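Compiling and Installing Squid 4.15
Because the RPM-packaged Squid cache server has known security vulnerabilities, the latest stable 4.x release is compiled and installed from source instead. Squid supports several modes: ordinary (forward) proxy, transparent proxy and reverse proxy. In the Youjiao (优教) system, Squid runs in reverse proxy mode and is used as a cache server.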
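1.1 Differences between a reverse proxy and a forward proxy
A forward proxy acts on behalf of the client (the traditional proxy); a reverse proxy acts on behalf of the server.
With a forward proxy, the client is hidden from the server (the server does not know the client's real IP); with a reverse proxy, the server is hidden from the client (the client does not know the real server's IP; the address it knows is likely the proxy server's).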
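1.2 How the Squid reverse proxy works
The Squid reverse proxy server sits between the local web server and the Internet. When a client requests the web server, DNS resolves the requested domain name to the IP address of the Squid reverse proxy, so the client connects to the Squid proxy server.
If the Squid reverse proxy has the requested resource in its cache, it returns that resource to the client. Otherwise it requests the resource from the back-end web server, returns the response to the client, and stores a copy in its local cache for the next request.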
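1.3 Recommended environment for Squid
Operating system: CentOS Linux release 7.6.x (Core)
Cache software version: squid-4.15
Partition requirement: a separate, sufficiently large disk for the opt partition; > 2 TB recommended
Memory requirement: at least 16 GB recommended
CPU requirement: 4 cores recommended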
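1.4 Compiling and installing Squid
1) Install the dependency packages with yum
yum install -y epel-release
# openssl-devel provides the headers needed by --with-openssl in the configure step below
yum install -y gcc gcc-c++ gcc-gnat libgcc libgcc.i686 glibc-devel bison flex texinfo openssl-devel
# "Development Tools" is a package group, so it is installed with groupinstall
yum groupinstall -y "Development Tools"
2) Run configure with the following options: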
./configure --prefix=/usr/local/squid --sysconfdir=/etc/squid --enable-arp-acl --enable-linux-netfilter --enable-linux-tproxy --enable-async-io=100 --enable-err-language="Simplify_Chinese" --enable-poll --enable-gnuregex --with-openssl --enable-icmp --enable-auth-bearer
If configuration succeeds, a Makefile is generated.
3) Compile and install:
make
make install
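4) Other setup:
# Add symlinks:
ln -s /usr/local/squid/sbin/* /usr/local/sbin/
# Add a dedicated user with no home directory and no login shell:
useradd -M -s /sbin/nologin squid
# Set ownership:
chown -R squid:squid /usr/local/squid/var/
# Create the Squid cache and log directories
mkdir -p /opt/squid/cache
mkdir -p /var/log/squid
chown -R squid:squid /opt/squid/cache
chown -R squid:squid /var/log/squid
# Start Squid at boot
if grep -q "/usr/local/squid/sbin/squid" /etc/rc.local; then
    echo "开机启动已添加"    # "boot entry already present"
else
    echo "/usr/local/squid/sbin/squid -s" >> /etc/rc.local
    # On CentOS 7, rc.local only runs at boot if it is executable
    chmod +x /etc/rc.d/rc.local
    echo "squid加入开机启动"    # "Squid added to boot startup"
fi
# Initialize Squid (creates the cache_dir directories defined in squid.conf; run it again after changing cache_dir in 1.5):
squid -z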
1.5 Configuring Squid
Edit squid.conf
vi /etc/squid/squid.conf
Enable the cache directory location:
The full configuration is as follows:
#
# Recommended minimum configuration:
#
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
#acl all src all
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 443 # https
acl Safe_ports port 3130 # sibling port
acl CONNECT method CONNECT
#squidclient
acl managercache src 127.0.0.1
acl Purge method PURGE
#http_access allow managercache Purge
http_access allow managercache
http_access deny Purge
#squid cachemgr.cgi
# "manager" is a built-in ACL since Squid 3.2; redefining it with a different type makes Squid 4 reject squid.conf, so this line stays commented out
#acl manager proto cache_object
# Left disabled: an unrestricted "allow manager" would open the cache manager to every client, contradicting the localhost-only rule below
#http_access allow manager
#
#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager
#http_access allow all
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
# And finally deny all other access to this proxy
##http_access deny all
# Squid normally listens to port 3128
http_port 80 accel vport vhost
# Put Squid in accel (accelerator) mode. vhost is required; without it the Host header is not forwarded to the back-end server and requests fail with a host-header-not-found error
# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /usr/local/squid/var/cache/squid 100 16 256
# Leave coredumps in the first cache dir
coredump_dir /usr/local/squid/var/cache/squid
################# added content: start ###################################
#refresh_pattern [-i] regexp min(in minutes) percent max [options]
# Force caching of this content, in violation of the HTTP protocol.
# ignore-no-store and ignore-private make Squid store responses marked Cache-Control: no-store / private,
# so this pattern must only match static files that are identical for every user.
refresh_pattern -i \.(cab|zip|exe|ms[i|p]|avc|mp4|doc|docx|ppt|pptx|png|jpeg|jpg|pdf|mp3) 4320 0% 43200 override-expire override-lastmod reload-into-ims ignore-no-store ignore-private
# Squid log file locations
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log # cache log
cache_store_log /var/log/squid/store.log # store log
#cache_dir scheme directory size(space in MB) L1(number of first-level directories) L2(number of second-level directories) [options]((read-only max-size maximum file size in MB))
cache_dir ufs /opt/squid/cache 10000 128 256 # cache path
################## added content: start ###################################
cache_mem 99 MB # memory cache size
cache_swap_low 90 # start gradually evicting old objects once cache usage reaches 90%
cache_swap_high 95 # evict old objects immediately once cache usage reaches 95%
maximum_object_size 1008192 KB # maximum size of a cached object
minimum_object_size 0 KB # minimum size of a cached object
maximum_object_size_in_memory 409600 KB # maximum size of a cached object held in memory
memory_replacement_policy lru # cache replacement algorithm
#####################################################
cache_mgr admin@test.com # administrator e-mail
cache_effective_user squid # user the program runs as
cache_effective_group squid # group the program runs as
#visible_hostname www.yangwenbo.com # Squid host name
######################################################
# Set the ICP port to 3130; used when Squid instances query each other to synchronize cached data.
icp_port 3130
#
# hostname type port port options
# -------------------- -------- ----- ----- -----------
# cache_peer parent.foo.net parent 3128 3130 default
cache_peer 192.168.1.111 parent 80 3130 no-query no-digest max-conn=3000 originserver name=c_01
acl our_sites_01 dstdomain c.test.com
http_access allow our_sites_01
cache_peer_access c_01 allow our_sites_01
cache_peer_access c_01 deny all
# In cluster mode, the local Squid and the other Squid work as siblings so that each can fetch cached data from the other (for Squid cluster environments)
cache_peer 192.168.1.1 sibling 80 3130 name=cache1
cache_peer 192.168.1.2 sibling 80 3130 name=cache2
# Domain names of the reverse-proxied origin web sites; because they are domain names, they must be mapped in the hosts file on the Squid machine
hosts_file /etc/hosts # location of the host name mapping file
request_header_max_size 128 KB # maximum size of the request headers
ipcache_size 1024
ipcache_low 90
ipcache_high 95
#################### added content: end ##################
#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
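An added example (not part of the original article or of Squid itself): a POSIX shell function that audits a squid.conf for three patterns that matter in a reverse-proxy cache configuration like the one above: an http_access allow manager rule with no source restriction, no explicit final http_access deny all, and refresh_pattern options that store private or no-store responses. The function name, the finding codes and the sample rules are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original article. audit_squid_conf FILE prints
# one finding code per line; empty output means none of the three patterns matched.
audit_squid_conf() {
    awk '
        {   # n = number of fields before any "#" comment on the line
            n = NF
            for (i = 1; i <= NF; i++)
                if (substr($i, 1, 1) == "#") { n = i - 1; break }
        }
        n == 0 { next }
        $1 == "http_access" {
            # remember the last active rule; only a bare "deny all" counts as final deny
            last = (n == 3 ? $2 " " $3 : "other")
            # "allow manager" with no further ACL: any client may query the cache manager
            if (n == 3 && $2 == "allow" && $3 == "manager") open_mgr = 1
        }
        $1 == "refresh_pattern" {
            # these options override Cache-Control: private / no-store from the origin
            for (i = 2; i <= n; i++)
                if ($i == "ignore-private" || $i == "ignore-no-store") priv = 1
        }
        END {
            if (open_mgr) print "OPEN_MANAGER"
            if (last != "deny all") print "NO_FINAL_DENY"
            if (priv) print "CACHES_PRIVATE"
        }
    ' "$1"
}

# Constructed sample input (hypothetical rules, trimmed to the relevant lines).
sample=$(mktemp)
cat > "$sample" <<'EOF'
http_access allow manager            # no source restriction
http_access allow localhost manager
http_access deny manager
refresh_pattern -i \.(pdf|mp4) 4320 0% 43200 override-expire ignore-no-store ignore-private
acl our_sites_01 dstdomain c.test.com
http_access allow our_sites_01
##http_access deny all
EOF
audit_squid_conf "$sample"
rm -f "$sample"
```

Run it against /etc/squid/squid.conf after squid -k parse succeeds; each code printed names a rule to review before the proxy is exposed to clients.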
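1.6 Starting and stopping Squid
1) Start:
squid
2) Start in the background:
squid -s
3) Apply changed configuration parameters:
squid -k reconfigure
4) Check that Squid started successfully:
netstat -anpt|grep squid
5) Stop the service:
squid -k shutdown, or kill -9 15465 (where 15465 stands for the PID of the squid process; kill -9 ends the process without a clean shutdown, so prefer squid -k shutdown)
6) Restart the service:
squid -k restart
7) Test the configuration:
squid -k parse
8) Enable start at boot:
vim /etc/rc.local
Add the following line: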
/usr/local/squid/sbin/squid -s
This article was compiled from https://www.cnblogs.com/dennyLee2025/p/13360310.html and other articles on the web; thanks to the many contributors for their work.