I. User analysis
Existing network situation:
Our campus network connects 31 buildings by optical cable, with a total cable length of about 15 km. The vast majority of buildings have structured cabling. Dozens of networked multimedia classrooms, teaching bases, laboratories, computer rooms and so on are connected to the campus network, with more than 3,000 networked computers. The school currently has 2 Internet egress links: one at 10 Mbps, connected by fiber to the China Education and Research Network (CERNET), and another at 4 Mbps connected to China Telecom.
User needs:
The main users of our campus network are the students and teachers of the school. According to statistics, about 80% of users use WWW, FTP and similar resources. The school has 126 ChinaNet IP addresses, which cannot serve all users directly. Setting up a proxy server so that all users can reach network resources is the simplest method, and a relatively safe and reliable one. A dedicated WWW (FTP) proxy is set up to meet users' main needs, and a SOCKS5 proxy is set up to meet users' needs.
II. Hardware and software selection
Hardware
A cache server can be an ordinary PC server plus cache software (such as Squid or Inktomi), or a dedicated cache server that integrates hardware and software. Based on the actual ChinaNet egress, the 4 Mbps link can receive at most about 500k/s of incoming data. The backbone nodes of the school network are connected by dual gigabit links, links to some laboratories are 100M, and links to the dormitories are 10M. The maximum amount of data sent is approximately 12m/s. This volume of data is not very large, and a traditional IA32 architecture server can meet the requirement. The machine room of the school's network center houses its servers in cabinets. HP's LH6000 is a new type of server with strong scalability. A proxy server is not computationally heavy but needs high I/O performance, which a custom-configured LH6000 can provide. Using RAID improves disk performance and increases data reliability. Proxy server software consumes a large amount of memory, and the LH6000 can support 8GB of memory. The final configuration selected is as follows:
Configuration
Processor: Intel Xeon processor
Memory: 2G
Disk controller: Integrated dual-channel Ultra3 SCSI HP NetRAID controller with 32MB cache
Additional controller: Single-channel Ultra Wide SCSI controller
Built-in storage: 5 x 18GB hot-swappable half-height drives
Network card: Built-in Intel 82559 100M network card
Power supply: 3 hot-swappable power supplies
The array uses RAID5 mode, which stripes data across the disks in the array and stores parity data on every disk, so the array tolerates the failure of a single disk. RAID 5 relies on parity to protect data, but instead of keeping the parity on one dedicated disk it distributes the parity blocks across all the disks. If any one hard drive is damaged, its data can be reconstructed from the data and parity on the other disks.
Software
The Squid Internet Object Cache, a successor to the Harvest project, came out of a research program heavily supported by the U.S. government. Squid is open source, fully functional proxy server software that runs on UNIX systems. It can cache HTTP, FTP, and other protocols that locate objects by URL. It lets clients transfer data over SSL. It can cooperate with other running Squid servers using ICP, HTCP, CARP, Cache Digests and other protocols and methods. It supports SNMP and can be coordinated and managed with the appropriate software. Detailed access control lists (ACLs) can also be configured.
Operating system
The school's previous proxy server used Linux as its operating system, because that proxy server often doubled as other kinds of server. Much server software is developed specifically for Linux or runs most efficiently on Linux. Squid itself is developed for Unix-like operating systems and places few demands on the system itself. At present, the school's ChinaNet proxy server uses FreeBSD as its operating system.
There are several reasons why Linux was not selected:
Linux kernel development is relatively open, whereas the FreeBSD kernel is maintained by a strict core team whose review is more stringent. In terms of the kernel, BSD is the more stable of the two.
Linux handles load less well than FreeBSD. Under high load, BSD tolerates program errors far better than Linux.
Many well-known commercial websites, such as Yahoo and NetEase, use FreeBSD. Its stability and performance have passed the evaluation of many experts and are far stronger than those of Linux.
The well-known article "Linux vs BSD: A Tale of Two Systems" evaluates FreeBSD as follows: "FreeBSD focuses on the Intel architecture PC and server platforms, and on providing the best performance and stability possible. The DEC/Compaq Alpha is also supported."
FreeBSD also has weaknesses compared with Linux, mainly in disk I/O performance. This is mainly because UFS, the file system used by FreeBSD, is not as good as the ext2/ext3 used on Linux, although enabling soft updates improves it considerably. The overseas proxy is configured with RAID5 and high-speed SCSI hard disks. On the hardware configuration above, when reading the small files of a few KB in the Squid cache, the difference in efficiency between ext2 and UFS with soft updates is less than one in 10,000. For a proxy server carrying a load of thousands of users, this difference can be ignored.
For the reasons above, FreeBSD was finally selected as the proxy server's operating system.
III. Proxy server software installation
Squid installation
FreeBSD's own ports collection includes a stable version of Squid. The latest version of Squid is 2.4.STABLE6. Running make; make install in FreeBSD's /usr/ports/www/squid directory downloads, compiles, and finally installs the latest version of the Squid code into the appropriate paths under /usr.
Squid itself is installed under /usr/local/sbin
Squid's cache directory defaults to /usr/local/squid/cache
Squid's log directory defaults to /usr/local/squid/logs
Squid's configuration file directory defaults to /usr/local/etc/squid
This method is preferable to installing a binary package directly, because a binary package is not guaranteed to run stably on a customized system. The source code is downloaded first and its MD5 checksum is checked, to confirm that the source is an unmodified version. It is then compiled locally and finally installed to the appropriate directories.
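One way to perform the MD5 check described above before building, as an added example that is not part of the original article or of the FreeBSD ports tooling. It assumes a checksum file with BSD-style lines of the form `MD5 (file) = digest`; the function names and file names are hypothetical.

```sh
#!/bin/sh
# Added example: verify a downloaded source archive against a BSD-style
# checksum line ("MD5 (file) = digest") before compiling it.
# Assumption: archive file names contain no spaces.

# Print the MD5 digest of a file with whichever tool the system has
# (md5 on FreeBSD, md5sum on Linux).
file_md5() {
    if command -v md5 >/dev/null 2>&1; then
        md5 -q "$1"
    else
        md5sum "$1" | awk '{ print $1 }'
    fi
}

# Look up the recorded digest for an archive name in the checksum file.
expected_md5() {    # $1 = checksum file, $2 = archive file name
    awk -v name="$2" \
        '$1 == "MD5" && $2 == ("(" name ")") && $3 == "=" { print $4; exit }' "$1"
}

# Return 0 only if the archive exists, is listed, and its digest matches.
# Return codes: 1 = mismatch, 2 = archive missing, 3 = no digest recorded.
verify_distfile() { # $1 = checksum file, $2 = archive path
    [ -f "$2" ] || { echo "missing: $2" >&2; return 2; }
    want=$(expected_md5 "$1" "$(basename "$2")")
    [ -n "$want" ] || { echo "no checksum recorded for $2" >&2; return 3; }
    have=$(file_md5 "$2")
    if [ "$have" = "$want" ]; then
        echo "OK: $2"
    else
        echo "MISMATCH: $2 (expected $want, got $have)" >&2
        return 1
    fi
}

# Typical use (constructed file names): build only when the check passes.
#   verify_distfile distinfo sample-src.tar.gz && make && make install
```

An MD5 match shows only that the archive equals the one the digest was computed from, so the checksum file itself has to come from a trusted source; where the project also publishes a stronger digest such as SHA-256, compare that as well.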
Squid configuration
Squid's configuration file is squid.conf
Some of the parameters are configured as follows (to protect the proxy server's security, some of the parameters are replaced with *):
http_port 8080
Sets the HTTP proxy port to 8080.
cache_peer pa.us.ircache.net sibling 3128 3130 login=*:*
cache_peer sj.us.ircache.net sibling 3128 3130 login=*:*
cache_peer * parent 13280 4827 htcp *:*
These cache_peer lines configure Squid to work in cooperation with several other cache servers. The specific settings are explained in the later section on optimization.