2025-01-19 Update From: SLTechnology News&Howtos, Shulou (Shulou.com)
This article walks through the process of configuring a Squid proxy server on a Linux system, using a reverse proxy experiment as the worked example.
What is squid?
Squid is software that caches Internet data. It receives download requests from users and handles the downloaded data automatically. In other words, when a user wants to download a home page, the request goes to Squid, which downloads the page on the user's behalf: Squid connects to the requested website, fetches the home page, and sends it to the user while keeping a copy. When other users request the same page, Squid immediately sends them the saved copy, which feels considerably faster to the user. Currently, Squid can act as a proxy for the HTTP, FTP, GOPHER, SSL and WAIS protocols.
The benefits of using Squid: fast response, reduced network congestion, enhanced access control, and improved security. Access control can be applied to specific websites, users, networks, and data types.
Squid has three proxy modes: normal proxy mode, transparent proxy mode and reverse proxy mode.
1. Normal proxy mode
A standard caching proxy service caches static web pages (e.g. HTML files, image files, etc.) on a host in the local network (i.e. the proxy server). When a cached page is accessed a second time, the browser obtains the data directly from the local proxy server instead of requesting it from the original web site. This saves valuable network bandwidth and improves access speed. To achieve this, however, the IP address and port number of the proxy server must be explicitly configured in the browser of each internal host. Every request the client makes goes to the proxy server, and the proxy server decides from the request whether it needs to connect to the remote web server to obtain the data. If the target file is in the local cache, it is sent directly to the user. If not, the proxy retrieves the file first, saves a copy locally, and then sends the file to the client browser.
2. Transparent proxy mode
The transparent caching proxy service has exactly the same function as the standard proxy server, but the proxy operation is transparent to the client's browser (that is, there is no need to specify the IP and port of the proxy server). The transparent proxy server intercepts network traffic and picks out the outbound HTTP (port 80) traffic. If the client's request is cached locally, the cached data is sent directly to the user; if it is not, the request is sent to the remote web server. The rest of the operation is exactly the same as for the standard proxy server. On Linux, transparent proxies are implemented using iptables or ipchains. Transparent proxies are particularly useful for ISPs (Internet service providers) because no browser settings are required.
3. Reverse proxy mode
A reverse proxy is a completely different kind of proxy service from the first two. It is used to reduce the load on the original web server and is also known as an HTTP accelerator. The reverse proxy server takes over the requests for the original web server's static pages: a high-speed web cache server (the reverse proxy server) is placed between the busy web server and the Internet, which reduces the load on the actual web server. Web server acceleration (reverse proxying) acts as a proxy cache, not for browser users but for one or more specific web servers. The reverse proxy cache is simply placed in front of one or more web servers. When an Internet user accesses the web server, the IP address returned by DNS is that of the reverse proxy server rather than that of the original web server; the reverse proxy server acts as the web server, and the browser connects to it without connecting directly to the web server. As a result, a large part of the web service workload is offloaded to the reverse proxy. This not only avoids the security risks of direct communication between external hosts and the web server, but also greatly reduces the load on the web server and improves access speed.
The following is the Squid reverse proxy experiment.
There are two servers. The first is the HTTP server, 10.1.1.200, port 80, which serves two virtual hosts, www.testone.com and www.testtwo.com.
The other, the Squid server, is the reverse proxy server, 10.1.6.200.
Client IP: 10.1.6.173
Test: the client accesses the HTTP server through the Squid server. For this, modify /etc/hosts on the client and add two lines (so that the client resolves the two domain names to 10.1.6.200, the IP of the Squid reverse proxy server; the listening port is 3128 by default):
10.1.6.200 www.testone.com
10.1.6.200 www.testtwo.com
On the Squid server, modify /etc/hosts and add two lines:
10.1.1.200 www.testone.com
10.1.1.200 www.testtwo.com
Install squid
The code is as follows:
root@10.1.6.200:~# apt-get install squid
Configure squid
The code is as follows:
root@10.1.6.200:~# vim /etc/squid/squid.conf
http_port 3128 # http_port tells squid which port to listen on for HTTP requests. Default is 3128.
http_port 10.1.6.200:80 vhost # here vhost supports virtual hosts
cache_dir aufs /opt/squid/cache 200 16 256 # cache directory settings, syntax: cache_dir Type Directory-Name Mbytes L1 L2
The code is as follows:
# define ACLs (access control lists). Syntax: acl aclname acltype argument ...
acl all src all
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
The code is as follows:
acl Safe_ports port 80
acl purge method PURGE
acl CONNECT method CONNECT
acl manager proto cache_object
The code is as follows:
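# define access control rules using the ACLs defined earlier
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports # refuse requests to any port other than 80
http_access allow all # every request that reaches this line is allowed, whatever its source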
The code is as follows:
cache_mem 200 MB # if the physical memory is large, try to set it larger
maximum_object_size 20 MB # maximum size of a cached object
maximum_object_size_in_memory 5 MB # maximum size of an object kept in memory
The code is as follows:
# Virtual host proxy configuration: when the client requests www.testone.com, Squid forwards the request to port 80 of www.testone.com.
cache_peer www.testone.com parent 80 0 no-query originserver name=one
cache_peer www.testtwo.com parent 80 0 no-query originserver name=two
cache_peer_domain one www.testone.com
cache_peer_domain two www.testtwo.com
The code is as follows:
# set the user and group squid runs as
cache_effective_user proxy
cache_effective_group proxy
The code is as follows:
# log file settings
access_log /var/log/squid/access.log squid
cache_log /var/log/squid/cache.log
cache_store_log none
The code is as follows:
mime_table /usr/share/squid/mime.conf
pid_filename /var/log/squid/squid.pid
The code is as follows:
coredump_dir /var/spool/squid
Set the owner of the cache directory to proxy; otherwise startup will fail with a permissions error.
The code is as follows:
root@10.1.6.200:opt# chown -R proxy:proxy squid/
root@10.1.6.200:opt# ll
total 8
drwxr-xr-x 3 proxy proxy 4096 2013-02-21 22:42 squid
Before starting the squid service, check that the configuration file is correct (if you see no output, the configuration file is valid):
root@10.1.6.200:opt# squid -k parse
Initialize the cache directory, that is, create the storage layout of the cache directory. This must be done before running squid for the first time and whenever a new cache_dir is added. Initialization may take some time, depending on the size and number of cache directories; to watch the process in detail, add the -X option.
The code is as follows:
root@10.1.6.200:squid# squid -z
2013/02/22 20:31:10| Creating Swap Directories
Start the squid service
The code is as follows:
root@10.1.6.200:squid# /etc/init.d/squid start
Starting Squid HTTP proxy: squid.
root@10.1.6.200:squid# netstat -tunlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:833 0.0.0.0:* LISTEN 1929/famd
tcp 0 0 10.1.6.200:80 0.0.0.0:* LISTEN 2491/(squid)
tcp 0 0 0.0.0.0:3128 0.0.0.0:* LISTEN 2491/(squid)
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1890/exim4
udp 0 0 0.0.0.0:58152 0.0.0.0:* 2491/(squid)
udp 0 0 0.0.0.0:3130 0.0.0.0:* 2491/(squid)
udp 0 0 0.0.0.0:711 0.0.0.0:* 1383/rpc.statd
udp 0 0 0.0.0.0:59518 0.0.0.0:* 1383/rpc.statd
The process of configuring virtual hosts on the HTTP server 10.1.1.200 is not explained in detail here. The www.testone.com and www.testtwo.com virtual hosts have already been configured separately.
If you look at the HTTP server logs, you will find that the requests come from the Squid server's IP.
The code is as follows:
root@10.1.1.200:apache2# tail -f www.testone.com_access.log
10.1.6.200 - - [22/Feb/2013:20:47:17 +0800] "GET / HTTP/1.0" 304 - "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; QQDownload 734; .NET4.0C; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)"
The code is as follows:
root@10.1.1.200:apache2# tail -f www.testtwo.com_access.log
10.1.6.200 - - [22/Feb/2013:20:49:07 +0800] "GET / HTTP/1.0" 304 - "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; QQDownload 734; .NET4.0C; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)"
The following is the whole access process:
1. When the client enters www.testone.com in the browser, local /etc/hosts resolution maps the domain name www.testone.com to 10.1.6.200 (the Squid reverse proxy server), so the client sends a request to the Squid reverse proxy server, at port 3128 by default. Note: entering www.testone.com and entering http://10.1.6.200 on the client are different. If the request is made by IP, Squid cannot act as a proxy for multiple servers on the internal network; the domain name must be used. The two Squid options cache_peer and cache_peer_domain let Squid know that a request for www.testone.com is ultimately meant for port 80 of the HTTP server 10.1.1.200, which is what allows Squid to act as a proxy for multiple internal servers.
2. The Squid server receives the request from the client, sees that it is for www.testone.com, and knows from its configuration that the request should go to port 80 of the HTTP server 10.1.1.200.
3. The HTTP server listens on port 80, receives the request from Squid, and sends the corresponding data back to the Squid server.
4. After receiving the data that the HTTP server sent from port 80, Squid caches the data locally and sends it from its own port 3128 to the client 10.1.6.173.