Squid正向代理

简介

正向代理语义上更侧重于,让代理服务器去帮忙请求某个网址。让代理服务器去帮忙访问qq,baidu这些网站等。
在这里有两个特征。
1、被访问的服务器(qq、baidu)只知道是代理服务器请求的,而不知道是你请求的;
2、你可以明确知道你要请求的真实服务器(qq、baidu)
3、客户端必须在浏览器设置代理服务器的地址和端口。(设置之后,意思就是说只要在这个浏览器上输入的网址,统统都丢给代理服务器去帮忙访问)

安装

yum install -y squid

配置

vim /etc/squid/squid.conf
#
# Recommended minimum configuration:
#
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

#
# Recommended minimum Access Permission configuration:
#
# Only allow cachemgr access from localhost
#
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager

# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost

# And finally deny all other access to this proxy
#http_access deny all

http_access allow all
cache_dir aufs /data/cache  1024 16 256
cache_mem 512 MB
hierarchy_stoplist cgi-bin ?
# Squid normally listens to port 3128
http_port 3128

# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/spool/squid 100 16 256

# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid

# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320

这里我主要改变了以下几行

http_access allow all
cache_dir aufs /data/cache  1024 16 256
cache_mem 512 MB
hierarchy_stoplist cgi-bin ?

将缓存的目录改变到
/data/cache
所以我们要来创建/缓存目录

mkdir -p /data/cache

chown -R squid:squid /data/cache

初始化缓存目录

squid -z

检测配置文件是否有语法错误

squid -k check
squid: ERROR: No running copy

这是说 squid 还未启动,没有关系

service squid start

我在启动的时候一直出错无法启动,查看日志后发现

/data/cache/swap.state: (13) Permission denied
FATAL: commonUfsDirOpenSwapLog: Failed to open swap log.
Squid Cache (Version 3.1.23): Terminated abnormally.

但是我明明已经给squid授权了呀!
后来才发现自己的selinux没有关闭

setenforce=0

vim /etc/selinux/config

selinux=disabled

再次启动服务,成功启动

测试

curl -x 127.0.0.1:3128 http://www.baidu.com -I

成功返回网页,成功!

设置白名单

如果我们只想代理某几个域名
vim /etc/squid/squid.conf
在acl CONNECT method CONNECT下面加入

acl http proto HTTP
acl good_domain dstdomain .hpe.com .hpelinux.com
http_access allow http good_domain
http_access deny http !good_domain

重启squid
service squid restart

再次代理访问百度

curl -x 127.0.0.1:3128 http://www.baidu.com -I

不能成功返回,应该是403禁止访问

设置黑名单

道理和设置白名单相同
vim /etc/squid/squid.conf
在acl CONNECT method CONNECT下面加入

acl http proto HTTP
acl bad_domain dstdomain .sina.com .sohu.com
http_access allow http !bad_domain
http_access deny http bad_domain

重启squid

service squid restart

再次代理访问百度

curl -x 127.0.0.1:3128 http://www.baidu.com -I

可以访问,成功返回200

代理访问新浪

curl -x 127.0.0.1:3128 http://www.sina.com -I

访问出错,403禁止访问

你可能感兴趣的:(Squid正向代理)