一、环境
系统 CentOS 6.4x64最小化安装
IP 192.168.1.11
二、安装squid
下载软件包
[root@squid ~]# wget http://www.squid-cache.org/Versions/v3/3.0/squid-3.0.STABLE20.tar.gz
安装
[root@squid ~]# tar xf squid-3.0.STABLE20.tar.gz [root@squid ~]# cd squid-3.0.STABLE20 #设置打开最大文件数目 [root@squid squid-3.0.STABLE20]# ulimit -Hn 20480 [root@squid squid-3.0.STABLE20]# echo "ulimit -Hn 20480" >>/etc/rc.local #设置端口范围 [root@squid squid-3.0.STABLE20]# echo "net.ipv4.ip_local_port_range = 4000 65000" >>/etc/sysctl.conf [root@squid squid-3.0.STABLE20]# sysctl -p |grep port_range net.ipv4.ip_local_port_range = 4000 65000 [root@squid squid-3.0.STABLE20]# ./configure --prefix=/usr/local/squid3.0 \ > --enable-async-io=100 \ > --with-pthreads \ > --enable-storeio="aufs,diskd,ufs" \ > --enable-removal-policiles="heap,lru" \ > --enable-icmp \ > --enable-delay-pools \ > --enable-useragent-log \ > --enable-referer-log \ > --enable-kill-parent-hack \ > --enable-cachemgr-hostname=localhost \ > --enable-arp-acl \ > --enable-default-err-language=English \ > --enable-err-languages="Simplify_Chinese English" \ > --disable-pool \ > --disable-wccp \ > --disable-wccpv2 \ > --disable-ident-lookups \ > --disable-internal-dns \ > --enable-basic-auth-helpers="NSCA" \ #在编译的时候这个选项报错,ERROR: Basic auth helper NSCA does not exists > --enable-stacktrace \ > --with-large-files \ > --disable-mempools \ > --with-filedescriptors=64000 \ > --enable-ssl \ > --enable-x-accelerator-vary \ > --disable-snmp \ > --with-aio \ > --enable-linux-netfilter \ > --enable-linux-tproxy #注在make阶段如果报关于ssl的错误,请安装yum install openssl-devel后重新./configure [root@squid squid-3.0.STABLE20]# make [root@squid squid-3.0.STABLE20]# make install [root@squid squid-3.0.STABLE20]# ln -s /usr/local/squid3.0/ /usr/local/squid [root@squid squid-3.0.STABLE20]# ll /usr/local/ |grep squid lrwxrwxrwx 1 root root 20 Jul 19 22:09 squid -> /usr/local/squid3.0/ drwxr-xr-x 8 root root 4096 Jul 19 22:06 squid3.0
三、配置squid
(1).修改配置文件
#配置文件路径 [root@squid ~]# cd /usr/local/squid/etc/ [root@squid etc]# ll total 360 -rw-r--r-- 1 root root 419 Jul 19 22:06 cachemgr.conf -rw-r--r-- 1 root root 419 Jul 19 22:06 cachemgr.conf.default -rw-r--r-- 1 root root 11651 Jul 19 22:06 mime.conf -rw-r--r-- 1 root root 11651 Jul 19 22:06 mime.conf.default -rw-r--r-- 1 root root 165287 Jul 19 22:06 squid.conf -rw-r--r-- 1 root root 165287 Jul 19 22:06 squid.conf.default #查看默认配置 [root@squid etc]# egrep -v "^#|^$" squid.conf acl manager proto cache_object acl localhost src 127.0.0.1/32 acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 acl localnet src 10.0.0.0/8 # RFC1918 possible internal network acl localnet src 172.16.0.0/12 # RFC1918 possible internal network acl localnet src 192.168.0.0/16 # RFC1918 possible internal network acl SSL_ports port 443 acl Safe_ports port 80 # http acl Safe_ports port 21 # ftp acl Safe_ports port 443 # https acl Safe_ports port 70 # gopher acl Safe_ports port 210 # wais acl Safe_ports port 1025-65535 # unregistered ports acl Safe_ports port 280 # http-mgmt acl Safe_ports port 488 # gss-http acl Safe_ports port 591 # filemaker acl Safe_ports port 777 # multiling http acl CONNECT method CONNECT http_access allow manager localhost http_access deny manager http_access deny !Safe_ports http_access deny CONNECT !SSL_ports http_access allow localnet http_access deny all icp_access allow localnet icp_access deny all htcp_access allow localnet htcp_access deny all http_port 3128 hierarchy_stoplist cgi-bin ? access_log /usr/local/squid3.0/var/logs/access.log squid refresh_pattern ^ftp: 1440 20% 10080 refresh_pattern ^gopher: 1440 0% 1440 refresh_pattern (cgi-bin|\?) 0 0% 0 refresh_pattern . 0 20% 4320 icp_port 3130 coredump_dir /usr/local/squid3.0/var/cache
(2).添加squid的用户
[root@squid etc]# useradd squid -s /sbin/nologin -M
编辑配置文件squid.conf
[root@squid etc]# vim squid.conf cache_effective_user squid #修改缓存运行用户 cache_effective_group squid #修改运行的组 #注:以上不进行,在squid运行的时候是以nobody运行的 #调整squid日志 access_log /usr/local/squid3.0/var/logs/access.log squid cache_store_log /usr/local/squid3.0/var/logs/store.log cache_log /usr/local/squid3.0/var/logs/cache.log #修改缓存文件的目录 cache_dir ufs /usr/local/squid3.0/var/cache 100 16 256 http_port 3128 #默认监听端口 #配置可见主机名 visible_hostname squid.weyee.com #配置管理员信息 cache_mgr lyao@weyee.com
附修改完以后的配置文件内容
[root@squid etc]# egrep -v "^#|^$" squid.conf acl manager proto cache_object acl localhost src 127.0.0.1/32 acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 acl localnet src 10.0.0.0/8 # RFC1918 possible internal network acl localnet src 172.16.0.0/12 # RFC1918 possible internal network acl localnet src 192.168.0.0/16 # RFC1918 possible internal network acl SSL_ports port 443 acl Safe_ports port 80 # http acl Safe_ports port 21 # ftp acl Safe_ports port 443 # https acl Safe_ports port 70 # gopher acl Safe_ports port 210 # wais acl Safe_ports port 1025-65535 # unregistered ports acl Safe_ports port 280 # http-mgmt acl Safe_ports port 488 # gss-http acl Safe_ports port 591 # filemaker acl Safe_ports port 777 # multiling http acl CONNECT method CONNECT http_access allow manager localhost http_access deny manager http_access deny !Safe_ports http_access deny CONNECT !SSL_ports http_access allow localnet http_access deny all icp_access allow localnet icp_access deny all htcp_access allow localnet htcp_access deny all http_port 3128 hierarchy_stoplist cgi-bin ? cache_dir ufs /usr/local/squid3.0/var/cache 100 16 256 access_log /usr/local/squid3.0/var/logs/access.log squid cache_log /usr/local/squid3.0/var/logs/cache.log cache_store_log /usr/local/squid3.0/var/logs/store.log refresh_pattern ^ftp: 1440 20% 10080 refresh_pattern ^gopher: 1440 0% 1440 refresh_pattern (cgi-bin|\?) 0 0% 0 refresh_pattern . 0 20% 4320 cache_effective_user squid cache_effective_group squid icp_port 3130 coredump_dir /usr/local/squid3.0/var/cache visible_hostname squid.weyee.com #必须要配置可见主机名,否则服务不能启动 cache_mgr lyao@weyee.com
(3).squid日志文件说明
squid有三个主要的日志文件:cache.log,access.log,store.log。
cache.log:包含多种消息,例如squid的配置信息、性能警告、以及严重错误。
access.log:squid把关于http事物的关键信息存放在access.log里。该文件是基于行的,也就是说每行对应一个客户端请求。squid记录客户端IP(或主机名)、请求URL、响应size、其它信息。
store.log:记录squid关于存储或删除cache目标的决定。对每个存在cache里的目标,或每个不可cache的目标、以及每个被轮换策略删除的目标,squid都会创建响应的日志条目,该日志文件内容既包含了内存cache,又包含了磁盘cache。
(4).squid的访问控制
基于ACL元素语句如下:
acl name type value1 value2 ...
例如: acl workstations src 10.0.0.0/16 #表示源地址匹配10.0.0.0/16网段 在多数情况下,你能对一个ACL元素列举多个值。你也可以有多个ACL行一个名字 例如: acl Http_ports port 80 8000 8080 等于下面的三行 acl Http_ports port 80 acl Http_ports port 8000 acl Http_ports port 8080
(5).配置文件检查
#检查配置文件是否有误 [root@squid ~]# /usr/local/squid/sbin/squid -k parse 2015/07/23 20:38:46| Processing Configuration File: /usr/local/squid3.0/etc/squid.conf (depth 0) 2015/07/23 20:38:46| Initializing https proxy context WARNING: Cannot write log file: /usr/local/squid3.0/var/logs/cache.log /usr/local/squid3.0/var/logs/cache.log: Permission denied messages will be sent to 'stderr'. #赋予权限 [root@squid ~]# chown -R squid /usr/local/squid3.0/var/logs/ #再次检查 [root@squid ~]# /usr/local/squid/sbin/squid -k parse 2015/07/23 20:40:38| Processing Configuration File: /usr/local/squid3.0/etc/squid.conf (depth 0) 2015/07/23 20:40:38| Initializing https proxy context
(6).配置环境变量
[root@squid ~]# echo 'export PATH=$PATH:/usr/local/squid/sbin:/usr/local/squid/bin' >>/etc/profile [root@squid ~]# source /etc/profile [root@squid ~]# echo $PATH /usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin:/usr/local/squid/sbin:/usr/local/squid/bin
(7).初始化缓存目录
[root@squid ~]# grep cache_dir /usr/local/squid/etc/squid.conf |grep -v "^#" cache_dir ufs /usr/local/squid3.0/var/cache 100 16 256 #缓存目录还不存在 [root@squid ~]# ll /usr/local/squid3.0/var/cache ls: cannot access /usr/local/squid3.0/var/cache: No such file or directory #初始化目录 [root@squid ~]# squid -z 2015/07/23 20:46:54| Creating Swap Directories FATAL: Failed to make swap directory /usr/local/squid3.0/var/cache: (13) Permission denied #赋予相关权限,并重新初始化 [root@squid ~]# chown -R squid /usr/local/squid3.0/var [root@squid ~]# squid -z #一共初始化16个目录 2015/07/23 20:47:56| Creating Swap Directories 2015/07/23 20:47:56| Making directories in /usr/local/squid3.0/var/cache/00 2015/07/23 20:47:56| Making directories in /usr/local/squid3.0/var/cache/01 2015/07/23 20:47:56| Making directories in /usr/local/squid3.0/var/cache/02 2015/07/23 20:47:56| Making directories in /usr/local/squid3.0/var/cache/03 2015/07/23 20:47:56| Making directories in /usr/local/squid3.0/var/cache/04 2015/07/23 20:47:56| Making directories in /usr/local/squid3.0/var/cache/05 2015/07/23 20:47:56| Making directories in /usr/local/squid3.0/var/cache/06 2015/07/23 20:47:56| Making directories in /usr/local/squid3.0/var/cache/07 2015/07/23 20:47:56| Making directories in /usr/local/squid3.0/var/cache/08 2015/07/23 20:47:56| Making directories in /usr/local/squid3.0/var/cache/09 2015/07/23 20:47:56| Making directories in /usr/local/squid3.0/var/cache/0A 2015/07/23 20:47:56| Making directories in /usr/local/squid3.0/var/cache/0B 2015/07/23 20:47:56| Making directories in /usr/local/squid3.0/var/cache/0C 2015/07/23 20:47:56| Making directories in /usr/local/squid3.0/var/cache/0D 2015/07/23 20:47:56| Making directories in /usr/local/squid3.0/var/cache/0E 2015/07/23 20:47:56| Making directories in /usr/local/squid3.0/var/cache/0F #安装几个软件包,后面会用到 [root@squid ~]# yum install tree telnet dos2unix -y
四.配置普通代理,测试
[root@squid ~]# squid -N -d1 2015/07/23 20:52:50| Starting Squid Cache version 3.0.STABLE20 for x86_64-unknown-linux-gnu... 2015/07/23 20:52:50| Process ID 1414 2015/07/23 20:52:50| With 4096 file descriptors available 2015/07/23 20:52:50| Performing DNS Tests... 2015/07/23 20:52:53| Successful DNS name lookup tests... 2015/07/23 20:52:53| helperOpenServers: Starting 5/5 'dnsserver' processes 2015/07/23 20:52:53| User-Agent logging is disabled. 2015/07/23 20:52:53| Referer logging is disabled. 2015/07/23 20:52:53| Unlinkd pipe opened on FD 14 2015/07/23 20:52:53| Swap maxSize 102400 + 8192 KB, estimated 8507 objects 2015/07/23 20:52:53| Target number of buckets: 425 2015/07/23 20:52:53| Using 8192 Store buckets 2015/07/23 20:52:53| Max Mem size: 8192 KB 2015/07/23 20:52:53| Max Swap size: 102400 KB 2015/07/23 20:52:53| Rebuilding storage in /usr/local/squid3.0/var/cache (DIRTY) 2015/07/23 20:52:53| Using Least Load store dir selection 2015/07/23 20:52:53| Set Current Directory to /usr/local/squid3.0/var/cache 2015/07/23 20:52:53| Loaded Icons. 2015/07/23 20:52:53| Accepting HTTP connections at 0.0.0.0, port 3128, FD 15. 2015/07/23 20:52:53| Accepting ICP messages at 0.0.0.0, port 3130, FD 16. 2015/07/23 20:52:53| HTCP Disabled. 2015/07/23 20:52:53| Pinger socket opened on FD 18 2015/07/23 20:52:53| Ready to serve requests. #有该信息出来表示启动成功 2015/07/23 20:52:54| Done scanning /usr/local/squid3.0/var/cache swaplog (0 entries) 2015/07/23 20:52:54| Finished rebuilding storage from disk. 2015/07/23 20:52:54| 0 Entries scanned 2015/07/23 20:52:54| 0 Invalid entries. 2015/07/23 20:52:54| 0 With invalid flags. 2015/07/23 20:52:54| 0 Objects loaded. 2015/07/23 20:52:54| 0 Objects expired. 2015/07/23 20:52:54| 0 Objects cancelled. 2015/07/23 20:52:54| 0 Duplicate URLs purged. 2015/07/23 20:52:54| 0 Swapfile clashes avoided. 2015/07/23 20:52:54| Took 1.00 seconds ( 0.00 objects/sec). 2015/07/23 20:52:54| Beginning Validation Procedure 2015/07/23 20:52:54| Completed Validation Procedure 2015/07/23 20:52:54| Validated 25 Entries 2015/07/23 20:52:54| store_swap_size = 0 2015/07/23 20:52:54| storeLateRelease: released 0 objects #查看启动端口,默认监听在3128端口上 [root@squid ~]# netstat -tunlp |grep squid tcp 0 0 0.0.0.0:3128 0.0.0.0:* LISTEN 1414/squid #配置完上面后,将windows的代理地址指向squid服务器 #查看squid的日志,能看到我们是通过squid服务器进行上网的 [root@squid ~]# tail /usr/local/squid/var/logs/access.log 1437656272.853 305 192.168.1.100 TCP_MISS/304 315 GET http://crl.microsoft.com/pki/crl/products/CodeSignPCA.crl - DIRECT/23.66.230.17 application/pkix-crl 1437656273.115 335 192.168.1.100 TCP_MISS/200 2584 GET http://se.360.cn/cloud/picinfo.ini - DIRECT/183.131.192.83 application/octet-stream 1437656273.146 285 192.168.1.100 TCP_MISS/304 316 GET http://crl.microsoft.com/pki/crl/products/MicrosoftTimeStampPCA.crl - DIRECT/23.66.230.17 application/pkix-crl 1437656274.383 49 192.168.1.100 TCP_MISS/000 0 GET http://api.bing.com/qsml.aspx? - DIRECT/api.bing.com - 1437656274.437 19 192.168.1.100 TCP_MISS/000 0 GET http://api.bing.com/qsml.aspx? - DIRECT/api.bing.com - 1437656274.483 13 192.168.1.100 TCP_MISS/000 0 GET http://api.bing.com/qsml.aspx? - DIRECT/api.bing.com - 1437656274.629 118 192.168.1.100 TCP_MISS/000 0 GET http://api.bing.com/qsml.aspx? - DIRECT/191.234.5.80 - 1437656274.907 244 192.168.1.100 TCP_MISS/200 2108 GET http://api.bing.com/qsml.aspx? - DIRECT/191.234.5.80 text/html 1437656275.803 471 192.168.1.100 TCP_MISS/302 539 GET http://baidu.com/ - DIRECT/180.149.132.47 text/html 1437656277.297 1195 192.168.1.100 TCP_MISS/200 2206 GET http://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD%2BOyl%2B0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEG7MeqWnAyAJuM689OlS1JE%3D - DIRECT/23.41.75.27 application/ocsp-response
六.配置squid开机自启动
[root@squid ~]# tail -1 /etc/rc.local /usr/local/squid/sbin/squid -D
squid启动脚本1
[root@squid ~]# cat /etc/init.d/squid
#!/bin/bash
# chkconfig: 345 85 15
# description: squid is a web cache server
# processname: squid
. /etc/rc.d/init.d/functions
start(){
/usr/local/squid/sbin/squid -s
if [ $? -eq 0 ];then
echo "squid start ok"
else
echo "please check the log"
fi
}
stop(){
/usr/local/squid/sbin/squid -k shutdown
if [ $? -eq 0 ];then
echo "squid stop ok"
else
echo "please check the log"
fi
}
case $1 in
start)
start;;
stop)
stop;;
restart)
stop
start;;
*)
echo "Usage only start|stop|restart"
;;
esac启动脚本2
[root@squid ~]# cat squid.sh #/bin/bash #chkconfig: 345 88 14 #description: squid Daemon case "$1" in start) /usr/local/squid/sbin/squid -D if [ $? -eq 0 ];then echo "start squid is sucessful!" else echo "start squid is fail!" exit $? fi ;; stop) /usr/local/squid/sbin/squid -k shutdown if [ $? -eq 0 ];then echo "stop squid is sucessful!" else echo "stop squid is fail!" fi ;; restart) /usr/local/squid/sbin/squid -k reconfigure if [ $? -eq 0 ];then echo "restart squid is sucessful!" else echo "restart squid is fail!" fi ;; parse) /usr/local/squid/sbin/squid -k parse if [ $? -eq 0 ];then echo "check config is ok!" else echo "check config is fail!" fi ;; check) /usr/local/squid/sbin/squid -k check ;; *) echo "Usage:$0 start|stop|restart|parse|check" esac
七.squid日志轮询
#日志文件默认路径 [root@squid ~]# ll /usr/local/squid/var/logs/ total 304 -rw-r----- 1 squid squid 108736 Jul 23 21:19 access.log -rw-r----- 1 squid squid 39307 Jul 23 21:45 cache.log -rw-r--r-- 1 root squid 5 Jul 23 21:45 squid.pid -rw-r----- 1 squid squid 142841 Jul 23 21:18 store.log #使用日志轮询,类似于日志切割 [root@squid ~]# /usr/local/squid/sbin/squid -k rotate [root@squid ~]# ll /usr/local/squid/var/logs/ total 308 -rw-r----- 1 squid squid 0 Jul 23 21:49 access.log -rw-r----- 1 squid squid 108736 Jul 23 21:19 access.log.0 -rw-r----- 1 squid squid 453 Jul 23 21:49 cache.log -rw-r----- 1 squid squid 39359 Jul 23 21:49 cache.log.0 -rw-r--r-- 1 root squid 5 Jul 23 21:45 squid.pid -rw-r----- 1 squid squid 0 Jul 23 21:49 store.log -rw-r----- 1 squid squid 142841 Jul 23 21:18 store.log.0
八、配置web管理界面
[root@squid ~]# yum install httpd -y #编辑httpd配置文件 [root@squid ~]# vim /etc/httpd/conf/httpd.conf Listen 8080 #为后面的反向代理调整端口 ScriptAlias "/squid" "/usr/local/squid3.0/libexec/cachemgr.cgi" <Location "/squid"> Order deny,allow Deny from all Allow from all </location> #重启httpd服务 [root@squid ~]# service httpd restart Stopping httpd: [ OK ] Starting httpd: [ OK ]
访问地址http://192.168.1.11:8080/squid
九、透明代理
#添加几个参数 [root@squid ~]# vim /usr/local/squid/etc/squid.conf http_port 3128 transparent cache_mem 128 MB cache_swap_low 90 cache_swap_high 95 maximum_object_size 8192 KB minimum_object_size 0 KB maximum_object_size_in_memory 4096 KB emulate_httpd_log on memory_replacement_policy lru #重启squid服务 [root@squid ~]# killall -9 squid [root@squid ~]# squid -D 2015/07/25 10:30:57| WARNING cache_mem is larger than total disk cache space! #配置防火墙 #将所有80端口的请求转发到squid的3128端口,这是一个DNAT [root@squid ~]# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-ports 3128 #配置SNAT [root@squid ~]# iptables -t nat -A POSTROUTING -i etho -s 192.168.1.0/24 -j MASQUERADE #配置路由转发 [root@squid ~]# vim /etc/sysctl.conf net.ipv4.ip_forward = 1
