
How to configure Squid proxy server under Sun Solaris 9

2025-04-04 Update From: SLTechnology News&Howtos, Shulou (Shulou.com)

This article explains how to configure a Squid proxy server under Sun Solaris 9. The editor finds it very practical and shares it here as a reference.

I. Squid depends on DNS, so you need to configure your DNS service before you install and configure Squid. Otherwise, Squid will report an error and will not run!

1. Installation and configuration of the DNS service.

bash-2.05# pkgadd -d ./bind-9.4.1pl1-sol9-sparc-local    -- installation.

The named service is installed by default in the /usr/local/sbin directory.

a. Edit the main configuration file

root@xiao.com # vi /etc/named.conf    -- write the following.

options {
        directory "/usr/local/sbin/var/named";
        forwarders { 210.21.4.130; 202.96.128.86; };    // forwarders used to resolve names on the external network
};
//
// a caching only name server config
//
zone "." IN {
        type hint;
        file "named.ca";
};
zone "xiao.com" IN {
        type master;
        file "xiao.com.zone";    // forward lookup zone file, in /usr/local/sbin/var/named/
        allow-update { none; };
};
zone "0.168.192.in-addr.arpa" IN {
        type master;
        file "xiao.com.local";    // reverse lookup zone file, in /usr/local/sbin/var/named/
        allow-update { none; };
};
zone "0.0.127.in-addr.arpa" IN {
        type master;
        file "localhost.local";    // reverse lookup zone file, in /usr/local/sbin/var/named/
        allow-update { none; };
};

b. Generate the rndc.key and rndc.conf files.

root@xiao.com # /usr/local/sbin/rndc-confgen    -- use this command (the secret is generated randomly on each run, so yours will differ).

# Start of rndc.conf
key "rndc-key" {
        algorithm hmac-md5;
        secret "Sc1rFA4LnK9jNqnU0F7mDA==";
};

options {
        default-key "rndc-key";
        default-server 127.0.0.1;
        default-port 953;
};
# End of rndc.conf    -- copy this section to /etc/rndc.conf and save it

# Use with the following in named.conf, adjusting the allow list as needed:
# key "rndc-key" {
#       algorithm hmac-md5;
#       secret "Sc1rFA4LnK9jNqnU0F7mDA==";
# };
#
# controls {
#       inet 127.0.0.1 port 953
#               allow { 127.0.0.1; } keys { "rndc-key"; };
# };    -- copy this segment to /etc/rndc.key and save it

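c. Create named.pid and edit the forward and reverse lookup files.

bash-2.05# mkdir /usr/local/sbin/run

bash-2.05# touch /usr/local/sbin/run/named.pid    -- create the process ID file.

bash-2.05# mkdir -p /usr/local/sbin/var/named

root@xiao.com # vi /usr/local/sbin/var/named/named.ca    -- write the following. This is the root name server hints file. Note that this copy is dated Jan 29, 2004 and some root server addresses have changed since; use the current file when deploying.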

;       This file holds the information on root name servers needed to
;       initialize cache of Internet domain name servers
;       (e.g. reference this file in the "cache  .  <file>"
;       configuration file of BIND domain name servers).
;
;       This file is made available by InterNIC
;       under anonymous FTP as
;           file                /domain/named.cache
;           on server           FTP.INTERNIC.NET
;       -OR-                    RS.INTERNIC.NET
;
;       last update:    Jan 29, 2004
;       related version of root zone:   2004012900
;
; formerly NS.INTERNIC.NET
.                        3600000  IN  NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     198.41.0.4
; formerly NS1.ISI.EDU
.                        3600000      NS    B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET.      3600000      A     192.228.79.201
; formerly C.PSI.NET
.                        3600000      NS    C.ROOT-SERVERS.NET.
C.ROOT-SERVERS.NET.      3600000      A     192.33.4.12
; formerly TERP.UMD.EDU
.                        3600000      NS    D.ROOT-SERVERS.NET.
D.ROOT-SERVERS.NET.      3600000      A     128.8.10.90
; formerly NS.NASA.GOV
.                        3600000      NS    E.ROOT-SERVERS.NET.
E.ROOT-SERVERS.NET.      3600000      A     192.203.230.10
; formerly NS.ISC.ORG
.                        3600000      NS    F.ROOT-SERVERS.NET.
F.ROOT-SERVERS.NET.      3600000      A     192.5.5.241
; formerly NS.NIC.DDN.MIL
.                        3600000      NS    G.ROOT-SERVERS.NET.
G.ROOT-SERVERS.NET.      3600000      A     192.112.36.4
; formerly AOS.ARL.ARMY.MIL
.                        3600000      NS    H.ROOT-SERVERS.NET.
H.ROOT-SERVERS.NET.      3600000      A     128.63.2.53
; formerly NIC.NORDU.NET
.                        3600000      NS    I.ROOT-SERVERS.NET.
I.ROOT-SERVERS.NET.      3600000      A     192.36.148.17
; operated by VeriSign, Inc.
.                        3600000      NS    J.ROOT-SERVERS.NET.
J.ROOT-SERVERS.NET.      3600000      A     192.58.128.30
; operated by RIPE NCC
.                        3600000      NS    K.ROOT-SERVERS.NET.
K.ROOT-SERVERS.NET.      3600000      A     193.0.14.129
; operated by ICANN
.                        3600000      NS    L.ROOT-SERVERS.NET.
L.ROOT-SERVERS.NET.      3600000      A     198.32.64.12
; operated by WIDE
.                        3600000      NS    M.ROOT-SERVERS.NET.
M.ROOT-SERVERS.NET.      3600000      A     202.12.27.33
; End of File

root@xiao.com # vi /usr/local/sbin/var/named/localhost.local    -- name resolution for the loopback zone

$TTL 86400
@       IN      SOA     xxx.xiao.com. root.xxx.xiao.com. (
                        1997022700 ; Serial
                        28800      ; Refresh
                        14400      ; Retry
                        3600000    ; Expire
                        86400 )    ; Minimum
        IN      NS      xxx.xiao.com.    ; remember to add a dot at the end

root@xiao.com # vi /usr/local/sbin/var/named/xiao.com.local    -- contents of the reverse lookup zone

$TTL 86400
@       IN      SOA     ns.xiao.com. root.xiao.com. (
                        1997022700 ; Serial
                        28800      ; Refresh
                        14400      ; Retry
                        3600000    ; Expire
                        86400 )    ; Minimum
        IN      NS      ns.xiao.com.
213     IN      PTR     xxx.xiao.com.    ; remember to add a dot at the end
213     IN      PTR     mail.xiao.com.   ; remember to add a dot at the end

bash-2.05# vi /usr/local/sbin/var/named/xiao.com.zone    -- contents of the forward lookup zone

$TTL 86400
@       IN      SOA     ns.xiao.com. root.xiao.com. (
                        42      ; serial (d. adams)
                        3H      ; refresh
                        15M     ; retry
                        1W      ; expiry
                        1D )    ; minimum
        IN      NS      xxx.xiao.com.    ; remember to add a dot at the end
xxx     IN      A       192.168.0.213    ; address for the NS target; matches the xxx.xiao.com lookup result in the test below
www     IN      A       192.168.0.213
ns      IN      A       192.168.0.213
ftp     IN      A       192.168.0.213

d. Run

bash-2.05# /usr/local/sbin/named    -- run these two commands.

bash-2.05# /usr/sbin/in.named

e. Test:

bash-2.05# /usr/local/bin/host 192.168.0.213    -- the reverse lookup succeeds, so the DNS configuration is complete.

213.0.168.192.in-addr.arpa domain name pointer xxx.xiao.com.

root@xiao.com # /usr/local/bin/nslookup    -- the forward and reverse lookups below both succeed.

> xxx.xiao.com    -- enter your domain name
Server: 192.168.0.213
Address: 192.168.0.213#53

Name: xxx.xiao.com    -- the result returned
Address: 192.168.0.213    -- the result returned

> 192.168.0.213    -- enter the IP address of the host
Server: 192.168.0.213
Address: 192.168.0.213#53

213.0.168.192.in-addr.arpa name = xxx.xiao.com.    -- the result returned
213.0.168.192.in-addr.arpa name = mail.xiao.com.   -- the result returned

II. Installation of Squid.

1. Before installing, check that the DNS service is up and running. Enter the following command; output like the following indicates that the DNS service is working.

bash-2.05# netstat -anv | grep 53

127.0.0.1.53 Idle
192.168.0.213.53 Idle
*.* 0 00000000 00000000 49152 00000000 00000000 3375536 LISTEN
*.* 0 00000000 00000000 49152 00000000 00000000 3375536 IDLE
*.* 0 00000000 00000000 49152 00000000 00000000 3375536 LISTEN
*.* 0 00000000 00000000 49152 00000000 00000000 3375536 LISTEN
*.* 0 00000000 00000000 49152 00000000 00000000 3375536 LISTEN

2. Install the software packages. Download address: http://www.sunfreeware.com/indexsparc9.html

a. List of required software packages (including the DNS software):

bind-9.4.1pl1-sol9-sparc-local
libgcc-3.3-sol9-sparc-local
sasl-2.1.21-sol9-sparc-local
db-4.2.52.NC-sol9-sparc-local
libiconv-1.11-sol9-sparc-local
squid-2.6.STABLE16-sol9-sparc-local
expat-1.95.5-sol9-sparc-local
openldap-2.3.35-sol9-sparc-local
gcc-3.4.6-sol9-sparc-local
openssl-0.9.8f-sol9-sparc-local

b. Install the above dependency packages one by one. Squid is installed in the /usr/local/squid directory by default.

bash-2.05# pkgadd -d ./squid-2.6.STABLE16-sol9-sparc-local

The following packages are available:
  1  SMCsquid     squid
                  (sparc) 2.6.STABLE16

Select package(s) you wish to process (or 'all' to process
all packages). (default: all) [?,q]: all

bash-2.05# cd /usr/local/squid/    -- after Squid is installed, these are the files under the directory.

bash-2.05# ls

bin doc etc libexec sbin share var

c. Set up the runtime environment for Squid: add the squid user and its group. Squid runs as the squid user itself.

bash-2.05# useradd squid

bash-2.05# groupadd squid

d. For Squid to work, you need to create and adjust some of its files manually (they do not have to be created by hand in advance; you can decide based on the prompts and error messages shown when you run Squid for the first time), add them to the squid group, and make them owned by squid. The permissions for the files are set to 644.

bash-2.05# mkdir /usr/local/squid/var/cache

bash-2.05# touch /usr/local/squid/var/logs/squid.pid

bash-2.05# touch /usr/local/squid/var/logs/access.log

bash-2.05# touch /usr/local/squid/var/logs/store.log

bash-2.05# touch /usr/local/squid/var/logs/cache.log

bash-2.05# chown squid:squid /usr/local/squid/var/logs/*

bash-2.05# chmod 644 var/logs/*

bash-2.05# ls -l var/logs/

total 116

-rw-r--r-- 1 squid squid 0 Nov 20 14:26 access.log

-rw-r--r-- 1 squid squid 58062 Nov 21 15:39 cache.log

-rw-r--r-- 1 root squid 4 Nov 21 15:39 squid.pid

-rw-r--r-- 1 squid squid 0 Nov 20 15:11 store.log

Edit the configuration file:

bash-2.05# vi /usr/local/squid/etc/squid.conf

Line 936: uncomment and set the IP and port of this host (the default port is 3128):

http_port 192.168.0.213:3128

Remove the comments at line 632 (list the network segments that are allowed access) and line 633, and pay special attention that line 636 has the declaration shown below; the allow rules must be written before it (all characters are case-sensitive):

631 # be allowed
632 acl our_networks src 192.168.0.0/24 192.168.1.0/24 192.168.2.0/24
633 http_access allow our_networks
634
635 # And finally deny all other access to this proxy
636 http_access deny all

On line 2969, set the effective user (there is no default setting) and remove the comment:

2965 # supplementary group list from the from groups membership of
2966 # cache_effective_user.
2967 #
2968 # Default:
2969 cache_effective_user squid    -- (set to squid here; this is important, otherwise Squid will not start and reports an error that it cannot write to cache, cache.log)

On line 2981, set the effective group (there is no default) and remove the comment:

2977 # If Squid is not started as root the user starting Squid must be member of the specified
2978 # group.
2979 #
2980 # Default:
2981 cache_effective_group squid    -- (set to squid here)

On line 2997, set the hostname shown in error reports (not set by default) and remove the comment:

2993 # get errors about IP-forwarding you must set them to have individual
2994 # names with this setting.
2995 #
2996 # Default:
2997 visible_hostname 192.168.0.213    -- (the IP address is specified here)

e. Run squid.

(1) Before running, check that the DNS service is running properly:

bash-2.05# netstat -avn | grep 53

127.0.0.1.53 Idle
192.168.0.213.53 Idle
*.* 0 00000000 00000000 49152 00000000 00000000 3375536 LISTEN
*.* 0 00000000 00000000 49152 00000000 00000000 3375536 IDLE
*.* 0 00000000 00000000 49152 00000000 00000000 3375536 LISTEN

(2) Create the cache swap directories before running squid for the first time.

bash-2.05# /usr/local/squid/sbin/squid -z    -- run this command; the following output indicates that the cache has been created successfully.

2007/11/21 15:39:16| Starting Squid Cache version 2.6.STABLE16 for sparc-sun-solaris2.9...
2007/11/21 15:39:16| Process ID 363
2007/11/21 15:39:16| With 32768 file descriptors available
2007/11/21 15:39:16| Using poll for the IO loop
2007/11/21 15:39:16| Performing DNS Tests...
2007/11/21 15:39:16| Successful DNS name lookup tests...
2007/11/21 15:39:16| DNS Socket created at 0.0.0.0, port 32815, FD 5
2007/11/21 15:39:16| Adding nameserver 192.168.0.213 from /etc/resolv.conf
2007/11/21 15:39:16| Unlinkd pipe opened on FD 10
2007/11/21 15:39:16| Swap maxSize 102400 KB, estimated 7876 objects
2007/11/21 15:39:16| Target number of buckets: 393
2007/11/21 15:39:16| Using 8192 Store buckets
2007/11/21 15:39:16| Max Mem size: 8192 KB
2007/11/21 15:39:16| Max Swap size: 102400 KB
2007/11/21 15:39:16| Rebuilding storage in /usr/local/squid/var/cache (DIRTY)
2007/11/21 15:39:16| Using Least Load store dir selection
2007/11/21 15:39:16| Set Current Directory to /usr/local/squid/var/cache
2007/11/21 15:39:16| Loaded Icons.
2007/11/21 15:39:16| Accepting proxy HTTP connections at 192.168.0.213, port 3128, FD 12

bash-2.05# /usr/local/squid/sbin/squid    -- start the service with this command

2007/11/21 16:21:49| Squid is already running! Process ID 363

bash-2.05# netstat -avn | grep 3128    -- indicates that squid is listening normally.

192.168.0.213.3128

(3) Edit the script that starts the squid service automatically.

bash-2.05# vi /etc/rc3.d/S50squid

#!/sbin/sh
#
#
# ident "@(#)squid"
case "$1" in
start)
        # start only if a configuration file exists
        [ -f /usr/local/squid/etc/squid.conf ] || exit 0
        /usr/local/squid/sbin/squid
        ;;
stop)
        pkill squid
        ;;
*)
        echo "Usage: $0 { start | stop }"
        exit 1
        ;;
esac
exit 0

bash-2.05# ls -l /etc/rc3.d/S50squid    -- this file is set to mode 744, group sys, owner root:

-rwxr--r-- 1 root sys 301 Nov 21 10:59 /etc/rc3.d/S50squid

bash-2.05# chgrp sys /etc/rc3.d/S50squid

bash-2.05# chown root /etc/rc3.d/S50squid

bash-2.05# chmod 744 /etc/rc3.d/S50squid

3. Test:

Set up:

Windows client: browser - Tools - Internet Options - Connections - LAN settings - Proxy server; enter IP 192.168.0.213 and port 3128, click OK and exit, then enter the address you want to visit in the IE address bar.

Linux or Unix user: bash-2.05# route add default gateway 192.168.0.213

Or bash-2.05# vi /etc/defaultrouter and add the proxy server address: 192.168.0.213

If you find access through Squid slow, you can set cache_mem at line 1601, changing the default 8 MB to 32 MB or more, depending on the condition of the machine. I use the default here. (Note: default items in the original configuration file are prefixed with #. After changing one, remember to remove the comment mark; if you make no change, do not remove it!)

bash-2.05# pwd

/usr/local/squid

bash-2.05# tail -30 var/logs/access.log    -- view the access log file, which keeps a record of user access.

1195638014.409 66 192.168.0.131 TCP_MISS/304 249 http://bbs.chinaunix.net/icon/- DIRECT/60.28.166.83-

1195638014.411 64 192.168.0.131 TCP_MISS http://bbs.chinaunix.net/icon/DIRECT/60.28.166.83-

1195638014.418 69 192.168.0.131 TCP_MISS/ http://bbs.chinaunix.net/icon/book- DIRECT/60.28.166.83-

1195638014.430 77 192.168.0.131 TCP_MISS/304 249 http://bbs.chinaunix.net/icon/-DIRECT/60.28.166.83-

1195638014.449 170 192.168.0.131 TCP_MISS/ http://www.chinaunix.net/top100_-DIRECT/60.28.166.84-

1195638014.467 163 192.168.0.131 TCP_MISS/ http://www.chinaunix.net/job_banner160-DIRECT/60.28.166.84-

1195638014.478 170 192.168.0.131 TCP_MISS http://www.chinaunix.net/download- DIRECT/60.28.166.84

4. End.

The squid configuration file has about 4500 lines and many advanced configuration options; it is very powerful, with features such as ACL access control lists and cache_mem. It can also be configured as a firewall, to monitor user access, to monitor your corporate network, and so on.

Here is the configuration file with the comments filtered out (only the active settings, not the commented-out defaults):

bash-2.05# cat etc/squid.conf | grep -v "#" | grep ""

acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl our_networks src 192.168.0.0/24 192.168.1.0/24 192.168.2.0/24
http_access allow our_networks
http_access deny all
icp_access allow all
http_port 192.168.0.213:3128
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
access_log /usr/local/squid/var/logs/access.log squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
cache_effective_user squid
cache_effective_group squid
visible_hostname 192.168.0.213
coredump_dir /usr/local/squid/var/cache
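
The rule ordering stressed earlier (the allow lines must come before http_access deny all) can be checked offline. The Python sketch below is an added example, not part of the original article or of Squid: it models only the src, port, method and proto ACL types and first-match http_access evaluation over the listing above. The listing references Safe_ports without defining it (grep -v "#" drops every line that carries a trailing comment), so the example reports that and supplies a constructed definition with an assumed port list.

```python
import ipaddress
# The access-control lines from the article's filtered listing.
PAGE_LISTING = """\
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl our_networks src 192.168.0.0/24 192.168.1.0/24 192.168.2.0/24
http_access allow our_networks
http_access deny all
"""
# Constructed definition (assumed port list) standing in for the missing Safe_ports lines.
FULL_CONF = "acl Safe_ports port 80 443 1025-65535   # assumed\n" + PAGE_LISTING

def parse(conf):
    """Return (acls, rules). Comments are stripped; lines are not dropped whole."""
    acls, rules = {}, []
    for line in conf.splitlines():
        words = line.split("#", 1)[0].split()
        if len(words) >= 4 and words[0] == "acl":
            acls.setdefault(words[1], (words[2], []))[1].extend(words[3:])
        elif len(words) >= 3 and words[0] == "http_access":
            rules.append((words[1], words[2:]))
    return acls, rules

def undefined_acls(conf):
    """ACL names used by http_access lines that have no acl definition."""
    acls, rules = parse(conf)
    return sorted({n.lstrip("!") for _, names in rules for n in names} - set(acls))

def acl_matches(acls, name, req):
    kind, values = acls[name]
    if kind == "src":
        ip = ipaddress.ip_address(req["src"])
        return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    if kind == "port":  # a value is a single port or a lo-hi range
        spans = [tuple(map(int, (v.split("-") * 2)[:2])) for v in values]
        return any(lo <= req["port"] <= hi for lo, hi in spans)
    if kind in ("method", "proto"):
        return req[kind] in values
    raise ValueError("ACL type not modelled: " + kind)

def decide(conf, req):
    """First matching line wins (ACLs on a line are ANDed); else opposite of the last line."""
    acls, rules = parse(conf)
    for action, names in rules:
        if all(acl_matches(acls, n.lstrip("!"), req) != n.startswith("!") for n in names):
            return action
    return "deny" if not rules or rules[-1][0] == "allow" else "allow"
```

Swapping the last two http_access lines makes decide() return deny for every client in our_networks, which is the misordering the article warns about.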

5. Lessons learned.

This configuration was completed with reference to the configuration under RHEL4. You need to solve problems step by step according to the error messages shown at run time.

Note that cache_effective_user and cache_effective_group must be specified correctly; here both are squid.

There is also the cache_mem value, which defaults to 8 MB. To speed up access, set it as large as possible, 128 MB or 256 MB; generally it is half the memory of your machine.
