Looking for an expert to help; please email brandon.zhou@gmail.com. Many thanks!

I have deployed a Squid reverse transparent proxy at my company and have run into a problem.

[Configuration]
Single NIC / NAT (one internal IP bound to a public IP) / Squid Cache: Version 2.6.STABLE20 / Linux firewall off / http_port 80 accel vhost vport (reverse transparent proxy configuration)

The server sits on the company intranet, i.e. behind the firewall.

[Symptoms]

Reverse proxy tests

1. Reverse proxy from inside the company: OK

2. Tests from the Internet

        a. From the Internet without passing through the firewall, e.g. connecting by public IP directly to the public address the firewall maps to the Squid server; path: client -> internet -> firewall -> squid: OK

        b. Through the firewall; path: client -> firewall -> internet -> firewall -> squid: OK

[My analysis]

But most of the users are enterprise users, or sit behind a firewall, so this problem is a real headache. Since testing from inside the company works fine, I think the problem is not in the proxy server itself but in what happens to the packets after they are translated several times by firewalls. My understanding of the packet translation layer is not very deep; I hope you can help explain it from the network layer.

[Environment parameters]

1. NIC
Single NIC, one company-internal IP

The internal IP is mapped to the public IP on the firewall (Cisco PIX)

2. Squid version and configure options

[root@proxy sbin]# ./squid -v
Squid Cache: Version 2.6.STABLE20
configure options:  '--prefix=/Data/apps/squid20' '--enable-useragent-log' '--enable-referer-log' '--disable-internal-dns' '--enable-follow-x-forwarded-for' '--enable-storeio=aufs,ufs' '--with-maxfd=65536' '--with-pthreads' '--enable-dlmalloc' '--enable-poll' '--enable-stacktraces' '--enable-removal-policies=heap,lru' '--enable-delay-pools'

3. Squid.conf

[root@proxy etc]# cat squid.conf | sed '/ *#/d; /^ *$/d'
http_port 80 accel vhost vport
cache_peer 127.0.0.1 parent 8080 0 no-query originserver name=web1
acl sites_server_1 dstdomain web1.test.com
cache_peer_access web4 allow sites_server_1
cache_peer  172.18.8.124 parent 8888 0  no-query originserver name=web2
acl sites_server_2 dstdomain web2.test.com
cache_peer_access web2 allow sites_server_2
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
collapsed_forwarding .
cache_mem 512 MB
cache_swap_low 90
cache_swap_high 95
maximum_object_size 4096 KB
minimum_object_size 0 KB
maximum_object_size_in_memory 80 KB
ipcache_size 1024
ipcache_low 90
ipcache_high 95
cache_replacement_policy lru
memory_replacement_policy lru
cache_dir ufs /Data/apps/squid20/cache 1024 16 256
access_log /Data/apps/squid20/var/logs/access.log
cache_log /Data/apps/squid20/var/logs/cache.log
emulate_httpd_log .
dns_children 80
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
refresh_pattern ^ftp:        1440    20%    10080
refresh_pattern ^gopher:    1440    0%    1440
refresh_pattern .        0    20%    4320
quick_abort_min 0 KB
quick_abort_max 0 KB
forward_timeout 20 seconds
connect_timeout 15 seconds
read_timeout 3 minutes
request_timeout 1 minutes
persistent_request_timeout 15 seconds
client_lifetime 15 minutes
half_closed_clients off
shutdown_lifetime 5 seconds
cache_mgr brandon.zhou@gmail.com
cache_effective_user squid20
cache_effective_group squid20
visible_hostname proxy.800best.com
logfile_rotate 0
tcp_recv_bufsize 65535 bytes
coredump_dir /Data/apps/squid20/cache
client_persistent_connections off
server_persistent_connections .
vary_ignore_expire .
strip_query_terms .
cachemgr_passwd 123456 all
acl OverConnLimit maxconn 20
http_access deny OverConnLimit
acl all src 0.0.0.0/0.0.0.0
acl internet src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl server src 172.18.15.105/255.255.255.255
acl LAN src 172.18.0.0/16
acl Srvdm   dstdomain  .800best.com     .800best.net    .800logistics.cn
acl to_localhost dst 127.0.0.0/8
acl purgehost src   127.0.0.0/8
acl purgemethod method PURGE    
acl SSL_ports port 443 563
acl CONNECT method CONNECT      
http_access allow all
http_access allow manager localhost
http_access allow manager server
http_access deny manager all
http_access allow purgemethod purgehost
http_access deny !Safe_ports
http_access deny CONNECT all
http_access allow localhost
http_access allow LAN
http_access allow internet
http_reply_access allow all
http_access deny all
icp_port 0
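
As an added example (not part of the original post), here is a small Python lint that a reviewer would run over a squid.conf like the one above before looking at the network path. It checks three things: cache_peer_access lines that name a peer no cache_peer defined (in the listing, web1 is defined but web4 is referenced, so that rule never attaches to a peer), http_access/http_reply_access/cache_peer_access lines that use an ACL no acl line defined, and an unconditional `http_access allow all` that makes every http_access rule after it unreachable, so the later deny rules for CONNECT and the manager interface never apply. SAMPLE_CONF is a trimmed copy of the posted configuration embedded as test data. Two assumptions: a `#` starts a comment wherever it appears on a line (the Squid convention, which is why the default `acl Safe_ports port 80 # http` lines are valid), and the ACL named `all` is the conventional catch-all `src 0.0.0.0/0.0.0.0`. Note that the listing filter `sed '/ *#/d'` deletes every line that contains a `#`, including those default Safe_ports lines, so the `Safe_ports` finding below most likely reflects the listing rather than the running config.

```python
"""Added example: a small lint for a Squid 2.6-style squid.conf.

Flags: cache_peer_access naming an undefined peer (Squid resolves the
name when it reads the line, so a peer must be defined above its use),
access rules naming an undefined ACL, and an unconditional
`http_access allow all` that shadows every http_access rule after it.
"""

# Trimmed copy of the configuration posted in the thread (constructed
# test data; the real file has more directives).
SAMPLE_CONF = """\
http_port 80 accel vhost vport
cache_peer 127.0.0.1 parent 8080 0 no-query originserver name=web1
acl sites_server_1 dstdomain web1.test.com
cache_peer_access web4 allow sites_server_1
cache_peer 172.18.8.124 parent 8888 0 no-query originserver name=web2
acl sites_server_2 dstdomain web2.test.com
cache_peer_access web2 allow sites_server_2
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl LAN src 172.18.0.0/16
acl CONNECT method CONNECT
http_access allow all
http_access allow manager localhost
http_access deny manager all
http_access deny !Safe_ports
http_access deny CONNECT all
http_access allow LAN
http_access deny all
"""


def config_lines(text):
    """Yield (line_no, directive, args) for every non-comment line.

    A '#' starts a comment wherever it appears (assumed Squid convention),
    so a directive with a trailing comment is kept, unlike with the
    sed '/ *#/d' filter used in the post, which drops the whole line.
    """
    for no, raw in enumerate(text.splitlines(), 1):
        words = raw.split("#", 1)[0].split()
        if words:
            yield no, words[0], words[1:]


def _check_acls(no, names, acls, findings):
    """Record any ACL name (optionally negated with '!') not yet defined."""
    for name in names:
        bare = name.lstrip("!")
        if bare and bare not in acls:
            findings.append((no, f"undefined ACL '{bare}'"))


def lint(text):
    """Return a sorted list of (line_no, message) findings."""
    findings, acls, peers = [], set(), set()
    allow_all_line, shadowed = None, 0
    for no, directive, args in config_lines(text):
        if directive == "acl" and args:
            acls.add(args[0])
        elif directive == "cache_peer" and args:
            # name= overrides the default peer name (its hostname)
            name = next((a[5:] for a in args if a.startswith("name=")), args[0])
            peers.add(name)
        elif directive == "cache_peer_access" and len(args) >= 2:
            if args[0] not in peers:
                findings.append((no, f"undefined cache_peer '{args[0]}'"))
            _check_acls(no, args[2:], acls, findings)
        elif directive in ("http_access", "http_reply_access") and len(args) >= 2:
            _check_acls(no, args[1:], acls, findings)
            if directive == "http_access":
                if allow_all_line is not None:
                    shadowed += 1          # rule after 'allow all': never reached
                elif args == ["allow", "all"]:
                    allow_all_line = no    # assumes 'all' is the catch-all ACL
    if allow_all_line is not None and shadowed:
        findings.append((allow_all_line,
                         f"'http_access allow all' shadows the {shadowed} "
                         f"http_access rule(s) after it"))
    return sorted(findings)


if __name__ == "__main__":
    for no, msg in lint(SAMPLE_CONF):
        print(f"line {no}: {msg}")
```

Run it against the full file with `lint(open("squid.conf").read())`; the findings are ordered by line number so they can be fixed top to bottom, and moving the `http_access allow all` line below the deny rules (or removing it) is what restores the intended deny-by-default ordering.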
  

 
4. Firewall on Linux: off