Configuration of squid service on Linux

Article Title: configuration of squid service on Linux. Linux is a technology channel of the IT lab in China. Includes basic categories such as desktop applications, Linux system management, kernel research, embedded systems, and open source.

The proxy server is one of the common servers in the network. It provides file caching, replication, address filtering, and other services, making full use of limited outbound bandwidth to speed up access to internal hosts.

It can solve the problem that multiple users need to access the Internet at the same time, but the total IP address is insufficient. It can also be used as a firewall to isolate the Intranet and the Internet, and can provide the monitoring network and record transmission information function, and add

Strong LAN security. Its main functions include the following...

1. shared network: it is one of the most important services of the proxy server. The intranet host can access the Internet at the same time through the proxy server, not limited by the number of public IP addresses...

2. Accelerate access and save communication bandwidth:

3. prevent internal hosts from being attacked: internal hosts are accessed through proxy servers. In this process, internal host addresses and other information are not sent to the outside, so that external attackers cannot access

Through scanning, the internal host is penetrated to protect the internal host...

4. restrict user access and improve network management: Set access policies and permissions on the proxy server.

Proxies are divided into common proxies. (The standard traditional proxy server requires the client to specify the IP address of the proxy server in the browser ...)

Transparent proxy. (For enterprise gateway hosts, shared access to the Internet, the client does not need to specify the Proxy Server IP address, port and other information, you need to set a firewall policy to access the client's web

Data is transferred to the proxy service for processing ..)

Reverse Proxy. (use the client as the destination and the internet server as the client)

Squid is the most popular high-performance free application layer proxy server on Linux and Unix platforms. It features flexible permission management, high performance, and fast efficiency.

Package name: squid

Service name: squid

Main Program:/usr/sbin/squid

Main configuration file:/etc/squid. conf

Default port: 3128

Default access log file:/var/log/squid/access. log

Http_port IP: Port (set the IP address and port of the squid listener)

Cache_mem specifies the amount of physical memory used as high-speed cache. If this server is only used for Internet sharing and there are no other services, it can increase the physical memory by 1/2, but if there are other services

The size of cache_mem should not exceed 1/3 of the physical memory. Otherwise, the overall performance of the server will be affected.

Cache_dir ufs/var/spool/squid 4096 16 256 specify the size of the hard disk buffer. ufs indicates the buffer storage type, which is generally ufs, /var/spool/squid indicates the directory where the hard disk is cached.

, 4096 indicates that the maximum cache space is 4096 MB, and 16 indicates the number of first-level subdirectories that squid can create in the directory where the hard disk buffer is stored. The default value is 16 ,; 256 indicates that sub-directories of level 2 can be created.

Number. The default value is 256.

Cache_effective_user squid sets the valid users who use the cache. (default)

Cache_effective_group squid: Set the valid user group for caching (default)

Dns_nameservers IP in order to enable Squid to resolve the domain name, you must tell the squid valid DNS server ..

Cache_access_log defines the path of the access record log file. This log records the detailed information about the user's access to the Internet. You can view the access record of each client through the log file...

Do not do bad things at home...

Cache_log sets the path of the log file that records the cached information...

Cache_store_log defines the path of the log file that records the call of a webpage in the cache...

Visible_hostname defines the name of the host running squid. When an access error occurs, the value of this option is displayed on the error prompt page. We recommend that you enter the IP address of the host ..

Cache_mgr defines setting the squid administrator's d E-mail address. When an access error occurs, this option is displayed on the page.

Rule: You can also use acl to define the squid Access Control List. The following is its option information ..

Src IP source IP address (Client IP address ).

Dst IP address (IP address of the server ).

Scrdomain source name (the domain to which the client belongs ).

Dstdomain target name (the domain to which the server belongs ).

A time in a day and a day in a week.

Url_regex URL rule expression

Urlpath_regex: URL-path skips the URL rule expression matching the protocol and host name.

Proxy_auth performs User Authentication through external programs.

Maxconn maximum number of connections from a single IP address.

Time syntax [week] [time period]. You can use these keywords M (Mondy), T (Tuesday )...

Time period: one time-another time

Let's simulate an experiment environment. The squid Proxy Server assumes that the outer Nic IP address is 192.168.0.195, the inner Nic IP address is 192.168.10.10, the inner Client IP address is 192.168.10.11, and the outer network has

The IP address of the web server: 192.168.0.197. when the client is not allowed to access the Internet from to, files ending with .rmvband hosts are not downloaded. the maximum size of a single file cannot exceed

Over 10 M, proxy port is 8080, the error message is displayed in Chinese, Administrator mailbox is root@test.com, memory size 64 M, cache directory 1024 M, must have visible Host Name

Now we can use this information to configure the Squid server...

[Root @ station195 ~] # Yum-y install squid (I have configured the yum source on the local machine and directly install it using yum)

[Root @ station195 ~] # Cd/etc/squid/

[Root @ station195 squid] # cp-p squid. conf squid. conf. bak (back up the file)

[Root @ station195 squid] # vim squid. conf

Cache_mgr root@example.com

Http_port 192.168.10.10: 8080 transparent

Error_directory/usr/share/squid/errors/Simply_Chinese

Visible_hostname station195.example.com

Cache_mem 64 MB

Reply_body_max_size 1024000000 allow all

Cache_dir ufs/var/spool/squid 1024

Acl mynetwork src 192.168.10.0/24

Acl worktime time-

Acl worktime time-

Http_access allow mynetwork! Worktime

Acl nomp3 url_regex-I ^ http. * \. mp3 $

Acl normvb url_regex-I ^ http. * \. rmvb $

Http_access allow mynetwork! Nomp3

Http_access allow mynetwork! Normvb

# Squid-z (initialize the swqp directory)

# Squid-k parse (Test Configuration File Syntax Information)

# Service squid restart (restart service)

The client gateway points to 192.168.10.10

To enable the routing function of squid server ....

# Vim/etc/sysctl. conf

Net. ipv4.ip _ forward = 1 (change the value of this item to 1, indicating that the network interface should be forwarded)

# Sysctl-p (it does not take effect immediately after modification, but it takes effect only after you read the configuration file again ..)

# Cat/proc/sys/net/ipv4/ip_forward (the returned value is 1, which proves that the routing function has been enabled ..)

# Iptables-t nat-a prerouting-I eth1-s 192.168.10.0/24-p tcp -- dport 80-j REDIRECT -- to-ports 8080

# Service iptables save

The test results are all successful. If you are late, you will not be able to capture the picture. You can try it in imitation. If you have any questions, please leave a message for me. You are welcome to join us...