Squid proxy service

Squid proxying works in two ways:

I. Forward proxy (used in a company's office network: employees reach the Internet through the Squid proxy)

The client sends its request to the proxy server; the proxy server fetches the result from the real server and returns it to the client.

II. Reverse proxy (commonly used as a caching server for a site's static content: images, html, streaming media, js, css and so on)

The client sends its request; the proxy server returns the result from its cache, or fetches it from the origin server, keeps a cached copy for next time, and returns it to the client.

There are also two transfer modes:

1. Synchronous mode (e.g. squid): the user sends a request, which is immediately forwarded to the backend server, so a connection is established between the browser and the backend server and stays open until the request completes.

2. Asynchronous mode (e.g. nginx): the user's request goes to nginx; nginx receives all of the data and only then forwards it to the backend server; when the backend finishes, it returns the data to nginx, and nginx returns it to the user.

 

I. Forward proxy

[root@localhost ~]# yum install -y squid
[root@localhost ~]# squid -v      //check the squid version
Squid Cache: Version 3.1.10
[root@localhost ~]# rm -f /etc/squid/squid.conf     //don't use the default config
[root@localhost ~]# vim /etc/squid/squid.conf
//add the following
http_port 3128
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl SSL_ports port 443
acl Safe_ports port 80 8080         # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access allow localhost
http_access allow all           # NOTE: any client that can reach port 3128 may use the proxy (an open proxy); squid's stock config ends with "http_access deny all" instead
cache_dir aufs /data/cache 1024 16 256    # 1024 MB on disk, 16 first-level and 256 second-level directories
cache_mem 128 MB                          # memory for hot objects
hierarchy_stoplist cgi-bin ?              # never fetch URLs containing these via a cache peer
coredump_dir /var/spool/squid
# refresh_pattern: regex  min-minutes  percent  max-minutes  [options]
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern \.(jpg|png|gif|mp3|xml) 1440    50%     2880    ignore-reload
refresh_pattern .               0       20%     4320

[root@localhost ~]# squid -kcheck      //check the config file for syntax errors
1. Message: squid: ERROR: No running copy

-->  squid is not running yet; that is fine, and this message means the config file is OK.

2. Message: WARNING: Could not determine this machines public hostname. Please configure one or set 'visible_hostname'.

-->  set the hostname in the config:
[root@localhost ~]# vim /etc/squid/squid.conf
//add
visible_hostname aminglinux.com    #any name you choose

[root@localhost ~]# mkdir -p /data/cache    //create the cache directory
[root@localhost ~]# chown -R squid:squid /data/cache/
[root@localhost ~]# squid -z                //initialise the cache directories
2013/06/12 16:25:14| Creating Swap Directories
2013/06/12 16:25:14| /data/cache exists
//initialisation done
[root@localhost ~]# /etc/init.d/squid start
正在启动 squid:.                                          [确定]

  

 

Test:

1.

[root@localhost ~]# curl -xlocalhost:3128  http://www.baidu.com/
//a big chunk of HTML comes back, which shows the squid forward proxy is working


2.

[root@localhost ~]# curl -xlocalhost:3128 http://www.lishiming.net/static/image/common/logo.png -I
HTTP/1.0 200 OK
Server: nginx/1.0.0
Date: Sat, 08 Jun 2013 04:30:17 GMT
Content-Type: image/png
Content-Length: 7785
Last-Modified: Wed, 13 Jan 2010 03:33:47 GMT
Accept-Ranges: bytes
X-Cache: HIT from dx_cache216.5d6d.com
X-Cache: MISS from localhost.localdomain
X-Cache-Lookup: MISS from localhost.localdomain:3128
Via: 1.0 dx_cache216.5d6d.com:80 (squid), 1.0 localhost.localdomain (squid/3.1.10)
Connection: keep-alive

[root@localhost ~]# curl -xlocalhost:3128 http://www.lishiming.net/static/image/common/logo.png -I
HTTP/1.0 200 OK
Server: nginx/1.0.0
Content-Type: image/png
Content-Length: 7785
Last-Modified: Wed, 13 Jan 2010 03:33:47 GMT
Accept-Ranges: bytes
Date: Sat, 08 Jun 2013 04:30:17 GMT
X-Cache: HIT from dx_cache216.5d6d.com
Age: 360898
Warning: 113 localhost.localdomain (squid/3.1.10) This cache hit is still fresh and more than 1 day old
X-Cache: HIT from localhost.localdomain
X-Cache-Lookup: HIT from localhost.localdomain:3128
Via: 1.0 dx_cache216.5d6d.com:80 (squid), 1.0 localhost.localdomain (squid/3.1.10)
Connection: keep-alive
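
The two responses above show the local squid going from MISS to HIT on the repeat request. As an added example (not part of the original post), here is a small Python parser for such curl -I output that reads the per-hop X-Cache headers, Age and Warning codes and reports whether the local squid served the object from its own cache; the sample inputs are the page's two responses trimmed to the relevant headers, and the local hostname parameter is an assumption.

```python
# Sample input: the two responses shown above, trimmed to the cache-related headers.
FIRST = """HTTP/1.0 200 OK
Server: nginx/1.0.0
Content-Type: image/png
X-Cache: HIT from dx_cache216.5d6d.com
X-Cache: MISS from localhost.localdomain
X-Cache-Lookup: MISS from localhost.localdomain:3128
Via: 1.0 dx_cache216.5d6d.com:80 (squid), 1.0 localhost.localdomain (squid/3.1.10)
"""
SECOND = """HTTP/1.0 200 OK
Server: nginx/1.0.0
Content-Type: image/png
X-Cache: HIT from dx_cache216.5d6d.com
Age: 360898
Warning: 113 localhost.localdomain (squid/3.1.10) This cache hit is still fresh and more than 1 day old
X-Cache: HIT from localhost.localdomain
X-Cache-Lookup: HIT from localhost.localdomain:3128
Via: 1.0 dx_cache216.5d6d.com:80 (squid), 1.0 localhost.localdomain (squid/3.1.10)
"""

def cache_status(raw, local="localhost.localdomain"):
    """Summarise one 'curl -I' response: each cache on the path adds its own X-Cache header
    (origin side first), Age is the seconds the copy has sat in caches, Warning carries
    HTTP warn-codes such as 113 (heuristic expiration). `local` is the local squid's name."""
    lines = raw.strip().splitlines()
    status = int(lines[0].split()[1])                                   # "HTTP/1.0 200 OK" -> 200
    hdrs = [(k.strip().lower(), v.strip()) for k, v in (l.split(":", 1) for l in lines[1:] if ":" in l)]
    hops = [tuple(v.split(" from ", 1)) for k, v in hdrs if k == "x-cache"]  # ("HIT", "host")
    return {
        "status": status,
        "hops": hops,
        "local_hit": any(res == "HIT" and host == local for res, host in hops),
        "age": next((int(v) for k, v in hdrs if k == "age"), None),
        "warnings": [v.split()[0] for k, v in hdrs if k == "warning"],
    }

def cache_warmed(first_raw, second_raw, local="localhost.localdomain"):
    """True when the local squid missed on the first request and hit on the repeat,
    which is what the second test above is checking for."""
    a, b = cache_status(first_raw, local), cache_status(second_raw, local)
    return not a["local_hit"] and b["local_hit"]

if __name__ == "__main__":
    print(cache_status(SECOND))
    print("cache warmed between the two requests:", cache_warmed(FIRST, SECOND))
```

The upstream hop (dx_cache216.5d6d.com) reports HIT in both responses; only the local hop changes, so the check deliberately keys on the local hostname.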


3. Configure a whitelist: the machine can only reach sites on the whitelist

[root@localhost ~]# vim /etc/squid/squid.conf
...
...
acl CONNECT method CONNECT
#add the following below this line
acl http proto HTTP
acl good_domain dstdomain .lishiming.net .aminglinux.com   # a leading dot matches the domain and all its subdomains
http_access allow http good_domain
http_access deny http !good_domain

[root@localhost ~]# /etc/init.d/squid restart
[root@localhost ~]# curl -xlocalhost:3128 http://www.baidu.com/ -I
HTTP/1.0 403 Forbidden
Server: squid/3.1.23
Mime-Version: 1.0
Date: Fri, 15 Apr 2016 16:32:28 GMT
Content-Type: text/html
Content-Length: 3274
X-Squid-Error: ERR_ACCESS_DENIED 0
Vary: Accept-Language
Content-Language: en
X-Cache: MISS from localhost.localdomain
X-Cache-Lookup: NONE from localhost.localdomain:3128
Via: 1.0 localhost.localdomain (squid/3.1.23)
Connection: keep-alive


4. Configure a blacklist: the machine cannot reach sites on the blacklist
acl http proto HTTP
acl bad_domain dstdomain .sina.com .souhu.com
http_access allow http !bad_domain
http_access deny http bad_domain
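
To see how squid decides between these allow/deny lines, here is an added example (not from the original post and not squid's own code): a simplified Python model of squid's first-match http_access evaluation, run over a condensed version of the forward-proxy config above with the whitelist inserted. The client addresses and hostnames in the demo are made-up test values, and the "all" ACL is assumed to be predefined as it is in squid 3.x; the model covers only the ACL types used on this page.

```python
import ipaddress
# Condensed from the forward-proxy config above plus the whitelist (manager/localhost/CONNECT lines omitted)
CONF = """
acl localnet src 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
acl Safe_ports port 80 8080 21 443
acl http proto HTTP
acl good_domain dstdomain .lishiming.net .aminglinux.com
http_access allow http good_domain
http_access deny http !good_domain
http_access deny !Safe_ports
http_access allow localnet
http_access allow all
"""

def parse_conf(text):
    # 'acl NAME TYPE VALUES...' (repeating NAME ORs in more values) and http_access lines in file order
    acls, rules = {"all": ("src", ["0.0.0.0/0", "::/0"])}, []  # assumption: 'all' predefined as in squid 3.x
    for parts in (line.split("#")[0].split() for line in text.splitlines()):
        if parts[:1] == ["acl"]:
            acls.setdefault(parts[1], (parts[2], []))[1].extend(parts[3:])
        elif parts[:1] == ["http_access"]:
            rules.append((parts[1] == "allow", parts[2:]))
    return acls, rules

def acl_matches(kind, values, req):
    # an ACL matches when any one of its values matches (src/dst CIDR, dstdomain, port, proto, method)
    if kind in ("src", "dst"):
        return any(ipaddress.ip_address(req[kind]) in ipaddress.ip_network(v, strict=False) for v in values)
    if kind == "dstdomain":  # ".example.com" covers the domain and all subdomains; no leading dot = exact
        h = req["host"].lower()
        return any(h == v.lstrip(".") or (v[0] == "." and h.endswith(v)) for v in values)
    return str(req[kind]).upper() in [v.upper() for v in values]

def http_access(acls, rules, req):
    # first line whose ACLs all match decides ('!' negates one ACL); no match -> opposite of the last line
    for allow, terms in rules:
        if all(acl_matches(*acls[t.lstrip("!")], req) != t.startswith("!") for t in terms):
            return allow
    return not rules[-1][0]

def check(conf, src, method, proto, host, port):
    req = {"src": src, "method": method, "proto": proto, "host": host, "port": port}
    return "allow" if http_access(*parse_conf(conf), req) else "deny"

if __name__ == "__main__":  # made-up clients: baidu is denied by the whitelist; lishiming on 8443 is
    # allowed since the whitelist sits above "deny !Safe_ports"; FTP from outside the LAN hits "allow all"
    for args in (("192.168.1.10", "GET", "HTTP", "www.baidu.com", 80),
                 ("192.168.1.10", "GET", "HTTP", "www.lishiming.net", 8443),
                 ("203.0.113.5", "GET", "FTP", "ftp.lishiming.net", 21)):
        print(args[3], args[4], "->", check(CONF, *args))
```

Because the whitelist lines are inserted above "deny !Safe_ports" and only cover proto HTTP, the ordering matters: the same two lines placed after the Safe_ports check, with "allow all" replaced by "deny all", would close both gaps the demo prints.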

  

 

Scenario:

In an office, the network administrator often needs to block certain ports and network destinations, both to keep things secure and to keep staff focused on their work.

In that case we build a forward proxy, choosing another server in the machine room that can reach the external network.

=============== separator ===============

II. Reverse proxy

[root@localhost ~]# vim /etc/squid/squid.conf
http_port 3128   #change to: http_port 80 accel vhost vport
...
...
#append at the end of the file
cache_peer 123.125.119.147 parent 80 0 originserver name=a   # HTTP port 80, ICP port 0 (none); originserver = treat the peer as the origin
cache_peer 61.135.169.125 parent 80 0 originserver name=b
cache_peer_domain a www.qq.com
cache_peer_domain b www.baidu.com

[root@localhost ~]# /etc/init.d/squid restart
[root@localhost ~]# curl -xlocalhost:80 http://www.baidu.com/ -I
[root@localhost ~]# curl -xlocalhost:80 http://www.qq.com/ -I
[root@localhost ~]# curl -xlocalhost:80 http://www.sina.com/ -I
#you will find that baidu.com and qq.com are served normally, while sina.com returns 503

  

 

=============== separator ===============

III. squid command-line options

1.
[root@localhost ~]# squid -h
Usage: squid [-cdhvzCFNRVYX] [-s | -l facility] [-f config-file] [-[au] port] [-k signal]
    -a port   Specify HTTP port number (default: 3128).
    -d level  Write debugging to stderr also.
    -f file   Use given config-file instead of
              /etc/squid/squid.conf
    -h        Print help message.
    -k reconfigure|rotate|shutdown|interrupt|kill|debug|check|parse
              Parse configuration file, then send signal to
              running copy (except -k parse) and exit.
    -s | -l facility
              Enable logging to syslog.
    -u port   Specify ICP port number (default: 3130), disable with 0.
    -v        Print version.
    -z        Create swap directories
    -C        Do not catch fatal signals.
    -D        OBSOLETE. Scheduled for removal.
    -F        Don't serve any requests until store is rebuilt.
    -N        No daemon mode.
    -R        Do not set REUSEADDR on port.
    -S        Double-check swap during rebuild.
    -X        Force full debugging.
    -Y        Only return UDP_HIT or UDP_MISS_NOFETCH during fast reload.





2.
[root@localhost ~]# squid -kche   //same as squid -kcheck (the signal name may be abbreviated)
[root@localhost ~]# squid -krec    //reload the config (same as squid -kreconfigure)

  

 

posted @ 2016-04-16 15:35  Frankiee