Implementing a proxy with squid
Preparation: the box needs two network cards with two IPs
192.168.1.142 (upstream side) and 192.168.142.1 (LAN side, the clients' gateway)
yum install squid
*************************************************************************************************
Forward proxy
vi /etc/squid/squid.conf
acl SSL_ports port 443 #acl rule: the only port CONNECT may tunnel to
acl CONNECT method CONNECT
acl mynet src 192.168.142.2/32 #acl for the test: tag the single host 192.168.142.2 as mynet so it can be blocked below
http_access deny !Safe_ports #Safe_ports and localnet are the acls defined earlier in the stock squid.conf; only the changed lines are shown here
http_access deny CONNECT !SSL_ports
http_access deny mynet #block mynet; it must sit above any allow line, http_access rules are matched top to bottom and the first match wins
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost
http_access allow all #lets everyone proxy; anything that can reach port 3128 on 192.168.1.142 then has an open proxy, so on a real deployment rely on "allow localnet" and end the list with "deny all" instead
http_port 3128 #listening port
cache_dir ufs /var/spool/squid 100 16 256 #cache directory: 100 MB on disk, 16 first-level and 256 second-level subdirectories
coredump_dir /var/spool/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
cache_mem 99 MB
maximum_object_size 20 MB
maximum_object_size_in_memory 20 MB
cache_swap_low 90
cache_swap_high 95
Set up the client: point the browser or system proxy setting at the LAN address of this box, 192.168.142.1, port 3128. A request from 192.168.142.2 should now be refused (it shows up as TCP_DENIED/403 in /var/log/squid/access.log) while the other LAN hosts go through.
**************************************************************************************************************************
Proxy with user name and password
vi /etc/squid/squid.conf
acl SSL_ports port 443
acl CONNECT method CONNECT
auth_param basic program /usr/lib64/squid/basic_ncsa_auth /etc/squid/passwd #helper that checks credentials against the htpasswd-style file (under /usr/lib/squid/ on 32-bit builds)
auth_param basic children 5
auth_param basic realm mima #the "realm" keyword was missing in the original line; this is the text the browser shows in its login prompt
auth_param basic credentialsttl 2 hours
acl lookwest proxy_auth REQUIRED #matches any request carrying valid credentials; a request without them triggers the 407 challenge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow lookwest #placed after the port checks on purpose: in the original it came first, which let any logged-in user CONNECT to arbitrary ports
http_access allow localnet
http_access allow localhost
http_access deny all
http_port 3128
cache_dir ufs /var/spool/squid 100 16 256
coredump_dir /var/spool/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
cache_mem 99 MB
maximum_object_size 20 MB
maximum_object_size_in_memory 20 MB
cache_swap_low 90
cache_swap_high 95
Basic auth sends the user name and password base64-encoded, in the clear, with every request, so use it only on a LAN you trust.
3. Create the user name and password
htpasswd comes with the httpd-tools package (yum install httpd-tools); it is on the PATH, or in the bin directory of your httpd install. Run
htpasswd -c /etc/squid/passwd YOUR_NAME
It prompts for the password; type it and it is stored hashed.
This writes the login user name and password into /etc/squid/passwd. -c creates the file and overwrites it if it already exists, so add further users without -c. The file is the credential database: make it owned by root, group squid, mode 640, so the helper can read it and nobody else can.
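As an added example (not part of these notes, nor Squid's or httpd's own tooling), the script below maintains the passwd file in the {SHA} format that basic_ncsa_auth accepts, the same format `htpasswd -s` writes, so users can be added or rotated from a script without clobbering the file the way a repeated `htpasswd -c` does. The user names, passwords and the temporary path standing in for /etc/squid/passwd are assumptions for the demo. {SHA} is unsalted; for a production file prefer `htpasswd -m` (salted MD5-crypt), which the helper also accepts.

```python
"""Maintain an htpasswd-style file for Squid's basic_ncsa_auth helper.

Added example, not from the original notes or from Squid itself. Entries use
the "{SHA}" format (base64 of the raw SHA-1 of the password) that
`htpasswd -s` produces and basic_ncsa_auth accepts. Paths, user names and
passwords below are assumptions for the demo.
"""
import base64
import hashlib
import hmac
import os
import tempfile


def sha_digest(password: str) -> str:
    """base64(SHA-1(password)), the payload after the {SHA} prefix."""
    return base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()


def sha_entry(user: str, password: str) -> str:
    """One passwd line, e.g. 'alice:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g='."""
    if not user or ":" in user:
        raise ValueError("user name must be non-empty and contain no ':'")
    return f"{user}:{{SHA}}{sha_digest(password)}"


def verify(line: str, password: str) -> bool:
    """Check a password against one {SHA} line, in constant time."""
    _user, _sep, stored = line.rstrip("\n").partition(":")
    if not stored.startswith("{SHA}"):
        return False  # DES/MD5-crypt entries are not handled here
    return hmac.compare_digest(stored[len("{SHA}"):], sha_digest(password))


def set_password(path: str, user: str, password: str) -> None:
    """Add or replace `user` in `path`, keeping every other user.

    `htpasswd -c` truncates the file on every call; this rewrites it
    atomically and leaves it readable only by owner and group (0640).
    """
    lines = []
    if os.path.exists(path):
        with open(path) as f:
            lines = [l.rstrip("\n") for l in f if l.strip()]
    lines = [l for l in lines if l.split(":", 1)[0] != user]
    lines.append(sha_entry(user, password))
    tmp = path + ".tmp"
    with open(tmp, "w") as f:
        f.write("\n".join(lines) + "\n")
    os.chmod(tmp, 0o640)
    os.replace(tmp, path)


def lookup(path: str, user: str, password: str) -> bool:
    """Authenticate the way the helper does: find the user's line, verify."""
    with open(path) as f:
        for line in f:
            if line.split(":", 1)[0] == user:
                return verify(line, password)
    return False


def demo() -> dict:
    """Round trip on a temporary file standing in for /etc/squid/passwd."""
    path = os.path.join(tempfile.mkdtemp(), "passwd")
    set_password(path, "alice", "s3cret")
    set_password(path, "bob", "hunter2")
    set_password(path, "alice", "newpass")  # rotate alice; bob must survive
    with open(path) as f:
        users = [l.split(":", 1)[0] for l in f]
    return {
        "users": users,
        "alice_new": lookup(path, "alice", "newpass"),
        "alice_old": lookup(path, "alice", "s3cret"),
        "bob": lookup(path, "bob", "hunter2"),
        "mode": oct(os.stat(path).st_mode & 0o777),
    }


if __name__ == "__main__":
    print(demo())
```

sha_entry("alice", "password") gives the same line as `htpasswd -nbs alice password`, which is a quick way to confirm the format before pointing auth_param at a generated file.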
4. service squid restart (or systemctl restart squid) restarts squid; run squid -k parse first to catch syntax errors in the config
If something does not work, look at the logs under /var/log/squid: cache.log for start-up and helper errors, access.log for every request with its TCP_DENIED/TCP_MISS result and status code
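The access.log is also the place to verify that the policy behaves as intended. The script below is an added example, not part of these notes: it parses Squid's native log format and reports, per client, which requests were challenged (407), denied (403) or allowed, then flags clients that never get past the challenge (wrong or missing credentials, or a guessing attempt), CONNECT requests refused by the Safe_ports/SSL_ports rules, and requests that were allowed with no user name, which is what an "http_access allow all" left in front of the auth rule would produce. It serves the forward-proxy section's deny mynet test in the same way (a 403 on a GET). The log lines are constructed for the demo, not a capture, and the threshold of three challenges is an assumption.

```python
"""Check Squid's access policy from /var/log/squid/access.log.

Added example, not part of the original notes. Parses the native Squid log
format and summarises challenged / denied / allowed requests per client.
Log lines are constructed for the demo; the threshold is an assumption.
"""
import re
from collections import Counter, defaultdict

# Constructed sample in the native format:
# time elapsed client result/status bytes method URL user hierarchy/peer type
SAMPLE_LOG = """\
1700000000.001    120 192.168.142.2 TCP_DENIED/407 3961 GET http://www.example.com/ - HIER_NONE/- text/html
1700000000.250    340 192.168.142.2 TCP_MISS/200 1256 GET http://www.example.com/ alice HIER_DIRECT/93.184.216.34 text/html
1700000001.100    900 192.168.142.2 TCP_TUNNEL/200 5120 CONNECT www.example.com:443 alice HIER_DIRECT/93.184.216.34 -
1700000001.500      3 192.168.142.2 TCP_DENIED/403 3842 CONNECT www.example.com:22 alice HIER_NONE/- text/html
1700000002.000     50 192.168.142.3 TCP_DENIED/407 3961 GET http://www.example.com/ - HIER_NONE/- text/html
1700000002.400     48 192.168.142.3 TCP_DENIED/407 3961 GET http://www.example.com/ - HIER_NONE/- text/html
1700000002.800     51 192.168.142.3 TCP_DENIED/407 3961 GET http://www.example.com/ - HIER_NONE/- text/html
1700000003.000    210 10.0.0.9 TCP_MISS/200 1256 GET http://www.example.com/ - HIER_DIRECT/93.184.216.34 text/html
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<ms>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>\S+)\s+(?P<ctype>\S+)$"
)


def parse(text: str) -> list:
    """Split log text into dicts; lines that do not parse are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["status"] = int(d["status"])
            events.append(d)
    return events


def connect_port(url: str):
    """Port of a CONNECT target like 'host:22'; None for ordinary URLs."""
    _host, _sep, port = url.rpartition(":")
    return int(port) if port.isdigit() else None


def analyse(events: list, challenge_threshold: int = 3) -> dict:
    """Per-client counters plus the three findings described in the lead-in."""
    by_client = defaultdict(Counter)
    by_user = Counter()
    denied_ports, unauthenticated_hits = [], []
    for e in events:
        c = by_client[e["client"]]
        if e["status"] == 407:
            c["challenged"] += 1          # auth challenge, no credentials accepted yet
        elif e["status"] == 403:
            c["denied"] += 1              # refused by an http_access deny rule
            if e["method"] == "CONNECT":
                denied_ports.append((e["client"], connect_port(e["url"])))
        else:
            c["allowed"] += 1
            if e["user"] == "-":          # served without a user name: auth not enforced
                unauthenticated_hits.append((e["client"], e["url"]))
            else:
                by_user[e["user"]] += 1
    suspect = sorted(
        client for client, c in by_client.items()
        if c["challenged"] >= challenge_threshold and c["allowed"] == 0
    )
    return {
        "by_client": by_client,
        "by_user": by_user,
        "denied_ports": denied_ports,
        "unauthenticated_hits": unauthenticated_hits,
        "suspect_clients": suspect,
    }


if __name__ == "__main__":
    report = analyse(parse(SAMPLE_LOG))
    for client, counts in sorted(report["by_client"].items()):
        print(client, dict(counts))
    print("denied CONNECT ports:", report["denied_ports"])
    print("allowed without auth:", report["unauthenticated_hits"])
    print("never authenticated:", report["suspect_clients"])
```

On a live box feed it the real file (`analyse(parse(open("/var/log/squid/access.log").read()))`); an empty "unauthenticated_hits" list is the check that the auth rule actually sits in front of every allow.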
*********************************************************************************************************************************
Transparent proxy: squid + iptables
vi /etc/squid/squid.conf
acl SSL_ports port 443
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager #the original had "allow manager" here, which would expose the cache manager interface to every client; keep the stock deny
http_access allow localnet
http_access allow localhost
http_access allow all #same open-proxy caveat as in the forward proxy section; the redirect below only catches clients on the LAN interface, but the port itself stays reachable from the upstream side unless iptables blocks it
http_port 3128 transparent #"transparent" is the old keyword; on Squid 3.1 and later use "intercept". Since 3.2 an intercept port refuses ordinary proxy requests, so clients that still set the proxy explicitly need a second http_port on another port
dns_nameservers 222.222.202.202
dns_nameservers 222.222.222.222
cache_dir ufs /var/spool/squid 100 16 256
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
iptables -t nat -I POSTROUTING -s 192.168.142.0/24 -j SNAT --to 192.168.1.142 #NAT the LAN traffic that is not intercepted (everything but port 80) behind the upstream address
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-ports 3128 #eth1 is the LAN interface carrying 192.168.142.1; only port 80 is diverted to squid, HTTPS is just NATed straight through, so nothing on 443 is filtered or cached
vi /etc/sysctl.conf
net.ipv4.ip_forward=1 #apply with sysctl -p; the iptables rules are not persistent either, save them (service iptables save, or iptables-save) or they are gone after a reboot
systemctl restart squid
Clients do not set a proxy: they only use 192.168.142.1 as their default gateway (and a DNS server they can reach).
***********************************************************************************************************************
Reverse proxy
vi /etc/squid/squid.conf
acl SSL_ports port 443
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost
http_access deny all #with this order only localnet clients can reach the accelerated site; to publish it, add an acl for the site (dstdomain www.aaa.com) and allow it above this deny
http_port 80 vhost vport #accelerator mode, routing by Host header; newer Squid versions write the mode out explicitly as "http_port 80 accel vhost vport"
cache_peer 192.168.1.148 parent 80 0 no-query originserver name=aaa #the backend web server
cache_peer_domain aaa www.aaa.com #only requests for www.aaa.com are sent to this peer
coredump_dir /var/spool/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
Watch DNS resolution: clients must resolve www.aaa.com to squid's address (192.168.1.142), and the backend at 192.168.1.148 must answer for that Host header. Keep cache_peer_domain in place, otherwise requests for any other Host name would be forwarded to the backend as well.
*************************************************************************************************************************
Squid with TLS (HTTPS reverse proxy)
The config file is
acl SSL_ports port 443
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost
http_port 80 vhost vport
cache_peer 192.168.1.148 parent 80 0 no-query originserver name=aaa
cache_peer_domain aaa www.aaa.com
https_port 443 accel cert=/etc/pki/tls/certs/han.pem key=/etc/pki/tls/certs/han.pem vhost #han.pem holds both the certificate and the private key, so it must be readable by the squid user only (mode 600); the certificate has to be issued for www.aaa.com or browsers will warn
acl SITE_AAA_SSL myport 443 #requests that arrived on the https port
cache_peer 192.168.1.148 parent 443 0 no-query originserver login=PASS ssl sslflags=DONT_VERIFY_PEER name=ACCEL_AAA_SSL #TLS on the backend leg too; login=PASS forwards the client's credentials to the backend; DONT_VERIFY_PEER skips checking the backend certificate, tolerable only because 192.168.1.148 is on a directly attached network, otherwise verify it (sslcafile=, tls-cafile= on Squid 4)
cache_peer_access ACCEL_AAA_SSL allow SITE_AAA_SSL #this peer only serves requests that came in on 443
http_access allow SITE_AAA_SSL #must come before deny all: http_access is first-match, and in the original this line sat below deny all and was never reached
http_access deny all
coredump_dir /var/spool/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
Note that the web backend does not have to use the same key as squid: squid presents han.pem to browsers and opens its own TLS connection to the backend, which may carry the same certificate but does not need to. Open port 443 in the firewall on 192.168.1.142.