Environment
Virtual machine environment: VM
Operating system: CentOS 5.6 with two NICs; internal address 192.168.126.129, external static address 172.28.0.6
Company DNS 172.28.0.19, gateway 172.28.0.3, Shenzhen DNS 202.96.134.133 (the latter is optional)
The external address here is bridged to an address on the host machine.
PS: a single-NIC machine is configured the same way; only a few places need changing.
Squid
Version: squid-3.1.14.tar.gz
Preparation:
(1)
Run the following commands and also add them to /etc/rc.d/rc.local:
[root@centos5 ~]# echo "1024 40000" >/proc/sys/net/ipv4/ip_local_port_range
(this one can be left unchanged)
[root@centos5 ~]# echo "1" > /proc/sys/net/ipv4/ip_forward
(2)
Install the related packages with the commands below. First check with rpm -qa|grep squid whether a packaged squid is already installed; if the system has the RPM package, it is best to remove it.
[root@centos5 ~]# rpm -qa|grep squid
[root@centos5 ~]# yum -y install imake autoconf automake
This is just thorough preparation, updating the build tools so the compile does not run into problems; you can also try skipping this step.
(3) Compile and install Squid
[root@centos5 ~]# ll
总计 5380
-rw-------  1 root root    1123 07-13 19:47 anaconda-ks.cfg
drwxr-xr-x  2 root root    4096 07-13 21:26 Desktop
-rw-r--r--  1 root root   33389 07-13 19:47 install.log
-rw-r--r--  1 root root    4904 07-13 19:46 install.log.syslog
-rw-r--r--  1 root root       2 07-15 02:33 ip_forward~
-rw-r--r--  1 root root       2 07-15 02:33 ip_forwarz~
drwxr-xr-x 17 1020 1020    4096 07-14 03:04 squid-3.1.14
-rw-r--r--  1 root root 3395652 07-14 10:33 squid-3.1.14.tar.gz
drwxr-xr-x 11 1000 1000    4096 07-14 01:16 varnish-3.0.0
-rw-r--r--  1 root root 2013974 07-13 17:58 varnish-3.0.0.tar.gz
-rw-r--r--  1 root root    2602 07-12 22:30 varnish-release-3.0-1.noarch.rpm
[root@centos5 ~]# tar -zxvf squid-3.1.14.tar.gz
[root@centos5 ~]# cd squid-3.1.14
[root@centos5 ~]# ./configure --prefix=/usr/local/squid \
--enable-dlmalloc \
--enable-removal-policies=heap,lru \
--enable-default-err-language=Simplify_Chinese \
--enable-cpu-profiling --enable-storeio=ufs,aufs \
--enable-snmp \
--enable-stacktrace \
--disable-ident-lookups \
--with-large-files \
--enable-linux-netfilter \
--enable-linux-tproxy \
--disable-epoll \
--with-pthreads \
--enable-delay-pools \
--enable-icmp \
--enable-htcp \
--enable-forw-via-db \
--enable-cache-digests \
--disable-optimizations \
--disable-select \
--enable-auth-basic \
--disable-wccp \
--with-filedescriptors=65536 \
--enable-arp-acl \
--enable-icap-client
Note: --enable-linux-tproxy and --enable-linux-netfilter are the key options for transparent proxying; the netfilter support is what lets Squid recover the original destination of connections that iptables REDIRECTs to it.
[root@centos5 ~]# make && make install
(4)
Edit /usr/local/squid/etc/squid.conf so that it contains the following.
Some of these directives are not in the stock configuration file and have to be added, depending on which features you want. This is a minimal configuration: the only aim here is to show how to get the transparent proxy working.
[root@centos5 ~]# vi /usr/local/squid/etc/squid.conf
# "transparent" must be on the same line as http_port (Squid 3.1 also accepts the newer name "intercept")
http_port 192.168.126.129:8080 transparent
dns_nameservers 172.28.0.19 202.96.134.133
visible_hostname 192.168.126.129
cache_dir ufs /var/spool/squid 4000 16 256
cache_mem 400 MB
# LAN clients: 192.168.126.0/24 is the internal network from the environment description
# (the original line read 192.168.1.0/24); a.b.c.d stands for the public static IP
acl lanclient src 192.168.126.0/24 a.b.c.d/32
# the rule must use the ACL name declared above (the original had "allow net", which is undefined)
http_access allow lanclient
# cache manager address (redacted in the source)
cache_mgr [email protected]
# redirect_net is not a Squid 3.1 directive, and no url_rewrite_program is configured here,
# so the line is left commented out
# redirect_net 20
fqdncache_size 1024
cache_swap_low 60
cache_swap_high 80
maximum_object_size 20 MB
minimum_object_size 0 MB
maximum_object_size_in_memory 5 MB
access_log /usr/local/squid/var/logs/access.log
cache_log /usr/local/squid/var/logs/cache.log
cache_store_log /usr/local/squid/var/logs/store.log
ipcache_size 1024
ipcache_low 60
ipcache_high 80
cache_effective_user squid
cache_effective_group squid
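The access-control lines above are the part of squid.conf that is easiest to get wrong: an http_access rule that names an ACL which was never declared, or a rule list that does not end in an explicit deny. The following shell function is an added example, not part of the original post, that lints those two points in a squid.conf before the file reaches the proxy (squid -k parse on the box itself also reports an undefined ACL, but this check needs no Squid installed and additionally insists on a closing "deny all"). The function name and the sample configuration it runs on are constructed for this example.

```shell
#!/bin/sh
# Added example (not part of the original post): a small lint for the access-control
# part of squid.conf. It checks two things that are easy to get wrong:
#   1. every ACL name used in an http_access rule is declared with "acl <name> ...";
#   2. the final http_access rule is "deny all", so unlisted clients are refused
#      explicitly rather than by Squid's "opposite of the last rule" fallback.
# The function name and the sample config below are constructed for this example.

# lint_squid_acl <squid.conf>: prints each problem on its own line;
# returns 0 when the file is clean and 1 otherwise.
lint_squid_acl() {
    conf=$1
    problems=""
    # Declared ACL names (second field of "acl" lines) plus the built-in "all".
    declared=$(awk '$1 == "acl" { print $2 }' "$conf"; echo all)
    # Every name referenced by an http_access rule, with a leading "!" stripped.
    for name in $(awk '$1 == "http_access" { for (i = 3; i <= NF; i++) { n = $i; sub(/^!/, "", n); print n } }' "$conf" | sort -u); do
        if ! printf '%s\n' "$declared" | grep -qxF "$name"; then
            problems="${problems}undefined ACL '$name' referenced by http_access
"
        fi
    done
    # The last http_access rule decides what happens to every client not matched above.
    last=$(awk '$1 == "http_access" { r = $2 " " $3 } END { print r }' "$conf")
    if [ "$last" != "deny all" ]; then
        problems="${problems}last http_access rule is '$last', expected 'deny all'
"
    fi
    [ -z "$problems" ] && return 0
    printf '%s' "$problems"
    return 1
}

# Constructed sample: the access-control lines as the post originally wrote them
# (ACL declared as lanclient, rule written against the undefined name "net").
sample=$(mktemp)
cat > "$sample" <<'EOF'
acl lanclient src 192.168.126.0/24
http_access allow net
EOF
if lint_squid_acl "$sample"; then
    echo "access control looks consistent"
fi
rm -f "$sample"
```

Run against the sample it reports both problems; add http_access deny all after the allow rule and reference the ACL by its declared name and it exits 0.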
(5)
Create the user and group that Squid needs:
[root@centos5 ~]# useradd -s /sbin/nologin squid
(6) Create the Squid log files and set their permissions and owner
# note: log files need no execute bit and proxy logs are worth keeping private, so 640 would be sufficient
touch /usr/local/squid/var/logs/cache.log
chmod 755 /usr/local/squid/var/logs/cache.log
touch /usr/local/squid/var/logs/access.log
chmod 755 /usr/local/squid/var/logs/access.log
touch /usr/local/squid/var/logs/store.log
chmod 755 /usr/local/squid/var/logs/store.log
chown -R squid:squid /usr/local/squid/var
Note: you can put the commands above into a small shell script and run them together.
(7) Initialize the Squid cache directories with the following command. Running /usr/local/squid/sbin/squid -z prints the text below:
[root@centos5 ~]# /usr/local/squid/sbin/squid -z
2011/07/14 03:40:33| Creating Swap Directories
2011/07/14 03:40:33| /var/spool/squid exists
2011/07/14 03:40:33| Making directories in /var/spool/squid/00
2011/07/14 03:40:33| Making directories in /var/spool/squid/01
2011/07/14 03:40:33| Making directories in /var/spool/squid/02
2011/07/14 03:40:33| Making directories in /var/spool/squid/03
2011/07/14 03:40:33| Making directories in /var/spool/squid/04
2011/07/14 03:40:33| Making directories in /var/spool/squid/05
2011/07/14 03:40:33| Making directories in /var/spool/squid/06
2011/07/14 03:40:33| Making directories in /var/spool/squid/07
2011/07/14 03:40:33| Making directories in /var/spool/squid/08
2011/07/14 03:40:33| Making directories in /var/spool/squid/09
2011/07/14 03:40:33| Making directories in /var/spool/squid/0A
2011/07/14 03:40:33| Making directories in /var/spool/squid/0B
2011/07/14 03:40:33| Making directories in /var/spool/squid/0C
2011/07/14 03:40:33| Making directories in /var/spool/squid/0D
2011/07/14 03:40:33| Making directories in /var/spool/squid/0E
2011/07/14 03:40:33| Making directories in /var/spool/squid/0F
(8)
Start Squid with the following command and add it to the boot sequence:
[root@centos5 ~]# /usr/local/squid/sbin/squid -s
[root@centos5 ~]# echo "/usr/local/squid/sbin/squid -s ">>/etc/rc.d/rc.local
To stop Squid:
[root@centos5 ~]# /usr/local/squid/sbin/squid -k shutdown
(9)
Check Squid's status:
[root@centos5 ~]# lsof -i:8080
COMMAND  PID  USER   FD   TYPE DEVICE SIZE NODE NAME
squid   6550 squid   16u  IPv4  24209      TCP 192.168.126.129:squid (LISTEN)
The steps so far only give you an ordinary proxy: clients still have to configure the proxy server address and port themselves.
##################################################################################
(10) Use iptables for NAT and redirect all port-80 requests to local port 8080, which is what makes the proxy transparent.
[root@centos5 ~]# vi /usr/local/squid/squid.firewall
The script:
#!/bin/bash
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "starting iptables rules"
# flush, zero and delete all rules and user chains in the filter and nat tables
/sbin/iptables -t filter -F
/sbin/iptables -t filter -Z
/sbin/iptables -t filter -X
/sbin/iptables -t nat -F
/sbin/iptables -t nat -Z
/sbin/iptables -t nat -X
/sbin/modprobe ip_tables
/sbin/modprobe iptable_nat
/sbin/modprobe iptable_filter
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/iptables -t filter -P INPUT ACCEPT
/sbin/iptables -t filter -P OUTPUT ACCEPT
/sbin/iptables -t filter -P FORWARD ACCEPT
# rewrite the source of LAN traffic leaving the box to the external static address
/sbin/iptables -t nat -A POSTROUTING -s 192.168.126.0/24 -j SNAT --to-source 172.28.0.6
# hand LAN web traffic (port 80 only; 443 is not intercepted) to Squid's intercept port
/sbin/iptables -t nat -A PREROUTING -s 192.168.126.0/24 -p tcp --dport 80 -j REDIRECT --to-ports 8080
Run the script and add it to the boot sequence. Replace the SNAT address in the script (written a.b.c.d in the text, 172.28.0.6 in this example) with your company's public static IP:
[root@centos5 ~]# sh /usr/local/squid/squid.firewall
[root@centos5 ~]# echo "/usr/local/squid/squid.firewall ">>/etc/rc.d/rc.local
At this point squid + iptables provide a transparent proxy.
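The firewall script above does its job, but it leaves INPUT and FORWARD at ACCEPT and SNATs the whole LAN unconditionally, which turns the box into an unrestricted router and leaves the intercept port open to anything that can reach it. The script below is an added example, not the post's own squid.firewall, showing the same SNAT + REDIRECT setup with a tightened filter table. It assumes the LAN is on eth0 and the bridged external side on eth1 (hypothetical interface names); the LAN 192.168.126.0/24, SNAT address 172.28.0.6 and intercept port 8080 are the post's values. Setting IPT=echo prints the rules instead of applying them, so the rule set can be reviewed before it touches a live box.

```shell
#!/bin/sh
# Added example (not the post's own squid.firewall): the same SNAT + REDIRECT setup
# with the filter table tightened so the host proxies and routes for its own LAN only.
# Assumptions made for this example: the LAN is on eth0 and the bridged external side
# on eth1 (interface names are hypothetical); LAN 192.168.126.0/24, SNAT address
# 172.28.0.6 and intercept port 8080 come from the post. Set IPT=echo to print the
# rules instead of applying them.
IPT=${IPT:-/sbin/iptables}
LAN_IF=${LAN_IF:-eth0}
WAN_IF=${WAN_IF:-eth1}
LAN_NET=192.168.126.0/24
SNAT_IP=172.28.0.6
SQUID_PORT=8080

apply_rules() {
    # Start from empty filter and nat tables, as the original script does.
    for t in filter nat; do
        $IPT -t $t -F
        $IPT -t $t -X
        $IPT -t $t -Z
    done
    # Loopback and replies to flows the host or the LAN already opened.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # REDIRECT delivers the intercepted packets to INPUT, so the intercept port
    # must be open, but only on the LAN interface and for LAN addresses.
    $IPT -A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport $SQUID_PORT -j ACCEPT
    # Administrative SSH from the LAN (hypothetical; remove if not wanted).
    $IPT -A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 22 -j ACCEPT
    # Intercept LAN web traffic before routing. Only port 80 is intercepted;
    # HTTPS (443) is forwarded and SNATed below and never passes through Squid.
    $IPT -t nat -A PREROUTING -i $LAN_IF -s $LAN_NET -p tcp --dport 80 -j REDIRECT --to-ports $SQUID_PORT
    # Everything else from the LAN may go out of the external interface, SNATed.
    $IPT -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -m state --state NEW -j ACCEPT
    $IPT -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -j SNAT --to-source $SNAT_IP
    # Default policies last, so a live session is not cut off while rules load.
    # The original left all three at ACCEPT, which makes the host an open router.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
}

# rule_count: number of rules the script would append (dry run, nothing applied).
rule_count() {
    ( IPT=echo; apply_rules ) | grep -c -- '-A '
}

case "${1:-}" in
    apply) echo 1 > /proc/sys/net/ipv4/ip_forward; apply_rules ;;
    show)  IPT=echo; apply_rules ;;
esac
```

Run it with show to review the rules and with apply (as root) to install them. Note that port 443 still bypasses Squid under both this script and the original; intercepting HTTPS is a separate topic and not something a plain REDIRECT rule provides.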
(11) Test
Point the client's gateway at 192.168.126.129 and fill in the DNS server (172.28.0.19 here), then check whether it can browse the web.
[root@centos5 ~]# tail -f /usr/local/squid/var/logs/access.log
Check whether the log records the client's requests.
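Beyond confirming that the test client shows up, access.log is also the place to notice clients that should not be there. The function below is an added example, not part of the original post: it summarises Squid's native access.log per client address and flags any client outside the LAN, which would mean the proxy is being reached by some path other than the port-80 interception. The LAN is matched by address prefix ("192.168.126.") rather than CIDR arithmetic, a simplification for this example, and the log lines it runs on are constructed.

```shell
#!/bin/sh
# Added example (not part of the original post): a quick summary of Squid's native
# access.log after the test in step (11). It counts requests per client address and
# flags any client outside the LAN. The LAN is matched by address prefix
# ("192.168.126.") rather than CIDR arithmetic, a simplification for this example.

# access_log_clients <access.log> <lan-prefix>
# Prints "<count> <client>" per client; returns 1 if any client is outside the prefix.
access_log_clients() {
    awk -v lan="$2" '
        # native format: time elapsed client result/status bytes method URL user hier/peer type
        NF >= 7 { count[$3]++ }
        END {
            bad = 0
            for (c in count) {
                flag = (index(c, lan) == 1) ? "" : "  <-- outside LAN"
                printf "%d %s%s\n", count[c], c, flag
                if (flag != "") bad = 1
            }
            exit bad
        }' "$1"
}

# write_sample_log <path>: constructed log lines in Squid's native format, including
# one request from a non-LAN address to show the flag (addresses are made up).
write_sample_log() {
    cat > "$1" <<'EOF'
1310586033.412    245 192.168.126.10 TCP_MISS/200 5124 GET http://www.example.com/ - DIRECT/93.184.216.34 text/html
1310586034.017     12 192.168.126.10 TCP_HIT/200 2210 GET http://www.example.com/logo.png - NONE/- image/png
1310586035.903    301 192.168.126.22 TCP_MISS/304 310 GET http://www.example.com/ - DIRECT/93.184.216.34 -
1310586040.555    190 172.28.0.77 TCP_MISS/200 8840 GET http://www.example.com/ - DIRECT/93.184.216.34 text/html
EOF
}

log=$(mktemp)
write_sample_log "$log"
access_log_clients "$log" 192.168.126. || echo "warning: request seen from outside the LAN"
rm -f "$log"
```

On a real box point it at /usr/local/squid/var/logs/access.log instead of the sample; a non-zero exit is the signal to check where that client's traffic entered.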
Appendix: common debugging methods and problems encountered
1. Before starting Squid you should verify that its configuration file is correct. Run:
[root@centos5 ~]# /usr/local/squid/sbin/squid -k parse
2011/07/15 03:40:33| Processing Configuration File: /usr/local/squid/etc/squid.conf (depth 0)
2011/07/15 03:40:33| Processing: acl manager proto cache_object
2011/07/15 03:40:33| Processing: acl localhost src 127.0.0.1/32 ::1
2011/07/15 03:40:33| Processing: acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
2011/07/15 03:40:33| Processing: acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
If nothing like "error" is reported, congratulations, your configuration is correct.
2. Reconfiguring a running Squid process
Once you know more about Squid you will find yourself making many changes to squid.conf. For new settings to take effect you can stop and restart Squid, or reconfigure it while it is running.
The best way to reconfigure a running Squid is the squid -k reconfigure command:
# /usr/local/squid/sbin/squid -k reconfigure