Squid cache (Squid for short) is a popular free-software (GNU General Public License) proxy server and web cache server. Squid has a wide range of uses: acting as a front-end cache that speeds up web servers by caching repeated requests; caching World Wide Web, Domain Name System and other network lookups for a group of people sharing network resources; helping network security by filtering traffic; and giving LAN hosts access to the Internet through a proxy. Squid is designed to run on UNIX systems.
The following describes its first role: forward proxy.
A forward proxy is a server that sits between the client and the origin server. To get content from the origin server, the client sends a request to the proxy and specifies the target (the origin server); the proxy then forwards the request to the origin server and returns the obtained content to the client. The client must be specially configured before it can use a forward proxy.
# yum install squid -y    // Install squid with yum
# vim /etc/sysctl.conf    // Edit the file and enable IP forwarding
# grep -i ip_forward /etc/sysctl.conf
net.ipv4.ip_forward = 1
# sysctl -p    // Make the forwarding setting take effect
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 1
......
#
Configuration File Modification
# vim /etc/squid/squid.conf    // Edit the main squid configuration file
# grep -vE '^#|^$' /etc/squid/squid.conf
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
acl localnet src 10.0.0.0/8 # RFC 1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC 1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC 1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl host1 src 192.168.0.0/24 # custom host
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow host1 # Allow access from custom hosts
http_access allow localnet
http_access allow localhost
http_access deny all
http_port 8080 # proxy port; port 8080 is used here
hierarchy_stoplist cgi-bin ?
cache_dir ufs /var/spool/squid 100 16 256
# ufs is the cache storage type. The cache space used in this directory is 100 MB; 16 first-level subdirectories may be created under /var/spool/squid, and 256 second-level subdirectories under each first-level subdirectory
coredump_dir /var/spool/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
// Adding and modifying the parts marked in red is enough to build a simple squid forward proxy.
// Note: cache_mem cannot exceed the size given in cache_dir. Otherwise, the following error occurs:
Stop squid: 16:05:46 | WARNING cache_mem is larger than total disk cache space!
# squid -z    // Initialize the cache space
15:29:37 | WARNING cache_mem is larger than total disk cache space!
15:29:37 | Creating Swap Directories    // view the swap cache directories
15:29:37 | /var/spool/squid exists
15:29:37 | Making directories in /var/spool/squid/00
15:29:37 | Making directories in /var/spool/squid/01
15:29:37 | Making directories in /var/spool/squid/02
15:29:37 | Making directories in /var/spool/squid/03
15:29:37 | Making directories in /var/spool/squid/04
15:29:37 | Making directories in /var/spool/squid/05
15:29:37 | Making directories in /var/spool/squid/06
15:29:37 | Making directories in /var/spool/squid/07
15:29:37 | Making directories in /var/spool/squid/08
15:29:37 | Making directories in /var/spool/squid/09
15:29:37 | Making directories in /var/spool/squid/0a
15:29:37 | Making directories in /var/spool/squid/0b
15:29:37 | Making directories in /var/spool/squid/0c
15:29:37 | Making directories in /var/spool/squid/0d
15:29:37 | Making directories in /var/spool/squid/0e
15:29:37 | Making directories in /var/spool/squid/0f
[root@localhost ~]#
# /etc/init.d/squid start
Configure the proxy in the client browser
Open the browser's Internet Options and select LAN Settings on the Connections tab:
Add the squid host IP address and proxy port:
# tail -f /var/log/squid/access.log    // View proxy client access records
1345532445.463 166 192.168.0.229 TCP_MISS/200 2126 GET http://news.baidu.com/z/resource/bg2.png - DIRECT/123.125.114.18 image/png
1345532445.467 3193 192.168.0.229 TCP_MISS/200 188665 GET http://eiv.baidu.com/mapm2/jingyi/120705_jj_01/984bg.jpg - DIRECT/123.125.115.43 image/jpeg
1345532445.869 218 192.168.0.229 TCP_MISS/200 423 GET http://news.baidu.com/c_n? - DIRECT/123.125.114.18 text/html
1345532446.055 170 192.168.0.229 TCP_MISS/200 1020 GET http://news.baidu.com/nocache/mp/ B .jpg? - DIRECT/123.125.114.18 image/jpeg
1345532446.303 515 192.168.0.229 TCP_MISS/200 3653 GET http://your - DIRECT/61.135.185.26 image/jpeg
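The access records above use Squid's native log format, which is easy to audit offline. The following is an added example, not part of the original article: it parses that format, computes the cache hit ratio and counts TCP_DENIED requests per client. The sample lines and the function names are constructed for illustration.

```python
from collections import Counter

# Constructed sample in Squid's native access.log format (not real traffic):
# time elapsed client code/status bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
1345532445.463 166 192.168.0.229 TCP_MISS/200 2126 GET http://example.com/a.png - DIRECT/192.0.2.10 image/png
1345532446.101 2 192.168.0.229 TCP_MEM_HIT/200 2126 GET http://example.com/a.png - NONE/- image/png
1345532447.250 0 192.168.0.77 TCP_DENIED/403 3561 GET http://news.example.com/ - NONE/- text/html
1345532448.900 310 192.168.0.77 TCP_MISS/200 39 CONNECT example.org:443 - DIRECT/192.0.2.20 -
garbled line that should be skipped
"""

def parse_line(line):
    """Split one native-format line into a dict; return None if malformed."""
    f = line.split()
    if len(f) < 10 or "/" not in f[3]:
        return None
    code, _, status = f[3].partition("/")
    try:
        return {"ts": float(f[0]), "client": f[2], "code": code,
                "status": int(status), "bytes": int(f[4]),
                "method": f[5], "url": f[6]}
    except ValueError:
        return None

def summarize(text):
    """Return (hit_ratio, denied_by_client, skipped_lines)."""
    codes, denied, skipped = Counter(), Counter(), 0
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            skipped += 1
            continue
        codes[rec["code"]] += 1
        if rec["code"] == "TCP_DENIED":
            denied[rec["client"]] += 1
    # Denied requests never reach the cache, so they are left out of the ratio.
    served = sum(n for c, n in codes.items() if c != "TCP_DENIED")
    hits = sum(n for c, n in codes.items() if "HIT" in c)
    ratio = hits / served if served else 0.0
    return ratio, dict(denied), skipped
```

A client with a steadily growing TCP_DENIED count is repeatedly hitting an http_access deny rule and is worth a closer look.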
View hit rate
# squidclient -p 8080 mgr:info
HTTP/1.0 200 OK
Server: squid/3.1.10
Mime-Version: 1.0
Date: Tue, 21 Aug 2012 07:12:28 GMT
Content-Type: text/plain
Expires: Tue, 21 Aug 7:20:28 GMT
Last-Modified: Tue, 21 Aug GMT
X-Cache: MISS from localhost.localdomain
X-Cache-Lookup: MISS from localhost.localdomain:8080
Via: 1.0 localhost.localdomain (squid/3.1.10)
Connection: close
Squid Object Cache: Version 3.1.10
Start Time: Tue, 21 Aug 2012 06:59:03 GMT
Current Time: Tue, 21 Aug 2012 07:12:28 GMT
Connection information for squid:
Number of clients accessing cache: 2
Number of HTTP requests received: 130
Number of ICP messages received: 0
Number of ICP messages sent: 0
Number of queued ICP replies: 0
Number of HTCP messages received: 0
Number of HTCP messages sent: 0
Request failure ratio: 0.01
Average HTTP requests per minute since start: 9.7
Average ICP messages per minute since start: 0.0
Select loop called: 382483 times, 2.107 ms avg
......
#
Obtain squid running status information: squidclient -p 8080 mgr:info
Obtain squid memory usage: squidclient -p 80 mgr:mem
Obtain squid disk usage: squidclient -p 8080 mgr:diskd
For more information, see squidclient -p 8080 mgr:
ACL rule restriction configuration
# deny news: filter all websites whose URL contains news
acl news url_regex -i news
# Filter the news keyword in the URL
http_access deny news
# deny video: filter mainstream video websites
acl video dstdomain .youku.com .56.com .tudou.com .qiyi.com
http_access deny video
acl worktime time MTWHF -
http_access deny !worktime
# Cannot be accessed during the period from
After adding the preceding configuration to the configuration file, reload the squid service.
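Squid evaluates http_access lines from top to bottom and stops at the first line whose ACLs all match, so the deny rules above only take effect when they are placed before "http_access allow localnet". The following is an added example, not part of the original article and not Squid's own code: a simplified model that supports only the src, dstdomain and url_regex types, run over constructed rules, showing the same rules giving opposite results in the two orders.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed rules modelled on the ACLs above (simplified).
ACLS = """
acl localnet src 192.168.0.0/16
acl news url_regex -i news
acl video dstdomain .youku.com .tudou.com
"""
DENY = "http_access deny news\nhttp_access deny video\n"
DENY_FIRST = ACLS + DENY + "http_access allow localnet\nhttp_access deny all\n"
DENY_LAST = ACLS + "http_access allow localnet\n" + DENY + "http_access deny all\n"

def parse(conf):
    """Collect acl definitions and the ordered http_access rules."""
    acls, rules = {"all": ("src", ["0.0.0.0/0"])}, []
    for raw in conf.splitlines():
        words = raw.split("#")[0].split()
        if words[:1] == ["acl"]:
            values = [w for w in words[3:] if w != "-i"]
            acls.setdefault(words[1], (words[2], []))[1].extend(values)
        elif words[:1] == ["http_access"]:
            rules.append((words[1], words[2:]))
    return acls, rules

def acl_matches(acl, client, url):
    """An ACL matches when ANY of its values matches."""
    kind, values = acl
    host = urlsplit(url).hostname or ""
    if kind == "src":
        ip = ipaddress.ip_address(client)
        return any(ip in ipaddress.ip_network(v) for v in values)
    if kind == "dstdomain":  # ".youku.com" also covers subdomains
        return any(host == v.lstrip(".") or
                   (v.startswith(".") and host.endswith(v)) for v in values)
    if kind == "url_regex":  # always case-insensitive here, as with -i
        return any(re.search(v, url, re.I) for v in values)
    raise ValueError("unsupported acl type: " + kind)

def decide(conf, client, url):
    """Return the action of the first rule whose ACLs ALL match."""
    acls, rules = parse(conf)
    for action, names in rules:
        if all(acl_matches(acls[n.lstrip("!")], client, url)
               != n.startswith("!") for n in names):
            return action
    return "deny"  # unreachable while the rule list ends in "deny all"
```

With DENY_LAST, a LAN client is allowed to reach a video site because "allow localnet" matches first; with DENY_FIRST the same request is denied.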
The time ACL lets you control access based on time: the time of day and the day of the week. The day of the week is represented by a single letter, as listed below, and the time is expressed in 24-hour format. [Week]: these keywords can be used: M (Monday), T (Tuesday), W (Wednesday), H (Thursday), F (Friday), A (Saturday) and S (Sunday)
[Time period]: It can be expressed. For example:
acl worktime time MTWHF -- From Monday to Friday
Access control application examples
1) Prohibit clients with the IP address 192.168.16.200 from accessing the Internet.
acl badclientip1 src 192.168.16.200
http_access deny badclientip1
2) Prohibit all clients in the subnet 192.168.1.0 from accessing the Internet.
acl badclientnet1 src 192.168.1.0/255.255.255.0
http_access deny badclientnet1
3) Prohibit users from accessing websites with the IP address 210.21.118.68.
acl badsrvip1 dst 210.21.118.68
http_access deny badsrvip1
4) Prohibit users from accessing websites with the domain name www.163.com.
acl baddomain1 dstdomain -i www.163.com
http_access deny baddomain1
5) Prohibit users from accessing websites with a domain name containing 163.com.
acl badurl1 url_regex -i 163.com
http_access deny badurl1
6) Prohibit users from accessing URLs whose domain names contain the sex keyword.
acl badurl2 url_regex -i sex
http_access deny badurl2
7) Limit clients with the IP address 192.168.16.200 to a maximum of 5 concurrent connections.
acl clientip1 src 192.168.16.200
acl conn5 maxconn 5
http_access deny clientip1 conn5
8) Disable all clients in the subnet 192.168.2.0 from accessing the Internet from to from Monday to Friday.
acl clientnet1 src 192.168.2.0/255.255.255.0
acl worktime time MTWHF -
http_access deny clientnet1 worktime
9) Prohibit clients from downloading *.mp3, *.exe, *.zip and *.rar files.
acl badfile1 urlpath_regex -i \.mp3$ \.exe$ \.zip$ \.rar$
http_access deny badfile1
10) Prohibit QQ from accessing the Internet through the Squid proxy.
acl qq url_regex -i tencent.com
http_access deny qq