I. Caching Proxy Overview
Squid is proxy service software that works at the application layer; it mainly provides cache acceleration and application-layer filtering and control.
1. How the proxy works
First case: the page is already cached on the Squid server
When a client requests a web page through a proxy, the specified proxy server first checks its own cache. If the page the client needs is already in the cache, the proxy returns the cached page content directly to the client.
Second case: the page is not cached on the Squid server
If the page the client wants is not in the cache, the proxy server sends the request to the Internet on the client's behalf. When the web page comes back, the proxy saves the page data to its cache and sends it to the client.
The objects an HTTP proxy caches and accelerates are mainly static web elements such as text and images. With the caching mechanism, when a client accesses the same web element at different times, or when different clients access the same web element, the result can be served directly from the proxy server's cache. This greatly reduces the number of duplicate web requests sent to the Internet and improves the response time the client sees for web access.
Because the client's web request is actually made by the proxy server on its behalf, the proxy hides the user's real IP address and so provides a degree of protection. In addition, because the proxy server acts as a "broker", it is in a position to filter and control access by the target being accessed, the client's address, the time period of the access, and so on.
2. Basic types of proxy
Depending on how it is implemented, a proxy service falls into one of two common types: traditional proxy and transparent proxy.
A. Traditional proxy: the ordinary proxy service. The proxy server's address and port must first be set manually in the client program (browser, QQ chat tool, download software, and so on) before the proxy can be used to access the network. For a web browser, the domain name resolution requests made when visiting a web site are also sent to the specified proxy server.
B. Transparent proxy: provides the same functions and services as the traditional proxy. The difference is that the client does not need to specify the proxy server's address and port; instead, the default route and a firewall policy redirect the web access, which is still handled by the proxy server. The redirection is "transparent" to the client, and users may not even know that they are using a proxy service, hence the name "transparent proxy". When a transparent proxy is used, the domain name resolution requests made when the web browser accesses a site are sent to the DNS server first.
In practice, traditional proxies are mostly used in Internet environments: for example, using a proxy for the QQ program hides the machine's real IP address, and using multiple proxies in a download tool gets around a server's concurrent-connection limit. Transparent proxies are mostly used in LAN environments: for example, with a transparent proxy enabled on the Linux gateway, LAN hosts get better Internet access speed without any extra settings.
II. Installation and Operation Control
1. Build and install Squid
When configuring Squid's build options, set the installation directory to /usr/local/squid. Choose the other options according to actual requirements; check "./configure --help" before configuring.
# tar -zxf squid-3.5.7.tar.gz
# cd squid-3.5.7/
# ./configure --prefix=/usr/local/squid --sysconfdir=/etc/ --enable-linux-netfilter --enable-arp-acl --enable-linux-tproxy --enable-async-io=100 --enable-err-language="Simplify_Chinese" --enable-underscore --enable-poll --enable-gnuregex
# make && make install
The options above mean the following:
--prefix=/usr/local/squid                  # installation directory
--sysconfdir=/etc/                         # put the configuration files in a separate directory
--enable-arp-acl                           # rules can match the client MAC address directly, to prevent clients from using IP spoofing
--enable-linux-netfilter                   # use kernel filtering
--enable-linux-tproxy                      # support transparent mode
--enable-async-io=value                    # asynchronous I/O, for better storage performance
--enable-err-language="Simplify_Chinese"   # language used for error messages
--enable-underscore                        # allow underscores in URLs
--enable-poll                              # use poll() mode to improve performance
--enable-gnuregex                          # use GNU regular expressions
After the installation is complete, create symbolic links for the binaries, then create the user and group:
# ln -s /usr/local/squid/sbin/* /usr/local/sbin/
# useradd -M -s /sbin/nologin squid
# chown -R squid:squid /usr/local/squid/var/
2. The Squid configuration file
The Squid service configuration file is /etc/squid.conf. Fully understanding what each configuration line does helps administrators configure the proxy service flexibly for their actual situation. For more detailed configuration items, refer to the /etc/squid.conf.documented file.
acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost
http_access deny all
http_port 3128                  # address and port on which the proxy service listens (the default port number is 3128)
cache_effective_user squid      # Squid's program user, the account used for initialization and for the run-time cache
cache_effective_group squid     # defaults to the primary group of the account given in cache_effective_user
coredump_dir /usr/local/squid/var/cache/squid
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320
3. Squid operation control
1) Check that the configuration syntax is correct
# squid -k parse
2) Start and stop Squid
The first time the Squid service is started, the cache directory is initialized automatically. When no Squid service script is available, you can also call the squid program directly to start the service; in that case, initialize the cache directory first.
# squid -z        # the -z option initializes the cache directory
# squid           # start the Squid service
Confirm that the Squid service is listening normally:
# netstat -utpln | grep "squid"
tcp6       0      0 :::3128        :::*        LISTEN      19958/(squid-1)
3) Use a Squid service script
To make it easier to start, stop, and reload the Squid service, you can write a shell service script and manage it with the chkconfig and service tools.
#!/bin/bash
# chkconfig: 2345 90 25
# config: /etc/squid.conf
# pidfile: /usr/local/squid/var/run/squid.pid
# description: squid - internet object cache
PID="/usr/local/squid/var/run/squid.pid"
CONF="/etc/squid.conf"
CMD="/usr/local/squid/sbin/squid"
case "$1" in
start)
    # Start squid only if it is not already listening
    netstat -utpln | grep squid &>/dev/null
    if [ $? -eq 0 ]
    then
        echo "squid is running"
    else
        $CMD
    fi
    ;;
stop)
    $CMD -k kill &>/dev/null
    rm -rf $PID &>/dev/null
    ;;
status)
    # The PID file exists while squid is running
    [ -f $PID ] &>/dev/null
    if [ $? -eq 0 ]
    then
        netstat -utpln | grep squid
    else
        echo "squid is not running"
    fi
    ;;
restart)
    $0 stop &>/dev/null
    echo "Stopping squid ..."
    $0 start &>/dev/null
    echo "Starting squid ..."
    ;;
reload)
    $CMD -k reconfigure
    ;;
check)
    $CMD -k parse
    ;;
*)
    echo "usage: $0 {start|stop|restart|reload|check|status}"
    ;;
esac
# chmod +x /etc/init.d/squid
# chkconfig --add squid        # add as a system service
# chkconfig squid on
This way, you can start, stop, restart, and reload the Squid server with the squid script by passing the corresponding start, stop, restart, or reload parameter when running it.
This article is from the "Painting" blog; please contact the author before reproducing it.
Squid Proxy Server -- Basics