High-speed Internet proxy server solution

Tags: squid, proxy
This article combines the well-known Squid proxy software with a memory-backed file system (a ramdisk created with mdmfs) and a caching DNS server to build a high-speed proxy server on FreeBSD. A memory-backed file system can significantly improve the performance of I/O-heavy applications, because every I/O operation on it is completed in RAM, and it is easy to set up on FreeBSD. Preliminary use of this proxy showed a qualitative leap in web access speed. Squid proxies only WWW traffic; all other network services go through PF NAT, and the Squid transparent proxy (a PF rdr redirection of TCP port 80) is configured in PF as well.
After the server is powered off or shut down, everything Squid has cached is gone immediately. A proxy server is not shut down often, so this should not be a problem, and the startup script below recreates the cache directories on every boot. Now let's walk through the specific steps. If you are interested, give it a try.

Author: llzqq
Contact: LLZQQ@126.COM
Applicable to: common users
Source: www.chinaunix.net

1. First install Squid

1.0 use ports to install Squid

# cd /usr/ports/www/squid
# vi Makefile

Add the following options to the port's CONFIGURE_ARGS:

--disable-ident-lookups
--disable-internal-dns
--enable-pf-transparent
--enable-default-err-language=Simplify_Chinese
--disable-hostname-checks

# make install clean

--disable-internal-dns makes Squid resolve names through external dnsserver helper processes (which is why dns_children is set below) instead of its built-in resolver. --enable-pf-transparent lets Squid recover the original destination of a redirected connection through /dev/pf, so the squid user must be able to open that device (see the Squid FAQ on PF transparent mode for the device permissions).

1.1 configure the Squid service

# vi /usr/local/etc/squid.conf
================================================================
http_port 127.0.0.1:3128               # listen on loopback only; PF redirects LAN port 80 here
cache_mem 56 MB                        # memory for in-transit and hot objects
cache_swap_low 80                      # cache directory usage (percent) at which eviction starts
cache_swap_high 90                     # cache directory usage (percent) at which eviction becomes aggressive
maximum_object_size_in_memory 32 KB    # largest object kept in memory
cache_dir ufs /usr/local/squid/cache 200 16 256   # disk cache: 200 MB, 16 first-level and 256 second-level directories
cache_access_log none                  # logging disabled to improve performance
cache_log none
cache_store_log none
emulate_httpd_log on                   # common httpd log format (only matters if cache_access_log is re-enabled)
dns_children 15                        # number of external dnsserver helper processes
acl our_networks src 192.168.0.0/16    # define the LAN address block
http_access allow our_networks         # allow proxying for the LAN
http_access deny all                   # deny every other source

http_reply_access allow all            # allow all replies
icp_access allow all                   # allow all ICP requests
miss_access allow all                  # allow cache misses to be fetched for everyone

cache_mgr llzqq@126.com                # contact address of the Squid administrator
visible_hostname llzqq.3322.org        # Squid host name
httpd_accel_port 80                    # port of the accelerated web servers (80 for a transparent proxy)
httpd_accel_single_host off            # enable only when reverse-proxying a single back-end host
httpd_accel_with_proxy on              # keep acting as a normal proxy while in accelerator mode
httpd_accel_host virtual               # use the destination address of the redirected connection
httpd_accel_uses_host_header on        # honour the Host: header; required for HTTP/1.1 virtual hosts and transparent proxying
error_directory /usr/local/etc/squid/errors/Simplify_Chinese   # language of the error pages
ie_refresh on                          # work around the reload behaviour of older Internet Explorer versions
================================================================

Three caveats before going on. With cache_access_log none there is no record of which client fetched which URL, so an incident on the LAN cannot be traced back through the proxy; if performance allows, keep the access log (it is written to the normal file system, not the ramdisk). The 200 MB cache_dir must fit inside the memory disk created below: a 204 MB md loses space to UFS metadata and the minfree reserve, and Squid's swap.state lives in the same directory, so either keep cache_swap_high low enough that the high-water mark fits or make the md larger than the cache_dir. And since no cache_peer is configured, icp_access allow all is harmless only because PF keeps UDP 3130 off the external interface; setting icp_port 0 turns the listener off altogether.

1.2 manually create the high-speed cache

# mdmfs -M -s 204m -O time -o noatime -p 0700 -v 2 -w squid:squid md0 \
  /usr/local/squid/cache

-M creates a malloc(9)-backed disk (wired kernel memory). The default backing is swap.
-s is the size of the disk.
-O is the newfs optimization preference, time or space.
-o is the mount option (noatime saves an inode update on every read).
-p is the permission of the mount point (0700: only the squid user can enter it).
-v is the UFS version (1 or 2).
-w is the owner and group of the mount point.
md0 is the device name.
/usr/local/squid/cache is the mount point.
Note: you do not need to create md0 first; mdmfs creates it for you.
A malloc-backed disk cannot be paged out, so the whole 204 MB stays in kernel memory for as long as it is mounted; make sure the machine has that much RAM to spare beyond cache_mem and the rest of the system.

Detailed parameter description here: http://www.freebsd.org/cgi/man.cgi?query=mdmfs&sektion=8

1.3 create the cache directories

# squid -z

Run this after the memory disk is mounted; it creates the 16 first-level and 256 second-level swap directories inside it, running as the cache_effective_user. Because the disk comes up empty after every reboot, this step has to be repeated at each boot, which the startup script below takes care of.

1.4 customize the Squid startup script

# vi /usr/local/etc/rc.d/squid.sh

================================================================
#!/bin/sh
# llzqq@126.com
# The cache lives on a memory disk, so the swap directories must be
# recreated with squid -z after every reboot before Squid is started.
case "$1" in
start)
    if [ -d /usr/local/squid/cache/00 ]; then
        /usr/local/sbin/squid -D        # -D: skip the initial DNS test
        echo "Squid start successful"
    else
        /usr/local/sbin/squid -z
        sleep 5
        /usr/local/sbin/squid -D
    fi
    ;;
stop)
    /usr/local/sbin/squid -k kill       # -k shutdown is the graceful alternative
    ;;
reload)
    /usr/local/sbin/squid -k reconfigure
    ;;
*)
    echo "Usage: $0 start | stop | reload"
    ;;
esac
exit 0
================================================================

# chmod 555 /usr/local/etc/rc.d/squid.sh

1.5 set automatic mounting of the cache at startup

# vi /etc/fstab
Add the following line to the end of the file
/dev/md0  /usr/local/squid/cache  mfs  rw,-s204m  2  0

This mounts a fresh, empty memory disk on every boot, which is why the startup script checks for the swap directories. Note that the mfs entry takes the mdmfs defaults, i.e. a swap-backed disk, whereas the manual command above used -M. It also leaves the new file system owned by root: pass -w squid:squid and -p 0700 in the options field the same way -s204m is passed here, or have the startup script chown the mount point before squid -z, otherwise squid -z cannot create its directories.
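Before running squid -z it is worth checking that the numbers in squid.conf and the mdmfs command agree, and that the listener and ACLs are what a transparent proxy behind PF needs. The POSIX sh script below is an added example written for this page, not code from the original article: cache_fits and lint_squid_conf are hypothetical helpers, the 10% overhead allowance is an assumption, and the squid.conf text it checks is a constructed sample mirroring the article's settings.

```shell
#!/bin/sh
# Added example (not from the original article): preflight checks for the
# ramdisk-backed Squid cache of section 1, in POSIX sh. Paths, sizes and
# ACLs are the article's; the squid.conf content is a constructed sample.

# cache_fits MD_MB DIR_MB SWAP_HIGH_PCT
# Succeeds when the cache_dir high-water mark fits in the memory disk.
# newfs keeps a minfree reserve (8% by default) and Squid writes swap.state
# into the same directory, so 10% of the md is treated as unusable here.
# That 10% is an assumption for this check, not a Squid or UFS constant.
cache_fits() {
    md_mb=$1; dir_mb=$2; high=$3
    usable=$(( md_mb * 90 / 100 ))
    hiwater=$(( dir_mb * high / 100 ))
    [ "$hiwater" -le "$usable" ]
}

# lint_squid_conf FILE
# Prints one line per finding relevant to a transparent proxy behind PF;
# the return value is the number of findings (0 = clean).
lint_squid_conf() {
    awk '
    BEGIN { n = 0; icp = ""; last = "" }
    /^[ \t]*#/ || NF == 0 { next }
    $1 == "http_port" && $2 !~ /^127\.0\.0\.1:/ {
        print "http_port " $2 ": not loopback-only, reachable without the PF rdr"; n++
    }
    $1 == "http_access" { last = $2 " " $3 }
    $1 == "cache_access_log" && toupper($2) == "NONE" {
        print "cache_access_log none: no record of client requests for incident response"; n++
    }
    $1 == "icp_port" { icp = $2 }
    END {
        if (last != "deny all") {
            print "last http_access is \"" last "\", expected \"deny all\""; n++
        }
        if (icp != "0") {
            print "icp_port not 0: ICP/UDP listener stays open although no cache_peer is defined"; n++
        }
        exit n
    }' "$1"
}

# Constructed sample mirroring the article's squid.conf
conf=$(mktemp /tmp/squid.conf.XXXXXX)
cat > "$conf" <<'EOF'
http_port 127.0.0.1:3128
cache_mem 56 MB
cache_swap_low 80
cache_swap_high 90
cache_dir ufs /usr/local/squid/cache 200 16 256
cache_access_log none
acl our_networks src 192.168.0.0/16
http_access allow our_networks
http_access deny all
EOF

if cache_fits 204 200 90; then
    echo "cache_dir 200 MB with cache_swap_high 90 fits a 204m md (barely)"
else
    echo "cache_dir does not fit the md: shrink cache_dir or grow the md"
fi
lint_squid_conf "$conf" || echo "$? finding(s) to fix before squid -z"
rm -f "$conf"
```

With the article's values the sizing check passes with only 3 MB to spare, and the lint reports two findings (the disabled access log and the ICP listener); raising cache_swap_high to 95 makes the sizing check fail.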

2. Install the DNS cache server

2.0 use ports to install BIND

# cd /usr/ports/dns/bind9
# make install clean
# vi /etc/namedb/named.conf
================================================================
acl "trust-lan" { 127.0.0.0/8; 192.168.0.0/16; };
options {
    directory "/etc/namedb";
    pid-file "/var/run/named/pid";
    version "0.0.0";                   // hide the real version string
    recursion yes;
    allow-recursion {
        "trust-lan";                   // recursive service for the LAN and loopback only
    };
    auth-nxdomain no;
    listen-on { 192.168.0.20; 192.168.1.10; 127.0.0.1; };   // internal addresses only, never fxp0
    forwarders {
        202.99.160.68;
        202.99.168.8; };
};
logging {
    channel warning
    { file "/var/log/named/dns_warnings" versions 3 size 1240k;
      severity warning;
      print-category yes;
      print-severity yes;
      print-time yes;
    };
    channel general_dns
    { file "/var/log/named/dns_logs" versions 3 size 1240k;
      severity info;
      print-category yes;
      print-severity yes;
      print-time yes;
    };
    category default { warning; };
    category queries { general_dns; };
};
zone "." {
    type hint;
    file "named.root";
};

zone "0.0.127.in-addr.arpa" {
    type master;
    file "localhost.rev";
};
================================================================

2.1 update the root zone file

# cd /etc/namedb
# rm named.root
# wget ftp://ftp.internic.org/domain/named.root

(fetch(1) from the base system works just as well if wget is not installed.)

2.2 create the log files

# mkdir /var/log/named/
# touch /var/log/named/dns_warnings
# touch /var/log/named/dns_logs
# chown -R bind:wheel /var/log/named

named runs as the bind user (-u bind below) and, with "versions 3", rotates the files itself, so it must be able to create new files in the directory: the -R makes the directory, not just the two files, belong to bind.

2.3 generate localhost.rev

# cd /etc/namedb
# chmod 755 make-localhost
# ./make-localhost

2.4 generate the rndc key

# cd /usr/local/etc
# /usr/local/sbin/rndc-confgen > rndc.conf

rndc-confgen writes the client-side rndc.conf and, below it, a commented-out copy of the matching key and controls statements, introduced by the line:
# Use with the following in named.conf, adjusting the allow list as needed:
Copy that block into /etc/namedb/named.conf and remove the comment marks. The shared secret in rndc.conf gives anyone who can read it control of the server over port 953, so keep the file readable by root only (mode 0600).

2.5 run the test

# /usr/local/sbin/named -g -c /etc/namedb/named.conf
23-Jan-2006 21:03:03.224 starting BIND 9.3.2 -g -c /etc/namedb/named.conf
23-Jan-2006 21:03:03.229 loading configuration from '/etc/namedb/named.conf'
23-Jan-2006 21:03:03.230 no IPv6 interfaces found
23-Jan-2006 21:03:03.230 listening on IPv4 interface rl0, 192.168.0.20#53
23-Jan-2006 21:03:03.230 listening on IPv4 interface rl1, 192.168.1.10#53
23-Jan-2006 21:03:03.231 listening on IPv4 interface lo0, 127.0.0.1#53
23-Jan-2006 21:03:03.235 command channel listening on 127.0.0.1#953
23-Jan-2006 21:03:03.235 ignoring config file logging statement due to -g option
23-Jan-2006 21:03:03.254 zone 0.0.127.in-addr.arpa/IN: loaded serial 20051219
23-Jan-2006 21:03:03.254 running

-g keeps named in the foreground and logs to stderr, which is why the logging statement is ignored; this is a test run only. Check that the external address on fxp0 does not appear among the "listening on" lines and that the command channel is bound to 127.0.0.1 only, then stop it with Ctrl-C before starting the real service.

2.6 status check

# rndc status
number of zones: 1
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is off
recursive clients: 0/1000
tcp clients: 0/100
server is up and running

2.7 create a startup script

# vi /usr/local/etc/rc.d/named.sh
================================================================
#!/bin/sh
# Start and stop the BIND service on FreeBSD
# LLZQQ@126.COM
#
. /etc/rc.subr

name="named"
rcvar="named_enable"
start_cmd="named_start"
stop_cmd="named_stop"

named_start()
{
    # -u bind: drop root after binding port 53; named daemonizes itself
    /usr/local/sbin/named -u bind -c /etc/namedb/named.conf
    echo "named started"
}

named_stop()
{
    pkill named
    echo "named stopped"
}

load_rc_config $name
run_rc_command "$1"
================================================================

# chmod 555 /usr/local/etc/rc.d/named.sh

Note that the base system ships its own named together with /etc/rc.d/named, which is driven by the same named_enable="yes" set in rc.conf below. Unless that script is pointed at the port's binary (named_program in rc.conf) or disabled, two copies of named will compete for port 53 at boot.
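The queries category configured above writes every query to /var/log/named/dns_logs, which only helps if someone reads it. The script below is an added example that is not part of the original article: it runs the kind of first pass an operator would do over that file, counting queries per client, flagging sources outside the trust-lan ACL and clients that exceed a rate threshold. The log lines are constructed in the BIND 9.3 query-log format (`client <ip>#<port>: query: <name> IN <type> +`), and dns_log_report and write_sample_log are hypothetical helper names.

```shell
#!/bin/sh
# Added example (not from the original article): a first pass over the BIND
# query log produced by the "category queries" channel of section 2.0.
# The log lines are constructed in the BIND 9.3 query-log format; the
# trusted prefixes are the article's trust-lan ACL.

# write_sample_log FILE: constructed sample of /var/log/named/dns_logs
write_sample_log() {
    cat > "$1" <<'EOF'
23-Jan-2006 21:05:01.101 queries: info: client 192.168.0.55#1034: query: www.chinaunix.net IN A +
23-Jan-2006 21:05:01.322 queries: info: client 192.168.0.55#1035: query: www.freebsd.org IN A +
23-Jan-2006 21:05:02.010 queries: info: client 192.168.1.7#2048: query: llzqq.3322.org IN A +
23-Jan-2006 21:05:02.515 queries: info: client 172.16.4.9#53011: query: www.chinaunix.net IN A +
23-Jan-2006 21:05:03.001 queries: info: client 192.168.0.99#4001: query: a1.example.net IN A +
23-Jan-2006 21:05:03.002 queries: info: client 192.168.0.99#4002: query: a2.example.net IN A +
23-Jan-2006 21:05:03.003 queries: info: client 192.168.0.99#4003: query: a3.example.net IN A +
23-Jan-2006 21:05:03.004 queries: info: client 192.168.0.99#4004: query: a4.example.net IN A +
23-Jan-2006 21:05:03.005 queries: info: client 192.168.0.99#4005: query: a5.example.net IN A +
EOF
}

# dns_log_report FILE [LIMIT]
# One line per client: query count, whether the source lies outside the
# trust-lan ACL (127.0.0.0/8, 192.168.0.0/16) and whether it sent more
# than LIMIT queries (default 100). Returns the number of flagged clients.
dns_log_report() {
    awk -v limit="${2:-100}" '
    function ip2int(a,    o) {
        split(a, o, ".")
        return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
    }
    # prefix match: drop the host bits of both addresses and compare
    function in_net(ip, net, bits,    div) {
        div = 2 ^ (32 - bits)
        return int(ip2int(ip) / div) == int(ip2int(net) / div)
    }
    function trusted(ip) {
        return in_net(ip, "127.0.0.0", 8) || in_net(ip, "192.168.0.0", 16)
    }
    / client [0-9.]+#[0-9]+: query: / {
        for (i = 1; i <= NF; i++)
            if ($i == "client") { ip = $(i + 1); sub(/#.*/, "", ip) }
        q[ip]++
        if (!trusted(ip)) outside[ip] = 1
    }
    END {
        flagged = 0
        for (ip in q) {
            why = ""
            if (ip in outside) why = "outside trust-lan ACL"
            if (q[ip] > limit) why = why (why == "" ? "" : "; ") q[ip] " queries > limit " limit
            if (why != "") { print ip ": " why; flagged++ }
            else print ip ": " q[ip] " queries, ok"
        }
        exit flagged
    }' "$1"
}

log=$(mktemp /tmp/dns_logs.XXXXXX)
write_sample_log "$log"
dns_log_report "$log" 4 || echo "$? client(s) flagged"
rm -f "$log"
```

On the sample, 172.16.4.9 is flagged because it is outside the ACL (allow-recursion refuses it recursion, but the query still shows up in the log, which is the point of logging it), and 192.168.0.99 is flagged for exceeding the limit of 4; on a real log use a limit tuned to the LAN's normal volume.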

3. Firewall settings

# vi /etc/pf.conf
================================================================
ext_if = "{ fxp0 }"
int_if = "{ rl0, rl1 }"
int_net = "{ 192.168.0.0/16 }"
loop = "lo0"
noroute = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 255.255.255.255/32 }"
ports = "{ 20, 21, 22, 25, 53, 80, 110 }"
squid = "{ 127.0.0.1 }"

set block-policy return
set optimization aggressive
set loginterface fxp0
set skip on lo0

scrub in all
nat on $ext_if from $int_net to any -> $ext_if

### squid transparent proxy: LAN port 80 goes to Squid's loopback listener
rdr on $int_if proto tcp from any to any port 80 -> $squid port 3128

antispoof for $ext_if inet

block all
block return
block in quick on $ext_if os NMAP
block in quick on $ext_if from $noroute to any
block out quick on $ext_if from any to $noroute

pass quick on $loop all
pass quick on $int_if all
pass in on $ext_if proto { tcp, udp } from any to any port $ports keep state
pass in quick proto tcp from any to any port 55000 >< 56000 keep state
pass out on $ext_if all keep state
================================================================

The rdr line is what makes the proxy transparent: it rewrites the destination of every TCP port 80 connection arriving on the internal interfaces to 127.0.0.1:3128, so its target must match Squid's http_port exactly. Only port 80 is caught; HTTPS and web servers on other ports leave through plain NAT without ever passing Squid's ACLs. Two rules deserve a second look. "pass in on $ext_if ... port $ports" opens FTP, SMTP, DNS, HTTP and POP3 from the Internet to this box although, in this setup, only sshd needs to be reachable and named listens on the internal addresses only; trim $ports to what actually has a listener. And "pass in quick proto tcp ... port 55000 >< 56000" admits that range on every interface; the article does not say what it is for, so drop it if nothing needs it, or tie it to the interface that does.
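A transparent proxy breaks quietly when the two configurations drift apart: the rdr target in pf.conf must match http_port in squid.conf, and the inbound pass rule should open only ports that have a listener. The script below is an added example and not part of the original article; rdr_target, squid_listener, unneeded_inbound and write_sample_pf are hypothetical helpers, and the pf.conf and squid.conf fragments and the listener list (what sockstat -4l would report, assumed here to be sshd on port 22 only) are constructed samples so the check runs offline.

```shell
#!/bin/sh
# Added example (not from the original article): checks that the PF rdr
# rule of section 3 and Squid's http_port agree, and lists inbound ports on
# $ext_if that have no listener. The pf.conf/squid.conf fragments and the
# listener list are constructed samples; all helper names are assumptions.

# rdr_target PF_CONF: prints host:port that "port 80" connections are
# redirected to, after expanding a $macro used as the target.
rdr_target() {
    awk '
    /^[ \t]*[A-Za-z_][A-Za-z0-9_]*[ \t]*=/ {   # macro line, e.g. squid = "{ 127.0.0.1 }"
        name = $1; sub(/=.*/, "", name)
        val = $0; sub(/^[^=]*=[ \t]*/, "", val); gsub(/["{} \t]/, "", val)
        macro[name] = val; next
    }
    $1 == "rdr" && / port 80[ \t]*->/ {
        host = $(NF - 2); port = $NF
        if (host ~ /^\$/) { sub(/^\$/, "", host); host = macro[host] }
        print host ":" port; exit
    }' "$1"
}

# squid_listener SQUID_CONF: prints the first http_port value
squid_listener() {
    awk '$1 == "http_port" { print $2; exit }' "$1"
}

# unneeded_inbound PF_CONF "PORT PORT ...": prints each port of the $ports
# macro that is passed in on $ext_if without a local listener and returns
# how many there are. The second argument is what sockstat -4l shows.
unneeded_inbound() {
    ports=$(awk '$1 == "ports" || $1 ~ /^ports=/ {
        val = $0; sub(/^[^=]*=[ \t]*/, "", val); gsub(/["{} \t]/, "", val); print val; exit
    }' "$1")
    listening=" $2 "
    n=0
    for p in $(printf '%s\n' "$ports" | tr ',' ' '); do
        case "$listening" in
            *" $p "*) ;;
            *) echo "port $p is passed in on \$ext_if but nothing listens on it"; n=$((n + 1)) ;;
        esac
    done
    return $n
}

# write_sample_pf FILE: constructed fragment with the article's macros and rdr
write_sample_pf() {
    cat > "$1" <<'EOF'
ext_if = "{ fxp0 }"
int_if = "{ rl0, rl1 }"
int_net = "{ 192.168.0.0/16 }"
ports = "{ 20, 21, 22, 25, 53, 80, 110 }"
squid = "{ 127.0.0.1 }"
nat on $ext_if from $int_net to any -> $ext_if
rdr on $int_if proto tcp from any to any port 80 -> $squid port 3128
pass in on $ext_if proto { tcp, udp } from any to any port $ports keep state
EOF
}

pf=$(mktemp /tmp/pf.conf.XXXXXX); sq=$(mktemp /tmp/squid.conf.XXXXXX)
write_sample_pf "$pf"
printf 'http_port 127.0.0.1:3128\n' > "$sq"
if [ "$(rdr_target "$pf")" = "$(squid_listener "$sq")" ]; then
    echo "rdr target $(rdr_target "$pf") matches http_port"
else
    echo "MISMATCH: rdr -> $(rdr_target "$pf") but Squid listens on $(squid_listener "$sq")"
fi
# assumption: only sshd (22) has a listener reachable on fxp0
unneeded_inbound "$pf" "22" || echo "$? port(s) to remove from \$ports"
rm -f "$pf" "$sq"
```

With the article's macro list and sshd as the only external listener, six of the seven ports in $ports are reported as open with nothing behind them; run the same check after every change to either file, since the mismatch case produces no error in the logs (the disabled cache_log sees nothing, and PF simply resets connections to a port nothing listens on).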

4. Other network settings

# vi /etc/rc.conf
hostname="llzqq.3322.org"
defaultrouter="61.211.x.x"
ifconfig_rl0="inet 192.168.0.20 netmask 255.255.255.0"
ifconfig_rl1="inet 192.168.1.10 netmask 255.255.255.0"
ifconfig_fxp0="inet 61.211.x.x netmask x.x.x.x"
named_enable="yes"
pf_enable="yes"                  # set to yes to enable the packet filter (pf)
pf_rules="/etc/pf.conf"          # rules definition file for pf
pf_program="/sbin/pfctl"         # where the pfctl program lives
pf_flags=""                      # additional flags for pfctl
pflog_enable="yes"               # set to yes to enable packet filter logging
pflog_logfile="/var/log/pflog"   # where pflogd should store the logfile
pflog_program="/sbin/pflogd"     # where the pflogd program lives
pflog_flags=""

# vi /etc/resolv.conf
nameserver 211.98.2.4
nameserver 202.99.168.8
nameserver 202.99.160.68

As written, resolv.conf sends the proxy's own lookups (Squid's dnsserver helpers included) straight to the ISP, bypassing the cache just installed; listing nameserver 127.0.0.1 first lets Squid benefit from it too.

# vi /etc/sysctl.conf
net.inet.ip.forwarding=1          # route between the interfaces (required for NAT)
net.inet.ip.check_interface=1     # strong ES model check; only enforced while ip.forwarding=0, so no effect here
net.inet.tcp.blackhole=2          # drop segments to closed TCP ports without sending RST
net.inet.udp.blackhole=1          # drop datagrams to closed UDP ports without ICMP unreachable
net.inet.tcp.recvspace=65535
net.inet.tcp.sendspace=65535

# vi /boot/loader.conf
kern.maxfiles="65536"

Clients use the IP address of this Squid proxy server as both their default gateway and their DNS server. Because the rdr rule catches port 80 only, browsers need no proxy setting, but HTTPS and other ports go out through NAT without passing Squid.

This completes the setup.
