Squid reverse proxy on a CentOS system

Source: Internet
Author: User
Tags squid proxy

Once the CentOS machine has network access, install Squid with yum.

The default package is Squid 3.

yum install squid

After the installation completes, Squid is not started by default, but it is already registered as a service, so it can be started or stopped from the command line:

service squid status    # check whether the service is running
service squid start     # start squid
service squid stop      # stop squid


After installation, Squid does not run.


---------------------------------------------

What Squid is used for:

1. Caching proxy server: when clients request the same file several times through the proxy, Squid serves the data from its own cache, which improves performance. It can also connect a LAN to the Internet.

2. Security: the address exposed to the outside world is that of the Squid proxy server, so if a network attack arrives, the services behind the proxy are not affected.

3. Access policy: the built-in firewall can restrict access times, the size of downloaded attachments, and other settings.


Proxy types:

Forward proxy: intranet clients reach the external network through the proxy server.

Reverse proxy: external clients reach intranet servers through the proxy server.

Transparent proxy: clients do not need to know the proxy's IP, port, or other details. Traffic goes through the proxy automatically, and the client is not aware that it is going online through a proxy.


To use Squid, edit its configuration file:

vi /etc/squid/squid.conf

The default configuration file is bloated. /etc/squid also contains squid.conf.bak, a backup copy identical to squid.conf.


-----------------------------------

Environment

The Squid 3 configuration file has been simplified. Many of the configurations found online are for version 2 and should not be used. The Squid 3 configuration file below is about the simplest one possible.

Remove the original squid.conf:

rm squid.conf

Create a new squid.conf:

vi squid.conf

The contents of the configuration file are as follows:

http_port 3128                            # port Squid listens on; the default is 3128
visible_hostname localhost.localdomain    # hostname of the Squid machine
acl innet src 10.0.2.0/24                 # network allowed to access Squid
http_access allow innet                   # allow clients inside the innet ACL
http_access deny all                      # deny access from other network segments

Common commands are as follows:

service squid start                           # start the service
service squid stop                            # stop the service
service squid restart                         # restart the service
squid -k reconfigure                          # hot-reload the configuration file
/usr/local/squid/sbin/squid -z                # initialize the cache space
/usr/local/squid/sbin/squid                   # start
/usr/local/squid/sbin/squid -k shutdown       # stop
/usr/local/squid/sbin/squid -k reconfigure    # reload the configuration file
/usr/local/squid/sbin/squid -k rotate         # rotate the logs

After modifying the configuration, start Squid.

Set the browser to proxy mode and point it at the proxy we just configured; the Squid proxy server then forwards the requests automatically.


Once this is set up, we can enter a URL and browse web pages through the proxy.


If an incorrect IP address is entered, Squid returns an error.

Now modify the gateway address in the ACL:


Other information, such as the administrator's contact mailbox, can also be configured. More detailed settings can be found by searching online.

# The acl all src 0.0.0.0/0.0.0.0 and http_access allow all options define an access control list.
# For details, see the documentation that ships with the Squid software.
# The access control list here allows everyone to access the proxy service, because the proxy is accelerating a web server.
acl all src 0.0.0.0/0.0.0.0                  # allow all IPs
acl manager proto HTTP                       # manager URL protocol is http
acl localhost src 127.0.0.1/255.255.255.255  # allow the local machine's IP
acl to_localhost dst 127.0.0.1               # allow destination addresses that are the local machine's IP
acl safe_ports port 80                       # the allowed safe port is 80
acl CONNECT method CONNECT                   # request method is CONNECT
http_access allow all                        # allow everyone to use the proxy, because this proxy accelerates a web server
http_reply_access allow all                  # allow all clients to use this proxy
acl overconnlimit maxconn 16                 # limit each IP to at most 16 connections, to prevent attacks
http_access deny overconnlimit
icp_access deny all                          # forbid sending and receiving ICP requests with neighbor caches
miss_access allow all                        # allow direct update requests
ident_lookup_access deny all                 # disable lookup checks (DNS)
http_port 8080 transparent                   # port on which Squid listens for browser client requests
hierarchy_stoplist cgi-bin ?                 # forces certain objects not to be cached, mainly for security
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
# cache_mem is an optimization option: increasing this memory value helps caching.
# Note: in general, if the system has n of memory, set this value to (n/3)M. This machine has 3G, so 1G is used here.
cache_mem 1 GB
fqdncache_size                               # FQDN cache size
maximum_object_size_in_memory 2 MB           # largest object allowed to be loaded into memory
memory_replacement_policy heap LFUDA         # dynamically evict the least-used objects from the memory cache
cache_replacement_policy heap LFUDA          # dynamically evict the least-used objects from the disk cache
# Cache directory, ufs type, using at most 1000 MB of space, with 32 first-level and 512 second-level directories.
cache_dir ufs /home/cache 1000 32 512
max_open_disk_fds 0                          # maximum number of open files; 0 means unlimited
minimum_object_size 1 KB                     # minimum allowed object size
maximum_object_size MB                       # maximum allowed object size
cache_swap_low 90                            # lower limit: swap usage of 90%
cache_swap_high 95                           # upper limit: swap usage of 95%
ipcache_size 2048                            # IP address cache size, 2M
ipcache_low 90                               # lower limit: ipcache may use 90% of swap
ipcache_high                                 # upper limit: ipcache may use 90% of swap
access_log /var/log/squid/access.log squid   # where the access log is stored
cache_log /var/log/squid/cache.log squid
cache_store_log none                         # disable the store log
# emulate_httpd_log makes Squid write access records in the format of a web server.
# It must be set if you want to use a web access log analysis program.
emulate_httpd_log on
refresh_pattern . 0 20% 4320 override-expire override-lastmod reload-into-ims ignore-reload   # cache refresh rule
acl buggy_server url_regex ^http://. http://   # only allow http requests
broken_posts allow buggy_server
acl apache rep_header Server ^Apache         # allow Apache's encoding
broken_vary_encoding allow apache
request_entities off                         # forbid non-standard HTTP requests, to prevent attacks
header_access header allow all               # allow all HTTP headers
relaxed_header_parser on                     # do not parse HTTP headers strictly
client_lifetime 120 minute                   # maximum client connection time: 120 minutes
cache_mgr [email protected]                  # address to which alerts are sent to the cache manager when the cache has problems
cache_effective_user squid                   # run the Squid server as the user squid
cache_effective_group squid
# icp_port is the port on which Squid sends and receives ICP requests with neighbor caches.
# It is set to 0 here because Squid is configured as an accelerator for an internal web server,
# so neighbor caches are not needed. 0 means disabled.
icp_port 0
# cache_peer sets the host allowed to update the cache; it is the local machine, so 127.0.0.1.
cache_peer 127.0.0.1 parent 0 no-query default multicast-responder no-netdb-exchange
cache_peer_domain 127.0.0.1
hostname_aliases 127.0.0.1
error_directory /usr/share/squid/errors/simplify_chinese   # error page directory
always_direct allow all                      # on a cache miss or absence, allow all requests to be forwarded directly to the origin server
ignore_unknown_nameservers on                # enable reverse DNS checking; when the domain name and address do not match, access is forbidden
coredump_dir /var/log/squid                  # directory for core dumps
max_filedesc 2048                            # maximum number of open file descriptors
# half_closed_clients off makes Squid close the client connection immediately when read returns no more data.
# Sometimes read returns no more data because a client has shut down the sending side of TCP
# while still receiving data. Squid does not distinguish between a half-closed and a fully closed TCP connection.
half_closed_clients off
# Turning on buffered_logs can slightly increase the speed at which some log files are written; it is mainly an optimization.
buffered_logs on

# Prevent hotlinking from Tianya; redirect to Baidu
acl tianya referer_regex -i tianya
http_access deny tianya
deny_info tianya
# Block the Baidu spider
acl baidu req_header user-agent baiduspider
http_access deny baidu
# Limit the maximum number of connections from the same client IP
acl overconnlimit maxconn 128
http_access deny overconnlimit
# Prevent others from abusing this server as an HTTP proxy: set the allowed IP address
acl myip dst 222.18.63.37
http_access deny !myip
# Allow management from the local machine
acl manager proto cache_object
acl localhost src 127.0.0.1 222.18.63.37
http_access allow manager localhost
cachemgr_passwd 53034338 all
http_access deny manager
# Only proxy port 80
acl all src 0.0.0.0/0.0.0.0
acl safe_ports port 80   # http
http_access deny !safe_ports
http_access allow all
# Squid information settings
visible_hostname happy.swjtu.edu.cn
cache_mgr [email protected]
# Basic setup
cache_effective_user squid
cache_effective_group squid
tcp_recv_bufsize 65535 bytes
# 2.6 reverse proxy acceleration configuration
cache_peer 127.0.0.1 parent 0 no-query originserver
# Error documents
error_directory /usr/local/squid/share/errors/simplify_chinese
# Standalone server; do not use this feature
icp_port 0
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \? .php .cgi .avi .wmv .rm .ram .mpg .mpeg .zip .exe
cache deny QUERY
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
cache_store_log none
pid_filename /usr/local/squid/var/logs/squid.pid
emulate_httpd_log on
logformat combined %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
cache_log /usr/local/squid/var/logs/cache.log
access_log /usr/local/squid/var/logs/access.log combined
coredump_dir /usr/local/squid/var/cache
cache_dir ufs /usr/local/squid/var/cache 10000 256
dns_children 32
hosts_file /etc/hosts
cache_mem
cache_swap_low 90
cache_swap_high 95
maximum_object_size 32768 KB
maximum_object_size_in_memory 4096 KB
emulate_httpd_log on
# Prevent hotlinking
acl picurl url_regex -i \.bmp$ \.png$ \.jpg$ \.gif$ \.jpeg$
acl mystie1 referer_regex -i happy.swjtu.edu.cn
http_access allow mystie1 picurl
acl nullref referer_regex -i ^$
http_access allow nullref
acl hasref referer_regex -i .+
http_access deny hasref picurl
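Squid checks http_access lines from top to bottom and stops at the first one that matches, so the order of the lines in the minimal configuration and in the longer configurations above decides who can use the proxy. The following Python sketch is an added example, not part of the original article or of Squid: it models that rule for IPv4 "src" ACLs only and lists http_access lines that can never be reached because an unconditional "all" line precedes them. The function names and the two sample configurations are constructed for illustration.

```python
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")

def parse(conf):
    """Return (src ACLs by name, ordered http_access rules) from squid.conf text."""
    acls, rules = {"all": [ANY]}, []          # Squid 3 predefines "all"
    for raw in conf.splitlines():
        tok = raw.split("#", 1)[0].split()    # strip comments, tokenize
        if len(tok) >= 4 and tok[0] == "acl" and tok[2] == "src":
            nets = [ipaddress.ip_network(v, strict=False) for v in tok[3:]]
            acls.setdefault(tok[1], []).extend(nets)
        elif len(tok) >= 3 and tok[0] == "http_access":
            rules.append((tok[1], tok[2:]))
    return acls, rules

def decide(conf, client):
    """Verdict for an IPv4 client; models src ACLs only (a simplification)."""
    acls, rules = parse(conf)
    ip = ipaddress.ip_address(client)
    for action, names in rules:
        # All ACLs on a line must match (AND); a leading "!" negates one.
        if all(any(ip in n for n in acls[x.lstrip("!")]) != x.startswith("!")
               for x in names):
            return action                     # first matching line wins
    # No line matched: opposite of the last line; deny if there are none.
    return "allow" if rules and rules[-1][0] == "deny" else "deny"

def unreachable(conf):
    """http_access lines that follow an unconditional allow/deny of everyone."""
    acls, rules = parse(conf)
    for i, (_, names) in enumerate(rules):
        if len(names) == 1 and ANY in acls.get(names[0], []):
            return ["http_access " + " ".join([a, *n]) for a, n in rules[i + 1:]]
    return []

# Constructed samples in the page's rule order; non-src ACLs are skipped.
MINIMAL = """
acl innet src 10.0.2.0/24
http_access allow innet
http_access deny all
"""
ACCEL = """
acl overconnlimit maxconn 16
http_access allow all
http_access deny overconnlimit
"""

if __name__ == "__main__":
    print(decide(MINIMAL, "10.0.2.15"), decide(MINIMAL, "192.168.1.5"), unreachable(ACCEL))
```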

