學習Centos 6也有一陣子了,對基本的命令和shell都有個的瞭解,於是乎開始搭建一個squid代理環境在我的虛擬化環境中。
Squid代理:Squid是一個緩存和過濾網頁內容的代理服務器。Squid代理被使用於不同的組織和ISP爲了減少帶寬和增加響應時間。
Squid代理服務將緩存請求網頁內容和重複利用給進一步請求相同的內容。
通過上面的圖示可以知道,當用戶第一次請求Google內容時需要代理服務器去從ISP請求,然後ISP迴應給代理server,緊接着server迴應給用戶,用戶2若也需訪問Google,就不需要再次從ISP去請求,而是直接從代理server中去獲得,這樣就節省了大量的網絡帶寬和響應時間。
安裝Squid代理和依賴使用如下命令
yum install squid -y
默認的squid配置文件位於"/etc/squid/squid.conf"將包含推薦的最小化的配置且squid緩存特徵將工作不做任何修改。推薦最小化配置類似於如下截圖
[root@Daniel ~]# cat /etc/squid/squid.conf # # Recommended minimum configuration: # visible_hostname Daniel acl manager proto cache_object acl localhost src 127.0.0.1/32 ::1 acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1 # Example rule allowing access from your local networks. # Adapt to list your (internal) IP networks from where browsing # should be allowed acl localnet src 10.0.0.0/8 # RFC1918 possible internal network acl localnet src 172.16.0.0/12 # RFC1918 possible internal network acl localnet src 192.168.0.0/16 # RFC1918 possible internal network acl localnet src fc00::/7 # RFC 4193 local private network range acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines acl SSL_ports port 443 acl Safe_ports port 80 # http acl Safe_ports port 21 # ftp acl Safe_ports port 443 # https acl Safe_ports port 70 # gopher acl Safe_ports port 210 # wais acl Safe_ports port 1025-65535 # unregistered ports acl Safe_ports port 280 # http-mgmt acl Safe_ports port 488 # gss-http acl Safe_ports port 591 # filemaker acl Safe_ports port 777 # multiling http acl CONNECT method CONNECT #ACL blocksites acl blocksites dstdomain "/etc/squid/blockedsites.squid" #ACL blockkeywords acl blockkeywords url_regex -i "/etc/squid/blckkeywords.squid" # # Recommended minimum Access Permission configuration: # # Only allow cachemgr access from localhost http_access allow manager localhost # http_access deny manager #Deny access to blocksites ACL http_access deny blocksites #Deny access to blockkeywords ACL http_access deny blockkeywords # Deny requests to certain unsafe ports http_access deny !Safe_ports # Deny CONNECT to other than secure SSL ports http_access deny CONNECT !SSL_ports # We strongly recommend the following be uncommented to protect innocent # web applications running on the proxy server who think the only # one who can access services on "localhost" is a local user #http_access deny to_localhost # # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS # # Example rule allowing access from your local networks. # Adapt localnet in the ACL section to list your (internal) IP networks # from where browsing should be allowed http_access allow localnet http_access allow localhost # And finally deny all other access to this proxy http_access deny all # Squid normally listens to port 3128 http_port 3128 # Uncomment and adjust the following to add a disk cache directory. #cache_dir ufs /var/spool/squid 100 16 256 # Leave coredumps in the first cache dir coredump_dir /var/spool/squid # Add any of your own refresh_pattern entries above these. refresh_pattern ^ftp: 1440 20% 10080 refresh_pattern ^gopher: 1440 0% 1440 refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 refresh_pattern . 0 20% 4320
2.啓動squid服務
service squid start
使用如下命令讓squid在開機時自動啓動
chkconfig --levels 235 squid on
3.設置瀏覽器訪問代理,端口爲3128
IE : Tools Internet options Connections LAN settings Choose “Use a proxy server for your LAN” Type your Proxy server ip (192.168.1.11 ) and port no 3128
Firefox : Options / Preferences Advanced Network Settings Choose “Manual proxy configuration ” Type your Proxy server ip (192.168.1.11 ) and port no 3128
4.在代理服務器上瀏覽一些站點並檢查訪問日誌文件
cat /var/log/squid/accesss.log
排錯環節
如果你不能瀏覽使用代理設置,禁用防火牆和selinux服務在你的squid proxy中。
service iptables stop
chkconfig iptables off
禁用Selinux /etc/selinux/config
SELINUX=enforcing
替換爲
SELINUX=disabled
重啓服務器
配置squid 代理作爲web過濾
你可以限制用戶訪問特定的網站或使用關鍵字的ACL
限制訪問指定的網站
比如說,我們可以block facebook.com 和gmail.com
創建一個位於此目錄的文件/etc/squid/blocksites.squid
[root@Daniel ~]# cat /etc/squid/blockedsites.squid
#blcoked sites
打開/etc/squid/squid.conf並創建一個新的acl"blocksites"acl類型爲"dstdomain"在acl部分
acl SSL_ports port 443 acl Safe_ports port 80 # http acl Safe_ports port 21 # ftp acl Safe_ports port 443 # https acl Safe_ports port 70 # gopher acl Safe_ports port 210 # wais acl Safe_ports port 1025-65535 # unregistered ports acl Safe_ports port 280 # http-mgmt acl Safe_ports port 488 # gss-http acl Safe_ports port 591 # filemaker acl Safe_ports port 777 # multiling http acl CONNECT method CONNECT #ACL blocksites acl blocksites dstdomain "/etc/squid/blockedsites.squid"
增加一下行“http_access deny blocksites”到http_section拒絕訪問acl"blocksites”
#Deny access to blocksites ACL
http_access deny blocksites
重啓squid服務
service squid restart
4.訪問qq.com如下所示
拒絕日誌如下
[root@Daniel ~]# tail -f /var/log/squid/access.log 1453708617.351 55 10.66.7.56 TCP_DENIED/403 3889 GET http://www.qq.com/ - NONE/- text/html 1453708664.335 5724 10.66.7.56 TCP_MISS/304 346 GET http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl - DIRECT/23.49.31.148 application/pkix-crl 1453708673.249 8899 10.66.7.56 TCP_MISS/304 325 GET http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl - DIRECT/23.75.23.163 application/pkix-crl 1453708678.022 4760 10.66.7.56 TCP_MISS/304 331 GET http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab? - DIRECT/125.56.199.8 application/octet-stream 1453708678.150 75 10.66.7.56 TCP_MISS/304 324 GET http://crl.microsoft.com/pki/crl/products/CodeSignPCA2.crl - DIRECT/23.75.23.163 application/pkix-crl 1453708747.852 119973 10.66.7.56 TCP_MISS/200 7997 CONNECT iecvlist.microsoft.com:443 - DIRECT/68.232.45.200 - 1453708747.852 119973 10.66.7.56 TCP_MISS/200 22530 CONNECT iecvlist.microsoft.com:443 - DIRECT/68.232.45.200 - 1453708747.853 119921 10.66.7.56 TCP_MISS/200 8146 CONNECT r20swj13mr.microsoft.com:443 - DIRECT/68.232.45.200 -
除了對網站做限制,squid還可以針對關鍵字,特定的IP地址或完全訪問指定的IP等等。
squid功能非常強大,對於企業內部做上網代理等非常有效果。