Accelerate Squid transparent proxy on Linux

Source: Internet
Author: User

1. Install squid-2.5

groupadd squid
useradd -g squid squid

rpm -ivh squid-2.5.STABLE3-3.3E.i386.rpm

2. Configure squid.conf:

# Proxy port. Prefixing the internal IP address keeps squid from listening on the Internet-facing interface.

http_port 192.168.0.1:3128

# Contact address of the server administrator, shown on error pages.

cache_mgr llzqq@nero.3322.org

# Error page language directory

error_directory /usr/share/squid/errors/Simplify_Chinese

# Public DNS servers (China Telecom):

dns_nameservers 202.99.160.68 202.99.168.8

# Host name shown on error pages and in Via headers

visible_hostname nero.3322.org

# Transparent (accelerator) mode: take the origin server from the request's Host header, so redirected port-80 traffic for any site can be served

httpd_accel_uses_host_header on
httpd_accel_host virtual

# Also accept ordinary (non-transparent) proxy requests on http_port

httpd_accel_with_proxy on

# Who may use the proxy. "allow all" admits every host that can reach 192.168.0.1:3128; squid stops at the first matching http_access rule, so restrict this with a src acl (see the appendix) and end the list with "http_access deny all".
http_access allow all

# RAM squid may use for in-memory objects (hot objects only, not the whole cache)

cache_mem 20 MB

# Largest and smallest objects to cache on disk and in memory

maximum_object_size 4096 KB
minimum_object_size 0 KB

maximum_object_size_in_memory 30 KB
minimum_object_size_in_memory 0 KB

# Disk cache: ufs store in /tmp, 100 MB, 16 first-level and 256 second-level directories (this is the directory the next section moves into RAM)

cache_dir ufs /tmp 100 16 256

# Replacement thresholds for the disk cache: once usage passes 90% of cache_dir, squid evicts objects until it is back below 85%

cache_swap_low 85
cache_swap_high 90

# Port of the origin servers being accelerated

httpd_accel_port 80
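The two settings above that decide whether this box becomes an open proxy are http_port (bound or unbound) and the http_access list. The following lint is an added example, not part of the article or of squid: it reads a squid.conf and flags an http_port with no address prefix, an "http_access allow all" that is reached before any deny rule, and a list that does not end in a deny. The sample configs it runs on are constructed here for the demonstration.

```shell
#!/bin/sh
# check_squid_conf CONF
#   Prints one WARN line per open-proxy smell found in CONF and returns 1;
#   returns 0 when none is found. Added example, not squid's own tooling.
check_squid_conf() {
    conf="$1"
    status=0

    # 1. "http_port 3128" (no address:port prefix) listens on every interface,
    #    including the Internet-facing one (ppp0 in this setup).
    if awk '$1 == "http_port" && $2 !~ /:/ { bad = 1 } END { exit !bad }' "$conf"; then
        echo "WARN: http_port is not bound to an internal address (listens on all interfaces)"
        status=1
    fi

    # 2. squid walks http_access top down and stops at the first match, so an
    #    "allow all" that no deny rule precedes admits every client that can reach the port.
    if awk '$1 == "http_access" {
                if ($2 == "deny") seen_deny = 1
                if ($2 == "allow" && $3 == "all" && !seen_deny) open = 1
            }
            END { exit !open }' "$conf"; then
        echo "WARN: http_access allow all is reached before any deny rule (open proxy)"
        status=1
    fi

    # 3. When no rule matches, squid applies the opposite of the LAST rule's
    #    action, so a list that ends in an allow silently denies and one that
    #    ends in a narrow deny silently allows. End the list with "deny all".
    if ! awk '$1 == "http_access" { last = $2 } END { exit (last == "deny") ? 0 : 1 }' "$conf"; then
        echo "WARN: http_access list does not end with a deny rule"
        status=1
    fi

    return $status
}

# Demo on two constructed configs: the article's "allow all" with an unbound
# port, and a locked-down version using the appendix's src acl.
demo_bad=$(mktemp); demo_good=$(mktemp)
printf 'http_port 3128\nhttp_access allow all\n' > "$demo_bad"
printf 'http_port 192.168.0.1:3128\nacl our_clients src 192.168.0.0/255.255.255.0\nhttp_access allow our_clients\nhttp_access deny all\n' > "$demo_good"
echo "== allow-all config"
check_squid_conf "$demo_bad" || echo "-> unsafe"
echo "== locked-down config"
check_squid_conf "$demo_good" && echo "-> ok"
rm -f "$demo_bad" "$demo_good"
```

Run it as `check_squid_conf /etc/squid/squid.conf` before restarting squid; a non-zero exit means at least one finding was printed.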

3. Create the squid cache directory in RAM

The squid cache directory normally lives on disk, and disk I/O is what limits squid's throughput, while RAM is the fastest storage in the machine. On Linux, /dev/shm is a tmpfs file system that resides in RAM, so the idea is to bind-mount a directory under /dev/shm onto the squid cache directory (/tmp, per the cache_dir line above). The procedure is as follows.

mkdir /dev/shm/tmp
chmod 1777 /dev/shm/tmp
mount --bind /dev/shm/tmp /tmp

These three commands create the directory and bind it, but tmpfs contents do not survive a reboot, so after every reboot the directory has to be recreated and bound again, and this must happen before squid starts. To solve this, I added the three commands (plus squid -z, which rebuilds the cache directory tree) to the squid startup script:

vi /etc/init.d/squid
==================================== squid ============================
PATH=/usr/bin:/sbin:/bin:/usr/sbin
export PATH
#
mkdir /dev/shm/tmp
chmod 1777 /dev/shm/tmp
mount --bind /dev/shm/tmp /tmp
squid -z
#
# Source function library.
...
==================================== squid ============================

chkconfig squid on

This way the task is done automatically every time the system starts. Note that /etc/init.d/squid also runs on every "service squid restart", not only at boot: mkdir will then complain that the directory already exists, and a second mount --bind stacks another mount on top of /tmp, so guard the commands (for example, skip the mount when /tmp is already a tmpfs mount point, and run squid -z only when the cache tree is missing). This setting also improves the performance of PHP, which by default keeps its session and upload temporary files in /tmp.
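An idempotent version of the startup fragment, as an added example (not the article's script and not part of squid's init script): the mount is skipped when the target is already RAM-backed and squid -z runs only when the cache tree has not been built yet. It assumes that, as on Linux, a bind mount of a tmpfs directory appears in /proc/mounts with filesystem type "tmpfs" and the target path as the mount point, and that a ufs cache_dir contains a first-level directory named 00 once squid -z has run.

```shell
#!/bin/sh
# ram_cache_mounted TARGET [MOUNTS]
#   True when TARGET is already a tmpfs mount point according to MOUNTS
#   (default /proc/mounts; a bind mount of /dev/shm/tmp onto /tmp is listed
#   there as "tmpfs /tmp tmpfs ..."). MOUNTS is a parameter so the check can
#   be exercised against a constructed file without root.
ram_cache_mounted() {
    awk -v t="$1" '$2 == t && $3 == "tmpfs" { found = 1 } END { exit !found }' "${2:-/proc/mounts}"
}

# prepare_ram_cache SRC TARGET
#   Create SRC under /dev/shm, bind it onto TARGET unless that was already
#   done, and build squid's cache tree only when it is missing. Safe to call
#   from the init script on every start, not just at boot.
prepare_ram_cache() {
    src="$1"; target="$2"
    mkdir -p "$src"
    chmod 1777 "$src"          # TARGET is /tmp here, which needs the sticky bit
    if ram_cache_mounted "$target"; then
        echo "$target is already RAM-backed, not mounting again"
    else
        mount --bind "$src" "$target" || return 1
    fi
    # squid -z creates the 16 first-level directories (00..0F) from cache_dir;
    # after a reboot the tmpfs is empty, so the tree must be rebuilt, but
    # re-running it on every restart is unnecessary.
    if [ ! -d "$target/00" ]; then
        squid -z
    fi
}

# Unprivileged demo: report whether this host's /tmp is on tmpfs.
if ram_cache_mounted /tmp; then
    echo "/tmp is on tmpfs"
else
    echo "/tmp is on disk"
fi
```

In /etc/init.d/squid, replace the three bare commands and squid -z with `prepare_ram_cache /dev/shm/tmp /tmp` placed before the daemon is started.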

4. My firewall for ADSL

#!/bin/bash
# Do iptables based masquerading and firewalling.
# llzqq 02/28/2004

export PATH=/sbin:/usr/sbin:/bin:/usr/bin

modprobe iptable_nat
modprobe ip_nat_ftp
modprobe ip_nat_irc
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_conntrack_irc

echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -F INPUT
iptables -F FORWARD
# Flush the nat table too; otherwise re-running the script appends duplicate REDIRECT/MASQUERADE rules
iptables -t nat -F
iptables -X
iptables -Z

# Allow forwarding through the internal interface
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Do masquerading through ppp0
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

# Loopback - allow unlimited traffic
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# SYN-flooding protection
iptables -N syn-flood
iptables -A INPUT -i ppp0 -p tcp --syn -j syn-flood
iptables -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
iptables -A syn-flood -j DROP

# Make sure that new TCP connections are SYN packets
iptables -A INPUT -i ppp0 -p tcp ! --syn -m state --state NEW -j DROP

# SQUID: transparently redirect LAN web traffic arriving on eth0 to the proxy port
iptables -t nat -A PREROUTING -i eth0 -p tcp -s 0/0 --dport 80 -j REDIRECT --to-ports 3128

# HTTP
iptables -A INPUT -i ppp0 -p tcp -s 0/0 --sport 80 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i ppp0 -p tcp -s 0/0 --sport 443 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i ppp0 -p tcp -d 0/0 --dport 80 -j ACCEPT
iptables -A INPUT -i ppp0 -p tcp -d 0/0 --dport 443 -j ACCEPT

# DNS
iptables -A INPUT -i ppp0 -p udp -s 0/0 --sport 53 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -i ppp0 -p udp -d 0/0 --dport 53 -j ACCEPT

# IP packets limit
iptables -A FORWARD -f -m limit --limit 10/s --limit-burst 10 -j ACCEPT
iptables -A FORWARD -p icmp -m limit --limit 1/s --limit-burst 3 -j ACCEPT
iptables -A INPUT -i ppp0 -p icmp -j DROP

# FTP
iptables -A INPUT -i ppp0 -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -i ppp0 -p tcp --dport 20 -j ACCEPT
iptables -A INPUT -i ppp0 -p tcp --dport 30000:40000 -j ACCEPT

# SSH: only from one LAN host, matched by MAC address. A MAC is trivially
# spoofed by anyone else on the LAN, so treat this as convenience, not authentication.
iptables -A INPUT -i eth0 -m mac --mac-source 00:F0:4B:92:B7:87 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j DROP

# MAIL
iptables -A INPUT -i ppp0 -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -i ppp0 -p tcp --dport 110 -j ACCEPT

# Anything else not allowed
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i ppp0 -j DROP


5. Appendix: configurations for some common squid functions

# Allow a specific network segment to use the proxy:
acl one_clients src 192.168.0.0/255.255.255.0
http_access allow one_clients

# Identify clients by their MAC (ARP) address:
acl OK arp 00:20:ed:39:48:b3 00:01:02:98:87:88 00:10:60:73:CE:BD
http_access allow OK

# cache_dir ufs /var/spool/squid 100 16 256
This sets the size of the object store and its directory structure: 100 is the store size in MB, 16 and 256 are the numbers of first-level and second-level directories respectively.

# Restrict which computers may use the proxy: only hosts with addresses 192.168.0.2 ~ 192.168.0.255 are allowed.
acl our_clients src 192.168.0.0/255.255.255.0
acl other_clients src 0.0.0.0/0.0.0.0
http_access allow our_clients
http_access deny other_clients (forbid everyone else from reaching the Internet through this machine)

# Time limit. Only the hosts 192.168.1.1 ~ 192.168.1.255 (work_clients) may use the proxy, and only Monday to Friday; the hour range, written h1:m1-h2:m2 after the day letters, did not survive in this copy. If you do not want to restrict to Monday to Friday, remove "MTWHF". "!" is logical NOT.
acl work_clients src 192.168.1.0/255.255.255.0
acl allow_time time MTWHF
http_access allow work_clients allow_time
http_access deny !work_clients

# Restrict the file types users may download, e.g. .avi and .mp3 (-i makes the match case-insensitive, so mp3 also matches MP3)
acl mmxfile urlpath_regex -i \.mp3$ \.avi$
http_access deny mmxfile

# Block sites whose URL contains a given keyword:
acl refused_sites url_regex sex
The sites to block can also be kept in a file, which is easier to maintain:
acl refused_sites url_regex "/etc/squid/refused_sites.txt"
http_access deny refused_sites
http_access allow all
Note: rules are evaluated in the order written, top down, and the first match decides. Because the deny comes first, a request matching refused_sites is blocked for every client, intranet included, before "allow all" is reached; swap the two lines and nothing is ever blocked. Any number of ACLs may be defined, but their names must be unique.
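First-match evaluation is the part of these examples that is easiest to get wrong, so here is an added example, not from the article and not squid's own code: a small evaluator that reads a squid.conf and prints the verdict ("allow" or "deny") that the http_access list gives a client IP. It implements two documented squid behaviours: the first rule whose ACLs all match decides, and if no rule matches the result is the opposite of the last rule's action. It supports only "acl NAME src" entries (CIDR or dotted netmask), "!" negation and the "all" ACL (treated as 0.0.0.0/0 when the file does not define it, as the stock squid.conf does); any other ACL type makes it exit 2 rather than guess. The configs it runs on are constructed here.

```shell
#!/bin/sh
# squid_http_access_decision CONF CLIENT_IP  ->  prints allow|deny
squid_http_access_decision() {
    awk -v client="$2" '
    function ip2int(s,   p) {
        split(s, p, ".")
        return ((p[1] * 256 + p[2]) * 256 + p[3]) * 256 + p[4]
    }
    # 32-bit bitwise AND; POSIX awk has no "&" operator.
    function band(x, y,   r, bit, i) {
        r = 0; bit = 1
        for (i = 0; i < 32; i++) {
            if ((x % 2) == 1 && (y % 2) == 1) r += bit
            x = int(x / 2); y = int(y / 2); bit *= 2
        }
        return r
    }
    function prefix2int(n,   v, i) {
        v = 0
        for (i = 0; i < 32; i++) v = v * 2 + (i < n ? 1 : 0)
        return v
    }
    # Is ip inside spec (a.b.c.d, a.b.c.d/nn or a.b.c.d/m.m.m.m)?
    function in_net(ip, spec,   n, a, mask) {
        n = split(spec, a, "/")
        if (n < 2) mask = prefix2int(32)
        else if (a[2] ~ /\./) mask = ip2int(a[2])
        else mask = prefix2int(a[2] + 0)
        return band(ip2int(ip), mask) == band(ip2int(a[1]), mask)
    }
    function acl_matches(name,   k, specs, i) {
        if (!(name in acltype)) {
            if (name == "all") return 1   # stock squid.conf: acl all src 0.0.0.0/0.0.0.0
            printf "unknown acl %s\n", name > "/dev/stderr"; rc = 2; exit
        }
        if (acltype[name] != "src") {
            printf "cannot evaluate acl type %s\n", acltype[name] > "/dev/stderr"; rc = 2; exit
        }
        k = split(aclspec[name], specs, " ")
        for (i = 1; i <= k; i++) if (in_net(client, specs[i])) return 1
        return 0
    }
    /^[ \t]*#/ { next }
    # acl lines for the same name accumulate, as in squid
    $1 == "acl" { acltype[$2] = $3; for (i = 4; i <= NF; i++) aclspec[$2] = aclspec[$2] " " $i }
    $1 == "http_access" {
        last = $2; ok = 1
        for (i = 3; i <= NF && ok; i++) {
            name = $i; neg = 0
            if (substr(name, 1, 1) == "!") { neg = 1; name = substr(name, 2) }
            m = acl_matches(name)
            if (neg) m = !m
            if (!m) ok = 0
        }
        if (ok) { verdict = $2; decided = 1; exit }   # first match wins
    }
    END {
        if (rc) exit rc
        # No rule matched: squid applies the opposite of the last rule.
        if (!decided) verdict = (last == "allow") ? "deny" : "allow"
        if (last == "") verdict = "deny"               # no http_access lines at all
        print verdict
    }' "$1"
}

# Constructed demo: the appendix pair above, then a list that ends in a narrow deny.
demo=$(mktemp)
printf 'acl our_clients src 192.168.0.0/255.255.255.0\nacl other_clients src 0.0.0.0/0.0.0.0\nhttp_access allow our_clients\nhttp_access deny other_clients\n' > "$demo"
for ip in 192.168.0.77 10.1.2.3; do
    echo "$ip -> $(squid_http_access_decision "$demo" "$ip")"
done
printf 'acl lan src 192.168.0.0/24\nhttp_access deny lan\n' > "$demo"
echo "deny-only list, 10.1.2.3 -> $(squid_http_access_decision "$demo" 10.1.2.3)"
rm -f "$demo"
```

The last demo is the case to remember: a list consisting only of "http_access deny lan" lets every outside address through, because squid's fallback is the opposite of the last rule. Always finish the list with "http_access deny all".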

Note:

If squid fails to start, look at its logs under /var/log/squid (cache.log records startup errors in detail). My squid configuration file: ftp://test:123456@nero.3322.org/squid
