CENTOS 6.6 under Squid installation configuration

One, Proxy server

Proxy server is an important server security feature that works primarily in the session layer of the Open Systems Interconnection (OSI) model, and thus acts as a firewall. Proxy servers are mostly used to connect to the Internet and local area network (LAN).

Squid cache (squid) is a popular free software that complies with the GNU General Public License. Squid as the Web server's front cache server, you can proxy users to the Web server to request data and cache, can also be used in the LAN, so that local network users through the proxy Internet. Squid is primarily designed to run on a Linux-type system.

Squid category

According to the different types of agents, squid agent can be divided into a forward proxy and reverse proxy, the forward proxy, according to the implementation of different ways, but also can be divided into ordinary agents and transparent agents.

· Normal Proxy: Requires the client to specify the address and port of the proxy server in the browser;

· Transparent proxy: The gateway host for the enterprise (shared access to the Internet), the client does not need to specify the proxy server address, port and other information, the proxy server needs to set a firewall policy to transfer the client's Web Access data to the agent service process;

· Reverse proxy: Refers to the proxy server to accept the connection request on the Internet, and then forward the request to the server on the internal network, and the results obtained from the server to the Internet to request the connection of the client, when the proxy server appears as a server.

Official address: http://www.squid-cache.org/

Reference Document: http://www.squid-cache.org/Doc/config/

Operating system: CentOS release 6.4 (Final)

Second, the system environment

Operating system: CentOS release 6.6 (Final)

Squid version: squid-3.1.10-29.el6.i686

Selinux=disabled

HTTP service:stoped

Firewall: Normal proxy mode off, other modes open

Third, installation Squid Service

3.1 Check if squid software is installed

# Rpm-qa|grep Squid

3.2 If it is not installed, install it using the Yum method

# yum-y Install Squid

650) this.width=650; "title=" image "style=" border-left-0px; border-right-width:0px; border-bottom-width:0px; border-top-width:0px "border=" 0 "alt=" image "src=" http://s3.51cto.com/wyfs02/M01/6C/88/ Wkiom1vli4da3vczaagtkfd1zxs432.jpg "width=" 558 "height=" 367 "/>

3.3 Setting up boot from

Chkconfig--level squid on//automatic squid service on 3 and 5 levels

Four, Squid configuration file description for the server

Http_port 3128//Set IP and port number for listening

CACHE_MEM//extra memory for squid, squid memory is always x * 10+15+ "Cache_mem", where x is the capacity of Squid cache (in GB), such as the following cache size is 100M, That is, 0.1GB, the total memory consumption is 0.1*10+15+64=80m, the recommended size is physical memory of 1/3-1/2 or more.

Maximum_object_size 4 MB//Set squid disk cache Max file, files over 4M not saved to hard disk

Minimum_object_size 0 KB//Set Squid disk cache minimum file

Maximum_object_size_in_memory 4096 KB//Set squid memory cache Max file, files over 4M not saved to memory

Cache_dir UFS/VAR/SPOOL/SQUID 100 16 256//define the cache storage path for squid, cache directory capacity (in units m), number of cache directories, number of cache directories in level two

Logformat combined%&gt;a%ui%un [%tl] "%rm%ru http/%rv"%Hs%<st "%{referer}>h" "%{user-agent}&gt;h"%Ss: %sh//log File Log format

Access_log/var/log/squid/access.log combined//log file storage path and log format

Cache_log/var/log/squid/cache.log//Set cache log

Logfile_rotate//log Round 60 days

Cache_swap_high//cache directory usage is greater than 95%, start cleaning up the old cache

Cache_swap_low//cache directory Cleanup to 90% stops.

ACL localnet src 192.168.1.0/24//define local network segment

Http_access Allow LocalNet//allows local network segments to be used

Http_access deny all//Reject All

Visible_hostname CENTOSSD//host Name

cache_mgr [email protected]//admin mailbox

V. General Agency Services

The standard, traditional proxy service requires the client to specify the address and port of the proxy server in the browser.

The experimental topology diagram is as follows:

650) this.width=650; "title=" clip_image004 "style=" border-left-0px; border-right-width:0px; border-bottom-width:0px; border-top-width:0px "border=" 0 "alt=" clip_image004 "src=" http://s3.51cto.com/wyfs02/M02/6C/88/ Wkiom1vli4gjpkspaabh7fwkpb8219.jpg "width=" 558 "height=" 228 "/>

5.1 Configuring the Squid Proxy server IP address

Change the IP address of the eth0 to 192.168.1.168 (intranet address)

Modify the IP address of the eth1 to 192.168.0.128 (the extranet address)

As shown in the following configuration:

650) this.width=650; "title=" clip_image006 "style=" border-left-0px; border-right-width:0px; border-bottom-width:0px; border-top-width:0px "border=" 0 "alt=" clip_image006 "src=" http://s3.51cto.com/wyfs02/M00/6C/84/ Wkiol1vljpwanzjraaifpzbw0pm813.jpg "width=" 558 "height=" 393 "/>

5.2 Editing Squid Master profile/etc/squid/squid.conf

Back up the existing configuration file Mv/etc/squid/squid.conf/etc/squid/squid.conf.bak

Editing a configuration file vi/etc/squid/squid.conf

Http_port 3128

Cache_mem MB

Maximum_object_size 4 MB

Cache_dir UFS/VAR/SPOOL/SQUID 100 16 256

Access_log/var/log/squid/access.log

ACL localnet src 192.168.1.0/24

Http_access Allow LocalNet

Http_access Deny All

Visible_hostname CENTOSSD

Cache_mgr [email protected] //Can not be added

5.3 Initialization

# squid–z

Several common commands

650) this.width=650; "title=" clip_image007 "style=" border-left-0px; border-right-width:0px; border-bottom-width:0px; border-top-width:0px "border=" 0 "alt=" clip_image007 "src=" http://s3.51cto.com/wyfs02/M01/6C/84/ Wkiol1vljpwrg3tkaacw9f4sfxi938.jpg "width=" 535 "height="/>

5.4 Starting Squid

650) this.width=650; "title=" clip_image008 "style=" border-left-0px; border-right-width:0px; border-bottom-width:0px; border-top-width:0px "border=" 0 "alt=" clip_image008 "src=" http://s3.51cto.com/wyfs02/M02/6C/84/wKioL1VLJPWTiI_ Haaa4pilwrdo227.jpg "width=" 566 "height=" "/>"

5.5 Configuring the Web server

Configuration server does not do details again

View Web server IP address

650) this.width=650; "title=" clip_image010 "style=" border-left-0px; border-right-width:0px; border-bottom-width:0px; border-top-width:0px "border=" 0 "alt=" clip_image010 "src=" Http://s3.51cto.com/wyfs02/M00/6C/84/wKioL1VLJPah_ Aezaadqs2n6kyq795.jpg "width=" 557 "height=" 157 "/>

5.6 Configuring the Client IP address

650) this.width=650; "title=" clip_image012 "style=" border-left-0px; border-right-width:0px; border-bottom-width:0px; border-top-width:0px "border=" 0 "alt=" clip_image012 "src=" http://s3.51cto.com/wyfs02/M01/6C/84/ Wkiol1vljpbjfsuhaadaz6-ael0350.jpg "width=" 311 "height=" 303 "/>

5.7 Configuring the browser agent

650) this.width=650; "title=" clip_image014 "style=" border-left-0px; border-right-width:0px; border-bottom-width:0px; border-top-width:0px "border=" 0 "alt=" clip_image014 "src=" http://s3.51cto.com/wyfs02/M02/6C/84/wKioL1VLJPfzKR_ Vaagsrtusq0i739.jpg "width=" 557 "height=" 341 "/>

5.8 Testing

650) this.width=650; "title=" clip_image016 "style=" border-left-0px; border-right-width:0px; border-bottom-width:0px; border-top-width:0px "border=" 0 "alt=" clip_image016 "src=" http://s3.51cto.com/wyfs02/M00/6C/84/ Wkiol1vljpjypnpnaai-emdbdzc243.jpg "width=" 557 "height=" 502 "/>

The test was successful.

If you want to test domain access can be tested by setting up local DNS or modifying the Hosts file, not detailed here.

You can see that the client can communicate with the proxy server and cannot communicate with the Web server.

5.9 Test Error page

650) this.width=650; "title=" clip_image018 "style=" border-left-0px; border-right-width:0px; border-bottom-width:0px; border-top-width:0px "border=" 0 "alt=" clip_image018 "src=" http://s3.51cto.com/wyfs02/M01/6C/84/ Wkiol1vljpjrrtinaaeep0pta9i242.jpg "width=" 631 "height=" 355 "/>

You can see the parameters set in the Squid configuration file displayed on the error page.

Vi. Transparent Proxy Services

The gateway host for the enterprise, the client does not need to specify the proxy server address, port and other information, through Iptables the client's Web Access data to the agent service program processing.

The experimental topology diagram is as follows:

650) this.width=650; "title=" clip_image020 "style=" border-left-0px; border-right-width:0px; border-bottom-width:0px; border-top-width:0px "border=" 0 "alt=" clip_image020 "src=" http://s3.51cto.com/wyfs02/M02/6C/84/ Wkiol1vljpmqiwysaabonhi4bnu286.jpg "width=" 557 "height=" 234 "/>

6.1 Modifying Squid Master profile/etc/squid/squid.conf

Add the transparent keyword after http_port 3128.

Http_port 3128 Transparent

Cache_mem MB

Maximum_object_size 4 MB

Cache_dir UFS/VAR/SPOOL/SQUID 100 16 256

Access_log/var/log/squid/access.log

ACL localnet src 192.168.1.0/24

Http_access Allow LocalNet

Http_access Deny All

Visible_hostname CENTOSSD

Cache_mgr [email protected]

6.2 Reload

Reload let the above configuration take effect.

#/etc/init.d/squid Reload

6.3 Add Iptables rule to redirect internal HTTP requests to Port 3128

A) Start iptables service

b) [[email protected] desktop]# service iptables start

c) iptables:applying firewall rules: [OK]

d) Clear existing rules

650) this.width=650; "title=" clip_image022 "style=" border-left-0px; border-right-width:0px; border-bottom-width:0px; border-top-width:0px "border=" 0 "alt=" clip_image022 "src=" http://s3.51cto.com/wyfs02/M00/6C/84/ Wkiol1vljpmtliqgaac6dzcgipm276.jpg "width=" 557 "height=" 178 "/>

e) save Iptables settings

650) this.width=650; "title=" clip_image024 "style=" border-left-0px; border-right-width:0px; border-bottom-width:0px; border-top-width:0px "border=" 0 "alt=" clip_image024 "src=" http://s3.51cto.com/wyfs02/M01/6C/84/ Wkiol1vljpqdomoiaabkx86jaow165.jpg "width=" 543 "height=" "/>"

f) view Nat table

650) this.width=650; "title=" clip_image026 "style=" border-left-0px; border-right-width:0px; border-bottom-width:0px; border-top-width:0px "border=" 0 "alt=" clip_image026 "src=" http://s3.51cto.com/wyfs02/M02/6C/84/ Wkiol1vljprht52yaab42kcxq_y005.jpg "width=" 558 "height=" "/>

g) Add NAT rules and save

Configure Iptables to set NAT, that is, transparent proxy
iptables-t nat-a prerouting-i eth0-p tcp--dport 80-j REDIRECT--to-ports 3128
If only set the following sentence and the above sentence is not set, the client can also surf the internet, but not through squid ha ~
Iptables-t nat-a postrouting-o Eth1-j Masquerade

650) this.width=650; "title=" clip_image028 "style=" border-left-0px; border-right-width:0px; border-bottom-width:0px; border-top-width:0px "border=" 0 "alt=" clip_image028 "src=" http://s3.51cto.com/wyfs02/M00/6C/84/ Wkiol1vljpuwyfioaad1fmtjsvk332.jpg "width=" 558 "height=" 233 "/>

Save Iptables Settings
Service Iptables Save

650) this.width=650; "title=" clip_image030 "style=" border-left-0px; border-right-width:0px; border-bottom-width:0px; border-top-width:0px "border=" 0 "alt=" clip_image030 "src=" http://s3.51cto.com/wyfs02/M01/6C/84/ Wkiol1vljpvs5jhbaaba018qxh4272.jpg "width=" 558 "height="/>

6.4 Client Settings

1) Set up the network

650) this.width=650; "title=" clip_image032 "style=" border-left-0px; border-right-width:0px; border-bottom-width:0px; border-top-width:0px "border=" 0 "alt=" clip_image032 "src=" http://s3.51cto.com/wyfs02/M02/6C/84/ Wkiol1vljpuhqg5xaaduen5tymi984.jpg "width=" 346 "height=" 349 "/>

Set the gateway as the Proxy Server intranet address

2) the Proxy server Option scratch will be used in the browser.

650) this.width=650; "title=" clip_image033 "style=" border-left-0px; border-right-width:0px; border-bottom-width:0px; border-top-width:0px "border=" 0 "alt=" clip_image033 "src=" http://s3.51cto.com/wyfs02/M00/6C/84/ Wkiol1vljpzhj9wqaae17gi71vq829.jpg "width=" 384 "height=" 339 "/>

6.5 Browser Access Test

650) this.width=650; "title=" clip_image035 "style=" border-left-0px; border-right-width:0px; border-bottom-width:0px; border-top-width:0px "border=" 0 "alt=" clip_image035 "src=" http://s3.51cto.com/wyfs02/M01/6C/84/ Wkiol1vljp3xgkodaagwe7kf6zk438.jpg "width=" 557 "height=" 341 "/>

Description transparent proxy settings succeeded

Seven, reverse proxy services

Provides cache acceleration for Internet users to access enterprise Web sites.

The experimental topology diagram is as follows:

650) this.width=650; "title=" clip_image037 "style=" border-left-0px; border-right-width:0px; border-bottom-width:0px; border-top-width:0px "border=" 0 "alt=" clip_image037 "src=" http://s3.51cto.com/wyfs02/M02/6C/88/ Wkiom1vli4qhff-yaabm89hens4164.jpg "width=" 558 "height=" 249 "/>

Intranet server is server R2

7.1 Shutting down the intranet server firewall

7.2 Modifying the Web Server home page

Creating Catalogs and Home pages

650) this.width=650; "title=" clip_image039 "style=" border-left-0px; border-right-width:0px; border-bottom-width:0px; border-top-width:0px "border=" 0 "alt=" clip_image039 "src=" http://s3.51cto.com/wyfs02/M00/6C/88/wKiom1VLI4rQ_ Qxdaact4ijsjpe388.jpg "width=" 558 "height=" 262 "/>

7.3 Configuring Squid

Http_port Accel Vhost//This parameter is used to support host mappings

Http_access Allow all

Cache_peer 192.168.1.118 Parent 0 originserver round-robin weight=1//Specify the location of the 1th real server

Cache_peer 192.168.1.119 Parent 0 originserver round-robin weight=1//Specify the location of the 2nd real server

Visible_hostname CENTOSSD

7.4 Start Squid Service

650) this.width=650; "title=" clip_image041 "style=" border-left-0px; border-right-width:0px; border-bottom-width:0px; border-top-width:0px "border=" 0 "alt=" clip_image041 "src=" http://s3.51cto.com/wyfs02/M01/6C/88/ Wkiom1vli4qy5csaaabcl4avnfc033.jpg "width=" 558 "height="/>

Note: To ensure that the The port is not being used

7.6 Testing

Squid uses Round-robin, so client access will poll two Web servers with "Ctrl + F5" to refresh the test in depth.

Web1

650) this.width=650; "title=" clip_image043 "style=" border-left-0px; border-right-width:0px; border-bottom-width:0px; border-top-width:0px "border=" 0 "alt=" clip_image043 "src=" http://s3.51cto.com/wyfs02/M02/6C/88/ Wkiom1vli4uassmyaaboc-ravkw903.jpg "width=" 558 "height=" 142 "/>

Web2

650) this.width=650; "title=" clip_image045 "style=" border-left-0px; border-right-width:0px; border-bottom-width:0px; border-top-width:0px "border=" 0 "alt=" clip_image045 "src=" http://s3.51cto.com/wyfs02/M00/6C/88/ Wkiom1vli4uz2xnvaabl5m9dr3u784.jpg "width=" 558 "height=" 136 "/>

Eight, the log

Take a look at the log information again. , all actions are recorded in the log.

Use Tail–f to monitor changes in the last line of the log in real time.

650) this.width=650; "title=" clip_image047 "style=" border-left-0px; border-right-width:0px; border-bottom-width:0px; border-top-width:0px "border=" 0 "alt=" clip_image047 "src=" http://s3.51cto.com/wyfs02/M01/6C/88/ Wkiom1vli43wc9wpaajv0nff2c4360.jpg "width=" 557 "height=" 313 "/>

Note: This article has read http://zpp2009.blog.51cto.com/730423/297023

Http://bbs.51cto.com/thread-564760-1.html

Http://www.cnblogs.com/mchina/p/3812190.html

Three articles, thanks to three bloggers!

CENTOS 6.6 under Squid installation configuration