环境介绍:
主机名 | 角色 | IP地址 |
squid.contoso.com | squid代理服务器 | 192.168.49.135 |
p_w_picpath01.contoso.com | 图片服务器(web) | 192.168.49.139 |
一、准备工作
以其中一台为例,确认防火墙规则为空、SELinux已关闭、/etc/hosts中已添加两台主机的解析、并已通过crontab配置时间同步:
[root@squid etc]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[root@squid etc]# getenforce
Disabled
[root@squid etc]# tail -2 /etc/hosts
192.168.49.139 p_w_picpath01.contoso.com p_w_picpath01
192.168.49.135 squid.contoso.com squid
[root@squid etc]# crontab -l #时间同步一定要做,否则代理与源站时钟不一致时,squid对缓存对象新鲜度的判断会出错,反向代理缓存可能出现无法命中的问题
0 * * * * /usr/sbin/ntpdate 210.72.145.44 64.147.116.229 time.nist.gov
二、squid配置
继续上一篇squid的正向代理中的配置,进行相应的修改。
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 8001
acl CONNECT method CONNECT
#acl qq url_regex -i ^http://.*qq.*$
#http_access deny qq
#acl qq_path urlpath_regex -i \.*qq*
#http_access deny qq_path
# 设置squid acl访问控制规则
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access deny all
icp_access allow localnet
icp_access deny all
htcp_access allow localnet
htcp_access deny all
http_port 80 accel vhost vport #squid反向代理需要使用80端口,并设置squid支持虚拟主机模式
hierarchy_stoplist cgi-bin ?
cache_dir ufs /usr/local/squid/var/cache 100 16 256
access_log /usr/local/squid/var/logs/access.log squid
cache_log /usr/local/squid/var/logs/cache.log
cache_store_log /usr/local/squid/var/logs/store.log
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern (cgi-bin|\?) 0 0% 0
refresh_pattern . 0 20% 4320
cache_mgr [email protected]
# 设置squid运行的用户
cache_effective_user squid
cache_effective_group squid
# 设置squid的可视化主机名
visible_hostname cache1.contoso.com
#icp_port 3130 #这里需要把icp端口注释掉,因为下面的cache_peer中定义端口0作为icp端口,也就是不使用icp端口进行squid服务器间通信,如果保留3130会产生冲突,所以要么修改为0,要么注释或删掉该行
coredump_dir /usr/local/squid/var/cache
cache_mem 90 MB
cache_swap_low 90
cache_swap_high 95
maximum_object_size 8192 KB
minimum_object_size 0 KB
maximum_object_size_in_memory 4096 KB
memory_replacement_policy lru
emulate_httpd_log on
cache_peer p_w_picpath01.contoso.com parent 80 0 no-query no-digest max-conn=32 originserver #设置对哪些web服务器做反向代理,originserver表示该peer是源站
hosts_file /etc/hosts #设置squid使用/etc/hosts文件解析域名
request_header_max_size 128 KB #设置请求头部大小的最大值
ipcache_size 1024
ipcache_low 90
ipcache_high 95
三、图片服务器安装httpd服务
yum -y install httpd
[root@p_w_picpath01 html]# ll
total 272
-rw-r--r-- 1 root root 193402 Jun 26 2014 lnmp.jpg
-rw-r--r-- 1 root root 7807 Jun 5 2014 mysql.png
-rw-r--r-- 1 root root 26837 Apr 24 2012 nginx.jpg
-rw-r--r-- 1 root root 43831 Dec 19 2013 php.jpg
service httpd restart
浏览器进行测试访问:
四、启动squid并测试反向代理
[root@squid etc]# squid -k parse
2016/10/30 23:09:23| Processing Configuration File: /usr/local/squid/etc/squid.conf (depth 0)
2016/10/30 23:09:23| Initializing https proxy context
[root@squid etc]# squid -D
[root@squid etc]# netstat -tunlp|grep squid
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 1164/(squid)
[root@squid etc]# lsof -i :80 #这里也可以说明squid服务器上是没有httpd等web服务在运行
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
squid 1164 squid 18u IPv4 10763 0t0 TCP *:http (LISTEN)
在浏览器中访问squid服务器,测试反向代理效果:
访问成功,说明squid反向代理没有问题。
再查看一下squid访问日志:
[root@squid etc]# squid -k rotate
[root@squid ~]# >/usr/local/squid/var/logs/access.log
[root@squid ~]# tail -f /usr/local/squid/var/logs/access.log
1477885541.844 0 192.168.49.1 TCP_IMS_HIT/304 249 GET http://192.168.49.135/lnmp.jpg - NONE/- p_w_picpath/jpeg
1477885545.966 0 192.168.49.1 TCP_IMS_HIT/304 249 GET http://192.168.49.135/lnmp.jpg - NONE/- p_w_picpath/jpeg
1477885557.249 0 192.168.49.1 TCP_IMS_HIT/304 248 GET http://192.168.49.135/php.jpg - NONE/- p_w_picpath/jpeg
1477885565.281 5 192.168.49.1 TCP_MISS/200 27189 GET http://192.168.49.135/nginx.jpg - FIRST_UP_PARENT/p_w_picpath01.contoso.com p_w_picpath/jpeg
1477885567.835 0 192.168.49.1 TCP_IMS_HIT/304 246 GET http://192.168.49.135/nginx.jpg - NONE/- p_w_picpath/jpeg
1477885568.629 0 192.168.49.1 TCP_IMS_HIT/304 246 GET http://192.168.49.135/nginx.jpg - NONE/- p_w_picpath/jpeg
1477885708.180 2 192.168.49.1 TCP_MISS/200 8157 GET http://192.168.49.135/mysql.png - FIRST_UP_PARENT/p_w_picpath01.contoso.com p_w_picpath/png
1477885710.626 0 192.168.49.1 TCP_IMS_HIT/304 245 GET http://192.168.49.135/mysql.png - NONE/- p_w_picpath/png
五、squid开启离线模式
# 在squid.conf中开启offline_mode
[root@squid etc]# echo "offline_mode on" >> squid.conf
[root@squid etc]# tail -1 squid.conf
offline_mode on
# 重启squid
[root@squid etc]# killall squid
[root@squid etc]# killall squid
[root@squid etc]# killall squid
squid: no process killed
[root@squid etc]# squid -k parse
2016/10/30 23:53:30| Processing Configuration File: /usr/local/squid/etc/squid.conf (depth 0)
2016/10/30 23:53:30| Initializing https proxy context
[root@squid etc]# squid -D
[root@squid etc]# lsof -i :80
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
squid 1230 squid 18u IPv4 11547 0t0 TCP *:http (LISTEN)
# 关闭图片服务器的httpd服务
[root@p_w_picpath01 html]# service httpd stop
Stopping httpd: [ OK ]
浏览器访问图片服务器(注意先清除浏览器缓存):
发现图片服务器已经无法访问。
再访问squid代理服务器(也需要清理浏览器缓存):
发现squid代理服务器依然能够访问,而且即使使用Ctrl+F5进行强制刷新依然能够正常访问。
查看一下日志:
1477892930.670 0 192.168.49.1 TCP_IMS_HIT/304 249 GET http://192.168.49.135/lnmp.jpg - NONE/- p_w_picpath/jpeg
1477892930.905 0 192.168.49.1 TCP_IMS_HIT/304 249 GET http://192.168.49.135/lnmp.jpg - NONE/- p_w_picpath/jpeg
1477892931.107 0 192.168.49.1 TCP_IMS_HIT/304 249 GET http://192.168.49.135/lnmp.jpg - NONE/- p_w_picpath/jpeg
1477892941.516 0 192.168.49.1 TCP_IMS_HIT/304 249 GET http://192.168.49.135/lnmp.jpg - NONE/- p_w_picpath/jpeg
1477892941.997 0 192.168.49.1 TCP_IMS_HIT/304 249 GET http://192.168.49.135/lnmp.jpg - NONE/- p_w_picpath/jpeg
1477892942.196 0 192.168.49.1 TCP_IMS_HIT/304 249 GET http://192.168.49.135/lnmp.jpg - NONE/- p_w_picpath/jpeg
1477892942.403 0 192.168.49.1 TCP_IMS_HIT/304 249 GET http://192.168.49.135/lnmp.jpg - NONE/- p_w_picpath/jpeg
1477892942.584 0 192.168.49.1 TCP_IMS_HIT/304 249 GET http://192.168.49.135/lnmp.jpg - NONE/- p_w_picpath/jpeg
1477892942.965 0 192.168.49.1 TCP_IMS_HIT/304 249 GET http://192.168.49.135/lnmp.jpg - NONE/- p_w_picpath/jpeg
1477892943.139 0 192.168.49.1 TCP_IMS_HIT/304 249 GET http://192.168.49.135/lnmp.jpg - NONE/- p_w_picpath/jpeg
发现也都是命中的状态,说明squid的离线模式生效。离线模式下squid不再向源站验证缓存对象是否过期,而是直接返回缓存内容,因此虽然能够在web服务器宕机的情况下继续提供服务,但访问到的资源不一定是最新的:一些长时间没有变化的静态内容可以使用这种设置,如果是动态内容则不建议开启该选项。