Compile and install
Version: squid-3.5.27
OS: CentOS 6.5
Dependencies
yum install -y perl gcc* autoconf automake make sudo wget libxml2-devel libcap-devel libtool-ltdl-devel
Unpack

[root@uu ~]# mkdir /application
[root@uu ~]# cd /application/
[root@uu application]# rz
[root@uu application]# tar zxvf squid-3.5.27.tar.gz
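About symbolic links
When software is compiled into a path that carries its version number (/application/app1.1.1) but should be reached without the version number (/application/app), create a symbolic link that points at the compiled path. All programs access the symbolic link (/application/app). After the software is upgraded to a newer version, just delete the link and recreate it (/application/app) so that it points at the new version's path.
Create the symbolic link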
[root@uu application]# ln -s squid-3.5.27 squid
Compile

./configure --prefix=/application/squid --disable-loadable-modules \
  --enable-gnuregex --enable-icmp --enable-linux-netfilter \
  --enable-err-language="zh-cn" --enable-default-err-language="zh-cn" \
  --enable-kill-parent-hack --enable-cache-digests --enable-dlmalloc \
  --enable-poll --enable-async-io=240 --enable-arp-acl \
  --mandir=/usr/share/man/ --with-large-files --with-filedescriptors=20480
Notes
--enable-arp-acl
Identifying users by IP address is very unreliable; the MAC (hardware) address of the network card is better than the IP address. To use MAC address identification in Squid,
add this to the configuration file:
acl advance arp 00:01:02:1f:2c:3e 00:01:02:3c:1a:8b ...
Verify
echo $?
PS
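Squid itself is installed under /application/sbin
Squid's cache directory defaults to /application/squid/cache
Squid's log directory defaults to /application/squid/logs
Squid's configuration directory defaults to /application/etc/squid
Notes on the build options

--enable-async-io=80
This mainly makes squid run in async mode; my understanding is that it sets the threads squid runs with. If the server is well equipped, with more than 1 GB of memory and SMP CPUs, consider setting it to 160 or higher. If the server is weaker, set it according to the actual situation. This option also makes cache files support aufs. The value 80 was chosen by me based on the configuration used for 160.

--enable-epoll
A new method for improving I/O performance in the Linux 2.6 kernel.

--enable-poll
Enables the poll() function instead of select(). Generally poll is better than select, but configure knows that poll fails on some platforms. If you think you are smarter than the configure script, you can use this option to enable poll. In short, using it can improve performance. I did not understand it fully, but my feeling is that epoll is somewhat more advanced, so I replaced poll with epoll. epoll is the Linux kernel's improved poll for handling large numbers of handles, an enhanced version of the select/poll multiplexed I/O interface on Linux. It significantly reduces system CPU usage when only a few of a large number of concurrent connections are active.

--disable-internal-dns
The Squid proxy server implements DNS resolution inside the program; it does not check /etc/hosts and goes directly to the DNS servers in /etc/resolv.conf. My experience: 1. The dns_children configuration parameter depends on disable-internal-dns. 2. By default /etc/hosts is checked. The default value is hosts_file /etc/hosts. To skip the check you must explicitly set hosts_file none.

--with-filedescriptors=20480
Raises the number of file descriptors that can be open at the same time under concurrency. The default is 1024, which is usually not enough and produces the warning "WARNING: your cache is running out of the filedescriptors!" in cache_log. Also my experience: max_filedescriptors 20480 must be set explicitly in the configuration file. The two values do not have to be equal; the first is the maximum set at compile time, and the value in the configuration file only has to be no greater than it.

--enable-kill-parent-hack
Whether to kill the parent process together with squid when shutting squid down. Of course we want this. In the past Squid sometimes shut down abnormally and could not delete its pid file, which may be related to this option. (2.7 also supports this option.)

--enable-underscore
In 3.0 this build option is no longer needed and no longer supported (2.7 does not support it either). The configuration file has the allow_underscore option. Underscores in domain names are allowed by default.

--enable-err-language="zh-cn" --enable-default-err-language="zh-cn"
Previously this was --enable-err-language="Simplify_Chinese" --enable-default-err-language="Simplify_Chinese"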
Install
Note
With squid versions after 3.1.5, a default build fails with the following error; you can disable eCAP (--disable-loadable-modules)

> ../libltdl/libltdl/lt_error.h:35:31: error: libltdl/lt_system.h: No such file or directory
> make[3]: *** [LoadableModule.o] Error 1
> make[3]: Leaving directory `/application/src/squid/squid-3.1.6/src'
> make[2]: *** [all-recursive] Error 1
> make[2]: Leaving directory `/application/src/squid/squid-3.1.6/src'
> make[1]: *** [all] Error 2
> make[1]: Leaving directory `/application/src/squid/squid-3.1.6/src'
> make: *** [all-recursive] Error 1
Or:

In file included from LoadableModule.cc:18:
../libltdl/ltdl.h:106: 錯誤:‘LT_DLSYM_CONST’沒有命名一個類型
LoadableModule.cc: In constructor ‘LoadableModule::LoadableModule(const String&)’:
LoadableModule.cc:33: 錯誤:‘lt__PROGRAM__LTX_preloaded_symbols’在此作用域中尚未聲明
make[3]: *** [LoadableModule.o] 錯誤 1
make[3]: Leaving directory `/application/squid-3.5.27/src'
make[2]: *** [all-recursive] 錯誤 1
make[2]: Leaving directory `/application/squid-3.5.27/src'
make[1]: *** [all] 錯誤 2
make[1]: Leaving directory `/application/squid-3.5.27/src'
make: *** [all-recursive] 錯誤 1

If you are using a minimal CentOS installation, the C compiler may not be installed and has to be installed manually. If the following error appears during installation:
-bash: make: command not found
it is because no compiler is installed. Install one with:
yum install gcc* gcc-*
After that, run make again.
make

[root@uu squid-3.5.27]# make
sed "
s%@DEFAULT_ERROR_DIR@%%g;
s%@DEFAULT_MIME_TABLE@%%g;
s%@""PACKAGE_STRING""@%Squid Web Proxy 3.5.27%g;
s%@SYSCONFDIR@%/application/squid/etc%g;
" < ./cachemgr.cgi.8.in > cachemgr.cgi.8
make[2]: Leaving directory `/application/squid-3.5.27/tools'
make[1]: Leaving directory `/application/squid-3.5.27/tools'
Making all in test-suite
make[1]: Entering directory `/application/squid-3.5.27/test-suite'
make[1]: Nothing to be done for `all'.
make[1]: Leaving directory `/application/squid-3.5.27/test-suite'
make[1]: Entering directory `/application/squid-3.5.27'
make[1]: Nothing to be done for `all-am'.
make[1]: Leaving directory `/application/squid-3.5.27'
[root@uu squid-3.5.27]# echo $?
0
make install

[root@uu squid-3.5.27]# make install
make[3]: Leaving directory `/application/squid-3.5.27/tools'
make[2]: Leaving directory `/application/squid-3.5.27/tools'
make[1]: Leaving directory `/application/squid-3.5.27/tools'
Making install in test-suite
make[1]: Entering directory `/application/squid-3.5.27/test-suite'
make[2]: Entering directory `/application/squid-3.5.27/test-suite'
make[2]: Nothing to be done for `install-exec-am'.
make[2]: Nothing to be done for `install-data-am'.
make[2]: Leaving directory `/application/squid-3.5.27/test-suite'
make[1]: Leaving directory `/application/squid-3.5.27/test-suite'
make[1]: Entering directory `/application/squid-3.5.27'
make[2]: Entering directory `/application/squid-3.5.27'
make[2]: Nothing to be done for `install-exec-am'.
make[2]: Nothing to be done for `install-data-am'.
make[2]: Leaving directory `/application/squid-3.5.27'
make[1]: Leaving directory `/application/squid-3.5.27'
[root@uu squid-3.5.27]# echo $?
0
At this point squid3.5.5 has been installed under the /application/squid directory; run
Configuration file
>/application/squid/etc/squid.conf

vim /application/squid/etc/squid.conf
[root@uu etc]# cat squid.conf
http_port 3128
cache_mem 64 MB
maximum_object_size 400 MB
minimum_object_size 0 KB
maximum_object_size_in_memory 4096 KB
cache_dir aufs /application/squid/var/cache/squid 1024 16 256
cache_mem 128 MB
cache_log /application/squid/var/logs/cache.log
#logfile_rotate 60
#cache_swap_high 95
#cache_swap_low 90
request_entities off
#ident_timeout 10 seconds
# Sets how long squid waits for the user authentication request. The default is 10 seconds. [--enable-ident-lookups]
cache_effective_user nobody
cache_effective_group nobody
httpd_suppress_version_string on
#acl manager proto cache_object
#acl localhost src 127.0.0.1/32 ::1
#acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
acl localnet src 10.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 443
acl CONNECT method CONNECT
acl http proto HTTP
acl good_domain dstdomain yyt.etcsd.com
http_access allow manager localhost
http_access allow http good_domain
http_access deny http !good_domain
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow all
coredump_dir /application/squid/var/cache/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
visible_hostname pstation
cache_mgr 15666661331@163.com
Error messages

Remove the manager and 127.0.0.1 lines
UPGRADE: ACL 'manager' is now a built-in ACL. Remove it from your config file.
2018/01/19 13:04:31| Processing: acl localhost src 127.0.0.1/32 ::1
2018/01/19 13:04:31| WARNING: (B) '127.0.0.1' is a subnetwork of (A) '127.0.0.1'
2018/01/19 13:04:31| WARNING: because of this '127.0.0.1' is ignored to keep splay tree searching predictable
2018/01/19 13:04:31| WARNING: You should probably remove '127.0.0.1' from the ACL named 'localhost'
2018/01/19 13:04:31| WARNING: (B) '127.0.0.1' is a subnetwork of (A) '127.0.0.1'
2018/01/19 13:04:31| WARNING: because of this '127.0.0.1' is ignored to keep splay tree searching predictable
2018/01/19 13:04:31| WARNING: You should probably remove '127.0.0.1' from the ACL named 'localhost'
2018/01/19 13:04:31| WARNING: (B) '::1' is a subnetwork of (A) '::1'
2018/01/19 13:04:31| WARNING: because of this '::1' is ignored to keep splay tree searching predictable
2018/01/19 13:04:31| WARNING: You should probably remove '::1' from the ACL named 'localhost'
2018/01/19 13:04:31| WARNING: (B) '::1' is a subnetwork of (A) '::1'
2018/01/19 13:04:31| WARNING: because of this '::1' is ignored to keep splay tree searching predictable
2018/01/19 13:04:31| WARNING: You should probably remove '::1' from the ACL named 'localhost'
2018/01/19 13:04:31| Processing: acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
2018/01/19 13:04:31| WARNING: (B) '127.0.0.0/8' is a subnetwork of (A) '127.0.0.0/8'
2018/01/19 13:04:31| WARNING: because of this '127.0.0.0/8' is ignored to keep splay tree searching predictable
2018/01/19 13:04:31| WARNING: You should probably remove '127.0.0.0/8' from the ACL named 'to_localhost'
2018/01/19 13:04:31| WARNING: (B) '0.0.0.0' is a subnetwork of (A) '0.0.0.0'
2018/01/19 13:04:31| WARNING: because of this '0.0.0.0' is ignored to keep splay tree searching predictable
2018/01/19 13:04:31| WARNING: You should probably remove '0.0.0.0' from the ACL named 'to_localhost'
2018/01/19 13:04:31| WARNING: (B) '0.0.0.0' is a subnetwork of (A) '0.0.0.0'
2018/01/19 13:04:31| WARNING: because of this '0.0.0.0' is ignored to keep splay tree searching predictable
2018/01/19 13:04:31| WARNING: You should probably remove '0.0.0.0' from the ACL named 'to_localhost'
2018/01/19 13:04:31| WARNING: (B) '::1' is a subnetwork of (A) '::1'
2018/01/19 13:04:31| WARNING: because of this '::1' is ignored to keep splay tree searching predictable
2018/01/19 13:04:31| WARNING: You should probably remove '::1' from the ACL named 'to_localhost'
2018/01/19 13:04:31| WARNING: (B) '::1' is a subnetwork of (A) '::1'
2018/01/19 13:04:31| WARNING: because of this '::1' is ignored to keep splay tree searching predictable
2018/01/19 13:04:31| WARNING: You should probably remove '::1' from the ACL named 'to_localhost'
Start

/application/squid/sbin/squid -z
/application/squid/sbin/squid -k parse         test the configuration file
/application/squid/sbin/squid -k reconfigure   reload the configuration file
/application/squid/sbin/squid -k shutdown      shut down squid
/application/squid/sbin/squid -s               start squid in the background
/application/squid/sbin/squid -N -d1           start squid in the foreground
/application/squid/sbin/squid -k interrupt     shut down squid (higher priority, closes squid directly)
/application/squid/sbin/squid -k kill          shut down squid (highest priority, kills the squid process directly)
netstat -ntpl
Check whether the squid port is listening:
[root@uu ~]# netstat -tunpl | grep :3128
Load the new configuration file without restarting:
[root@rh73 ~]# /etc/rc.d/init.d/squid reload
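Troubleshooting
After installation, a new user squid has been created on the system
cat /etc/passwd|grep squid
cat /etc/group|grep 65534
If it does not exist, add it manually
Add the user
[root@uu application]# useradd squid -s /sbin/nologin -M
Troubleshooting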

1. If [root@uu etc]# /application/squid/sbin/squid -k parse reports an error:
WARNING: Cannot write log file: /application/squid/var/logs/cache.log
/application/squid/var/logs/cache.log: Permission denied
messages will be sent to 'stderr'

2. [root@uu etc]# /application/squid/sbin/squid -z   (initialization)
2018/01/19 14:11:45 kid1| Current Directory is /application/squid/etc
2018/01/19 14:11:45 kid1| Creating missing swap directories
FATAL: Failed to make swap directory /var/spool/squid: (13) Permission denied

Fix:
chown -R nobody /application/squid/var/cache/
chown -R nobody /application/squid/var/logs/

The usual problem is that squid does not have enough permissions on the cache directory; grant the appropriate permissions.
Then check whether it can start. If the output finally stops on one line and stays there, startup succeeded; press Ctrl+C to terminate.
If the normal startup messages are shown, Squid can now be started.

### The message below is caused by a wrong directory; the configuration parameter should be: coredump_dir /application/squid/var/cache/squid
2018/01/19 14:11:48 kid1| cannot change current directory to /var/spool/squid: (2) No such file or directory
Optimization ----- marker

[root@uu etc]# pwd
/application/squid/etc
Add to startup at boot
[root@uu etc]# echo "/application/squid/sbin/squid start " >>/etc/rc.local
Periodically clean invalid data out of swap.state

squid -k rotate -f /path/to/squid/conf_file
vi /etc/crontab
0 0 * * * root squid -k rotate -f /application/squid/etc/squid.conf
After squid has been running for some time, the swap.state file of each cache_dir keeps growing and contains more and more invalid entries, which may affect squid's response time. Use squid to clean the invalid data out of swap.state and reduce its size.
Environment variables
To add to the PATH environment variable (temporarily), use:
[root@uu]#
export PATH="/application/squid/sbin:$PATH"
export PATH="/application/squid/bin:$PATH"
Add the environment variable permanently (affects all users)
Append at the end of the file (two methods)

1. # vim /etc/profile
export PATH="/application/squid/sbin:$PATH"
Save and quit.
2. echo 'export PATH="/application/squid/sbin:$PATH"' >> /etc/profile
echo 'export PATH="/application/squid/bin:$PATH"' >> /etc/profile
Then run:
# source /etc/profile
If there is no error, it succeeded.
[root@uu etc]# source /etc/profile
[root@uu etc]# echo $PATH
/application/squid/sbin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin
Try it
killall squid
squid -k parse
squid -z
squid start
netstat -tunpl | grep :3128
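Configure authentication
By default Squid itself has no authentication program enabled, but user authentication can be implemented with external authentication programs. The usual ones are LDAP authentication, SMB authentication, MySQL-based authentication, SOCKS5-based password authentication and RADIUS-based authentication. The commonly used ncsa authentication is described below. ncsa is the authentication program shipped with the Squid source package, but it needs Apache's htpasswd to generate the password file. Alternatively, install this tool with apt-get/yum install httpd-tools.
NCSA method.
Add the authentication configuration

auth_param basic program /application/squid/helpers/basic_auth/NCSA/basic_ncsa_auth /opt/squid/etc/passwd
auth_param basic realm hello
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive on
auth_param basic children 5
acl alloweduser proxy_auth REQUIRED
http_access allow alloweduser
# Must be placed before all other http_access lines, otherwise it does not take effect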
Full configuration (mind the order)

[root@uu etc]# cat squid.conf
http_port 3128
cache_mem 64 MB
maximum_object_size 400 MB
minimum_object_size 0 KB
maximum_object_size_in_memory 4096 KB
cache_dir aufs /application/squid/var/cache/squid 1024 16 256
cache_mem 128 MB
cache_log /application/squid/var/logs/cache.log
#logfile_rotate 60
#cache_swap_high 95
#cache_swap_low 90
vary_ignore_expire on
collapsed_forwarding on
request_entities off
ident_timeout 10 seconds
# Sets how long squid waits for the user authentication request. The default is 10 seconds. [--enable-ident-lookups]
cache_effective_user nobody
cache_effective_group nobody
httpd_suppress_version_string on
#acl manager proto cache_object
#acl localhost src 127.0.0.1/32 ::1
#acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
#acl localnet src 10.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 443
acl CONNECT method CONNECT
acl http proto HTTP
acl good_domain dstdomain yyt.etcsd.com
auth_param basic program /application/squid/helpers/basic_auth/NCSA/basic_ncsa_auth /opt/squid/etc/passwd
auth_param basic realm hello
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive on
auth_param basic children 5
acl alloweduser proxy_auth REQUIRED
acl authorizedip src "/application/squid/authorizedip.txt"
#http_access allow manager localhost
http_access allow http good_domain
http_access deny http !good_domain
http_access allow alloweduser
http_access allow authorizedip
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
#http_access allow all
http_access deny all
coredump_dir /application/squid/var/cache/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
visible_hostname pstation
cache_mgr 15666661331@163.com
########################################################
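The effect of rule order in the full configuration above, as an added example (not part of the original post and not Squid code): a small Python model of first-match http_access evaluation run over the page's rules. The request fields, the sample addresses and the PORTS_FIRST reordering are assumptions made for the illustration.

```python
# Added example: a small model of Squid's first-match http_access evaluation.
# It is not Squid code; request fields and helper names are hypothetical.
ACLS = {  # predicates mirroring the acl lines in the page's squid.conf
    "http":         lambda r: r["proto"] == "HTTP",
    "good_domain":  lambda r: r["host"] == "yyt.etcsd.com",
    "Safe_ports":   lambda r: r["port"] in (80, 443),
    "SSL_ports":    lambda r: r["port"] == 443,
    "CONNECT":      lambda r: r["method"] == "CONNECT",
    "authorizedip": lambda r: r["src"] in AUTHORIZED_IPS,
    "all":          lambda r: True,
}
AUTHORIZED_IPS = {"192.0.2.10"}   # constructed stand-in for authorizedip.txt

PAGE_ORDER = ["allow http good_domain", "deny http !good_domain",
              "allow alloweduser", "allow authorizedip",
              "deny !Safe_ports", "deny CONNECT !SSL_ports", "deny all"]
# Same rules with the two port checks moved to the top (one possible reordering).
PORTS_FIRST = PAGE_ORDER[4:6] + PAGE_ORDER[:4] + ["deny all"]

def evaluate(rules, req):
    """Return (verdict, deciding_rule) the way Squid walks http_access lines."""
    for line in rules:
        action, *names = line.split()
        for name in names:                      # ACLs on one line are ANDed
            negate, name = name.startswith("!"), name.lstrip("!")
            if name == "alloweduser":           # proxy_auth REQUIRED
                if req["user"] is None:
                    return "407", line          # challenge; later lines unused
                hit = True
            else:
                hit = ACLS[name](req)
            if hit == negate:
                break                           # this line does not match
        else:
            return action, line                 # first matching line decides
    return "deny", None   # not reached here: both lists end in "deny all"

def req(method, host, port, user=None, src="198.51.100.7"):
    # Assumption: a CONNECT request carries no URL scheme, so "proto HTTP"
    # does not match it (Squid 3.5 behaviour as modelled here).
    proto = None if method == "CONNECT" else "HTTP"
    return {"method": method, "proto": proto, "host": host,
            "port": port, "user": user, "src": src}

if __name__ == "__main__":
    for r in (req("GET", "yyt.etcsd.com", 80),
              req("GET", "other.example", 80, user="test"),
              req("CONNECT", "other.example", 22, user="test"),
              req("CONNECT", "other.example", 443, src="192.0.2.10")):
        print(r["method"], r["host"], r["port"], r["user"],
              "| page:", evaluate(PAGE_ORDER, r)[0],
              "| ports first:", evaluate(PORTS_FIRST, r)[0])
```

With the page's order, an authenticated user's CONNECT to port 22 is allowed by "http_access allow alloweduser" before the port checks are reached, and a client listed in authorizedip.txt that sends no credentials gets a 407 before its IP rule is considered. With the port checks first, the same CONNECT to port 22 is denied by "http_access deny !Safe_ports".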
Notes

auth_param basic program /usr/lib/squid/ncsa_auth /opt/squid/etc/passwd
# Sets the authentication scheme to basic, the path of the authentication program, and the account file the program reads
auth_param basic children 5
# Sets the number of authentication program processes to 5
auth_param basic credentialsttl 2 hours
# Sets the authentication lifetime to 2 hours; if the user still needs squid after 2 hours, the account and password must be entered again
auth_param basic realm Please input account
# Sets the realm text shown when the user logs in, similar to Apache's user authentication
auth_param basic casesensitive off
# Whether user names are case-sensitive: on means case-sensitive, off means not
acl auth_user proxy_auth REQUIRED
# Force user authentication
http_access allow auth_user
# Ordinary users must authenticate to access the internet; authenticated users are allowed.
# Wrong names or wrong relative position cause errors:
#2018/01/20 22:24:01| /application/squid/etc/squid.conf:34 unrecognized: 'authenticate_program'
#2018/01/20 22:24:01| Processing: authenticate_program realm hello
#2018/01/20 22:24:01| /application/squid/etc/squid.conf:35 unrecognized: 'authenticate_program'
#2018/01/20 22:24:01| Processing: acl alloweduser proxy_auth REQUIRED
#2018/01/20 22:24:01| Can't use proxy auth because no authentication schemes are fully configured.
#FATAL: ERROR: Invalid ACL: acl alloweduser proxy_auth REQUIRED
Create the password file

htpasswd is Apache's password generator. If Apache is not installed, install it first with yum install httpd -y.
[root@uu opt]# mkdir /opt/squid/etc -p
[root@uu opt]# cd /opt/squid/etc
[root@uu etc]# touch passwd
[root@uu etc]# htpasswd -bc /opt/squid/etc/passwd test test
Adding password for user test