Document date: December 5, 2019

A proxy server sits between two endpoint devices and acts as an intermediary.

When client C requests a resource from server S, say a document or a web page, the request first goes to the proxy server P. P then forwards the request to the destination server and fetches the resource on the client's behalf.

```
|C| ----><---- |P| ----><---- |S|
```

One benefit of a proxy server is that it can cache resources. For example, when many users visit the same web page, the proxy caches its content locally and serves it directly to later users.

Proxy servers can be used for security checks, access control and caching. They can also be used for anonymous access: the proxy fetches resources with its own IP address, so the client's IP does not need to be exposed.

Squid Proxy is an open source caching proxy for the web. It supports many protocols, including HTTP, HTTPS and FTP. Because it caches and reuses frequently requested pages, it improves response times and reduces bandwidth consumption.

In this article we show how to install the Squid proxy service on CentOS 7 and walk through some basic configuration to set it up as a caching server.
# Requirements

Squid has no particular minimum hardware requirement; its memory usage depends on how many users go through the proxy and how many objects are held in the cache. To follow along you need root access on CentOS 7. If you are not root, switch to root with `sudo -i`; if you are a member of the sudoers group, you can run the commands with sudo.

# Installing Squid

Before installing, it is a good idea to update the system packages:

```
yum -y update
```

Next, install the EPEL repository, since the default yum repositories do not include squid. Run:

```
yum -y install epel-release
yum -y update
yum clean all
```

Now install Squid Proxy with:

```
yum -y install squid
```

After installation, squid is controlled through systemd. Start it with:

```
systemctl start squid
```

To start it automatically at boot, run:

```
systemctl enable squid
```

Check squid's running status:

```
systemctl status squid
```

The terminal output looks like this:
```
[root@192 ~]# systemctl status squid
● squid.service - Squid caching proxy
   Loaded: loaded (/usr/lib/systemd/system/squid.service; disabled; vendor preset: disabled)
   Active: active (running) since Fri 2019-12-06 01:44:50 CST; 33s ago
  Process: 1312 ExecStart=/usr/sbin/squid $SQUID_OPTS -f $SQUID_CONF (code=exited, status=0/SUCCESS)
  Process: 1306 ExecStartPre=/usr/libexec/squid/cache_swap.sh (code=exited, status=0/SUCCESS)
 Main PID: 1314 (squid)
   CGroup: /system.slice/squid.service
           ├─1314 /usr/sbin/squid -f /etc/squid/squid.conf
           ├─1316 (squid-1) -f /etc/squid/squid.conf
           └─1317 (logfile-daemon) /var/log/squid/access.log

Dec 06 01:44:50 192.168.233.166 systemd[1]: Starting Squid caching proxy...
Dec 06 01:44:50 192.168.233.166 squid[1314]: Squid Parent: will start 1 kids
Dec 06 01:44:50 192.168.233.166 squid[1314]: Squid Parent: (squid-1) process 1316 started
Dec 06 01:44:50 192.168.233.166 systemd[1]: Started Squid caching proxy.
```
To see more of squid's available options:
```
[root@192 ~]# squid -h
Usage: squid [-cdhvzCFNRVYX] [-n name] [-s | -l facility] [-f config-file] [-[au] port] [-k signal]
       -a port   Specify HTTP port number (default: 3128).
       -d level  Write debugging to stderr also.
       -f file   Use given config-file instead of
                 /etc/squid/squid.conf
       -h        Print help message.
       -k reconfigure|rotate|shutdown|restart|interrupt|kill|debug|check|parse
                 Parse configuration file, then send signal to
                 running copy (except -k parse) and exit.
       -n name   Specify service name to use for service operations
                 default is: squid.
       -s | -l facility
                 Enable logging to syslog.
       -u port   Specify ICP port number (default: 3130), disable with 0.
       -v        Print version.
       -z        Create missing swap directories and then exit.
       -C        Do not catch fatal signals.
       -D        OBSOLETE. Scheduled for removal.
       -F        Don't serve any requests until store is rebuilt.
       -N        No daemon mode.
       -R        Do not set REUSEADDR on port.
       -S        Double-check swap during rebuild.
       -X        Force full debugging.
       -Y        Only return UDP_HIT or UDP_MISS_NOFETCH during fast reload.
```
To see squid's version and the options it was built with:
```
[root@192 ~]# squid -v
Squid Cache: Version 3.5.20
Service Name: squid
configure options:
'--build=x86_64-redhat-linux-gnu'
'--host=x86_64-redhat-linux-gnu'
'--program-prefix='
'--prefix=/usr'
'--exec-prefix=/usr'
'--bindir=/usr/bin'
'--sbindir=/usr/sbin'
'--sysconfdir=/etc'
'--datadir=/usr/share'
'--includedir=/usr/include'
'--libdir=/usr/lib64'
'--libexecdir=/usr/libexec'
'--sharedstatedir=/var/lib'
'--mandir=/usr/share/man'
'--infodir=/usr/share/info'
'--disable-strict-error-checking'
'--exec_prefix=/usr'
'--libexecdir=/usr/lib64/squid'
'--localstatedir=/var'
'--datadir=/usr/share/squid'
'--sysconfdir=/etc/squid'
'--with-logdir=$(localstatedir)/log/squid'
'--with-pidfile=$(localstatedir)/run/squid.pid'
'--disable-dependency-tracking'
'--enable-eui'
'--enable-follow-x-forwarded-for'
'--enable-auth'
'--enable-auth-basic=DB,LDAP,MSNT-multi-domain,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB,SMB_LM,getpwnam'
'--enable-auth-ntlm=smb_lm,fake'
'--enable-auth-digest=file,LDAP,eDirectory'
'--enable-auth-negotiate=kerberos'
'--enable-external-acl-helpers=file_userip,LDAP_group,time_quota,session,unix_group,wbinfo_group,kerberos_ldap_group'
'--enable-cache-digests'
'--enable-cachemgr-hostname=localhost'
'--enable-delay-pools'
'--enable-epoll'
'--enable-ident-lookups'
'--enable-linux-netfilter'
'--enable-removal-policies=heap,lru'
'--enable-snmp'
'--enable-ssl-crtd'
'--enable-storeio=aufs,diskd,rock,ufs'
'--enable-wccpv2'
'--enable-esi'
'--enable-ecap'
'--with-aio'
'--with-default-user=squid'
'--with-dl'
'--with-openssl'
'--with-pthreads'
'--disable-arch-native'
'build_alias=x86_64-redhat-linux-gnu'
'host_alias=x86_64-redhat-linux-gnu'
'CFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -fpie'
'LDFLAGS=-Wl,-z,relro -pie -Wl,-z,relro -Wl,-z,now'
'CXXFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -fpie'
'PKG_CONFIG_PATH=:/usr/lib64/pkgconfig:/usr/share/pkgconfig'
```
The main squid configuration file is /etc/squid/squid.conf. You can now point your browser at the proxy server you just set up.

In Internet Explorer and Google Chrome this is done under Control Panel -> Internet Options -> Connections -> LAN settings -> Proxy server ("Use a proxy server for your LAN"). Enter the proxy server's IP address and port 3128; you can then reach the web through the proxy.

By default Squid only accepts connections from the local network. If you connect from outside it, you get "The proxy server is refusing connections", and you have to configure squid's access permissions.

First take a look at the log:

```
tail -f /var/log/squid/access.log
```

The entries look roughly like this:
```
1476596170.987  61641 61.14.229.246 TCP_MISS/200 3460 CONNECT aus5.mozilla.org:443 - HIER_DIRECT/52.42.158.162 -
1476596470.531 121781 61.14.229.246 TCP_MISS/200 129 CONNECT qa.sockets.stackexchange.com:80 - HIER_DIRECT/198.252.206.25 -
1476596574.995 101350 61.14.229.246 TCP_MISS/200 129 CONNECT qa.sockets.stackexchange.com:80 - HIER_DIRECT/198.252.206.25 -
1476596867.906 290539 61.14.229.246 TCP_MISS/200 129 CONNECT qa.sockets.stackexchange.com:80 - HIER_DIRECT/198.252.206.25 -
1476596875.984   4939 61.14.229.246 TCP_MISS/200 129 CONNECT qa.sockets.stackexchange.com:80 - HIER_DIRECT/198.252.206.25 -
1476597519.292 1561080 61.14.229.246 TCP_MISS/200 3828 CONNECT qa.sockets.stackexchange.com:443 - HIER_DIRECT/198.252.206.25 -
1476597857.853 979174 61.14.229.246 TCP_MISS/200 216 CONNECT qa.sockets.stackexchange.com:80 - HIER_DIRECT/198.252.206.25 -
1476598063.413   4459 61.14.229.246 TCP_MISS/200 129 CONNECT qa.sockets.stackexchange.com:80 - HIER_DIRECT/198.252.206.25 -
1476598213.392 351400 61.14.229.246 TCP_MISS/200 158 CONNECT qa.sockets.stackexchange.com:80 - HIER_DIRECT/198.252.206.25 -
1476598576.745 511218 61.14.229.246 TCP_MISS/200 158 CONNECT qa.sockets.stackexchange.com:80 - HIER_DIRECT/198.252.206.25 -
```
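The log lines above are in Squid's native access.log format, whose fields are: timestamp, elapsed milliseconds, client address, result code/HTTP status, bytes sent, request method, URL, user, hierarchy/peer and content type. The following shell functions, added here as an example and not part of the original article or of Squid, parse that format with awk. The sample log is constructed for the example: its first two lines are copied from the excerpt above, the remaining three are invented (a private client address and example.com). The CONNECT check is worth noting because the excerpt shows CONNECT tunnels to port 80 being answered with TCP_MISS/200, which the `http_access deny CONNECT !SSL_ports` rule in the default configuration would normally turn into TCP_DENIED/403.

```shell
#!/bin/sh
# Added example: parse Squid's native access.log format with awk.
# Field order in the native format:
#   1 timestamp  2 elapsed_ms  3 client  4 result/status  5 bytes
#   6 method     7 URL         8 user    9 hierarchy/peer 10 content-type

# Constructed sample log: the first two lines are taken from the excerpt
# above, the remaining three are invented (private client, example.com).
sample_log() {
cat <<'EOF'
1476596170.987  61641 61.14.229.246 TCP_MISS/200 3460 CONNECT aus5.mozilla.org:443 - HIER_DIRECT/52.42.158.162 -
1476596470.531 121781 61.14.229.246 TCP_MISS/200 129 CONNECT qa.sockets.stackexchange.com:80 - HIER_DIRECT/198.252.206.25 -
1476596480.100     12 10.0.0.5 TCP_DENIED/403 3871 CONNECT qa.sockets.stackexchange.com:80 - HIER_NONE/- text/html
1476596500.200    230 10.0.0.5 TCP_MISS/200 15230 GET http://example.com/index.html - HIER_DIRECT/93.184.216.34 text/html
1476596510.300      5 10.0.0.5 TCP_MEM_HIT/200 15230 GET http://example.com/index.html - HIER_NONE/- text/html
EOF
}

# CONNECT tunnels to ports other than 443 carry traffic the proxy cannot
# inspect; "http_access deny CONNECT !SSL_ports" normally answers them with
# TCP_DENIED/403. Prints: client  result/status  target
connect_outside_ssl_ports() {
    awk '$6 == "CONNECT" {
            n = split($7, hp, ":")
            if (hp[n] != "443") print $3, $4, $7
         }'
}

# Requests per client address, most active first. Prints: count client
requests_per_client() {
    awk '{ n[$3]++ } END { for (c in n) print n[c], c }' | sort -rn
}

# Cache effectiveness: lines whose result code contains HIT over all lines.
# Prints: hits/total
hit_ratio() {
    awk '$4 ~ /HIT/ { hits++ } END { printf "%d/%d\n", hits, NR }'
}

# Stand-alone demo; on a real host replace "sample_log |" with
# "cat /var/log/squid/access.log |"
sample_log | connect_outside_ssl_ports
sample_log | requests_per_client
sample_log | hit_ratio
```

The functions read from standard input, so they can be fed the live file with `tail -f` just as in the text.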
# Configuring Squid

Open squid's configuration file in an editor:

```
vim /etc/squid/squid.conf
```

The bundled minimum configuration looks like this:
```
#
# Recommended minimum configuration:
#
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost
# And finally deny all other access to this proxy
http_access deny all
# Squid normally listens to port 3128
http_port 3128
# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/spool/squid 100 16 256
# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid
#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320
```
# Allowing IP addresses to reach the internet through your proxy

To allow a range of IP addresses, add a new ACL entry; Squid accepts CIDR notation. Suppose you want to allow access from 110.220.230.1 through 110.220.230.255. A mask covering the first three octets (24 bits) is clearly enough, since it admits exactly one octet's worth, 255 IP addresses, and you write it like this:

```
acl localnet src 110.220.230.0/24
```

This is equivalent to specifying a subnet mask.

After editing, don't forget to restart the squid service:

```
systemctl restart squid
```
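To make the CIDR matching that `acl localnet src` performs concrete, here is an added example (not from the article or from Squid) that evaluates prefix membership in plain POSIX shell arithmetic. It goes slightly beyond the text by checking an address against the whole localnet list: the three RFC 1918 prefixes from the default configuration plus the /24 added above. The `LOCALNET` list and the function names are the editor's assumptions; the evaluation mirrors `http_access allow localnet` followed by `http_access deny all`.

```shell
#!/bin/sh
# Added example: evaluate "acl localnet src <CIDR>" matching in plain POSIX
# shell arithmetic, to see which client addresses such ACL lines admit.

# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip_to_int() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# ip_in_cidr IP NETWORK/BITS: succeed when IP lies inside the prefix.
ip_in_cidr() {
    ip=$(ip_to_int "$1")
    net=$(ip_to_int "${2%/*}")
    bits=${2#*/}
    # network mask with the top BITS bits set, e.g. /24 -> 255.255.255.0
    mask=$(( (1 << 32) - (1 << (32 - bits)) ))
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# Assumed ACL list: the localnet prefixes from the default config plus the
# /24 added above. Edit to match your own "acl localnet src" lines.
LOCALNET="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 110.220.230.0/24"

# squid_would_allow IP: "allow" if any localnet prefix matches, else "deny",
# mirroring "http_access allow localnet" followed by "http_access deny all".
squid_would_allow() {
    for cidr in $LOCALNET; do
        if ip_in_cidr "$1" "$cidr"; then
            echo allow
            return 0
        fi
    done
    echo deny
}

# Stand-alone demo: the /24 covers .1 through .255 but not the next subnet,
# and 172.16.0.0/12 ends at 172.31.255.255.
for client in 110.220.230.1 110.220.230.255 110.220.231.1 172.31.9.9 172.32.0.1; do
    printf '%-16s %s\n' "$client" "$(squid_would_allow "$client")"
done
```

A quick way to confirm the mask arithmetic is that `/24` leaves the last octet free, so 110.220.230.0 and 110.220.230.255 compare equal after masking while 110.220.231.1 does not.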
# Allowing specific ports for HTTP connections

By default squid only allows access to safe ports, which are the following:

```
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
```

These are all ports used by standard system services, so they are fine as they are. To add a custom port to this trusted list, write one more line in the same form:

```
acl Safe_ports port 168
```

After the change, restart the service with `systemctl restart squid` for it to take effect.
# Using squid basic authentication

If you want users to authenticate before they can use the proxy, you can use squid's basic authentication feature.

Here we use the httpd-tools package, which provides the htpasswd command for creating an encrypted password file. Install it with:

```
yum -y install httpd-tools
```

Next create a new file and make the squid user its owner:

```
touch /etc/squid/passwd && chown squid /etc/squid/passwd
```

Then use htpasswd to add a user to the password file. To add the user pxuser:

```
htpasswd /etc/squid/passwd pxuser
```

You will be prompted to enter the password and confirm it. Remember that this password belongs to pxuser.

By default htpasswd encrypts the password with MD5, so what is stored is the MD5 hash.

With the user and password in place, tell squid to allow authenticated users. Add the following lines to the configuration file, below the safe ports settings:

```
auth_param basic program /usr/lib64/squid/basic_ncsa_auth /etc/squid/passwd
auth_param basic children 5
auth_param basic realm Squid Basic Authentication
auth_param basic credentialsttl 2 hours
acl auth_users proxy_auth REQUIRED
http_access allow auth_users
```

Remember to restart squid after modifying the configuration; the change takes effect after the restart. When you connect to the proxy again, a login dialog asks for a username and password. If authentication fails, an error page is returned.
# Blocking websites

As the proxy operator, you don't want users visiting dangerous sites, and this is easy to arrange. A common way to manage it is to create a file listing the sites to block:

```
touch /etc/squid/blocked_sites
```

For example, put a few lines in it:

```
baidu.com
google.com
```

Save it, then edit /etc/squid/squid.conf and add the following:

```
acl blocked_sites dstdomain "/etc/squid/blocked_sites"
http_access deny blocked_sites
```

Restart the service and bingo! Baidu and Google are strangers from now on.
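Both the authentication section (`http_access allow auth_users`) and the blocking section above add `http_access` lines without saying where they go, and placement matters: Squid evaluates `http_access` rules top to bottom and stops at the first match, so a `deny blocked_sites` placed after `http_access allow localnet` never fires for LAN clients, and the list should still end with `deny all`. The following shell script, added here as an example and not part of the article or of Squid, extracts the rules from a squid.conf and checks that ordering. The two configuration fragments are constructed for the example and the function names are the editor's; `squid -k parse` (listed in the `-h` output above) checks syntax but not rule order.

```shell
#!/bin/sh
# Added example: check the order of http_access rules in a squid.conf.
# Squid evaluates http_access lines top to bottom and stops at the first
# match, so a "deny blocked_sites" placed after "allow localnet" never
# fires for LAN clients, and the list should end with "deny all".

# Constructed squid.conf fragment with the deny rule in the right place.
good_conf() {
cat <<'EOF'
acl localnet src 192.168.0.0/16
acl blocked_sites dstdomain "/etc/squid/blocked_sites"
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access deny blocked_sites      # deny before the client allow rules
http_access allow localnet
http_access allow localhost
http_access deny all
EOF
}

# Constructed fragment with the deny rule appended after the allow rules.
bad_conf() {
cat <<'EOF'
acl blocked_sites dstdomain "/etc/squid/blocked_sites"
http_access deny !Safe_ports
http_access allow localnet
http_access allow localhost
http_access deny blocked_sites      # too late: localnet already matched
http_access deny all
EOF
}

# Print the http_access rules in evaluation order, without the keyword or
# trailing comments, e.g. "deny blocked_sites".
http_access_rules() {
    awk '/^[ \t]*http_access[ \t]/ {
            sub(/#.*/, "")
            $1 = ""
            sub(/^ +/, "")
            print
         }'
}

# deny_precedes_allow ACL: reads a config on stdin and prints "ok" when
# "deny ACL" comes before the first rule that admits client traffic
# (allow localnet / localhost / auth_users), "misordered" when it comes
# after, and "missing" when there is no such deny rule at all.
deny_precedes_allow() {
    http_access_rules | awk -v acl="$1" '
        $1 == "allow" && NF == 2 && !first_allow &&
            ($2 == "localnet" || $2 == "localhost" || $2 == "auth_users") { first_allow = NR }
        $1 == "deny" && $2 == acl { deny_at = NR }
        END {
            if (!deny_at) print "missing"
            else if (first_allow && first_allow < deny_at) print "misordered"
            else print "ok"
        }'
}

# ends_with_deny_all: "ok" when the last http_access rule is "deny all".
ends_with_deny_all() {
    http_access_rules | awk '{ last = $0 }
        END { r = (last == "deny all") ? "ok" : "missing deny all"; print r }'
}

# Stand-alone demo; on a real host use: deny_precedes_allow blocked_sites < /etc/squid/squid.conf
echo "good: $(good_conf | deny_precedes_allow blocked_sites), $(good_conf | ends_with_deny_all)"
echo "bad:  $(bad_conf | deny_precedes_allow blocked_sites), $(bad_conf | ends_with_deny_all)"
```

The same check applies to `allow auth_users`: it must come before `deny all`, and any `deny blocked_sites` you want enforced for authenticated users must come before it.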
# Changing squid's port number

As you have probably guessed, edit the configuration file:

```
http_port 3128
```

Change this port number to whatever you like, as long as it is within the range the system allows. Restart the service after the change, remember!

# Conclusion

That is roughly the whole process of installing and configuring squid; go and try it yourself. No amount of explanation beats hands-on practice, which is what makes it stick.

There were no roads in the world to begin with; once you have stepped into enough pits, you learn to walk. Happy coding!