I. Install the reverse proxy server
1. Download the Squid proxy server source:
http://www.squid-cache.org/Versions/v2/2.2/squid-2.2.STABLE5-src.tar.gz
Store the downloaded file in the /usr/local/squid/src directory. The file name is
squid-2.2.STABLE5-src.tar.gz.
2. Unpack the proxy server package:
Enter the /usr/local/squid/src directory and run the following command:
gzip -dc squid-2.2.STABLE5-src.tar.gz | tar -xvf -
This command unpacks the proxy server package, creates a directory called squid-2.2.STABLE5, and places all the files in it.
3. Compile the source
First, run the configure script to generate makefiles suited to your machine. Command format:
./configure
The default installation path is /usr/local/squid.
To change the installation path, use the following form:
./configure --prefix=/some/other/directory
Squid is then compiled for and installed into /some/other/directory.
After the makefiles are generated, start the compilation with:
make
4. Install the Squid proxy server
After compilation, run the following command to install squid:
make install
After installation, a squid directory exists at the chosen installation path. It contains three directories: etc, bin, and logs. etc holds the configuration file, bin the executables, and logs the log files.
II. Debugging the reverse proxy server
After installation, adjust the server so that it works as required. Squid has only one configuration file, squid.conf in the etc directory, and all configuration options live in it. Each option is documented in the file itself; only the items related to reverse proxying are covered here.
First, find the following configuration items in squid.conf:
cache_mem
Here you set the amount of memory squid may use for the cache. Note: if your machine has N MB of memory, we recommend N/3 here.
cache_dir /usr/local/squid/cache 100 16 256
The first number, 100, is the amount of disk space (in MB) to use as the squid cache; to allocate 100 MB, write 100 here. The following 16 and 256 are the numbers of first- and second-level subdirectories created under the cache directory.
acl, http_access, icp_access
Define the allowedip and allowedip1 access control lists with the public IP addresses of the servers. In this example the external addresses of the two web servers are 202.99.157.10 and 202.99.157.18:
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl all src 0.0.0.0/0.0.0.0
acl allowedip src 202.99.157.10/255.255.255.255
acl allowedip1 src 202.99.157.18/255.255.255.255
http_access deny manager all
http_access allow allowedip
http_access allow allowedip1
http_access deny all
icp_access allow allowedip
icp_access allow allowedip1
icp_access deny all
Squid applies the first http_access line that matches and ignores the rest, so the final "http_access deny all" is what keeps everyone else away from port 3128.
cache_mgr webmaster@test.com.cn
Enter the e-mail address of the cache administrator. Squid shows this address on its error pages and mails it if the cache dies.
***** All of the above are common squid settings. The following are the reverse proxy settings *****
httpd_accel_host test.com.cn
httpd_accel_host test1.com.cn
Set the host name of the web site being accelerated, i.e. the name squid will fetch from. Note that squid 2 keeps only the last httpd_accel_host value; to front several sites with one squid, use "httpd_accel_host virtual" together with "httpd_accel_uses_host_header on", so that the Host header of each request selects the site.
httpd_accel_port 80
Set the port number of the web service behind the reverse proxy.
# httpd_accel_with_proxy off
Whether squid should also act as an ordinary forward proxy while the reverse proxy is enabled; leave it off.
After modifying the configuration file, initialize the cache directories before running the squid proxy server for the first time. The commands are:
% /usr/local/squid/bin/squid -z
% /usr/local/squid/bin/squid
Check the cache.log file to make sure everything is running properly. If there is an error message or squid does not start, the cause is usually directory and file permissions: check the permissions of each directory and file carefully. Note that the squid directory must be writable before initialization, and the cache and logs directories it creates must be writable by the user squid runs as. If everything works, the proxy is ready; its default service port is 3128.
After the reverse proxy software is installed, stop the HTTP service that the reverse proxy server itself runs on port 80.
III. Adjust DNS server settings
Assume that the DNS server used by the Internet (hereinafter the standard DNS server) resolves www.test.com.cn to 202.99.157.10 and www.test1.com.cn to 202.99.157.18. When we configure the DNS service on the reverse proxy server (the internal DNS server), we map the same names to the internal addresses instead:

Host name            Standard DNS resolution   Internal DNS resolution
www.test.com.cn      202.99.157.10             192.168.1.10
www.test1.com.cn     202.99.157.18             192.168.1.18

Then bind the 202.99.157.10 and 202.99.157.18 IP addresses to the reverse proxy server. Access to http://www.test.com.cn/ and http://www.test1.com.cn/ is now resolved by the standard DNS to the reverse proxy server. A web server listens on port 80 by default, but the HTTP service on port 80 of the reverse proxy server has been stopped, so such a request would fail. To make it succeed, the reverse proxy server must relay it to the real web servers behind http://www.test.com.cn/ and http://www.test1.com.cn/. To reach web servers that have only internal addresses, first bind an internal IP address to the reverse proxy server, for example 192.168.1.2. The rest is done by the transparent proxy software transproxy: it listens on port 81 and hands each request to squid, which then resolves the requested host name through the internal DNS. Once transproxy is set up, ipchains rules redirect the HTTP requests arriving from outside on port 80 of the reverse proxy server to port 81, where transproxy accepts them. In this way the external connection ends at the reverse proxy, which opens its own connection to the real web server.
IV. Install the transparent proxy software
Transproxy help documentation: http://transproxy.sourceforge.net/
Installing the transparent proxy involves the following steps: download, decompress, compile, install, and configure. First download the transproxy package from http://www.transproxy.nlc.net.au/transproxy-1.3.tgz or http://sourceforge.net/project/showfiles.php?group_id=18383 and put it in the /usr/local/src directory. Then decompress the package with gzip. The command is:
gzip -dc transproxy-1.3.tgz | tar -xvf -
Decompressing creates the tproxy directory under /usr/local/src, which holds the transproxy source. (Once it is unpacked you can go straight to make.) Enter the directory, compile with make, and install with make install. Compiling and installing transproxy is very simple; configuring it comes next. Depending on the system load, transproxy can run in two modes: inetd mode when the load is light and standalone server mode when the load is heavy. The configuration is as follows:
1. inetd mode:
Add the following line to the /etc/services file:
tproxy 81/tcp # transproxy
Add the following line to the /etc/inetd.conf file:
tproxy stream tcp nowait nobody /usr/sbin/tcpd /usr/local/sbin/tproxy 202.99.157.10 3128
or
tproxy stream tcp nowait nobody /usr/sbin/tcpd /usr/local/sbin/tproxy 202.99.157.18 3128
(The last two arguments are the address and port on which squid listens; either of the proxy's own public addresses will do.)
2. Standalone server mode:
Add the following line to the /etc/rc.d/rc.local file:
/usr/local/sbin/tproxy -s 81 -r nobody 202.99.157.10 3128
or
/usr/local/sbin/tproxy -s 81 -r nobody 202.99.157.18 3128
(-s 81 is the port transproxy listens on; -r nobody makes it run as that unprivileged user.)
After the configuration is complete, restart the reverse proxy server so that all the new settings take effect.
V. Set forwarding rules
ipchains -A input -p tcp -d 202.99.157.10/255.255.255.255 80 -j REDIRECT 81
ipchains -A input -p tcp -d 202.99.157.18/255.255.255.255 80 -j REDIRECT 81
All HTTP requests sent to port 80 of 202.99.157.10 and 202.99.157.18 are now redirected to port 81, which transproxy manages.
So far, the transparent reverse proxy configuration is complete.
Let's trace an Internet user's access to the web server http://www.test.com.cn/, whose real address is the internal 192.168.1.10. First, the standard DNS server resolves the name to 202.99.157.10, so the user's browser sends its request to port 80 of 202.99.157.10. The ipchains rule redirects it to port 81, where transproxy accepts it and passes it to squid on port 3128. Squid looks up www.test.com.cn on the internal DNS server running on the reverse proxy, which returns 192.168.1.10, the real web server with its HTTP service open on port 80. Squid retrieves the page from 192.168.1.10, returns it via 202.99.157.10 to the Internet user who requested http://www.test.com.cn/, and stores a copy in its cache. This completes one access from an Internet user to a web server with an internal IP address; later requests for the same page can be served from the squid cache.
From this example we can see that Internet users accessing http://www.test.com.cn/ never reach the real web server directly. Even if the proxy server is compromised, the web server itself is not damaged; you only need to restore the reverse proxy server. This method therefore protects the web server to a certain extent. The protection is only partial, though: the proxy holds an internal address and can reach the web servers, so an attacker who controls it can reach them too, and that path should be limited to port 80 of the web servers. In addition, when the number of page views is large, the squid reverse proxy cache speeds up page delivery.
VI. Others
When running a reverse proxy, pay attention to the access control settings. The proxy should be allowed to fetch only from your own internal servers, never from arbitrary hosts; otherwise your reverse proxy server becomes an open, unauthenticated proxy on the Internet, which is dangerous. In addition, if you have several web servers, pick the best-performing one as the reverse proxy server. The internal web servers can then be PCs or low-end servers, because the load from outside is concentrated on the reverse proxy server.
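The following is an added example, not part of this article and not code from Squid or transproxy: a small POSIX shell audit that reads a squid.conf and checks the access-control points made in section II and in the paragraph above, namely that the http_access and icp_access lists end in "deny all", that no "allow all" rule exists, and that httpd_accel_with_proxy is off. The two sample configurations it writes with mktemp are constructed for the demonstration (one is the rule set from this article, the other a deliberate open-proxy misconfiguration); the temporary file paths and the function name are assumptions of the example.

```shell
#!/bin/sh
# Added example: audit the access-control part of a squid.conf for the
# open-proxy mistakes this article warns about. Not part of Squid or
# transproxy; it only reads the text of a configuration file.

# audit_squid_conf FILE
#   Prints one FAIL line per problem found; returns 0 only if all checks pass.
audit_squid_conf() {
    conf="$1"
    rc=0

    # Normalise: strip comments, squeeze whitespace, drop blank lines and
    # lower-case everything, so each directive is one canonical line.
    rules=$(sed -e 's/#.*//' -e 's/[[:space:]][[:space:]]*/ /g' \
                -e 's/^ //' -e 's/ $//' -e '/^$/d' "$conf" \
            | tr '[:upper:]' '[:lower:]')

    # 1. squid stops at the first matching http_access line, so the list
    #    must end with a catch-all deny.
    last_http=$(printf '%s\n' "$rules" | grep '^http_access ' | tail -n 1)
    if [ "$last_http" != "http_access deny all" ]; then
        echo "FAIL: last http_access rule is '$last_http', want 'http_access deny all'"
        rc=1
    fi

    # 2. "http_access allow all" admits anyone who can reach port 3128.
    if printf '%s\n' "$rules" | grep -q '^http_access allow all$'; then
        echo "FAIL: 'http_access allow all' turns the accelerator into an open proxy"
        rc=1
    fi

    # 3. The accelerator must not also serve as a general forward proxy.
    if printf '%s\n' "$rules" | grep -q '^httpd_accel_with_proxy on$'; then
        echo "FAIL: httpd_accel_with_proxy is on; set it to off"
        rc=1
    fi

    # 4. Same catch-all requirement for ICP (inter-cache queries).
    last_icp=$(printf '%s\n' "$rules" | grep '^icp_access ' | tail -n 1)
    if [ "$last_icp" != "icp_access deny all" ]; then
        echo "FAIL: last icp_access rule is '$last_icp', want 'icp_access deny all'"
        rc=1
    fi

    return $rc
}

# Constructed sample 1: the rule set from this article (assumed temp path).
GOOD_CONF=$(mktemp)
cat >"$GOOD_CONF" <<'EOF'
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl all src 0.0.0.0/0.0.0.0
acl allowedip src 202.99.157.10/255.255.255.255
acl allowedip1 src 202.99.157.18/255.255.255.255
http_access deny manager all
http_access allow allowedip
http_access allow allowedip1
http_access deny all
icp_access allow allowedip
icp_access allow allowedip1
icp_access deny all
httpd_accel_host test.com.cn
httpd_accel_port 80
# httpd_accel_with_proxy off
EOF

# Constructed sample 2: an open-proxy misconfiguration (assumed temp path).
BAD_CONF=$(mktemp)
cat >"$BAD_CONF" <<'EOF'
acl all src 0.0.0.0/0.0.0.0
http_access allow all
icp_access allow all
httpd_accel_host test.com.cn
httpd_accel_port 80
httpd_accel_with_proxy on
EOF

echo "== rules from the article =="
audit_squid_conf "$GOOD_CONF" && echo "OK: no open-proxy findings"
echo "== constructed open-proxy misconfiguration =="
audit_squid_conf "$BAD_CONF" || echo "audit failed as expected"
```

Run it as "sh audit.sh" on the reverse proxy, or call audit_squid_conf /usr/local/squid/etc/squid.conf from a cron job: a non-zero exit means one of the four guards against becoming a public proxy has been lost in an edit.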
In addition, this solution is more complete when combined with a Linux firewall.