How to set up an IP proxy server on CentOS 7: building a proxy server with Squid


Document date: 5 December 2019

A proxy server sits between two endpoints and acts as an intermediary.

A client C requests a resource, such as a document or a web page, from a server S. The request first goes to the proxy P, which forwards it to the destination server and fetches the resource on the client's behalf.


|C| ----><---- |P| ----><---- |S|


One benefit of a proxy is caching. For a page that many users request, the proxy keeps a local copy and serves it directly to later users without fetching it again.

Proxies are also used for access control, authorization and caching. They can provide a degree of anonymity, because the proxy fetches resources with its own IP address and the origin server never needs to see the client's. One caveat a practitioner should know: by default Squid adds an X-Forwarded-For header carrying the client's address (and a Via header naming the proxy) to every forwarded request, so a proxy that is meant to hide its clients must set `forwarded_for delete` and `via off` in squid.conf.

Squid Proxy is an open-source caching proxy for the web. It supports HTTP, HTTPS, FTP and more. By caching and reusing frequently requested pages it shortens response times and reduces bandwidth use.

This article shows how to install the Squid proxy service on CentOS 7 and walks through the basic configuration needed to run it as a caching proxy.

# System requirements

Squid has no particular minimum hardware requirement; its memory use depends on how many users go through the proxy and how many objects are held in the cache. For the rest of this guide you need root access on CentOS 7: if you are logged in as a regular user, switch to root with `sudo -i`; members of the sudoers group can instead prefix each command with `sudo`.

# Installing Squid

Before installing, update the system packages:


yum -y update


The original guide adds the EPEL repository next. On CentOS 7 the squid package actually ships in the base repository, so EPEL is not required for it; adding it is harmless if you want it for other packages:


yum -y install epel-release
yum -y update
yum clean all


Now install the Squid proxy:


yum -y install squid


Once installed, the service is controlled through systemd. Start it:


systemctl start squid


To have it start at boot:


systemctl enable squid


Check the service status:


systemctl status squid


The output looks like this:


[root@192 ~]# systemctl status squid
● squid.service - Squid caching proxy
   Loaded: loaded (/usr/lib/systemd/system/squid.service; disabled; vendor preset: disabled)
   Active: active (running) since Fri 2019-12-06 01:44:50 CST; 33s ago
  Process: 1312 ExecStart=/usr/sbin/squid $SQUID_OPTS -f $SQUID_CONF (code=exited, status=0/SUCCESS)
  Process: 1306 ExecStartPre=/usr/libexec/squid/cache_swap.sh (code=exited, status=0/SUCCESS)
 Main PID: 1314 (squid)
   CGroup: /system.slice/squid.service
           ├─1314 /usr/sbin/squid -f /etc/squid/squid.conf
           ├─1316 (squid-1) -f /etc/squid/squid.conf
           └─1317 (logfile-daemon) /var/log/squid/access.log

Dec 06 01:44:50 192.168.233.166 systemd[1]: Starting Squid caching proxy...
Dec 06 01:44:50 192.168.233.166 squid[1314]: Squid Parent: will start 1 kids
Dec 06 01:44:50 192.168.233.166 squid[1314]: Squid Parent: (squid-1) process 1316 started
Dec 06 01:44:50 192.168.233.166 systemd[1]: Started Squid caching proxy.


To see more of squid's command-line options:


[root@192 ~]# squid -h
Usage: squid [-cdhvzCFNRVYX] [-n name] [-s | -l facility] [-f config-file] [-[au] port] [-k signal]
       -a port   Specify HTTP port number (default: 3128).
       -d level  Write debugging to stderr also.
       -f file   Use given config-file instead of
                 /etc/squid/squid.conf
       -h        Print help message.
       -k reconfigure|rotate|shutdown|restart|interrupt|kill|debug|check|parse
                 Parse configuration file, then send signal to
                 running copy (except -k parse) and exit.
       -n name   Specify service name to use for service operations
                 default is: squid.
       -s | -l facility
                 Enable logging to syslog.
       -u port   Specify ICP port number (default: 3130), disable with 0.
       -v        Print version.
       -z        Create missing swap directories and then exit.
       -C        Do not catch fatal signals.
       -D        OBSOLETE. Scheduled for removal.
       -F        Don't serve any requests until store is rebuilt.
       -N        No daemon mode.
       -R        Do not set REUSEADDR on port.
       -S        Double-check swap during rebuild.
       -X        Force full debugging.
       -Y        Only return UDP_HIT or UDP_MISS_NOFETCH during fast reload.


To show the version and the options it was built with:


[root@192 ~]# squid -v
Squid Cache: Version 3.5.20
Service Name: squid
configure options:  
'--build=x86_64-redhat-linux-gnu' 
'--host=x86_64-redhat-linux-gnu' 
'--program-prefix=' 
'--prefix=/usr' 
'--exec-prefix=/usr' 
'--bindir=/usr/bin' 
'--sbindir=/usr/sbin' 
'--sysconfdir=/etc' 
'--datadir=/usr/share' 
'--includedir=/usr/include' 
'--libdir=/usr/lib64' 
'--libexecdir=/usr/libexec' 
'--sharedstatedir=/var/lib' 
'--mandir=/usr/share/man' 
'--infodir=/usr/share/info' 
'--disable-strict-error-checking' 
'--exec_prefix=/usr' 
'--libexecdir=/usr/lib64/squid' 
'--localstatedir=/var' 
'--datadir=/usr/share/squid' 
'--sysconfdir=/etc/squid' 
'--with-logdir=$(localstatedir)/log/squid' 
'--with-pidfile=$(localstatedir)/run/squid.pid' 
'--disable-dependency-tracking' 
'--enable-eui' 
'--enable-follow-x-forwarded-for' 
'--enable-auth' 
'--enable-auth-basic=DB,LDAP,MSNT-multi-domain,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB,SMB_LM,getpwnam' 
'--enable-auth-ntlm=smb_lm,fake' 
'--enable-auth-digest=file,LDAP,eDirectory' 
'--enable-auth-negotiate=kerberos' 
'--enable-external-acl-helpers=file_userip,LDAP_group,time_quota,session,unix_group,wbinfo_group,kerberos_ldap_group' 
'--enable-cache-digests' 
'--enable-cachemgr-hostname=localhost' 
'--enable-delay-pools' 
'--enable-epoll' 
'--enable-ident-lookups' 
'--enable-linux-netfilter' 
'--enable-removal-policies=heap,lru' '--enable-snmp' 
'--enable-ssl-crtd' '--enable-storeio=aufs,diskd,rock,ufs' '--enable-wccpv2' 
'--enable-esi' 
'--enable-ecap' 
'--with-aio' 
'--with-default-user=squid' 
'--with-dl' 
'--with-openssl' 
'--with-pthreads' 
'--disable-arch-native' 
'build_alias=x86_64-redhat-linux-gnu' 
'host_alias=x86_64-redhat-linux-gnu' 
'CFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches   -m64 -mtune=generic -fpie' 
'LDFLAGS=-Wl,-z,relro  -pie -Wl,-z,relro -Wl,-z,now' 
'CXXFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches   -m64 -mtune=generic -fpie' 
'PKG_CONFIG_PATH=:/usr/lib64/pkgconfig:/usr/share/pkgconfig'


Squid's main configuration file is /etc/squid/squid.conf. You can now point a browser at the new proxy.

In Internet Explorer and Google Chrome on Windows the setting lives under Control Panel -> Internet Options -> Connections -> LAN settings -> Proxy server ("Use a proxy server for your LAN"). Enter the proxy server's IP address and port 3128, and the browser will route its traffic through the proxy.

Out of the box Squid only accepts clients from the private (RFC 1918) ranges listed in its `localnet` ACL. A client coming from anywhere else gets Squid's "Access Denied" error page (HTTP 403) and has to be allowed in the access rules described below. A browser message such as "The proxy server is refusing connections", on the other hand, means nothing answered on TCP port 3128 at all: on CentOS 7 that is usually firewalld, so open the port with `firewall-cmd --permanent --add-port=3128/tcp && firewall-cmd --reload`, and confirm squid is listening with `ss -ltnp | grep 3128`.

First look at the access log:


tail -f /var/log/squid/access.log


Entries look like the following. Each line records the timestamp, elapsed milliseconds, client IP, result code and HTTP status, bytes sent, method, URL, ident, and upstream peer. The lines below are CONNECT requests that were served (TCP_MISS/200); a client rejected by the access rules shows up as TCP_DENIED/403 instead:


1476596170.987  61641 61.14.229.246 TCP_MISS/200 3460 CONNECT aus5.mozilla.org:443 - HIER_DIRECT/52.42.158.162 -
1476596470.531 121781 61.14.229.246 TCP_MISS/200 129 CONNECT qa.sockets.stackexchange.com:80 - HIER_DIRECT/198.252.206.25 -
1476596574.995 101350 61.14.229.246 TCP_MISS/200 129 CONNECT qa.sockets.stackexchange.com:80 - HIER_DIRECT/198.252.206.25 -
1476596867.906 290539 61.14.229.246 TCP_MISS/200 129 CONNECT qa.sockets.stackexchange.com:80 - HIER_DIRECT/198.252.206.25 -
1476596875.984   4939 61.14.229.246 TCP_MISS/200 129 CONNECT qa.sockets.stackexchange.com:80 - HIER_DIRECT/198.252.206.25 -
1476597519.292 1561080 61.14.229.246 TCP_MISS/200 3828 CONNECT qa.sockets.stackexchange.com:443 - HIER_DIRECT/198.252.206.25 -
1476597857.853 979174 61.14.229.246 TCP_MISS/200 216 CONNECT qa.sockets.stackexchange.com:80 - HIER_DIRECT/198.252.206.25 -
1476598063.413   4459 61.14.229.246 TCP_MISS/200 129 CONNECT qa.sockets.stackexchange.com:80 - HIER_DIRECT/198.252.206.25 -
1476598213.392 351400 61.14.229.246 TCP_MISS/200 158 CONNECT qa.sockets.stackexchange.com:80 - HIER_DIRECT/198.252.206.25 -
1476598576.745 511218 61.14.229.246 TCP_MISS/200 158 CONNECT qa.sockets.stackexchange.com:80 - HIER_DIRECT/198.252.206.25 -
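A quick way to separate policy denials from served requests when reading that log, as an added example that is not part of the original article: the script below summarises a Squid native-format access.log per client with awk, counting TCP_DENIED entries separately and flagging CONNECT requests to ports other than 443 (which the shipped policy rejects). The sample log lines it runs on are constructed for the example, and the function names are my own.

```bash
#!/bin/sh
# Added example, not code from the article: summarise a Squid native-format access.log
# per client, separating policy denials (TCP_DENIED) from served requests and flagging
# CONNECT requests to ports other than 443, which the shipped policy rejects.
# Field layout of the native format:
#   timestamp elapsed_ms client result/status bytes method url ident hierarchy/peer content-type

# summarize_access_log FILE -> one line per client, sorted by address
summarize_access_log() {
    awk '
    {
        client = $3
        split($4, rs, "/")                 # rs[1] result code, rs[2] HTTP status
        if (rs[1] == "TCP_DENIED") denied[client]++
        else allowed[client]++
        if ($6 == "CONNECT") {             # CONNECT target is host:port
            n = split($7, hp, ":")
            if (hp[n] != "443") odd[client]++
        }
        seen[client] = 1
    }
    END {
        for (c in seen)
            printf "%s allowed=%d denied=%d connect_non443=%d\n",
                   c, allowed[c] + 0, denied[c] + 0, odd[c] + 0
    }' "$1" | sort
}

# write_sample_log FILE: constructed sample lines (not a real capture) in the same format.
# 10.9.8.7 is outside the default localnet ranges, so the shipped policy denies it.
write_sample_log() {
    cat > "$1" <<'EOF'
1575561890.123    45 192.168.233.10 TCP_MISS/200 3460 CONNECT aus5.mozilla.org:443 - HIER_DIRECT/52.42.158.162 -
1575561891.456     0 10.9.8.7 TCP_DENIED/403 3821 GET http://example.com/ - HIER_NONE/- text/html
1575561892.789     0 192.168.233.10 TCP_DENIED/403 3900 CONNECT intranet.example.com:22 - HIER_NONE/- text/html
1575561893.012   120 192.168.233.10 TCP_HIT/200 1200 GET http://example.com/favicon.ico - HIER_NONE/- image/x-icon
EOF
}

# Usage: ./summarize.sh [/var/log/squid/access.log]; with no argument it runs on the sample.
if [ -n "$1" ]; then
    summarize_access_log "$1"
else
    sample=$(mktemp)
    write_sample_log "$sample"
    summarize_access_log "$sample"
    rm -f "$sample"
fi
```

Run it against /var/log/squid/access.log on the proxy; a client that shows only `denied=` counts is one the ACLs are rejecting, and a non-zero `connect_non443` count points at software trying to tunnel something other than HTTPS through the proxy.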


# Configuring Squid

Open the configuration file in an editor:


vim /etc/squid/squid.conf


The shipped minimal configuration looks like this:


#
# Recommended minimum configuration:
#

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost

# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128
http_port 3128

# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/spool/squid 100 16 256

# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid

#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320


# Allowing client IP addresses through the proxy

To admit a range of client addresses, add another `src` entry to an ACL. Squid accepts CIDR notation. Suppose you want to allow clients from 110.220.230.1 to 110.220.230.255: a /24 prefix (a 24-bit mask, i.e. three full octets) covers exactly that block of 256 addresses. Reusing the `localnet` name adds the range to the existing ACL, which `http_access allow localnet` already permits:


acl localnet src 110.220.230.0/24


This is the same as writing the network with a dotted subnet mask (110.220.230.0/255.255.255.0). Only add ranges you actually control: an entry such as 0.0.0.0/0 would turn the machine into an open proxy.

After editing, do not forget to apply the change. A restart works, but `squid -k reconfigure` reloads the configuration without dropping active client connections and refuses a file with syntax errors (check first with `squid -k parse`):


systemctl restart squid


# Allowing specific destination ports

By default Squid only lets clients reach a list of "safe" destination ports:


acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http


These are the standard ports of well-known services (HTTP, FTP, HTTPS and so on), not ports used by the Linux system itself: `Safe_ports` controls which ports on the destination servers clients may talk to. Note that the list already covers every unprivileged port (1025-65535), so a custom port only needs its own entry if it lies below 1025. How do you add such a port to the trusted list?

Write a line in the same form:


acl Safe_ports port 168


Squid also refuses CONNECT (the tunnelling method browsers use for HTTPS) to anything outside `SSL_ports`, so a port that must accept CONNECT needs an `acl SSL_ports port ...` entry as well. Apply the change with `systemctl restart squid` (or `squid -k reconfigure`) and it takes effect.
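Both of the previous two sections follow the same procedure (add an ACL line, apply, reload), so here is one added example that is not part of the original article: a small script that builds the extra client-network and destination-port ACL lines with input checking, refuses a network that would make the box an open proxy, inserts the lines ahead of the `http_access` rules (Squid must see an `acl` before any rule that references it), and reloads only after `squid -k parse` accepts the whole file. The function names and the cut-down demo configuration are my own.

```bash
#!/bin/sh
# Added example, not from the article: build the extra ACL lines for a client network and a
# destination port, insert them ahead of the http_access rules and reload only when the
# whole file parses. Function names and the demo config below are my own.

# validate_cidr A.B.C.D/N -> status 0 for a well-formed IPv4 prefix, 1 otherwise
validate_cidr() {
    case "$1" in */*) ;; *) return 1 ;; esac
    ip=${1%/*}; prefix=${1#*/}
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    case "$ip" in .*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -f; set -- $ip; set +f; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# client_net_acl CIDR -> prints an "acl localnet src" line; refuses the whole Internet
client_net_acl() {
    validate_cidr "$1" || { echo "bad CIDR: $1" >&2; return 1; }
    [ "${1#*/}" -ne 0 ] || { echo "refusing $1: that makes an open proxy" >&2; return 1; }
    printf 'acl localnet src %s\n' "$1"
}

# safe_port_acl PORT [connect] -> Safe_ports line, plus SSL_ports when CONNECT must be allowed
safe_port_acl() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ] || return 1
    printf 'acl Safe_ports port %s\n' "$1"
    [ "$2" = connect ] && printf 'acl SSL_ports port %s\n' "$1"
    return 0
}

# insert_acl_lines CONF LINES: write LINES just before the first http_access rule
insert_acl_lines() {
    awk -v add="$2" '!done && /^http_access/ { print add; done = 1 } { print }' "$1" > "$1.new" \
        && mv "$1.new" "$1"
}

# apply_config [CONF]: parse first; only a clean parse gets a graceful reload, which keeps
# existing client connections alive (unlike systemctl restart)
apply_config() {
    conf=${1:-/etc/squid/squid.conf}
    squid -k parse -f "$conf" || { echo "rejected by squid -k parse, not reloading" >&2; return 1; }
    squid -k reconfigure -f "$conf"
}

# build_demo_conf FILE: a cut-down, constructed squid.conf to exercise the functions on
build_demo_conf() {
    cat > "$1" <<'EOF'
acl localnet src 192.168.0.0/16
acl Safe_ports port 80
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access deny all
EOF
}

demo=$(mktemp)
build_demo_conf "$demo"
insert_acl_lines "$demo" "$(client_net_acl 110.220.230.0/24; safe_port_acl 168)"
cat "$demo"
rm -f "$demo"
# On the real server: insert_acl_lines /etc/squid/squid.conf "$lines" && apply_config
```

The `squid -k parse` step is the check worth keeping even if you edit by hand: a typo in an `acl` line is a fatal error, and finding it before the reload is far better than finding it when the proxy refuses to come back up.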

# Basic authentication with Squid

If you want users to prove their identity before they can use the proxy, Squid's basic authentication feature does the job.

It relies on the htpasswd command from the httpd-tools package to create the hashed password file. Install it with:


yum -y install httpd-tools


Then create the password file. Squid's authentication helper runs as the squid user, so make the file readable by that user and by nobody else:


touch /etc/squid/passwd && chown root:squid /etc/squid/passwd && chmod 640 /etc/squid/passwd


Add users to the file with htpasswd. To create the user pxuser:


htpasswd /etc/squid/passwd pxuser


You are prompted for the password and asked to confirm it. Remember it: it is pxuser's proxy password.

By default htpasswd hashes the password with its MD5-based (apr1) scheme, so the file stores hashes rather than cleartext. Keep in mind that Basic authentication itself sends the username and password base64-encoded, not encrypted, on every request, so only use it where the path from the clients to the proxy is trusted.

With the user in place, tell Squid to accept authenticated users. Add the following lines below the Safe_ports section. That position keeps `http_access allow auth_users` ahead of `http_access allow localnet`, and the order matters: Squid applies the first matching rule, so a client matched by `allow localnet` first would never be asked for credentials:


auth_param basic program /usr/lib64/squid/basic_ncsa_auth /etc/squid/passwd
auth_param basic children 5
auth_param basic realm Squid Basic Authentication
auth_param basic credentialsttl 2 hours
acl auth_users proxy_auth REQUIRED
http_access allow auth_users


Restart squid once the configuration is saved. On the next connection through the proxy the browser pops up a login prompt; a failed login returns an error page.
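Two checks are worth running before relying on that setup, shown here as an added example that is not part of the original article: inspect the password file to see which hash scheme each entry uses (DES-crypt entries from `htpasswd -d` silently truncate passwords to 8 characters), and talk to basic_ncsa_auth directly, the same way Squid does, to confirm a user's credentials work before debugging the browser side. The function names are my own; the sample file is constructed and its hashes are placeholders, not real passwords.

```bash
#!/bin/sh
# Added example, not from the article: audit the NCSA password file that basic_ncsa_auth reads
# and exercise the helper directly, the way Squid itself talks to it. Function names are my own;
# the sample file below is constructed and its hashes are placeholders, not real passwords.

# hash_kind HASH -> scheme htpasswd used, judged from the well-known prefixes
hash_kind() {
    case "$1" in
        '$apr1$'*)        echo md5 ;;     # htpasswd -m, the default on CentOS 7
        '{SHA}'*)         echo sha1 ;;    # htpasswd -s
        '$2y$'*|'$2a$'*)  echo bcrypt ;;  # htpasswd -B; needs a crypt() that knows bcrypt, which CentOS 7 glibc lacks
        *)                echo crypt ;;   # htpasswd -d: DES crypt, password silently cut to 8 chars
    esac
}

# audit_passwd FILE -> "user scheme" per entry
audit_passwd() {
    while IFS=: read -r user hash; do
        [ -n "$user" ] && printf '%s %s\n' "$user" "$(hash_kind "$hash")"
    done < "$1"
    return 0
}

# weak_entries FILE -> number of DES-crypt entries (the ones to rehash with htpasswd -m)
weak_entries() {
    audit_passwd "$1" | awk '$2 == "crypt" { n++ } END { print n + 0 }'
}

# check_helper FILE USER PASSWORD: speak the basic-auth helper protocol ("user password" on
# stdin, "OK" or "ERR" on stdout). Only meaningful where the squid package is installed.
check_helper() {
    helper=/usr/lib64/squid/basic_ncsa_auth
    [ -x "$helper" ] || { echo "$helper not installed, skipping" >&2; return 2; }
    printf '%s %s\n' "$2" "$3" | "$helper" "$1" | head -n 1
}

# write_sample_passwd FILE: constructed entries, one apr1-MD5 and one DES-crypt
write_sample_passwd() {
    cat > "$1" <<'EOF'
pxuser:$apr1$Zs4bx1Ap$placeholder00000000000
legacy:abJnggxhB/yWI
EOF
}

sample=$(mktemp)
write_sample_passwd "$sample"
audit_passwd "$sample"
echo "weak (DES-crypt) entries: $(weak_entries "$sample")"
check_helper "$sample" pxuser secret || true
rm -f "$sample"
# The real file, /etc/squid/passwd, should be root:squid mode 0640 so only the helper reads it.
```

On the proxy itself, `check_helper /etc/squid/passwd pxuser 'the-password'` printing `OK` proves the file and the helper path in `auth_param` are right; an `ERR` there means the problem is in the password file, not in Squid's access rules.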

# Blocking websites

A proxy is a natural place to keep users away from sites you consider dangerous, and it is easy to do. The usual way to manage the list is a separate file naming the domains to block:


touch /etc/squid/blocked_sites


For example:


baidu.com
google.com


Save it and add the following to /etc/squid/squid.conf. Place the deny rule above the `http_access allow` rules, otherwise an earlier allow wins and the block never fires. Note also how dstdomain matches: `baidu.com` matches only that exact host, whereas `.baidu.com` (with a leading dot) matches the domain and every subdomain such as www.baidu.com, which is almost always what you want. Because Squid evaluates dstdomain on the CONNECT target as well, the list applies to HTTPS sites too:


acl blocked_sites dstdomain "/etc/squid/blocked_sites"
http_access deny blocked_sites


Restart the service and, bingo, Baidu and Google are strangers from now on.
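Because the leading-dot rule is the part people get wrong, here is an added example, not part of the original article, that reproduces Squid's dstdomain matching on a block-list file so you can see which hostnames a list really catches before loading it: a bare `baidu.com` entry does not catch www.baidu.com. The function names are mine and the sample list is constructed.

```bash
#!/bin/sh
# Added example, not from the article: reproduce Squid's dstdomain matching on a block-list file
# so you can check which hostnames a list really catches before loading it into squid.conf.
# Rules: "baidu.com" matches only the host baidu.com; ".baidu.com" (leading dot) matches
# baidu.com and every name under it; comparison is case-insensitive. Function names are mine.

# host_blocked HOST FILE -> status 0 if some entry in FILE matches HOST, 1 otherwise
host_blocked() {
    host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    while read -r entry; do
        entry=$(printf '%s' "$entry" | tr 'A-Z' 'a-z')
        case "$entry" in ''|'#'*) continue ;; esac        # skip blanks and comments
        case "$entry" in
            .*)
                [ "$host" = "${entry#.}" ] && return 0        # the bare domain itself
                case "$host" in *"$entry") return 0 ;; esac   # any subdomain
                ;;
            *)
                [ "$host" = "$entry" ] && return 0            # exact host only
                ;;
        esac
    done < "$2"
    return 1
}

# report FILE HOST... -> "host: blocked|allowed" for each host
report() {
    list=$1; shift
    for h in "$@"; do
        if host_blocked "$h" "$list"; then echo "$h: blocked"; else echo "$h: allowed"; fi
    done
}

# write_sample_list FILE: constructed block list mixing the two entry styles
write_sample_list() {
    cat > "$1" <<'EOF'
# exact host only: www.baidu.com is NOT caught by this entry
baidu.com
# domain and all subdomains
.google.com
EOF
}

list=$(mktemp)
write_sample_list "$list"
report "$list" baidu.com www.baidu.com google.com mail.google.com notgoogle.com
rm -f "$list"
```

Run `report /etc/squid/blocked_sites www.baidu.com` against your real list; if it prints `allowed`, change the entry to `.baidu.com` before reloading Squid.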

# Changing Squid's port

As you have probably guessed, it is a line in the configuration file:


http_port 3128


Change it to any unused port number (1-65535). Remember to restart the service afterwards and to update the firewalld rule and the clients to match. With SELinux enforcing on CentOS 7, also label the new port for squid first (`semanage port -a -t squid_port_t -p tcp <port>`), otherwise Squid is not allowed to bind it.

# Conclusion

That is the whole installation and configuration walkthrough for Squid. Go and try it yourself: no amount of reading beats hands-on practice for making it stick.

The world had no roads to begin with; fall into enough pits and you learn how to walk. Happy coding.