[Integration] install and configure squid

Squid-usage in Linux
From: http://www.topcmm.com/(17:04:00)

Linux, as the most popular operating system, has become increasingly widespread. Although Linux software is not yet abundant and it is too early for Linux to replace Windows as an ordinary PC operating system, in the server field Linux has always been stable and manageable, with excellent software support. Squid is one example. A Linux and Squid combination used as a proxy server performs far better than WinNT with MSProxy 2.0 (personal opinion), and it is more than enough for a small LAN proxy serving several hundred people. Below I introduce the installation and usage of Squid in detail. I hope you will like it.

1. Squid Introduction

Squid is software that caches Internet data. It accepts users' download requests and handles the downloaded data automatically. That is, when a user wants to download a home page, the user sends the request to Squid and asks Squid to download it; Squid then connects to the requested website and requests the home page, passes it on to the user, and keeps a copy. When other users request the same page, Squid immediately sends them the saved copy, so to the user it feels very fast. Currently Squid can proxy the HTTP, FTP, Gopher, SSL and WAIS protocols. It cannot yet proxy protocols such as POP and NNTP, but people have begun modifying Squid, and it may be able to proxy these protocols in the future.

Can Squid cache any data? No. Caching things such as credit card account information, remotely executable scripts, and frequently changing home pages is inappropriate and insecure. Squid handles these cases automatically, and you can also configure Squid as needed to filter out what you do not want.

Squid runs on many operating systems, such as AIX, Digital UNIX, FreeBSD, HP-UX, IRIX, Linux, NetBSD, NeXTStep, SCO, Solaris and OS/2, and many people have recompiled Squid for other operating systems.

Squid's main hardware requirement is plenty of memory, which should not be less than 128 MB. The faster the hard disk, the better; a dedicated server SCSI hard disk is best. Processor requirements are not high; more than MH is enough.

2. Squid compilation and running

In fact, current Linux distributions generally include a compiled Squid, and all you need to do is install it. If you do not have a compiled Squid, or want to use the latest version, download it from the FTP site squid.nlanr.net and compile it yourself.

Compiling Squid is very simple, because it largely configures itself. The most common problem is that your system does not have a suitable compiler, which is solved by installing one. If you have other questions, ask experienced users or look for help on the relevant mailing list.

Before compiling Squid, it is best to create a user and group dedicated to running it. I created a user and group named squid, with the home directory set to /usr/local/squid. Then su to the squid user, download the Squid source from squid.nlanr.net into the /usr/local/squid/src directory, and run the following commands to unpack and build it:

% tar xzf squid-2.0.RELEASE-src.tar.gz

% cd /usr/local/squid/src/squid-*.*.RELEASE/

% ./configure

% make

% make install

The first command creates a new subdirectory squid-*.*.RELEASE/ under /usr/local/squid/src/. The ./configure command automatically probes your system configuration and the header files your system uses. Run without parameters, ./configure installs Squid in the /usr/local/squid directory. To use another directory, run ./configure --prefix=/some/other/directory, which installs Squid in /some/other/directory. The make command compiles Squid, and make install installs it.

The following directories then appear under /usr/local/squid:

/bin

/cache

/etc

/logs

/src (self-created)

The /bin directory contains the Squid executables, including squid itself and ftpget.

The /cache directory holds the data Squid has cached, in directories such as /00/, /01/, /02/ and /03/. These directories contain further subdirectories, because finding a file is easier and faster that way than searching among thousands of files in a single directory.

The /etc directory contains squid.conf, Squid's only configuration file.

The /logs directory contains the Squid logs.

3. Configure the squid.conf file

After Squid is installed, a sample squid.conf file is generated automatically in the /usr/local/squid/etc directory, with each option described in detail. You can modify the file to meet different needs.

In general, there are several important options:

· http_port: sets the port Squid listens on. It is best to choose a port number that is easy to remember, which makes client configuration easier. The port number on my machine is 8080. The default value is 3128.

· cache_mem: sets the physical memory used by Squid. In my experience, cache_mem should not exceed 1/3 of the server's physical memory; otherwise the overall performance of the machine suffers.

· maximum_object_size: sets the maximum size of an object that Squid will accept. Squid's default is 4 MB. If you think that is too big, set it according to your own needs.

· cache_dir: sets the cache location and size. The general format is "cache_dir /usr/local/squid/cache 100 16 256", where /usr/local/squid/cache is the cache location, 100 is the maximum cache size of 100 MB, and 16 and 256 are the numbers of level-1 and level-2 directories.

· cache_effective_user: sets the user that the cache runs as. The default is user nobody. If your system has no user nobody, it is best to create one, or run Squid as another non-root user.

Below is a simple squid.conf file:

# squid.conf - a very basic config file for squid

# Turn logging to its lowest level

debug_options ALL,1

# Define a group (or access control list) that includes all IP addresses

acl all src 0.0.0.0/0.0.0.0

# Define RAM used

cache_mem 32 MB

# Define the cache size

cache_dir /usr/local/squid/cache 100 16 256

# Allow all sites to connect to us via HTTP

http_access allow all

# Allow all sites to use us as a sibling

icp_access allow all

# Test the following sites to check that we are connected

dns_testnames internic.net usc.edu cs.colorado.edu mit.edu yale.edu

# Run as the squid user

cache_effective_user squid

This configuration file allows everyone to use Squid, creates a 100 MB cache, uses 32 MB of memory, and caches data in the default location /usr/local/squid/cache. All cached data is saved as group squid and user squid. The port is 3128. Although this configuration is not safe, because "http_access allow all" lets any host that can reach the port use the proxy, it works.
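
The effect of the http_access lines in the sample above can be checked before Squid is exposed to a network. The following Python sketch is an added example, not part of the original article or of Squid: it applies http_access rules in order to a client address, first for the article's configuration and then for a constructed variant that admits only an assumed LAN range (192.168.1.0/24). It evaluates src ACLs only.

```python
import ipaddress

# The sample configuration from the article, reduced to its access-control lines.
OPEN_CONF = """
acl all src 0.0.0.0/0.0.0.0
http_access allow all
icp_access allow all
"""

# Constructed alternative: 192.168.1.0/24 is an assumed LAN range, not from the article.
LAN_ONLY_CONF = """
acl all src 0.0.0.0/0.0.0.0
acl lan src 192.168.1.0/255.255.255.0
http_access allow lan
http_access deny all
icp_access deny all
"""


def parse(conf_text):
    """Return ({acl name: [networks]}, [(action, [acl names])]) for src ACLs and http_access."""
    acls, rules = {}, []
    for raw in conf_text.splitlines():
        tok = raw.split("#", 1)[0].split()
        if len(tok) >= 4 and tok[0] == "acl" and tok[2] == "src":
            # Squid's addr/netmask notation in dotted form is accepted by ip_network() too.
            acls.setdefault(tok[1], []).extend(
                ipaddress.ip_network(spec, strict=False) for spec in tok[3:])
        elif len(tok) >= 3 and tok[0] == "http_access":
            rules.append((tok[1], tok[2:]))
    return acls, rules


def http_access_verdict(conf_text, client_ip):
    """Apply http_access rules in order; the first rule whose ACLs all match decides."""
    acls, rules = parse(conf_text)
    ip = ipaddress.ip_address(client_ip)
    for action, names in rules:
        # Rules naming a non-src ACL depend on the request itself; this sketch skips them.
        if any(n.lstrip("!") not in acls for n in names):
            continue
        if all(any(ip in net for net in acls[n.lstrip("!")]) != n.startswith("!")
               for n in names):
            return action
    # Nothing matched: Squid applies the opposite of the last rule (deny if there are none).
    last = rules[-1][0] if rules else "allow"
    return "deny" if last == "allow" else "allow"


if __name__ == "__main__":
    for label, conf in (("open", OPEN_CONF), ("lan-only", LAN_ONLY_CONF)):
        for client in ("192.168.1.20", "203.0.113.7"):
            print(label, client, http_access_verdict(conf, client))
```

With the article's configuration every client address is allowed; with the constructed variant only addresses inside the assumed LAN range are.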

4. Run squid

First, log in as root. Run the following command:

% /usr/local/squid/bin/squid -z

This command creates all of Squid's cache directories.

If you want to run Squid in the foreground, run the following command:

% /usr/local/squid/bin/squid -NCd1

This command actually starts Squid. If everything is normal, you will see a line of output:

Ready to serve requests.

If you want to run Squid in the background as a daemon process, run the following command:

% /usr/local/squid/bin/squid

To check whether Squid is running, use the command:

% squid -k check

The output will tell you the current status of Squid.

Squid installation and configuration

Operating system: RedHat 9.0, kernel 2.4.20-31.9; the other system packages have been updated to the latest versions through apt.

1. Compile and install squid

Because squid has high requirements on system hardware, we should try our best to optimize it during installation.

# groupadd squid
# useradd squid

These commands add the squid user and group.

# export CFLAGS='-O2 -mcpu=pentium4 -march=pentium4 -mmmx -msse -msse2'

Choose the parameters according to your CPU. GCC 3.1 and above can optimize for specific CPUs:

Pentium2: -O2 -mcpu=i686 -march=i686 -mmmx
Pentium3: -O2 -mcpu=pentium3 -march=pentium3 -mmmx -msse
Pentium4: -O2 -mcpu=pentium4 -march=pentium4 -mmmx -msse -msse2

# ./configure --prefix=/usr/local/squid --enable-gnuregex --enable-async-io=80 --enable-icmp --enable-kill-parent-hack --enable-snmp --disable-ident-lookups --enable-cache-digests --enable-arp-acl --enable-err-languages="Simplify_Chinese" --enable-default-err-language="Simplify_Chinese" --enable-poll --enable-linux-netfilter --enable-underscores

# make
# make install


Personally, I prefer to install software by compiling the source package myself, because then you know what you are doing; if you are not comfortable with that, you can install the RPM package instead. Each compilation parameter is explained below. You can also run ./configure --help to see the other parameters, each with an explanation in English.

--prefix=/usr/local/squid: specifies the installation path of the software.
--enable-gnuregex: because Squid does a great deal of string processing for its various checks, enabling this option gives better handling.
--enable-async-io=80: runs Squid with asynchronous I/O. As I understand it, this sets the number of threads Squid runs with. If the server is well equipped, with more than 1 GB of memory and SMP CPUs, you can set it to 160 or higher; otherwise set it according to the actual situation. This option also enables support for the aufs cache storage type.
--enable-icmp: enables ICMP support.
--enable-kill-parent-hack: when Squid is shut down, its parent process is killed together with it.
--enable-snmp: lets MRTG monitor the server's traffic using the SNMP protocol, so you must select this option if you want Squid to support the SNMP interface.
--disable-ident-lookups: prevents the system from using the identification lookups specified by RFC 931.
--enable-cache-digests: speeds up retrieval of cached content during requests.
--enable-arp-acl: lets you use the client's MAC address directly in rules to manage clients, which prevents clients from using IP spoofing.
--enable-err-languages="Simplify_Chinese" and
--enable-default-err-language="Simplify_Chinese": make the error pages that Squid displays use Simplified Chinese.
--enable-poll: use the poll() function instead of the select() function. poll is generally better than select, but the configure script knows that poll does not work on some platforms. If you think you know better than the configure script, you can use this option to enable poll. In short, this can improve performance.
--enable-linux-netfilter: supports transparent proxying.
--enable-underscores: access this address.

Squid is now installed; the next step is to modify the configuration file.


2. Modify the configuration parameters
The following is my squid.conf file:


# Network options
#----------------------------------------------------------
# Proxy port
http_port 3128
# ICP port
icp_port 3130

# Options which affect the neighbor selection algorithm
#-----------------------------------------------------------
# Disable caching
hierarchy_stoplist cgi-bin ?
hierarchy_stoplist -i ^https:\ ?
acl QUERY urlpath_regex -i cgi-bin \? \.asp \.php \.jsp \.cgi
# url_regex is used here because urlpath_regex sees only the path, never the scheme
acl denyssl url_regex -i ^https://
no_cache deny QUERY
no_cache deny denyssl
# The lines above mean that URLs containing cgi-bin and URLs starting with https:// are not cached,
# and that dynamic scripts such as ASP, CGI and PHP are not cached,
# because the data these scripts return is updated dynamically and a cached copy would be out of sync.
# https:// is not cached because it is generally used for e-commerce transactions,
# for example bank payments; caching a credit card number would be dangerous.


# Options which affect the cache size
#----------------------------------------------------------

# Additional memory usage; set it according to your system, generally 1/3 of the actual memory
cache_mem 8 MB

# Minimum cache percentage
cache_swap_low 90
# Maximum cache percentage, that is, the usage percentage of the additional memory above
cache_swap_high 95

# Maximum size of a single cached file; larger files are not cached
maximum_object_size 4096 KB

# Maximum size of a single file cached in memory; larger files are not kept in memory
maximum_object_size_in_memory 8 KB

# Cache sizes for the IP addresses obtained by DNS resolution, which speeds up resolution
ipcache_size 1024
ipcache_low 90
ipcache_high 95
fqdncache_size 1024


# Logfile pathnames and cache directories
#-----------------------------------------------------------------------------

# <Directory>
# The aufs type is supported only when the --enable-async-io option was given at compile time,
# depending on your host.
# dir1 and dir2 are the numbers of level-1 and level-2 directories, usually 16 256 or 64 64.
# The numbers should generally be multiples of 16; performance is said to be better that way.

cache_dir aufs /cache1 100 16 256
cache_dir aufs /cache2 100 16 256

# Log storage locations
cache_access_log /usr/local/squid/var/logs/access.log
cache_log /usr/local/squid/var/logs/cache.log

# TAG: cache_store_log
cache_store_log /usr/local/squid/var/logs/store.log

# TAG: pid_filename
pid_filename /usr/local/squid/var/logs/squid.pid

# Options for external support programs
#----------------------------------------------------------

# Use the proxy to log on to anonymous FTP services
# TAG: ftp_user
# User name
ftp_user squid@
# Passive mode
ftp_passive on

# Authentication
# auth_param basic children 5
# auth_param basic realm Squid proxy-caching web server
# auth_param basic credentialsttl 2 hours
# auth_param basic casesensitive off

# Options for tuning the cache
#----------------------------------------------------------

# TAG: refresh_pattern (cache refresh time settings)
# <minimum time> <percentage> <maximum time>

refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320

# The first line above means that for URLs starting with ftp:, after one day (1440 minutes),
# if the proxy is asked for the file again, the data in the cache is updated.

# Timeouts
#----------------------------------------------------------
# Maximum time to try connecting to another machine
connect_timeout 1 minute

# Timeout for connecting to the upper-level proxy
peer_connect_timeout 30 seconds

# Request timeout
request_timeout 2 minutes

# Persistent connection duration
persistent_request_timeout 1 minute


# Access controls
#----------------------------------------------------------
# TAG: acl
# Examples:
# acl myexample dst_as 1241
# acl password proxy_auth REQUIRED
# acl fileupload req_mime_type -i ^multipart/form-data$
# acl javascript rep_mime_type -i ^application/x-javascript$
#
# Recommended minimum configuration:
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
