Squid proxy server: detailed deployment

Squid mainly provides cache acceleration and application-layer filtering and access control.

1, Working mechanism

1. Squid fetches data from the website on the client's behalf, so the client's real IP address is hidden from the destination site.
2. It stores the fetched Web page data (static Web elements) in its cache and sends it to the client, so that the next request for the same data can be answered quickly from the cache.

2, Types of Squid proxy

Traditional (forward) proxy:
Used for Internet access; the proxy server's address and port must be configured on the client.

Transparent proxy:
The client does not configure a proxy address or port; Web traffic is sent to the proxy by the default route and redirected to Squid by a firewall (NAT) policy on the gateway.

Reverse proxy:
If the requested resource is already cached on the Squid reverse proxy, it is returned to the client directly; otherwise the reverse proxy requests it from the backend Web server, returns the response to the client, and also caches the response locally for the next requester.

3, Building the lab environment

Install the Squid service

(1) Turn off the firewall (lab shortcut only; in production keep firewalld and SELinux enabled and open just the proxy port, as shown in the firewall step further down)

systemctl stop firewalld
systemctl disable firewalld
setenforce 0

(2) Compile and install Squid

yum -y install gcc gcc-c++ make
tar zxvf squid-3.5.28.tar.gz -C /opt/
cd /opt/squid-3.5.28
./configure --prefix=/usr/local/squid \
--sysconfdir=/etc \
--enable-arp-acl \
--enable-linux-netfilter \
--enable-linux-tproxy \
--enable-async-io=100 \
--enable-err-language="Simplify_Chinese" \
--enable-underscore \
--enable-poll \
--enable-gnuregex
make && make install

ln -s /usr/local/squid/sbin/* /usr/local/sbin/    # put the squid binaries on PATH

useradd -M -s /sbin/nologin squid                 # unprivileged program user: no home directory, no login shell

chown -R squid:squid /usr/local/squid/var/        # squid drops privileges to this user, so it must own the cache and log directories

(3) Modify Squid's configuration file

vim /etc/squid.conf

----56 Row insertion----
http_access allow all				# Must come before "http_access deny all" (first match wins). This lets ANY client use the proxy, which is acceptable only on an isolated lab network; in production replace "all" with an ACL for your client subnets, otherwise you are running an open proxy
http_access deny all
http_port 3128						# Address and port the proxy listens on (default 3128); if the host has an Internet-facing interface, bind to the intranet address only, e.g. 192.168.90.10:3128

----61 Row insertion----
cache_effective_user squid			# User Squid switches to when initialising and running the cache; it must match the owner of /usr/local/squid/var set above, otherwise startup fails
cache_effective_group squid			# Primary group of that user

----68 Row modification----
coredump_dir /usr/local/squid/var/cache/squid		# Directory where Squid writes a core dump if it crashes (the cache location itself is set separately by cache_dir)

(4) Squid operation control

# Check that the configuration file syntax is correct
squid -k parse

# Start Squid
squid -z					# -z initialises the cache directories; run it once before the first start
squid						# start the squid service

netstat -anpt | grep "squid"		# or: ss -lntp | grep squid

(5) Create a Squid service script

vim /etc/init.d/squid
#!/bin/bash
#chkconfig: 2345 90 25
PID="/usr/local/squid/var/run/squid.pid"
CONF="/etc/squid.conf"
CMD="/usr/local/squid/sbin/squid"

case "$1" in
   start)
     # Consider squid running if it already owns a socket
     if netstat -natp 2>/dev/null | grep -q squid
     then
       echo "squid is running"
     else
       echo "Starting squid..."
       $CMD -f "$CONF"
     fi
   ;;
   stop)
     # -k kill stops immediately; -k shutdown is the graceful variant that waits for clients to finish
     $CMD -k kill &> /dev/null
     rm -f "$PID" &> /dev/null
   ;;
   status)
     if [ -f "$PID" ]
     then
       netstat -natp | grep squid
     else
       echo "squid is not running"
     fi
   ;;
   restart)
     echo "Closing squid..."
     $0 stop &> /dev/null
     echo "Starting squid..."
     $0 start &> /dev/null
   ;;
   reload)
     $CMD -k reconfigure		# re-read squid.conf without dropping client connections
   ;;
   check)
     $CMD -k parse			# syntax check only
   ;;
   *)
     echo "Usage: $0 {start|stop|status|reload|check|restart}"
   ;;
esac

In the "#chkconfig: 2345 90 25" header, 2345 are the runlevels at which the service starts automatically (a "-" in that position means it starts at no runlevel); 90 is the start priority and 25 the stop priority, in the range 0-99, where a higher number means the script runs later (i.e. lower priority).

chmod +x /etc/init.d/squid
chkconfig --add squid
chkconfig --level 35 squid on

Building a traditional proxy server

vim /etc/squid.conf
http_access allow all
http_access deny all
http_port 3128
cache_effective_user squid
cache_effective_group squid

----63 Row insertion----
cache_mem 64 MB				# Memory used to hold frequently accessed Web objects; preferably a multiple of 4 MB and no more than about 1/4 of physical RAM
reply_body_max_size 10 MB			# Largest response body a client may download (size with unit). Larger objects produce a "The request or reply is too large" error page. The default, 0, means no limit
maximum_object_size 4096 KB			# Largest object that will be stored in the cache; larger objects are still forwarded to the client, just not cached

service squid restart    # or: systemctl restart squid

In production the firewall stays enabled and only the proxy port is opened. Note that "iptables -F" flushes every existing rule; that is a lab shortcut, on a live box insert only the ACCEPT rule, restricted to the client network:

iptables -F
iptables -I INPUT -p tcp --dport 3128 -j ACCEPT
iptables -I INPUT -s 192.168.90.0/24 -p tcp --dport 3128 -j ACCEPT    # production form: only the client subnet may reach the proxy port

Proxy configuration on the client

Open the browser, Tools -> Internet Options -> Connections -> LAN settings -> enable the proxy server (address: Squid server IP address, port: 3128)


Note: the Web server being accessed must be running an HTTP service

Check the new entries in the Squid access log

tail -f /usr/local/squid/var/logs/access.log


Building a transparent proxy server
(1) Network addresses

Squid Server: two NICs, intranet ens33: 192.168.90.10, extranet ens36: 12.0.0.1
Web Server: 12.0.0.12
Client: 192.168.90.100 (its default gateway must be the Squid server's intranet address, 192.168.90.10, otherwise the traffic never reaches the redirect rule)

(2) Squid server configuration

vim /etc/squid.conf

http_access allow all
http_access deny all

----60 Row modification----
Bind to the intranet IP address and enable interception. "transparent" is the old spelling of the option; Squid 3.1 and later prefer "intercept". An intercept port cannot also serve browsers that are explicitly configured to use the proxy; add a second plain http_port for those.
http_port 192.168.90.10:3128 transparent

systemctl restart squid


(3) Turn on IP forwarding so the machine routes between the two network segments

echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
sysctl -p

Modify the firewall rules
iptables -F
iptables -t nat -F
iptables -t nat -I PREROUTING -i ens33 -s 192.168.90.0/24 -p tcp --dport 80 -j REDIRECT --to 3128	# redirect plain HTTP from the intranet to Squid
iptables -I INPUT -p tcp --dport 3128 -j ACCEPT

Do not redirect port 443 to this port: an HTTP intercept port cannot terminate TLS, so the browser would get a connection error for every HTTPS site. Intercepting HTTPS requires a separate https_port with ssl-bump and a CA certificate that the clients trust, which this lab does not set up; leave 443 to be routed normally. Traffic that is not redirected (including that HTTPS) is only forwarded, so the extranet side also needs a return route or SNAT for 192.168.90.0/24 to work.

(4) Web server configuration

yum install -y httpd
systemctl start httpd

On the client, remove the proxy settings configured in the browser earlier, then access http://12.0.0.12 ; the request should still show up in the Squid access log even though the browser has no proxy configured.

4, ACL access control

In the configuration file squid.conf, ACL access control is done in two steps:
(1) define the conditions to be controlled with acl entries;
(2) allow or deny the defined lists with http_access entries. Squid evaluates the http_access lines top to bottom and uses the first one that matches, so their order decides the result.

1. Define access control lists

Format:
acl <list name> <list type> <list content>

vim /etc/squid.conf
......
acl localhost src 192.168.90.10/32 					# Source address 192.168.90.10 (localhost is already a built-in ACL for 127.0.0.1 in Squid 3.2 and later, so this line extends it; pick a new name to avoid confusion)
acl MYLAN src 192.168.90.0/24 192.168.1.0/24		# Client network segments
acl destionhost dst 192.168.90.13/32				# Destination address 192.168.90.13
acl MC20 maxconn 20									# Matches a client with more than 20 concurrent connections
acl PORT port 21									# Destination port 21
acl DMBLOCK dstdomain .qq.com						# Destination domain, matching every host under qq.com
acl BURL url_regex -i ^rtsp:// ^emule:// 			# URLs starting with rtsp:// or emule://; -i ignores case
acl PURL urlpath_regex -i \.mp3$ \.mp4$ \.rmvb$		# URL paths ending in .mp3, .mp4 or .rmvb
acl WORKTIME time MTWHF 08:30-17:30					# Monday to Friday, 08:30 to 17:30; "MTWHF" are the first letters of the weekday names

2. Using an object list stored in a file

mkdir /etc/squid
vim /etc/squid/dest.list
192.168.90.20             # addresses to allow or deny, one per line; here the Web server's address
192.168.1.0/24

Note: the client browser must still point at the proxy when testing ACLs, otherwise the rules are never consulted

vim /etc/squid.conf
......
acl destionhost dst "/etc/squid/dest.list"			# load the list contents from the file
......
http_access deny destionhost				# a deny rule must be placed BEFORE "http_access allow all"; placed after it, it is never reached because "allow all" already matched (use "allow destionhost" instead for an allow list)
service squid reload    # reload the configuration; run "squid -k parse" first to catch syntax errors
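To make the ordering rule concrete, here is an added example written for this page (it is not Squid code) that evaluates http_access lines with Squid's first-match semantics for the src and dst ACL types only. The two configuration snippets it tests are constructed: BROKEN_ORDER is the "deny after allow all" mistake warned about above, FIXED_ORDER the corrected layout; the ACL names MYLAN and destionhost mirror the ones used on this page.

```python
"""First-match evaluator for Squid http_access ordering (added example, not Squid code).

Understands only the subset of squid.conf used on this page:
  acl NAME src|dst CIDR [CIDR...]
  http_access allow|deny NAME [NAME...]
Everything else is ignored, so it can show offline why a deny rule placed
after "http_access allow all" is dead.
"""
import ipaddress


def parse_rules(conf_text):
    """Return (acls, rules).

    acls maps an ACL name to (kind, [ip_network, ...]); repeating an acl
    name ORs the new values into the same list, as Squid does.
    rules is the ordered list of (action, [acl names]) http_access lines.
    """
    acls, rules = {}, []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl" and len(parts) > 3 and parts[2] in ("src", "dst"):
            kind, nets = acls.setdefault(parts[1], (parts[2], []))
            if kind != parts[2]:
                raise ValueError("acl %s redefined with another type" % parts[1])
            nets.extend(ipaddress.ip_network(p, strict=False) for p in parts[3:])
        elif parts[0] == "http_access" and len(parts) > 2:
            rules.append((parts[1], parts[2:]))
    return acls, rules


def acl_matches(acls, name, src, dst):
    """True if the named ACL matches a request from src to dst."""
    if name == "all":                                 # built-in ACL, always matches
        return True
    kind, nets = acls[name]
    addr = ipaddress.ip_address(src if kind == "src" else dst)
    return any(addr in net for net in nets)


def evaluate(conf_text, src, dst):
    """Return (action, index of the matching http_access line).

    Squid uses the first http_access line whose ACLs all match. If no line
    matches, the result is the opposite of the last line's action; with no
    http_access lines at all, Squid allows the request.
    """
    acls, rules = parse_rules(conf_text)
    for i, (action, names) in enumerate(rules):
        if all(acl_matches(acls, n, src, dst) for n in names):
            return action, i
    if rules:
        return ("deny" if rules[-1][0] == "allow" else "allow"), None
    return "allow", None


# Constructed: the ordering mistake discussed above (deny after "allow all")
BROKEN_ORDER = """
acl MYLAN src 192.168.90.0/24 192.168.1.0/24
acl destionhost dst 192.168.90.20/32
http_access allow all
http_access deny destionhost      # never reached: "allow all" already matched
"""

# Constructed: deny first, then allow only the client networks, then deny the rest
FIXED_ORDER = """
acl MYLAN src 192.168.90.0/24 192.168.1.0/24
acl destionhost dst 192.168.90.20/32
http_access deny destionhost
http_access allow MYLAN
http_access deny all
"""

if __name__ == "__main__":
    for label, conf in (("broken", BROKEN_ORDER), ("fixed", FIXED_ORDER)):
        for src, dst in (("192.168.90.100", "192.168.90.20"),
                         ("192.168.90.100", "12.0.0.12"),
                         ("10.0.0.5", "12.0.0.12")):
            print("%-6s %s -> %s : %s" % (label, src, dst, evaluate(conf, src, dst)))
```

Running it shows the broken layout allowing the intranet client to reach 192.168.90.20 via line 0, while the fixed layout denies that destination, allows the same client to reach 12.0.0.12, and denies a source outside MYLAN. The file-list form (`acl NAME dst "/etc/squid/dest.list"`) is not parsed here; expand the file into the acl line before feeding it to the evaluator.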

5, Squid log analysis

1. Install the build dependencies (pcre, and the gd graphics library used for report charts)

yum install -y pcre-devel gd gd-devel

mkdir /usr/local/sarg
tar zxvf sarg-2.3.7.tar.gz -C /opt/
cd /opt/sarg-2.3.7
./configure --prefix=/usr/local/sarg --sysconfdir=/etc/sarg --enable-extraprotection
make && make install


configure options:
--prefix=/usr/local/sarg		# installation directory
--sysconfdir=/etc/sarg			# configuration file directory (the default is ${prefix}/etc, i.e. /usr/local/sarg/etc here)
--enable-extraprotection		# additional compile-time protections

2. Modify the configuration file

vim /etc/sarg/sarg.conf
----7 Row uncomment----
access_log /usr/local/squid/var/logs/access.log		# Squid access log to analyse
----25 Row uncomment----
title "Squid User Access Reports"					# Report page title
----120 Row uncomment----
output_dir /var/www/html/sarg						# Report output directory (served by the local httpd)
----178 Row uncomment----
user_ip no											# Show user names rather than IP addresses
----184 Row uncomment and modify----
topuser_sort_field connect reverse					# Sort the top-user table by connection count, descending ("normal" would be ascending)
----190 Row uncomment and modify----
user_sort_field connect reverse						# Sort each user's access records by connection count, descending
----206 Row uncomment and modify----
exclude_hosts /usr/local/sarg/noreport				# File listing hosts to leave out of the site ranking
----257 Row uncomment----
overwrite_report no									# Do not overwrite an existing report with the same name and date
----289 Row uncomment and modify----
mail_utility mailq.postfix							# Command used to mail reports
----434 Row uncomment and modify----
charset UTF-8										# Character set of the generated reports
----518 Row uncomment----
weekdays 0-6										# Days of the week covered by the top ranking
----525 Row uncomment----
hours 0-23											# Hours of the day covered by the top ranking
----633 Row uncomment----
www_document_root /var/www/html						# Document root of the Web server that publishes the reports

3. Run and verify

# Create the exclusion file; hosts listed in it are left out of the site ranking
touch /usr/local/sarg/noreport

ln -s /usr/local/sarg/bin/sarg /usr/local/bin
sarg --help

Run
sarg				# generate a report from the current access.log into output_dir
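SARG reads the same access.log the traditional-proxy section tails with tail -f. As an added example (independent of SARG and of Squid's own tools, written for this page), the following parses Squid's native log format offline and answers the questions a SARG report answers (top clients, top sites, cache hit ratio) plus one it does not: which clients keep triggering http_access denials. SAMPLE_LOG is constructed for the example and is not a real capture; read_log() is a hypothetical helper for pointing the same code at /usr/local/squid/var/logs/access.log.

```python
"""Offline summary of a Squid native-format access.log (added example, not SARG/Squid code).

Native format, one request per line:
  timestamp elapsed_ms client result/status bytes method URL user hierarchy/peer content-type
"""
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample lines in Squid's native format (not a real capture)
SAMPLE_LOG = """\
1650000000.123    245 192.168.90.100 TCP_MISS/200 4312 GET http://12.0.0.12/ - HIER_DIRECT/12.0.0.12 text/html
1650000001.456     12 192.168.90.100 TCP_HIT/200 4312 GET http://12.0.0.12/ - HIER_NONE/- text/html
1650000002.789      3 192.168.90.101 TCP_DENIED/403 3900 GET http://www.qq.com/ - HIER_NONE/- text/html
1650000003.001    330 192.168.90.101 TCP_MISS/200 52000 GET http://12.0.0.12/big.mp4 - HIER_DIRECT/12.0.0.12 video/mp4
1650000004.500      2 192.168.1.7 TCP_DENIED/403 3900 CONNECT www.qq.com:443 - HIER_NONE/- -
1650000005.100      2 192.168.1.7 TCP_DENIED/403 3900 GET http://v.qq.com/x.mp4 - HIER_NONE/- text/html
"""


def parse_line(line):
    """Split one native-format line into a dict; None for malformed lines."""
    f = line.split()
    if len(f) < 10:
        return None
    result, _, status = f[3].partition("/")
    return {"ts": float(f[0]), "elapsed_ms": int(f[1]), "client": f[2],
            "result": result, "status": int(status), "bytes": int(f[4]),
            "method": f[5], "url": f[6], "peer": f[8], "type": f[9]}


def host_of(url):
    """Host part of a logged URL; CONNECT lines log host:port rather than a URL."""
    if "://" not in url:
        return url.rsplit(":", 1)[0]
    return urlsplit(url).hostname or url


def summarize(log_text, denied_threshold=2):
    """Aggregate a log into counters, plus the clients whose number of denied
    requests reaches denied_threshold (candidates for a policy review)."""
    recs = [r for r in map(parse_line, log_text.splitlines()) if r]
    requests = Counter()
    bytes_out = Counter()
    denied = Counter()
    sites = Counter()
    hits = 0
    for r in recs:
        requests[r["client"]] += 1
        bytes_out[r["client"]] += r["bytes"]
        sites[host_of(r["url"])] += 1
        if r["result"].startswith("TCP_DENIED"):
            denied[r["client"]] += 1
        elif "HIT" in r["result"]:          # TCP_HIT, TCP_MEM_HIT, TCP_REFRESH_HIT, ...
            hits += 1
    return {
        "total": len(recs),
        "hit_ratio": hits / len(recs) if recs else 0.0,
        "top_clients": requests.most_common(),
        "bytes_by_client": dict(bytes_out),
        "top_sites": sites.most_common(),
        "denied_by_client": dict(denied),
        "suspicious": sorted(c for c, n in denied.items() if n >= denied_threshold),
    }


def read_log(path):
    """Hypothetical helper: read a real access.log for summarize()."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return fh.read()


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print("requests: %d  hit ratio: %.2f" % (s["total"], s["hit_ratio"]))
    print("top clients:", s["top_clients"][:3])
    print("top sites:", s["top_sites"][:3])
    print("denied per client:", s["denied_by_client"], "suspicious:", s["suspicious"])
```

On the sample, 12.0.0.12 is the top site, one of six requests was served from cache, and 192.168.1.7 crosses the denial threshold. A client that repeatedly hits TCP_DENIED is either a user working around policy or a process probing the proxy, and is worth a look before the next SARG report rolls over.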


6, Squid reverse proxy

If the requested resource is already cached on the Squid reverse proxy, it is returned to the client directly; otherwise the reverse proxy requests it from the backend Web server, returns the response to the client, and also caches the response locally for the next requester.

1. Working mechanism

  • Cache Web page objects to reduce repeated requests to the backend
  • Distribute Internet requests across the intranet Web servers round-robin or by weight
  • Proxy user requests so that users never reach the Web servers directly, which improves security


2. Modify the configuration file

vim /etc/squid.conf
......

----60 Row modification and insertion----
http_port 192.168.90.10:80 accel vhost vport
cache_peer 192.168.90.20 parent 80 0 no-query originserver round-robin max_conn=30 weight=1 name=web1
cache_peer 192.168.90.40 parent 80 0 no-query originserver round-robin max_conn=30 weight=1 name=web2
cache_peer_domain web1 web2 www.benet.com
never_direct allow all
# For www.benet.com, Squid forwards requests to port 80 of 192.168.90.20 and 192.168.90.40 in turn. never_direct allow all keeps Squid from contacting any other origin itself, so a request for an unrelated Host name fails instead of turning the accelerator into an open forward proxy.


3. Backend Web server settings

yum install -y httpd

systemctl start httpd

web1 configuration:
echo "this is benet" >> /var/www/html/index.html

web2 configuration:
echo "this is accp" >> /var/www/html/index.html

4. Domain name mapping on the client

Modify the C:\Windows\System32\drivers\etc\hosts file
192.168.90.10 www.benet.com

5. Proxy configuration on the client

Open the browser, Tools -> Internet Options -> Connections -> LAN settings -> enable the proxy server (address: Squid server IP address, port: 80). With the hosts mapping above the proxy setting is optional, because www.benet.com already resolves to the Squid server.

The client visits http://www.benet.com and refreshes: the responses should come from web1 and web2 in turn (check the page content or the peer column of access.log to see which backend answered).


Tags: Linux

Posted by direland on Sat, 16 Apr 2022 02:30:00 +0930