I. Installation: not covered here.
II. Configuration file:
squid.conf
# should be allowed
acl localnet src 39.107.112.1 # single public host (not an RFC1918 range); also the cache_peer parent below
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 3128 # 3128
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
# Deny requests to certain unsafe ports
#http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
#http_access deny CONNECT !SSL_ports
# Only allow cachemgr access from localhost
#http_access allow localhost manager
http_access deny to_localhost
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost
http_access deny all
nonhierarchical_direct off
http_port 3128
http_port 80 intercept
cache_mem 1024 MB
cache_dir ufs /var/spool/squid 4096 16 256
cache_effective_user squid
cache_effective_group squid
access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log
visible_hostname 192.168.1.10
cache_mgr adb@abc.com
cache_peer 39.107.112.1 parent 80 0 no-query originserver name=a
cache_peer_domain a www.tlinux.com
cache_peer_access a allow all
III. Problem
Access is denied.
Access control configuration prevents your request from being allowed at this time. Please contact your service provider if you feel this is incorrect.
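There are many possible causes:
1. A DNS problem: names cannot be resolved. Configuring /etc/resolv.conf fixes it.
2. Check the logs, /var/log/access.log and /var/log/cache.log.
If cache.log contains the error "WARNING: Forwarding loop detected for:", look mainly at these two lines: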
Via: 1.1 192.168.1.10 (squid/3.5.20)
X-Forwarded-For: 192.168.1.102
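and if access.log also shows requests coming from this machine's own IP, then the request is caught in a forwarding loop.
Solution:
Unverified approach:
Forwarding loops typically occur when two caches each treat the other as a parent cache. If you run into this problem, you can use the cache_peer_access directive to prevent such loops. For example, if one cache's IP address is 192.168.1.1, the following lines keep squid from forwarding in a loop: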
acl FromNeighbor src 192.168.1.1
cache_peer_access the.neighbor.name deny FromNeighbor
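Forwarding loops can also occur with HTTP interception, especially when the interception device sits on the path between squid and the origin server.
Squid detects forwarding loops by checking the hostnames in the Via header. If two cooperating caches have the same hostname, you will get false forwarding loops. In that case the unique_hostname directive is useful. Note that if the Via header is filtered out (for example with the headers_access directive), squid cannot detect that a forwarding loop has occurred.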
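A simplified model of the Via-based check described above, as an added example (not from the original post and not Squid's own code): it reports a loop when the proxy's own name is already a hop in Via, and shows the two caveats from the paragraph, a shared hostname giving a false loop and a missing Via header making detection impossible. The function names and sample requests are constructed for illustration.

```python
import re

# "(comment)" parts of a Via value, e.g. "(squid/3.5.20)"
_COMMENT = re.compile(r"\([^()]*\)")

def via_hosts(via_values):
    """Return the received-by names from one or more Via values, in hop order."""
    hosts = []
    for value in via_values:
        for hop in _COMMENT.sub("", value).split(","):
            parts = hop.split()
            if len(parts) < 2:      # need "<protocol-version> <received-by>"
                continue
            name = parts[1].lower()
            if name.count(":") == 1:  # drop an optional ":port"
                name = name.split(":")[0]
            hosts.append(name)
    return hosts

def check_request(headers, own_name):
    """Classify a request from its (name, value) header pairs.

    "loop"   - own_name is already listed as a hop in Via
    "ok"     - Via is present and does not list own_name
    "no-via" - no Via header, so a loop cannot be detected this way
    """
    via = [v for k, v in headers if k.lower() == "via"]
    if not via:
        return "no-via"
    return "loop" if own_name.lower() in via_hosts(via) else "ok"

# Constructed sample requests (header values modelled on the log lines above)
OWN = "192.168.1.10"  # this proxy's visible_hostname
LOOPED = [("Via", "1.1 192.168.1.10 (squid/3.5.20)"),
          ("X-Forwarded-For", "192.168.1.102")]
FROM_PEER = [("Via", "1.0 edge.example (squid/3.5.20), 1.1 cache-b.example:3128")]
STRIPPED = [("X-Forwarded-For", "192.168.1.102")]
# Two different caches configured with the same name: reported as a loop
# although the request never passed through this proxy (false loop).
SAME_NAME = [("Via", "1.1 proxy.example (squid/3.5.20)")]

if __name__ == "__main__":
    for label, req, name in [("looped", LOOPED, OWN), ("from peer", FROM_PEER, OWN),
                             ("Via stripped", STRIPPED, OWN),
                             ("shared hostname", SAME_NAME, "proxy.example")]:
        print(f"{label}: {check_request(req, name)}")
```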
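Verified approach:
The change in the Via header shows that the request was redirected back to squid itself. Squid uses the number of squid entries in the Via field, or the number of IPs in the X-Forwarded-For field, to judge whether the request has looped; if it has, "Forwarding loop detected for" appears, and the apache log shows no requests from squid at all. To fix this, just add "nonhierarchical_direct off" to squid.conf.
The description of nonhierarchical_direct is: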
# TAG: nonhierarchical_direct
# By default, Squid will send any non-hierarchical requests
# (matching hierarchy_stoplist or not cacheable request type) direct
# to origin servers.
# If you set this to off, Squid will prefer to send these
# requests to parents.
Squid handles requests with query parameters differently from requests without them.