一、Squid代理服务器
1.代理服务器的概念
Squid主要提供缓存加速、应用层过滤控制的功能
2.代理服务器的作用
代理服务器是一个位于客户端和原始(资源)服务器之间的服务器,为了从原始服务器取得内容,客户端向代理服务器发送一个请求并指定目标原始服务器,然后代理服务器向原始服务器转交请求并将获得的内容返回给客户端
3.代理的工作机制
代替客户机向网站请求数据,从而可以隐藏用户的真实IP地址。
将获得的网页数据(静态 Web 元素)保存到缓存中并发送给客户机,以便下次请求相同的数据时快速响应
4.代理的类型
传统代理:适用于Internet,需在客户机指定代理服务器的地址和端口
透明代理:客户机不需指定代理服务器的地址和端口,而是通过默认路由、防火墙策略将Web访问重定向给代理服务器处理
反向代理:如果 Squid 反向代理服务器中缓存了该请求的资源,则将该请求的资源直接返回给客户端;否则反向代理服务器将向后台的 WEB 服务器请求资源,然后将请求的应答返回给客户端,同时也将该应答缓存(静态)在本地,供下一个请求者使用
5.缓存代理
缓存代理对于Web至关重要,尤其对于大型高负载Web站点。缓存可作为性能优化的一个重要手段,可以极大减轻后端服务器的负载。通常对于静态资源,即较少经常更新的资源,如图片,css或js等进行缓存,从而在每次刷新浏览器的时候,不用重新请求,而是从缓存里面读取,这样就可以减轻服务器的压力
6.缓存代理的作用
资源获取:代替客户端实现从原始服务器的资源获取;
加速访问:代理服务器可能离原始服务器更近,从而起到一定的加速作用;
缓存作用:代理服务器保存从原始服务器所获取的资源,从而实现客户端快速的获取;
隐藏真实地址:代理服务器代替客户端去获取原始服务器资源,从而隐藏客户端真实信息。
二、安装Squid服务
1.安装前准备
| 服务器 | IP |
|---|---|
| Squid服务器 | 192.168.247.135 |
| web服务器 | 192.168.247.80 |
| 客户机 | 192.168.247.90 |
systemctl stop firewalld
systemctl disable firewalld
setenforce 0
[root@localhost ~]# systemctl stop firewalld
[root@localhost ~]# systemctl disable firewalld
Removed symlink /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
[root@localhost ~]# setenforce 0
2.编译安装 Squid
yum -y install gcc gcc-c++ make
tar zxvf squid-3.5.28.tar.gz -C /opt/
cd /opt/squid-3.5.28
./configure --prefix=/usr/local/squid \ #指定安装目录路径
--sysconfdir=/etc \ #指定配置文件路径
--enable-arp-acl \ #MAC地址管控,防止客户端使用IP欺骗
--enable-linux-netfilter \ #使用内核过滤
--enable-linux-tproxy \ #支持透明模式
--enable-async-io=100 \ #异步IO,提升存储性能
--enable-err-language="Simplify_Chinese" \ #错误信息的显示语言
--enable-underscore \ #允许URL中有下划线
--disable-poll \ #关闭默认使用 poll 模式
--enable-epoll \ #开启epoll模式提升性能
--enable-gnuregex #使用GNU正则表达式
make && make install
ln -s /usr/local/squid/sbin/* /usr/local/sbin/
useradd -M -s /sbin/nologin squid
chown -R squid:squid /usr/local/squid/var/ #此目录用于存放缓存文件
[root@localhost ~]# yum -y install ggc gcc-c++ make
已加载插件:fastestmirror, langpacks
Determining fastest mirrors
* base: mirrors.aliyun.com
......
更新完毕:
gcc-c++.x86_64 0:4.8.5-44.el7 make.x86_64 1:3.82-24.el7
作为依赖被升级:
cpp.x86_64 0:4.8.5-44.el7 gcc.x86_64 0:4.8.5-44.el7 gcc-gfortran.x86_64 0:4.8.5-44.el7
libgcc.x86_64 0:4.8.5-44.el7 libgfortran.x86_64 0:4.8.5-44.el7 libgomp.x86_64 0:4.8.5-44.el7
libquadmath.x86_64 0:4.8.5-44.el7 libquadmath-devel.x86_64 0:4.8.5-44.el7 libstdc++.x86_64 0:4.8.5-44.el7
libstdc++-devel.x86_64 0:4.8.5-44.el7
完毕!
[root@localhost ~]# cd /opt
[root@localhost opt]# tar xf squid-3.5.28.tar.gz
[root@localhost opt]# cd /opt/squid-3.5.28
[root@localhost squid-3.5.28]# ./configure --prefix=/usr/local/squid \
> --sysconfdir=/etc \
> --enable-arp-acl \
> --enable-linux-netfilter \
> --enable-linux-tproxy \
> --enable-async-io=90 \
> --enable-err-language="Simplify_Chinese" \
> --enable-underscore \
> --disable-poll \
> --enable-epoll \
> --enable-gnuregex
checking for a BSD-compatible install... /usr/bin/install -c
[root@localhost squid-3.5.28]# make -j4 && make install
Making all in compat
make[1]: 进入目录“/opt/squid-3.5.28/compat”
depbase=`echo assert.lo | sed 's|[^/]*$|.deps/&|;s|\.lo$||'`;\
/bin/sh ../libtool --tag=CXX --mode=compile g++ -DHAVE_CONFIG_H -I.. -I../include -I../lib -I../src -I../include -I../libltdl -Wall -Wpointer-arith -Wwrite-strings -Wcomments -Wshadow -Woverloaded-virtual -Werror -pipe -D_REENTRANT -g -O2 -march=native -std=c++11 -MT assert.lo -MD -MP -MF $depbase.Tpo -c -o assert.lo assert.cc &&\
mv -f $depbase.Tpo $depbase.Plo
......
[root@localhost squid-3.5.28]# ln -s /usr/local/squid/sbin/* /usr/local/sbin/
[root@localhost squid-3.5.28]# useradd -M -s /sbin/nologin squid
[root@localhost squid-3.5.28]# chown -R squid:squid /usr/local/squid/var/
2.修改 Squid 的配置文件
vim /etc/squid.conf
......
--56行--插入
http_access allow all #放在 http_access deny all 之前,允许任意客户机使用代理服务,控制规则自上而下匹配
http_access deny all
http_port 3128 #用来指定代理服务监听的地址和端口(默认的端口号为 3128)
--61行--插入
cache_effective_user squid #添加,指定程序用户,用来设置初始化、运行时缓存的账号,否则启动不成功
cache_effective_group squid #添加,指定账号基本组
coredump_dir /usr/local/squid/var/cache/squid #指定缓存文件目录
3.Squid 的运行控制
#检查配置文件语法是否正确
squid -k parse
#启动 Squid,第一次启动 Squid 服务时,会自动初始化缓存目录
squid -z #-z 选项用来初始化缓存目录
squid #启动 squid 服务
netstat -anpt | grep "squid"
[root@localhost squid-3.5.28]# squid -k parse
2023/07/03 14:29:19| Startup: Initializing Authentication Schemes ...
2023/07/03 14:29:19| Startup: Initialized Authentication Scheme 'basic'
2023/07/03 14:29:19| Startup: Initialized Authentication Scheme 'digest'
2023/07/03 14:29:19| Startup: Initialized Authentication Scheme 'negotiate'
2023/07/03 14:29:19| Startup: Initialized Authentication Scheme 'ntlm'
2023/07/03 14:29:19| Startup: Initialized Authentication.
2023/07/03 14:29:19| Processing Configuration File: /etc/squid.conf (depth 0)
2023/07/03 14:29:19| Processing: acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
2023/07/03 14:29:19| Processing: acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
2023/07/03 14:29:19| Processing: acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
2023/07/03 14:29:19| Processing: acl localnet src fc00::/7 # RFC 4193 local private network range
2023/07/03 14:29:19| Processing: acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
2023/07/03 14:29:19| Processing: acl SSL_ports port 443
2023/07/03 14:29:19| Processing: acl Safe_ports port 80 # http
2023/07/03 14:29:19| Processing: acl Safe_ports port 21 # ftp
2023/07/03 14:29:19| Processing: acl Safe_ports port 443 # https
2023/07/03 14:29:19| Processing: acl Safe_ports port 70 # gopher
2023/07/03 14:29:19| Processing: acl Safe_ports port 210 # wais
2023/07/03 14:29:19| Processing: acl Safe_ports port 1025-65535 # unregistered ports
2023/07/03 14:29:19| Processing: acl Safe_ports port 280 # http-mgmt
2023/07/03 14:29:19| Processing: acl Safe_ports port 488 # gss-http
2023/07/03 14:29:19| Processing: acl Safe_ports port 591 # filemaker
2023/07/03 14:29:19| Processing: acl Safe_ports port 777 # multiling http
2023/07/03 14:29:19| Processing: acl CONNECT method CONNECT
2023/07/03 14:29:19| Processing: http_access deny !Safe_ports
2023/07/03 14:29:19| Processing: http_access deny CONNECT !SSL_ports
2023/07/03 14:29:19| Processing: http_access allow localhost manager
2023/07/03 14:29:19| Processing: http_access deny manager
2023/07/03 14:29:19| Processing: http_access allow localnet
2023/07/03 14:29:19| Processing: http_access allow localhost
2023/07/03 14:29:19| Processing: http_access allow all
2023/07/03 14:29:19| Processing: http_access deny all
2023/07/03 14:29:19| Processing: http_port 3128
2023/07/03 14:29:19| Processing: cache_effective_user squid
2023/07/03 14:29:19| Processing: cache_effective_group squid
2023/07/03 14:29:19| Processing: coredump_dir /usr/local/squid/var/cache/squid
2023/07/03 14:29:19| Processing: coredump_dir /usr/local/squid/var/cache/squid
2023/07/03 14:29:19| Processing: refresh_pattern ^ftp: 1440 20% 10080
2023/07/03 14:29:19| Processing: refresh_pattern ^gopher: 1440 0% 1440
2023/07/03 14:29:19| Processing: refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
2023/07/03 14:29:19| Processing: refresh_pattern . 0 20% 4320
[root@localhost squid-3.5.28]# squid -z
[root@localhost squid-3.5.28]# squid
[root@localhost squid-3.5.28]# netstat -anpt | grep "squid"
tcp6 0 0 :::3128 :::* LISTEN 10219/(squid-1)
4.创建 Squid 服务脚本
vim /etc/init.d/squid
#!/bin/bash
#chkconfig: 2345 90 25
PID="/usr/local/squid/var/run/squid.pid"
CONF="/etc/squid.conf"
CMD="/usr/local/squid/sbin/squid"
case "$1" in
start)
netstat -natp | grep squid &> /dev/null
if [ $? -eq 0 ]
then
echo "squid is running"
else
echo "正在启动 squid..."
$CMD
fi
;;
stop)
$CMD -k kill &> /dev/null
rm -rf $PID &> /dev/null
;;
status)
[ -f $PID ] &> /dev/null
if [ $? -eq 0 ]
then
netstat -natp | grep squid
else
echo "squid is not running"
fi
;;
restart)
$0 stop &> /dev/null
echo "正在关闭 squid..."
$0 start &> /dev/null
echo "正在启动 squid..."
;;
reload)
$CMD -k reconfigure
;;
check)
$CMD -k parse
;;
*)
echo "用法:$0{start|stop|status|reload|check|restart}"
;;
esac
#2345是默认自启动级别,如是-代表任何级别都不自启动;90是启动优先级,25是停止优先级,优先级范围是0-100,数字越大,优先级越低。
chmod +x /etc/init.d/squid
chkconfig --add squid
chkconfig --level 35 squid on
[root@localhost supervisor]# chmod +x /etc/init.d/squid
[root@localhost supervisor]# chkconfig --add squid
[root@localhost supervisor]# chkconfig --level 35 squid on
三.构建传统代理服务器
1.修改代理服务器配置文件
vim /etc/squid.conf
......
http_access allow all
http_access deny all
http_port 3128
cache_effective_user squid
cache_effective_group squid
--63行--插入
cache_mem 64 MB #指定缓存功能所使用的内存空间大小,便于保持访问较频繁的WEB对象,容量最好为4的倍数,单位为MB,一般设为物理内存的1/3
cache_swap_high 95 #cache目录使用量大于95%时,开始清理旧的cache
cache_swap_low 90 #cache目录清理到90%时停止
reply_body_max_size 100 MB #允许用户下载的最大文件大小,以字节为单位,当下载超过指定大小的 Web对象时,浏览器的报错页面中会出现“请求或访问太大”的提示默认设置0表示不进行限制
maximum_object_size 512000 KB #设置squid磁盘缓存最大文件,以KB为单位,超过的文件不保存到硬盘,而是直接转发给用户
maximum_object_size_in_memory 512 KB #设置squid内存缓存最大文件,超过的文件不保存到内存
minimum_object_size 0 KB 设置squid磁盘缓存最小文件
service squid restart
squid -k pares #查看当前配置是否生效
systemctl restart squid
netstat -lntp | grep squid
[root@localhost supervisor]# squid -k parse
2023/07/03 16:28:08| Startup: Initializing Authentication Schemes ...
2023/07/03 16:28:08| Startup: Initialized Authentication Scheme 'basic'
2023/07/03 16:28:08| Startup: Initialized Authentication Scheme 'digest'
2023/07/03 16:28:08| Startup: Initialized Authentication Scheme 'negotiate'
2023/07/03 16:28:08| Startup: Initialized Authentication Scheme 'ntlm'
2023/07/03 16:28:08| Startup: Initialized Authentication.
2023/07/03 16:28:08| Processing Configuration File: /etc/squid.conf (depth 0)
2023/07/03 16:28:08| Processing: acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
2023/07/03 16:28:08| Processing: acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
2023/07/03 16:28:08| Processing: acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
2023/07/03 16:28:08| Processing: acl localnet src fc00::/7 # RFC 4193 local private network range
2023/07/03 16:28:08| Processing: acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
2023/07/03 16:28:08| Processing: acl SSL_ports port 443
2023/07/03 16:28:08| Processing: acl Safe_ports port 80 # http
2023/07/03 16:28:08| Processing: acl Safe_ports port 21 # ftp
2023/07/03 16:28:08| Processing: acl Safe_ports port 443 # https
2023/07/03 16:28:08| Processing: acl Safe_ports port 70 # gopher
2023/07/03 16:28:08| Processing: acl Safe_ports port 210 # wais
2023/07/03 16:28:08| Processing: acl Safe_ports port 1025-65535 # unregistered ports
2023/07/03 16:28:08| Processing: acl Safe_ports port 280 # http-mgmt
2023/07/03 16:28:08| Processing: acl Safe_ports port 488 # gss-http
2023/07/03 16:28:08| Processing: acl Safe_ports port 591 # filemaker
2023/07/03 16:28:08| Processing: acl Safe_ports port 777 # multiling http
2023/07/03 16:28:08| Processing: acl CONNECT method CONNECT
2023/07/03 16:28:08| Processing: http_access deny !Safe_ports
2023/07/03 16:28:08| Processing: http_access deny CONNECT !SSL_ports
2023/07/03 16:28:08| Processing: http_access allow localhost manager
2023/07/03 16:28:08| Processing: http_access deny manager
2023/07/03 16:28:08| Processing: http_access allow localnet
2023/07/03 16:28:08| Processing: http_access allow localhost
2023/07/03 16:28:08| Processing: http_access allow all
2023/07/03 16:28:08| Processing: http_access deny all
2023/07/03 16:28:08| Processing: http_port 3128
2023/07/03 16:28:08| Processing: cache_effective_user squid
2023/07/03 16:28:08| Processing: cache_effective_group squid
2023/07/03 16:28:08| Processing: cache_mem 1024 MB
2023/07/03 16:28:08| Processing: cache_swap_high 95
2023/07/03 16:28:08| Processing: cache_swap_low 90
2023/07/03 16:28:08| Processing: maximum_object_size 512000 KB
2023/07/03 16:28:08| Processing: maximum_object_size_in_memory 512 KB
2023/07/03 16:28:08| Processing: minimum_object_size 0 KB
2023/07/03 16:28:08| Processing: coredump_dir /usr/local/squid/var/cache/squid
2023/07/03 16:28:08| Processing: coredump_dir /usr/local/squid/var/cache/squid
2023/07/03 16:28:08| Processing: refresh_pattern ^ftp: 1440 20% 10080
2023/07/03 16:28:08| Processing: refresh_pattern ^gopher: 1440 0% 1440
2023/07/03 16:28:08| Processing: refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
2023/07/03 16:28:08| Processing: refresh_pattern . 0 20% 4320
[root@localhost supervisor]# systemctl restart squid
[root@localhost supervisor]# netstat -lntp | grep squid
tcp6 0 0 :::3128 :::* LISTEN 55342/(squid-1)
2.生产环境中还需要修改防火墙规则
iptables -nL
iptables -nL -t
iptables -t filter -A INPUT -p tcp --dport 3128 -j ACCEPT
[root@localhost supervisor]# iptables -nL
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[root@localhost supervisor]# iptables -nL -t
iptables v1.4.21: option "-t" requires an argument
Try `iptables -h' or 'iptables --help' for more information.
[root@localhost supervisor]# iptables -t filter -A INPUT -p tcp --dport 3128 -j ACCEPT
3.客户机的代理配置
- 打开浏览器,工具–>Internet选项–>连接–>局域网设置–>开启代理服务器(地址:Squid服务器IP地址,端口:3128)
- 客户端配置
[root@localhost ~]# systemctl disable --now firewalld.service
Removed symlink /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
[root@localhost ~]# setenforce 0
[root@localhost ~]# cd /etc/yum.repos.d/
[root@localhost yum.repos.d]# ls
local.repo repo.bak
[root@localhost yum.repos.d]#vim /etc/yum.repos.d/nginx.repo
[nginx-stable]
name=nginx stable repo
baseurl=http://nginx.org/packages/centos/7/$basearch/
gpgcheck=0
enabled=1
[root@localhost yum.repos.d]# yum install -y nginx
已加载插件:fastestmirror, langpacks
Loading mirror speeds from cached hostfile
nginx-stable
......
已安装:
nginx.x86_64 1:1.24.0-1.el7.ngx
完毕!
[root@localhost yum.repos.d]# vim /etc/nginx/nginx.conf
[root@localhost yum.repos.d]# cd /usr/share/nginx/html/
[root@localhost html]# ls
50x.html index.html
[root@localhost html]# echo '<h1>You can do it!!!</h1>' >test.html
[root@localhost html]# ls
50x.html index.html test.html
[root@localhost html]# cd /var/log
[root@localhost log]# cd nginx/
[root@localhost nginx]# ls
access.log error.log
[root@localhost nginx]# systemctl enable --now nginx
Created symlink from /etc/systemd/system/multi-user.target.wants/nginx.service to /usr/lib/systemd/system/nginx.service.
[root@localhost nginx]# vim access.log
192.168.247.120 - - [03/Jul/2023:19:20:12 +0800] "GET /test.html HTTP/1.1" 200 26 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36 Edge/15.15063" "-"
192.168.247.120 - - [03/Jul/2023:19:20:13 +0800] "GET /favicon.ico HTTP/1.1" 404 555 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36 Edge/15.15063" "-"
192.168.247.134 - - [03/Jul/2023:19:39:46 +0800] "GET /test.html HTTP/1.1" 200 26 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36 Edge/15.15063" "192.168.247.120"
192.168.247.134 - - [03/Jul/2023:19:39:46 +0800] "GET /favicon.ico HTTP/1.1" 404 555 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36 Edge/15.15063" "192.168.247.120"
4.查看 Squid 访问日志的新增记录中的缓存命中情况
tail -f /usr/local/squid/var/logs/access.log
TCP_MEM_HIT/200
[root@localhost supervisor]# tail -f /usr/local/squid/var/logs/access.log
1688387765.170 1647 192.168.247.120 TCP_REFRESH_MODIFIED/200 850 GET http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEA177el9ggmWelJjG4vdGL0%3D - HIER_DIRECT/152.195.38.76 application/ocsp-response
1688387765.390 2136 192.168.247.120 TCP_TUNNEL/200 8012 CONNECT c.urs.microsoft.com:443 - HIER_DIRECT/20.195.112.105 -
1688387813.298 131929 192.168.247.120 TCP_TUNNEL/200 73136 CONNECT oneclient.sfx.ms:443 - HIER_DIRECT/23.205.37.39 -
1688388670.980 907668 192.168.247.120 TCP_TUNNEL/200 16388 CONNECT iecvlist.microsoft.com:443 - HIER_DIRECT/117.18.232.200 -
1688389566.621 1145 192.168.247.120 TCP_TUNNEL/200 7542 CONNECT c.urs.microsoft.com:443 - HIER_DIRECT/20.195.114.44 -
1688389627.238 789 192.168.247.120 TCP_MISS/304 438 GET http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab? - HIER_DIRECT/221.227.232.190 application/vnd.ms-cab-compressed
1688389627.280 35 192.168.247.120 TCP_MISS/304 440 GET http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab? - HIER_DIRECT/221.227.232.190 application/vnd.ms-cab-compressed
1688390199.138 19429 192.168.247.120 TCP_TUNNEL/200 39 CONNECT c.urs.microsoft.com:443 - HIER_DIRECT/20.198.188.157 -
1688390218.573 19432 192.168.247.120 TCP_TUNNEL/200 39 CONNECT c.urs.microsoft.com:443 - HIER_DIRECT/20.198.188.157 -
1688390218.670 95 192.168.247.120 TCP_TUNNEL/200 39 CONNECT c.urs.microsoft.com:443 - HIER_DIRECT/20.198.188.157 -
5.查看 Web 访问日志的新增记录
tail -f /var/log/httpd/access_log
- 在浏览器输入Web服务器IP地址访问,查看Web服务器访问日志,显示的是由代理服务器替客户机在访问。
四.构建透明代理服务器
1.安装前准备
Squid服务器:双网卡,内网ens33:192.168.80.10 外网ens36:12.0.0.1
Web 服务器:12.0.0.12
客户机:192.168.80.100
2.Squid服务器配置
vim /etc/squid.conf
......
http_access allow all
http_access deny all
--60行--修改添加提供内网服务的IP地址,和支持透明代理选项 transparent
http_port 192.168.80.10:3128 transparent
systemctl restart squid
3.开启路由转发,实现本机中不同网段的地址转发
echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
sysctl -p
[root@localhost supervisor]# echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
[root@localhost supervisor]# sysctl -p
net.ipv4.ip_forward = 1
4.修改防火墙规则
iptables -F
iptables -t nat -F
iptables -t nat -I PREROUTING -i ens33 -s 192.168.80.0/24 -p tcp --dport 80 -j REDIRECT --to-ports 3128 #用于转发http协议
iptables -t nat -I PREROUTING -i ens33 -s 192.168.80.0/24 -p tcp --dport 443 -j REDIRECT --to 3128 #用于转发https协议
iptables -I INPUT -p tcp --dport 3128 -j ACCEPT
[root@localhost supervisor]# iptables -F
[root@localhost supervisor]# iptables -t nat -F
[root@localhost supervisor]# iptables -t nat -I PREROUTING -i ens33 -s 192.168.247.0/24 -p tcp --dport 247 -j REDIRECT --to-ports 3128
[root@localhost supervisor]# iptables -t nat -I PREROUTING -i ens33 -s 192.168.247.0/24 -p tcp --dport 443 -j REDIRECT --to 3128
[root@localhost supervisor]# iptables -I INPUT -p tcp --dport 3128 -j ACCEPT
5.Web服务器配置
yum install -y httpd
systemctl start httpd
[root@localhost ~]# yum install -y httpd
已加载插件:fastestmirror, langpacks
.......
作为依赖被安装:
httpd-tools.x86_64 0:2.4.6-95.el7.centos mailcap.noarch 0:2.1.41-2.el7
完毕!
[root@localhost ~]# systemctl start httpd
6.关闭客户机的浏览器之前设置的代理服务器的功能后访问 http://12.0.0.12
7.查看 Squid 访问日志的新增记录
tail -f /usr/local/squid/var/logs/access.log
1631073624.552 0 192.168.80.200 TCP_MEM_HIT/200 449 GET http://12.0.0.12/ - HIER_NONE/- text/html
[root@localhost ~]# tail -f /usr/local/squid/var/logs/access.log
1688387813.298 131929 192.168.247.120 TCP_TUNNEL/200 73136 CONNECT oneclient.sfx.ms:443 - HIER_DIRECT/23.205.37.39 -
1688388670.980 907668 192.168.247.120 TCP_TUNNEL/200 16388 CONNECT iecvlist.microsoft.com:443 - HIER_DIRECT/117.18.232.200 -
1688389566.621 1145 192.168.247.120 TCP_TUNNEL/200 7542 CONNECT c.urs.microsoft.com:443 - HIER_DIRECT/20.195.114.44 -
1688389627.238 789 192.168.247.120 TCP_MISS/304 438 GET http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab? - HIER_DIRECT/221.227.232.190 application/vnd.ms-cab-compressed
1688389627.280 35 192.168.247.120 TCP_MISS/304 440 GET http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab? - HIER_DIRECT/221.227.232.190 application/vnd.ms-cab-compressed
1688390199.138 19429 192.168.247.120 TCP_TUNNEL/200 39 CONNECT c.urs.microsoft.com:443 - HIER_DIRECT/20.198.188.157 -
1688390218.573 19432 192.168.247.120 TCP_TUNNEL/200 39 CONNECT c.urs.microsoft.com:443 - HIER_DIRECT/20.198.188.157 -
1688390218.670 95 192.168.247.120 TCP_TUNNEL/200 39 CONNECT c.urs.microsoft.com:443 - HIER_DIRECT/20.198.188.157 -
1688392343.609 815 192.168.247.120 TCP_MISS/304 304 GET http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab? - HIER_DIRECT/209.197.3.8 -
1688392380.608 110138 192.168.247.120 TCP_TUNNEL/200 19836 CONNECT iecvlist.microsoft.com:443 - HIER_DIRECT/117.18.232.200 -
8.查看 Web 访问日志的新增记录,显示的是由代理服务器的外网口代替客户机在访问
tail -f /var/log/httpd/access_log
[root@localhost ~]# tail -f /var/log/httpd/access_log
12.0.0.12 - - [03/Jul/2023:23:00:31 +0800] "GET / HTTP/1.1" 403 4897 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0"
12.0.0.12 - - [03/Jul/2023:23:00:31 +0800] "GET /noindex/css/bootstrap.min.css HTTP/1.1" 200 19341 "http://12.0.0.12/" "Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0"
12.0.0.12 - - [03/Jul/2023:23:00:31 +0800] "GET /noindex/css/open-sans.css HTTP/1.1" 200 5081 "http://12.0.0.12/" "Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0"
12.0.0.12 - - [03/Jul/2023:23:00:31 +0800] "GET /images/apache_pb.gif HTTP/1.1" 200 2326 "http://12.0.0.12/" "Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0"
12.0.0.12 - - [03/Jul/2023:23:00:31 +0800] "GET /images/poweredby.png HTTP/1.1" 200 3956 "http://12.0.0.12/" "Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0"
12.0.0.12 - - [03/Jul/2023:23:00:31 +0800] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0"
12.0.0.12 - - [03/Jul/2023:23:00:31 +0800] "GET /noindex/css/fonts/Light/OpenSans-Light.woff HTTP/1.1" 404 241 "http://12.0.0.12/noindex/css/open-sans.css" "Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0"
12.0.0.12 - - [03/Jul/2023:23:00:31 +0800] "GET /noindex/css/fonts/Bold/OpenSans-Bold.woff HTTP/1.1" 404 239 "http://12.0.0.12/noindex/css/open-sans.css" "Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0"
12.0.0.12 - - [03/Jul/2023:23:00:31 +0800] "GET /noindex/css/fonts/Light/OpenSans-Light.ttf HTTP/1.1" 404 240 "http://12.0.0.12/noindex/css/open-sans.css" "Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0"
12.0.0.12 - - [03/Jul/2023:23:00:31 +0800] "GET /noindex/css/fonts/Bold/OpenSans-Bold.ttf HTTP/1.1" 404 238 "http://12.0.0.12/noindex/css/open-sans.css" "Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0"
12.0.0.12 - - [03/Jul/2023:23:04:00 +0800] "GET / HTTP/1.1" 403 4897 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0"
12.0.0.12 - - [03/Jul/2023:23:04:00 +0800] "GET /noindex/css/fonts/Light/OpenSans-Light.woff HTTP/1.1" 404 241 "http://12.0.0.12/noindex/css/open-sans.css" "Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0"
12.0.0.12 - - [03/Jul/2023:23:04:00 +0800] "GET /noindex/css/fonts/Bold/OpenSans-Bold.woff HTTP/1.1" 404 239 "http://12.0.0.12/noindex/css/open-sans.css" "Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0"
12.0.0.12 - - [03/Jul/2023:23:04:00 +0800] "GET /noindex/css/fonts/Light/OpenSans-Light.ttf HTTP/1.1" 404 240 "http://12.0.0.12/noindex/css/open-sans.css" "Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0"
12.0.0.12 - - [03/Jul/2023:23:04:00 +0800] "GET /noindex/css/fonts/Bold/OpenSans-Bold.ttf HTTP/1.1" 404 238 "http://12.0.0.12/noindex/css/open-sans.css" "Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0"
五.ACL访问控制
1.在配置文件 squid.conf 中,ACL 访问控制通过以下两个步骤来实现
(1)使用 acl 配置项定义需要控制的条件;
(2)通过 http_access 配置项对已定义的列表做“允许”或“拒绝”访问的控制。
2.定义访问控制列表
acl 列表名称 列表类型 列表内容 …
3.Squid服务器配置
vim /etc/squid.conf
......
acl localhost src 192.168.80.10/32 #源地址为 192.168.80.10
acl MYLAN src 192.168.80.0/24 192.168.1.0/24 #客户机网段
acl destinationhost dst 192.168.80.13/32 #目标地址为 192.168.80.13
acl MC20 maxconn 20 #最大并发连接 20
acl PORT port 21 #目标端口 21
acl DMBLOCK dstdomain .qq.com #目标域,匹配域内所有站点
acl BURL url_regex -i ^rtsp:// ^emule:// #以 rtsp://、emule:// 开头的目标 URL地址,-i表示忽略大小写
acl PURL urlpath_regex -i \.mp3$ \.mp4$ \.rmvb$ #以 .mp3、.mp4、.rmvb 结尾的目标 URL 路径
acl WORKTIME time MTWHF 08:30-17:30 #时间为周一至周五 8:30~17:30,“MTWHF”为每个星期的英文首字母
4.启动对象列表管理
mkdir /etc/squid
vim /etc/squid/dest.list
192.168.247.80
12.0.0.12
vim /etc/squid.conf
......
acl destinationhost dst "/etc/squid/dest.list" #调用指定文件中的列表内容
......
http_access deny(或allow) destinationhost
systemctl restart squid
5.浏览器访问Web服务器 http://12.0.0.12 ,显示被访问被拒绝。
六.Squid 日志分析
1.安装图像处理软件包
yum install -y pcre-devel gd gd-devel
mkdir /usr/local/sarg
tar zxvf sarg-2.3.7.tar.gz -C /opt/
cd /opt/sarg-2.3.7
./configure --prefix=/usr/local/sarg \
--sysconfdir=/etc/sarg \ #配置文件目录,默认是/usr/local/etc
--enable-extraprotection #额外安全防护
[root@localhost network-scripts]# yum install -y pcre-devel gd gd-devel
已加载插件:fastestmirror, langpacks
Loading mirror speeds from cached hostfile
epel/x86_64/metalink | 6.7 kB 00:00:00
* base: mirrors.aliyun.com
* epel: mirrors.bfsu.edu.cn
* extras: mirrors.aliyun.com
* updates: mirrors.aliyun.com
作为依赖被升级:
expat.x86_64 0:2.1.0-15.el7_9 freetype.x86_64 0:2.8-14.el7_9.1 libXpm.x86_64 0:3.5.12-2.el7_9 libblkid.x86_64 0:2.23.2-65.el7_9.1
libjpeg-turbo.x86_64 0:1.2.90-8.el7 libmount.x86_64 0:2.23.2-65.el7_9.1 libpng.x86_64 2:1.5.13-8.el7 libsmartcols.x86_64 0:2.23.2-65.el7_9.1
libuuid.x86_64 0:2.23.2-65.el7_9.1 util-linux.x86_64 0:2.23.2-65.el7_9.1 zlib.x86_64 0:1.2.7-21.el7_9
完毕!
[root@localhost network-scripts]# mkdir /usr/local/sarg
[root@localhost network-scripts]# cd /opt
[root@localhost opt]# tar xf sarg-2.3.7.tar.gz
[root@localhost opt]# cd /opt/sarg-2.3.7
[root@localhost sarg-2.3.7]# ./configure --prefix=/usr/local/sarg --sysconfdir=/etc/sarg --enable-extraprotection
checking build system type... x86_64-unknown-linux-gnu
checking host system type... x86_64-unknown-linux-gnu
checking for gcc... gcc
checking whether the C compiler works... yes
.......
2.修改配置文件
vim /etc/sarg/sarg.conf
--7行--取消注释
access_log /usr/local/squid/var/logs/access.log #指定访问日志文件
--25行--取消注释
title "Squid User Access Reports" #网页标题
--120行--取消注释,修改
output_dir /var/www/html/sarg #报告输出目录
--178行--取消注释
user_ip no #使用用户名显示
--184行--取消注释,修改
topuser_sort_field connect reverse #top排序中,指定连接次数采用降序排列,升序是normal
--190行--取消注释,修改
user_sort_field connect reverse #对于用户访问记录,连接次数按降序排序
--206行--取消注释,修改
exclude_hosts /usr/local/sarg/noreport #指定不计入排序的站点列表的文件
--257行--取消注释
overwrite_report no #同名同日期的日志是否覆盖
--289行--取消注释,修改
mail_utility mailq.postfix #发送邮件报告命令
--434行--取消注释,修改
charset UTF-8 #指定字符集UTF-8
--518行--取消注释
weekdays 0-6 #top排行的星期周期
--525行--取消注释
hours 0-23 #top排行的时间周期
--633行--取消注释
www_document_root /var/www/html #指定网页根目录
3.添加不计入站点文件,添加的域名将不被显示在排序中
touch /usr/local/sarg/noreport
ln -s /usr/local/sarg/bin/sarg /usr/local/bin/
sarg --help
[root@localhost sarg-2.3.7]# touch /usr/local/sarg/noreport
[root@localhost sarg-2.3.7]# ln -s /usr/local/sarg/bin/sarg /usr/local/bin/
4.验证
yum install httpd -y
systemctl start httpd
[root@localhost sarg-2.3.7]# yum install httpd -y
已加载插件:fastestmirror, langpacks
Loading mirror speeds from cached hostfile
* base: mirrors.aliyun.com
* epel: mirrors.bfsu.edu.cn
* extras: mirrors.aliyun.com
* updates: mirrors.aliyun.com
作为依赖被安装:
httpd-tools.x86_64 0:2.4.6-99.el7.centos.1 mailcap.noarch 0:2.1.41-2.el7
完毕!
[root@localhost sarg-2.3.7]# systemctl start httpd
5.运行
sarg #启动一次记录
[root@localhost sarg-2.3.7]# sarg
SARG: 纪录在文件: 48, reading: 100.00%
SARG: 成功的生成报告在 /var/www/html/sarg/2023Jul03-2023Jul03
6.浏览器访问 http://192.168.247.134/sarg ,查看sarg报告网页
7.添加计划任务,执行每天生成报告
vim /usr/local/sarg/report.sh
#/bin/bash
#Get current date
TODAY=$(date +%d/%m/%Y)
#Get one week ago today
YESTERDAY=$(date -d "1 day ago" +%d/%m/%Y)
/usr/local/sarg/bin/sarg -l /usr/local/squid/var/logs/access.log -o /var/www/html/sarg -z -d $YESTERDAY-$TODAY &> /dev/null
find ./ -type d -a -name "$(env LANG=en_US.UTF-8 date -d "30 day ago" +%Y%b%d)-$(env LANG=en_US.UTF-8 date -d "29 day ago" +%Y%b%d)" | xargs rm -rf
exit 0
8.授权
chmod +x /usr/local/sarg/report.sh
9.设置周期
crontab -e
0 0 * * * /usr/local/sarg/report.sh
七.Squid 反向代理
1.工作机制
- 缓存网页对象,减少重复请求
- 将互联网请求轮训或按权重分配到内网Web服务器
- 代理用户请求,避免用户直接访问Web服务器,提高安全
2.修改配置文件
vim /etc/squid.conf
......
--60行--修改,插入
http_port 192.168.80.10:80 accel vhost vport
cache_peer 192.168.80.11 parent 80 0 no-query originserver round-robin max_conn=30 weight=1 name=web1
cache_peer 192.168.80.12 parent 80 0 no-query originserver round-robin max_conn=30 weight=1 name=web2
cache_peer_domain web1 web2 www.kgc.com
#表示对www.kgc.com的请求,squid向192.168.80.11和192.168.80.12的80端口发出请求
3.清空之前透明模式配置的 iptables 规则
iptables -F
iptables -t nat -F
systemctl stop httpd #防止 httpd 服务使用的 80 端口号和 squid 反向代理配置的监听端口冲突
systemctl restart squid
[root@localhost sarg-2.3.7]# iptables -F
[root@localhost sarg-2.3.7]# iptables -t nat -F
[root@localhost sarg-2.3.7]# systemctl stop httpd
[root@localhost sarg-2.3.7]# systemctl restart squid
4.后端节点服务器设置
yum install -y httpd
systemctl start httpd
[root@localhost sarg-2.3.7]# yum install httpd -y
已加载插件:fastestmirror, langpacks
Loading mirror speeds from cached hostfile
* base: mirrors.aliyun.com
* epel: mirrors.bfsu.edu.cn
已安装:
httpd.x86_64 0:2.4.6-99.el7.centos.1
作为依赖被安装:
httpd-tools.x86_64 0:2.4.6-99.el7.centos.1 mailcap.noarch 0:2.1.41-2.el7
完毕!
[root@localhost sarg-2.3.7]# systemctl start httpd
5.节点1
echo "Welcome to the world of Black" >> /var/www/html/index.html
6.节点2
echo "Welcome to the world of Light" >> /var/www/html/index.html
7.客户机的域名映射配置
修改 C:\Windows\System32\drivers\etc\hosts 文件
192.168.80.10 www.kgc.com
8.浏览器不开启代理访问 http://www.kgc.com
9.查看缓存命中情况
tailf /usr/local/squid/var/logs/access.log
1631164427.547 0 192.168.247.200 TCP_MEM_HIT/200 381 GET http://www.kgc.com/ - HIER_NONE/- text/html
[root@localhost sarg-2.3.7]# tailf /usr/local/squid/var/logs/access.log
1688390199.138 19429 192.168.247.120 TCP_TUNNEL/200 39 CONNECT c.urs.microsoft.com:443 - HIER_DIRECT/20.198.188.157 -
1688390218.573 19432 192.168.247.120 TCP_TUNNEL/200 39 CONNECT c.urs.microsoft.com:443 - HIER_DIRECT/20.198.188.157 -
1688390218.670 95 192.168.247.120 TCP_TUNNEL/200 39 CONNECT c.urs.microsoft.com:443 - HIER_DIRECT/20.198.188.157 -
1688392343.609 815 192.168.247.120 TCP_MISS/304 304 GET http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab? - HIER_DIRECT/209.197.3.8 -
1688392380.608 110138 192.168.247.120 TCP_TUNNEL/200 19836 CONNECT iecvlist.microsoft.com:443 - HIER_DIRECT/117.18.232.200 -
1688398872.573 5 192.168.247.80 TCP_DENIED/403 4123 GET http://12.0.0.12/ - HIER_NONE/- text/html
1688398872.608 0 192.168.247.80 TCP_DENIED/403 4208 GET http://localhost.localdomain:3128/squid-internal-static/icons/SN.png - HIER_NONE/- text/html
1688398872.610 0 192.168.247.80 TCP_DENIED/403 4057 GET http://12.0.0.12/favicon.ico - HIER_NONE/- text/html
1688460912.786 12 192.168.247.120 TCP_MISS/200 384 GET http://www.kgc.com/ - ROUNDROBIN_PARENT/192.168.247.90 text/html
1688460912.879 3 192.168.247.120 TCP_MISS/404 482 GET http://www.kgc.com/favicon.ico - ROUNDROBIN_PARENT/192.168.247.80 text/html
302
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
