Linux squid server configuration. The following is a detailed description of how to configure the squid server.
Lab environment setup:
1. The Linux system requires two NICs: eth0 and eth1.
2. Assign an IP address to each NIC, for example eth0: 10.0.0.1 (simulating the intranet address) and eth1: 172.16.16.69 (simulating the Internet address).
First, check whether squid is already installed on RHEL4. If it is not, install it with rpm; the package is on the second CD of the distribution.
# rpm -q squid
package squid is not installed
# mount /dev/cdrom /media/cdrom
# cd /media/cdrom/RedHat/RPMS/
# rpm -ivh squid-2.5.STABLE6-3.i386.rpm
warning: squid-2.5.STABLE6-3.i386.rpm: V3 DSA signature: NOKEY, key ID db42a60e
Preparing...                ########################################### [100%]
   1:squid                  ########################################### [100%]
The NOKEY warning means rpm could not verify the package signature because the vendor's GPG key has not been imported; import it with rpm --import before installing if you want the signature checked rather than skipped.
The squid service is not started automatically by default on RHEL4, so set it to start at boot.
# chkconfig --list squid
squid   0:off   1:off   2:off   3:off   4:off   5:off   6:off
# chkconfig --level 2345 squid on
Squid server initialization
Before using squid for the first time, run squid -z to create the cache directory structure.
# ls /var/spool/squid
# squid -z
Note: If initialization succeeds it prints a line such as: 15:07:51| Creating Swap Directories
If instead it prints the following:
FATAL: Could not determine fully qualified hostname. Please set 'visible_hostname'
Squid Cache (Version 2.5.STABLE6): Terminated abnormally.
CPU Usage: 0.064 seconds = 0.008 user + 0.056 sys
Maximum Resident Size: 0 KB
Page faults with physical i/o: 0
Aborted
then add a line to the main configuration file:
# vi /etc/squid.conf
visible_hostname squid    // where squid is the hostname of the current machine
Save and exit, then run squid -z again.
# ls /var/spool/squid
00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
Start the squid service
# service squid start
Starting squid: .                                          [  OK  ]
Modify the squid server configuration file
# vi /etc/squid.conf
Find the following line:
http_port 3128
Change it to:
http_port 3128 8080
or
http_port 8080
The squid service port is set with the http_port directive; the default is 3128. For the users' convenience you can change it to 8080, or listen on several ports at once, since http_port accepts more than one port.
Find the following line:
cache_mem 8 MB
Change it to:
cache_mem 64 MB
This line sets the amount of memory squid uses for its in-memory cache. Squid's performance depends strongly on this value: generally, the more memory squid is given, the better it performs, so size it according to the memory available on the server.
Find the following line:
cache_dir ufs /var/spool/squid 100 16 256
This line sets the path and attributes of squid's cache directory. "100 16 256" means the directory may hold at most 100 MB of cache, with 16 first-level subdirectories, each containing 256 second-level subdirectories. Adjust these values to the actual situation.
Find the following line:
cache_access_log /var/log/squid/access.log
This line sets the path of the squid access log. When it is enabled, every client request is recorded here, and you can review client activity by inspecting this log.
After all the configuration changes are complete, save and exit.
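As an added example (not from the original page), here is a small Python parser for squid's native access.log format that totals requests and TCP_DENIED entries per client, which is the quickest way to spot clients being refused by the access list. The log lines are constructed samples, and the field layout assumed is squid's default native format.

```python
import re
from collections import defaultdict

# Constructed sample lines in squid's native access.log format (not from the page):
# time elapsed client action/status bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
1130000000.123     45 10.0.0.5 TCP_MISS/200 5123 GET http://www.example.com/ - DIRECT/192.0.2.10 text/html
1130000001.456      0 172.16.16.200 TCP_DENIED/403 1375 GET http://www.example.com/ - NONE/- text/html
1130000002.789     12 10.0.0.5 TCP_HIT/200 2200 GET http://www.example.com/logo.png - NONE/- image/png
1130000003.001      0 10.0.0.7 TCP_DENIED/403 1375 CONNECT mail.example.com:25 - NONE/- text/html
1130000004.222    310 10.0.0.7 TCP_MISS/200 88 CONNECT secure.example.com:443 - DIRECT/192.0.2.20 -
"""

# One regex group per field of the native format; the action/status and
# hierarchy/peer pairs are split on their '/'.
LINE_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\S+)\s+(\S+)/(\d{3})\s+(\d+)\s+(\S+)\s+(\S+)"
                     r"\s+(\S+)\s+(\S+)/(\S+)\s+(\S+)$")

def parse_line(line):
    """Return a dict for one access.log line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"time": float(m[1]), "elapsed": int(m[2]), "client": m[3],
            "action": m[4], "status": int(m[5]), "bytes": int(m[6]),
            "method": m[7], "url": m[8], "ident": m[9],
            "hierarchy": m[10], "peer": m[11], "type": m[12]}

def summarize(text):
    """Per-client counts; returns {client: (requests, denied)}."""
    totals = defaultdict(lambda: [0, 0])
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue                      # skip lines that are not native-format records
        totals[rec["client"]][0] += 1
        if rec["action"].startswith("TCP_DENIED"):
            totals[rec["client"]][1] += 1
    return {client: tuple(counts) for client, counts in totals.items()}
```

Run it against the real file with summarize(open("/var/log/squid/access.log").read()); a client with a high denied count is either outside the allowed network or trying ports the Safe_ports list does not permit.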
Configure access control
The squid server provides powerful access control. In squid.conf it is implemented with the acl and http_access directives: acl defines named sets (of client addresses, ports, request methods and so on), and the http_access lines are evaluated in order, with the first line whose ACLs all match deciding whether the request is allowed or denied.
# grep ^acl /etc/squid.conf
acl QUERY urlpath_regex cgi-bin \?
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443 563     # https, snews
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
# grep ^http_access /etc/squid.conf
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny all
Next we add an access control list entry for the internal network:
# vi /etc/squid.conf
acl mynetwork src 10.0.0.0/8    // add this line in the acl section
http_access allow mynetwork     // add this line before the "http_access deny all" line in squid.conf
Because the first matching http_access line wins, an allow line placed after "deny all" is never reached. Use the narrowest prefix that covers your clients: 10.0.0.0/8 matches the entire private range, not just the lab subnet.
Restart the squid service.
# service squid restart
Stopping squid: .                                          [  OK  ]
Starting squid: .                                          [  OK  ]
Now we can verify the result on a client.
In Internet Explorer, open Properties, go to "Connections" - "LAN Settings", tick "Use a proxy server for your LAN", enter the squid server's IP address 10.0.0.1 in "Address" and 3128 in "Port".
Click "OK", then enter a website address in IE and check whether it can be reached.
Configure a transparent proxy server
To build a transparent proxy you must configure both the squid service and the iptables firewall.
By default squid does not act as a transparent proxy, so add the following to the configuration file:
# vi /etc/squid.conf
// add the following four lines at the end of the configuration file
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
Restart the service
# service squid restart
Stopping squid: .                                          [  OK  ]
Starting squid: .                                          [  OK  ]
Modify the firewall configuration
# iptables -t nat -A PREROUTING -s 10.0.0.0/8 -p tcp --dport 80 -j REDIRECT --to-ports 3128
The command above appends a rule to the PREROUTING chain of the nat table. "-s 10.0.0.0/8" matches packets whose source address is in 10.0.0.0/8; "-p tcp" matches the TCP protocol; "--dport 80" matches packets whose destination port is 80; "-j REDIRECT" redirects the matching packets to the local machine; "--to-ports 3128" delivers them to local port 3128, where squid is listening.
Note that iptables rules live only in the kernel and are lost at reboot unless you save them. Plain iptables-save only prints the rule set, so write it to the file the RHEL init script loads (service iptables save does the same):
# iptables-save > /etc/sysconfig/iptables
# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
REDIRECT   tcp  --  10.0.0.0/8           anywhere            tcp dpt:http redir ports 3128

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
With this, the transparent proxy is configured.
Now return to the client: open the IE Properties, go to "Connections" - "LAN Settings", clear the "Use a proxy server for your LAN" check box and click "OK". Then open a website; if it loads, the transparent proxy is working.
// Note: If the page does not load, configure the DNS server address on the client. With a transparent proxy the client still resolves host names itself, because it believes it is connecting to the site directly.