1. Proxy server
A proxy server is an important server-side security component. It works mainly at the session layer of the Open Systems Interconnection (OSI) model and can therefore act as a firewall. Proxy servers are mostly used to connect a local area network (LAN) to the Internet.
Squid cache (squid) is popular free software released under the GNU General Public License. Squid can act as a front-end cache for a Web server, proxying users' requests to the Web server and caching the results, and it can also be used inside a LAN so that local users reach the Internet through the proxy. Squid is designed mainly to run on Linux-type systems.
Squid categories
Depending on the type of proxying, squid can act as a forward proxy or a reverse proxy; a forward proxy, depending on how it is deployed, can further be divided into a normal proxy and a transparent proxy.
· Normal proxy: the client must specify the proxy server's address and port in the browser;
· Transparent proxy: squid runs on the enterprise gateway host (shared Internet access); the client does not need to specify a proxy address or port, and the proxy server sets a firewall policy that diverts the client's Web traffic to the proxy service process;
· Reverse proxy: the proxy server accepts connection requests from the Internet, forwards them to servers on the internal network, and returns the servers' results to the client that requested the connection; to the client, the proxy server appears to be the server.
Official address: http://www.squid-cache.org/
Reference Document: http://www.squid-cache.org/Doc/config/
Operating system: CentOS release 6.4 (Final)
2. System environment
Operating system: CentOS release 6.6 (Final)
Squid version: squid-3.1.10-29.el6.i686
SELinux: disabled
HTTP service: stopped
Firewall: off in normal proxy mode, on in the other modes
3. Installing the Squid service
3.1 Check whether the squid package is installed
# rpm -qa | grep squid
3.2 If it is not installed, install it with yum
# yum -y install squid
[Figure: yum install output]
3.3 Start squid automatically at boot
# chkconfig --level 35 squid on    # start the squid service in runlevels 3 and 5
4. Squid configuration file directives
http_port 3128    # IP address and port number to listen on
cache_mem 64 MB    # extra memory for squid (64 MB is the value used in the arithmetic below); squid's total memory is roughly x*10+15+cache_mem, where x is the squid cache capacity in GB. With the 100 MB cache below (0.1 GB), total memory use is 0.1*10+15+64 = 80 MB. The recommended size is 1/3 to 1/2 of physical memory or more.
maximum_object_size 4 MB    # largest object kept in the disk cache; files over 4 MB are not saved to disk
minimum_object_size 0 KB    # smallest object kept in the disk cache
maximum_object_size_in_memory 4096 KB    # largest object kept in the memory cache; files over 4 MB are not kept in memory
cache_dir ufs /var/spool/squid 100 16 256    # cache storage path, cache directory capacity (in MB), number of first-level cache directories, number of second-level cache directories
logformat combined %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh    # log line format
access_log /var/log/squid/access.log combined    # log file path and the log format to use
cache_log /var/log/squid/cache.log    # cache log
logfile_rotate 60    # number of rotated log generations to keep
cache_swap_high 95    # when cache directory usage exceeds 95%, start removing old cache objects
cache_swap_low 90    # stop removing once usage falls to 90%
acl localnet src 192.168.1.0/24    # define the local network segment
http_access allow localnet    # allow the local network segment to use the proxy
http_access deny all    # deny everyone else
visible_hostname CENTOSSD    # host name shown to clients
cache_mgr [email protected]    # administrator mailbox (address obfuscated in the source)
5. Normal proxy service
A standard, traditional proxy service requires the client to specify the proxy server's address and port in the browser.
The experimental topology diagram is as follows:
[Figure: experimental topology diagram]
5.1 Configuring the Squid proxy server's IP addresses
Change the IP address of eth0 to 192.168.1.168 (intranet address)
Change the IP address of eth1 to 192.168.0.128 (extranet address)
As shown in the following configuration:
[Figure: network interface configuration]
5.2 Editing the Squid main configuration file /etc/squid/squid.conf
Back up the existing configuration file: mv /etc/squid/squid.conf /etc/squid/squid.conf.bak
Edit the configuration file: vi /etc/squid/squid.conf
http_port 3128
cache_mem 64 MB
maximum_object_size 4 MB
cache_dir ufs /var/spool/squid 100 16 256
access_log /var/log/squid/access.log
acl localnet src 192.168.1.0/24
http_access allow localnet
http_access deny all
visible_hostname CENTOSSD
cache_mgr [email protected]    # optional
5.3 Initialization
# squid -z
Several common commands
[Figure: common squid commands]
5.4 Starting Squid
[Figure: starting the squid service]
5.5 Configuring the Web server
Configuring the Web server itself is not covered in detail here.
View the Web server's IP address
[Figure: Web server IP address]
5.6 Configuring the client IP address
[Figure: client IP address settings]
5.7 Configuring the browser proxy
[Figure: browser proxy settings]
5.8 Testing
[Figure: test result]
The test was successful.
If you want to test access by domain name, you can do so by setting up a local DNS server or editing the hosts file; this is not described here.
You can see that the client can communicate with the proxy server but cannot communicate with the Web server directly.
5.9 Testing the error page
[Figure: Squid error page]
You can see the parameters set in the Squid configuration file displayed on the error page.
6. Transparent proxy service
Squid runs on the enterprise gateway host; the client does not need to specify a proxy server address or port, and iptables redirects the client's Web traffic to the proxy service process.
The experimental topology diagram is as follows:
[Figure: experimental topology diagram]
6.1 Modifying the Squid main configuration file /etc/squid/squid.conf
Add the transparent keyword after http_port 3128.
http_port 3128 transparent
cache_mem 64 MB
maximum_object_size 4 MB
cache_dir ufs /var/spool/squid 100 16 256
access_log /var/log/squid/access.log
acl localnet src 192.168.1.0/24
http_access allow localnet
http_access deny all
visible_hostname CENTOSSD
cache_mgr [email protected]
6.2 Reload
Reload squid so that the configuration above takes effect.
# /etc/init.d/squid reload
6.3 Adding iptables rules to redirect internal HTTP requests to port 3128
a) Start the iptables service
# service iptables start
iptables: Applying firewall rules: [ OK ]
b) Clear the existing rules
[Figure: clearing the existing iptables rules]
c) Save the iptables settings
[Figure: saving the iptables settings]
d) View the nat table
[Figure: the nat table]
e) Add the NAT rules and save
Configure iptables NAT; this is what makes the proxy transparent:
# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-ports 3128
If only the following rule is set and the one above is not, clients can still reach the Internet, but not through squid.
# iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
[Figure: NAT rules added]
Save the iptables settings:
# service iptables save
[Figure: iptables settings saved]
6.4 Client settings
1) Set up the network
[Figure: client network settings]
Set the client's gateway to the proxy server's intranet address.
2) Untick the "use a proxy server" option in the browser.
[Figure: browser proxy option disabled]
6.5 Browser access test
[Figure: browser access test]
This shows that the transparent proxy configuration succeeded.
7. Reverse proxy service
Provides cache acceleration for Internet users accessing the enterprise's Web sites.
The experimental topology diagram is as follows:
[Figure: experimental topology diagram]
The intranet server is server R2.
7.1 Shut down the intranet server's firewall
7.2 Modify the Web server's home page
Create the directory and home page
[Figure: creating the directory and home page]
7.3 Configuring Squid
http_port 80 accel vhost    # accelerator mode with virtual host support (the port number was lost in the original; 80 is assumed here, which is why the local HTTP service is stopped)
http_access allow all
cache_peer 192.168.1.118 parent 80 0 originserver round-robin weight=1    # location of the 1st real server (HTTP port 80 assumed, ICP port 0)
cache_peer 192.168.1.119 parent 80 0 originserver round-robin weight=1    # location of the 2nd real server
visible_hostname CENTOSSD
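The following shell script is an added example (my own, not from the article) that checks the http_access section of a squid.conf before it is reloaded: every ACL name used must have been defined by an acl line, and the last http_access line must be "deny all". It passes the normal-proxy configuration of section 5.2 and flags the reverse-proxy configuration of section 7.3, whose "http_access allow all" lets any Internet client use the accelerator; restricting it to the accelerated sites with a dstdomain ACL is the safer form. Both sample configurations are constructed, with the port 80 assumption of 7.3 carried over.

```shell
#!/bin/sh
# Added example, not from the original article: sanity-check the http_access
# section of a squid.conf before reloading it.  Two rules are enforced:
#   1. every ACL name used by an http_access line was defined by an "acl" line
#      above it ("all" is treated as built-in, as the article's configs assume);
#   2. the final http_access line is "deny all", so anything not explicitly
#      allowed is rejected.  Exit status 0 if both hold, 1 otherwise.
check_squid_acls() {
    awk '
        { sub(/#.*/, "") }                      # drop trailing comments
        /^[ \t]*$/ { next }                     # skip blank lines
        tolower($1) == "acl" { defined[$2] = 1 }
        tolower($1) == "http_access" {
            last = tolower($2 " " $3)
            for (i = 3; i <= NF; i++) {
                name = $i; sub(/^!/, "", name)  # "!name" negates an ACL
                if (name != "all" && !(name in defined)) {
                    printf "line %d: undefined ACL %s\n", NR, name; bad = 1
                }
            }
        }
        END {
            if (last != "deny all") { print "last http_access is not \"deny all\""; bad = 1 }
            exit bad ? 1 : 0
        }' "$1"
}

# Constructed configs in the style of sections 5.2 and 7.3 (the article's lab
# addresses, not a real deployment).
normal_proxy_conf() {
    cat <<'EOF'
http_port 3128
acl localnet src 192.168.1.0/24
http_access allow localnet
http_access deny all
EOF
}
reverse_proxy_conf() {
    cat <<'EOF'
http_port 80 accel vhost
http_access allow all
cache_peer 192.168.1.118 parent 80 0 originserver round-robin weight=1
EOF
}
```

Run it as "check_squid_acls /etc/squid/squid.conf" before "/etc/init.d/squid reload"; a non-zero exit and the printed reason tell you what to fix.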
7.4 Start the squid service
[Figure: starting the squid service]
Note: make sure the port is not already in use.
7.6 Testing
Squid uses round-robin, so client requests are sent to the two Web servers in turn; press Ctrl+F5 to refresh and repeat the test.
Web1
[Figure: Web1 response]
Web2
[Figure: Web2 response]
8. Logs
Take another look at the log: every action is recorded there.
Use tail -f to watch new lines appended to the log in real time.
[Figure: tail -f on access.log]
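As an added example (my code, not the article's), the script below summarises access.log lines written in the "combined" logformat from section 4: for each client address it counts requests, cache hits and requests Squid denied, which shows at a glance whether clients outside localnet are being rejected by "deny all". The log lines are constructed sample data using the article's lab network; the client 10.0.0.5, the Web server 192.168.0.100 and the URLs are invented.

```shell
#!/bin/sh
# Added example, not from the original article: per-client summary of a Squid
# access.log in the "combined" logformat.  Only the first field (%>a, client
# address) and the last field (%Ss:%Sh, e.g. TCP_MISS:DIRECT) are used, so
# spaces inside the quoted Referer and User-Agent fields do not matter.
# Output: "client requests hits denied", one line per client, sorted.
squid_log_summary() {
    awk '
        {
            split($NF, st, ":")               # st[1] = Squid status, st[2] = hierarchy
            req[$1]++
            if (st[1] ~ /HIT/)         hit[$1]++      # TCP_HIT, TCP_MEM_HIT, TCP_REFRESH_HIT ...
            if (st[1] == "TCP_DENIED") denied[$1]++   # blocked by http_access
        }
        END {
            for (c in req)
                printf "%s %d %d %d\n", c, req[c], hit[c] + 0, denied[c] + 0
        }' "$1" | LC_ALL=C sort
}

# Constructed sample log (192.168.1.x is the article's localnet; 10.0.0.5 is not).
sample_access_log() {
    cat <<'EOF'
192.168.1.10 - - [08/May/2015:10:12:33 +0800] "GET http://192.168.0.100/index.html HTTP/1.1" 200 1543 "-" "Mozilla/5.0" TCP_MISS:DIRECT
192.168.1.10 - - [08/May/2015:10:12:41 +0800] "GET http://192.168.0.100/index.html HTTP/1.1" 200 1543 "-" "Mozilla/5.0" TCP_HIT:NONE
192.168.1.20 - - [08/May/2015:10:13:02 +0800] "GET http://192.168.0.100/logo.png HTTP/1.1" 200 4096 "http://192.168.0.100/index.html" "Mozilla/5.0" TCP_MISS:DIRECT
10.0.0.5 - - [08/May/2015:10:14:17 +0800] "GET http://example.com/ HTTP/1.1" 403 3520 "-" "curl/7.19.7" TCP_DENIED:NONE
EOF
}
```

On a live system run "squid_log_summary /var/log/squid/access.log"; a denied count for an address inside localnet, or a non-zero hit count for one outside it, points to an ACL mistake.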
Note: this article drew on the following three posts; thanks to the three bloggers!
http://zpp2009.blog.51cto.com/730423/297023
Http://bbs.51cto.com/thread-564760-1.html
Http://www.cnblogs.com/mchina/p/3812190.html
Squid installation and configuration under CentOS 6.6