
Simple instructions for squid installation

2025-01-17 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/02

Download and install squid

1. Hardware requirements for squid installation

Squid runs on all popular Unix systems, as well as on Microsoft Windows. Although squid's Windows support is constantly improving, it may be easier on Unix. If you have a favorite operating system, I suggest you use that one. Otherwise, if you are looking for a recommendation, I like FreeBSD very much.

The hardware requirements of squid are not high. Memory is the most important resource, and a memory shortage can seriously affect performance. Disk space is another important factor: more disk space means more cached objects and higher hit rates. Fast disks and drives are also beneficial. If you are willing to spend money, SCSI disks perform better than ATA. A fast CPU is also good, but it is not a key factor in improving performance.

Because squid uses a small amount of memory for each cached response, there is a link between disk space and memory requirements. The basic rule is that each GB of disk space requires 32 MB of memory. By this rule, a system with 512 MB of memory can support a 16 GB disk cache. Of course, your situation will be different. Memory requirements depend on the following factors: cached object size, CPU architecture (32-bit or 64-bit), the number of users online at the same time, and the special features you use.

People often ask: "My network has X users; what kind of hardware do I need for squid?" Such questions are difficult to answer for many reasons. In particular, it is difficult to say how much traffic X users will generate. I tell people to build a system with enough disk space to store 3-7 days' worth of web traffic. For example, if your users consume 1m of traffic for eight hours a day (only HTTP and FTP transmissions), that's about 3.5G per day. So I would say that you need 10 to 25 gigabytes of disk space per megabyte of web transfer.

2.2. Download and install squid

2.2.1. squid download address

http://www.squid-cache.org/

2.2.3. Pre-installation preparation

1) File descriptor modification

The file descriptor is a simple integer that identifies each file and socket opened by the process. The first open file is 0, the second is 1, and so on. The Unix operating system usually imposes a limit on the number of files that each process can open. What's more, unix usually has a system-level limitation.

Because of the way squid works, file descriptor limits can greatly affect performance. When squid uses up all its file descriptors, it cannot accept new connections from users. That is, running out of file descriptors results in a denial of service. Squid cannot accept new requests until some of the current requests complete and the corresponding files and sockets are closed. When squid detects a shortage of file descriptors, it issues a warning.

Before running ./configure, check that your system's file descriptor limits are appropriate, to avoid trouble later. In most cases, 1024 file descriptors are sufficient. A very busy cache may need 4096 or more. When configuring file descriptor limits, I recommend setting the system-wide limit to twice the per-process limit.

You can usually find the file descriptor limits for the system from your Unix shell. The C shell and similar shells have a built-in limit command. Newer Bourne shells and their relatives have a command called ulimit. To discover the file descriptor limitations of your system.

Method 1:

# ulimit -SHn 20480

Method 2:

# vi /etc/security/limits.conf

* - nofile 20480

2) Adjust the temporary port range

Temporary (ephemeral) ports are local ports that the TCP/IP stack assigns to outgoing connections. In other words, when squid initiates a connection to another server, the kernel assigns a port number to the local socket. These local port numbers are drawn from a limited range. For example, on FreeBSD, the default temporary port range is 1024-5000.

A shortage of temporary port numbers can have a significant impact on performance for very busy proxy servers, such as those handling hundreds of connections per second. This is because some TCP connections go into the TIME_WAIT state when they are closed. While a connection is in the TIME_WAIT state, its temporary port number cannot be reused.

View the local port range:

# cat /proc/sys/net/ipv4/ip_local_port_range

32768 61000

Modify the temporary port range:

# echo "net.ipv4.ip_local_port_range = 4000 65000" >> /etc/sysctl.conf

# sysctl -p

2.3.4 installation

# tar -zxf squid-3.0.STABLE26.tar.gz

# cd squid-3.0.STABLE26

# ./configure --prefix=/usr/local/squid --enable-storeio=ufs,aufs --enable-icmp

# make

# make install

2.3.5. Directory layout after installation:

# tree -L 2 /usr/local/squid/

/usr/local/squid/
├── bin
│   ├── RunAccel
│   ├── RunCache
│   └── squidclient
├── etc
│   ├── cachemgr.conf
│   ├── cachemgr.conf.default
│   ├── mime.conf
│   ├── mime.conf.default
│   ├── squid.conf
│   └── squid.conf.default
├── libexec
│   ├── cachemgr.cgi
│   ├── pinger
│   └── unlinkd
├── sbin
│   └── squid
├── share
│   ├── errors
│   ├── icons
│   ├── man
│   └── mib.txt
└── var
    └── logs

sbin

Programs in the sbin directory can only be started by root.

sbin/squid

The main program of Squid.

bin

The bin directory contains programs that are available to all users.

bin/RunCache

RunCache is a shell script that you can use to start squid. If squid dies, the script automatically restarts it unless it detects frequent restarts. RunCache is a relic of the time when Squid was not a background service process. In recent versions, RunCache is rarely needed because Squid automatically restarts itself when you don't use the -N option.

bin/RunAccel

RunAccel is almost identical to RunCache, except that it adds a command-line argument that tells squid where to listen for HTTP requests.

bin/squidclient

squidclient is a simple HTTP client program that you can use to test squid. It also has some special features for making administrative requests to a running squid process.

libexec

The libexec directory traditionally contains helper programs. These are commands that you would not normally start yourself; they are usually started by other programs.

libexec/unlinkd

unlinkd is a helper program that deletes files from the cache directory. As you will see later, file deletion is a performance bottleneck. Squid gains some performance by performing delete operations in an external process.

libexec/cachemgr.cgi

cachemgr.cgi is the CGI interface to Squid's management functions. To use it, you need to copy the program to your web server's cgi-bin directory. There is more description in Chapter 14.2.

libexec/diskd (optional)

Present only if you specify --enable-storeio=diskd.

libexec/pinger (optional)

Present only if you specify --enable-icmp.

etc

The etc directory contains the configuration files for squid.

etc/squid.conf

This is the main configuration file for squid. The initial file contains a large number of comments that explain what each option does. Once you understand these configuration directives, it is recommended that you delete the comments to make the configuration file smaller and easier to read. Note that if the file already exists, the installation process will not overwrite it.

etc/squid.conf.default

This is the default configuration file copied from the source code directory. After upgrading your squid installation, you may find it useful to have a copy of the current default configuration file. New configuration directives may be added, and some existing directives may change.

etc/mime.conf

The mime.conf file tells squid what MIME type to use for data obtained from FTP and Gopher servers. The file is a table that associates filename extensions with MIME types. Normally, you don't have to edit the file. However, you may need to add entries for special file types that are used in your organization.

etc/mime.conf.default

This is the default mime.conf file copied from the source code directory.

share

The share directory usually holds read-only data files for squid.

share/mib.txt

This is the SNMP Management Information Base (MIB) file for squid. Squid itself does not use this file; however, your SNMP client software (such as snmpget and the Multi Router Traffic Grapher (MRTG)) needs it to understand which SNMP objects squid makes available.

share/icons

The share/icons directory contains a large number of small icon files, which squid uses in FTP and Gopher directory listings. Normally, you don't have to worry about these files, but you can change them if you need to.

share/errors

The share/errors directory contains the error message templates that squid displays to the user. These files are copied from the source code directory when you install squid. You can edit them if you want. However, every time you run make install, the installation process overwrites them. So if you want to customize error messages, it is recommended that you put them in a different directory.

var

The var directory contains files that are not very important and change frequently. You don't normally have to back up these files.

var/logs

The var/logs directory is the default location for squid's log files. When you first install squid, it is empty. Once squid is running, you can see files named access.log, cache.log and store.log here.

2.3.6 squid.conf syntax

The configuration file of Squid is relatively standard. It is similar to that of many other Unix programs. Each line begins with a configuration directive, followed by a value or keyword. When reading the configuration file, squid ignores blank lines and comment lines (starting with #). Here are some examples of configuration lines:

cache_log /squid/var/cache.log

# define the localhost ACL

acl Localhost src 127.0.0.1/32

connect_timeout 2 minutes

log_fqdn on

Some directives take a single value. In these cases, assigning a different value to the directive again overwrites the previous value. For example, here is a connection timeout value. The first line has no effect because the second line overwrites it:

connect_timeout 2 minutes

connect_timeout 1 hour

In addition, some directives take list values. In these cases, each new value is added to the list. The extension_methods directive works in this way:

extension_methods UNGET

extension_methods UNPUT

extension_methods UNPOST

For these list-based directives, you can usually assign multiple values on the same line:

extension_methods UNGET UNPUT UNPOST

Many directives share common value types. For example, the connection timeout value is a time specification: a number followed by a time unit. For example:

connect_timeout 3 hours

client_lifetime 4 days

negative_ttl 27 minutes

Similarly, a large number of directives refer to a file size or memory limit. You write a size specification as a decimal number followed by bytes, KB, MB or GB. For example:

minimum_object_size 12 bytes

request_header_max_size 10 KB

maximum_object_size 187 MB

Another type worth mentioning is the toggle, whose value is on or off. Many directives use this type. For example:

server_persistent_connections on

strip_query_terms off

prefer_direct on

Typically, configuration file directives can appear in any order. However, if one directive refers to a value that is defined by another directive, then the order is important. Access control lists are a good example. An acl must be defined before an http_access rule uses it:

acl Foo src 1.2.3.4

http_access deny Foo

Many things in squid.conf are case-sensitive, such as directive names. You can't write http_port as HTTP_port.

The default squid.conf file contains a large number of comments for each instruction, as well as the default values for the instruction. For example:

# TAG: persistent_request_timeout

# How long to wait for the next HTTP request on a persistent

# connection after the previous request completes.

#

# Default:

# persistent_request_timeout 1 minute

After each installation of squid, the current default configuration file is stored as squid.conf.default in the $prefix/etc directory. Since directives change between releases, you can refer to this file for the latest updates.
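The syntax rules in this section (a single-valued directive keeps its last value, list directives accumulate, an acl must precede the http_access line that uses it, directive names are case-sensitive) can be checked mechanically. The reader below is an added example, not squid's own parser and not part of the original article; the names parse_squid_conf, TOKEN_LISTS and LINE_LISTS are hypothetical, and the sample input is constructed from the article's example lines.

```python
# Added example. SAMPLE is constructed from the article's own example lines.
SAMPLE = """\
# define an ACL after it is used, repeat a timeout, mistype a directive
connect_timeout 2 minutes
connect_timeout 1 hour
extension_methods UNGET
extension_methods UNPUT UNPOST
http_access deny Foo
acl Foo src 1.2.3.4
HTTP_port 3128
"""

TOKEN_LISTS = {"extension_methods"}                 # every token is one list item
LINE_LISTS = {"acl", "http_access", "http_port"}    # every line is one list item
# Assumption: only these four are modelled as lists; ACLs predefined by squid are not modelled.

def parse_squid_conf(text):
    """Return (settings, warnings) using the syntax rules described above."""
    settings, seen_at, acls, warnings = {}, {}, set(), []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):        # blank lines and comments are ignored
            continue
        parts = line.split(None, 1)
        name, value = parts[0], (parts[1] if len(parts) > 1 else "")
        if name != name.lower():                     # directive names are case-sensitive
            warnings.append(f"line {lineno}: {name} is not a directive, use {name.lower()}")
            continue
        if name == "acl" and value:
            acls.add(value.split()[0])
        elif name == "http_access":                  # http_access allow|deny [!]aclname ...
            for ref in value.split()[1:]:
                if ref.lstrip("!") not in acls:
                    warnings.append(f"line {lineno}: ACL {ref.lstrip('!')} used before its acl line")
        if name in TOKEN_LISTS:
            settings.setdefault(name, []).extend(value.split())
        elif name in LINE_LISTS:
            settings.setdefault(name, []).append(value)
        else:
            if name in settings:                     # single-valued: the last line wins
                warnings.append(f"line {lineno}: {name} overrides line {seen_at[name]}")
            settings[name], seen_at[name] = value, lineno
    return settings, warnings

if __name__ == "__main__":
    conf, notes = parse_squid_conf(SAMPLE)
    print(conf["connect_timeout"], conf["extension_methods"])
    print("\n".join(notes))
```

An http_access rule that names an ACL before it is defined is the warning to act on first, because the rule then does not express the policy its author intended.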

2.3.7 squid users

As you may know, Unix processes and files have user and group owner attributes. You must select a user and group for squid. This user and group combination must have read and write access to most squid-related files and directories.

I highly recommend creating a user and group named "squid". This prevents someone from using squid to read other files on the system. If more than one person has administrative rights to squid, you can add them to the squid group.

Unfortunately, running squid is not always that easy. In some cases, you must start squid as root, depending on your configuration. For example, only root can bind TCP sockets to privileged ports, such as 80. If you must start squid as root, you must set the cache_effective_user directive. It tells squid which user to become after performing the tasks that require special permissions. For example:

cache_effective_user squid

The name you provide must be a valid user (in the /etc/passwd file). Please note that you need this directive only if you start squid as root. Only root has the ability to change its user identity at will. If you start squid as joe, it cannot switch to the squid user.

You may be tempted to run squid as root without setting cache_effective_user. If you try, you will find that squid refuses to run. This is for security reasons. If an outsider were able to compromise or exploit squid, he could gain full access to the system. Although we strive to make squid secure and free of bugs, it is better to be careful.

If you start squid as root without setting cache_effective_user, squid uses nobody as the default. Whichever user ID you choose, please make sure it has read access to the following directories: $prefix/etc, $prefix/libexec, $prefix/share. The user ID must also have write access to the log files and cache directories.

Squid also has a cache_effective_group directive, but you may not have to set it. By default, squid uses the default group of cache_effective_user (read from the /etc/passwd file).

# /usr/sbin/useradd -s /sbin/nologin -M squid

The default user is nobody

# grep cache_effective_user /usr/local/squid/etc/squid.conf

# TAG: cache_effective_user

# cache_effective_user nobody

Modify users and groups

cache_effective_user squid

cache_effective_group squid
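The access requirements stated above (read access to $prefix/etc, $prefix/libexec and $prefix/share, write access to the log and cache directories, and never root as the effective user) can be verified before squid is first started. The check below is an added example, not part of the original article or of squid; the function names are hypothetical, it evaluates only the classic owner/group/other mode bits, and it assumes the cache is in var/cache under the prefix, as in the cache_dir line on this page.

```python
import grp
import os
import pwd
import stat

# Access the article says the squid account needs, relative to $prefix.
# Assumption: the cache lives in var/cache, as in the cache_dir line used on this page.
NEEDS = {"etc": "r", "libexec": "r", "share": "r", "var/logs": "w", "var/cache": "w"}

def permitted(st, uid, gids, want):
    """Apply the owner/group/other mode bits for (uid, gids); POSIX ACLs are not modelled."""
    shift = 6 if st.st_uid == uid else 3 if st.st_gid in gids else 0
    bits = (st.st_mode >> shift) & 0o7
    need = 0o4 if want == "r" else 0o2
    if stat.S_ISDIR(st.st_mode):
        need |= 0o1                                  # using a directory also needs the x bit
    return bits & need == need

def audit_prefix(prefix, uid, gids):
    """List what would stop the account squid switches to from doing its job."""
    if uid == 0:
        return ["effective user is root: set cache_effective_user to an unprivileged account"]
    problems = []
    for rel, want in NEEDS.items():
        try:
            st = os.stat(os.path.join(prefix, rel))
        except OSError:
            problems.append(f"{rel}: missing or not reachable")
            continue
        if not permitted(st, uid, gids, want):
            problems.append(f"{rel}: no {want} access, mode {stat.S_IMODE(st.st_mode):o}")
    return problems

def audit_for_user(prefix, username):
    """Resolve username through the passwd and group databases, then audit prefix."""
    try:
        user = pwd.getpwnam(username)
    except KeyError:
        return [f"{username}: no such user"]
    gids = {user.pw_gid} | {g.gr_gid for g in grp.getgrall() if username in g.gr_mem}
    return audit_prefix(prefix, user.pw_uid, gids)

if __name__ == "__main__":
    print(audit_for_user("/usr/local/squid", "squid") or "no problems found")
```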

2.3.8 squid log path

You must make sure that the disk location of the log files has enough space. If squid encounters an error while writing a log, it exits and restarts. The main reason for this behavior is to get your attention. Squid wants to make sure that you don't lose any important log information, especially if your system is being abused or attacked.

Squid has three main log files: cache.log, access.log, store.log.

cache.log:

Contains status and debug messages. When you first start running squid, you should pay close attention to this file. If squid refuses to run, the reason may appear at the end of the cache.log file. Under normal conditions, the file does not become very large. Also note that if you run squid with the -s option, important cache.log messages are also sent to your syslog process. By using the cache_log directive, you can change the path of the log file.

access.log:

The access.log file contains a single line for each client request made to squid. This is typically an HTTP access log, with an average of about 150 bytes per line. In other words, after accepting 1 million client requests, its size is about 150 MB. Use the cache_access_log directive to change the path of the log file:

cache_access_log /squid/logs/access.log

store.log:

The store.log file is not very useful for most cache administrators. It contains a record of each object entering and leaving the cache. The average record size is typically 175-200 bytes. However, squid does not create a store.log entry for cache hits, so it contains far fewer records than access.log. Use the cache_store_log directive to change its location:

cache_store_log /squid/logs/store.log

access_log /usr/local/squid/var/logs/access.log squid

cache_log /usr/local/squid/var/logs/cache.log

cache_store_log /usr/local/squid/var/logs/store.log

2.3.9 squid cache path

cache_dir: specifies the path of the disk cache

cache_dir ufs /usr/local/squid/var/cache 100 16 256

100: size of the cache directory in MB

16: number of first-level directories

256: number of second-level subdirectories

2.3.10 squid port

The http_port directive tells squid on which port to listen for HTTP requests. The default port is 3128:

http_port 3128

If squid is a reverse proxy, you should set this value to 80.

You can use additional http_port lines to make squid listen on multiple ports. This is often useful if you have to support groups of clients that are configured differently. For example, a browser from one department sends a request to 3128, while another department uses port 80. Simply list two port numbers:

http_port 3128

http_port 8080

You can also use the http_port directive to make squid listen on a specific interface address. When squid runs on a firewall, the machine has two network interfaces: one internal and one external. You may not want to accept HTTP requests from outside. To make squid listen only on the inside interface, simply put the IP address before the port number:

http_port 192.168.1.1:3128

For example, if the machine runs both an HTTP server and squid, you can specify the IP address: 192.168.1.1:80
