casesensitive on auth_param basic children 5 acl alloweduser proxy_auth REQUIRE http_access allow alloweduser #一定要放在所有http_access前面,否则不生效
完整版配置(注意顺序)
[root@uu etc]# cat squid.conf http_port 3128 cache_mem 64 MB maximum_object_size 400 MB minimum_object_size 0 KB maximum_object_size_in_memory 4096 KB cache_dir aufs /application/squid/var/cache/squid 1024 16 256 cache_mem 128 MB cache_log /application/squid/var/logs/cache.log #logfile_rotate 60 #cache_swap_high 95 #cache_swap_low 90 vary_ignore_expire on collapsed_forwarding on request_entities off ident_timeout 10 seconds #设置squid等待用户认证请求的时间。缺省值为10秒。[–enable-ident-lookups] cache_effective_user nobody cache_effective_group nobody httpd_suppress_version_string on #acl manager proto cache_object #acl localhost src 127.0.0.1/32 ::1 #acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1 #acl localnet src 10.0.0.0/8 acl SSL_ports port 443 acl Safe_ports port 80 acl Safe_ports port 443 acl CONNECT method CONNECT acl http proto HTTP acl good_domain dstdomain yyt.etcsd.com auth_param basic program /application/squid/helpers/basic_auth/NCSA/basic_ncsa_auth /opt/squid/etc/passwd auth_param basic realm hello auth_param basic credentialsttl 2 hours auth_param basic casesensitive on auth_param basic children 5 acl alloweduser proxy_auth REQUIRE acl authorizedip src "/application/squid/authorizedip.txt" #http_access allow manager localhost http_access allow http good_domain http_access deny http !good_domain http_access allow alloweduser http_access allow authorizedip http_access deny !Safe_ports http_access deny CONNECT !SSL_ports #http_access allow all http_access deny all coredump_dir /application/squid/var/cache/squid refresh_pattern ^ftp: 1440 20% 10080 refresh_pattern ^gopher: 1440 0% 1440 refresh_pattern -i (/cgi-bin/|?) 0 0% 0 refresh_pattern . 0 20% 4320 visible_hostname pstation cache_mgr 15666661331@163.com ########################################################
注释
auth_param basic program /usr/lib/squid/ncsa_auth /opt/squid/etc/passwd #定义了认证方式为basic,认证程序的路径和认证程度需要读取的帐户文件 auth_param basic children 5 #此选项定义了认证程序的进程为5个 auth_param basic credentialsttl 2 hours #定义了认证程序的时间为2小时,如果2小时过后用户还需要使用squid,则必须重新输入帐户和密码 auth_param basic realm Please input account #定义了用户的登录时显示的领域内容,类似于Apache的用户认证 auth_param basic casesensitive off #指定是否区分用户名大小写,on为区分,off为不区分。 acl auth_user proxy_auth REQUIRED # 强制要求用户验证 http_access allow auth_user #普通用户需要认证才能访问internet,允许经过认证的用户访问。 #名称和相对位置不对会报错 #2018/01/20 22:24:01| /application/squid/etc/squid.conf:34 unrecognized: 'authenticate_program' #2018/01/20 22:24:01| Processing: authenticate_program realm hello #2018/01/20 22:24:01| /application/squid/etc/squid.conf:35 unrecognized: 'authenticate_program' #2018/01/20 22:24:01| Processing: acl alloweduser proxy_auth REQUIRED #2018/01/20 22:24:01| Can't use proxy auth because no authentication schemes are fully configured. #FATAL: ERROR: Invalid ACL: acl alloweduser proxy_auth REQUIRED
创建密码文件
htpasswd是Apache的密码生成器,没有 Apache的话需要先安装,yum install httpd -y即可。 [root@uu opt]# mkdir /opt/squid/etc -p [root@uu opt]# cd /opt/squid/etc [root@uu etc]# touch passwd [root@uu etc]# htpasswd -bc /opt/squid/etc/passwd test test Adding password for user test