Squid透明代理安装与配置

1,首先从 http://www.squid-cache.org 下载最新版 squid-2.6.STABLE10-20070315.tar.gz

2,解压配置编译参数:

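# Build-time options for Squid 2.6. The option comments are kept above the
# command: a comment may not follow the "\" continuation on the same line
# (the backslash then escapes a space instead of the newline and the command
# ends there), and the last five options were also missing their "\".
#
#   --prefix=/usr/local/squid        install directory
#   --mandir=/usr/share/man          man page directory
#   --enable-async-io=20             async I/O threads; raise under heavy load
#   --disable-icmp                   no ICMP (pinger) support
#   --enable-delay-pools             bandwidth limiting via delay pools
#   --enable-cache-digests           cache digests, faster peer lookups (clusters)
#   --enable-snmp                    SNMP support (e.g. MRTG traffic graphs);
#                                    if snmp_port is enabled in squid.conf,
#                                    restrict it with snmp_access
#   --disable-ident-lookups          no RFC931 ident lookups
#   --enable-epoll                   epoll I/O model, needs a 2.6+ kernel
#   --enable-basic-auth-helpers      NCSA-style user/password file auth.
#                                    NOTE: proxy authentication cannot be applied
#                                    to intercepted (transparent) traffic, and
#                                    the squid.conf below does not use it
#   --enable-linux-netfilter         transparent proxying via netfilter
#   --enable-arp-acl                 ACLs on client MAC address
#   --enable-err-language            language of the error pages
#   --enable-default-err-language    default error-page language
./configure \
  --prefix=/usr/local/squid \
  --mandir=/usr/share/man \
  --enable-async-io=20 \
  --disable-icmp \
  --enable-delay-pools \
  --enable-cache-digests \
  --enable-snmp \
  --disable-ident-lookups \
  --enable-epoll \
  --enable-basic-auth-helpers="NCSA" \
  --enable-linux-netfilter \
  --enable-arp-acl \
  --enable-err-language="Simplify_Chinese" \
  --enable-default-err-language="Simplify_Chinese"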

3,编译安装:
# Build and install under the --prefix chosen above (/usr/local/squid).
make && make install


4,添加squid启动用户和组:
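# Unprivileged account Squid switches to (cache_effective_user in squid.conf);
# no login shell.
groupadd squid
useradd -g squid -s /sbin/nologin squid

# Cache directory named by cache_dir in squid.conf. Use the absolute path so the
# command does not depend on the current directory (the original "mkdir
# var/cache" only worked from inside /usr/local/squid).
mkdir -p /usr/local/squid/var/cache /usr/local/squid/var/logs
# Give the squid user only the directories it has to write: cache and logs.
# Owning the whole prefix (binaries and config included) would let a
# compromised proxy process rewrite its own configuration or executables.
chown -R squid:squid /usr/local/squid/var/cache /usr/local/squid/var/logs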

5,配置squid.conf

首先生成干净的配置文件:
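# Run in the directory holding squid.conf. Keep the original as a backup and
# write a copy without comment lines and blank lines. Match only lines that
# *start* with "#": the original 'grep -v "#"' dropped every line containing a
# "#" anywhere, which can strip live directives as well.
mv squid.conf squid.conf.bak
grep -v '^[[:space:]]*#' squid.conf.bak | grep -v '^[[:space:]]*$' > squid.conf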

# Listening address and port. Bind to the LAN address when used as a proxy;
# "transparent" enables handling of intercepted traffic (see the iptables
# REDIRECT rule further down).
http_port 192.168.1.253:3128 transparent

# Hostname shown to clients
visible_hostname ProxyServer

# Administrator contact. visible_hostname and cache_mgr are both displayed on
# Squid's error pages.
cache_mgr [email protected]

# Memory for in-transit and hot objects; swap low/high watermarks in percent
cache_mem 32MB
cache_swap_low 90
cache_swap_high 95

# Largest object that will be stored in the cache
maximum_object_size 4096 KB
# On-disk cache: ufs store, 200 MB, 16 first-level and 256 second-level dirs
cache_dir ufs /usr/local/squid/var/cache 200 16 256

# Content that is never cached
# NOTE(review): hierarchy_stoplist takes plain substrings, so the "-i" and the
# regex on the second line are presumably matched literally — verify.
hierarchy_stoplist cgi-bin ?
hierarchy_stoplist -i ^https:\\ ?
acl QUERY urlpath_regex -i cgi-bin \? \.asp \.php \.jsp \.cgi
# NOTE(review): urlpath_regex matches only the path part of the URL, which
# never begins with "https:", so this ACL likely never matches. With only
# TCP/80 redirected to the proxy, HTTPS traffic does not reach Squid anyway.
acl denyssl urlpath_regex -i ^https:\\
no_cache deny QUERY
no_cache deny denyssl

# IP / FQDN cache sizes and watermarks
ipcache_size 1024
ipcache_low 90
ipcache_high 95
fqdncache_size 1024


# Logging: access.log in Squid's native format, cache.log for daemon
# diagnostics; the per-object store.log is disabled
access_log /usr/local/squid/var/logs/access.log squid
cache_log /usr/local/squid/var/logs/cache.log
#cache_store_log /usr/local/squid/var/logs/store.log
cache_store_log none

# DNS resolvers used by Squid
dns_nameservers 202.96.128.86 61.144.56.101

# Unprivileged user Squid switches to after binding its ports
cache_effective_user squid squid

# ACL definitions

# sexurl.txt: one keyword per line; a site is matched by a substring of its
# URL, e.g. "sina" for www.sina.com. Since url_regex matches anywhere in the
# URL, short keywords also match unrelated URLs that contain them.
# maclist.txt: one MAC address per line of the hosts allowed to browse,
# e.g. 00:50:56:C0:00:08

acl all src 0.0.0.0/0.0.0.0                             # every source address
acl allow_lan src 192.168.1.0/24                        # the LAN allowed to use the proxy
acl sexurl url_regex "/usr/local/squid/sexurl.txt"      # adult-site filter list
acl virurl url_regex "/usr/local/squid/virurl.txt"      # malware-site filter list

#acl allowedmac arp "/etc/squid/maclist.txt"


# Access policy: evaluated in order, first match wins
http_access deny sexurl                                 # block listed adult sites
http_access deny virurl                                 # block listed malware sites
http_access allow allow_lan                             # allow LAN clients
http_access deny all                                    # default: deny everything else
# NOTE(review): the cache-manager interface (the "mgr:" queries used with
# squidclient below) is not restricted here. Squid's stock config carries
# "acl manager proto cache_object" with "http_access allow manager localhost"
# and "http_access deny manager"; without them any allow_lan host can read
# manager output. Consider limiting it to the admin host and setting
# cachemgr_passwd.

#http_access allow allowedmac


# Cacheable file names (section left empty in the original)


5,运行SQUID:
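# Absolute paths so the commands work from any directory (the original
# sbin/... and bin/... were relative to /usr/local/squid).
# Create the cache_dir swap directories; run once before the first start.
/usr/local/squid/sbin/squid -z
# Then choose ONE way to start the proxy:
/usr/local/squid/sbin/squid -NCd1   # foreground, debug output (-d1) on stderr
/usr/local/squid/sbin/squid         # plain daemon start
/usr/local/squid/bin/RunCache &     # keep running continuously (RunCache
                                    # presumably restarts squid when it exits;
                                    # see the script)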

启动步骤:
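# Start sequence: create the swap directories, then run in the foreground.
# -N: no daemon, -s: log to syslog as well, -Y: fast-reload ICP behaviour,
# -D: skip the start-up DNS test (see the FAQ below).
# The config file is passed with -f; as a bare positional argument it is
# probably ignored. The page uses conf/; with --prefix=/usr/local/squid the
# default location is etc/squid.conf — check where make install put it.
squid -z
squid -NsYD -f /usr/local/squid/conf/squid.conf > squid.out 2>&1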

监控缓冲日志:
# Follow the access log live (the "squid" native format set by access_log)
tail -f /usr/local/squid/var/logs/access.log

------------------------------------------------------------------------------------------
6,操作系统优化:

(1)加大系统的文件描述符限制:
# Show the current (soft) open-file limit of this shell
ulimit -n
默认为1024增大为65536:
# Raises the limit for this shell only; Squid inherits it when started from
# here. Make it permanent in the start script (RunCache) or in the system's
# limits.conf, otherwise a reboot or a start from another shell loses it.
ulimit -n 65536

查看所有的系统限制:
# List every resource limit of this shell
ulimit -a

(2)加速回收TIME_WAIT的sockets:

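# Show the current TIME_WAIT related settings
sysctl -a | grep net.ipv4.tcp_tw

sysctl -w net.ipv4.tcp_tw_reuse=1
# The original had a space before "=" ("tcp_tw_recycle =1"), which sysctl
# rejects. NOTE: tcp_tw_recycle breaks connections from clients behind NAT
# and was removed in later kernels; on a box that also does NAT (step (4)
# below) consider leaving it at 0. These settings are not persistent across
# reboots.
sysctl -w net.ipv4.tcp_tw_recycle=1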

(3)加大临时端口的范围(默认是1024-4999):

# Ephemeral port range, written directly to procfs (lost at reboot)
echo "1024 40000" > /proc/sys/net/ipv4/ip_local_port_range

(4)如果还做NAT的话,增加NAT表的限制:
# Connection-tracking table size for NAT, written directly to procfs (lost at
# reboot); on newer kernels the knob is nf_conntrack_max instead
echo "65535" > /proc/sys/net/ipv4/ip_conntrack_max

----------------------------------------------------------------------------------
7,squidclient使用简介:

查看帮助:./squidclient -h 192.168.1.123 -p 3128 mgr:
/usr/local/squid/squidclient
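# Cache-manager queries. Comments use "#": the original "//..." text was not a
# shell comment and was passed to squidclient as an extra argument.
squidclient -h 192.168.1.123 -p 3128 mgr:client_list   # list connected clients
squidclient -h 192.168.1.123 -p 3128 mgr:objects       # list cached objects
squidclient -h 192.168.1.123 -p 3128 mgr:info          # runtime status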

经验技巧:打开一个网址,访问一下,看看有没有Cache到
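# Check whether a site was cached: list cached objects and keep the GET entries
# for the site. -F matches the name literally (a bare "xxx.com" would let "."
# match any character); replace xxx.com with the site you visited.
squidclient -h 192.168.1.123 -p 3128 mgr:objects | grep GET | grep -F -- 'xxx.com'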

统计cache到的总数哈:
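# Count cached GET objects (grep -c instead of grep | wc -l)
squidclient -h 192.168.1.123 -p 3128 mgr:objects | grep -c GET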


---------------------------------------------------------
透明代理:
# Intercept LAN web traffic: TCP port 80 arriving on eth0 from 192.168.1.0/24
# is redirected to Squid's port 3128. REDIRECT delivers to the primary address
# of the receiving interface, so http_port must be bound to that address.
# Only port 80 is intercepted: HTTPS and other ports bypass the proxy and so
# also bypass the URL filters in squid.conf. Rules added this way are lost at
# reboot; persist them with iptables-save or the distribution's service.
iptables -t nat -A PREROUTING -i eth0 -p tcp -s 192.168.1.0/24 --dport 80 -j REDIRECT --to-ports 3128


-----------------------------------------------------------------------------------
错误FAQ:

FATAL: ipcache_init: DNS name lookup tests failed.

有3种方法解决这个问题
1。配置正确的DNS
2。修改squid.conf
      加入 dns_nameservers   dns-ip(你的dns服务器ip)
3。启动的时候加参数-D ,忽略DNS test
      但是请保证能解析到你所要cache的内容的url。(使用hosts 绑定)
   vi /usr/local/squid/bin/RunCache   (bin 是目录,要修改的是其中的启动脚本)
   把squid -NsY修改成squid -NsYD
------------------------
squid透明代理配置文件:

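# Transparent-proxy squid.conf (variant bound to 192.168.1.123)
http_port 192.168.1.123:3128 transparent
visible_hostname ProxyServer

# Disable caching of dynamic content and HTTPS URLs
# NOTE(review): hierarchy_stoplist takes plain substrings, so "-i" and the
# regex on the second line are presumably matched literally; and urlpath_regex
# only sees the path, which never starts with "https:", so denyssl likely
# never matches. Only TCP/80 is redirected to the proxy anyway.
hierarchy_stoplist cgi-bin ?
hierarchy_stoplist -i ^https:\\ ?
acl QUERY urlpath_regex -i cgi-bin \? \.asp \.php \.jsp \.cgi
acl denyssl urlpath_regex -i ^https:\\
no_cache deny QUERY
no_cache deny denyssl

cache_mgr [email protected]
cache_mem 48 MB
cache_swap_low 90
cache_swap_high 95
maximum_object_size 4096 KB

cache_dir ufs /usr/local/squid/var/cache 200 16 256
access_log /usr/local/squid/var/logs/access.log squid
#access_log none
# NOTE(review): cache.log is Squid's diagnostic log (start-up errors, ACL
# parse errors, crashes); turning it off leaves nothing to troubleshoot or
# investigate with. Keeping the file (commented line above) is the safer
# choice; also confirm that "none" is accepted for cache_log in this version.
#cache_log /usr/local/squid/var/logs/cache.log
cache_log none
#cache_store_log /usr/local/squid/var/logs/store.log
cache_store_log none

ipcache_size 1024
ipcache_low 90
ipcache_high 95
fqdncache_size 1024

dns_nameservers 202.96.128.86 61.144.56.101
cache_effective_user squid squid

acl allow_lan src 192.168.1.0/24
#acl badurl url_regex "/usr/local/squid/sexurl.txt"
acl all src 0.0.0.0/0.0.0.0

#http_access deny badurl
http_access allow allow_lan
# Explicit default: anything not matched above is denied. Without this line
# Squid falls back to the opposite of the last rule — deny here only because
# the last rule is an allow — and the outcome should not depend on ordering.
# NOTE(review): the cache-manager interface ("mgr:" queries) is reachable by
# every allow_lan host; Squid's stock "acl manager proto cache_object" /
# "http_access deny manager" lines are absent. Consider restricting it to the
# admin host and setting cachemgr_passwd.
http_access deny all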
