
Deployment of squid on CentOS7 and two modes (version 4.1)

2025-04-05 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/03 Report--

What is squid?

Squid is a piece of software used to cache Internet data. It accepts requests for the objects people want to download and handles them appropriately. That is, if a person wants to download a web page, he asks Squid to fetch the page for him. Squid then connects to the remote server (for example http://squid.nlanr.net/) and requests the page. Squid passes the data on to the client machine and keeps a copy at the same time. The next time someone needs the same page, Squid can simply read it from disk, so the data is transferred to the client immediately. The current Squid can handle protocols such as HTTP, FTP, GOPHER, SSL and WAIS, but it cannot handle things like POP, NNTP, RealAudio and other such protocols.

Some concepts of Internet caching

You may have some questions: how useful is caching? When should an object be cached, and when should it not? For example, caching credit card numbers is completely inappropriate; script files are executed on the remote server; some sites are updated frequently (like www.cnn.com); and some sites do not allow caching at all. Squid handles all of these situations well (provided the remote site behaves in a standard way): executable cgi-bin scripts are not cached, pages that return the correct headers are cached for a limited period, and you can specify special rules to decide what may or may not be cached, and for how long. As for how useful caching is, it depends on the capacity of the Internet link, which varies. For a small cache (several revolutions of disk space) the return is very high (up to 25%): this space caches frequently visited sites such as netscape, cnn and others in a similar situation. Doubling the cache disk space does not double your hit rate, because you then start caching the rest of the network, which is mostly large and rarely accessed. For a very large cache of about 20 rpm the return may still be under 50%, unless you often change how long the data is kept (generally speaking, you should not allocate 20 rpm of disk space, because pages soon become obsolete and should be deleted). When we say "object" here, we mean a saved web page or other similar downloadable item (an ftp file or directory listing is also called an object).

Download and obtain Squid

Squid provides packages for many Unix-like systems. For example, on Ubuntu you can install it with apt install squid, or you can download pre-compiled binary packages directly from squid's website.

Basic types of proxies

Traditional proxy

This is the ordinary proxy service: you must manually set the address and port of the proxy server in the client's browser, QQ chat tool, download software and other programs before they can use the proxy service to access the network. For web browsers, the domain name resolution requests made when visiting a site are also sent to the specified proxy server.

Transparent proxy

It provides the same functions and services as the traditional proxy; the difference is that the client does not need to specify the proxy server's address and port. Instead, web access is redirected through the default route and firewall policy and is still handled by the proxy server. The redirection is "transparent" to the client, and the user does not even know that he is using a proxy service, hence the name "transparent proxy".

Installation and deployment (squid 4.1 on CentOS7)

Experimental preparation

CentOS7 virtual machine, squid-4.1.tar.gz software package

Experimental deployment

Decompress the source package

tar zxvf squid-4.1.tar.gz -C /opt

Configure

./configure \
--prefix=/usr/local/squid \
--sysconfdir=/etc \
--enable-arp-acl \
--enable-linux-netfilter \
--enable-linux-tproxy \
--enable-async-io=100 \
--enable-err-language="Simplify_Chinese" \
--enable-underscore \
--enable-poll \
--enable-gnuregex

Meaning of the options:

--prefix=/usr/local/squid: installation directory
--sysconfdir=/etc: put the configuration file in a separate directory
--enable-arp-acl: rules can match the client's MAC address directly, which prevents clients from using IP spoofing
--enable-linux-netfilter: use kernel filtering
--enable-linux-tproxy: support transparent mode
--enable-async-io=100: asynchronous I/O to improve storage performance; equivalent to --enable-pthreads --enable-storeio=ufs,aufs
--enable-err-language="Simplify_Chinese": error message display language
--enable-underscore: allow underscores in URLs
--enable-poll: use poll() mode to improve performance
--enable-gnuregex: compile and install with GNU regular expressions

make && make install

Create linked files, users, and groups

ln -s /usr/local/squid/sbin/* /usr/local/sbin/

useradd -M -s /sbin/nologin squid

chown -R squid.squid /usr/local/squid/var/

Modify the squid configuration file

vim /etc/squid.conf

... (omitted)
http_port 3128
cache_effective_user squid      # add the specified program user
cache_effective_group squid     # add the specified account basic group

Initialize cache directory, start service

squid -z    # initialize the cache directory

squid       # start the service

Create a service startup script

vim /etc/init.d/squid

#!/bin/bash
#chkconfig: 2345 90 25
PID="/usr/local/squid/var/run/squid.pid"
CONF="/etc/squid.conf"
CMD="/usr/local/squid/sbin/squid"

case "$1" in
start)
    netstat -natp | grep squid &> /dev/null
    if [ $? -eq 0 ]
    then
        echo "squid is running"
    else
        echo "starting squid..."
        $CMD
    fi
    ;;
stop)
    $CMD -k shutdown &> /dev/null
    rm -rf $PID &> /dev/null
    ;;
status)
    [ -f $PID ] &> /dev/null
    if [ $? -eq 0 ]
    then
        netstat -natp | grep squid
    else
        echo "squid is not running"
    fi
    ;;
restart)
    $0 stop &> /dev/null
    echo "shutting down squid..."
    $0 start &> /dev/null
    echo "starting squid..."
    ;;
reload)
    $CMD -k reconfigure
    ;;
check)
    $CMD -k parse
    ;;
*)
    echo "usage: $0 {start|stop|status|reload|check|restart}"
esac

chmod +x /etc/init.d/squid        # give execute permission
chkconfig --add squid
chkconfig --level 35 squid on     # start on boot in runlevels 3 and 5

Test the service startup script

Construction of traditional proxy service

Host         IP address       Main service
CentOS7-1    172.16.10.129    http service
CentOS7-2    172.16.10.128    squid service
Windows 7    172.16.10.131    client

vim /etc/squid.conf

# And finally deny all other access to this proxy
http_access allow all           # added: allows any client to use the proxy service
http_access deny all

# Squid normally listens to port 3128
http_port 3128

cache_mem 64 MB                 # memory used by the cache to keep frequently accessed web objects, preferably a multiple of 4, in MB; setting it to 1/4 of physical memory is recommended
reply_body_max_size 10 MB       # maximum file size a user may download, in bytes; the default 0 means no limit
maximum_object_size 4096 KB     # maximum object size allowed into the cache, in KB; larger files are not cached but forwarded directly to the user
cache_effective_user squid      # add the specified program user
cache_effective_group squid     # add the specified account basic group

# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /usr/local/squid/var/cache/squid 100 16 256

Clear the previous firewall policy and SELinux, add the firewall policy and restart the service
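Squid evaluates http_access lines from top to bottom and the first matching line decides; when no line matches, the opposite of the last line's action applies. With "allow all" placed before "deny all" as in the file above, the deny line is never reached, so any host that can reach port 3128 may use the proxy. The following script is an added example, not part of the article, that models this evaluation for "src" ACLs and compares the article's fragment with a variant that only admits the lab subnet 172.16.10.0/24 (the ACL name localnet and the client addresses are constructed):

```shell
#!/bin/sh
# Added example (not from the article): simulate squid's http_access
# evaluation for "src" ACLs. Squid walks the http_access lines top-down and
# the first matching line decides; if nothing matches, the opposite of the
# last line's action applies.

# The article's fragment: "allow all" precedes "deny all", so the deny line
# is dead and every client that can reach port 3128 is admitted.
OPEN_CONF='acl localnet src 172.16.10.0/24
http_access allow all
http_access deny all'

# Hardened variant (constructed): admit only the lab subnet from the
# article's address plan, then deny everything else.
SAFE_CONF='acl localnet src 172.16.10.0/24
http_access allow localnet
http_access deny all'

# decide CONF CLIENT_IP -> prints "allow" or "deny"
decide() {
  printf '%s\n' "$1" | awk -v client="$2" '
    # dotted quad -> 32-bit integer
    function ip2int(s,  a) { split(s, a, "."); return ((a[1]*256 + a[2])*256 + a[3])*256 + a[4] }
    # does ip fall inside cidr (a.b.c.d/prefix, prefix optional)?
    function in_cidr(ip, cidr,  p, bits, div) {
      split(cidr, p, "/"); bits = (p[2] == "") ? 32 : p[2] + 0
      div = 2 ^ (32 - bits)          # integer division drops the host bits
      return int(ip2int(ip) / div) == int(ip2int(p[1]) / div)
    }
    $1 == "acl" && $3 == "src" { acl[$2] = $4; next }
    $1 == "http_access" {
      last = $2
      if (!done && ($3 == "all" || (($3 in acl) && in_cidr(client, acl[$3])))) {
        print $2; done = 1
      }
    }
    END { if (!done) print (last == "deny") ? "allow" : "deny" }
  '
}

# Stand-alone run: the outside client (TEST-NET-3 address, constructed) slips
# through the article's version but not the hardened one; the lab client is
# admitted by both.
for c in 172.16.10.131 203.0.113.7; do
  echo "client $c: article config -> $(decide "$OPEN_CONF" "$c"), hardened -> $(decide "$SAFE_CONF" "$c")"
done
```

The simulator only understands "src" ACLs and the built-in "all"; real squid.conf files use many more ACL types, so treat it as a way to reason about rule order, not as a replacement for squid -k parse and a test from a client outside the subnet.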

iptables -F     # clear the firewall policy

setenforce 0    # turn off SELinux

iptables -I INPUT -p tcp --dport 3128 -j ACCEPT    # allow tcp packets for port 3128 to pass through

Restart the service

service squid restart

The web server turns off the firewall and turns on the service

systemctl stop firewalld.service

setenforce 0

systemctl start httpd    # enable the web service

Configure the proxy in the client's browser settings

View the access log of the web server

Build a transparent mode

First of all, the proxy server needs two network cards:

ens33: intranet gateway, 192.168.100.1
ens36: public network gateway, 12.0.0.1

Web server: 12.0.0.12

Client: 192.168.100.50

Set up route forwarding and clear the firewall policy

echo "1" > /proc/sys/net/ipv4/ip_forward    # enable route forwarding
iptables -F           # clear the firewall policy
iptables -t nat -F    # clear the nat table

Modify the squid configuration file

# A note here: some people may ask whether it should not be port 3128. It is not, because I use squid 4.1, and some things may differ from version 3.4. If you set port 3128, the squid service will not start because port 3128 is occupied.

Restart the squid proxy service

service squid stop

service squid start

netstat -ntap | grep squid

tcp    0    0 192.168.100.1:3129    0.0.0.0:*    LISTEN    57899/(squid-1)
tcp6   0    0 :::3128               :::*         LISTEN    57899/(squid-1)

Here you can see that port 3129, which we configured, is now listening.
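The listing above shows two sockets: the intercept port 3129 bound only to the intranet address 192.168.100.1, and the ordinary port 3128 bound to ::, that is, to every address, including the public-facing ens36 (12.0.0.1). A small audit that makes that distinction explicit, as an added example that is not from the article; the sample listing is constructed to mirror the article's netstat output and the pid is illustrative:

```shell
#!/bin/sh
# Added example (not from the article): flag squid listeners bound to all
# interfaces. Sample input is constructed to mirror the article's
# "netstat -ntap | grep squid" listing.
SAMPLE='tcp   0  0 192.168.100.1:3129  0.0.0.0:*  LISTEN  57899/(squid-1)
tcp6  0  0 :::3128             :::*       LISTEN  57899/(squid-1)'

# listeners INPUT -> one "ADDR PORT SCOPE" line per LISTEN socket;
# SCOPE is "wildcard" for 0.0.0.0 / :: and "bound" otherwise.
listeners() {
  printf '%s\n' "$1" | awk '$6 == "LISTEN" {
    n = split($4, f, ":")                      # IPv6 literals contain ":",
    port = f[n]                                # so the port is the last piece
    addr = substr($4, 1, length($4) - length(port) - 1)
    scope = (addr == "0.0.0.0" || addr == "::") ? "wildcard" : "bound"
    print addr, port, scope
  }'
}

# wildcard_ports INPUT -> ports reachable on every interface (in the
# article's layout that includes the public side, ens36 / 12.0.0.1).
wildcard_ports() {
  listeners "$1" | awk '$3 == "wildcard" { print $2 }'
}

# Stand-alone report over the constructed sample.
report() {
  listeners "$1"
  w=$(wildcard_ports "$1" | tr '\n' ' ')
  [ -n "$w" ] && echo "WARNING: squid accepts connections on all interfaces on port(s): $w"
  return 0
}
report "$SAMPLE"
```

On a live host, feed it the output of netstat -ntap | grep squid (the column layout of ss differs, so the awk field numbers would need adjusting). If the report flags port 3128, the usual fix is to bind that http_port line to the intranet address as well, so that the proxy is not reachable from the public interface.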

Access authentication

View the access log of the web server

In this way, the transparent proxy is complete.

# Note: the configurations of squid 4.1 and squid 3.4 are still a little different. I hope I can help you.
