Linux service usage (Squid proxy server)

Source: Internet
Author: User
Tags: squid, proxy

What do you do when a website is slow because its responses to visitors are slow? What if your company wants to block access to certain websites? Take a good look at the Squid proxy server.



Squid Proxy Server

Forward proxy

Install the package:

rpm -ivh squid-2.6.STABLE21-6.el5.i386.rpm

Uninstall the package:

rpm -e squid

Start the service:

service squid restart


# If startup fails, add the host name to /etc/squid.conf (vim /etc/squid.conf):

visible_hostname <host name>

(the visible_hostname directive sets the host name the proxy reports)


For details, refer to the squid Chinese guide.


netstat -anplt | grep squid

cd /etc/init.d/ (all service scripts are here)

/etc/init.d/httpd start (starts httpd)

service httpd start does the same


---------------------------------------------------------------

Main configuration file

vim /etc/squid.conf

Cache directory

cd /var/spool/squid/


------------------------

Squid components

Service name: squid

Main program: /usr/sbin/squid

Configuration directory: /etc/squid

Main configuration file: /etc/squid.conf

Listening TCP port: 3128

Default access log file: /var/log/squid/access.log

Common squid configuration options (/etc/squid.conf)

http_port 3128 (you can also listen on a single IP address only: http_port 192.168.0.1:3128)

cache_mem 64 MB # memory cache size

maximum_object_size 4096 KB # maximum size of a cached object

reply_body_max_size 1024000 allow all # limit the size of downloaded files

access_log /var/log/squid/access.log # access log file

visible_hostname proxy.test.com # visible host name

cache_dir ufs /var/spool/squid 100 16 256

ufs: the storage format of the cached data

/var/spool/squid: the cache directory

100: disk space the cache directory may occupy (MB)

16: number of first-level subdirectories in the cache space

256: number of second-level subdirectories in the cache space

cache_mgr webmaster@test.com # administrator mailbox

http_access deny all # access control
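As an added example (not from the original post or from the Squid project), the following Python check reads squid.conf-style text and flags the settings from the list above that matter most on a forward proxy: an http_access list that does not end with deny all, an "allow all" that turns the box into an open proxy for any client that can reach port 3128, an http_port that is not bound to a single address, and a missing visible_hostname or access_log. The two embedded configurations are constructed samples, and the check is a plain line inspection, not Squid's own parser.

```python
import re

# Constructed forward-proxy configuration in the spirit of the page's "Forward proxy" section,
# where http_access allow all is switched on: anyone who can reach port 3128 may use the proxy.
OPEN_CONF = """
http_port 3128
cache_mem 64 MB
access_log /var/log/squid/access.log
http_access allow all
"""

# The same proxy limited to one LAN and closed with the page's http_access deny all.
CLOSED_CONF = """
http_port 192.168.0.1:3128
visible_hostname proxy.test.com
cache_mem 64 MB
access_log /var/log/squid/access.log
acl lan src 192.168.0.0/24
acl all src 0.0.0.0/0.0.0.0
http_access allow lan
http_access deny all
"""


def parse_directives(text):
    """Return (directive, [arguments]) pairs, skipping blank lines and # comments."""
    directives = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if parts:
            directives.append((parts[0], parts[1:]))
    return directives


def audit(text):
    """Flag settings that leave a forward proxy open, unbound or unlogged."""
    directives = parse_directives(text)
    names = {name for name, _ in directives}
    rules = [args for name, args in directives if name == "http_access"]
    findings = []
    if not rules or rules[-1] != ["deny", "all"]:
        findings.append("http_access list does not end with 'deny all'; unmatched requests fall through")
    if ["allow", "all"] in rules:
        findings.append("'http_access allow all' makes this an open proxy for any client that can reach it")
    for name, args in directives:
        # an http_port without an address binds every interface, including the Internet-facing one
        if name == "http_port" and args and not re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}:\d+", args[0]):
            findings.append(f"http_port {args[0]} listens on every interface; bind it to the intranet address")
    if "visible_hostname" not in names:
        findings.append("visible_hostname is not set; the page notes startup can fail without it")
    if "access_log" not in names:
        findings.append("no access_log directive; proxy use is not recorded")
    return findings
```

Running audit(OPEN_CONF) reports four findings, while audit(CLOSED_CONF) reports none; the check can be run against a real /etc/squid.conf by passing the file contents to audit().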


-----------------------------

Forward proxy server

vim /etc/squid.conf

http_port 3128

# access_log /var/log/squid/access.log

http_access allow all (set this to allow)

The host uses two addresses, one for the Internet and the other for the intranet; http_access allow all lets every client use the proxy.

On a client on the intranet, set the proxy in the browser under Edit > Preferences > Advanced > Network > Settings, entering the proxy's intranet IP address, which the client then uses to access the Internet.


---------------------

Transparent proxy

Configuration of the transparent proxy cache server:

A. Edit /etc/squid.conf (vim /etc/squid.conf):

http_port 3128 transparent

B. Add the iptables rule:

iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 3128

Client

View the routes:

route -n

Add a default gateway route:

route add default gw 192.168.1.2


----------------------------

Access control (also for the transparent proxy): a leading ! negates a list, and http_access rules are matched in order, so the first rule that matches decides.

Define an acl list:

acl <list name> <list type> <list content> ...

Restrict with the acl list:

http_access allow|deny <list name> ...



Reject an IP address

acl dy_ip src 192.168.1.103/32

http_access deny dy_ip

Reject a CIDR block

acl dy_ip src 192.168.1.0/24

acl dy_ip src 192.168.1.0/24 192.168.10.0/24

acl dy_ip src 192.168.1.0-192.168.10.0/24

http_access deny dy_ip

---------------


Deny access from the IP addresses listed in a file

acl guests src "/etc/squid/guests"

http_access deny guests

Content of /etc/squid/guests (one address per line):

192.168.1.131


----------------

Reject a port number

acl d_p port 80

acl d_p port 1-1024

http_access deny d_p



-----------------


Allow hosts in the uplooking.com domain to access the local proxy server (the domain name is actually resolved to IP addresses, so this is really a restriction on IP addresses):

acl permitted_domain src uplooking.com

http_access allow permitted_domain

------------------


Deny access to a website

acl B dstdomain www.squid-cache.org

http_access deny B


--------------


Service (protocol)

acl FTP proto FTP

http_access deny FTP


Time

Code  Day

S     Sunday

M     Monday

T     Tuesday

W     Wednesday

H     Thursday

F     Friday

A     Saturday

D     All weekdays (Monday to Friday)


If a time range spans midnight, split it into two ACLs, or use negation to define the non-busy hours. For example:

acl Offpeak1-

acl Offpeak2-

http_access allow Offpeak1 ...

http_access allow Offpeak2 ...

acl Peak-

http_access allow !Peak ...


Multiple day and time ranges belong in the same time ACL but must be written on separate lines. For example, if you enter acl Blah time M- W-, what actually takes effect is acl Blah time MW-, because the parser only uses the last time range on a line.

The correct method is to write them on two lines:

acl Blah time M-

acl Blah time W-


Control access to URLs containing the string "sexy"

acl deny_url url_regex -i sexy

http_access deny deny_url

Reject URLs ending in certain strings

acl RealFile urlpath_regex -i \.rmvb$ \.rm$

http_access deny RealFile

Worked example

acl kaixin_net dstdomain .kaixin.com

acl adv_net src 192.168.0.2-192.168.0.20/255.255.255.255 # defines a range of IP addresses

acl mynetwork src 192.168.0.0/24

acl kaixin_time time MTWHF-

acl all src 0.0.0.0/0.0.0.0

http_access allow adv_net kaixin_time kaixin_net

http_access deny mynetwork kaixin_time kaixin_net

http_access allow all



Exercise

Allow all clients in the network segments 10.0.0.124/24 and 192.168.10.15/24 to access the proxy server, and also allow the clients listed in the file /etc/squid/guest to access it. All other clients are denied access to the local proxy server:

acl a src 10.0.0.124/24 192.168.10.15/24

acl B src "/etc/squid/guest"

http_access allow a

http_access allow B

http_access deny all


Allow the two domains job.net and gdfq.edu.cn to access the local proxy server, and deny access to all other domains:

acl a src job.net gdfq.edu.cn

http_access allow a

http_access deny all



Deny clients access through the proxy server to the websites whose IP addresses or domain names are listed in files: /etc/squid/deny_ip holds the IP addresses to which access is denied, and /etc/squid/deny_dns holds the domain names to which access is denied:

touch /etc/squid/deny_ip

touch /etc/squid/deny_dns

acl aa dst "/etc/squid/deny_ip"

acl bb dstdomain "/etc/squid/deny_dns"

http_access deny aa

http_access deny bb

Allow all users to access the proxy server within the specified time period (from 8:30, Monday to Thursday), allow only specific users (the system administrators, CIDR block 192.168.10.0/24) to access the proxy server on Friday afternoon, and deny everyone else access to the proxy server from 1 p.m. to 6 p.m. on Friday:

acl a time MTWH 8:30-

acl B src 192.168.10.0/24

acl c time F 13:00-18:

http_access allow a

http_access allow c B

http_access deny all
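The acl and http_access semantics used from the access-control section through these exercises (the first matching http_access line wins, every list named on one line must match, a leading ! negates a list, and a quoted file name supplies one entry per line) are easy to get wrong, which is why two lists that should each grant access belong on separate http_access lines. The following Python model is an added example, not part of the original post or of Squid itself: it evaluates a policy over constructed requests so a rule set can be checked before it goes onto a proxy. It supports the src, dst, dstdomain, port and time list types from this page; the sample policy follows the kaixin example above, and the 09:00-18:00 time range and the contents of the guests file are assumptions, since the page leaves the range blank.

```python
import ipaddress
from datetime import datetime
from urllib.parse import urlsplit

# Squid's time-list day letters mapped to datetime.weekday() (Monday = 0); D means every weekday.
DAY_CODES = {"M": 0, "T": 1, "W": 2, "H": 3, "F": 4, "A": 5, "S": 6}

def _masked(addr, mask):
    """addr as an integer with the netmask (prefix length or dotted form) applied."""
    net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    return int(ipaddress.ip_address(addr)) & int(net.netmask)

def match_src(values, ip):
    """src/dst list: plain IP, CIDR or dotted netmask, or an addr1-addr2[/mask] range."""
    for v in values:
        if "-" in v:
            lo, hi = v.split("-", 1)
            hi, mask = (hi.split("/") + ["32"])[:2]
            if _masked(lo, mask) <= _masked(ip, mask) <= _masked(hi, mask):
                return True
        elif ipaddress.ip_address(ip) in ipaddress.ip_network(v, strict=False):
            return True
    return False

def match_dstdomain(values, host):
    """dstdomain list: a leading dot matches the domain itself and all of its subdomains."""
    host = host.lower()
    return any(host == v.lstrip(".") or (v.startswith(".") and host.endswith(v))
               for v in map(str.lower, values))

def match_port(values, port):
    """port list: a single port or a lo-hi range."""
    return any(int(lo) <= port <= int(hi or lo) for lo, _, hi in (v.partition("-") for v in values))

def match_time(values, when):
    """time list: day letters plus h1:m1-h2:m2; only the last range on the line is kept."""
    days = {d for v in values if ":" not in v for ch in v
            for d in ({0, 1, 2, 3, 4} if ch == "D" else {DAY_CODES[ch]})}
    spans = [v for v in values if ":" in v]
    if days and when.weekday() not in days:
        return False
    if not spans:
        return True
    start, end = (int(h) * 60 + int(m) for h, m in (t.split(":") for t in spans[-1].split("-")))
    return start <= when.hour * 60 + when.minute <= end

# list type -> matcher; request() below keys its fields by list type as well
MATCHERS = {"src": match_src, "dst": match_src, "dstdomain": match_dstdomain, "port": match_port, "time": match_time}

class SquidPolicy:
    """Minimal model of Squid's acl / http_access evaluation, constructed for illustration."""

    def __init__(self, config_text, files=None):
        files = files or {}              # stands in for the "/etc/squid/..." list files
        self.acls, self.rules = {}, []
        for raw in config_text.splitlines():
            parts = raw.split("#", 1)[0].split()
            if parts and parts[0] == "acl":
                name, kind, vals = parts[1], parts[2], parts[3:]
                # a value in double quotes names a file holding one entry per line
                vals = [e for v in vals for e in (files[v.strip('"')].split() if v.startswith('"') else [v])]
                self.acls.setdefault(name, (kind, []))[1].extend(vals)
            elif parts and parts[0] == "http_access":
                self.rules.append((parts[1], [(t.startswith("!"), t.lstrip("!")) for t in parts[2:]]))

    def _matches(self, name, req):
        kind, vals = self.acls[name]
        return MATCHERS[kind](vals, req[kind])

    def decide(self, req):
        """First matching line wins; all lists on it must match ('!' negates); no match: opposite of the last line."""
        for action, terms in self.rules:
            if all(self._matches(name, req) != neg for neg, name in terms):
                return action
        return "deny" if not self.rules or self.rules[-1][0] == "allow" else "allow"

def request(src, url, when, dst="0.0.0.0"):
    """Collect the request fields the list types above inspect, keyed by list type."""
    u = urlsplit(url)
    return {"src": src, "dst": dst, "dstdomain": u.hostname, "port": u.port or 80, "time": when}

# Constructed sample policy after the page's kaixin example; the 09:00-18:00 range and the
# guests file contents are assumptions, since the page leaves the range blank.
SAMPLE_CONF = """acl kaixin_net dstdomain .kaixin.com
acl adv_net src 192.168.0.2-192.168.0.20/255.255.255.255
acl mynetwork src 192.168.0.0/24
acl kaixin_time time MTWHF 09:00-18:00
acl guests src "/etc/squid/guests"
acl all src 0.0.0.0/0.0.0.0
http_access deny guests
http_access allow adv_net kaixin_time kaixin_net
http_access deny mynetwork kaixin_time kaixin_net
http_access allow all
"""
SAMPLE_FILES = {"/etc/squid/guests": "192.168.1.131\n"}

def decide_sample(src, url, when_iso):
    """Evaluate one request against the sample policy; when_iso looks like '2024-01-10T10:00'."""
    when = datetime.fromisoformat(when_iso)
    return SquidPolicy(SAMPLE_CONF, SAMPLE_FILES).decide(request(src, url, when))
```

With the sample policy, decide_sample("192.168.0.5", "http://www.kaixin.com/", "2024-01-10T10:00") returns "allow" (the address is in adv_net on a Wednesday inside the range), while the same request from 192.168.0.50 returns "deny" because the mynetwork line matches first; outside working hours or on a Saturday the kaixin_time list fails and the request falls through to allow all. The model also reproduces Squid's fall-through rule: a policy whose last line is an allow denies anything no line matched.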


---------------------------------------------------------------------------

Configuration process

http_port 80

cache_peer 192.168.1.105 parent 8888 0 originserver

Syntax: cache_peer <web server address> <server type> <http port> <icp port> [options]

cache_peer specifies the location of the real web server.

The server type corresponds to the cache level of the target host; an upstream web host is normally given the "parent" type.

The icp port is used to talk to a neighbouring ICP (Internet Cache Protocol) cache server, which is usually another Squid host.

originserver indicates that the server is the origin host that provides the web service.

weight=n sets the priority weight of the server; n is an integer, and a higher number means higher priority (the default is 1).

max-conn=n specifies the maximum number of connections from the reverse proxy host to the web server.




Squid reverse proxy: one-to-many web server load balancing

                                                      +--- 192.168.0.2
                                                      |
client --- squid server (1.1.1.1 / 192.168.0.254) ---+--- 192.168.0.3
                                                      |
                                                      +--- 192.168.0.4

The Squid server has two IP addresses: 1.1.1.1 and 192.168.0.254.

The three web servers 192.168.0.2, 192.168.0.3 and 192.168.0.4 must serve the same page content. You can share the content over NFS and mount it on /var/www/html.

In the configuration file, change the cache_peer line of the one-to-one reverse proxy as follows:

cache_peer 192.168.0.2 parent 8888 0 round-robin

cache_peer 192.168.0.3 parent 8888 0 round-robin

cache_peer 192.168.0.4 parent 8888 0 round-robin




-------------------------------------------------------------------


Configure the reverse proxy cache server

One-to-one

Squid server

Configuration file: /etc/squid.conf

http_port 80 vhost (port changed to 80)

# cache_peer

cache_peer 192.168.1.12 parent 80 0 originserver (added)

tail -f /var/log/squid/access.log shows the addresses that access you.


-------------------------


One-to-many (Apache)

Reverse proxy

Configuration file: /etc/squid.conf

http_port 80 vhost (port changed to 80)

# cache_peer

cache_peer 192.168.1.157 parent 80 0 round-robin

cache_peer 192.168.1.113 parent 80 0 round-robin

cache_peer 192.168.1.111 parent 80 0 round-robin








This article is from the "history_xcy" blog; please keep this link: http://historys.blog.51cto.com/7903899/1296677
