Typical configuration of squid.conf

Source: Internet
Author: User
Tags dns portal squid proxy
1. Configure

# vi /etc/squid/squid.conf

# The http_port directive tells Squid which port to listen on for HTTP requests. The default is 3128; besides the bare form below it can be bound to one address, e.g. http_port 192.168.63.50:3128, which is preferable on a multi-homed host so that the proxy is not reachable on every interface.
http_port 3128
icp_port 3130

# Cache directory settings. Several cache directories can be configured. Syntax: cache_dir <aufs|ufs> <directory> <size in MB> <L1 dirs> <L2 dirs>
cache_dir ufs /var/spool/squid 1000 64 1024

# Directory and file names of the log files. (These are the Squid 2.x directive names; Squid 3.x uses access_log instead of cache_access_log.)
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log
pid_filename /var/run/squid.pid

# Disable the authentication mechanism. Some Squid builds ship with proxy authentication already enabled, which is not needed in general, so find the lines containing auth_param and comment them out. Without authentication the only thing between you and an open proxy is the src-based http_access list below, so keep that list tight.
#auth_param basic children 5
#auth_param basic realm Squid proxy-caching web server
#auth_param basic credentialsttl 2 hours

# Set the user and group Squid runs as, and the administrator contact address shown on error pages
cache_effective_user squid
cache_effective_group squid
cache_mgr youraccount@your.e.mail

# Memory-related configuration. cache_mem is the memory used for in-transit and hot objects; on a machine with very little memory 8 MB is enough, and with a large amount of physical memory 64 or 128 MB is reasonable. cache_mem is not Squid's total memory footprint: the index of every object in cache_dir also lives in RAM.
cache_mem 128 MB

# Disk capacity configuration (90 and 95 are the percentages of cache_dir usage at which object replacement starts and becomes aggressive). If the cache_dir disk is large, consider raising 4096 to 32768 KB.
cache_swap_low 90
cache_swap_high 95
maximum_object_size 4096 KB

# Largest object that may be kept in memory
maximum_object_size_in_memory 8 KB

# Define ACLs (access control lists). Syntax: acl <acl name> <acl type> <values>
# The ACL names and their values are the user-defined parts.

acl all src 0/0
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl Safe_ports port 80 21 443 563 70 210 280 488 591 777 1025-65535
acl SSL_ports port 443 563
acl CONNECT method CONNECT
acl mynetwork src 192.168.0.0/16

# Use the ACLs defined above to write the access rules. Squid evaluates http_access lines in order and the first line whose ACLs all match decides, so deny lines must come before "allow mynetwork" and "deny all" must be last.
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow mynetwork
http_access deny all

# Relationship with other proxy servers. Syntax: cache_peer <hostname> <type> <http port> <icp port> [options]. The line below uses an upstream parent on port 4480 without ICP queries (no-query, with 7 as a dummy ICP port) as the default route; drop it if you have no upstream proxy.
cache_peer 192.168.60.6 parent 4480 7 no-query default

# Restrict which requests may be sent to another proxy:
# cache_peer_access <upstream proxy> <allow|deny> <acl name>
#cache_peer_access 192.168.60.6 allow aclxxx
#cache_peer_access 192.168.60.6 deny !aclxxx

coredump_dir /var/spool/squid

2. Activate squid

1) Before starting Squid, verify that the configuration file is correct by running:

# squid -k parse

If the command prints nothing, the configuration file is valid and you can proceed. If the file contains errors, Squid prints a message naming the offending directive.

2) Initialize the cache directory, i.e. create the storage structure inside each cache_dir.

Do this once before starting the Squid service for the first time, and again whenever you add a new cache_dir:

# squid -z

Initialization can take a while, depending on the size and number of cache directories and the speed of the disks. To watch the process, add the -X option:

# squid -zX

3) Start the Squid service

# service squid start

If Squid is installed under /usr/local/squid, you can also run

# /usr/local/squid/sbin/squid -sD

4) Stop Squid

The safest way to stop Squid is the squid -k shutdown command, which lets requests in flight finish before the process exits:

# squid -k shutdown

5) Reconfigure a running Squid process

As you learn more about Squid you will make many changes to squid.conf. For a new setting to take effect you can stop and restart Squid, or reconfigure it while it is running.

The best way to reconfigure a running Squid is the squid -k reconfigure command:

# squid -k reconfigure

6) Rotate the log files

Squid writes a lot of log data unless you disable logging in squid.conf, so the log files must be rotated regularly to keep them from growing too large. Squid writes a great deal of important information to its logs, and if it cannot write them it reports an error and exits. To keep disk consumption under control, run the following command from cron:

% squid -k rotate

For example, the following crontab entry rotates the logs at 4 o'clock every morning:

0 4 * * * /usr/local/squid/sbin/squid -k rotate

The command does two things. First it closes the currently open log files. Then it renames cache.log, store.log and access.log by appending a numeric extension: cache.log becomes cache.log.0, cache.log.0 becomes cache.log.1, and so on up to the value set by the logfile_rotate option.
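The logs are also where you confirm that the access rules are doing their job. The following Python script is an added example, not part of the original article: it parses access.log lines in Squid's native format and reports clients that keep collecting TCP_DENIED responses, plus any CONNECT tunnel that was allowed to a port outside SSL_ports, which is exactly what the "deny CONNECT !SSL_ports" line is meant to stop. The log lines, client addresses, host names and thresholds are constructed for the example.

```python
# Added example (not from the page): read access.log lines in Squid's native
# format and flag two things the http_access rules are meant to prevent: a
# client piling up TCP_DENIED responses, and a CONNECT tunnel that was allowed
# to a port outside SSL_ports.  The log lines, hosts and addresses are made up.
import re
from collections import Counter

# Native format: timestamp elapsed client result/status bytes method URL ident hierarchy/peer type
LINE_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<ident>\S+)\s+(?P<hier>\S+)\s+(?P<ctype>\S+)\s*$")

# Constructed sample log; the last line is deliberately malformed.
SAMPLE_LOG = """\
1158010000.123    45 192.168.1.10 TCP_MISS/200 12345 GET http://www.example.com/ - DIRECT/203.0.113.5 text/html
1158010001.501     0 192.168.63.6 TCP_DENIED/403 1450 GET http://www.example.com/ - NONE/- text/html
1158010002.007     0 192.168.63.6 TCP_DENIED/403 1450 GET http://news.example.com/ - NONE/- text/html
1158010002.330     0 192.168.63.6 TCP_DENIED/403 1450 GET http://www.example.org/ - NONE/- text/html
1158010003.118   812 192.168.1.10 TCP_MISS/200 5120 CONNECT www.example.com:443 - DIRECT/203.0.113.5 -
1158010004.220     0 192.168.1.10 TCP_DENIED/403 1450 CONNECT mail.example.net:25 - NONE/- text/html
1158010005.902  2210 192.168.1.20 TCP_MISS/200 9816 CONNECT 198.51.100.7:8080 - DIRECT/198.51.100.7 -
this line is deliberately malformed
"""


def parse_line(line):
    """Return a dict of fields for one native-format line, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = float(rec["ts"])
    for key in ("elapsed", "status", "bytes"):
        rec[key] = int(rec[key])
    return rec


def connect_port(url):
    """CONNECT requests log host:port instead of a URL (IPv4 / host names only)."""
    _, _, port = url.rpartition(":")
    return int(port) if port.isdigit() else None


def analyse(log_text, ssl_ports=(443, 563), deny_threshold=3):
    """Summarise denials per client and tunnels that reached non-SSL ports."""
    denied, tunnels, unparsed = Counter(), [], 0
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if rec is None:
            unparsed += 1
            continue
        if rec["result"].startswith("TCP_DENIED"):
            denied[rec["client"]] += 1
        elif rec["method"] == "CONNECT" and rec["status"] == 200:
            port = connect_port(rec["url"])
            if port is not None and port not in ssl_ports:
                tunnels.append((rec["client"], rec["url"]))
    return {
        "denied": dict(denied),
        "noisy_clients": {c: n for c, n in denied.items() if n >= deny_threshold},
        "tunnels_to_non_ssl_ports": tunnels,
        "unparsed": unparsed,
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it against a real log with analyse(open("/var/log/squid/access.log").read()). Newer Squid releases record an allowed tunnel as TCP_TUNNEL/200 rather than TCP_MISS/200; the check keys on the method and status, so it still applies, but if you have set a custom logformat the regular expression must be adapted.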

Squid keeps only the last logfile_rotate versions of each log file; older versions are deleted during the renaming. To keep more copies, raise the logfile_rotate limit or write a script that moves the log files elsewhere. See section 13.7 for more on rotating logs.

3. Access control samples

1) Prohibit access to a web site

Add the following ACL and access rule to the Squid configuration file and reload the configuration. Place the deny line before "http_access allow mynetwork": Squid stops at the first matching line, so a deny placed after the allow is never reached for internal clients.

acl Sina dstdomain .sina.com.cn .sina.com
http_access deny Sina

Or

acl Sina dst 58.63.236.26 58.63.236.27 58.63.236.28 58.63.236.29 58.63.236.30 58.63.236.31 58.63.236.32 58.63.236.33 58.63.236.34 58.63.236.35 58.63.236.36 58.63.236.37 58.63.236.38 58.63.236.39 58.63.236.49 58.63.236.50
http_access deny Sina

Or

acl Sina dst www.sina.com.cn
http_access deny Sina

(A dst ACL given a host name is resolved to addresses once, when Squid reads the configuration, so it silently stops matching when the site changes addresses; dstdomain is the more robust form.)

2) Prohibit access from certain IP addresses

Add the following ACL and access rule to the Squid configuration file and reload the configuration (again, before the "allow mynetwork" line):

acl Zhang src 192.168.63.6/32
http_access deny Zhang

3) Prohibit access during certain periods

acl working_hours time MTWHF 08:00-17:00
http_access allow working_hours
http_access deny !working_hours

Note that "allow working_hours" on its own matches every client during working hours, not only your own network. In the configuration above write it as "http_access allow mynetwork working_hours", or keep only the deny line and let "allow mynetwork" do the allowing.

4) Prevent a client from opening too many connections

acl OverConnLimit maxconn 4
http_access deny OverConnLimit

maxconn counts the connections currently open from one client address, so it needs client_db on (the default) to work.

4. Transparent proxy

Imagine a network where a whole set of internal hosts reaches the Internet through a NAT host. As discussed above, a proxy is a good choice on a large intranet because at the very least it reduces the bandwidth load. The drawback is that every user has to configure the proxy in their browser. Is there a way for a proxy to serve users who have configured nothing in their browser? There is: the transparent proxy (also rendered as "transparent proxy server"). The principle is:

When a user accesses the Internet through the NAT server and the protocol used is HTTP on port 80 (i.e. WWW), the request is handed over to the proxy, which does the proxy server's job.

In other words, when the user goes online through the NAT host and the NAT host notices that the request is for WWW data, it lets the proxy host handle it. The user does not need to configure any proxy information in the browser, because the redirection is done by the NAT host itself; as long as the NAT host is configured correctly, users configure nothing. How is it done? In two steps:

1. Configure the proxy host:

1) With Squid 2.5, change the following directives in the Squid configuration file:

[root@test root]# vi /etc/squid/squid.conf

httpd_accel_host virtual            # tell the web accelerator to accept all URLs, whatever host they name
httpd_accel_port 80                 # tell the web accelerator that the port being accelerated is 80
httpd_accel_with_proxy on           # important: once httpd_accel_host is set, ordinary proxy caching is switched off, so this must be on to keep the cache working
httpd_accel_uses_host_header on     # take the destination host from the request's Host header; interception needs this because the intercepted request line carries only a path

2) With Squid 2.6, only one directive in the configuration file needs changing (the httpd_accel_* directives were removed in 2.6):

http_port 192.168.63.50:3128 transparent    # 192.168.63.50 is the address of the Squid server; Squid 3.1 and later spell this option "intercept"

[root@test root]# squid -k reconfigure

2. Configure the port redirection on the NAT host:

On the NAT host, traffic to port 80 has to be handed over to the proxy on port 3128, so your firewall script must include this rule:

# iptables -t nat -A PREROUTING -i eth0 -p tcp -s 192.168.62.0/24 --dport 80 -j REDIRECT --to-ports 3128

Here eth0 is the NAT host's internal network interface and 192.168.62.0/24 is your internal address range; adjust both to your own setup. Keep the -i and -s restrictions so that only your own clients are redirected into Squid. Note that only TCP port 80 is intercepted: HTTPS on 443 and every other protocol still pass straight through NAT and never see Squid's access rules. With this rule in place the client side needs no configuration at all and immediately benefits from the proxy.

3. Configure forwarding

# echo 1 > /proc/sys/net/ipv4/ip_forward

Or, to make it permanent:

# vi /etc/sysctl.conf

net.ipv4.ip_forward = 1

# vi /etc/sysconfig/network

FORWARD_IPV4=yes

# service network restart

4. Configure the clients

To test from another computer as a client, point its default gateway and preferred DNS server at the server running the transparent proxy, and clear the proxy settings in the client's browser.

5. Reverse proxy

A proxy server is a very common way to connect LAN hosts to the Internet. Going online through a proxy saves scarce IP addresses and blocks external hosts from reaching internal ones, which shields the intranet hosts from attack by hosts on the external network. But if you want hosts on the Internet to reach a resource on an intranet host (a web site, say) while still keeping that host out of direct reach of external hosts, an ordinary proxy cannot do it; you need a reverse proxy.

What is a reverse proxy? A reverse proxy is what is commonly called web server acceleration: a fast web cache server (the reverse proxy) is placed between a busy web server and the Internet to reduce the load on the real web server. The typical structure is shown in the following illustration:

Web server acceleration (reverse proxy) provides acceleration for web servers. It acts as a proxy cache, but not on behalf of browser users; it acts on behalf of one or more specific web servers (which is where the name reverse proxy comes from). To implement one, as in the figure above, simply place the reverse proxy cache in front of one or more web servers. When an Internet user accesses the web server, the address returned by DNS is that of the reverse proxy, not of the original web server, so the reverse proxy plays the role of the web server as far as the browser is concerned: the browser connects to it and never connects to the web server directly. A large share of the web serving work is thus offloaded to the reverse proxy. This removes the risk of external hosts talking directly to the web server, greatly reduces the web server's load and improves response time.

1) Squid as a reverse proxy for a single backend web server

(1) If the web server and the reverse proxy are two separate machines (a reverse proxy normally has two network cards, one on the internal and one on the external network), change the following to set up the reverse proxy:

http_port 80                        # port Squid listens on
httpd_accel_host 172.16.250.250     # IP address of the internal web server
httpd_accel_port 80                 # port the web service listens on
httpd_accel_single_host on          # forward requests that are not in the cache to this one machine; Squid reverse-proxies only a single web server
httpd_accel_with_proxy on           # on if Squid should also act as an outbound proxy for local machines; the default is off
httpd_accel_uses_host_header off    # HTTP/1.1 requests carry a Host header naming the host (or IP address) from the URL; turning this on is what lets Squid reverse-proxy several backend web servers

On a reverse proxy that faces the Internet, httpd_accel_with_proxy on means the same port also accepts ordinary forward-proxy requests, so unless the http_access rules limit forward proxying to your internal network (allow mynetwork before deny all, as in the configuration in section 1) the accelerator doubles as an open proxy for the whole Internet. If you do not need the outbound proxy, leave it off. These httpd_accel_* directives exist only up to Squid 2.5; Squid 2.6 and later express the same setup as http_port 80 accel defaultsite=<site name> together with cache_peer 172.16.250.250 parent 80 0 no-query originserver.

(2) If the web server and the reverse proxy are the same machine, the web server must listen on a port other than 80 (for example 81). Change the following:

http_port 80                        # port Squid listens on
httpd_accel_host localhost          # the internal web server
httpd_accel_port 81                 # port the web server listens on
httpd_accel_single_host on
httpd_accel_with_proxy on
httpd_accel_uses_host_header off

2) Squid as a reverse proxy for multiple backend web servers

Squid can also reverse-proxy several backend web servers at once. For example, it can front www.abc.com, www.xyz.com and www.lmn.com, three separate backend web servers, as in the following schematic:

Squid is configured as follows:

httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_single_host off
httpd_accel_uses_host_header on

(Note: Squid must have been built with the internal DNS option enabled.)

Because routing now follows the client-supplied Host header, restrict the accelerator to the three names with dstdomain ACLs and deny everything else; otherwise any client can make Squid fetch, and cache under that name, content from a host of its own choosing.

Then set up the public DNS records the reverse proxy needs (Internet users resolve the three site names through these):

www.abc.com    202.102.240.74
www.xyz.com    202.102.240.74
www.lmn.com    202.102.240.74

so that all three names point to the reverse proxy's IP address, 202.102.240.74.

Next set up the DNS information the reverse proxy itself uses to find the backends (an internal DNS that only Squid consults and that Internet users never see). There are two ways to do this: an internal DNS server, or the /etc/hosts file.

The resource records for an internal DNS server are:
www.abc.com   IN A 192.168.62.2
www.xyz.com   IN A 192.168.62.3
www.lmn.com   IN A 192.168.62.4

If you use /etc/hosts instead (Squid should then be built with --disable-internal-dns so that it uses the system resolver, which reads /etc/hosts), add these entries to /etc/hosts:
192.168.62.2 www.abc.com
192.168.62.3 www.xyz.com
192.168.62.4 www.lmn.com

Conclusion: the discussion and examples above show that a reverse proxy is not only a web server accelerator but also an effective firewall technique for publishing web content. It saves scarce IP addresses, speeds up access to the web server and shields the web host, so it suits a wide range of situations.
