2025-02-24 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/02 Report--
Squid proxy server
The Squid proxy server works at the application layer and mainly provides cache acceleration, application-layer filtering control and other functions.
How the Squid proxy works:
When a client requests a web page through a proxy, the designated proxy server first checks its own cache. If the data is in the cache, it is returned directly to the client. If not, the proxy server sends the request to the internet, and when the web page is returned, it is cached and then passed back to the client.
Basic types of Squid proxy:
Traditional proxy: the common proxy mode; the client must manually specify the proxy address and working port.
Transparent proxy: the client does not need to specify the proxy address and working port; instead, the default route and a firewall policy redirect web access to the proxy server for processing.
Set up a squid proxy server:
Compile and install Squid:
# tar xzvf squid-3.4.6.tar.gz
# cd squid-3.4.6
# ./configure --prefix=/usr/local/squid --sysconfdir=/usr/local/squid/etc --enable-arp-acl --enable-linux-netfilter --enable-linux-tproxy --enable-async-io=100 --enable-err-language="Simplify_Chinese" --enable-underscore --enable-poll --enable-gnuregex
Note:
--prefix: specify the installation path
--sysconfdir: specify the configuration file path
--enable-arp-acl: allows rules to match directly on the client MAC address, which prevents clients from cheating by changing their IP address
--enable-linux-netfilter: use the kernel filtering provided by iptables
--enable-linux-tproxy: supports transparent mode
--enable-async-io: asynchronous I/O to improve storage performance and specify cache space size
--enable-err-language: the language in which error messages are displayed
--enable-underscore: allow underscores in URLs
--enable-poll: use poll mode to improve performance
--enable-gnuregex: use GNU regular expressions
# make && make install
Create command links so the commands are easy to call:
# ln -s /usr/local/squid/sbin/* /usr/local/sbin/
Create the user and group and grant permissions on the installation directory:
# useradd -M -s /sbin/nologin squid
# chown -R squid:squid /usr/local/squid/var
# vim /usr/local/squid/etc/squid.conf
visible_hostname ren
coredump_dir /usr/local/squid/var/cache/squid
cache_dir ufs /usr/local/squid/var/cache/squid 100 16 256
cache_effective_user squid
cache_effective_group squid
cache_mem 512 MB
http_port 3128 transparent
Note:
visible_hostname: give a hostname
coredump_dir: indicates the location of the cached file
cache_dir ufs: specify the size of the cache file
cache_effective_user: specifies the user that runs the squid program
cache_effective_group: specifies the group that runs the squid program
cache_mem: the amount of physical memory available to the cache
http_port 3128 transparent: listen on port 3128 in transparent proxy mode. http_port takes a listening address and port rather than a network range, so clients in 1.1.1.0/24 are selected by the iptables redirect rules in the transparent proxy section.
Initialize the Squid proxy:
# squid -k parse
# squid -z
Start the Squid proxy:
# squid
Proxy implementation:
Traditional proxy: enter the proxy's address and port in the client's browser.
Transparent proxy: modify the configuration file to support transparent proxying, then use the iptables firewall to redirect traffic to the proxy server. Action: REDIRECT
Example: # iptables -t nat -A PREROUTING -i eth2 -s 1.1.1.0/24 -p tcp --dport 80 -j REDIRECT --to-ports 3128
# iptables -t nat -A PREROUTING -i eth2 -s 1.1.1.0/24 -p tcp --dport 443 -j REDIRECT --to-ports 3128
# unset HTTP_PROXY HTTPS_PROXY
ACL access control
We can define our own access control lists in Squid. Format: acl <list name> <list type> <list content>.
Commonly used types in access control lists
| List type | List content | Meaning |
|---|---|---|
| src | 192.168.1.1, 192.168.1.0/24, 192.168.1.1-192.168.1.10 | Filter based on source IP address, network segment, IP address range |
| dst | 1.1.1.1, 1.1.1.0/24, www.a.com | Filter based on destination IP address, network segment, and hostname |
| port | 80 443 8080 21 20 | Filter based on target port |
| dstdomain | .qq.com | Filter based on target domain |
| time | MTWHF 8:30-17:30 | Filter based on day of the week and time: M for Monday, T for Tuesday, W for Wednesday, H for Thursday, F for Friday |
| maxconn | 20 | Number of concurrent connections per client |
| url_regex | url_regex -i ^ a bank / | The URL address of the target resource. -i means case is ignored. |
| urlpath_regex | urlpath_regex -i \.mp3$ | The entire URL path of the target resource. -i means case is ignored. |
Example: # vim /etc/squid.conf
acl xiao url_regex -i ^http://
http_access deny MYLAN xiao
This denies clients matched by the MYLAN ACL access to any URL that begins with http://.
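How Squid combines acl and http_access lines like the ones above, as an added Python example that is not from the original article: ACL names on one http_access line are ANDed, the first matching line decides, and when no line matches the default is the opposite of the last line. The sample configuration and the 1.1.1.0/24 definition of MYLAN are constructed assumptions; the page's example uses MYLAN without showing its definition, which this sketch reports as an error. Only src, dstdomain, url_regex and urlpath_regex are handled.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample configuration (not from the page); MYLAN's network is an assumption.
SAMPLE_CONF = r"""
acl MYLAN src 1.1.1.0/24
acl media urlpath_regex -i \.mp3$
acl qq dstdomain .qq.com
http_access deny MYLAN media
http_access deny qq
http_access allow MYLAN
http_access deny all
"""

def parse(conf):
    acls, rules = {"all": ("src", ["0.0.0.0/0"])}, []   # "all" is built in
    for line in conf.splitlines():
        tok = line.split()
        if tok[:1] == ["acl"]:            # acl <name> <type> <content...>
            acls.setdefault(tok[1], (tok[2], []))[1].extend(tok[3:])
        elif tok[:1] == ["http_access"]:  # http_access <allow|deny> <acl names...>
            rules.append((tok[1], tok[2:]))
    return acls, rules

def acl_matches(kind, values, src, url):
    u = urlsplit(url)
    if kind == "src":
        ip = ipaddress.ip_address(src)
        return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    if kind == "dstdomain":   # ".qq.com" covers qq.com and every subdomain
        host = (u.hostname or "").lower()
        return any(host == v.lstrip(".") or (v[0] == "." and host.endswith(v)) for v in values)
    if kind in ("url_regex", "urlpath_regex"):   # this sketch tests the path without the query
        text = url if kind == "url_regex" else u.path
        flags = re.I if "-i" in values else 0
        return any(re.search(p, text, flags) for p in values if p != "-i")
    raise ValueError(f"unsupported acl type: {kind}")

def decide(conf, src, url):
    acls, rules = parse(conf)
    missing = [n for _, names in rules for n in names if n.lstrip("!") not in acls]
    if missing:   # a rule names an ACL that was never defined
        raise KeyError(f"undefined acl: {missing[0]}")
    for action, names in rules:   # ACLs on one line are ANDed; first matching line wins
        if all(acl_matches(*acls[n.lstrip("!")], src, url) != n.startswith("!") for n in names):
            return action
    # No line matched: the default is the opposite of the last line (deny if there are none).
    return "allow" if rules and rules[-1][0] == "deny" else "deny"
```

With only a single deny line in place, a client outside MYLAN falls through to the inverted default and is allowed, so the rule list should end with an explicit http_access deny all.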