Squid forward proxy
2015-01-20 by dongnan
Environment
# operating system
head -n1 /etc/issue
CentOS release 6.6 (Final)
# kernel version
uname -r
2.6.32-504.el6.x86_64
# software version
squid-3.1.x
Steps
Install
yum install squid
Configure
Create the cache directory
mkdir -p /data/cache
Make the squid user the owner of the directory
chown -R squid:squid /data/cache/
Configuration file (the awk filter prints only the active directives; comment and blank lines, including the commented-out defaults shipped in squid.conf, are dropped)
awk '! /^(#|$| )/' /etc/squid/squid.conf
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
acl localnet src 10.0.100.0/24 # RFC1918 possible internal network
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access allow localhost
acl admin src 127.0.0.1
acl purge method PURGE
http_access allow admin purge
http_access deny purge
http_access deny all
http_port 7412 transparent
hierarchy_stoplist cgi-bin ?
coredump_dir /var/spool/squid
refresh_pattern -i \.(htm|html|shtml)$ 30 50% 120 reload-into-ims
refresh_pattern -i \.(css|js|xml)$ 1440 90% 10080 reload-into-ims
refresh_pattern -i \.(ico|jpg|gif|bmp|png)$ 1440 90% 10080 ignore-reload
refresh_pattern -i \.(txt|doc|chm|ppt|pptx|pdf)$ 1440 90% 10080 ignore-reload
refresh_pattern -i \.(swf|flv|mp3|wma|wmv|wav|mid|rm|mp4|mpeg|avi)$ 10080 90% 43200 ignore-reload
refresh_pattern -i \.(iso|zip|rar|tar|tgz|bz2|7z)$ 10080 90% 43200 ignore-reload
refresh_pattern -i \.(rpm|deb|bin)$ 10080 90% 43200 ignore-reload
refresh_pattern -i \.(cab|exe|msi)$ 10080 90% 43200 ignore-reload
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
acl deny-dynamic-page urlpath_regex \.php$
acl deny-dynamic-page urlpath_regex \.asp$
acl deny-dynamic-page urlpath_regex \.aspx$
acl deny-dynamic-page urlpath_regex \.jsp$
acl deny-dynamic-page urlpath_regex \.do$
cache deny deny-dynamic-page
cache_mem 1300 MB
cache_swap_low 80
cache_swap_high 95
maximum_object_size 250 MB
minimum_object_size 0 KB
maximum_object_size_in_memory 100 MB
cache_dir ufs /data/cache/ 8000 16 256
visible_hostname cache.htt.cloud
cache_mgr admin@htt.cloud
via off
request_header_access Via deny all
request_header_access X-Forwarded-For deny all
request_header_access Server deny all
request_header_access X-Cache deny all
request_header_access X-Cache-Lookup deny all
reply_header_access Server deny all
reply_header_access X-Cache deny all
reply_header_access X-Cache-Lookup deny all
reply_header_access Warning deny all
reply_header_access Expires deny all
reply_header_access Cache-Control deny all
reply_header_access age deny all
For the meaning of each directive, see the linked reference. Three points are worth checking before this file goes live:
- The listing declares the to_localhost ACL but never uses it. Adding http_access deny to_localhost (before the allow rules, where the shipped squid.conf places it) stops proxy clients from reaching services bound to the proxy host's own loopback addresses.
- via off together with the request_header_access and reply_header_access lines hides the proxy from origin servers, but the X-Forwarded-For header that Squid itself adds is governed by the forwarded_for directive (default on); set forwarded_for off if client addresses must not reach the origin.
- http_port 7412 transparent: in Squid 3.1 "transparent" is the old spelling of "intercept". An intercept port only serves traffic that the firewall redirects to it, so the iptables --to-port in the transparent proxy section must also be 7412, and http_access still applies: redirected clients must fall inside localnet or they hit http_access deny all.
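The checks above can be scripted. The following audit is an added example written for this page, not code from the original post or from the Squid project; the checks are the editor's own rather than a Squid tool, and the sample squid.conf it writes is constructed from the listing above (with the same missing to_localhost deny), so the script runs without a real Squid installation.

```shell
#!/bin/sh
# Added example (editor's own, not from the original post or Squid): audit a
# squid.conf for the access-control points discussed above.

# Constructed sample config mirroring the active lines of the listing above.
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
# constructed sample, mirrors the active lines of the listing above
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
acl localnet src 10.0.100.0/24
acl SSL_ports port 443
acl Safe_ports port 80
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access allow localhost
http_access deny all
http_port 7412 transparent
via off
EOF

# Active directives only: drop comment and blank lines (same idea as the awk filter above).
active_lines() {
    awk '!/^[ \t]*(#|$)/' "$1"
}

# Exit 0 if the config has an active line whose leading fields equal the given words.
has_line() {
    active_lines "$1" | awk -v a="$2" -v b="$3" -v c="$4" \
        '$1==a && (b=="" || $2==b) && (c=="" || $3==c) { f=1 } END { exit !f }'
}

# Port of the first http_port line ("7412 transparent" and "1.2.3.4:7412" both give 7412).
http_port_of() {
    active_lines "$1" | awk '$1=="http_port" { sub(/^.*:/, "", $2); print $2; exit }'
}

# Source network of the localnet ACL.
localnet_of() {
    active_lines "$1" | awk '$1=="acl" && $2=="localnet" && $3=="src" { print $4; exit }'
}

# Print one finding per line; print nothing when every check passes.
audit_conf() {
    conf=$1
    # 1. The last http_access line must be "deny all": for a request matching no
    #    rule, Squid applies the opposite of the last rule's action.
    last=$(active_lines "$conf" | awk '$1=="http_access" { l=$1" "$2" "$3 } END { print l }')
    [ "$last" = "http_access deny all" ] ||
        echo "MISSING: last http_access must be 'deny all' (found: $last)"
    # 2. A declared to_localhost ACL should actually be denied, or proxy clients
    #    can reach services bound to the proxy host's loopback.
    if has_line "$conf" acl to_localhost && ! has_line "$conf" http_access deny to_localhost; then
        echo "MISSING: http_access deny to_localhost"
    fi
    # 3. Report intercept ports so the firewall redirect can be checked against them.
    active_lines "$conf" | awk '$1=="http_port" && /transparent|intercept/ { print "INFO: intercept port " $2 }'
    # 4. via off hides the proxy, but X-Forwarded-For is governed by forwarded_for (default on).
    if has_line "$conf" via off && ! has_line "$conf" forwarded_for; then
        echo "NOTE: via off without forwarded_for; client IPs still sent in X-Forwarded-For"
    fi
}

audit_conf "$SAMPLE_CONF"
```

Run it against the real file with audit_conf /etc/squid/squid.conf; an empty result means the four checks pass, and the INFO line gives the port the iptables redirect has to target.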
Run
Initialize the cache directories
// The first time squid runs, or whenever a new cache_dir is added, start it once with -z to create the cache (swap) directories.
squid -z
Validate the configuration file; if nothing is printed, the file parsed cleanly.
squid -k parse
Debugging Squid
squid -N -d1
// -N keeps squid in the foreground instead of daemonizing
// -d level writes squid's debug output to standard error at the given level
Start squid
/etc/init.d/squid start
Verify
Squid listens on port 3128 by default; this configuration sets http_port 7412, so check whichever port you configured. lsof prints ports by their /etc/services name, so *:http in the output below is port 80, not 3128.
lsof -i :3128
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
squid 18750 squid 19u IPv4 44519 TCP *:http (LISTEN)
Transparent proxy
Combined with iptables, Squid can run as a transparent (intercepting) proxy.
- Ordinary proxy: the browser or other client software has to be configured with the proxy's address and port.
- Transparent proxy: the gateway uses iptables to redirect a port (typically 80) straight to squid; browsers and other clients need no configuration.
iptables rules
# Redirect port 80 to squid. --to-port must be the http_port from squid.conf (7412 above), and the source network must be one that http_access allows (the localnet ACL, 10.0.100.0/24); otherwise the redirected requests are refused by http_access deny all.
iptables -t nat -I PREROUTING -i eth1 -s 10.0.100.0/24 -p tcp --dport 80 -j REDIRECT --to-port 7412
## Redirect port 53 to the local bind (optional)
iptables -t nat -I PREROUTING -s 10.0.100.0/24 -p udp --dport 53 -j REDIRECT --to-port 53
iptables -t nat -I PREROUTING -s 10.0.100.0/24 -p tcp --dport 53 -j REDIRECT --to-port 53
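The redirect only works while its port and source network agree with squid.conf, which is easy to lose track of when the two are edited separately. The script below is an added example written for this page, not code from the original post: it builds the rule set from one set of variables, refuses to run when SQUID_PORT disagrees with the http_port in a given squid.conf, and adds INPUT rules so the intercept port is reachable only from the LAN interface (an intercept port exposed on the WAN side is an open proxy). LAN_IF=eth1 and the networks are taken from the page; the DRY_RUN switch, the INPUT rules and the ip_forward step are the editor's additions.

```shell
#!/bin/sh
# Added example (editor's own, not from the original post or Squid): generate the
# transparent-proxy firewall rules from one set of variables and check them
# against squid.conf before applying.

LAN_IF=${LAN_IF:-eth1}               # interface the LAN clients arrive on
LAN_NET=${LAN_NET:-10.0.100.0/24}    # same network as the "localnet" ACL
SQUID_PORT=${SQUID_PORT:-7412}       # same port as "http_port ... transparent"
DRY_RUN=${DRY_RUN:-1}                # 1 = print the commands, 0 = execute them (assumed switch)

# Port of the first http_port line in a squid.conf
# ("http_port 7412 transparent" and "http_port 1.2.3.4:7412" both give 7412).
conf_http_port() {
    awk '!/^[ \t]*#/ && $1=="http_port" { sub(/^.*:/, "", $2); print $2; exit }' "$1"
}

# Exit 0 when SQUID_PORT equals the port configured in the given squid.conf.
port_matches_conf() {
    [ "$(conf_http_port "$1")" = "$SQUID_PORT" ]
}

# Echo a command, and execute it unless DRY_RUN=1.
run() {
    echo "$*"
    [ "$DRY_RUN" = "1" ] || "$@"
}

# The rule set. -A keeps the evaluation order equal to the order written here.
gen_rules() {
    # The gateway must forward the traffic it does not intercept (e.g. 443).
    run sysctl -w net.ipv4.ip_forward=1
    # Intercept plain HTTP from the LAN network, arriving on the LAN interface only.
    run iptables -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 80 \
        -j REDIRECT --to-port "$SQUID_PORT"
    # The intercept port is reachable from the LAN interface and nowhere else.
    run iptables -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport "$SQUID_PORT" -j ACCEPT
    run iptables -A INPUT -p tcp --dport "$SQUID_PORT" -j DROP
    # Optional, as in the rules above: send the LAN's DNS to the local resolver.
    run iptables -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" -p udp --dport 53 -j REDIRECT --to-port 53
    run iptables -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 53 -j REDIRECT --to-port 53
}

# Generate (or apply) only when the variables agree with the config file, e.g.
#   SQUID_PORT=7412 DRY_RUN=0 sh transparent-rules.sh /etc/squid/squid.conf
main() {
    conf=${1:-/etc/squid/squid.conf}
    if [ -r "$conf" ] && ! port_matches_conf "$conf"; then
        echo "refusing: SQUID_PORT=$SQUID_PORT but $conf has http_port $(conf_http_port "$conf")" >&2
        return 1
    fi
    gen_rules
}

main "$@" || echo "no rules generated" >&2
```

With DRY_RUN=1 (the default) the script only prints the commands, which is the form worth reviewing before the first real run; set DRY_RUN=0 to execute them.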
References
Squid reverse proxy cache server