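1. CentOS 6.4 32-bit installation
Hardware: 2 CPUs, 4 GB RAM, 100 GB disk, 8 GB swap, the rest allocated to /
Choose the minimal installation and customize the package selection:
1. Base System: ① Java Platform ② Perl Support ③ Compatibility libraries ④ Base ⑤ Hardware monitoring utilities ⑥ Legacy UNIX compatibility ⑦ Network file system client ⑧ Debugging Tools
2. Development: Development tools
3. Servers: Server Platform
Server name:
IP configuration:
DNS:
Modify the system limits.conf
Edit /etc/security/limits.conf
* soft nofile 32768
* hard nofile 65536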
2. Squid installation
[root@squid159 ~]# yum -y install squid
Loaded plugins: fastestmirror, security
Determining fastest mirrors
* base: mirrors.btte.net
* extras: mirrors.btte.net
* updates: mirrors.btte.net
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package squid.i686 7:3.1.10-16.el6 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
===================================================================================
Package      Arch      Version              Repository      Size
===================================================================================
Installing:
squid        i686      7:3.1.10-16.el6      base            1.7 M
Transaction Summary
===================================================================================
Install 1 Package(s)
Total download size: 1.7 M
Installed size: 5.7 M
Downloading Packages:
squid-3.1.10-16.el6.i686.rpm | 1.7 MB 00:00
warning: rpmts_HdrFromFdno: Header V3 RSA/SHA1 Signature, key ID c105b9de: NOKEY
Retrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
Importing GPG key 0xC105B9DE:
Userid : CentOS-6 Key (CentOS 6 Official Signing Key)
Package: centos-release-6-4.el6.centos.10.i686 (@anaconda-CentOS-201303020136.i386/6.4)
From: /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Installing : 7:squid-3.1.10-16.el6.i686 1/1
Verifying : 7:squid-3.1.10-16.el6.i686 1/1
Installed:
squid.i686 7:3.1.10-16.el6
Complete!
3. Squid configuration
[root@squid159 ~]# vi /etc/squid/squid.conf
#
# Recommended minimum configuration:
#
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
#
# Recommended minimum Access Permission configuration:
#
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
# Deny requests to certain unsafe ports
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost
# And finally deny all other access to this proxy
http_access deny all
# Squid normally listens to port 3128
http_port 3128
# We recommend you to use at least the following line.
hierarchy_stoplist cgi-bin ?
# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/spool/squid 100 16 256
# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid
# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern .
The above is the default configuration file.
3.1 Two places need to be changed
#http_port 3128
http_port 80 vhost vport
Also comment out one line and add another
#http_access deny all
http_access allow all
3.2 Append the following at the end
visible_hostname squidproxy
cache_dir ufs /var/spool/squid 2048 16 256
cache_mem 2048 MB
maximum_object_size_in_memory 4096 KB
maximum_object_size 4096 KB
minimum_object_size 0 KB
error_directory /usr/share/squid/errors/zh-cn
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_mgr [email protected]
cache_peer <actual IP> parent 80 0 no-query originserver no-digest name=wangzhan
cache_peer_domain wangzhan <actual domain>
cache_peer <actual IP> parent 80 0 no-query originserver no-digest name=cactiez
cache_peer_domain cactiez <actual domain>
cache_peer <actual IP> parent 80 0 no-query originserver no-digest name=nagios
cache_peer_domain nagios <actual domain>
httpd_suppress_version_string on
Save and exit
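A check for the http_access change in 3.1, as an added example that is not part of the original post: it flags an active "http_access allow all", which admits requests for any destination, and derives from the cache_peer_domain lines a dstdomain rule set limited to the published sites. The ACL name accel_sites and the sample addresses and domains are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). Both functions read a
# squid.conf on stdin.

# Exit 0 when an uncommented "http_access allow all" is present.
has_allow_all() {
    grep -Eq '^[[:space:]]*http_access[[:space:]]+allow[[:space:]]+all([[:space:]]|$)'
}

# Print rules that admit only the domains named in cache_peer_domain lines.
# "accel_sites" is a hypothetical ACL name chosen for this example.
suggest_accel_rules() {
    awk '
        $1 == "cache_peer_domain" {
            for (i = 3; i <= NF; i++)
                if ($i !~ /^!/ && !seen[$i]++) doms = doms " " $i
        }
        END {
            if (doms == "") exit 1
            print "acl accel_sites dstdomain" doms
            print "http_access allow accel_sites"
            print "http_access deny all"
        }'
}

# Constructed sample mirroring sections 3.1 and 3.2; the addresses and
# domains are placeholders for the "actual IP" / "actual domain" values.
SAMPLE_CONF='http_port 80 vhost vport
#http_access deny all
http_access allow all
cache_peer 192.0.2.10 parent 80 0 no-query originserver no-digest name=wangzhan
cache_peer_domain wangzhan www.example.com
cache_peer 192.0.2.11 parent 80 0 no-query originserver no-digest name=cactiez
cache_peer_domain cactiez cacti.example.com
cache_peer 192.0.2.12 parent 80 0 no-query originserver no-digest name=nagios
cache_peer_domain nagios nagios.example.com'

if printf '%s\n' "$SAMPLE_CONF" | has_allow_all; then
    echo "http_access allow all is active; rules limited to the published sites:"
    printf '%s\n' "$SAMPLE_CONF" | suggest_accel_rules
fi
```

The printed lines take the place of "http_access allow all"; Squid evaluates http_access rules in order, so they must sit where that line was.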
[root@squid159 ~]# service squid start
init_cache_dir /var/spool/squid... 正在启动 squid:.[确定]
[root@squid159 ~]# chkconfig -level 35 squid on
-level: 未知的选项
[root@squid159 ~]# chkconfig --level 35 squid on
3.3 Open port 80 in the firewall
[root@squid159 ~]# vi /etc/sysconfig/iptables
Add port 80
[root@squid159 ~]# service iptables restart
iptables:清除防火墙规则:[确定]
iptables:将链设置为政策 ACCEPT:filter [确定]
iptables:正在卸载模块:[确定]
iptables:应用防火墙规则:[确定]
3.4 Change where the domain name points
Then, on the DNS server, point the domain name at the Squid proxy server
Check Squid's running status
[root@centos ~]# squidclient -p 80 mgr:info
4. Monitoring Squid with Cacti
4.1 Configure Squid
[root@squid159 ~]# vi /etc/squid/squid.conf
Append the following 5 lines at the end
acl cactiserver src <actual IP of the monitoring server>
acl SNMP snmp_community squidpublic
snmp_port 3401
snmp_access allow SNMP cactiserver
snmp_access deny all
4.2 Install net-snmp
[root@squid159 ~]# yum -y install net-snmp
Loaded plugins: fastestmirror, security
Loading mirror speeds from cached hostfile
* base: mirrors.btte.net
* extras: mirrors.btte.net
* updates: mirrors.btte.net
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package net-snmp.i686 1:5.5-44.el6_4.1 will be installed
--> Processing Dependency: net-snmp-libs = 1:5.5-44.el6_4.1 for package: 1:net-snmp-5.5-44.el6_4.1.i686
--> Processing Dependency: libsensors.so.4 for package: 1:net-snmp-5.5-44.el6_4.1.i686
--> Processing Dependency: libnetsnmptrapd.so.20 for package: 1:net-snmp-5.5-44.el6_4.1.i686
--> Processing Dependency: libnetsnmpmibs.so.20 for package: 1:net-snmp-5.5-44.el6_4.1.i686
--> Processing Dependency: libnetsnmphelpers.so.20 for package: 1:net-snmp-5.5-44.el6_4.1.i686
--> Processing Dependency: libnetsnmpagent.so.20 for package: 1:net-snmp-5.5-44.el6_4.1.i686
--> Processing Dependency: libnetsnmp.so.20 for package: 1:net-snmp-5.5-44.el6_4.1.i686
--> Running transaction check
---> Package lm_sensors-libs.i686 0:3.1.1-17.el6 will be installed
---> Package net-snmp-libs.i686 1:5.5-44.el6_4.1 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
=====================================================================================
Package              Arch      Version               Repository      Size
=====================================================================================
Installing:
net-snmp             i686      1:5.5-44.el6_4.1      updates         302 k
Installing for dependencies:
lm_sensors-libs      i686      3.1.1-17.el6          base            37 k
net-snmp-libs        i686      1:5.5-44.el6_4.1      updates         1.5 M
Transaction Summary
=====================================================================================
Install 3 Package(s)
Total download size: 1.8 M
Installed size: 6.4 M
Downloading Packages:
(1/3): lm_sensors-libs-3.1.1-17.el6.i686.rpm | 37 kB 00:00
(2/3): net-snmp-5.5-44.el6_4.1.i686.rpm | 302 kB 00:00
(3/3): net-snmp-libs-5.5-44.el6_4.1.i686.rpm | 1.5 MB 00:00
-------------------------------------------------------------------------------------
Total 4.5 MB/s | 1.8 MB 00:00
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Installing : lm_sensors-libs-3.1.1-17.el6.i686 1/3
Installing : 1:net-snmp-libs-5.5-44.el6_4.1.i686 2/3
Installing : 1:net-snmp-5.5-44.el6_4.1.i686 3/3
Verifying : 1:net-snmp-libs-5.5-44.el6_4.1.i686 1/3
Verifying : lm_sensors-libs-3.1.1-17.el6.i686 2/3
Verifying : 1:net-snmp-5.5-44.el6_4.1.i686 3/3
Installed:
net-snmp.i686 1:5.5-44.el6_4.1
Dependency Installed:
lm_sensors-libs.i686 0:3.1.1-17.el6 net-snmp-libs.i686 1:5.5-44.el6_4.1
Complete!
4.3 Configure net-snmp
[root@squid159 ~]# vi /etc/snmp/snmpd.conf
Add the following 2 lines
view systemview included .1.3.6.1.4.1.3495.1
proxy -v 2c -c squidpublic 0.0.0.0:3401 .1.3.6.1.4.1.3495.1
Change the following 3 places
#com2sec notConfigUser default public
com2sec notConfigUser <monitoring server IP> public
#access notConfigGroup "" any noauth exact systemview none none
access notConfigGroup "" any noauth exact all none none
Find the following line:
#view all included .1 80
Remove the "#" at the start of that line.
3. Start the service and enable it at boot
[root@squid159 ~]# service snmpd start
正在启动 snmpd:[确定]
[root@squid159 ~]# chkconfig --level 35 snmpd on
4. Open UDP port 3401 in the firewall
[root@squid159 ~]# vi /etc/sysconfig/iptables
-A INPUT -m udp -p udp --dport 3401 -j ACCEPT
Then restart these three services
[root@squid159 ~]# service squid restart
[root@squid159 ~]# service snmpd restart
[root@squid159 ~]# service iptables restart
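The firewall rule above accepts UDP 3401 from any source, while snmp_access in squid.conf answers only the Cacti server. The following added example (not part of the original post) lists ACCEPT rules for a port that carry no source match, so the firewall can be brought in line with the Squid ACL; the port 80 rule text and the address 192.0.2.50 are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original post). Reads iptables rules in
# /etc/sysconfig/iptables format on stdin.

# unscoped_accepts PORT: print ACCEPT rules for --dport PORT that have
# no -s/--source match, i.e. rules that admit any source address.
unscoped_accepts() {
    awk -v port="$1" '
        $1 == "-A" {
            hit = 0; scoped = 0; accept = 0
            for (i = 2; i <= NF; i++) {
                if ($i == "--dport" && $(i + 1) == port) hit = 1
                if ($i == "-s" || $i == "--source") scoped = 1
                if ($i == "-j" && $(i + 1) == "ACCEPT") accept = 1
            }
            if (hit && accept && !scoped) print
        }'
}

# Constructed sample: the 3401 rule as written in this section, next to
# an assumed port 80 rule.
PAGE_RULES='-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m udp -p udp --dport 3401 -j ACCEPT'

# Constructed alternative: the same rule limited to the monitoring
# server (192.0.2.50 is a placeholder address).
SCOPED_RULES='-A INPUT -s 192.0.2.50 -m udp -p udp --dport 3401 -j ACCEPT'

echo "rules from this section open to any source on UDP 3401:"
printf '%s\n' "$PAGE_RULES" | unscoped_accepts 3401
echo "after adding a source match:"
printf '%s\n' "$SCOPED_RULES" | unscoped_accepts 3401
```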
4.4 Configure Cacti
You can test from the Cacti server
[root@CactiEZ ~]# snmpwalk -v2c -c squidpublic <Squid server IP>:3401 .1.3.6.1.4.1.3495.1
Configuration in CactiEZ:
4.5 Cacti result graphs
5. Squid log management
5.1 Install webalizer
[root@squid159 ~]# yum -y install webalizer
Result
Installed:
webalizer.i686 0:2.21_02-3.3.el6
Dependency Installed:
apr-util-ldap.i686 0:1.3.9-3.el6_0.1 gd.i686 0:2.0.35-11.el6
httpd.i686 0:2.2.15-26.el6.centos httpd-tools.i686 0:2.2.15-26.el6.centos
libXpm.i686 0:3.5.10-2.el6
Complete!
[root@squid159 ~]# vi /etc/httpd/conf/httpd.conf
Listen 8080
Find
and insert the following 4 lines before it.
AuthType Basic
AuthName "admin"
AuthUserFile /var/www/passwd/admin
require valid-user
[root@centos ~]# mkdir /var/www/passwd
[root@centos ~]# cd /var/www/passwd
[root@centos passwd]# htpasswd -c admin administrator
New password:
Re-type new password:
Adding password for user administrator
The username is administrator and the password is
[root@centos passwd]# chown apache.apache admin
[root@centos passwd]# service httpd restart
[root@centos ~]# vi /etc/sysconfig/iptables
-A INPUT -m state --state NEW -m tcp -p tcp --dport 8080 -j ACCEPT
[root@centos ~]# service iptables restart
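5.2 Configure webalizer
Edit the Webalizer configuration file with vi.
[root@localhost ~]# vi /etc/webalizer.conf
Set the path of the access log.
Change the system default:
LogFile /var/log/httpd/access_log
to the following:
LogFile /var/log/squid/access.log
Set the format type of the access log.
Change the format type parameter:
LogType clf
to:
LogType squid
Set the report output directory.
Change it from the default:
OutputDir /var/www/html
to the directory where the Squid statistics reports are saved.
5.3 Add a scheduled task
Use the crontab command to have Webalizer generate the Squid traffic statistics every hour on the hour.
[root@localhost ~]# crontab -e
0 */1 * * * webalizer -c /etc/webalizer.conf
After saving, run service crond restart
5.4 View the log analysis results
http://IP:8080
Username: administrator
Password: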
6. Manually clearing the Squid cache
[root@squid159 ~]# service squid stop
停止 squid:................[确定]
[root@squid159 ~]# rm -rf /var/spool/squid/*
[root@squid159 ~]# cd /var/spool/squid/
[root@squid159 squid]# ls
[root@squid159 squid]# cd /
[root@squid159 /]# squid -z
2013/05/08 11:49:14| Creating Swap Directories
2013/05/08 11:49:14| /var/spool/squid exists
2013/05/08 11:49:14| Making directories in /var/spool/squid/00
2013/05/08 11:49:14| Making directories in /var/spool/squid/01
2013/05/08 11:49:14| Making directories in /var/spool/squid/02
2013/05/08 11:49:14| Making directories in /var/spool/squid/03
2013/05/08 11:49:14| Making directories in /var/spool/squid/04
2013/05/08 11:49:14| Making directories in /var/spool/squid/05
2013/05/08 11:49:14| Making directories in /var/spool/squid/06
2013/05/08 11:49:14| Making directories in /var/spool/squid/07
2013/05/08 11:49:14| Making directories in /var/spool/squid/08
2013/05/08 11:49:14| Making directories in /var/spool/squid/09
2013/05/08 11:49:14| Making directories in /var/spool/squid/0A
2013/05/08 11:49:14| Making directories in /var/spool/squid/0B
2013/05/08 11:49:14| Making directories in /var/spool/squid/0C
2013/05/08 11:49:14| Making directories in /var/spool/squid/0D
2013/05/08 11:49:14| Making directories in /var/spool/squid/0E
2013/05/08 11:49:14| Making directories in /var/spool/squid/0F
[root@squid159 /]# cd /var/spool/squid
[root@squid159 squid]# ls
00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
[root@squid159 squid]# service squid start
正在启动 squid:.[确定]
[root@squid159 squid]# ls
00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F swap.state
7. Squid stress test
Download siege-3.0.0.tar.gz (the latest version as of 2013-5-8) and upload it to the /usr/local/src directory
[[email protected]]# tar zxvf siege-3.0.0.tar.gz
[[email protected]]# ls
[[email protected]]# cd siege-3.0.0
[[email protected]]# ./configure
[[email protected]]# make
[[email protected]]# make install
[root@squid159 /]# find / -name siegerc
[root@squid159 /]# vi /usr/local/etc/siegerc
Change
Verbose = false
Concurrent = 50
Internet = true
Benchmark = true
[root@squid159 /]# siege -c 100 -r 10 http://<site domain>
** SIEGE 3.0.0
** Preparing 100 concurrent users for battle.
The server is now under siege.. done.
Transactions: 1000 hits
Availability: 100.00 %
Elapsed time: 2.99 secs
Data transferred: 8.28 MB
Response time: 0.29 secs
Transaction rate: 334.45 trans/sec
Throughput: 2.77 MB/sec
Concurrency: 96.24
Successful transactions: 1000
Failed transactions: 0
Longest transaction: 1.07
Shortest transaction: 0.13
FILE: /usr/local/var/siege.log
You can disable this annoying message by editing
the .siegerc file in your home directory; change
the directive 'show-logfile' to false.
[error] unable to create log file: No such file or directory
[root@squid159 /]# siege -c 200 -r 10 http://<site domain>
** SIEGE 3.0.0
** Preparing 200 concurrent users for battle.
The server is now under siege.. done.
Transactions: 2000 hits
Availability: 100.00 %
Elapsed time: 14.88 secs
Data transferred: 16.56 MB
Response time: 0.60 secs
Transaction rate: 134.41 trans/sec
Throughput: 1.11 MB/sec
Concurrency: 80.44
Successful transactions: 2000
Failed transactions: 0
Longest transaction: 10.05
Shortest transaction: 0.01
[root@squid159 /]# siege -c 300 -r 10 http://<site domain>
** SIEGE 3.0.0
** Preparing 300 concurrent users for battle.
The server is now under siege.. done.
Transactions: 3000 hits
Availability: 100.00 %
Elapsed time: 14.50 secs
Data transferred: 3.33 MB
Response time: 0.85 secs
Transaction rate: 206.90 trans/sec
Throughput: 0.23 MB/sec
Concurrency: 175.13
Successful transactions: 0
Failed transactions: 0
Longest transaction: 10.01
Shortest transaction: 0.00
[root@squid159 /]# siege -c 500 -r 10 http://<site domain>
[fatal] unable to allocate memory for 500 simulated browser: Resource temporarily unavailable
7.1 siege test results
Concurrent users | 100 | 200 | 300
Transaction rate | 334.45 trans/sec | 134.41 trans/sec | 206.90 trans/sec
Actual concurrency | 96.24 | 80.44 | 175.13
Response time | 0.29 secs | 0.60 secs | 0.85 secs
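Description of some of the siege metrics:
Transactions: total number of transactions completed
Availability: success rate of completion
Elapsed time: total time used
Data transferred: total size of the data in the responses
Response time: shows the speed of the network connection
Transaction rate: average number of transactions completed per second
Throughput: average amount of data transferred per second
Concurrency: actual maximum number of concurrent connections
Successful transactions: number of transactions handled successfully
Failed transactions: number of transactions that failed
Longest transaction: time taken by the longest transaction
Shortest transaction: time taken by the shortest transaction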