What if a website is slow because responses to visitors are slow? What if your company wants to block access to some websites? Take a good look at the Squid proxy server.
Squid Proxy Server
Forward proxy
Install the package
rpm -ivh squid-2.6.STABLE21-6.el5.i386.rpm
Uninstall the package
rpm -e squid
Start the service
service squid restart
# If startup fails, add a host name to /etc/squid.conf (vim /etc/squid.conf):
visible_hostname <host name>
For details, refer to the Squid Chinese guide.
netstat -anplt | grep squid
cd /etc/init.d/   (all service scripts live here)
/etc/init.d/httpd start   starts httpd
service httpd start   does the same thing
---------------------------------------------------------------
Main configuration file
vim /etc/squid.conf
Cache directory
cd /var/spool/squid/
------------------------
Squid components
Service name: squid
Main program: /usr/sbin/squid
Configuration directory: /etc/squid
Main configuration file: /etc/squid.conf
Listening TCP port: 3128
Default access log file: /var/log/squid/access.log
Common Squid configuration options (/etc/squid.conf)
http_port 3128   (to listen on a single IP address only: http_port 192.168.0.1:3128)
cache_mem 64 MB   # memory cache size
maximum_object_size 4096 KB   # largest object that will be cached
reply_body_max_size 1024000 allow all   # limit the size of downloaded files
access_log /var/log/squid/access.log   # access log file
visible_hostname proxy.test.com   # visible host name
cache_dir ufs /var/spool/squid 100 16 256
ufs: storage format of the cached data
/var/spool/squid: cache directory
100: disk space the cache directory may use (MB)
16: number of first-level subdirectories in the cache space
256: number of second-level subdirectories in the cache space
cache_mgr webmaster@test.com   # administrator mailbox
http_access deny all   # access control
-----------------------------
Forward proxy server
vim /etc/squid.conf
http_port 3128
# access_log /var/log/squid/access.log
http_access allow all   # set this to allow
The proxy host has two addresses, one facing the Internet and one facing the intranet; with http_access allow all, intranet clients are let through.
On the client, point the browser at the proxy's intranet address (in Firefox: Edit > Preferences > Advanced > Network > Settings) and browse; that intranet address is what the client uses to reach the Internet.
---------------------
Transparent proxy
Transparent proxy cache server configuration:
vim /etc/squid.conf
a. http_port 3128 transparent
b. Add an iptables rule:
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 3128
Client
View the routing table
route -n
Add a default gateway
route add default gw 192.168.1.2
----------------------------
Transparent proxy access control. A "!" in front of a list name negates the match; http_access lines are checked in order, and the first line that matches decides.
Define an acl list
acl <list name> <list type> <list content> ...
Restrict by acl list
http_access allow|deny <list name> ...
Reject an IP address
acl dy_ip src 192.168.1.103/32
http_access deny dy_ip
Reject a network block
acl dy_ip src 192.168.1.0/24
acl dy_ip src 192.168.1.0/24 192.168.10.0/24
acl dy_ip src 192.168.1.0-192.168.10.0/24
http_access deny dy_ip
---------------
Deny access from IP addresses listed in a file
acl guests src "/etc/squid/guests"
http_access deny guests
Content of /etc/squid/guests:
192.168.1.131
----------------
Reject port numbers
acl d_p port 80
acl d_p port 1-1024
http_access deny d_p
-----------------
Allow clients in a domain to use the local proxy server (uplooking.com is resolved to IP addresses, so the restriction is really on those IP addresses)
acl permitted_domain src uplooking.com
http_access allow permitted_domain
------------------
Deny access to a website
acl B dstdomain www.squid-cache.org
http_access deny B
--------------
Service (protocol)
acl FTP proto FTP
http_access deny FTP
Time
Code  Day
S     Sunday
M     Monday (1)
T     Tuesday (2)
W     Wednesday (3)
H     Thursday (4)
F     Friday (5)
A     Saturday (6)
D     All weekdays
If a time span crosses midnight, split it into two ACLs, or use negation and define the busy hours instead. For example:
acl Offpeak1 time -
acl Offpeak2 time -
http_access allow Offpeak1 ...
http_access allow Offpeak2 ...
acl Peak time -
http_access allow !Peak ...
Several day/time ranges for the same time ACL must be given on separate lines. If you write "acl Blah time M- W-" on one line, Squid treats it as "acl Blah time MW-" and only the last time range is used.
The correct way is to write two lines:
acl Blah time M-
acl Blah time W-
Deny URLs containing the field "sexy"
acl deny_url url_regex -i sexy
http_access deny deny_url
Deny URLs ending in certain suffixes
acl RealFile urlpath_regex -i \.rmvb$ \.rm$
http_access deny RealFile
Example
acl kaixin_net dstdomain .kaixin.com
acl adv_net src 192.168.0.2-192.168.0.20/255.255.255.255   # defines an IP address range
acl mynetwork src 192.168.0.0/24
acl kaixin_time time MTWHF -
acl all src 0.0.0.0/0.0.0.0
http_access allow adv_net kaixin_time kaixin_net
http_access deny mynetwork kaixin_time kaixin_net
http_access allow all
Read in order: during kaixin_time, adv_net may reach kaixin.com, the rest of mynetwork is denied it, and everything else is allowed.
Exercise
Allow all clients in the network segments 10.0.0.124/24 and 192.168.10.15/24, and the clients listed in the file /etc/squid/guest, to access the proxy server; all other clients are denied access to the local proxy server:
acl a src 10.0.0.124/24 192.168.10.15/24
acl B src "/etc/squid/guest"
http_access allow a
http_access allow B
http_access deny all
Allow two domain names, job.net and gdfq.edu.cn, to access the local proxy server; access from other domains is denied:
acl a src job.net gdfq.edu.cn
http_access allow a
http_access deny all
Deny clients access, through the proxy server, to the websites whose IP addresses or domain names are listed in a file:
the file /etc/squid/deny_ip holds the IP addresses to which access is denied,
the file /etc/squid/deny_dns holds the domain names to which access is denied:
acl aa dst "/etc/squid/deny_ip"
acl bb dstdomain "/etc/squid/deny_dns"
http_access deny aa
http_access deny bb
touch /etc/squid/deny_dns
touch /etc/squid/deny_ip
Allow all users to access the proxy server during the specified period (Monday to Thursday, from 8:30); only a specific user (the system administrator's block 192.168.10.0/24) may access the proxy server on Friday afternoon, and everyone else is refused from 1 P.M. to 6 P.M. on Friday:
acl a time MTWH 8:30-
acl B src 192.168.10.0/24
acl c time F 13:00-18:
http_access allow a
http_access allow c B
http_access deny all
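The evaluation order that the example and the exercises above rely on, as an added illustration (my own Python, not Squid's code; kaixin_time is given constructed 09:00-18:00 hours because the page's ranges were lost): every ACL named on an http_access line must match, the first matching line decides, and a request matching no line gets the opposite of the last line's action.

```python
# Added model of Squid's http_access evaluation (not Squid's own code): first-match
# over AND-ed ACL names, with '!' negation and the src, dstdomain and time ACL types.
import ipaddress
from datetime import datetime

DAYS = {"S": 6, "M": 0, "T": 1, "W": 2, "H": 3, "F": 4, "A": 5}  # Squid day codes -> weekday()
CONFIG = """\
acl kaixin_net dstdomain .kaixin.com
acl adv_net src 192.168.0.2-192.168.0.20/255.255.255.255
acl mynetwork src 192.168.0.0/24
acl kaixin_time time MTWHF 09:00-18:00
acl all src 0.0.0.0/0.0.0.0
http_access allow adv_net kaixin_time kaixin_net
http_access deny mynetwork kaixin_time kaixin_net
http_access allow all
"""  # the kaixin example from the page; the 09:00-18:00 hours are constructed

def parse_config(text):  # repeated 'acl NAME' lines merge: matching any one line is enough
    acls, rules = {}, []
    for p in map(str.split, text.splitlines()):
        if p and p[0] == "acl":
            acls.setdefault(p[1], (p[2], []))[1].append(p[3:])
        elif p and p[0] == "http_access":
            rules.append((p[1], p[2:]))
    return acls, rules
def ip_in(addr, spec):  # src value: CIDR, dotted netmask, or a 'first-last[/mask]' range
    if "-" in spec:
        lo, hi = map(ipaddress.ip_address, spec.partition("/")[0].split("-"))
        return lo <= addr <= hi
    return addr in ipaddress.ip_network(spec, strict=False)
def line_matches(kind, vals, src, host, when):
    if kind == "src":
        return any(ip_in(src, v) for v in vals)
    if kind == "dstdomain":  # a leading dot also matches every subdomain
        return any(host == v.lstrip(".") or (v[0] == "." and host.endswith(v)) for v in vals)
    # time: day letters plus one h1:m1-h2:m2 range; a span over midnight needs two lines
    days = {DAYS[c] for c in "".join(v for v in vals if ":" not in v).replace("D", "MTWHF")}
    span = [v.split("-") for v in vals if ":" in v]
    day_ok = not days or when.weekday() in days
    return day_ok and (not span or span[0][0] <= when.strftime("%H:%M") <= span[0][1])
def acl_hit(acls, name, src, host, when):  # a leading '!' inverts the result
    kind, lines = acls[name.lstrip("!")]
    return any(line_matches(kind, v, src, host, when) for v in lines) != name.startswith("!")
def decide(acls, rules, src, host, when):  # no line matching: opposite of the last line
    for action, names in rules:
        if all(acl_hit(acls, n, src, host, when) for n in names):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"
def evaluate(src, host, when, config=CONFIG):  # when is 'YYYY-MM-DD HH:MM'
    return decide(*parse_config(config), ipaddress.ip_address(src), host, datetime.strptime(when, "%Y-%m-%d %H:%M"))
```

Pass a different config string to evaluate() to check the two-line midnight split or a "!" rule before loading it into squid.conf.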
---------------------------------------------------------------------------
Configuration process
http_port 80
cache_peer 192.168.1.105 parent 8888 0 originserver
cache_peer <web server address> <server type> <http port> <icp port> [options]
cache_peer specifies where the real web server is.
<server type> is the cache level of the target host; for an upstream web host this is normally "parent".
<icp port> is used to talk to neighbouring caches over ICP (Internet Cache Protocol); such a cache server is usually another Squid host, and 0 means ICP is not used.
originserver marks the peer as the origin host that actually serves the web content.
weight=n gives the peer's priority; n is an integer, the higher the number the higher the priority, default 1.
max-conn=n limits the number of connections from the reverse proxy host to the web server.
Second, Squid reverse proxy: load balancing across several web servers
                                          /---> 192.168.0.2
Client ---> squid server (1.1.1.1) ------|----> 192.168.0.3
                                          \---> 192.168.0.4
The Squid server has two IP addresses: 1.1.1.1 and 192.168.0.254
The three web servers 192.168.0.2, 192.168.0.3 and 192.168.0.4 must serve the same page content; you can share the pages over NFS and mount the export on /var/www/html.
Starting from the one-to-one reverse proxy configuration, change the cache_peer lines to:
cache_peer 192.168.0.2 parent 8888 0 round-robin
cache_peer 192.168.0.3 parent 8888 0 round-robin
cache_peer 192.168.0.4 parent 8888 0 round-robin
-------------------------------------------------------------------
Configure the reverse proxy cache server
One-to-one
Squid server
Configuration file
/etc/squid.conf
http_port 80 vhost   # changed to 80
# cache_peer
cache_peer 192.168.1.12 parent 80 0 originserver   # added
tail -f /var/log/squid/access.log shows the addresses of the clients accessing you.
-------------------------
One-to-multiple (Apache)
Reverse proxy
Configuration file
/etc/squid.conf
http_port 80 vhost   # changed to 80
# cache_peer
cache_peer 192.168.1.157 parent 80 0 round-robin
cache_peer 192.168.1.113 parent 80 0 round-robin
cache_peer 192.168.1.111 parent 80 0 round-robin
This article is from the "history_xcy" blog: http://historys.blog.51cto.com/7903899/1296677