Shulou(Shulou.com)06/01 Report--

1.1 purpose or background

Wande data department needs overseas relevant data, but due to GFW, Chinese mainland will encounter many problems in directly accessing overseas websites, so it needs to set up a proxy server in Hong Kong to solve these problems.

1.1 deploy Squid1.1.1 acquisition software

From squid's official site: http://www.squid-cache.org/

You can download either the source code package or the RPM package. This document describes the source code installation.

1.1.2 install the software

1. Copy the download file to

Hkproxy:/usr/local/src# dir

-rw-r--r-- 1 root root 4828446 July 1 22:14 squid-3.5.20.tar.gz

two。 Extract the installation package

Hkproxy:/usr/local/src # tar zxvf squid-3.5.20.tar.gz

3. Enter into the installation package

Hkproxy:/usr/local/src # cd squid-3.5.20/

Hkproxy:/usr/local/src/squid-3.5.20 #

4. Create the installation squid directory

Hkproxy:/usr/local # mkdir squid

5. Add squid user

# useradd squid-g squid-s / bin/false

Set the password at the same time

Create a group:

# groupadd squid

6. / configure installation

Hkproxy:/usr/local/src/squid-3.5.20 #. / configure--prefix=/usr/local/squid/-enable-ssl-enable-underscore-enable-icmp--enable-kill-parent-hack-enable-gnuregex--enable-default-err-language= "Simplify_Chinese"-with-large-files--with-default-user=squid-disable-loadable-modules

Note:-- the installation directory of prefix=/usr/local/squid/:Squid. Default is / usr/local/squid.

-- enable-ssl: allows Squid to terminate SSL/TLS connections, valid only for acceleration requests in proxy mode

-- enable-underscores: underscores are allowed in hostnames, but it is still important to consider that the DNS resolver may prohibit underscores in hostnames.

-- enable-icmp: use ICMP messages to determine the loop time (round-trip time), which is similar to the ping program

-- enable-kill-parent-hack: when you turn off squid, do you want to turn it off along with the parent process?

-- enable-gnuregex: use GNU regular expressions.

-- enable-default-err-language=lang: the default language for error messages, and English is the default.

-- with-large-files: large files are supported

-- with-default-user=squid: specifies the squid user

-- disable-loadable-modules: disables loading of dynamic related modules or pre-installed modules. Errors are reported when compiling GCC, so you need to disable this module.

For more modules, please refer to. / configure-help

Hkproxy:/usr/local/src/squid-3.5.20#. / configure-- help | more

`configure'configures Squid Web Proxy 3.5.20 to adapt to many kinds of systems.

Usage:. / configure [OPTION]... [VAR=VALUE]...

To assignenvironment variables (e.g., CC, CFLAGS...), specify them as

VAR=VALUE. See below for descriptions of some of theuseful variables.

Defaultsfor the options are specified in brackets.

Configuration:

-h,-- help display this help and exit

-- help=short display options specific to thispackage

-- help=recursive display the short help of all the includedpackages

-V-- version display version information and exit

-Q,-- quiet,-- silent do not print `checking...' Messages

-- cache-file=FILE cache test results in FILE [disabled]

-C,-- config-cache alias for `--cache-file=config.cache'

-n,-- no-create do not create output files

-- srcdir=DIR find the sources in DIR [configure diror `..']

Installationdirectories:

-- prefix=PREFIX install architecture-independent filesin PREFIX

[/ usr/local/squid]

-- exec-prefix=EPREFIX install architecture-dependent files inEPREFIX

[PREFIX]

Bydefault, `make install' will install all the files in

`/ usr/local/squid/bin',` / usr/local/squid/lib' etc. You canspecify

Aninstallation prefix other than `/ usr/local/squid' using`-- prefix'

Forinstance `--prefix=$HOME'.

For bettercontrol, use the options below.

Finetuning of the installation directories:

-- bindir=DIR user executables [EPREFIX/bin]

-- sbindir=DIR system admin executables [EPREFIX/sbin]

-- libexecdir=DIR program executables [EPREFIX/libexec]

-- sysconfdir=DIR read-only single-machine data [PREFIX/etc]

-- sharedstatedir=DIR modifiable architecture-independent data [PREFIX/com]

-- localstatedir=DIR modifiable single-machine data [PREFIX/var]

-- runstatedir=DIR modifiable per-process data [LOCALSTATEDIR/run]

-- libdir=DIR object code libraries [EPREFIX/lib]

-- includedir=DIR C header files [PREFIX/include]

-- oldincludedir=DIR C header files for non-gcc [/ usr/include]

-- datarootdir=DIR read-only arch.-independent dataroot [PREFIX/share]

-- datadir=DIR read-only architecture-independentdata [DATAROOTDIR]

-- infodir=DIR info documentation [DATAROOTDIR/info]

-- localedir=DIR locale-dependent data [DATAROOTDIR/locale]

-- mandir=DIR man documentation [DATAROOTDIR/man]

-- docdir=DIR documentation root [DATAROOTDIR/doc/squid]

-- htmldir=DIR html documentation [DOCDIR]

-- dvidir=DIR dvi documentation [DOCDIR]

-- pdfdir=DIR pdf documentation [DOCDIR]

-- psdir=DIR ps documentation [DOCDIR]

7. If the configure installation reports an error, I encounter that the GCC compiler is not installed, so I need to install the plug-in.

Direct installation of yast tools for suse.

8. Make compilation

Hkproxy:/usr/local/src/squid-3.5.20 # make # about 4 minutes

9. Make install installation

Hkproxy:/usr/local/src/squid-3.5.20 # make install

10. Adjust the permissions of the installation directory.

Chown-R squid:squid / usr/local/squid/

11. Start

Hkproxy:/usr/local/squid/sbin #. / squid

twelve。 Check to see if the default listening port is enabled. The default is 3128. I changed it to 3129.

Hkproxy:/usr/local/squid/sbin# netstat-an | grep "3129"

Tcp 0 0: 3129: * LISTEN

Tcp 00 10.90.5.33:3129 10.200.1.12:2131 ESTABLISHED

1.1.3 configuring squid

Configuration file squid.conf for Squid

# acllocalnet src 10.0.0.0/8 # RFC1918possible internal network

# acllocalnet src 172.16.0.0/12 # RFC1918 possible internal network

# acllocalnet src 192.168.0.0/16 # RFC1918 possible internal network

# acllocalnet src fc00::/7 # RFC 4193local private network range

# acllocalnet src fe80::/10 # RFC 4291link-local (directly plugged) machines

# acllocalnet src 222.66.202.206/32

# acllocalnet src 58.247.3.26/32

Acllocalnet src 10.200.1.12/32

Acllocalnet src 10.100.4.3/32

Acllocalnet src 10.200.0.8/32

Acllocalnet src 10.200.6.228/32

Acllocalnet src 10.200.4.63/32

AclSSL_ports port 443

AclSafe_ports port 80 # http

AclSafe_ports port 21 # ftp

AclSafe_ports port 443 # https

AclSafe_ports port 70 # gopher

Acl Safe_portsport 210 # wais

AclSafe_ports port 1025-65535 # unregistered ports

AclSafe_ports port 280 # http-mgmt

AclSafe_ports port 488 # gss-http

AclSafe_ports port 591 # filemaker

AclSafe_ports port 777 # multilinghttp

Acl CONNECT method CONNECT

# Squidnormally listens to port 3128

Http_port 3129

After changing the squid.conf configuration file, reload it with the command

Hkproxy:/usr/local/squid/etc # / usr/local/squid/sbin/squid-k reconfigure

For other operations, please refer to help:

Hkproxy:/usr/local/squid/etc # / usr/local/squid/sbin/squid-k

Hkproxy:/usr/local/squid/etc# / usr/local/squid/sbin/squid-k

/ usr/local/squid/sbin/squid:option requires an argument--'K'

Usage:squid [- cdhvzCFNRVYX] [- n name] [- s |-l facility] [- f config-file] [- [au] port] [- k signal]

-a port Specify HTTP port number (default: 3128).

-d level Write debugging to stderr also.

-f file Use given config-file instead of

/ usr/local/squid/etc/squid.conf

-h Print help message.

-k reconfigure | rotate | shutdown | restart | interrupt | kill | debug | check | parse

Parse configuration file, thensend signal to

Running copy (except-k parse) and exit.

-n name Specify service name to use for service operations

Default is: squid.

-s |-l facility

Enable logging to syslog.

-u port Specify ICP port number (default: 3130), disable with 0.

-v Print version.

-z Create missing swap directories and then exit.

-C Do not catch fatal signals.

-D OBSOLETE. Scheduled for removal.

-F Don't serve any requests until store is rebuilt.

-N No daemon mode.

-R Do not set REUSEADDR on port.

-S Double-check swap duringrebuild.

-X Force full debugging.

1.1.1 client configuration Agent

Now you can browse google.

1.1.1 View the access record of the agent

Hkproxy:/usr/local/squid/var/logs # cat access.log | more

1468291506.630 183 10.100.4.3 TCP_TUNNEL/200 848 CONNECTwww.google.com:443-HIER_DIRECT/216.58.203.4-

1468291506.791 877 10.100.4.3 TCP_TUNNEL/200 1626 CONNECTad.afy11.net:443-HIER_DIRECT/74.117.199.102-

1468291506.798 20 10.100.4.3TCP_MISS/200 842 GET http://clients1.google.com/ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih%2BZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCBkrTynxASad- HIER_DIRECT/216.58.199.14 application/ocsp-response

1468291506.824 828 10.100.4.3 TCP_TUNNEL/200 43033 CONNECTfw.adsafeprotected.com:443-HIER_DIRECT/52.196.221.84-

1468291506.831 88010.100.4.3 TCP_TUNNEL/200 43033 CONNECT fw.adsafeprotected.com:443-HIER_DIRECT/52.196.221.84-

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.