
What is the essence of, and the difference between, Squid's traditional proxy and transparent proxy

2025-01-19 Update From: SLTechnology News&Howtos shulou

Shulou(Shulou.com)06/01 Report--

This article is about the essence of, and the difference between, Squid's traditional proxy and transparent proxy. The editor thinks it is very practical and shares it here. I hope you get something out of it. Let's take a look.

First, Squid

(1) Squid is a high-performance caching proxy server. It supports the FTP, gopher, HTTPS and HTTP protocols. Unlike ordinary proxy caching software, Squid uses a single, non-modular, I/O-driven process to handle all client requests.

(2) What systems does Squid run on?

Squid runs on most Unix systems and on OS/2. It is known to work on Windows, AIX, Digital Unix, FreeBSD, HP-UX, Irix, Linux, NetBSD, Nextstep, SCO and Solaris.

(3) Download and obtain Squid:

Squid is packaged for many Unix-like systems. For example, on Ubuntu you can install it with apt install squid, or you can download precompiled binary packages directly from Squid's official website.

Second, caching proxy

A web proxy works by caching web objects so that repeated requests do not have to be fetched again.

1. When a client accesses a web page through the squid proxy, the designated proxy server first checks its own cache. If the page the client needs is in the cache, the squid server returns the cached content directly to the client. If the requested page is not in the cache, the squid proxy server sends the request to the Internet, gets the returned web page, saves its data to the cache and sends it to the client.

2. Because the client's web request is actually completed by the squid proxy server, the real IP address of the user is hidden, which provides a certain degree of protection.

In addition, squid can filter and control access by destination, by client address and by time period.

(1) Basic types of proxy:

1. Traditional proxy: the ordinary proxy service. The client must set the proxy server's address and port in programs such as browsers and chat tools before it can use the proxy to access the network. This approach is more troublesome because every client has to specify the proxy server manually, so it is generally used in the Internet environment.

2. Transparent proxy: the function is the same as that of the traditional proxy, except that the client does not need to specify the proxy server's address and port manually. Instead, web access is redirected through the default route and firewall policy, and is still actually handled by the proxy server. The redirection is carried out entirely on the squid server, so the client does not even know that it is using the squid proxy service. This is why it is called transparent mode.

Transparent proxies are mostly used in LAN environments. For example, after a transparent proxy is enabled on a Linux gateway, LAN hosts can enjoy better Internet speed without any additional settings.

(2) Benefits of using a proxy:

1. Improve the speed of web access

2. Hide the real IP address of the client

Third, manual compilation, installation and optimization of Squid

(1) Unpack the source archive:

tar zxvf squid-3.4.6.tar.gz -C /opt/

(2) Install the build tools:

yum install gcc gcc-c++ make -y

(3) Configure the build (run from the unpacked source directory):

cd /opt/squid-3.4.6
./configure --prefix=/usr/local/squid \
--sysconfdir=/etc \
--enable-arp-acl \
--enable-linux-netfilter \
--enable-linux-tproxy \
--enable-async-io=100 \
--enable-err-language="Simplify_Chinese" \
--enable-underscore \
--enable-poll \
--enable-gnuregex

(4) Compile and install:

make && make install

(5) Create symbolic links so the commands are easier to manage:

ln -s /usr/local/squid/sbin/* /usr/local/sbin/

(6) Create the user squid:

useradd -M -s /sbin/nologin squid

chown -R squid:squid /usr/local/squid/var/    # give the squid user ownership

(7) Modify the configuration file:

vim /etc/squid.conf

Add the following lines:

http_access allow all

# add the specified program user
cache_effective_user squid

# add the basic group of the specified account
cache_effective_group squid

(8) Check the configuration and start the service:

squid -k parse    # check the configuration file syntax

squid -z    # initialize the cache directory

squid    # start the service

Check the port to see if the service is enabled properly:

netstat -ntap | grep 3128

(9) Write a startup script:

1. Write the script in the /etc/init.d/ directory:

cd /etc/init.d/
vim squid

#!/bin/bash
# chkconfig: 2345 90 25
PID="/usr/local/squid/var/run/squid.pid"
CONF="/etc/squid.conf"
CMD="/usr/local/squid/sbin/squid"

case "$1" in
start)
    # do not start a second instance if squid already has sockets open
    netstat -natp | grep squid &> /dev/null
    if [ $? -eq 0 ]
    then
        echo "squid is running"
    else
        echo "starting squid...."
        $CMD
    fi
    ;;
stop)
    $CMD -k kill &> /dev/null
    rm -rf "$PID" &> /dev/null
    ;;
status)
    [ -f "$PID" ] &> /dev/null
    if [ $? -eq 0 ]
    then
        netstat -natp | grep squid
    else
        echo "squid is not running"
    fi
    ;;
restart)
    $0 stop &> /dev/null
    echo "shutting down squid..."
    $0 start &> /dev/null
    echo "starting squid..."
    ;;
reload)
    $CMD -k reconfigure
    ;;
check)
    $CMD -k parse
    ;;
*)
    echo "usage: $0 {start|stop|status|reload|check|restart}"
    ;;
esac

2. Add execute permission and register the service:

chmod +x squid    # add execute permission

chkconfig --add squid    # let the service command recognize the script

chkconfig --level 35 squid on    # start automatically at boot

3. Stop and start the service:

service squid stop

service squid start
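The http_access allow all line added in step (7) lets any host that can reach port 3128 relay requests through the proxy, and squid -k parse checks only syntax, not policy. The script below is an added example, not part of the original article: it audits a configuration for that rule and shows a restricted variant. The localnet ACL name and the 192.168.220.0/24 range are assumptions based on the lab addresses used later on this page.

```shell
#!/bin/sh
# Added example, not from the original article.
# Squid reads http_access rules top to bottom; the first match decides.

# Constructed sample: the permissive configuration from step (7).
weak_conf='http_port 3128
http_access allow all
cache_effective_user squid
cache_effective_group squid'

# Constructed sample: access limited to an assumed lab subnet.
hardened_conf='http_port 3128
acl localnet src 192.168.220.0/24
http_access allow localnet
http_access deny all
cache_effective_user squid
cache_effective_group squid'

# audit_http_access CONFIG_TEXT
# Prints OPEN if an unconditional "allow all" is the first catch-all rule,
# RESTRICTED if "deny all" is, and NO-CATCH-ALL if neither is present.
audit_http_access() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*#/ { next }                     # skip comment lines
        $1 == "http_access" && $3 == "all" && NF == 3 {
            verdict = ($2 == "allow") ? "OPEN" : "RESTRICTED"
            print verdict
            found = 1
            exit
        }
        END { if (!found) print "NO-CATCH-ALL" }'
}

echo "step (7) config: $(audit_http_access "$weak_conf")"
echo "restricted config: $(audit_http_access "$hardened_conf")"
```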

Fourth, set up a traditional proxy

Web server: 192.168.220.136

Proxy server: 192.168.220.131

Client: 192.168.220.129

Step 1: edit the configuration file /etc/squid.conf

# amount of memory space used by the caching function
cache_mem 64 MB

# maximum file size that users are allowed to download
reply_body_max_size 10 MB

# maximum object size allowed to be saved to cache space
maximum_object_size 4096 KB

Step 2: set the firewall rules

iptables -F    # clear all rules to temporarily stop the firewall

setenforce 0    # switch SELinux to permissive mode

iptables -I INPUT -p tcp --dport 3128 -j ACCEPT    # accept traffic to destination port 3128

Step 3: set up the proxy service in the client browser

(1) Open the browser → Tools → Internet Options → Connections → LAN Settings

(2) In the browser, visit the IP address of the web server and refresh several times. Because a proxy service is set up, the request to the website is actually completed by the proxy server on our behalf. To verify this, check the log file of the web server to see whether the visiting IP address is the client's or the proxy server's.

Check the log file /etc/httpd/logs/access_log. The following is a partial screenshot:

You can see that it is the proxy server that visits the web page, not the client, which also serves the purpose of hiding the real IP address of the client.

Fifth, set up a transparent proxy

The proxy server (a virtual machine) is configured with two network cards: ens33 (internal network card) and ens36 (external network card)

Squid proxy server: internal network 192.168.100.1; public network 12.0.0.1

Web server: 12.0.0.12

Client: 192.168.100.50

Step 1: remove the proxy setting from the LAN settings of the user's browser

Step 2: configure the squid proxy server

(1) Enable route forwarding:

echo "1" > /proc/sys/net/ipv4/ip_forward

(2) Edit the configuration file /etc/squid.conf

Modify the listening address:

http_port 192.168.100.1:3128 transparent

(3) Add the firewall policies:

iptables -F

iptables -t nat -F    # reset the firewall

iptables -t nat -I PREROUTING -i ens33 -s 192.168.100.0/24 -p tcp --dport 80 -j REDIRECT --to-ports 3128

# redirect the port to 3128

iptables -t nat -I PREROUTING -i ens33 -s 192.168.100.0/24 -p tcp --dport 443 -j REDIRECT --to-ports 3128

iptables -I INPUT -p tcp --dport 3128 -j ACCEPT    # open port 3128

(4) Restart the service:

service squid restart
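A check for the redirect rules from step (3), as an added example that is not part of the original article: it reads iptables-save style output and reports which REDIRECT rules point at the Squid port, whether they are limited to the LAN side, and whether port 443 is sent there. Squid expects plain HTTP on an http_port, so TLS handshakes redirected from port 443 are not parsed as requests on that port. The sample rule text is constructed, and its third rule (port 8080) is added only for contrast.

```shell
#!/bin/sh
# Added example, not from the original article.
# Constructed sample: what iptables-save would show after step (3),
# plus one constructed unscoped rule (dport 8080) for contrast.
rules='*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -s 192.168.100.0/24 -i ens33 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3128
-A PREROUTING -s 192.168.100.0/24 -i ens33 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A PREROUTING -p tcp -m tcp --dport 8080 -j REDIRECT --to-ports 3128
COMMIT'

# audit_redirects SAVE_TEXT SQUID_PORT
# Prints one line per PREROUTING REDIRECT rule that targets SQUID_PORT.
audit_redirects() {
    printf '%s\n' "$1" | awk -v port="$2" '
        $1 == "-A" && $2 == "PREROUTING" && /-j REDIRECT/ {
            dport = to = iface = src = ""
            for (i = 3; i < NF; i++) {          # pick out option values
                if ($i == "--dport")    dport = $(i + 1)
                if ($i == "--to-ports") to    = $(i + 1)
                if ($i == "-i")         iface = $(i + 1)
                if ($i == "-s")         src   = $(i + 1)
            }
            if (to != port) next                # rule does not target Squid
            if (iface == "" || src == "") {
                print "WARN dport " dport ": not limited to the LAN interface and subnet"
            } else if (dport == "443") {
                print "WARN dport 443: TLS redirected to a plain-HTTP intercept port"
            } else {
                print "OK dport " dport ": " src " via " iface " -> " to
            }
        }'
}

audit_redirects "$rules" 3128
```

On a live gateway the same function can be fed the output of iptables-save -t nat.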

Step 3: verify

1. Visit the web server's website in the client browser

2. In the log file of the web server, check which IP address made the visit:

/etc/httpd/logs/access_log, here are some screenshots:

You can see that it is the IP address of the external network card of the squid proxy server.
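The access_log check used in both verification steps, as an added example that is not part of the original article: it separates direct hits from proxied ones and reports whether the X-Forwarded-For request header still names the client, which Squid sends by default (forwarded_for on; with forwarded_for off the value is "unknown"). The custom LogFormat and the sample lines are assumptions constructed for this example from the addresses of the two lab setups.

```shell
#!/bin/sh
# Added example, not from the original article. Assumes the web server logs
# with this custom format, which records the X-Forwarded-For request header:
#   LogFormat "%h \"%{X-Forwarded-For}i\" \"%r\" %>s" proxyaudit
# Constructed sample lines using the addresses from both lab setups.
sample_log='192.168.220.131 "192.168.220.129" "GET / HTTP/1.1" 200
192.168.220.129 "-" "GET / HTTP/1.1" 200
12.0.0.1 "192.168.100.50" "GET / HTTP/1.1" 200
12.0.0.1 "unknown" "GET / HTTP/1.1" 200'

# classify_hits LOG_TEXT "PROXY_IP ..."
# One result line per request: who connected to the web server, and whether
# the header still names the original client.
classify_hits() {
    printf '%s\n' "$1" | awk -F'"' -v proxies="$2" '
        BEGIN { n = split(proxies, p, " ")
                for (i = 1; i <= n; i++) is_proxy[p[i]] = 1 }
        NF >= 4 {
            peer = $1; sub(/ +$/, "", peer)     # connecting address (%h)
            xff = $2;  sub(/,.*/, "", xff)      # first entry = original client
            if (!(peer in is_proxy)) {
                print "direct " peer
            } else if (xff ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) {
                print "proxied " peer " exposes " xff
            } else {
                print "proxied " peer " hides-client"
            }
        }'
}

classify_hits "$sample_log" "192.168.220.131 12.0.0.1"
```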

The above is the essence of, and the difference between, Squid's traditional proxy and transparent proxy. The editor believes that it covers some knowledge points that we may see or use in our daily work. I hope you can learn more from this article. For more details, please follow the industry information channel.
