Configuring Squid under Linux
1. What is squid
Squid cache (squid) is a popular free-software (GNU General Public License) proxy server and web cache server. Squid has a wide range of uses: sitting in front of a web server as a cache that speeds it up by caching repeated requests; caching World Wide Web, Domain Name System and other network lookups for a group of people sharing network resources; helping network security by filtering traffic; and giving a LAN access to the Internet through a proxy. Squid is primarily designed to run on Unix-like systems.
Squid has a long development history and its feature set is quite complete. In addition to HTTP, its support for FTP and HTTPS is also very good, and the 3.0 beta versions also support IPv6.
Squid can act as a proxy and also as a cache;
Squid's cache not only saves valuable bandwidth, it can also greatly reduce server I/O;
Squid can work as a forward proxy and also as a reverse proxy.
With a forward proxy, the clients are behind Squid and their Internet access goes through Squid; with a reverse proxy, the servers are behind Squid and the data the servers return to users passes through Squid.
Forward proxies are used in enterprise office environments: employees reach the Internet through the Squid proxy, which saves network bandwidth. Reverse proxies are used as cache servers for a site's static content (images, HTML, streaming media, JS, CSS, etc.) and are part of the site architecture.
2. Build a Squid forward proxy
Official website: http://www.squid-cache.org/
Install command: yum install -y squid
squid -v shows the version and compilation parameters (Squid Cache: Version 3.1.10)
> /etc/squid/squid.conf empties the configuration file;
vim /etc/squid/squid.conf
Add the following configuration:
http_port 3128
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl SSL_ports port 443
acl Safe_ports port 80 8080
acl Safe_ports port 21
acl Safe_ports port 443
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access allow localhost
# matches every client, not only localnet: anyone who can reach port 3128 can use the proxy
http_access allow all
cache_dir aufs /data/cache 1024 16 256
cache_mem 128 MB
hierarchy_stoplist cgi-bin ?
coredump_dir /var/spool/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern \.(jpg|png|gif|mp3|xml) 1440 50% 2880 ignore-reload
refresh_pattern . 0 20% 4320
Configuration explanation:
acl Safe_ports port 80 8080 # HTTP ports
acl Safe_ports port 21 # FTP port
acl Safe_ports port 443 # HTTPS port
cache_dir aufs /data/cache 1024 16 256 # cache space of 1024 MB, 16 first-level directories, 256 subdirectories
cache_mem 128 MB # amount of memory the cache may use; data held in memory is fast to access
mkdir /data/cache # create the cache directory
chown -R squid:squid /data/cache # change the ownership of the cache directory
squid -z # initialize the cache directory; can be omitted with the newer squid 3.1
/etc/init.d/squid start # start the squid service
squid -k check # checks the configuration file for errors; can be shortened to -kche
squid -k rec # reloads the configuration; short for reconfigure
service squid restart # restart the squid service; a regular restart is very slow, so you can killall squid first and then start the service
Checking the configuration file reports: Could not determine this machines public hostname. Please configure one or set 'visible_hostname'. No public hostname is defined, so visible_hostname needs to be configured (when Squid has a problem, this hostname is displayed in the browser).
Adding visible_hostname yonglinux to the configuration file removes the error;
[[email protected] ~]# squid -k check
2015/05/25 03:09:18| WARNING: Could not determine this machines public hostname. Please configure one or set 'visible_hostname'.
2015/05/25 03:09:18| WARNING: Could not determine this machines public hostname. Please configure one or set 'visible_hostname'.
squid: ERROR: No running copy
Test from another Linux machine: curl -x192.168.22.30:3128 www.qq.com
This accesses the site through port 3128 of the proxy server 192.168.22.30, provided that the proxy server itself can reach the website;
A proxy server lets local users access sites quickly and, on the other hand, controls which websites users may access, for example prohibiting employees from watching videos or shopping during working hours;
Request an image to test the cache: when the object is served from the cache, X-Cache shows HIT, which indicates that Squid's cache is working; the first request is a MISS;
[[email protected] ~]# curl -x192.168.22.30:3128 'http://www.51cto.com/images/home/images/logo.jpg' -I
HTTP/1.0 200 OK
Server: Tengine
Date: Sun, 13:42:43 GMT
Content-Type: image/jpeg
Content-Length: 5309
Last-Modified: Wed, Jan 07:55:12 GMT
Expires: Sun, 13:42:43 GMT
Cache-Control: max-age=604800
Load-Balancing: web39
Accept-Ranges: bytes
Age: 29661
X-Cache: HIT from yonglinux
X-Cache-Lookup: HIT from yonglinux:3128
Via: 1.0 yonglinux (squid/3.1.10)
Connection: keep-alive
Set up the Squid proxy server to proxy only certain domain names
Set a domain whitelist: Baidu and Sohu may be accessed, everything else is refused;
vim /etc/squid/squid.conf  Add the following below the acl lines in the Squid configuration file;
acl http proto HTTP
acl good_domain dstdomain .baidu.com .sohu.com
http_access allow http good_domain
http_access deny http !good_domain
Test the whitelist with curl: Baidu and Sohu return status 200 OK; QQ is not on the whitelist and returns 403;
[[email protected] ~]# curl -x192.168.22.30:3128 www.sohu.com -I
HTTP/1.0 200 OK
Content-Type: text/html
Date: Sun, 24 May 2015 13:57:32 GMT
Server: SWS
Vary: Accept-Encoding
Cache-Control: no-transform, max-age=120
Expires: Sun, 24 May 2015 13:59:32 GMT
Last-Modified: Sun, 24 May 2015 13:57:21 GMT
X-RS: 11172604.20347654.12509576
FSS-Cache: HIT from 9861864.17726194.11198816
X-Cache: MISS from yonglinux
X-Cache-Lookup: MISS from yonglinux:3128
Via: 1.0 yonglinux (squid/3.1.10)
Connection: keep-alive

[[email protected] ~]# curl -x192.168.22.30:3128 www.qq.com -I
HTTP/1.0 403 Forbidden
Server: squid/3.1.10
Mime-Version: 1.0
Date: Sun, 24 May 2015 22:04:30 GMT
Content-Type: text/html
Content-Length: 3254
X-Squid-Error: ERR_ACCESS_DENIED 0
Vary: Accept-Language
Content-Language: en
X-Cache: MISS from yonglinux
X-Cache-Lookup: NONE from yonglinux:3128
Via: 1.0 yonglinux (squid/3.1.10)
Connection: keep-alive
Prevent certain domain names from being accessed through the proxy
Set a domain blacklist: access to taobao.com and jd.com is not allowed;
vim /etc/squid/squid.conf  Add the following below the acl lines in the Squid configuration file;
acl http proto HTTP
acl bad_domain dstdomain .taobao.com .jd.com
http_access deny http bad_domain
Test the blacklist with curl: Taobao and JD return status 403; 51cto is not on the blacklist and returns 200 OK;
[[email protected] ~]# curl -x192.168.22.30:3128 www.taobao.com -I
HTTP/1.0 403 Forbidden
Server: squid/3.1.10
Mime-Version: 1.0
Date: Sun, 24 May 2015 21:35:22 GMT
Content-Type: text/html
Content-Length: 3266
X-Squid-Error: ERR_ACCESS_DENIED 0
Vary: Accept-Language
Content-Language: en
X-Cache: MISS from yonglinux
X-Cache-Lookup: NONE from yonglinux:3128
Via: 1.0 yonglinux (squid/3.1.10)
Connection: keep-alive

[[email protected] ~]# curl -x192.168.22.30:3128 www.jd.com -I
HTTP/1.0 403 Forbidden
Server: squid/3.1.10
Mime-Version: 1.0
Date: Sun, 24 May 2015 21:35:32 GMT
Content-Type: text/html
Content-Length: 3254
X-Squid-Error: ERR_ACCESS_DENIED 0
Vary: Accept-Language
Content-Language: en
X-Cache: MISS from yonglinux
X-Cache-Lookup: NONE from yonglinux:3128
Via: 1.0 yonglinux (squid/3.1.10)
Connection: keep-alive

[[email protected] ~]# curl -x192.168.22.30:3128 www.51cto.com -I
HTTP/1.0 200 OK
Server: Tengine
Date: Sun, 2015 13:31:21 GMT
Content-Type: text/html
Vary: Accept-Encoding
Load-Balancing: web39
X-Cache: MISS from yonglinux
X-Cache-Lookup: MISS from yonglinux:3128
Via: 1.0 yonglinux (squid/3.1.10)
Connection: keep-alive
To test with the IE browser you need to set up a proxy server: menu bar -- Tools -- Internet Options -- Connections -- LAN settings, check "proxy server", then under Advanced fill in the Squid proxy server address and port number;
Accessing jd.com or taobao.com shows an "Access denied" error page, issued under the previously defined visible hostname; access to other sites is normal;
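How the whitelist and blacklist rules above are evaluated, as an added example that is not part of the original article: a simplified Python model of Squid's first-match http_access processing, covering only the proto, dstdomain and built-in all ACLs. The function names and the trimmed rule sets (the page's rules followed by the base configuration's final http_access allow all) are assumptions made for illustration.

```python
# Added example: simplified model of Squid's first-match http_access evaluation.
# Rule sets are constructed from the page's lines plus the final "allow all".
WHITELIST = """
acl http proto HTTP
acl good_domain dstdomain .baidu.com .sohu.com
http_access allow http good_domain
http_access deny http !good_domain
http_access allow all
"""
BLACKLIST = """
acl http proto HTTP
acl bad_domain dstdomain .taobao.com .jd.com
http_access deny http bad_domain
http_access allow all
"""

def parse(conf):
    acls, rules = {"all": ("all", [])}, []   # "all" is built in
    for line in conf.splitlines():
        tok = line.split("#")[0].split()
        if tok[:1] == ["acl"]:
            acls.setdefault(tok[1], (tok[2], []))[1].extend(tok[3:])
        elif tok[:1] == ["http_access"]:
            rules.append((tok[1], tok[2:]))   # keep the configured order
    return acls, rules

def acl_matches(acl, proto, host):
    kind, values = acl
    if kind == "proto":
        return proto.upper() in (v.upper() for v in values)
    if kind == "dstdomain":
        host = host.lower()
        # ".sohu.com" matches sohu.com and any subdomain; "sohu.com" only itself
        return any(host == v.lower().lstrip(".") or
                   (v.startswith(".") and host.endswith(v.lower()))
                   for v in values)
    return kind == "all"

def decide(conf, proto, host):
    """Return "allow" or "deny" for one request (hypothetical helper)."""
    acls, rules = parse(conf)
    for action, names in rules:
        # A rule matches only if every listed ACL matches ("!" negates one).
        if all(acl_matches(acls[n.lstrip("!")], proto, host) != n.startswith("!")
               for n in names):
            return action          # first matching rule wins
    # No rule matched: Squid applies the opposite of the last rule.
    return "allow" if rules and rules[-1][0] == "deny" else "deny"
```

decide(WHITELIST, "ftp", "www.qq.com") returns "allow": the deny rule is tied to the http ACL, so an ftp:// request for a non-whitelisted host falls through to the final http_access allow all. Writing the rule as http_access deny !good_domain applies the whitelist to every protocol.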
3. Build a Squid reverse proxy
vim /etc/squid/squid.conf # change as follows
Remove the previously added domain whitelist/blacklist configuration;
Change http_port 3128 to http_port 80 accel vhost vport
Add the following content:
cache_peer 14.17.42.40 parent 80 0 originserver name=a
cache_peer 180.97.33.107 parent 80 0 originserver name=b
cache_peer_domain a www.qq.com
cache_peer_domain b www.baidu.com
The listening port is changed from 3128 to 80, so the proxy server port in the IE browser settings must also be changed to 80;
14.17.42.40 is the IP address returned by ping www.qq.com;
If Squid is to proxy all the domain names on one web server, write this: cache_peer 192.168.10.111 parent 80 0 originserver # only this one line is needed; cache_peer_domain can be omitted;
/etc/init.d/squid restart
Test the reverse proxy with the IE browser: baidu.com and qq.com can be accessed; other websites show the message: Your request cannot be forwarded at this time
Test with curl
[[email protected] ~]# curl -x192.168.22.30:80 www.qq.com -I
HTTP/1.0 200 OK
Server: squid/3.4.1
Date: Sun, May 2015 14:22: GMT
Content-Type: text/html; charset=GB2312
Vary: Accept-Encoding
Vary: Accept-Encoding
Expires: Sun, 14:23:47 GMT
Cache-Control: max-age=60
Vary: Accept-Encoding
Vary: Accept-Encoding
X-Cache: HIT from shenzhen.qq.com
X-Cache: MISS from yonglinux
X-Cache-Lookup: MISS from yonglinux:80
Via: 1.0 yonglinux (squid/3.1.10)
Connection: keep-alive
Accessing qq.com returns HIT from shenzhen.qq.com, which shows that qq.com itself also sits behind a reverse proxy;
Squid has many more configuration options; follow-up posts will continue to cover them;
This article is from the "Model Student's Learning blog" blog; please be sure to keep this source: http://8802265.blog.51cto.com/8792265/1655196