Configure Squid proxy server under Linux

Source: Internet
Author: User
Tags curl squid proxy


1. What is squid

Squid cache (squid) is a popular free software (GNU General Public License) proxy server and Web cache server. Squid has a wide range of uses: acting as a cache in front of Web servers to speed them up by caching repeated requests; caching World Wide Web, Domain Name System and other network lookups for a group of people sharing network resources; helping network security by filtering traffic; and giving a LAN access to the Internet through a proxy. Squid is primarily designed to run on Unix-like systems.

Squid has a long development history and its feature set is quite complete. In addition to HTTP, its support for FTP and HTTPS is also very good, and the 3.0 beta version also supports IPv6.

Squid can act as a proxy and can also act as a cache;

Squid's cache not only saves valuable bandwidth but can also greatly reduce server I/O;

Squid can act as a forward proxy and also as a reverse proxy.

Forward proxy: the clients sit behind Squid, and the clients reach the Internet through Squid. Reverse proxy: the servers sit behind Squid, and the data the servers return to users passes through Squid.

Forward proxies are used in enterprise office environments: employees access the Internet through the Squid proxy, which saves network bandwidth. Reverse proxies are used to build cache servers for a site's static content (images, HTML, streaming media, JS, CSS, etc.) as part of the site architecture.


2. Build a Squid forward proxy

Official website: http://www.squid-cache.org/

Install command: yum install -y squid

squid -v # view the version and compile options (Squid Cache: Version 3.1.10)

> /etc/squid/squid.conf # empty the configuration file;

vim /etc/squid/squid.conf

Add the following configuration:

http_port 3128
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl SSL_ports port 443
acl Safe_ports port 80 8080
acl Safe_ports port 21
acl Safe_ports port 443
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access allow localhost
# "allow all" lets any client that can reach port 3128 use the proxy; "http_access deny all" limits it to the allow rules above
http_access allow all
cache_dir aufs /data/cache 1024 16 256
cache_mem 128 MB
hierarchy_stoplist cgi-bin ?
coredump_dir /var/spool/squid
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern \.(jpg|png|gif|mp3|xml) 1440    50%     2880    ignore-reload
refresh_pattern .               0       20%     4320

Configuration explanation:

acl Safe_ports port 80 8080 # HTTP ports

acl Safe_ports port 21 # FTP port

acl Safe_ports port 443 # HTTPS port

cache_dir aufs /data/cache 1024 16 256 # cache space of 1024 MB, 16 first-level directories, 256 sub-directories

cache_mem 128 MB # amount of memory the cache may use; access to data in memory is fast;


mkdir /data/cache # create the cache directory

chown -R squid:squid /data/cache # change the ownership of the cache directory

squid -z # initialize the cache directory; can be omitted with the newer Squid 3.1

/etc/init.d/squid start # start the squid service

squid -k check # checks the configuration file for errors; can be shortened to -kche

squid -k rec # reloads the configuration; shorthand for reconfig;

service squid restart # restart the squid service; a normal restart is very slow, so you can killall squid first and then start the service;


Checking the configuration file reports the error: Could not determine this machines public hostname. Please configure one or set 'visible_hostname'. No public hostname is defined, so visible_hostname needs to be configured (when Squid reports a problem, this hostname is shown in the browser).

Add the following to the configuration file and the error goes away: visible_hostname yonglinux

[[email protected] ~]# squid -k check
2015/05/25 03:09:18| WARNING: Could not determine this machines public hostname. Please configure one or set 'visible_hostname'.
2015/05/25 03:09:18| WARNING: Could not determine this machines public hostname. Please configure one or set 'visible_hostname'.
squid: ERROR: No running copy


Test from another Linux machine: curl -x192.168.22.30:3128 www.qq.com

This accesses the site through port 3128 of the proxy server 192.168.22.30, provided that the proxy server itself can reach the website;

A proxy server lets local users access sites quickly and also lets you control which websites users may access, for example prohibiting employees from watching videos or shopping during working hours;


Request an image to test the cache: an X-Cache value of HIT shows that Squid's cache is working; the first request is a MISS;

[[email protected] ~]# curl -x192.168.22.30:3128 'http://www.51cto.com/images/home/images/logo.jpg' -I
HTTP/1.0 200 OK
Server: Tengine
Date: Sun, 13:42:43 GMT
Content-Type: image/jpeg
Content-Length: 5309
Last-Modified: Wed, Jan 07:55:12 GMT
Expires: Sun, 13:42:43 GMT
Cache-Control: max-age=604800
Load-Balancing: web39
Accept-Ranges: bytes
Age: 29661
X-Cache: HIT from yonglinux
X-Cache-Lookup: HIT from yonglinux:3128
Via: 1.0 yonglinux (squid/3.1.10)
Connection: keep-alive


Set up the Squid proxy server to proxy only a few domain names

Set a domain name whitelist: Baidu and Sohu can be accessed, everything else is refused;

vim /etc/squid/squid.conf # add the following below the ACLs in the Squid config file;

acl http proto HTTP

acl good_domain dstdomain .baidu.com .sohu.com

http_access allow http good_domain

http_access deny http !good_domain


Test the whitelist with curl: Baidu and Sohu return status code 200 OK; QQ, which is not whitelisted, returns 403;

[[email protected] ~]# curl -x192.168.22.30:3128 www.sohu.com -I
HTTP/1.0 200 OK
Content-Type: text/html
Date: Sun, 24 May 2015 13:57:32 GMT
Server: SWS
Vary: Accept-Encoding
Cache-Control: no-transform, max-age=120
Expires: Sun, 24 May 2015 13:59:32 GMT
Last-Modified: Sun, 24 May 2015 13:57:21 GMT
X-RS: 11172604.20347654.12509576
FSS-Cache: HIT from 9861864.17726194.11198816
X-Cache: MISS from yonglinux
X-Cache-Lookup: MISS from yonglinux:3128
Via: 1.0 yonglinux (squid/3.1.10)
Connection: keep-alive
[[email protected] ~]# curl -x192.168.22.30:3128 www.qq.com -I
HTTP/1.0 403 Forbidden
Server: squid/3.1.10
Mime-Version: 1.0
Date: Sun, 24 May 2015 22:04:30 GMT
Content-Type: text/html
Content-Length: 3254
X-Squid-Error: ERR_ACCESS_DENIED 0
Vary: Accept-Language
Content-Language: en
X-Cache: MISS from yonglinux
X-Cache-Lookup: NONE from yonglinux:3128
Via: 1.0 yonglinux (squid/3.1.10)
Connection: keep-alive


Restrict certain domain names from being accessed through the proxy

Set a domain name blacklist: access to taobao.com and jd.com is not allowed;

vim /etc/squid/squid.conf # add the following below the ACLs in the Squid config file

acl http proto HTTP

acl bad_domain dstdomain .taobao.com .jd.com

http_access deny http bad_domain


Test the blacklist with curl: Taobao and JD return status code 403; 51cto, which is not blacklisted, returns 200 OK;

[[email protected] ~]# curl -x192.168.22.30:3128 www.taobao.com -I
HTTP/1.0 403 Forbidden
Server: squid/3.1.10
Mime-Version: 1.0
Date: Sun, 24 May 2015 21:35:22 GMT
Content-Type: text/html
Content-Length: 3266
X-Squid-Error: ERR_ACCESS_DENIED 0
Vary: Accept-Language
Content-Language: en
X-Cache: MISS from yonglinux
X-Cache-Lookup: NONE from yonglinux:3128
Via: 1.0 yonglinux (squid/3.1.10)
Connection: keep-alive
[[email protected] ~]# curl -x192.168.22.30:3128 www.jd.com -I
HTTP/1.0 403 Forbidden
Server: squid/3.1.10
Mime-Version: 1.0
Date: Sun, 24 May 2015 21:35:32 GMT
Content-Type: text/html
Content-Length: 3254
X-Squid-Error: ERR_ACCESS_DENIED 0
Vary: Accept-Language
Content-Language: en
X-Cache: MISS from yonglinux
X-Cache-Lookup: NONE from yonglinux:3128
Via: 1.0 yonglinux (squid/3.1.10)
Connection: keep-alive
[[email protected] ~]# curl -x192.168.22.30:3128 www.51cto.com -I
HTTP/1.0 200 OK
Server: Tengine
Date: Sun, 2015 13:31:21 GMT
Content-Type: text/html
Vary: Accept-Encoding
Load-Balancing: web39
X-Cache: MISS from yonglinux
X-Cache-Lookup: MISS from yonglinux:3128
Via: 1.0 yonglinux (squid/3.1.10)
Connection: keep-alive
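
The whitelist and blacklist rules only take effect if they sit above the broad allow lines, because Squid checks http_access lines top to bottom and stops at the first match. The sketch below is an added example, not part of the original article and not Squid code: it models only the src, proto and dstdomain ACL types from the configuration above and leaves out the manager and port rules. The two client addresses are constructed, and it also shows what the closing "http_access allow all" line means for a client outside localnet.

```python
import ipaddress

# ACLs copied from the page's squid.conf; only src, proto and dstdomain are modelled.
ACLS = {
    "all":         ("src", ["0.0.0.0/0"]),          # built into Squid 3.x
    "localnet":    ("src", ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]),
    "localhost":   ("src", ["127.0.0.1/32"]),
    "http":        ("proto", ["HTTP"]),
    "good_domain": ("dstdomain", [".baidu.com", ".sohu.com"]),
}

def acl_matches(name, client_ip, proto, host):
    kind, values = ACLS[name]
    if kind == "src":
        ip = ipaddress.ip_address(client_ip)
        return any(ip in ipaddress.ip_network(v) for v in values)
    if kind == "proto":
        return proto.upper() in values
    # dstdomain: ".baidu.com" matches baidu.com and every subdomain of it
    host = host.lower()
    return any(host == v.lstrip(".") or (v.startswith(".") and host.endswith(v))
               for v in values)

def evaluate(rules, client_ip, host, proto="HTTP"):
    """Decide a request the way http_access does: the first matching line wins."""
    action = "allow"
    for line in rules:
        _, action, *terms = line.split()
        # ACLs on one line are ANDed; a leading "!" negates that ACL
        if all(acl_matches(t.lstrip("!"), client_ip, proto, host) != t.startswith("!")
               for t in terms):
            return action
    # nothing matched: Squid applies the opposite of the last line's action
    return "deny" if action == "allow" else "allow"

BASE = ["http_access allow localnet", "http_access allow localhost",
        "http_access allow all"]
WHITELIST = ["http_access allow http good_domain",
             "http_access deny http !good_domain"]
LAN_CLIENT = "192.168.22.31"   # constructed address inside localnet
OUTSIDER = "203.0.113.5"       # constructed address outside every localnet range

if __name__ == "__main__":
    for label, rules in (("whitelist first", WHITELIST + BASE),
                         ("whitelist last", BASE + WHITELIST)):
        for host in ("www.sohu.com", "www.qq.com"):
            print(label, host, evaluate(rules, LAN_CLIENT, host))
    print("outsider, allow all:", evaluate(BASE, OUTSIDER, "www.qq.com"))
    print("outsider, deny all: ",
          evaluate(BASE[:2] + ["http_access deny all"], OUTSIDER, "www.qq.com"))
```

With the whitelist placed after "http_access allow localnet", the LAN client's request for www.qq.com is allowed because the deny line is never reached.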


To test with the IE browser, you need to set up the proxy server: menu bar - Tools - Internet Options - Connections - LAN settings, check proxy server - Advanced, and fill in the Squid proxy server address and port number;


Accessing jd.com or taobao.com shows an Access Denied error page, issued by the visible hostname defined earlier; access to other sites is normal;



3. Build a Squid reverse proxy

vim /etc/squid/squid.conf # make the following changes

Remove the domain name whitelist/blacklist configuration added previously;

Change http_port 3128 to http_port 80 accel vhost vport

Add the following content:

cache_peer 14.17.42.40 parent 80 0 originserver name=a

cache_peer 180.97.33.107 parent 80 0 originserver name=b

cache_peer_domain a www.qq.com

cache_peer_domain b www.baidu.com


The listening port is changed from 3128 to 80, so the proxy server port in the IE browser should also be changed to 80;

14.17.42.40 is the IP address obtained by pinging www.qq.com;

If Squid is to proxy all the domain names on one web server, write: cache_peer 192.168.10.111 parent 80 0 originserver # only this line is needed; cache_peer_domain can be omitted;

/etc/init.d/squid restart


Test the reverse proxy with the IE browser: baidu.com and qq.com can be accessed; other websites show the message: Your request cannot be forwarded at this time


Test with curl

[[email protected] ~]# curl -x192.168.22.30:80 www.qq.com -I
HTTP/1.0 200 OK
Server: squid/3.4.1
Date: Sun, May 2015 14:22: GMT
Content-Type: text/html; charset=GB2312
Vary: Accept-Encoding
Vary: Accept-Encoding
Expires: Sun, 14:23:47 GMT
Cache-Control: max-age=60
Vary: Accept-Encoding
Vary: Accept-Encoding
X-Cache: HIT from shenzhen.qq.com
X-Cache: MISS from yonglinux
X-Cache-Lookup: MISS from yonglinux:80
Via: 1.0 yonglinux (squid/3.1.10)
Connection: keep-alive

Accessing qq.com returns HIT from shenzhen.qq.com, which shows that qq.com itself also sits behind a reverse proxy;



Squid has many more configuration options; follow-up posts will continue to cover them;

This article is from the "Model Student's Learning blog" blog, please be sure to keep this source http://8802265.blog.51cto.com/8792265/1655196
