Squid reverse proxy: cache acceleration + load balancing lab setup

Lab environment:

The company has two web servers running the same site and reading the same MySQL database.

The hostnames of the two web servers:

test1.com 192.168.1.119

test2.com 192.168.1.120

Squid server IP: 192.168.1.123

DNS: 192.168.9.254

Approach: DNS resolves www.fb.com to the Squid server; Squid round-robins the web hosts, answers from one of them, and provides cache acceleration in front of them.

Note: in this lab the HTTPS part has some problems and needs some settings on the load balancing device. Also, the problem of keeping part of the site directory in sync between the two web servers has been solved by mounting that directory over NFS.

I. Basic configuration

A. Updates

1. Switch the update source (only for servers located in mainland China)

sed -i "s#mirror.centos.org/centos#mirrors.centos.91.com#g" /etc/yum.repos.d/CentOS-Base.repo

sed -i "s/^mirrorlist/#mirrorlist/g" /etc/yum.repos.d/CentOS-Base.repo

sed -i "s/^#baseurl/baseurl/g" /etc/yum.repos.d/CentOS-Base.repo

(The first sed uses # as the delimiter because the pattern itself contains a slash; afterwards confirm that the baseurl lines in the file point at a path that actually exists on the mirror.)

2. Update

yum clean all

yum -y update


B. Tuning

1. Append the following to the end of /etc/sysctl.conf

kernel.core_uses_pid = 1

net.ipv4.ip_forward = 1

net.ipv4.conf.lo.arp_ignore = 1

net.ipv4.conf.lo.arp_announce = 2

net.ipv4.conf.all.arp_ignore = 1

net.ipv4.conf.all.arp_announce = 2

net.ipv4.tcp_tw_reuse = 1

net.ipv4.tcp_tw_recycle = 1

net.ipv4.tcp_fin_timeout = 30

net.ipv4.tcp_keepalive_time = 300

net.ipv4.tcp_window_scaling = 0

net.ipv4.tcp_sack = 0

net.ipv4.tcp_timestamps = 0

net.ipv4.tcp_syncookies = 1

net.ipv4.icmp_echo_ignore_broadcasts = 1

net.ipv4.icmp_ignore_bogus_error_responses = 1

net.ipv4.conf.all.log_martians = 1

net.ipv4.tcp_max_syn_backlog = 4096

net.ipv4.tcp_max_tw_buckets = 1440000

net.ipv4.ip_local_port_range = 1024 65536

net.core.rmem_max = 16777216

net.core.wmem_max = 16777216

net.ipv4.tcp_rmem = 4096 87380 16777216

net.ipv4.tcp_wmem = 4096 65536 16777216

net.ipv4.tcp_keepalive_intvl = 15

net.ipv4.tcp_retries2 = 5

fs.file-max = 655360

net.core.somaxconn = 4096

Run:

sysctl -p

to apply the settings.

2. Raise the allowed number of open file handles

echo "* soft nofile 65536" >>/etc/security/limits.conf

echo "* hard nofile 65536" >>/etc/security/limits.conf
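Both tuning steps above append their settings with >>, so every re-run of the script adds a duplicate line for each key (harmless to sysctl -p, where the last value wins, but misleading to anyone auditing the file). As an added example, not part of the original post, here is an idempotent helper for sysctl-style "key = value" files, demonstrated on a constructed temporary copy; the function names are ours. Two caveats on the values themselves: net.ipv4.tcp_tw_recycle breaks clients behind NAT and was removed in Linux 4.12, and it has no effect anyway while net.ipv4.tcp_timestamps = 0 as set above, so on a current kernel leave it out.

```shell
#!/bin/bash
# Added example (not from the original post): set a "key = value" line in a sysctl-style file
# idempotently, so re-running a tuning script never appends duplicate keys. Function names are ours.
set -u

# escape_key KEY -> KEY with regex metacharacters escaped (dots are the common case)
escape_key() {
    printf '%s' "$1" | sed 's/[].[*^$\\]/\\&/g'
}

# set_conf_value FILE KEY VALUE
# Replaces an existing "KEY = ..." line (commented out or not) or appends a new one.
set_conf_value() {
    file=$1 key=$2 value=$3
    [ -f "$file" ] || : > "$file"
    esc=$(escape_key "$key")
    if grep -Eq "^[[:space:]]*#?[[:space:]]*${esc}[[:space:]]*=" "$file"; then
        sed -i -E "s|^[[:space:]]*#?[[:space:]]*${esc}[[:space:]]*=.*|${key} = ${value}|" "$file"
    else
        printf '%s = %s\n' "$key" "$value" >> "$file"
    fi
}

# get_conf_value FILE KEY -> value of the last active (uncommented) line defining KEY
get_conf_value() {
    esc=$(escape_key "$2")
    sed -nE "s/^[[:space:]]*${esc}[[:space:]]*=[[:space:]]*(.*)[[:space:]]*$/\1/p" "$1" | tail -n 1
}

# count_key FILE KEY -> number of active lines defining KEY (should be 0 or 1 after this helper)
count_key() {
    esc=$(escape_key "$2")
    grep -Ec "^[[:space:]]*${esc}[[:space:]]*=" "$1"
}

# Demo on a constructed copy; on a real host point it at /etc/sysctl.conf and run "sysctl -p" after.
# Prints: "<ip_forward value> <ip_forward line count> <syncookies value> <somaxconn value>"
demo_sysctl_edit() {
    tmp=$(mktemp)
    printf '# constructed sample\nnet.ipv4.ip_forward = 0\n#net.ipv4.tcp_syncookies = 0\n' > "$tmp"
    set_conf_value "$tmp" net.ipv4.ip_forward 1
    set_conf_value "$tmp" net.ipv4.ip_forward 1        # second run: value kept, no duplicate
    set_conf_value "$tmp" net.ipv4.tcp_syncookies 1    # commented-out key: uncommented and set
    set_conf_value "$tmp" net.core.somaxconn 4096      # new key: appended once
    printf '%s %s %s %s\n' "$(get_conf_value "$tmp" net.ipv4.ip_forward)" \
        "$(count_key "$tmp" net.ipv4.ip_forward)" \
        "$(get_conf_value "$tmp" net.ipv4.tcp_syncookies)" \
        "$(get_conf_value "$tmp" net.core.somaxconn)"
    rm -f "$tmp"
}
```

The same helper works for the /etc/security/limits.conf lines if the regex is adapted to that file's four-column layout; the point is the same: replace in place, append only when absent.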

3. Time synchronization

yum -y install ntp

service ntpd restart

service ntpd stop

echo "#time update" >> /etc/crontab

echo "0 23 * * * root /usr/sbin/ntpdate time.windows.com" >> /etc/crontab

C. Disk partitioning and mounting

Check the disks

fdisk -l

Choose the RAID level and partition layout according to whether the physical machine has hardware RAID and how many disks it has.

Because this box is a cache, software RAID is not recommended.

II. Compiling, installing and configuring Squid

1. Installing Squid

Install gcc and the other build tools

yum install gcc gcc+ gcc-c++ gcc-g77 autoconf automake ncurses-devel flex openssl-devel mod_ssl make

cd /home/soft

tar zxvf squid-3.1.16.tar.gz

cd squid-3.1.16

./configure --prefix=/usr/local/squid --enable-gnuregex --enable-dlmalloc --with-pthreads --enable-ssl --enable-stacktrace --enable-removal-policies=heap,lru --enable-delay-pools --enable-kill-parent-hack --enable-snmp --enable-icmp --enable-err-language=simplify_Chinese --enable-default-err-languages=Simplify_Chinese --enable-cache-digests --disable-ident-lookups --with-filedescriptors=65536 --enable-underscore --enable-large-cache-files --with-large-files --enable-storeio=aufs,diskd,ufs --enable-linux-netfilter --enable-async-io=160 --enable-cachemgr

make

make install

cd /usr/local/squid

2. Generate a key and request a certificate

The key is generated without a passphrase (the -des3 option of genrsa would set one, and Squid cannot use a passphrase-protected key; see the note below). Public CAs no longer accept 1024-bit RSA keys, so use 2048 bits or more for a real certificate.

openssl genrsa -out '*.squid.key' 1024

openssl req -new -key '*.squid.key' -out '*.squid.csr'

This is what you need to obtain a proper CA-issued certificate. If an unauthenticated (self-signed) certificate is enough, it can be generated with:

openssl req -utf8 -new -x509 -days 365 -key '*.squid.key' -out '*.squid.crt'

Do not use a password for the certificate generated here; it seems Squid cannot handle a password. The first time I used one, it started normally but kept warning that the certificate was unauthenticated, and it took me a long time to sort out.
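The pitfall just described can be caught before Squid is started. As an added example, not part of the original post, the script below checks a key/certificate pair the way one would before filling in https_port: it detects a passphrase-protected PEM key by its header, and it compares the RSA modulus of key and certificate so that pointing cert= at the CSR or at the wrong file is noticed. The function names are ours; the PEM header samples are constructed, and demo_with_openssl assumes the openssl command is installed.

```shell
#!/bin/bash
# Added example (not from the original post): pre-flight checks for the key and certificate
# before they are handed to https_port. Squid cannot prompt for a passphrase, so a key written
# by "openssl genrsa -des3" lets Squid start but never serve TLS properly; catch it beforehand.
# Function names are ours; the sample headers below are constructed.
set -u

# key_is_encrypted FILE -> true (0) if the PEM key is passphrase-protected.
# Legacy PEM marks this with "Proc-Type: 4,ENCRYPTED"; PKCS#8 uses "BEGIN ENCRYPTED PRIVATE KEY".
key_is_encrypted() {
    grep -Eq 'Proc-Type: 4,ENCRYPTED|BEGIN ENCRYPTED PRIVATE KEY' "$1"
}

# key_matches_cert KEY CERT -> true if CERT's public key belongs to KEY (needs openssl).
# Comparing the moduli catches a mix-up such as pointing cert= at the CSR instead of the cert.
key_matches_cert() {
    k=$(openssl rsa -in "$1" -noout -modulus 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -modulus 2>/dev/null) || return 1
    [ "$k" = "$c" ]
}

# preflight KEY CERT -> prints "ok" or the reason; exit status 1 on any finding
preflight() {
    if key_is_encrypted "$1"; then
        echo "key is passphrase-protected; regenerate it without -des3"; return 1
    fi
    if ! key_matches_cert "$1" "$2"; then
        echo "certificate does not match key (is cert= pointing at the CSR?)"; return 1
    fi
    echo ok
}

# Constructed PEM headers (sample data only, enough for the header check).
ENCRYPTED_KEY_SAMPLE='-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0123456789ABCDEF
-----END RSA PRIVATE KEY-----'
PLAIN_KEY_SAMPLE='-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----'

# classify_sample encrypted|plain -> what key_is_encrypted says about the matching sample
classify_sample() {
    tmp=$(mktemp)
    if [ "$1" = encrypted ]; then printf '%s\n' "$ENCRYPTED_KEY_SAMPLE" > "$tmp"
    else printf '%s\n' "$PLAIN_KEY_SAMPLE" > "$tmp"; fi
    if key_is_encrypted "$tmp"; then r=encrypted; else r=plain; fi
    rm -f "$tmp"
    echo "$r"
}

# demo_with_openssl -> runs preflight on a fresh unencrypted key + self-signed cert, on a
# second key that does not match the cert, and on a -des3 key; prints the three results "|"-joined.
demo_with_openssl() {
    d=$(mktemp -d)
    openssl genrsa -out "$d/key.pem" 2048 2>/dev/null
    openssl genrsa -out "$d/other.pem" 2048 2>/dev/null
    openssl genrsa -des3 -passout pass:dummy -out "$d/enc.pem" 2048 2>/dev/null
    openssl req -new -x509 -key "$d/key.pem" -out "$d/cert.pem" -days 1 -subj '/CN=www.fb.com' 2>/dev/null
    a=$(preflight "$d/key.pem" "$d/cert.pem") || true
    b=$(preflight "$d/other.pem" "$d/cert.pem") || true
    c=$(preflight "$d/enc.pem" "$d/cert.pem") || true
    rm -rf "$d"
    printf '%s|%s|%s\n' "$a" "$b" "$c"
}
```

Run preflight /data/key/server.key /data/key/server.crt (your own paths) before each restart; a non-zero exit with the printed reason is cheaper than debugging a warning in cache.log.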

3. Squid configuration

(The steps below assume a system user named squid already exists, since cache_effective_user squid refers to it; create one with useradd if it does not.)

mkdir /data/cache1

mkdir /data/cache2

mkdir /data/cachelog

chown squid /data/cache*

Put the certificate files supplied by the CA under /data/key/: the intermediate CA certificate, the server certificate and the key, three files in all.

Edit the contents of squid.conf:

------------------------------------------------------------------------------

#

# Recommended minimum configuration:

#

acl manager proto cache_object

acl localhost src 127.0.0.1/32 ::1

acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1

# Example rule allowing access from your local networks.

# Adapt to list your (internal) IP networks from where browsing

# should be allowed

# acl localnet src 10.0.0.0/8 # RFC1918 possible internal network

# acl localnet src 172.16.0.0/12 # RFC1918 possible internal network

acl localnet src 192.168.9.0/24 # RFC1918 possible internal network

# acl localnet src fc00::/7 # RFC 4193 local private network range

# acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443

acl Safe_ports port 80 # http

acl Safe_ports port 21 # ftp

acl Safe_ports port 443 # https

acl Safe_ports port 70 # gopher

acl Safe_ports port 210 # wais

acl Safe_ports port 1025-65535 # unregistered ports

acl Safe_ports port 280 # http-mgmt

acl Safe_ports port 488 # gss-http

acl Safe_ports port 591 # filemaker

acl Safe_ports port 777 # multiling http

 

acl CONNECT method CONNECT

#

# Recommended minimum Access Permission configuration:

#

# Only allow cachemgr access from localhost

http_access allow manager localhost

http_access deny manager

# Deny requests to certain unsafe ports

http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports

http_access deny CONNECT !SSL_ports

# We strongly recommend the following be uncommented to protect innocent

# web applications running on the proxy server who think the only

# one who can access services on "localhost" is a local user

# http_access deny to_localhost

#

# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS

#

# Example rule allowing access from your local networks.

# Adapt localnet in the ACL section to list your (internal) IP networks

# from where browsing should be allowed

http_access allow localnet

http_access allow localhost

# Allow clients to reach only the accelerated site. http_access is first-match, so this must
# come before the final deny (an "allow all" placed after "deny all" is never reached), and the
# ACL is limited to the site so the vhost accelerator cannot be used as an open proxy.
# The accel_site ACL and the never_direct line are added here; they are not in the original config.

acl accel_site dstdomain www.fb.com

http_access allow accel_site

# Never fetch directly from the Internet: misses go only to the cache_peer origin servers below.

never_direct allow all

# And finally deny all other access to this proxy

http_access deny all

# Squid normally listens to port 3128

# http_port 3128

# Uncomment and adjust the following to add a disk cache directory.

# cache_dir ufs /usr/local/squid/var/cache 100 16 256

# Leave coredumps in the first cache dir

coredump_dir /usr/local/squid/var/cache

# Add any of your own refresh_pattern entries above these.

refresh_pattern ^ftp: 1440 20% 10080

refresh_pattern ^gopher: 1440 0% 1440

refresh_pattern -i (/cgi-bin/|\?) 0 0% 0

refresh_pattern . 0 20% 4320

##---------------------------------------

# host and cache port setting

##----------------------------------------

# Hostname (a required setting since 3.0); Squid will not start without it

visible_hostname squid

cache_mgr [email protected]

# User Squid runs as; it should normally not run as root

cache_effective_user squid

cache_effective_group squid

cachemgr_passwd password all

client_persistent_connections off

server_persistent_connections on

half_closed_clients off

# Run Squid in accel (reverse proxy) mode. vhost is required: without it the Host header is not
# forwarded to the back-end servers and requests fail with a "host not found" error.

http_port 80 accel vhost vport

# Adding port 443 here may keep IE from opening https pages normally; untested. Note that this is
# plain HTTP listening on 443, not TLS; real HTTPS needs https_port with cert= and key= (below).

http_port 443 accel vhost vport

# cert= must point at the certificate, not at the CSR

# https_port 443 cert=/data/squid.crt key=/data/squid.key defaultsite=www.fb.com

# https_port 443 cert=/usr/local/squid/data/cert.pem key=/usr/local/squid/data/key.pem

##----------------------------------------

# cache directory setting

##----------------------------------------

# Cache directory of 8192 MB with 16 first-level directories and 256 second-level directories under each first-level one

cache_dir ufs /usr/local/squid/data/cache 8192 16 256

max_open_disk_fds 0

##-----------------------------------------

# cache storage setting

##-----------------------------------------

# Objects larger than this are not kept on disk; the default is 4 MB. If this Squid caches large files such as flash,

# raise the value, otherwise oversized files have to be fetched again after the next restart

maximum_object_size_in_memory 4 MB

minimum_object_size 0 KB

maximum_object_size 4 MB

# Cache usage control: when the cache directory is 95% full, objects are evicted until usage falls to 80% (roughly 20% is purged)

cache_swap_high 95

cache_swap_low 80

# Replacement policy (lru = least recently used; the unit is the cached object. When the cache,

# memory or disk, reaches its limit, objects have to be swapped in and out)

memory_replacement_policy lru

cache_replacement_policy lru

##------------------------------------------

# cache time out setting

##------------------------------------------

forward_timeout 20 seconds

connect_timeout 15 seconds

read_timeout 3 minutes

request_timeout 1 minutes

persistent_request_timeout 15 seconds

client_lifetime 15 minutes

shutdown_lifetime 5 seconds

negative_ttl 10 seconds

##---------------------------------------------

# cache log setting

##---------------------------------------------

emulate_httpd_log on

logformat squid %ts.%tu %tr %>a %Ss/%>Hs %<st %rm %ru %un %Sh/%<A %mt

access_log /usr/local/squid/data/logs/access_log.log common

cache_log /usr/local/squid/data/logs/cache.log

cache_store_log /usr/local/squid/data/logs/store.log

cache_swap_log /usr/local/squid/data/logs/cache_swap.log

mime_table /usr/local/squid/etc/mime.conf

# Error page directory

error_directory /usr/local/squid/share/errors/en-us/

pid_filename /usr/local/squid/data/squid.pid

# Do not write store.log

# cache_store_log none

##--------------------------------------------

# vhost setting

##--------------------------------------------

# Define the parent peers; no-query and originserver declare that these peers are the real origin servers

cache_peer test1.com parent 80 0 no-query no-digest originserver name=test1 round-robin

cache_peer test2.com parent 80 0 no-query no-digest originserver name=test2 round-robin

# Send each domain to its own cache_peer; without this, requests for different domains may be dispatched to the same server

cache_peer_domain test1 www.fb.com

cache_peer_domain test2 www.fb.com

# Client access: http_access is first-match, so an "http_access allow all" here is never reached
# after the "http_access deny all" above, and an unconditional allow on a vhost accelerator would
# also let it forward to arbitrary hosts named in the Host header. Grant access before the final
# deny, limited to the accelerated domain. (URL blocking ACLs can also go here, in the format of
# the two cache lines below.)

# http_access allow all

# URL types not to cache (case-insensitive regex anchored to the file extension)

acl QUERY urlpath_regex -i \.(php|jsp|asp|pl|cgi)

cache deny QUERY

---------------------------------------------------------------------

hosts_file /etc/hosts
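The access rules above deserve a mechanical check: Squid evaluates http_access lines top to bottom and stops at the first match, so with "http_access deny all" in the recommended block and "http_access allow all" further down, the later allow is never consulted. As an added example, not part of the original post, the script below reads a squid.conf, reports http_access lines that follow an unconditional allow/deny all, and warns when an accel http_port has no never_direct line (without it, a request for a Host not covered by cache_peer_domain can be forwarded directly to the Internet). The function names are ours; the sample configuration is a constructed copy of the ordering in this post.

```shell
#!/bin/bash
# Added example (not from the original post): a small squid.conf pre-flight for the http_access
# first-match pitfall. Squid stops at the first matching http_access line, so every rule after an
# unconditional "allow all" / "deny all" is dead. It also warns when an accelerator has no
# never_direct line. Function names are ours; SAMPLE_CONF is constructed.
set -u

# unreachable_http_access FILE -> prints "N: line" for every http_access line that follows
# the first unconditional "http_access allow all" or "http_access deny all"
unreachable_http_access() {
    awk '
        { sub(/#.*$/, "") }                                  # drop comments
        $1 != "http_access" { next }
        terminal { print NR ": " $0; next }                  # anything after the terminal rule
        ($2 == "allow" || $2 == "deny") && $3 == "all" && NF == 3 { terminal = 1 }
    ' "$1"
}

# accel_without_never_direct FILE -> true (0) if an accel http(s)_port exists but never_direct is absent
accel_without_never_direct() {
    grep -Eq '^[[:space:]]*https?_port[[:space:]].*[[:space:]]accel([[:space:]]|$)' "$1" \
        && ! grep -Eq '^[[:space:]]*never_direct[[:space:]]' "$1"
}

# lint_squid_conf FILE -> prints "ok" or the findings; exit status 1 when anything was found
lint_squid_conf() {
    findings=$(unreachable_http_access "$1")
    if [ -n "$findings" ]; then
        printf 'unreachable http_access rule(s):\n%s\n' "$findings"
    fi
    if accel_without_never_direct "$1"; then
        echo "accelerator has no never_direct line; add 'never_direct allow all' so misses only go to cache_peers"
        findings="x$findings"
    fi
    [ -z "$findings" ] && echo ok
}

# Constructed sample reproducing the ordering of the configuration in this post.
SAMPLE_CONF='acl localnet src 192.168.9.0/24
acl SSL_ports port 443
http_access allow localnet
http_access allow localhost
# And finally deny all other access to this proxy
http_access deny all
http_port 80 accel vhost vport
cache_peer test1.com parent 80 0 no-query originserver name=test1 round-robin
http_access allow all'

# demo_lint -> lints the constructed sample (reports line 9 as unreachable and the missing never_direct)
demo_lint() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_CONF" > "$tmp"
    lint_squid_conf "$tmp" || true
    rm -f "$tmp"
}
```

Run lint_squid_conf /usr/local/squid/etc/squid.conf next to "squid -k parse": the parser only checks syntax, and an unreachable rule is syntactically perfect.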

4. Start

/usr/local/squid/sbin/squid -z    # create the cache directories

/usr/local/squid/sbin/squid -s

netstat -na | grep 443

netstat -na | grep 80

Check whether the ports are being listened on.

If that is OK, the Squid configuration is complete. I will not explain the Squid settings here, because I am not very familiar with them myself!

III. Dual-host high availability

Some commands for debugging Squid:

1. Initialize the cache directories configured in squid.conf

# /usr/local/squid/sbin/squid -z

If it reports an error, check the permissions on your cache directories.

2. Check squid.conf for errors, i.e. validate its syntax and settings.

# /usr/local/squid/sbin/squid -k parse

If squid.conf has a syntax or configuration error it is reported here; if nothing comes back, congratulations, you can try starting Squid.

3. Start Squid in the foreground and print the startup process.

# /usr/local/squid/sbin/squid -N -d1

If you get as far as "Ready to serve requests", congratulations, the start succeeded.

Then press Ctrl+C to stop Squid and start it again in the background.

4. Start Squid in the background.

# /usr/local/squid/sbin/squid -s

You can now run ps -A to look at the process list and see two squid processes.

5. Stop Squid

# /usr/local/squid/sbin/squid -k shutdown

This one needs no explanation.

6. Reload a modified squid.conf

# /usr/local/squid/sbin/squid -k reconfigure

Whenever the configuration is not to your liking you can edit squid.conf at any time; do not forget to check it for errors afterwards,

then run this command and Squid will run according to the new squid.conf.

7. Add Squid to the system startup

Edit /etc/rc.d/rc.local

and add the line: /usr/local/squid/sbin/squid -s

A few more things.

1. Fix the permissions of the cache directory.

# chown -R squid:squid /home/cache

My cache directory is /home/cache, and Squid's user and group are squid:squid.

2. Fix the permissions of the Squid log directory

# chown -R squid:squid /usr/local/squid/data/logs

This step is not right for every Squid installation; its purpose is to let Squid write into that directory,

e.g. to create access.log, cache.log and store.log.

3. Look at your log files.

# grep TCP_MEM_HIT /usr/local/squid/var/logs/access.log

This shows which objects Squid served to clients from its memory cache while running.

# grep TCP_HIT /usr/local/squid/var/logs/access.log

This shows which objects Squid served to clients from its disk cache directory.

# grep TCP_MISS /usr/local/squid/var/logs/access.log

This shows which objects were not served from Squid's cache but fetched from the origin server and returned to the client.
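The three greps above answer one question each. As an added example, not part of the original post, the awk functions below summarize a whole access log written in the "common" format configured above: a count per Squid result code, the overall hit ratio, and a check that no dynamic page was served from cache, which is what the "cache deny QUERY" rule is meant to guarantee. The log lines are constructed to look like this lab's traffic (they are not real log output) and deliberately include one cached admin.php so the check has something to report; the function names are ours.

```shell
#!/bin/bash
# Added example (not from the original post): summarize a Squid access log in the builtin
# "common" format: %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st %Ss:%Sh
# Field 7 is the URL, the last field is RESULT_CODE:HIERARCHY_CODE. Function names are ours.
set -u

# Constructed sample lines (not real log output) shaped like this lab's reverse-proxy traffic.
SAMPLE_LOG='192.168.9.10 - - [10/Oct/2011:13:55:36 +0800] "GET http://www.fb.com/index.php HTTP/1.1" 200 2326 TCP_MISS:ROUNDROBIN_PARENT
192.168.9.10 - - [10/Oct/2011:13:55:37 +0800] "GET http://www.fb.com/logo.png HTTP/1.1" 200 5120 TCP_MISS:ROUNDROBIN_PARENT
192.168.9.11 - - [10/Oct/2011:13:55:38 +0800] "GET http://www.fb.com/logo.png HTTP/1.1" 200 5120 TCP_MEM_HIT:NONE
192.168.9.12 - - [10/Oct/2011:13:56:01 +0800] "GET http://www.fb.com/style.css HTTP/1.1" 200 910 TCP_HIT:NONE
192.168.9.12 - - [10/Oct/2011:13:56:02 +0800] "GET http://www.fb.com/index.php HTTP/1.1" 200 2326 TCP_MISS:ROUNDROBIN_PARENT
192.168.9.13 - - [10/Oct/2011:13:56:05 +0800] "GET http://www.fb.com/missing.html HTTP/1.1" 404 330 TCP_MISS:ROUNDROBIN_PARENT
192.168.9.14 - - [10/Oct/2011:13:56:09 +0800] "GET http://www.fb.com/admin.php HTTP/1.1" 200 1480 TCP_HIT:NONE'

# squid_result_counts < log -> "RESULT_CODE count" per code, sorted by code
squid_result_counts() {
    awk '{ split($NF, r, ":"); n[r[1]]++ } END { for (k in n) print k, n[k] }' | LC_ALL=C sort
}

# hit_ratio_percent < log -> integer percentage of requests answered from cache
# (TCP_HIT, TCP_MEM_HIT, TCP_IMS_HIT, TCP_NEGATIVE_HIT, TCP_REFRESH_HIT)
hit_ratio_percent() {
    awk '{ split($NF, r, ":"); t++; if (r[1] ~ /^TCP_(MEM_|IMS_|NEGATIVE_|REFRESH_)?HIT/) h++ }
         END { if (t) printf "%d\n", 100 * h / t; else print 0 }'
}

# cached_dynamic_urls < log -> URLs of dynamic pages served from cache; with the
# "cache deny QUERY" rule in place this should print nothing
cached_dynamic_urls() {
    awk '{ split($NF, r, ":"); if (r[1] ~ /HIT/ && $7 ~ /\.(php|jsp|asp|pl|cgi)(\?|$)/) print $7 }' | LC_ALL=C sort -u
}

# summarize_access_log FILE -> human-readable report combining the three checks
summarize_access_log() {
    echo "results by code:"
    squid_result_counts < "$1"
    echo "hit ratio: $(hit_ratio_percent < "$1")%"
    echo "dynamic URLs served from cache (expect none):"
    cached_dynamic_urls < "$1"
}
```

Point summarize_access_log at the access_log path from squid.conf; a non-empty last section means the QUERY ACL is not matching the way you think it is.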

Disable unnecessary services

(Review the list below against this host's role: it also switches off iptables, auditd and ntpd, which an Internet-facing proxy normally keeps running.)

echo -e 'alias vi="vim"\nalias grep="grep --color"' >> /etc/profile

echo -e "* soft nofile 65536\n* hard nofile 65536" >> /etc/security/limits.conf

chkconfig --level 0123456 NetworkManager off

chkconfig --level 0123456 NetworkManagerDispatcher off

chkconfig --level 0123456 anacron off

chkconfig --level 0123456 atd off

chkconfig --level 0123456 auditd off

chkconfig --level 0123456 autofs off

chkconfig --level 0123456 avahi-daemon off

chkconfig --level 0123456 avahi-dnsconfd off

chkconfig --level 0123456 bluetooth off

chkconfig --level 0123456 capi off

chkconfig --level 0123456 centcore off

chkconfig --level 0123456 centstorage off

chkconfig --level 0123456 conman off

chkconfig --level 0123456 cups off

chkconfig --level 0123456 dc_client off

chkconfig --level 0123456 dc_server off

chkconfig --level 0123456 dhcdbd off

chkconfig --level 0123456 dovecot off

chkconfig --level 0123456 dund off

chkconfig --level 0123456 firstboot off

chkconfig --level 0123456 gpm off

chkconfig --level 0123456 hidd off

chkconfig --level 0123456 hplip off

chkconfig --level 0123456 httpd off

chkconfig --level 0123456 innd off

chkconfig --level 0123456 ip6tables off

chkconfig --level 0123456 ipmi off

chkconfig --level 0123456 irda off

chkconfig --level 0123456 irqbalance off

chkconfig --level 0123456 isdn off

chkconfig --level 0123456 kdump off

chkconfig --level 0123456 kudzu off

chkconfig --level 0123456 ldap off

chkconfig --level 0123456 lisa off

chkconfig --level 0123456 mdmonitor off

chkconfig --level 0123456 mdmpd off

chkconfig --level 0123456 microcode_ctl off

chkconfig --level 0123456 multipathd off

chkconfig --level 0123456 nagios off

chkconfig --level 0123456 named off

chkconfig --level 0123456 netconsole off

chkconfig --level 0123456 netfs off

chkconfig --level 0123456 netplugd off

chkconfig --level 0123456 nfs off

chkconfig --level 0123456 nfslock off

chkconfig --level 0123456 nscd off

chkconfig --level 0123456 ntpd off

chkconfig --level 0123456 oddjobd off

chkconfig --level 0123456 pand off

chkconfig --level 0123456 pcscd off

chkconfig --level 0123456 portmap off

chkconfig --level 0123456 postgresql off

chkconfig --level 0123456 psacct off

chkconfig --level 0123456 rdisc off

chkconfig --level 0123456 readahead_later off

chkconfig --level 0123456 restorecond off

chkconfig --level 0123456 rpcgssd off

chkconfig --level 0123456 rpcidmapd off

chkconfig --level 0123456 rpcsvcgssd off

chkconfig --level 0123456 rwhod off

chkconfig --level 0123456 saslauthd off

chkconfig --level 0123456 setroubleshoot off

chkconfig --level 0123456 smb off

chkconfig --level 0123456 snmpd off

chkconfig --level 0123456 snmptrapd off

chkconfig --level 0123456 spamassassin off

chkconfig --level 0123456 sysstat off

chkconfig --level 0123456 tux off

chkconfig --level 0123456 vncserver off

chkconfig --level 0123456 vsftpd off

chkconfig --level 0123456 wdaemon off

chkconfig --level 0123456 winbind off

chkconfig --level 0123456 wpa_supplicant off

chkconfig --level 0123456 xfs off

chkconfig --level 0123456 xinetd off

chkconfig --level 0123456 ypbind off

chkconfig --level 0123456 yum-updatesd off

chkconfig --level 0123456 acpid off

chkconfig --level 0123456 iptables off

service NetworkManager stop

service NetworkManagerDispatcher stop

service anacron stop

service atd stop

service auditd stop

service autofs stop

service avahi-daemon stop

service avahi-dnsconfd stop

service bluetooth stop

service capi stop

service centcore stop

service centstorage stop

service conman stop

service cups stop

service dc_client stop

service dc_server stop

service dhcdbd stop

service dovecot stop

service dund stop

service firstboot stop

service gpm stop

service hidd stop

service hplip stop

service httpd stop

service innd stop

service ip6tables stop

service ipmi stop

service irda stop

service irqbalance stop

service isdn stop

service kdump stop

service kudzu stop

service ldap stop

service lisa stop

service mdmonitor stop

service mdmpd stop

service microcode_ctl stop

service multipathd stop

service nagios stop

service named stop

service netconsole stop

service netfs stop

service netplugd stop

service nfs stop

service nfslock stop

service nscd stop

service ntpd stop

service oddjobd stop

service pand stop

service pcscd stop

service portmap stop

service postgresql stop

service psacct stop

service rdisc stop

service readahead_later stop

service restorecond stop

service rpcgssd stop

service rpcidmapd stop

service rpcsvcgssd stop

service rwhod stop

service saslauthd stop

service setroubleshoot stop

service smb stop

service snmpd stop

service snmptrapd stop

service spamassassin stop

service sysstat stop

service tux stop

service vncserver stop

service vsftpd stop

service wdaemon stop

service winbind stop

service wpa_supplicant stop

service xfs stop

service xinetd stop

service ypbind stop

service yum-updatesd stop

service acpid stop

service nfslock stop

chkconfig nfslock off

service portmap stop

chkconfig portmap off

service iptables stop

chkconfig iptables off

service sendmail stop

chkconfig sendmail off

service cups stop

chkconfig cups off

chkconfig --list | grep :on

 
