• Linux Basics: Deploying a Proxy Cache Service with Squid


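    Deploying a proxy cache service with Squid

    Squid is the most popular high-performance proxy service on Linux. It is usually deployed as a front-end cache for web sites: it requests page data from the web server on the user's behalf and caches the result. Squid is simple to configure, efficient and feature-rich, and it can block users from reaching threatening or inappropriate sites based on many kinds of conditions, so it helps protect the corporate intranet, improves the user's browsing experience and saves network bandwidth.

    Configuring the Squid service

    First prepare two virtual machines, one to act as the Squid server and one as the Squid client.

    Host            Operating system    IP address
    Squid server    RHEL7               172.16.10.20
    Squid client    CentOS7             172.16.10.10
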
    [root@Squid-Server ~]# ping www.baidu.com
    PING www.a.shifen.com (61.135.169.121) 56(84) bytes of data.
    64 bytes from 61.135.169.121 (61.135.169.121): icmp_seq=1 ttl=128 time=38.0 ms
    64 bytes from 61.135.169.121 (61.135.169.121): icmp_seq=2 ttl=128 time=37.9 ms
    
    
    //Install the Squid service
    [root@Squid-Server ~]# yum install squid
    Loaded plugins: product-id, search-disabled-repos, subscription-manager
    This system is not registered with an entitlement server. You can use subscription-manager to register.
    dvd                                                                | 4.1 kB  00:00:00     
    Resolving Dependencies
    --> Running transaction check
    ---> Package squid.x86_64 7:3.5.20-10.el7 will be installed
    --> Processing Dependency: perl(DBI) for package: 7:squid-3.5.20-10.el7.x86_64
    --> Processing Dependency: perl(Digest::MD5) for package: 7:squid-3.5.20-10.el7.x86_64
    --> Processing Dependency: squid-migration-script for package: 7:squid-3.5.20-10.el7.x86_64
    --> Processing Dependency: libecap.so.3()(64bit) for package: 7:squid-3.5.20-10.el7.x86_64
    --> Running transaction check
    ---> Package libecap.x86_64 0:1.0.0-1.el7 will be installed
    ---> Package perl-DBI.x86_64 0:1.627-4.el7 will be installed
    --> Processing Dependency: perl(RPC::PlClient) >= 0.2000 for package: perl-DBI-1.627-4.el7.x86_64
    --> Processing Dependency: perl(RPC::PlServer) >= 0.2001 for package: perl-DBI-1.627-4.el7.x86_64
    ---> Package perl-Digest-MD5.x86_64 0:2.52-3.el7 will be installed
    --> Processing Dependency: perl(Digest::base) >= 1.00 for package: perl-Digest-MD5-2.52-3.el7.x86_64
    ---> Package squid-migration-script.x86_64 7:3.5.20-10.el7 will be installed
    --> Running transaction check
    ---> Package perl-Digest.noarch 0:1.17-245.el7 will be installed
    ---> Package perl-PlRPC.noarch 0:0.2020-14.el7 will be installed
    --> Processing Dependency: perl(Net::Daemon) >= 0.13 for package: perl-PlRPC-0.2020-14.el7.noarch
    --> Processing Dependency: perl(Compress::Zlib) for package: perl-PlRPC-0.2020-14.el7.noarch
    --> Processing Dependency: perl(Net::Daemon::Log) for package: perl-PlRPC-0.2020-14.el7.noarch
    --> Processing Dependency: perl(Net::Daemon::Test) for package: perl-PlRPC-0.2020-14.el7.noarch
    --> Running transaction check
    ---> Package perl-IO-Compress.noarch 0:2.061-2.el7 will be installed
    --> Processing Dependency: perl(Compress::Raw::Bzip2) >= 2.061 for package: perl-IO-Compress-2.061-2.el7.noarch
    --> Processing Dependency: perl(Compress::Raw::Zlib) >= 2.061 for package: perl-IO-Compress-2.061-2.el7.noarch
    ---> Package perl-Net-Daemon.noarch 0:0.48-5.el7 will be installed
    --> Running transaction check
    ---> Package perl-Compress-Raw-Bzip2.x86_64 0:2.061-3.el7 will be installed
    ---> Package perl-Compress-Raw-Zlib.x86_64 1:2.061-4.el7 will be installed
    --> Finished Dependency Resolution
    
    Dependencies Resolved
    
    ==========================================================================================
     Package                         Arch           Version                 Repository   Size
    ==========================================================================================
    Installing:
     squid                           x86_64         7:3.5.20-10.el7         dvd         3.1 M
    Installing for dependencies:
     libecap                         x86_64         1.0.0-1.el7             dvd          21 k
     perl-Compress-Raw-Bzip2         x86_64         2.061-3.el7             dvd          32 k
     perl-Compress-Raw-Zlib          x86_64         1:2.061-4.el7           dvd          57 k
     perl-DBI                        x86_64         1.627-4.el7             dvd         802 k
     perl-Digest                     noarch         1.17-245.el7            dvd          23 k
     perl-Digest-MD5                 x86_64         2.52-3.el7              dvd          30 k
     perl-IO-Compress                noarch         2.061-2.el7             dvd         260 k
     perl-Net-Daemon                 noarch         0.48-5.el7              dvd          51 k
     perl-PlRPC                      noarch         0.2020-14.el7           dvd          36 k
     squid-migration-script          x86_64         7:3.5.20-10.el7         dvd          48 k
    
    Transaction Summary
    ==========================================================================================
    Install  1 Package (+10 Dependent packages)
    
    Total download size: 4.4 M
    Installed size: 14 M
    Is this ok [y/d/N]: y
    Downloading packages:
    ------------------------------------------------------------------------------------------
    Total                                                      10 MB/s | 4.4 MB  00:00:00     
    Running transaction check
    Running transaction test
    Transaction test succeeded
    Running transaction
      Installing : perl-Compress-Raw-Bzip2-2.061-3.el7.x86_64                            1/11 
      Installing : perl-Digest-1.17-245.el7.noarch                                       2/11 
      Installing : perl-Digest-MD5-2.52-3.el7.x86_64                                     3/11 
      Installing : 1:perl-Compress-Raw-Zlib-2.061-4.el7.x86_64                           4/11 
      Installing : perl-IO-Compress-2.061-2.el7.noarch                                   5/11 
      Installing : libecap-1.0.0-1.el7.x86_64                                            6/11 
      Installing : 7:squid-migration-script-3.5.20-10.el7.x86_64                         7/11 
      Installing : perl-Net-Daemon-0.48-5.el7.noarch                                     8/11 
      Installing : perl-PlRPC-0.2020-14.el7.noarch                                       9/11 
      Installing : perl-DBI-1.627-4.el7.x86_64                                          10/11 
      Installing : 7:squid-3.5.20-10.el7.x86_64                                         11/11 
      Verifying  : perl-Net-Daemon-0.48-5.el7.noarch                                     1/11 
      Verifying  : 7:squid-migration-script-3.5.20-10.el7.x86_64                         2/11 
      Verifying  : perl-Digest-MD5-2.52-3.el7.x86_64                                     3/11 
      Verifying  : libecap-1.0.0-1.el7.x86_64                                            4/11 
      Verifying  : perl-IO-Compress-2.061-2.el7.noarch                                   5/11 
      Verifying  : 1:perl-Compress-Raw-Zlib-2.061-4.el7.x86_64                           6/11 
      Verifying  : perl-Digest-1.17-245.el7.noarch                                       7/11 
      Verifying  : perl-DBI-1.627-4.el7.x86_64                                           8/11 
      Verifying  : perl-Compress-Raw-Bzip2-2.061-3.el7.x86_64                            9/11 
      Verifying  : perl-PlRPC-0.2020-14.el7.noarch                                      10/11 
      Verifying  : 7:squid-3.5.20-10.el7.x86_64                                         11/11 
    
    Installed:
      squid.x86_64 7:3.5.20-10.el7                                                            
    
    Dependency Installed:
      libecap.x86_64 0:1.0.0-1.el7                                                            
      perl-Compress-Raw-Bzip2.x86_64 0:2.061-3.el7                                            
      perl-Compress-Raw-Zlib.x86_64 1:2.061-4.el7                                             
      perl-DBI.x86_64 0:1.627-4.el7                                                           
      perl-Digest.noarch 0:1.17-245.el7                                                       
      perl-Digest-MD5.x86_64 0:2.52-3.el7                                                     
      perl-IO-Compress.noarch 0:2.061-2.el7                                                   
      perl-Net-Daemon.noarch 0:0.48-5.el7                                                     
      perl-PlRPC.noarch 0:0.2020-14.el7                                                       
      squid-migration-script.x86_64 7:3.5.20-10.el7                                           
    
    Complete!
    
    
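    Parameter                                       Purpose
    http_port 3128                                  Port to listen on
    cache_mem 64M                                   Size of the in-memory cache
    cache_dir ufs /var/spool/squid 2000 16 256      Size of the on-disk cache
    cache_effective_user squid                      Effective user for the cache
    cache_effective_group squid                     Effective group for the cache
    dns_nameservers [IP address]                    Usually left unset so that the server's default DNS is used
    cache_access_log /var/log/squid/access.log      Path of the access log file
    cache_log /var/log/squid/cache.log              Path of the cache log file
    visible_hostname [Name]                         Name of the Squid server

    Standard forward proxy
    //Start the service and enable it at boot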
    [root@Squid-Server ~]# systemctl restart squid
    [root@Squid-Server ~]# systemctl enable squid
    Created symlink from /etc/systemd/system/multi-user.target.wants/squid.service to /usr/lib/systemd/system/squid.service.
    
    http_access allow localnet
    http_access allow localhost

    # And finally deny all other access to this proxy
    http_access deny all

    # Squid normally listens to port 3128
    http_port 3128
    
    

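    If the firewall and SELinux are enabled and you have changed the default port number, the new port must be allowed.

    //List the current ports
    semanage port -l | grep squid_port_t
    //Add the new port number
    semanage port -a -t squid_port_t -p tcp 10000
    //List again to confirm
    semanage port -l | grep squid_port_t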
    

    Experiment 1: Allow only the client with IP address 172.16.10.10 to use the proxy service provided by Squid on the server, and refuse proxy requests from all other hosts.

    #################################################################
    acl client src 172.16.10.10
    #################################################################
    #
    # Recommended minimum Access Permission configuration:
    #
    # Deny requests to certain unsafe ports
    #################################################################
    http_access allow client
    http_access deny all
    #################################################################
    http_access deny !Safe_ports
    
    

    After changing the client's IP address and trying again, the client can no longer browse: the proxy server refuses the connection.
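
Squid evaluates http_access rules from top to bottom and the first matching rule decides, so in the experiment 1 excerpt the allowed client is accepted before the `deny !Safe_ports` guard (and the `deny CONNECT !SSL_ports` guard that follows it in the file) is reached. The check below is an added example, not part of the original article: it flags any `http_access allow` placed ahead of those two guards. The function names and both sample fragments are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the order of http_access rules in squid.conf text.
# Squid stops at the first http_access rule that matches a request.

# Read squid.conf text on stdin. Print each "http_access allow" that comes
# before both port guards; return 1 if any was found, 0 otherwise.
check_http_access_order() {
    awk '
        $1 != "http_access" { next }   # skip comments and other directives
        $2 == "deny" && $3 == "!Safe_ports" { safe = 1; next }
        $2 == "deny" && $3 == "CONNECT" && $4 == "!SSL_ports" { ssl = 1; next }
        $2 == "allow" && !(safe && ssl) {
            print "early allow at line " NR ": " $0
            bad = 1
        }
        END { exit (bad ? 1 : 0) }
    '
}

# Constructed fragment in the order used in experiment 1.
page_order() {
    cat <<'EOF'
acl client src 172.16.10.10
http_access allow client
http_access deny all
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
EOF
}

# Constructed fragment with the same policy placed after the guards.
guarded_order() {
    cat <<'EOF'
acl client src 172.16.10.10
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow client
http_access deny all
EOF
}

page_order | check_http_access_order || echo "experiment 1 order: client bypasses the port guards"
guarded_order | check_http_access_order && echo "guarded order: OK"
```

To audit a live configuration, feed the file to the function: `check_http_access_order < /etc/squid/squid.conf`.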

    Experiment 2: Block all clients from visiting sites whose URL contains the keyword linux.

    #################################################################
    #acl client src 172.16.10.10
    acl deny_keyword url_regex -i linux
    #################################################################
    #
    # Recommended minimum Access Permission configuration:
    #
    # Deny requests to certain unsafe ports
    #################################################################
    #http_access allow client
    http_access deny deny_keyword
    #http_access deny all
    
    

    Requests for URLs containing the keyword linux are refused.

    Experiment 3: Block all clients from visiting one specific site.

    #################################################################
    #acl client src 172.16.10.10
    #acl deny_keyword url_regex -i linux
    acl deny_url url_regex http://www.linuxidc.com
    #################################################################
    #
    # Recommended minimum Access Permission configuration:
    #
    # Deny requests to certain unsafe ports
    #################################################################
    #http_access allow client
    #http_access deny deny_keyword
    http_access deny deny_url
    #http_access deny all
    #################################################################
    http_access deny !Safe_ports

    # Deny CONNECT to other than secure SSL ports
    http_access deny CONNECT !SSL_ports
    
    

    Requests to the specified site are refused; other sites load normally.

    Experiment 4: Stop employees from downloading files with certain extensions inside the corporate network.

    #################################################################
    #acl client src 172.16.10.10
    #acl deny_keyword url_regex -i linux
    #acl deny_url url_regex http://www.linuxidc.com
    # The dot is escaped so that only a literal .rar or .avi suffix matches
    acl badfile urlpath_regex -i \.rar$ \.avi$
    #################################################################
    #
    # Recommended minimum Access Permission configuration:
    #
    # Deny requests to certain unsafe ports
    #################################################################
    #http_access allow client
    #http_access deny deny_keyword
    #http_access deny deny_url
    #http_access deny all
    http_access deny badfile
    #################################################################
    http_access deny !Safe_ports
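
In `urlpath_regex` an unescaped `.` matches any character, and the `$` anchor is tested against the path together with its query string. The script below is an added example, not from the original article, comparing the unescaped `.rar$ .avi$`, the escaped `\.rar$ \.avi$`, and a query-aware variant over constructed sample paths; `grep -E -i` is assumed to behave like Squid's regex matching, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: how the experiment 4 patterns treat request paths.
# Assumption: grep -E -i stands in for Squid's case-insensitive regex match.

# acl_matches STRING PATTERN...: succeed if any pattern matches STRING
# (several values on one acl line are alternatives).
acl_matches() {
    acl_subject=$1
    shift
    for acl_pattern in "$@"; do
        printf '%s\n' "$acl_subject" | grep -Eiq -- "$acl_pattern" && return 0
    done
    return 1
}

# verdict STRING PATTERN...: print DENY if the ACL matches, ALLOW otherwise.
verdict() { if acl_matches "$@"; then echo DENY; else echo ALLOW; fi; }

badfile_unescaped()   { verdict "$1" '.rar$' '.avi$'; }         # "." = any character
badfile_escaped()     { verdict "$1" '\.rar$' '\.avi$'; }       # literal dot
badfile_query_aware() { verdict "$1" '\.(rar|avi)(\?.*)?$'; }   # tolerates ?query

# Constructed sample URL paths (path plus query string, as urlpath_regex sees them).
for p in /files/backup.rar /files/MOVIE.AVI /tools/unrar /people/ravi \
         '/files/backup.rar?token=1' /index.html; do
    printf '%-28s unescaped=%-5s escaped=%-5s query-aware=%s\n' "$p" \
        "$(badfile_unescaped "$p")" "$(badfile_escaped "$p")" \
        "$(badfile_query_aware "$p")"
done
```

For HTTPS requests that reach the proxy as CONNECT, Squid sees only host:port, so a path-based ACL like this one applies to plain HTTP URLs.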
    
    
    Transparent forward proxy
    //On the client, remove the proxy setting and point the default gateway at the Squid server's address
    [root@Squid-Server ~]# echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
    [root@Squid-Server ~]# sysctl -p
    net.ipv4.ip_forward = 1
    [root@Squid-Server ~]# iptables -t nat -A POSTROUTING -p udp --dport 53 -o ens35 -j MASQUERADE
    //The interface here is the external-facing NIC
    
    http_port 3128 transparent

    # Uncomment and adjust the following to add a disk cache directory.
    cache_dir ufs /var/spool/squid 100 16 256
    [root@Squid-Server ~]# squid -k parse
    [root@Squid-Server ~]# squid -z
    2018/08/23 10:39:30| Squid is already running!  Process ID 2299
    [root@Squid-Server ~]# iptables -t nat -A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-port 3128
    [root@Squid-Server ~]# iptables -t nat -A POSTROUTING -s 172.16.10.0/24 -o ens35 -j SNAT --to 192.168.56.15
    //The interface here is the external-facing NIC
    [root@Squid-Server ~]# service iptables save
    
    
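    Reverse proxy
    //Set the host's network to NAT or DHCP mode, and edit the configuration file as follows
    http_port 192.168.56.15:80 vhost
    cache_peer 39.104.16.126 parent 80 0 originserver
    
    

    When you browse to this machine's IP address, the content you receive is actually the target site's.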

  • Original article: https://www.cnblogs.com/qdlinux/p/9636567.html