1. What is the Squid service?
Squid is a proxy (caching) service. It caches the data users request; when a user requests the same data again, Squid serves it from its cache instead of fetching it again, which improves access speed and reduces bandwidth usage.
2. Application environment
A company has 100 users who all need Internet access. This can be done with a routing switch, or by giving each person a public IP address, but neither approach caches the data the users access.
3. Squid can proxy in three ways:
Normal proxy: the client must set the proxy server's IP address and the proxy service's port in its browser before it can reach the Internet through the proxy; clients on the LAN that do not set it are not proxied.
Transparent proxy: the client does not need to set the proxy server's IP address or listening port in its browser.
Reverse proxy: the proxy server answers public-network clients on behalf of servers on the private network.
4. How does Squid restrict which resources clients may access through it?
Squid uses ACLs (access control lists) to restrict the resources clients may access.
* An ACL must be defined before it is called; an ACL may be defined without ever being called.
* When an ACL rule matches, that rule is applied and the rules after it are not checked.
* So when calling ACLs, put the narrow rules above the wide ones.
5. Squid advantages:
1) Increases access speed through the cache.
2) Provides a way to access the Internet from private IP addresses.
3) Improves network security.
4) Makes user management easier.
6. Squid disadvantages:
1) It introduces a single point of failure.
2) The network is slow when many clients access it at the same time.
7. Process name: squid
Process owner/group: squid
Port number: 3128
Data transfer protocol: TCP
Experiment (I)
Purpose of the experiment: build a normal proxy
Lab environment: 3 servers
PC1 hostname: localhost, IP address: 192.168.1.10, intranet client
PC2 hostname: FANLJ, proxy server (eth0 connects to the intranet, IP address 192.168.1.254; eth1 connects to the extranet, IP address 1.1.1.254)
PC3 hostname: Fanxiaohui, IP address: 1.1.1.1, extranet Web server
Experimental requirements:
PC2 proxies intranet user PC1 so that PC1 can access the Web service on the extranet.
Set up the environment as described above, then test on PC2 whether it can ping 1.1.1.254 and 1.1.1.1.
Create a web page index.html on the extranet Web server whose content is 1.1.1.1
Test whether the Web content can be accessed from PC2
Deploy the Squid proxy on PC2 so that intranet user PC1 can access the content of the PC3 Web server through it.
1. Check whether the squid package is installed, and install it if it is not.
2. Modify the main configuration file. http_port is the port Squid listens on, 3128. cache_dir is the cache storage directory: ufs is the fixed storage format, /var/spool/squid is the storage location, 100 is the cache size, 16 means /var/spool/squid contains 16 first-level directories, and 256 means each of those 16 directories contains 256 subdirectories. cache_mem takes 32 MB of physical memory as cache. visible_hostname is the host name; when the system hostname and the host name in the hosts file are inconsistent, the hostname must be specified in the Squid configuration file. By default the Squid service listens on 127.0.0.1; it must instead listen on the private IP address.
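The following is an added example, not the post's own squid.conf or screenshot: a shell script that writes the main configuration for the normal-proxy lab on PC2 with the settings from step 2, and checks the ACL ordering rule from section 4 (first match wins, narrow rules above wide ones). The output path is a parameter so it can be tried on a scratch file first; the real file is /etc/squid/squid.conf. The localnet and blocked_site ACLs and the .blocked.example domain are constructed for the example.

```shell
#!/bin/sh
# Added example (not the post's own squid.conf): write the squid.conf for the
# normal-proxy lab on PC2 and check the http_access ordering rule from section 4.
# Assumed: the real file is /etc/squid/squid.conf; the output path is a parameter
# so the script can be tried against a scratch file first.

write_squid_conf() {
    cat > "$1" <<'EOF'
# Listen on the intranet interface, not the default 127.0.0.1, so PC1 can use it
http_port 192.168.1.254:3128
# ufs format, /var/spool/squid, 100 MB, 16 first-level dirs, 256 subdirs each
cache_dir ufs /var/spool/squid 100 16 256
cache_mem 32 MB
visible_hostname FANLJ

# ACLs must be defined before they are referenced
acl localnet src 192.168.1.0/24
acl Safe_ports port 80 443
acl blocked_site dstdomain .blocked.example   # constructed example domain

# The first matching http_access line wins and later lines are not checked,
# so narrow rules (specific domains, ports) go above the wide ones.
http_access deny blocked_site
http_access deny !Safe_ports
http_access allow localnet
http_access deny all
EOF
}

# Check the ordering rule: fail if an "allow all" / "deny all" catch-all
# appears before a more specific http_access line, which would make the
# specific line dead code.
check_acl_order() {
    awk '
        $1 == "http_access" {
            if ($3 == "all") { catchall = 1 }
            else if (catchall) { bad = 1 }
        }
        END { exit (bad ? 1 : 0) }
    ' "$1"
}

# Stand-alone run: write a scratch copy and check it
if [ "${1:-}" = "--demo" ]; then
    write_squid_conf /tmp/squid.conf.example
    check_acl_order /tmp/squid.conf.example && echo "http_access order OK"
fi
```

Run it with --demo to write /tmp/squid.conf.example and check it. The awk check only catches the ordering mistake described in section 4; after copying the file into place, let Squid itself validate the syntax with squid -k parse before restarting the service.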
3. Restart the Squid service and check that there are 16 directories under /var/spool/squid.
View the listening port and the process
4. Test on client PC1. The client must specify the proxy server's IP address and the port the proxy service listens on in its own browser.
In the client's browser, go to Edit --- Preferences --- Advanced --- Network --- Settings --- Manual proxy configuration, and point it at the Squid proxy's IP address with port 3128.
Enter http://1.1.1.1 directly in the browser
5. On the proxy server, see which clients have accessed 1.1.1.1
Disadvantage of the normal proxy:
The client must specify the proxy server's IP address in its own browser.
Experiment (II)
Experiment purpose: configure a transparent proxy
Transparent proxy advantage: the client does not need to specify the proxy server's IP address or listening port in its browser; as long as its gateway is set to the IP address of the proxy server's private-network interface, it can reach the Internet.
Experimental requirements: the client can reach the Internet without specifying the proxy's interface or IP address in its browser.
Preconditions for configuring a Squid transparent proxy:
An enterprise gateway (shared Internet access)
The firewall service must run on the same server as the proxy service
A firewall policy must be set up (the clients' Web request packets are redirected to the proxy service process)
1. The client's request packet for a website is sent to the proxy server.
2. Run the firewall service on the proxy server and write the firewall rule that redirects Web requests arriving at this machine to the local proxy service.
iptables -t <table name> <management option> <chain name> <match conditions> -j <action>
Table name (different tables have different functions):
filter: packet filtering
mangle: packet marking
nat: address translation of packets (source address / destination address / port)
raw: packet state tracking
Management options:
-L: list
-D: delete
-A: append
-F: flush
Chain (direction of packet travel relative to the firewall host):
INPUT: packets entering the firewall
OUTPUT: packets leaving the firewall
FORWARD: packets passing through the firewall
POSTROUTING: after routing
PREROUTING: before routing
Match conditions:
-i: the physical interface the packet arrives on
-s: the packet's source address
-p: the transport protocol
--dport: the packet's destination port
Actions:
DROP: drop silently
REJECT: refuse with an error reply
DNAT: destination address translation
SNAT: source address translation
REDIRECT: redirect to a local port
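As an added example (not the post's own commands), the script below builds the transparent-proxy rule set for PC2 from the iptables options listed above: a nat PREROUTING REDIRECT of port-80 traffic that arrives on the intranet interface to Squid's port 3128, an SNAT on the extranet interface so the gateway role works, and an INPUT accept for the redirected connections. Interface names and addresses follow the lab (eth0/192.168.1.254 intranet, eth1/1.1.1.254 extranet). It assumes Squid's http_port line has been given the transparent (Squid 2.6/3.0) or intercept (3.1 and later) keyword so that the redirected connections are accepted; the post does not show that line. The DRY_RUN switch and the rule_count helper are additions for safe testing.

```shell
#!/bin/sh
# Added example (not the post's own commands): the iptables rules that make PC2
# a transparent proxy for the lab, built from the options listed above.
# Assumed: eth0/192.168.1.254 faces the intranet, eth1/1.1.1.254 the extranet,
# Squid listens on 3128 with transparent/intercept mode enabled on that port.
LAN_IF=eth0
WAN_IF=eth1
WAN_IP=1.1.1.254
LAN_NET=192.168.1.0/24
SQUID_PORT=3128

# Print the rule set. Only Web requests that ARRIVE on the intranet interface
# from the intranet range are redirected; nothing coming in on eth1 is touched.
transparent_proxy_rules() {
    cat <<EOF
iptables -t nat -A PREROUTING -i $LAN_IF -s $LAN_NET -p tcp --dport 80 -j REDIRECT --to-ports $SQUID_PORT
iptables -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -j SNAT --to-source $WAN_IP
iptables -A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport $SQUID_PORT -j ACCEPT
EOF
}

# With DRY_RUN=1 (the default) the rules are only printed; DRY_RUN=0 applies
# them as root after enabling IP forwarding, which the gateway role needs.
apply_rules() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        transparent_proxy_rules
        return 0
    fi
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    transparent_proxy_rules | sh -e
}

# Number of rules in the set, for a sanity check before applying
rule_count() {
    transparent_proxy_rules | wc -l | tr -d ' '
}

apply_rules
```

Run it as is to see the rules, and with DRY_RUN=0 as root on PC2 to apply them. The -i eth0 and -s 192.168.1.0/24 matches on the REDIRECT rule matter: without them, port-80 connections arriving from the extranet side would also be pushed into Squid. Only plain HTTP on port 80 is intercepted; the rule does nothing for HTTPS, which this lab does not cover.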
3. Test on the client: open the client's browser and enter http://1.1.1.1
Experiment (III) Squid reverse proxy
Reverse proxy: the proxy server answers public-network clients on behalf of servers on the private network.
Experiment objective: configure Squid as a reverse proxy
Experimental requirements: public-network users access content on a private-network server.
Lab environment: 3 servers
PC1 hostname: localhost, IP address: 192.168.1.10, intranet Web server
PC2 hostname: FANLJ, proxy server (eth0 connects to the intranet, IP address 192.168.1.254; eth1 connects to the extranet, IP address 1.1.1.254)
PC3 hostname: Fanxiaohui, IP address: 1.1.1.1, external client (user)
Environment analysis: extranet users can reach the intranet Web server only through the proxy server, so the proxy server must listen on port 80 for the extranet to reach the intranet. Therefore httpd on the proxy server must be stopped: if httpd is running on the proxy server, the extranet can only reach the Web service on the proxy itself.
1. Modify the main configuration file so that the proxy server acts as a reverse proxy. cache_peer gives the address of the real back-end server; parent is the relationship between the proxy server and the Web server; 80 is the port to access; 0 is the port used to communicate with other proxy servers (0 means none); originserver marks the real host that provides the service.
2. On the proxy server, stop the firewall and check whether port 80 is occupied; if it is, release it, then restart the Squid service.
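An added example for steps 1 and 2 (not the post's own configuration file or screenshots): a script that writes the reverse-proxy squid.conf for PC2, binding port 80 on the extranet address with the cache_peer line described in step 1, and a port_in_use helper for the "is port 80 occupied?" check of step 2 that reads ss -ltn output from standard input so it can be tested on captured lines. The vhost keyword on http_port, the site ACL, and the cache_peer_access lines are assumptions beyond what the post shows: vhost keeps the client's Host header so that the name-based virtual hosts of Experiment (IV) are reachable, and the ACL restricts the proxy to the two public names so it cannot be used as an open forward proxy from the Internet.

```shell
#!/bin/sh
# Added example (not the post's own file): squid.conf for the reverse-proxy lab
# on PC2, plus the "is port 80 already taken?" check from step 2, written over
# the output of `ss -ltn` so it can be tested with captured lines.
# Assumed: back-end Web server 192.168.1.10, extranet interface 1.1.1.254;
# the vhost keyword keeps the Host header so the name-based sites of
# Experiment (IV) reach the right virtual host.

write_reverse_proxy_conf() {
    cat > "$1" <<'EOF'
# Accept public requests on the extranet address only; accel = reverse proxy mode
http_port 1.1.1.254:80 accel vhost
visible_hostname FANLJ

# Real back-end: parent relationship, HTTP port 80, ICP port 0 (none), originserver
cache_peer 192.168.1.10 parent 80 0 no-query originserver name=intranet_web

# Only forward the public site names; everything else is refused, so the
# proxy cannot be used as an open forward proxy from the Internet.
acl public_sites dstdomain www.tarena.com bbs.tarena.com
cache_peer_access intranet_web allow public_sites
cache_peer_access intranet_web deny all
http_access allow public_sites
http_access deny all
EOF
}

# Read `ss -ltn` style lines on stdin; return 0 if something listens on the
# given TCP port (on any address), 1 otherwise.
port_in_use() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            n = split($4, a, ":")            # local address:port, IPv6 included
            if (a[n] == port) { found = 1 }
        }
        END { exit (found ? 0 : 1) }
    '
}

# Stand-alone run: refuse to write the config while port 80 is still taken
if [ "${1:-}" = "--demo" ]; then
    if ss -ltn | port_in_use 80; then
        echo "port 80 is occupied: stop that service (e.g. httpd) before starting squid"
    else
        write_reverse_proxy_conf /tmp/squid.conf.reverse
        echo "wrote /tmp/squid.conf.reverse"
    fi
fi
```

Run it with --demo on PC2: it writes /tmp/squid.conf.reverse only when nothing is listening on port 80, which is exactly the condition step 2 asks you to verify before starting Squid.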
3. On the Web server 192.168.1.10, create a page and check that httpd is running
4. Check whether public-network users can access the Web server.
Experiment (IV) Accessing virtual hosts by domain name and port
Experiment objective (a): when an extranet user accesses www.tarena.com, the intranet server shows the wwwpage page (http://www.tarena.com shows wwwpage);
when the user accesses bbs.tarena.com, the intranet server shows the bbspage page (http://bbs.tarena.com shows bbspage).
1. On the intranet server, create two folders to hold the pages: wwwpage and bbspage
2. Create name-based virtual hosts on the intranet server so that different pages are shown when the extranet user accesses different addresses.
3. Test from the server itself whether the names resolve
4. Configure the DNS service on the Squid server to resolve www.tarena.com and bbs.tarena.com.
5. Test on an extranet client whether www.tarena.com and bbs.tarena.com can be accessed
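As an added example for steps 2 and 4 of this experiment (not the post's own files), the script below writes the two name-based virtual hosts for the intranet server and the tarena.com zone that the DNS service on the Squid server hands to extranet users, and adds the check a practitioner wants before publishing that zone: every A record must point at the proxy's extranet address 1.1.1.254, never at the intranet server's 192.168.1.10, since extranet clients must enter through the reverse proxy and a private address in a public zone leaks the intranet layout. Assumed: Apache 2.2-style syntax with NameVirtualHost (the RHEL 6 era matching the 2015 post), page directories /var/www/wwwpage and /var/www/bbspage, and a constructed SOA/NS record and serial for the zone.

```shell
#!/bin/sh
# Added example (not the post's own files): name-based virtual hosts for the
# intranet server (PC1) and the tarena.com zone served on the Squid server,
# plus a check that the public zone points only at the proxy's extranet address.
# Assumed: Apache 2.2-style httpd.conf syntax with NameVirtualHost; pages live
# under /var/www/wwwpage and /var/www/bbspage.

write_vhosts() {
    cat > "$1" <<'EOF'
NameVirtualHost *:80

# Served when the proxy forwards a request whose Host header is www.tarena.com
<VirtualHost *:80>
    ServerName www.tarena.com
    DocumentRoot /var/www/wwwpage
</VirtualHost>

# Served for Host: bbs.tarena.com
<VirtualHost *:80>
    ServerName bbs.tarena.com
    DocumentRoot /var/www/bbspage
</VirtualHost>
EOF
}

# Public zone: both names resolve to the proxy's extranet address 1.1.1.254.
# The intranet address 192.168.1.10 must never appear here. SOA/NS records and
# the serial are constructed for the example.
write_zone() {
    cat > "$1" <<'EOF'
$TTL 86400
@   IN SOA  ns.tarena.com. admin.tarena.com. (
            2015090301 ; serial (constructed)
            3600 900 604800 86400 )
    IN NS   ns.tarena.com.
ns  IN A    1.1.1.254
www IN A    1.1.1.254
bbs IN A    1.1.1.254
EOF
}

# Return 0 (true) if any A record in the zone file points at an RFC 1918
# address, which would leak the intranet layout to external resolvers.
zone_has_private_ip() {
    awk '
        $0 ~ /[ \t]A[ \t]/ {
            ip = $NF
            if (ip ~ /^10\./ || ip ~ /^192\.168\./ ||
                ip ~ /^172\.(1[6-9]|2[0-9]|3[01])\./) { leak = 1 }
        }
        END { exit (leak ? 0 : 1) }
    ' "$1"
}

# Stand-alone run: write both files to /tmp and report on the zone
if [ "${1:-}" = "--demo" ]; then
    write_vhosts /tmp/tarena-vhosts.conf
    write_zone /tmp/tarena.com.zone
    if zone_has_private_ip /tmp/tarena.com.zone; then
        echo "zone leaks a private address; fix it before loading"
    else
        echo "zone only publishes the proxy address"
    fi
fi
```

Run it with --demo to produce both files under /tmp. Before loading them for real, let the daemons check them: httpd -S on the intranet server lists the virtual hosts it parsed, and named-checkzone tarena.com tarena.com.zone validates the zone on the Squid server.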
This article is from the "Down to earth" blog; please keep this source: http://343614597.blog.51cto.com/7056394/1691703
Building and configuration management of Squid cache service