Shulou(Shulou.com)06/02 Report--

1. Working principle and function:

Squid is the most popular high-performance proxy service software in Linux system, which is usually used as the pre-caching service of Web website, which can replace users to request page data from the website server and cache it.

To put it simply, the Squid service program will request the required data such as pages, pictures and so on from the source server of the website according to the received user request, and store the data returned by the server on the server running the Squid service program.

When a user requests the same data again, the local data of the storage server can be delivered directly to the user, which not only reduces the waiting time of the user, but also alleviates the load pressure of the website server.

Squid service program has the characteristics of simple configuration, high efficiency and rich functions. It can support data caching of HTTP, FTP, SSL and other protocols.

Content filtering and rights management functions can be performed based on access control lists (ACL) and access rights lists (ARL), and users can be prohibited from accessing threatened or inappropriate website resources based on a variety of conditions

Therefore, it can protect the security of the intranet, enhance the network experience of users, and help save network bandwidth.

Cache proxy service not only consumes more CPU computing performance, memory, hard disk and other hardware resources of the server, but also needs larger network bandwidth to ensure the efficiency of data transmission, which will cause greater network bandwidth overhead.

Therefore, many domestic IDC or CDN service providers will place cache proxy node servers in second-and third-tier cities to reduce operating costs.

Working mode:

When Squid service program provides caching proxy service for users, it can be divided into forward proxy mode and reverse proxy mode.

Forward proxy mode means that users obtain website pages and other resources through Squid service programs, and restrict users' access to the website based on the function of access control list (ACL), which is divided into standard proxy mode and transparent proxy mode.

The standard forward proxy mode is to cache the website data locally to improve the efficiency when the data resources are accessed again, but users must fill in the IP address and port number of the proxy server in the browser and other software when surfing the Internet, otherwise the proxy server will not be used by default.

The function of transparent forward proxy mode is basically the same as that of standard forward proxy mode, except that users do not need to manually proxy the IP address and port number of the service, so this kind of proxy service is relatively transparent to users.

Reverse proxy mode refers to allowing multiple node hosts to reverse cache website data, so as to speed up user access. Because generally speaking, websites generally load a large number of static resources such as text, pictures, etc.

And they are relatively stable data information, when users initiate requests for access to these static resources in the website page, we can use the reverse proxy pattern provided by the Squid service program to respond.

Moreover, if the static resources to be accessed by the user happen to be available in the reverse proxy server, the cached static resources are sent directly to the user, which can not only speed up the user's website visit speed, but also reduce the load pressure on the website server to a certain extent.

To sum up, the forward agent mode is generally used in the enterprise local area network, which allows enterprise users to access Internet resources through Squid services, which can not only reduce the cost of public network bandwidth to a certain extent, but also regulate the content of the website visited by users. once the content of the website visited by the intranet users matches the prohibition rules, the website will be automatically blocked.

The reverse proxy mode generally provides caching services for large and medium-sized websites. it stores the static resources in the website in multiple node computer rooms in China, and when a user initiates a request to access the static resources, it can allocate nodes to users nearby and transmit resources, so it has been widely used in large and medium-sized websites.

2, configure the Squid service program

2-1, prepare two virtual machines, one as a Squid server and the other as a Squid client (both windows and linux are available). The network of the two virtual machines must be set to host-only mode (Hostonly), then shut down the Squid server, add a new network card and set it to bridge mode to access the external network.

If there is no physical network, use NAT mode, share the WiFi on the host, open the properties in the local WLAN, there is a share next to the connection, check Internet connection sharing, click the home network connection, select which virtual network card you want to access the Internet through, and click on it.

We need to deploy the Squid service program on this virtual machine, and then let another virtual machine that can only access the intranet (that is, the Squid client) surf the Internet through the Squid server, so that the Squid client can also access the external website.

2-2. After the network mode is configured, check whether the external network can be accessed.

Ping www.baidu.com ping the IP address of Baidu. If there is a feedback packet, the network is unblocked.

2-3 Maginyum-y install squid install Squid service package

Complete appears! The words were installed successfully.

Systemctl restart squid restart service

Systemctl enable squid is set to boot

The configuration files of the 2-4 etc Squid service program are also placed in a directory named after the service name in the / Squid directory.

Commonly used configuration parameters and functions of Squid service programs

Port number on which http_port 3128 is listening

The size of the cache_mem 64MB memory buffer

Cache_dir ufs / var/spool/squid 2000 16256 hard disk buffer size

Cache_effective_user squid sets a valid user for the cache

Cache_effective_group squid sets valid user groups for the cache

Dns_nameservers [IP address] is generally not set, but uses the default DNS address of the server.

Save path of cache_access_log / var/log/squid/access.log access log file

Save path of cache_log / var/log/squid/cache.log cache log file

Visible_hostname RHEL7 sets the name of the Squid server

3, forward agent

3-1, standard forward agent

After the Squid service package is installed and started correctly, the standard forward agent mode service can be provided to the user by default, without the need to modify the configuration file or do other operations separately.

Open any browser on Windows10, find the tool, click "Internet options", find the "connection" tab, click "LAN Settings", check the auto-reduction configuration, and fill in the IP address and port number from the proxy service.

Click OK when the settings are complete, reopen the new web page, and successfully visit www.baidu.com.

If the access fails, check the syslinux security subsystem to see if there is a listening port number.

Semanage port-l | grep squid_port_t to view the port number of the squid program

3-2 ACL access control

The ACL of the Squid service program is composed of multiple policy rules, which can allow or restrict access requests according to the specified policy rules, and the matching order of the policy rules is the same as that of the firewall policy rules; once the match is formed, the corresponding operation is performed immediately and the matching process is completed.

In order to prevent all traffic from being banned or released by ACL, which can not achieve the desired access control effect, operators usually write deny all or allow all statements at the bottom of the ACL to avoid security risks.

In experiment 1, only the client of 192.168.13.129 is allowed to use the proxy service provided by the Squid proxy service on the server, and all other host proxy requests are prohibited.

Let's modify its main configuration file

Vim / etc/squid/squid.conf

Acl client src 192.168.13.129 add content on a new line around 25 lines

Http_access allow client only allows client access

Http_access deny all forbids all

Modify the IP of the client to 192.168.13.130 (as long as it is not 129, we need to give an error prompt, that is, the experiment is successful). You can see that the web page access failure is a success.

Lab 2: prohibit all clients from accessing websites with the linux keyword in their URLs

Vim / etc/squid/squid.conf

Acl deny_keyword url_regex-I linux adds content in about 30 lines

Http_access deny deny_keyword denied access contains keywords

Access to www.linuxprobe.com is similar to a website with linux, with keywords denied.

Lab 3, prohibit all clients from accessing a specific website

Acl deny_url url_regex http://www.linuxcool.com adds content at about 33 lines

Http_access deny deny_url rejects the website

Visit http://www.linuxcool.com to see if content can appear, and report an error as a success.

In experiment 4, employees are prohibited from downloading files with specific suffixes on the corporate network.

Acl badfile urlpath_regex-I .rar $.avi $add content on line 35

Http_access deny badfile denies access

Find a random address to download a file with a rar suffix to see if it can be downloaded.

4, transparent forward agent

In transparent proxy mode, users do not need to configure proxy server address and port number in the browser or other software, but the DHCP server assigns the network configuration information to the client host, so that the user will automatically use the proxy service as soon as the user opens the browser.

The word "transparent" refers to allowing users to use the proxy service without being aware of it. The advantage is that on the one hand, there is no need for the user to configure the information of the proxy server manually, thus lowering the threshold for the use of the proxy service; on the other hand, it can also more secretly monitor the online behavior of employees.

Since users can use the proxy service without too much configuration of the system, the operators must configure the network configuration information and data forwarding function in advance.

With the previously configured network parameters, the data is forwarded using SNAT technology, and the client host is asked to deliver the data to the Squid proxy server, which then forwards it to the external network.

To put it simply, it is to let the Squid server act as a middleman to realize the data transmission between the intranet client host and the external network.

The current host is not configured with SNAT function and cannot access the external network.

In order to enable the client host in the internal network to access the external network, the client host must first be able to obtain the data of the DNS address resolution service, so as to find the IP address of the corresponding website in the Internet.

The following implements the data forwarding function of port 53 of the DNS address resolution service through the iptables command, and allows the Squid server to forward IPv4 packets.

The purpose of the sysctl-p command is to make the forwarding parameters take effect immediately:

Iptables-F clears the current firewall policy table

Iptables-t nat-A POSTROUTING-p udp-- dport 53-o eno33554952-j MASQUERADE

Vim / usr/lib/sysctl.d/00-system.conf modifies the port forwarding profile

Net.ipv4.ip_forward = 1 add content on another line

Sysctl-p makes the configuration file effective

Now go back to the client host and ping a public network address again. At this time, it can be found that although the website cannot be connected, the domain name resolution data of the public network DNS service can be obtained at this time.

Compared with configuring DNS and SNAT technology forwarding, the configuration process of Squid server transparent proxy mode is very simple, just add the word transparent (meaning "transparent") after the server port number in the main configuration file.

Then delete the pound sign (#) comment on line 62 and set the cache save path. After saving the master configuration file and exiting, use the squid-k parse command to check the master configuration file for errors

And initialize the transparent proxy technology of the Squid service program using the squid-z command

Vim / etc/squid/squid.conf

Httpport 3128 transparent

Cache dir ufs / var/spool/squid 100 16 256

Squid-k parse checks the main configuration file for errors

Squid-z initialization transparent proxy Technology

Now you can complete the SNAT data forwarding function. The principle is simple: use iptables firewall management commands to forward requests from all client hosts to port 80 of the website to port 3128 local to the Squid server.

The specific configuration parameters of SNAT data forwarding function are as follows.

Iptables-t nat-A PREROUTING-p tcp-m tcp-- dport 80-j REDIRECT-- to-ports 3218

Iptables-t nat-A POSTROUTING-s 192.168.10 to 24-o eno33554952-j SNAT-- to your bridge network card IP address

Service iptables save saves firewall policy

Using the client to refresh the browser, you can access the

5, reverse proxy

Website pages are composed of static resources and dynamic resources, in which static resources include website architecture CSS files, a large number of pictures, videos and other data, which are more stable than dynamic resources and generally do not change frequently.

However, with the upgrading of station technology, coupled with the continuous improvement of people's aesthetic ability, these static resources occupy more and more website space.

If we can extract these static resources from the pages of the website, and then deploy the cache nodes of static resources all over the country, it can not only improve the speed of users to visit the site, but also reduce the load of the site source server because of the existence of these cache nodes.

Reverse proxy is an important mode of Squid service program, its principle is to send part of the user requests originally initiated to the source server of the website to the cache node of the Squid server to deal with.

However, the disadvantages of this technology are also obvious. if someone with bad intentions reverse proxies their domain name and server to a well-known website, in theory, when a user accesses this domain name, they will also see the same content as that well-known website (this is how some fraudulent websites win the trust of users).

Therefore, the reverse proxy function is prohibited by default in many websites. Sites with CDN (content delivery Network) services can also avoid such theft.

If the protection function of the site is enabled, there will be a web page error (Internal Server Error).

Using the Squid service program to configure the reverse proxy service is very simple. First find the IP address of the source server of a website, then edit the main configuration file of the Squid service program, and change the port number 3128 to the address and port number of the source server of the site. At this time, the forward resolution service will be suspended (it cannot be used in conjunction with the reverse proxy service).

Then write the IP address information of the source server of the website that requires reverse proxy in the form of the following parameters, save and exit, and restart the Squid service program.

Vim/etc/squid/squid.conf

Http port your bridge network card IP address: 80 vhost

Cache _ peer your bridge network card IP address IP parent 800 originserver

Systemctl restart squid

Systemctl enable squid

Visit the web page successfully.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.