
Deploy squid cache server and proxy function on CentOS7

2025-01-17 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/02 Report--

Overview of caching proxies:

As an application-layer proxy service, squid mainly provides two functions: cache acceleration and application-layer filtering control.

Basic proxy types:

Traditional proxy: an ordinary proxy service. The address and port of the proxy server must first be set manually in the client's browser, chat tool, download software and so on; only then can the proxy service be used to access the network. For web browsers, the domain name resolution requests made when visiting a site are also sent to the specified proxy server.

Transparent proxy: provides the same functions and services as a traditional proxy, the difference being that the client does not need to specify the address and port of the proxy server. Web access is instead redirected through default routing and firewall policy and is still handled by the proxy server. The redirection is "transparent" to the client; the user does not even know that a proxy service is in use, hence the name "transparent proxy".

Lab environment table:

Installation and operation control

1. Compile and install Squid

When configuring the compilation options for Squid, set the installation directory to /usr/local/squid; the other options are chosen according to your actual needs. You can refer to the output of ./configure --help before configuring.

tar zxvf squid-3.4.6.tar.gz -C /opt/
cd /opt/squid-3.4.6
./configure --prefix=/usr/local/squid \
  --sysconfdir=/etc \
  --enable-arp-acl \
  --enable-linux-netfilter \
  --enable-linux-tproxy \
  --enable-async-io=100 \
  --enable-err-language="Simplify_Chinese" \
  --enable-underscore \
  --enable-poll \
  --enable-gnuregex
make && make install

Meaning of the options (a comment cannot follow a trailing backslash on the same line, so they are listed separately):
--prefix=/usr/local/squid: installation directory
--sysconfdir=/etc: place the configuration file in a separate directory
--enable-arp-acl: control access directly by client MAC address, preventing clients from using IP spoofing
--enable-linux-netfilter: use kernel filtering
--enable-linux-tproxy: support transparent mode
--enable-async-io=100: asynchronous I/O to improve storage performance
--enable-err-language="Simplify_Chinese": language of error message pages
--enable-underscore: allow underscores in URLs
--enable-poll: use poll() mode to improve performance
--enable-gnuregex: use GNU regular expressions

After the installation is complete, create linked files, users, and groups.

ln -s /usr/local/squid/sbin/* /usr/local/sbin/
useradd -M -s /sbin/nologin squid
chown -R squid.squid /usr/local/squid/var/

2. squid configuration file

The configuration file of the squid service is located at /etc/squid.conf. A full understanding of the role of each configuration line helps administrators configure the proxy service flexibly according to the actual situation.

vim /etc/squid.conf
http_port 3128                 # address and port the proxy service listens on (default port 3128)
cache_effective_user squid     # program user the service runs as
cache_effective_group squid    # basic group of that user

3. squid operation control

(1) Check whether the syntax of the configuration file is correct

squid -k parse

(2) Start and stop squid

The cache directory is initialized automatically the first time the squid service is started. If no squid service script is available, you can also call the squid program directly to start the service; in that case the cache directory must be initialized first.

squid -z    # initialize the cache directory
squid       # start the service

(3) Use a squid service script

To make it easier to start, stop and reload the squid service, you can write a squid service script and manage it with the chkconfig and service tools.

cd /etc/init.d/
vim squid

#!/bin/bash
# chkconfig: 2345 90 25
PID="/usr/local/squid/var/run/squid.pid"
CONF="/etc/squid.conf"
CMD="/usr/local/squid/sbin/squid"

case "$1" in
start)
    # already listening? then do not start a second instance
    netstat -natp | grep squid &> /dev/null
    if [ $? -eq 0 ]
    then
        echo "squid is running"
    else
        echo "starting squid..."
        $CMD
    fi
    ;;
stop)
    $CMD -k kill &> /dev/null
    rm -rf $PID &> /dev/null
    ;;
status)
    [ -f $PID ] &> /dev/null
    if [ $? -eq 0 ]
    then
        netstat -natp | grep squid
    else
        echo "squid is not running"
    fi
    ;;
restart)
    $0 stop &> /dev/null
    echo "shutting down squid..."
    $0 start &> /dev/null
    echo "starting squid..."
    ;;
reload)
    $CMD -k reconfigure
    ;;
check)
    $CMD -k parse
    ;;
*)
    echo "usage: $0 {start|stop|status|reload|check|restart}"
    ;;
esac

chmod +x squid
chkconfig --add squid            # add squid as a system service
chkconfig --level 35 squid on

Traditional proxy

1. squid server configuration

When configuring squid as a traditional proxy service, take care to add an http_access allow all access policy so that any client is allowed to use the proxy service.

1) Modify the squid.conf configuration file

[root@localhost init.d]# vim /etc/squid.conf
http_access allow all
http_access deny all
http_port 3128
cache_mem 64 MB
reply_body_max_size 10 MB
maximum_object_size 4096 KB

Meaning of the options:
cache_mem: memory space used by the cache function to hold frequently accessed Web objects. The value is preferably a multiple of 4, in MB; 1/4 of physical memory is recommended.
reply_body_max_size: maximum file size that users are allowed to download, in bytes. The default of 0 means no limit.
maximum_object_size: maximum object size allowed to be saved in the cache space, in KB. Files exceeding the limit are not cached but are forwarded directly to the user.

2) Add an allow rule on the firewall (the port must match the http_port set above, 3128):

[root@localhost init.d]# iptables -F
[root@localhost init.d]# setenforce 0
[root@localhost init.d]# iptables -I INPUT -p tcp --dport 3128 -j ACCEPT
[root@localhost init.d]# service squid reload    # reload the configuration
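With http_access allow all listed first, squid stops at the first matching rule and therefore answers every client that can reach port 3128, not only the lab clients. The following shell helpers are an added example (not part of the original article): one prints an http_access policy limited to the client LAN of this lab (192.168.126.0/24), the other checks a squid.conf for the open-proxy pattern; the acl name localnet is an assumption.

```shell
#!/bin/sh
# Added example, not from the original article. Assumes the lab addressing
# used above: 192.168.126.0/24 is the client LAN that should use the proxy.

# Print a squid.conf access policy that admits only the given source range.
# Usage: restricted_policy <cidr>
restricted_policy() {
cat <<EOF
http_port 3128
acl localnet src $1
http_access allow localnet
http_access deny all
EOF
}

# Return 0 (open proxy) when "http_access allow all" is the first catch-all
# rule in the file. squid evaluates http_access lines top to bottom and stops
# at the first match, so "allow all" placed before "deny all" admits everyone.
# Usage: is_open_proxy <path-to-squid.conf>
is_open_proxy() {
    awk '
        $1 == "http_access" && $2 == "allow" && $3 == "all" { open = 1; exit }
        $1 == "http_access" && $2 == "deny"  && $3 == "all" { exit }
        END { if (open) exit 0; exit 1 }
    ' "$1"
}

# Example run: report on the live configuration file used in this article.
if [ -f /etc/squid.conf ]; then
    if is_open_proxy /etc/squid.conf; then
        echo "/etc/squid.conf allows any client: replace 'allow all' with:"
        restricted_policy 192.168.126.0/24
    else
        echo "/etc/squid.conf does not contain an 'allow all' catch-all"
    fi
fi
```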

2. Client proxy configuration

Open the browser on the Windows system.

Internet Options > Connections > LAN settings: set the proxy IP to the squid server address and the port to 3128.

Enter the web server address in the address bar.

3. Verify the proxy server

Visit the target Web server website http://192.168.126.178/ in the client through a browser, and then observe the access logs of the squid proxy server and the Web server to verify that the proxy service is working.

1) View the new records in the squid access log

On the squid proxy server, by following the access log of the squid service you should be able to find the record of client 192.168.126.177 accessing the Web server 192.168.126.178.

[root@localhost init.d]# tail /usr/local/squid/var/logs/access.log
1532758490.972      5 192.168.126.177 TCP_MISS/404 512 GET http://192.168.126.178/noindex/css/fonts/Light/OpenSans-Light.eot? - HIER_DIRECT/192.168.126.178 text/html
1532758490.974      5 192.168.126.177 TCP_MISS/404 524 GET http://192.168.126.178/noindex/css/fonts/LightItalic/OpenSans-LightItalic.eot? - HIER_DIRECT/192.168.126.178 text/html

2) View the new records in the Web access log

On the Web server being accessed, by following the access log of the httpd server you should be able to find an access record from the proxy server 192.168.126.138. This shows that when the client uses a proxy, the Web server does not learn the client's real address; the request is actually made by the proxy server on the client's behalf.

[root@localhost ~]# cd /etc/httpd/logs/
[root@localhost logs]# ls
access_log  error_log
[root@localhost logs]# cat access_log
192.168.126.138 - - [28/Jul/2018:14:14:50 +0800] "GET / HTTP/1.1" 403 4897 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET 4.0C; .NET 4.0E)"

Transparent proxy

1. Configure Squid to support transparent proxy

1) Add two network cards to the squid proxy server: the internal address 192.168.100.1 and the external address 12.0.0.1. Change the Web server address to the public address 12.0.0.12 and the client address to the intranet address 192.168.100.100.

[root@localhost network-scripts]# ifconfig
ens33: flags=4163  mtu 1500                    # private network address
        inet 192.168.100.1  netmask 255.255.255.0  broadcast 192.168.100.255
ens36: flags=4163  mtu 1500                    # public network address
        inet 12.0.0.1  netmask 255.255.255.0  broadcast 12.0.0.255

2) Modify the squid configuration file and add the transparent option to the http_port line so that transparent proxying is supported.

[root@localhost network-scripts]# vim /etc/squid.conf
http_port 192.168.100.1:3128 transparent    # provide the service on only one of the IP addresses
[root@localhost network-scripts]# service squid reload

2. Set the iptables redirection policy

The firewall redirects requests to ports 80 and 443 to port 3128 (the INPUT rule must also open 3128, the port squid listens on).

[root@localhost network-scripts]# iptables -F
[root@localhost network-scripts]# iptables -F -t nat    # clear the firewall rules
[root@localhost network-scripts]# iptables -t nat -I PREROUTING -i ens33 -s 192.168.100.0/24 -p tcp --dport 80 -j REDIRECT --to 3128
[root@localhost network-scripts]# iptables -t nat -I PREROUTING -i ens33 -s 192.168.100.0/24 -p tcp --dport 443 -j REDIRECT --to 3128
[root@localhost network-scripts]# iptables -I INPUT -p tcp --dport 3128 -j ACCEPT

3. Verify the transparent proxy

Visit the target website http://12.0.0.12/ from the client 192.168.100.100 through a browser, then observe the access logs of the squid proxy server and the Web server to verify that the transparent proxy works.

Access log of the squid proxy server:

[root@localhost network-scripts]# tail /usr/local/squid/var/logs/access.log
1532761302.140      3 192.168.100.100 TCP_MISS/404 512 GET http://12.0.0.12/noindex/css/fonts/Light/OpenSans-Light.eot? - ORIGINAL_DST/12.0.0.12 text/html
1532761302.143      2 192.168.100.100 TCP_MISS/404 524 GET http://12.0.0.12/noindex/css/fonts/LightItalic/OpenSans-LightItalic.eot? - ORIGINAL_DST/12.0.0.12 text/html
1532761302.146      2 192.168.100.100 TCP_MISS/404 516 GET http://12.0.0.12/noindex/css/fonts/Regular/OpenSans-Regular.eot? - ORIGINAL_DST/12.0.0.12 text/html

Web server access log:

[root@localhost ~]# cd /var/log/httpd/
[root@localhost httpd]# vim access_log
12.0.0.1 - - [28/Jul/2018:15:06:43 +0800] "GET /noindex/css/fonts/ExtraBold/OpenSans-ExtraBold.eot? HTTP/1.1" 404 248 "http://12.0.0.12/" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET 4.0C; .NET 4.0E)"
12.0.0.1 - - [28/Jul/2018:15:06:43 +0800] "GET /noindex/css/fonts/ExtraBoldItalic/OpenSans-ExtraBoldItalic.eot? HTTP/1.1" 404 260 "http://12.0.0.12/" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET 4.0C; .NET 4.0E)"

The proxy works.
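The two verifications above rely on reading squid's native access.log by eye. As an added example (not from the original article), the shell functions below summarise that format: field 3 is the client, field 4 the result/status, and field 9 the hierarchy tag, which is HIER_DIRECT for the traditional proxy and ORIGINAL_DST for the transparent redirect. The sample log lines are constructed to match this lab's addresses, plus one client outside the LAN to show what an unexpected user of the proxy looks like.

```shell
#!/bin/sh
# Added example, not from the original article. Constructed sample of squid's
# native access.log format (fields: time elapsed client result/status bytes
# method URL ident hierarchy/peer type), using this article's lab addresses.
SAMPLE_LOG='1532758490.972 5 192.168.126.177 TCP_MISS/404 512 GET http://192.168.126.178/a.eot? - HIER_DIRECT/192.168.126.178 text/html
1532758491.100 1 192.168.126.177 TCP_HIT/200 2048 GET http://192.168.126.178/ - NONE/- text/html
1532761302.140 3 192.168.100.100 TCP_MISS/404 512 GET http://12.0.0.12/b.eot? - ORIGINAL_DST/12.0.0.12 text/html
1532761302.200 2 10.9.9.9 TCP_MISS/200 700 GET http://example.test/ - HIER_DIRECT/203.0.113.5 text/html'

# Requests per client and proxy mode. HIER_DIRECT means the client pointed its
# browser at the proxy (traditional); ORIGINAL_DST means iptables redirected
# it (transparent); NONE means the object was served from cache.
# Output lines: "<client> <mode> <count>". Usage: requests_by_client < access.log
requests_by_client() {
    awk '{ split($9, h, "/"); n[$3 " " h[1]]++ }
         END { for (k in n) print k, n[k] }' | sort
}

# Cache hit ratio in percent over all requests (TCP_HIT and TCP_MEM_HIT count
# as hits). Usage: hit_ratio < access.log
hit_ratio() {
    awk '{ t++; if ($4 ~ /^TCP_(MEM_)?HIT/) hit++ }
         END { printf "%d\n", (t ? 100 * hit / t : 0) }'
}

# Clients whose address does not start with the expected LAN prefix; with the
# "allow all" policy from this article such entries mean outsiders are using
# the proxy. Usage: foreign_clients <prefix, e.g. 192.168.126.> < access.log
foreign_clients() {
    awk -v p="$1" 'index($3, p) != 1 { c[$3]++ } END { for (k in c) print k }' | sort
}

# Example run over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | requests_by_client
printf 'cache hit ratio: %s%%\n' "$(printf '%s\n' "$SAMPLE_LOG" | hit_ratio)"
printf '%s\n' "$SAMPLE_LOG" | foreign_clients 192.168.126.
```

To run the same summary against the real proxy, replace the sample with `tail -n 1000 /usr/local/squid/var/logs/access.log | requests_by_client`.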
