一、两种方法提高打开文件数限制
1、第一种方法
vi /etc/rc.local
在最后添加
# Raise the open-file-descriptor limit for processes started from rc.local.
# The commented-out variant would set both the hard (-H) and soft (-S) limit.
# NOTE(review): 65535 here, 65536 in the configure line further down —
# presumably meant to match; confirm.
#ulimit -HSn 65536
ulimit -n 65535
2、第二种方法
vi /etc/security/limits.conf
在文件最后添加
# Soft and hard limit on open files (nofile) for every user matched by "*".
* soft nofile 65536
* hard nofile 65536
二、下载squid并编译安装
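# Download and unpack the Squid 3.3.2 source.
cd /usr/local/src/
wget http://www.squid-cache.org/Versions/v3/3.3/squid-3.3.2.tar.gz
# The download is plain HTTP and the resulting binary is later started as
# root: check the tarball against the checksum or signature published by the
# Squid project before unpacking it.
tar zxvf squid-3.3.2.tar.gz
cd squid-3.3.2
# The first continuation needs a space before its trailing backslash; without
# it --enable-epoll is glued onto the preceding option and configure
# recognizes neither. The option is spelled --enable-cache-digests.
./configure --prefix=/usr/local/squid --enable-gnuregex --enable-async-io=160 --enable-cache-digests \
  --enable-epoll --with-filedescriptors=65536 --enable-storeio="diskd,rock,ufs,aufs" \
  --disable-internal-dns --enable-kill-parent-hack --disable-ident-lookups --enable-linux-netfilter --disable-snmp
# Install only if the build succeeded.
make && make install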
三、建立squid用户及相关目录
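# Create a system account for the proxy with no usable login shell.
# Output and errors are discarded, so a failed useradd goes unnoticed here and
# only shows up when the chown below fails.
useradd -d /usr/local/squid/ -r -s /dev/null squid >/dev/null 2>&1
chown -R squid:squid /usr/local/squid
# Not 777: a world-writable install tree lets any local account replace the
# binaries and squid.conf that root later starts. Owner read/write, everyone
# else read-only (X grants execute only on directories and files that are
# already executable).
chmod -R u=rwX,go=rX /usr/local/squid
# NOTE(review): the squid account still owns the whole tree, binaries included;
# presumably only the writable var/ subtree needs to belong to it — confirm
# against the installed layout.
mkdir -p /var/log/squid
chown -R squid:squid /var/log/squid/
# Access logs record client addresses and requested URLs, so other accounts
# get no access to the log directory.
chmod -R u=rwX,g=rX,o= /var/log/squid/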
四、配置squid.conf文件
vi /usr/local/squid/etc/squid.conf
##########以下是我的squid.conf内容#################
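# Client networks allowed to use the proxy.
# The page listed the whole ACL block twice, differing only in the second
# subnet; the duplicate is removed and both subnets are kept.
acl inside src 172.21.41.0/24
# "***_inside" appears to be masked on the source page; substitute the real
# ACL name here and in the matching http_access line.
acl ***_inside src 10.14.0.0/16
acl ***_inside src 10.15.0.0/16

# Cache manager access.
# NOTE(review): Squid 3.2 and later predefine the manager and localhost ACLs
# (presumably why the localhost line is commented out) — confirm whether this
# explicit manager definition is still wanted.
acl manager url_regex -i ^cache_object:// /squid-internal-mgr/
#acl localhost src 127.0.0.1
acl managerAdmin src 172.21.41.22

acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

# Do not cache dynamic pages or large media downloads.
acl QUERY urlpath_regex -i cgi-bin \? \.asp \.php \.jsp \.cgi
acl download urlpath_regex -i \.avi$ \.rmvb$ \.rm$ \.ra$ \.ram$ \.mpe$ \.smi$
cache deny QUERY
cache deny download

# squidGuard provides the blacklist here; omit the next line if you do not
# use squidGuard.
redirect_program /usr/local/bin/squidGuard -c /usr/local/squidGuard/squidGuard.conf

# http_access rules are evaluated top-down and the first match wins.
# The two port rules below were commented out in the original and sat after
# the allow rules, so the Safe_ports and SSL_ports ACLs had no effect and every
# permitted client could be relayed to any destination port. They are enabled
# and placed first, as in the stock squid.conf.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# Cache manager: only from the proxy itself and from the managerAdmin host.
http_access allow manager localhost
http_access allow manager managerAdmin
http_access deny manager

http_access allow inside
http_access allow ***_inside
http_access allow localhost
# And finally deny all other access to this proxy
http_access deny all

max_filedescriptors 65535

# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
#range_offset_limit 0 KB

workers 4

# Port that receives intercepted (transparent) traffic.
http_port 172.21.41.8:3128 intercept
# Second port so the proxy can be entered explicitly in IE, mainly for
# testing; not needed when the proxy is used only in transparent mode.
http_port 172.21.41.8:3129

cache_mem 1000 MB
# Uncomment and adjust the following to add a disk cache directory.
cache_dir aufs /home/cache1 6000 16 256
cache_dir aufs /home/cache2 6000 16 256
cache_effective_user squid
cache_effective_group squid
cache_swap_low 85
cache_swap_high 95
maximum_object_size 4 MB
coredump_dir /var/log/squid/

debug_options ALL,1
access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
#cache_store_log /var/log/squid/store.log
cache_store_log none
logfile_rotate 10

client_lifetime 15 minutes
read_timeout 3 minutes
half_closed_clients off
request_timeout 1 minutes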
五、建立cache目录,并运行
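# Create both cache_dir locations named in squid.conf and hand them to the
# squid account.
mkdir -p /home/cache1 /home/cache2
chown -R squid:squid /home/cache1 /home/cache2
# Not 777: only the squid account needs access. World-writable cache
# directories would let any local account alter objects the proxy later
# serves to clients.
chmod -R u=rwX,g=rX,o= /home/cache1 /home/cache2
# Build the cache directory structure, then start the proxy.
/usr/local/squid/sbin/squid -z
# The original passed -D here; that option is obsolete in Squid 3.1 and later
# and only produces a warning, and the ps listing in the next section shows
# the daemon running without it.
/usr/local/squid/sbin/squid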
六、查看运行状态
[root@squid etc]# ps -aux |grep squid
Warning: bad syntax, perhaps a bogus '-'? See /usr/share/doc/procps-3.2.8/FAQ
root 2178 0.0 0.0 1063800 1688 ? Ss 22:11 0:00 /usr/local/squid/sbin/squid
squid 2180 0.0 0.1 1098456 16752 ? S 22:11 0:00 (squid-coord-5)
squid 2185 0.0 0.1 1102476 19916 ? S 22:11 0:00 (squid-1)
squid 2191 0.0 0.0 22484 1168 ? S 22:11 0:00 (dnsserver)
squid 2194 0.0 0.0 22484 1176 ? S 22:11 0:00 (dnsserver)
squid 2242 0.0 0.1 1102476 17872 ? S 22:11 0:00 (squid-2)
squid 2243 0.0 0.0 22484 1172 ? S 22:11 0:00 (dnsserver)
squid 2247 0.0 0.1 1102476 19916 ? S 22:11 0:00 (squid-4)
squid 2250 0.0 0.0 22484 1172 ? S 22:11 0:00 (dnsserver)
squid 2262 0.0 0.1 1102476 17876 ? S 22:11 0:00 (squid-3)
squid 2263 0.0 0.0 22484 1172 ? S 22:11 0:00 (dnsserver)
root 2332 0.0 0.0 103240 900 pts/0 S+ 22:18 0:00 grep squid
一共4个worker进程(squid-1至squid-4,对应squid.conf中的 workers 4)
七、循环squid的日志
crontab -e
# 23:40 every day: generate the sarg report from the current Squid logs.
40 23 * * * /usr/local/sarg/bin/sarg
# 23:50 every day: rotate the Squid logs; the ten-minute gap leaves the report
# time to finish first.
50 23 * * * /usr/local/squid/sbin/squid -k rotate
每天晚上23:40分转换sarg记录,23:50分开始循环squid的日志
由于转换要时间,所以我设置了10分钟的空余
备注:
在IE中把代理设置为 172.21.41.8、端口 3129 时,使用的是squid.conf中的 dns_children 32 startup=1 idle=1 设置(上文贴出的squid.conf中没有这一行,需要自行添加),前提是编译时使用了 --disable-internal-dns 参数。
这样可以支持多线程解析,在bind没有启用多线程的情况下,这种方式还是不错的。
本人使用的是透明代理,客户端通过dhcp获得dns服务器地址,而我把dns server和squid代理部署在同一台服务器上。bind配置的也是多线程,所以在透明代理模式下,dns解析不经过squid。
转载于:https://blog.51cto.com/smtlwt/1170410