Traditional proxy + transparent proxy of Squid cache server

2025-01-16 Update. From: SLTechnology News&Howtos > Servers


Shulou (Shulou.com) 06/03 Report

Table of contents:

1 Overview of how the Squid proxy works

2 Basic types of proxy

3 Squid service script

4 Building the proxy server (traditional proxy, transparent proxy)

5 Summary

1 Overview of how the Squid proxy works

1) How the proxy works

1. What is Squid?

Squid is a high-performance proxy cache server that supports the HTTP, HTTPS, FTP and gopher protocols. Unlike ordinary proxy caching software, Squid uses a single, non-modular, I/O-driven process to handle all client requests.

2. How the cache works

Squid is proxy software working at the application layer; its main functions are cache acceleration and application-layer filtering and access control. The flow is as follows: when a client requests a web page through the proxy, the proxy server first checks whether it already holds the requested page and, if so, sends it straight to the client. If not, the proxy server sends the request on to the web server; when the page is obtained, it is saved in the cache and sent to the client.

The caching process of the proxy service is shown in a figure in the original article (not reproduced here).

2) Cache behaviour of an HTTP proxy:

The cache acceleration of an HTTP proxy is aimed mainly at static web elements such as text and images. Once the caching mechanism is in place, a client that accesses the same web element again gets it directly from the proxy server's cache. This removes a round trip to the web server and improves access speed for the client.

In addition, because the web request is actually completed by the proxy server, the web server only sees the proxy's address, which hides and protects the user's real IP to a certain extent. The proxy server is also in a position to filter and control the target of access, the client address, and the time period of access.

2 Basic types of proxy and where they are used:

1) Traditional proxy:

That is, an ordinary proxy service: the browser we use, the QQ chat client and so on must have the address and port of the proxy server set manually before they will use the proxy.

The browser's proxy-server setting dialog is shown in a figure in the original article (not reproduced here).

Each piece of software or browser keeps its proxy settings in a different place, but once you find the option it is the same everywhere: enter the address and port of the proxy server.

2) Where each type is used

Traditional proxy: mostly used in Internet-facing environments, by QQ, download tools and the like; it also reduces the number of concurrent connections that reach the origin server.

Transparent proxy: mostly used in LAN environments, for example by enabling the proxy on a Linux gateway, so that LAN hosts get faster access without any extra settings on the client.

Deploying a traditional proxy server

Notes before deployment:

1 Deployment environment: CentOS 7.4

2 Deployment method: compiled by hand from source, version Squid 3.4.6

3 Source package: the original article links to a Squid cache source package (link not reproduced here; extraction password 63xn)

The topology of the traditional proxy setup is shown in a figure in the original article (not reproduced here).

Start deployment:

1) Compile and install Squid. Squid is compiled manually here: download the source package, unpack it, install the build environment, then specify the installation path and the feature modules when configuring.

[root@localhost ~]# tar zxvf squid-3.4.6.tar.gz -C /opt/    (unpack into the /opt directory)

[root@localhost ~]# yum install gcc gcc-c++ make -y    (install the build environment)

[root@localhost ~]# cd /opt/squid-3.4.6/

[root@localhost squid-3.4.6]# ./configure --prefix=/usr/local/squid \
--sysconfdir=/etc \
--enable-arp-acl \
--enable-linux-netfilter \
--enable-linux-tproxy \
--enable-async-io=100 \
--enable-err-language="Simplify_Chinese" \
--enable-underscore \
--enable-poll \
--enable-gnuregex

2) What the configure options above mean:

1 --prefix=/usr/local/squid: the installation path

2 --sysconfdir=/etc: keep the configuration file separately under /etc

3 --enable-arp-acl: allows rules to match the client's MAC address directly, so a client cannot get around a rule by IP spoofing (MAC matching only works for clients on the same layer-2 segment as the proxy)

4 --enable-linux-netfilter: use the kernel's netfilter (needed for transparent interception with iptables)

5 --enable-linux-tproxy: transparent (TPROXY) mode support

6 --enable-async-io=100: asynchronous I/O, to improve cache storage performance

7 --enable-err-language="Simplify_Chinese": display language of the error pages

8 --enable-underscore: allow underscores in URLs

9 --enable-poll: use poll() to improve performance

10 --enable-gnuregex: use GNU regular expressions

[root@localhost squid-3.4.6]# make && make install    (build and install; this step takes a while, please be patient)

3) After installation we tidy up the layout so that Squid fits day-to-day operation.

[root@localhost squid-3.4.6]# ln -s /usr/local/squid/sbin/* /usr/local/sbin/    (symlink the binaries into the PATH so that "squid" can be run directly)

[root@localhost squid-3.4.6]# useradd -M -s /sbin/nologin squid    (create the unprivileged service user: no home directory, no login shell)

[root@localhost squid-3.4.6]# chown -R squid:squid /usr/local/squid/var/    (give the service user ownership of the cache and log directories)

4) Modify the main configuration file (the original article shows this with a screenshot and text):

[root@localhost squid-3.4.6]# vim /etc/squid.conf    (the main configuration file was placed under /etc by --sysconfdir at compile time)

Modify the following:

http_access allow all    (to be added; it means everyone is allowed to use the proxy, and is in effect an ACL access-control rule. Squid evaluates http_access lines top to bottom and stops at the first match, so this line must come before the default "http_access deny all" at the end of the file. It also makes the proxy usable by any host that can reach port 3128; outside a lab, restrict it to the client subnet with a src ACL and keep "http_access deny all" as the last rule)

cache_effective_user squid    (add: the system user the program runs as)

cache_effective_group squid    (add: the primary group of that user)

The original article shows the edited configuration file in a screenshot (not reproduced here).

Check the configuration file syntax for errors:

[root@localhost squid-3.4.6]# squid -k parse    (check syntax; an error here is almost always a configuration-file problem)
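Before moving on, it is worth checking what the "http_access allow all" line above actually exposes. The script below is an added example, not part of the original article or of Squid itself: it reads a squid.conf and reports the verdict a client that matches none of the named ACLs (an arbitrary host on the Internet) would receive, following Squid's first-match evaluation of http_access lines. The two configurations it writes are constructed for the demo; the "localnet" ACL name and the 192.168.100.0/24 range are assumptions taken from the article's LAN.

```shell
#!/bin/sh
# Added example (not from the original article). Squid evaluates http_access
# lines top to bottom and stops at the first match. A client from the Internet
# matches no named src ACL, so its verdict is the action of the first line
# whose ACL list is just "all"; if no such line exists, Squid applies the
# opposite of the last http_access line. Both configs below are constructed.

# write_open_conf FILE : the article's lab setting, "allow all"
write_open_conf() {
    cat > "$1" <<'EOF'
acl localnet src 192.168.100.0/24
acl Safe_ports port 80 443
http_access deny !Safe_ports
http_access allow all          # anyone who reaches port 3128 may relay through us
cache_effective_user squid
cache_effective_group squid
EOF
}

# write_restricted_conf FILE : same service, but only the LAN (and localhost) may use it
write_restricted_conf() {
    cat > "$1" <<'EOF'
acl localnet src 192.168.100.0/24
acl Safe_ports port 80 443
http_access deny !Safe_ports
http_access allow localnet
http_access allow localhost
http_access deny all           # must remain the last http_access line
cache_effective_user squid
cache_effective_group squid
EOF
}

# squid_default_policy FILE : prints "allow", "deny" or "none".
# "allow" means an unknown client is accepted, i.e. the proxy is open.
squid_default_policy() {
    awk '
        { sub(/#.*/, "") }                      # strip comments; awk re-splits the fields
        $1 == "http_access" {
            last = $2
            if (NF == 3 && $3 == "all") { print $2; found = 1; exit }
        }
        END {
            if (found) exit
            if (last == "") { print "none"; exit }   # no http_access lines at all
            verdict = (last == "allow") ? "deny" : "allow"
            print verdict
        }
    ' "$1"
}

# Demo: audit both constructed configurations.
demo_dir=$(mktemp -d)
write_open_conf "$demo_dir/open.conf"
write_restricted_conf "$demo_dir/restricted.conf"
for name in open restricted; do
    echo "$name.conf: unknown client -> $(squid_default_policy "$demo_dir/$name.conf")"
done
rm -rf "$demo_dir"
```

Run it with sh. "allow" for the first file means the lab configuration is an open proxy the moment port 3128 is reachable from outside the LAN; the second file shows the shape of the fix: allow the LAN and localhost explicitly, then "deny all" as the final line.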

Write Squid startup script

[root@localhost squid-3.4.6]# vim /etc/init.d/squid

The content is as follows:

#!/bin/bash
# chkconfig: 2345 90 25
# Squid service control script. $CONF is not passed to squid on the command
# line because /etc/squid.conf is already the compiled-in default (--sysconfdir=/etc).
PID="/usr/local/squid/var/run/squid.pid"
CONF="/etc/squid.conf"
CMD="/usr/local/squid/sbin/squid"

case "$1" in
start)
    netstat -antp | grep squid &> /dev/null
    if [ $? -eq 0 ]
    then
        echo "squid is running"
    else
        echo "starting squid...."
        $CMD
    fi
    ;;
stop)
    $CMD -k kill &> /dev/null      # -k kill sends SIGKILL; -k shutdown would stop gracefully
    rm -rf $PID &> /dev/null
    ;;
status)
    [ -f $PID ] &> /dev/null
    if [ $? -eq 0 ]
    then
        netstat -antp | grep squid
    else
        echo "squid is not running"
    fi
    ;;
restart)
    $0 stop &> /dev/null
    echo "shutting down squid..."
    $0 start &> /dev/null
    echo "starting squid..."
    ;;
reload)
    $CMD -k reconfigure        # re-read squid.conf without restarting
    ;;
check)
    $CMD -k parse              # syntax-check squid.conf
    ;;
*)
    echo "usage: $0 {start|stop|status|reload|check|restart}"
    ;;
esac

Make the script executable and register the service:

[root@localhost squid-3.4.6]# chmod +x /etc/init.d/squid    (give the script execute permission)

[root@localhost squid-3.4.6]# chkconfig --add squid    (register it as a system service)

[root@localhost squid-3.4.6]# chkconfig --level 35 squid on    (start automatically at boot in runlevels 3 and 5)

At this point the basic configuration of the Squid service is complete. Next we set up the traditional proxy mode.

[root@localhost squid-3.4.6]# vim /etc/squid.conf    (modify the configuration file)

Add the following:

cache_mem 64 MB    (amount of memory the cache uses to keep frequently accessed web objects; preferably a multiple of 4 MB, and about 1/4 of physical memory is recommended)

reply_body_max_size 10 MB    (maximum size of a reply body a user is allowed to download; the default 0 means no limit)

maximum_object_size 4096 KB    (largest object that will be stored in the cache; larger files are not cached but are forwarded directly to the user)

The original article shows the modified configuration file in a screenshot (not reproduced here).

Prepare before starting:

[root@localhost squid-3.4.6]# squid -k parse    (check the configuration file syntax again)

[root@localhost squid-3.4.6]# squid -z    (initialise the cache directories)

[root@localhost squid-3.4.6]# iptables -F    (flush the filter rules so we can write our own policy; note that this discards any existing firewall policy on the host)

[root@localhost squid-3.4.6]# iptables -t nat -F    (flush the nat table)

[root@localhost squid-3.4.6]# iptables -I INPUT -p tcp --dport 3128 -j ACCEPT    (add a firewall rule: allow TCP port 3128 in; on a host that also has a public interface, add "-i <LAN interface>" so that only LAN clients can reach the proxy)

[root@localhost squid-3.4.6]# setenforce 0    (put SELinux into permissive mode)

[root@localhost squid-3.4.6]# service squid start    (start the service)

Starting squid...

[root@localhost squid-3.4.6]# netstat -antp | grep 3128    (check that the port is listening)

tcp6       0      0 :::3128                 :::*                    LISTEN      36813/(squid-1)

Verify the traditional proxy server:

Method: set up an Apache web server, configure the proxy server in the IE browser on a Windows client, visit the Apache server through it, then look at the Apache access log to see which address made the request. If the requests come from the proxy server's address, the deployment has succeeded.

1) Set up Apache on another server:

[root@localhost ~]# yum install httpd -y    (note that Apache is installed on a different server from Squid)

[root@localhost ~]# systemctl stop firewalld.service

[root@localhost ~]# setenforce 0

[root@localhost ~]# systemctl start httpd.service

2) Enter the address and port of the Squid proxy server in the IE browser on the client

The original article shows this in a screenshot (not reproduced here).

Access the Apache website:

The access succeeds, but we need to know who Apache saw making the request, so now we look at the Apache log file.

The original article shows the Apache log in a screenshot (not reproduced here): the requests are logged from the proxy server's IP, not from the client's.

This shows that the traditional proxy server has been deployed successfully.
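The Apache log only shows the proxy's address, so to find out which LAN host really made a request, and whether the cache is serving hits at all, the place to look is Squid's own access log (/usr/local/squid/var/logs/access.log for this build). The script below is an added example, not from the original article or from the Squid project: it summarises a native-format access.log, counting hits, misses and denied requests and listing requests per client. The log lines it writes are constructed for the demo; the client and server addresses are assumptions consistent with the article's 192.168.100.0/24 LAN.

```shell
#!/bin/sh
# Added example (not from the original article): summarise a Squid
# native-format access.log. Field layout of each line:
#   timestamp elapsed client code/status bytes method URL ident hierarchy/peer type
# so $3 is the real client address and $4 is the cache result (TCP_HIT, TCP_MISS, ...).
# The sample log below is constructed for the demo.

# write_sample_log FILE : create a constructed access.log
write_sample_log() {
    cat > "$1" <<'EOF'
1579000000.101     45 192.168.100.20 TCP_MISS/200 2345 GET http://192.168.20.10/index.html - HIER_DIRECT/192.168.20.10 text/html
1579000001.202      2 192.168.100.20 TCP_HIT/200 2345 GET http://192.168.20.10/index.html - HIER_NONE/- text/html
1579000002.303      1 192.168.100.20 TCP_MEM_HIT/200 512 GET http://192.168.20.10/logo.png - HIER_NONE/- image/png
1579000003.404     60 192.168.100.21 TCP_MISS/200 4096 GET http://192.168.20.10/about.html - HIER_DIRECT/192.168.20.10 text/html
1579000004.505      0 192.168.100.21 TCP_DENIED/403 3500 GET http://example.invalid/ - HIER_NONE/- text/html
1579000005.606     80 192.168.100.22 TCP_MISS/200 1024 GET http://192.168.20.10/css/site.css - HIER_DIRECT/192.168.20.10 text/css
EOF
}

# squid_cache_stats FILE : hit/miss/denied counts and hit percentage, one line
squid_cache_stats() {
    awk '
        $4 ~ "HIT/"    { hits++ }      # TCP_HIT, TCP_MEM_HIT, TCP_REFRESH_HIT, ...
        $4 ~ "MISS/"   { misses++ }    # TCP_MISS, TCP_REFRESH_MISS, ...
        $4 ~ "DENIED/" { denied++ }    # blocked by http_access
        { total++ }
        END {
            pct = (total > 0) ? int(100 * hits / total) : 0
            printf "hits=%d misses=%d denied=%d total=%d hit_pct=%d\n",
                   hits, misses, denied, total, pct
        }
    ' "$1"
}

# squid_clients FILE : requests per client IP, busiest first ("count ip")
squid_clients() {
    awk '{ count[$3]++ } END { for (ip in count) print count[ip], ip }' "$1" | sort -rn
}

# squid_requests_from FILE IP : cache result and URL of every request from one LAN host
squid_requests_from() {
    awk -v ip="$2" '$3 == ip { print $4, $7 }' "$1"
}

# Demo: build the sample log and report on it.
demo_log=$(mktemp)
write_sample_log "$demo_log"
squid_cache_stats "$demo_log"
squid_clients "$demo_log"
squid_requests_from "$demo_log" 192.168.100.21
rm -f "$demo_log"
```

Point the functions at the real access.log on the proxy to answer the question the Apache log cannot: a low hit percentage after repeated visits to the same static pages means the cache is not doing its job (check maximum_object_size and the cache directory permissions), and the per-client listing is what identifies the host behind a request that the web server only sees as coming from the proxy.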

Transparent proxy deployment:

A transparent proxy provides the same service as a traditional proxy, but its "transparency" relies on the clients' default route and a firewall redirect policy.

In this architecture Squid runs on the Linux gateway and proxies the clients' Internet access.

On the LAN clients you only need to set the IP address and the default gateway; there is no need to enter the proxy server's address and port manually.

Following this design, a second network card is added to the Squid proxy server. The transparent proxy topology is shown in a figure in the original article (not reproduced here).

Start deployment:

[root@localhost ~]# vim /etc/squid.conf    (modify the configuration file)

Modify the following:

http_port 192.168.100.1:3128 transparent    (change the listening address to the LAN-facing interface, since it is the internal network that needs to reach the public network; "transparent" tells Squid that connections on this port were redirected by the firewall rather than configured in the client. In Squid 3.x the current name for this mode is "intercept", with "transparent" kept as an alias)

Not much else changes in the configuration file; next the iptables redirect policy is needed:

[root@localhost ~]# iptables -t nat -I PREROUTING -i ens33 -s 192.168.100.0/24 -p tcp --dport 80 -j REDIRECT --to 3128

[root@localhost ~]# iptables -t nat -I PREROUTING -i ens33 -s 192.168.100.0/24 -p tcp --dport 443 -j REDIRECT --to 3128

Here ens33 is the LAN-facing interface. Note that redirecting port 443 to a plain "transparent" http_port does not make HTTPS work: Squid receives the TLS handshake on a port where it expects plain HTTP and cannot proxy it. Intercepting HTTPS requires an https_port with SSL bump and a CA certificate trusted by the clients, which is outside the scope of this article.

Enable IP forwarding:

[root@localhost ~]# echo "1" > /proc/sys/net/ipv4/ip_forward    (takes effect immediately but not across reboots; set net.ipv4.ip_forward = 1 in /etc/sysctl.conf to make it permanent)

Restart the Squid proxy server:

[root@localhost ~]# service squid restart

Shutting down squid...

Starting squid...

Transparent mode verification:

Note: in transparent mode there is no need to set a proxy server on the client at all; the original article shows the client's (empty) proxy settings in a screenshot (not reproduced here).

The original article then shows the Apache log (not reproduced here) to see which host accessed the web server.

Conclusion: no proxy server was configured on the client, yet the web server logs the access as coming from the proxy server.

If you want a Linux client to use the proxy from the command line (for example the elinks web browser or the wget download tool), the address and port of the proxy server must be given through environment variables.

[root@localhost ~]# vim /etc/profile    (add the following to the environment)

Add the following:

HTTP_PROXY=http://192.168.100.50:3128    (proxy for the HTTP protocol)

HTTPS_PROXY=http://192.168.100.50:3128    (proxy for the HTTPS protocol; the proxy itself is reached over plain HTTP, the tunnel to the site is still TLS)

FTP_PROXY=http://192.168.100.50:3128    (proxy for the FTP protocol)

NO_PROXY=192.168.20.,192.168.30.    (do not use the proxy for these two LAN segments)

export HTTP_PROXY HTTPS_PROXY FTP_PROXY NO_PROXY

Some tools, wget among them, only read the lowercase forms (http_proxy, https_proxy, ftp_proxy, no_proxy), so it is safest to export both spellings.

[root@localhost ~]# source /etc/profile

Summary:

1 When we access a web server through the Squid cache proxy, the proxy answers directly if it already holds the data; if not, Squid fetches the data from the web server, returns it to the client, and caches it.

2 The basic proxy types are the traditional proxy and the transparent proxy. The biggest difference is whether the proxy server's address and port have to be set manually on the client.

3 Troubleshooting: check that the firewall on the web server has been turned off; whether the firewall policy was written correctly; whether the service was restarted after the configuration file was modified; and whether the service port is actually listening.
