linux's docs

28.5.1: squid 安装


1. 配置文件

vim /etc/squid/squid.conf
*************************************************
#####################################################
# acl <自定义 acl 名称> <要控制的 acl 类型> <设定的內容>
#####################################################

# 定义acl对象manager为cache_object协议
acl manager proto cache_object
# 定义acl对象localhost和to_localhost为本机的ip
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1

# 定义localnet为局域网地址
acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines

# 定义端口号的acl对象
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

#####################
# http_access访问控制
#####################
# cache_object协议只允许在本机访问
http_access allow manager localhost
http_access deny manager

# 拒绝链接Safe_ports之外的端口
http_access deny !Safe_ports

# 拒绝连接非SSL_ports的端口
http_access deny CONNECT !SSL_ports

# 拒绝连接本地服务器提供的服务
http_access deny to_localhost

#
# 推荐在此处增加自定义的访问控制
#

# 允许从本地连接
http_access allow localnet
http_access allow localhost

# 最后拒绝所有其他连接
http_access deny all

# 定义监听端口号
http_port 3128
# 定义缓存目录和缓存容量,100m、16个子目录、256个次级子目录
cache_dir ufs /data/cache 100 16 256
cache_mem 100 MB
# 将coredumps留在此目录中
coredump_dir /data/cache
# 定义缓存的存在时间
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320
*************************************************

2. 创建缓存目录及分配相应权限

mkdir /data/cache
chown -R squid:squid /data/cache

3. 初始化缓存目录

squid -z
2016/12/21 07:57:19| WARNING cache_mem is larger than total disk cache space!
2016/12/21 07:57:19| Creating Swap Directories
2016/12/21 07:57:19| /data/cache exists
2016/12/21 07:57:19| Making directories in /data/cache/00
2016/12/21 07:57:19| Making directories in /data/cache/01
2016/12/21 07:57:19| Making directories in /data/cache/02
2016/12/21 07:57:19| Making directories in /data/cache/03
2016/12/21 07:57:19| Making directories in /data/cache/04
2016/12/21 07:57:19| Making directories in /data/cache/05
2016/12/21 07:57:19| Making directories in /data/cache/06
2016/12/21 07:57:19| Making directories in /data/cache/07
2016/12/21 07:57:19| Making directories in /data/cache/08
2016/12/21 07:57:19| Making directories in /data/cache/09
2016/12/21 07:57:19| Making directories in /data/cache/0A
2016/12/21 07:57:19| Making directories in /data/cache/0B
2016/12/21 07:57:19| Making directories in /data/cache/0C
2016/12/21 07:57:19| Making directories in /data/cache/0D
2016/12/21 07:57:19| Making directories in /data/cache/0E
2016/12/21 07:57:19| Making directories in /data/cache/0F

4. 启动服务

service squid start
Starting squid: .                                          [  OK  ]

5. 语法相关命令

# 检查配置文件语法,若服务未启动,会提示
squid -k check

# 重新加载配置文件
squid -k rec

6. 正向代理后的HIT效果

curl -xlocalhost:3128 -I http://www.baidu.com/img/bdlogo.png
HTTP/1.0 200 OK
Date: Tue, 27 Jan 2015 13:26:43 GMT
Server: Apache
P3P: CP=" OTI DSP COR IVA OUR IND COM "
Set-Cookie: BAIDUID=F3D04DFA7E13C6FF014F5A941A69A7D6:FG=1; expires=Wed, 27-Jan-16 13:26:43 GMT; max-age=31536000; path=/; domain=.baidu.com; version=1
Last-Modified: Fri, 01 Aug 2014 11:57:57 GMT
ETag: "14d3-4ff90199dfb40"
Accept-Ranges: bytes
Content-Length: 5331
Cache-Control: max-age=315360000
Expires: Fri, 24 Jan 2025 13:26:43 GMT
Content-Type: image/png
X-Cache: MISS from web03
X-Cache-Lookup: MISS from web03:3128
Via: 1.0 web03 (squid/3.1.10)
Connection: keep-alive

curl -xlocalhost:3128 -I http://www.baidu.com/img/bdlogo.png
HTTP/1.0 200 OK
Date: Tue, 27 Jan 2015 13:26:43 GMT
Server: Apache
P3P: CP=" OTI DSP COR IVA OUR IND COM "
Last-Modified: Fri, 01 Aug 2014 11:57:57 GMT
ETag: "14d3-4ff90199dfb40"
Accept-Ranges: bytes
Content-Length: 5331
Cache-Control: max-age=315360000
Expires: Fri, 24 Jan 2025 13:26:43 GMT
Content-Type: image/png
Age: 31
X-Cache: HIT from web03
X-Cache-Lookup: HIT from web03:3128
Via: 1.0 web03 (squid/3.1.10)
Connection: keep-alive

7. 访问控制演示

# 限制域名,向配置文件中添加以下字段,推荐添加到上面标记的自定义控制区域
vi /etc/squid/squid.conf
*************************************************
acl http proto HTTP
acl good_domain dstdomain .xiao5tech.com

http_access allow http good_domain
http_access deny http !good_domain
*************************************************
squid -k check
squid -k rec

curl -xlocalhost:3128 -I www.baidu.com
HTTP/1.0 403 Forbidden
Server: squid/3.1.10
Mime-Version: 1.0
Date: Tue, 27 Jan 2015 13:40:34 GMT
Content-Type: text/html
Content-Length: 3235
X-Squid-Error: ERR_ACCESS_DENIED 0
Vary: Accept-Language
Content-Language: en
X-Cache: MISS from web03
X-Cache-Lookup: NONE from web03:3128    #因为有限制,所以不能访问
Via: 1.0 web03 (squid/3.1.10)
Connection: keep-alive

curl -xlocalhost:3128 -I blog.xiao5tech.com   #因为这里访问的符合规则,则为200
HTTP/1.0 200 OK
Server: nginx/1.4.4
Date: Tue, 27 Jan 2015 13:42:52 GMT
Last-Modified: Wed, 24 Dec 2014 01:51:11 GMT
Content-Type: text/html
Content-Length: 62201
ETag: "549a1c0f-f2f9"
Accept-Ranges: bytes
X-Cache: MISS from web03
X-Cache-Lookup: MISS from web03:3128
Via: 1.0 web03 (squid/3.1.10)
Connection: keep-alive

Contents