Squid can be deployed as a proxy in two ways:
1. Forward proxy (used in corporate office environments, where employees reach the Internet through the Squid proxy): the client sends its request to the proxy server, the proxy requests the result from the real server on the client's behalf, and then returns that result to the client.
2. Reverse proxy (commonly used as a cache server for a site's static content: images, HTML, streaming media, JS, CSS and so on): the client sends its request, and the proxy either returns a result found in its cache, or fetches the result from the origin server, stores a copy for next time, and returns it to the client.
Proxies also differ in how they relay traffic; there are two transfer modes:
1. Synchronous mode (e.g. Squid): the user's request is forwarded to the backend server immediately, so a connection is established between the browser and the backend server that stays open until the request completes.
2. Asynchronous mode (e.g. nginx): the user's request is sent to nginx, nginx forwards it to the backend server only after it has received all of the data, the backend returns its response to nginx once processing is done, and nginx then returns it to the user.
I. Forward proxy
[root@localhost ~]# yum install -y squid
[root@localhost ~]# squid -v        // check the Squid version
Squid Cache: Version 3.1.10
[root@localhost ~]# rm -f /etc/squid/squid.conf        // do not use the default configuration
[root@localhost ~]# vim /etc/squid/squid.conf        // add the following
http_port 3128
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl SSL_ports port 443
acl Safe_ports port 80 8080 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access allow localhost
http_access allow all # note: this last line admits clients from any source address (an open proxy); Squid's stock configuration ends with "http_access deny all" instead
cache_dir aufs /data/cache 1024 16 256
cache_mem 128 MB
hierarchy_stoplist cgi-bin ?
coredump_dir /var/spool/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern \.(jpg|png|gif|mp3|xml) 1440 50% 2880 ignore-reload
refresh_pattern . 0 20% 4320
[root@localhost ~]# squid -kcheck        // check the configuration file for syntax errors
Messages you may see:
1. "squid: ERROR: No running copy" --> Squid has not been started yet; this is fine, and it means the configuration file parsed without problems.
2. "WARNING: Could not determine this machines public hostname. Please configure one or set 'visible_hostname'." --> set a hostname:
[root@localhost ~]# vim /etc/squid/squid.conf        // add
visible_hostname aminglinux.com        # any name of your choosing
[root@localhost ~]# mkdir -p /data/cache        // create the cache directory
[root@localhost ~]# chown -R squid:squid /data/cache/
[root@localhost ~]# squid -z        // initialize the cache directory
2013/06/12 16:25:14| Creating Swap Directories
2013/06/12 16:25:14| /data/cache exists        // initialization complete
[root@localhost ~]# /etc/init.d/squid start
正在啟動 squid:. [確定]
Testing:
1. [root@localhost ~]# curl -xlocalhost:3128 http://www.baidu.com/        // a long page of HTML comes back, so the Squid forward proxy is working
2. Request the same object twice through the proxy. The first response is a MISS from the local Squid; the second, identical request is a HIT served from the local cache (note the Age header).
[root@localhost ~]# curl -xlocalhost:3128 http://www.lishiming.net/static/image/common/logo.png -I
HTTP/1.0 200 OK
Server: nginx/1.0.0
Date: Sat, 08 Jun 2013 04:30:17 GMT
Content-Type: image/png
Content-Length: 7785
Last-Modified: Wed, 13 Jan 2010 03:33:47 GMT
Accept-Ranges: bytes
X-Cache: HIT from dx_cache216.5d6d.com
X-Cache: MISS from localhost.localdomain
X-Cache-Lookup: MISS from localhost.localdomain:3128
Via: 1.0 dx_cache216.5d6d.com:80 (squid), 1.0 localhost.localdomain (squid/3.1.10)
Connection: keep-alive
[root@localhost ~]# curl -xlocalhost:3128 http://www.lishiming.net/static/image/common/logo.png -I
HTTP/1.0 200 OK
Server: nginx/1.0.0
Content-Type: image/png
Content-Length: 7785
Last-Modified: Wed, 13 Jan 2010 03:33:47 GMT
Accept-Ranges: bytes
Date: Sat, 08 Jun 2013 04:30:17 GMT
X-Cache: HIT from dx_cache216.5d6d.com
Age: 360898
Warning: 113 localhost.localdomain (squid/3.1.10) This cache hit is still fresh and more than 1 day old
X-Cache: HIT from localhost.localdomain
X-Cache-Lookup: HIT from localhost.localdomain:3128
Via: 1.0 dx_cache216.5d6d.com:80 (squid), 1.0 localhost.localdomain (squid/3.1.10)
Connection: keep-alive
3. Configure a whitelist, so that the machine can only reach the whitelisted sites
[root@localhost ~]# vim /etc/squid/squid.conf
... ...
acl CONNECT method CONNECT        # add the following lines below this one
acl http proto HTTP
acl good_domain dstdomain .lishiming.net .aminglinux.com
http_access allow http good_domain
http_access deny http !good_domain
[root@localhost ~]# /etc/init.d/squid restart
[root@localhost ~]# curl -xlocalhost:3128 http://www.baidu.com/ -I
HTTP/1.0 403 Forbidden
Server: squid/3.1.23
Mime-Version: 1.0
Date: Fri, 15 Apr 2016 16:32:28 GMT
Content-Type: text/html
Content-Length: 3274
X-Squid-Error: ERR_ACCESS_DENIED 0
Vary: Accept-Language
Content-Language: en
X-Cache: MISS from localhost.localdomain
X-Cache-Lookup: NONE from localhost.localdomain:3128
Via: 1.0 localhost.localdomain (squid/3.1.23)
Connection: keep-alive
Squid evaluates http_access lines in order and the first match decides, so the position of these lines matters. Both lists are keyed on the http acl (URL scheme HTTP), so they govern plain http:// requests; whether CONNECT tunnels (https://) to the same hosts are blocked depends on the http_access lines that follow, so test an https:// URL through the proxy as well.
4. Configure a blacklist, so that the machine cannot reach the blacklisted sites
acl http proto HTTP
acl bad_domain dstdomain .sina.com .souhu.com
http_access allow http !bad_domain
http_access deny http bad_domain
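To see how these first-match http_access rules behave, here is an added example (not Squid's own code and not from the original post): a small Python model of Squid's ACL evaluation, run over a constructed config that combines the forward-proxy rules above with the whitelist. It assumes a CONNECT request is modelled as proto NONE (no URL scheme) and omits the manager lines; it shows that the whitelist only governs http:// requests and that the trailing `http_access allow all` still admits clients from outside localnet.

```python
"""First-match evaluator for the http_access rules on this page (added example, not Squid's
own code). Handles the acl types src, dstdomain, proto, method and port; CONNECT requests
are modelled with proto "NONE" (assumption: their URL carries no scheme)."""
import ipaddress
ACL_TYPES = ("src", "dstdomain", "proto", "method", "port")
# Constructed sample: the page's forward-proxy rules with its whitelist inserted (manager lines omitted).
WHITELIST_CONF = """
acl localhost src 127.0.0.1/32 ::1
acl localnet src 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
acl SSL_ports port 443
acl Safe_ports port 80 8080 21 443
acl CONNECT method CONNECT
acl http proto HTTP
acl good_domain dstdomain .lishiming.net .aminglinux.com
http_access allow http good_domain
http_access deny http !good_domain
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access allow localhost
http_access allow all
"""
def parse_config(text):
    """Collect acl definitions (same name = union of values) and http_access lines, in order."""
    acls, rules = {"all": ("src", {"0.0.0.0/0", "::/0"})}, []   # 'all' is built in
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()                    # drop comments
        if len(parts) >= 4 and parts[0] == "acl" and parts[2] in ACL_TYPES:
            acls.setdefault(parts[1], (parts[2], set()))[1].update(parts[3:])
        elif len(parts) >= 2 and parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))                 # ("allow"|"deny", acl names)
    return acls, rules

def acl_matches(kind, values, req):
    if kind == "src":
        ip = ipaddress.ip_address(req["src"])
        return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    if kind == "dstdomain":   # ".x.com" matches x.com and its subdomains; "x.com" is exact
        h = req["host"].lower()
        return any(h == v.lstrip(".") or (v[0] == "." and h.endswith(v)) for v in values)
    return str(req[kind]).upper() in {v.upper() for v in values}   # proto, method, port

def evaluate(conf, src, host, port=80, method="GET", proto="HTTP"):
    """Return (action, index of the deciding http_access line), or (default, None) if none matched."""
    acls, rules = parse_config(conf)
    req = {"src": src, "host": host, "port": port, "method": method, "proto": proto}
    for i, (action, names) in enumerate(rules):   # unknown acl name -> KeyError, as Squid would refuse it
        if all(acl_matches(*acls[n.lstrip("!")], req) != n.startswith("!") for n in names):
            return action, i
    return ("deny" if rules[-1][0] == "allow" else "allow"), None   # Squid's implicit default
```

Under this model a GET to www.baidu.com from 192.168.1.10 is denied by the second rule (the 403 seen above), while a CONNECT to www.baidu.com:443 passes the whitelist untouched and is allowed by the localnet rule, or by `allow all` for a client outside localnet.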
Scenario:
In an office, the network administrator often needs to block certain ports and network access, both for security and to keep employees focused on work.
In that case we set up a forward proxy server (on another server in the machine room that can reach the Internet) and route client traffic through it.
==================================================
II. Reverse proxy
[root@localhost ~]# vim /etc/squid/squid.conf
http_port 3128        # change this to: http_port 80 accel vhost vport
... ...
# append at the end of the file
cache_peer 123.125.119.147 parent 80 0 originserver name=a
cache_peer 61.135.169.125 parent 80 0 originserver name=b
cache_peer_domain a www.qq.com
cache_peer_domain b www.baidu.com
[root@localhost ~]# /etc/init.d/squid restart
[root@localhost ~]# curl -xlocalhost:80 http://www.baidu.com/ -I
[root@localhost ~]# curl -xlocalhost:80 http://www.qq.com/ -I
[root@localhost ~]# curl -xlocalhost:80 http://www.sina.com/ -I        # baidu.com and qq.com are served normally, while sina.com, which has no cache_peer_domain mapping to an origin, returns 503
==================================================
III. Squid command-line options
1. [root@localhost ~]# squid -h
Usage: squid [-cdhvzCFNRVYX] [-s | -l facility] [-f config-file] [-[au] port] [-k signal]
       -a port   Specify HTTP port number (default: 3128).
       -d level  Write debugging to stderr also.
       -f file   Use given config-file instead of /etc/squid/squid.conf
       -h        Print help message.
       -k reconfigure|rotate|shutdown|interrupt|kill|debug|check|parse
                 Parse configuration file, then send signal to running copy (except -k parse) and exit.
       -s | -l facility
                 Enable logging to syslog.
       -u port   Specify ICP port number (default: 3130), disable with 0.
       -v        Print version.
       -z        Create swap directories
       -C        Do not catch fatal signals.
       -D        OBSOLETE. Scheduled for removal.
       -F        Don't serve any requests until store is rebuilt.
       -N        No daemon mode.
       -R        Do not set REUSEADDR on port.
       -S        Double-check swap during rebuild.
       -X        Force full debugging.
       -Y        Only return UDP_HIT or UDP_MISS_NOFETCH during fast reload.
2. [root@localhost ~]# squid -kche        // same as squid -kcheck: the -k signal name may be abbreviated to a unique prefix
[root@localhost ~]# squid -krec        // reload the configuration (reconfigure)