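Installing, configuring, logging, monitoring and stress-testing a Squid reverse proxy server on CentOS 6.4
1. CentOS 6.4 32-bit installation
Hardware: 2 CPUs, 4 GB RAM, 100 GB disk, 8 GB swap, the rest allocated to /
Choose the minimal installation and customize the services:
1. Base System: ① Java Platform ② Perl Support ③ Compatibility Libraries ④ Base ⑤ Hardware Monitoring Utilities ⑥ Legacy UNIX Compatibility ⑦ Network File System Client ⑧ Debugging Tools
2. Development: Development Tools
3. Servers: Server Platform
Server name:
IP configuration:
DNS:
Modify the system limits.conf
Edit /etc/security/limits.conf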
* soft nofile 32768
* hard nofile 65536
2. Squid installation
[[email protected] ~]# yum -y install squid
Loaded plugins: fastestmirror, security
Determining fastest mirrors
 * base: mirrors.btte.net
 * extras: mirrors.btte.net
 * updates: mirrors.btte.net
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package squid.i686 7:3.1.10-16.el6 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
===================================================================================
 Package        Arch        Version                  Repository        Size
===================================================================================
Installing:
 squid          i686        7:3.1.10-16.el6          base              1.7 M
Transaction Summary
===================================================================================
Install       1 Package(s)
Total download size: 1.7 M
Installed size: 5.7 M
Downloading Packages:
squid-3.1.10-16.el6.i686.rpm                          | 1.7 MB     00:00
warning: rpmts_HdrFromFdno: Header V3 RSA/SHA1 Signature, key ID c105b9de: NOKEY
Retrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
Importing GPG key 0xC105B9DE:
 Userid : CentOS-6 Key (CentOS 6 Official Signing Key) <[email protected]>
 Package: centos-release-6-4.el6.centos.10.i686 (@anaconda-CentOS-201303020136.i386/6.4)
 From   : /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing : 7:squid-3.1.10-16.el6.i686                                1/1
  Verifying  : 7:squid-3.1.10-16.el6.i686                                1/1
Installed:
  squid.i686 7:3.1.10-16.el6
Complete!
3. Squid configuration
[[email protected] ~]# vi /etc/squid/squid.conf
#
# Recommended minimum configuration:
#
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
#
# Recommended minimum Access Permission configuration:
#
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
# Deny requests to certain unsafe ports
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost
# And finally deny all other access to this proxy
http_access deny all
# Squid normally listens to port 3128
http_port 3128
# We recommend you to use at least the following line.
hierarchy_stoplist cgi-bin ?
# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/spool/squid 100 16 256
# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid
# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp:             1440    20%     10080
refresh_pattern ^gopher:          1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0       0%      0
refresh_pattern .
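The above is the default configuration file.
3.1 Two places need to be changed
#http_port 3128
http_port 80 vhost vport
Also comment out the first line below and add the second:
#http_access deny all
http_access allow all
3.2 Add the following at the end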
visible_hostname squidproxy
cache_dir ufs /var/spool/squid 2048 16 256
cache_mem 2048 MB
maximum_object_size_in_memory 4096 KB
maximum_object_size 4096 KB
minimum_object_size 0 KB
error_directory /usr/share/squid/errors/zh-cn
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_mgr [email protected]
cache_peer <actual IP> parent 80 0 no-query originserver no-digest name=wangzhan
cache_peer_domain wangzhan <actual domain name>
cache_peer <actual IP> parent 80 0 no-query originserver no-digest name=cactiez
cache_peer_domain cactiez <actual domain name>
cache_peer <actual IP> parent 80 0 no-query originserver no-digest name=nagios
cache_peer_domain nagios <actual domain name>
httpd_suppress_version_string on
Save and exit.
[[email protected] ~]# service squid start
init_cache_dir /var/spool/squid... 正在啟動 squid:.[確定]
[[email protected] ~]# chkconfig -level 35 squid on
-level: 未知的選項
[[email protected] ~]# chkconfig --level 35 squid on
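Added example, not part of the original post: Squid evaluates http_access rules top-down and stops at the first match, so the "http_access allow all" from section 3.1 accepts requests from any client for any destination. The script below audits a squid.conf for that rule and for cache_peer entries that have no cache_peer_domain or cache_peer_access scope. The function names, the our_sites ACL, www.example.com and 192.0.2.10 are assumptions made for the example.

```bash
# Added example: audit a reverse-proxy squid.conf (read from $1 or stdin).
# Squid checks http_access rules top-down and stops at the first match.
audit_squid_conf() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }            # skip comments and blank lines
        $1 == "cache_peer" {                      # remember every peer name
            for (i = 2; i <= NF; i++)
                if ($i ~ /^name=/) peer[substr($i, 6)] = 1
        }
        $1 == "cache_peer_domain" || $1 == "cache_peer_access" { scoped[$2] = 1 }
        $1 == "http_access" {
            if (final != "") { print "UNREACHABLE line " NR ": " $0; next }
            if (NF == 3 && $3 == "all") {         # unconditional rule ends the list
                final = $2
                if ($2 == "allow") print "OPEN line " NR ": " $0
            }
        }
        END {
            if (final == "") print "NO_DEFAULT: no unconditional http_access rule"
            for (p in peer) if (!(p in scoped)) print "UNSCOPED_PEER " p
        }' "${1:--}"
}

# Constructed sample 1: the access rules as changed in section 3.1.
weak_conf() {
    cat <<'EOF'
http_access allow manager localhost
http_access deny manager
#http_access deny all
http_access allow all
cache_peer 192.0.2.10 parent 80 0 no-query originserver no-digest name=wangzhan
cache_peer_domain wangzhan www.example.com
EOF
}

# Constructed sample 2: the same proxy, limited to the published site.
strict_conf() {
    cat <<'EOF'
acl our_sites dstdomain www.example.com
http_access allow our_sites
http_access deny all
cache_peer 192.0.2.10 parent 80 0 no-query originserver no-digest name=wangzhan
cache_peer_access wangzhan allow our_sites
EOF
}

weak_conf | audit_squid_conf      # prints: OPEN line 4: http_access allow all
strict_conf | audit_squid_conf    # prints nothing
```

On a real server, pass the file path instead: audit_squid_conf /etc/squid/squid.conf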
3.3 Open port 80 in the firewall
[[email protected] ~]# vi /etc/sysconfig/iptables
Add port 80
[[email protected] ~]# service iptables restart
iptables:清除防火牆規則:[確定]
iptables:將鏈設定為政策 ACCEPT:filter [確定]
iptables:正在解除安裝模組:[確定]
iptables:應用防火牆規則:[確定]
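3.4 Change where the domain name points
Then, on the DNS server, point the domain name at the Squid proxy server.
Check Squid's running status:
[[email protected] ~]# squidclient -p 80 mgr:info
4. Monitoring Squid with Cacti
4.1 Configure Squid
[[email protected] ~]# vi /etc/squid/squid.conf
Add the following 5 lines at the end
acl cactiserver src <actual IP of the monitoring server>
acl SNMP snmp_community squidpublic
snmp_port 3401
snmp_access allow SNMP cactiserver
snmp_access deny all
4.2 Install net-snmp
[[email protected] ~]# yum -y install net-snmp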
Loaded plugins: fastestmirror, security
Loading mirror speeds from cached hostfile
 * base: mirrors.btte.net
 * extras: mirrors.btte.net
 * updates: mirrors.btte.net
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package net-snmp.i686 1:5.5-44.el6_4.1 will be installed
--> Processing Dependency: net-snmp-libs = 1:5.5-44.el6_4.1 for package: 1:net-snmp-5.5-44.el6_4.1.i686
--> Processing Dependency: libsensors.so.4 for package: 1:net-snmp-5.5-44.el6_4.1.i686
--> Processing Dependency: libnetsnmptrapd.so.20 for package: 1:net-snmp-5.5-44.el6_4.1.i686
--> Processing Dependency: libnetsnmpmibs.so.20 for package: 1:net-snmp-5.5-44.el6_4.1.i686
--> Processing Dependency: libnetsnmphelpers.so.20 for package: 1:net-snmp-5.5-44.el6_4.1.i686
--> Processing Dependency: libnetsnmpagent.so.20 for package: 1:net-snmp-5.5-44.el6_4.1.i686
--> Processing Dependency: libnetsnmp.so.20 for package: 1:net-snmp-5.5-44.el6_4.1.i686
--> Running transaction check
---> Package lm_sensors-libs.i686 0:3.1.1-17.el6 will be installed
---> Package net-snmp-libs.i686 1:5.5-44.el6_4.1 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
=====================================================================================
 Package               Arch       Version                  Repository      Size
=====================================================================================
Installing:
 net-snmp              i686       1:5.5-44.el6_4.1         updates        302 k
Installing for dependencies:
 lm_sensors-libs       i686       3.1.1-17.el6             base            37 k
 net-snmp-libs         i686       1:5.5-44.el6_4.1         updates        1.5 M
Transaction Summary
=====================================================================================
Install       3 Package(s)
Total download size: 1.8 M
Installed size: 6.4 M
Downloading Packages:
(1/3): lm_sensors-libs-3.1.1-17.el6.i686.rpm              |  37 kB     00:00
(2/3): net-snmp-5.5-44.el6_4.1.i686.rpm                   | 302 kB     00:00
(3/3): net-snmp-libs-5.5-44.el6_4.1.i686.rpm              | 1.5 MB     00:00
-------------------------------------------------------------------------------------
Total                                           4.5 MB/s | 1.8 MB     00:00
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing : lm_sensors-libs-3.1.1-17.el6.i686                         1/3
  Installing : 1:net-snmp-libs-5.5-44.el6_4.1.i686                       2/3
  Installing : 1:net-snmp-5.5-44.el6_4.1.i686                            3/3
  Verifying  : 1:net-snmp-libs-5.5-44.el6_4.1.i686                       1/3
  Verifying  : lm_sensors-libs-3.1.1-17.el6.i686                         2/3
  Verifying  : 1:net-snmp-5.5-44.el6_4.1.i686                            3/3
Installed:
  net-snmp.i686 1:5.5-44.el6_4.1
Dependency Installed:
  lm_sensors-libs.i686 0:3.1.1-17.el6    net-snmp-libs.i686 1:5.5-44.el6_4.1
Complete!
4.3 Configure net-snmp
[[email protected] ~]# vi /etc/snmp/snmpd.conf
Add the following 2 lines
view systemview included .1.3.6.1.4.1.3495.1
proxy -v 2c -c squidpublic 0.0.0.0:3401 .1.3.6.1.4.1.3495.1
Change the following 3 places
#com2sec notConfigUser default public
com2sec notConfigUser <monitoring server IP> public
#access notConfigGroup "" any noauth exact systemview none none
access notConfigGroup "" any noauth exact all none none
Find the following line:
#view all included .1 80
Remove the "#" at the start of that line.
3. Start the service and enable it at boot
[[email protected] ~]# service snmpd start
正在啟動 snmpd:[確定]
[[email protected] ~]# chkconfig --level 35 snmpd on
4. Open UDP port 3401 in the firewall
[[email protected] ~]# vi /etc/sysconfig/iptables
-A INPUT -m udp -p udp --dport 3401 -j ACCEPT
Then restart these three services
[[email protected] ~]# service squid restart
[[email protected] ~]# service snmpd restart
[[email protected] ~]# service iptables restart
4.4 Configure Cacti
You can test from the Cacti server:
[[email protected] ~]# snmpwalk -v2c -c squidpublic <squid server IP>:3401 .1.3.6.1.4.1.3495.1
Configuration in CactiEZ:
4.5 Cacti graphs
5. Squid log management
5.1 Install webalizer
[[email protected] ~]# yum -y install webalizer
Result:
Installed:
  webalizer.i686 0:2.21_02-3.3.el6
Dependency Installed:
  apr-util-ldap.i686 0:1.3.9-3.el6_0.1    gd.i686 0:2.0.35-11.el6
  httpd.i686 0:2.2.15-26.el6.centos       httpd-tools.i686 0:2.2.15-26.el6.centos
  libXpm.i686 0:3.5.10-2.el6
Complete!
[[email protected] ~]# vi /etc/httpd/conf/httpd.conf
Listen 8080
Find <Directory "/var/www/html">
Add the following 4 lines before </Directory>.
AuthType Basic
AuthName "admin"
AuthUserFile /var/www/passwd/admin
require valid-user
[[email protected] ~]# mkdir /var/www/passwd
[[email protected] ~]# cd /var/www/passwd
[[email protected] passwd]# htpasswd -c admin administrator
New password:
Re-type new password:
Adding password for user administrator
The user name is administrator and the password is
[[email protected]]# chown apache.apache admin
[[email protected]]# service httpd restart
[[email protected] ~]# vi /etc/sysconfig/iptables
-A INPUT -m state --state NEW -m tcp -p tcp --dport 8080 -j ACCEPT
[[email protected] ~]# service iptables restart
5.2 Configure webalizer
Edit the Webalizer configuration file with vi.
[[email protected] ~]# vi /etc/webalizer.conf
Set the path of the access log.
Change the system default:
LogFile /var/log/httpd/access_log
to the following:
LogFile /var/log/squid/access.log
Set the access log format type.
Change the format type parameter:
LogType clf
to:
LogType squid
Set the report output directory.
From the default:
OutputDir /var/www/html
change it to the directory where the Squid statistics reports are stored.
5.3 Add a scheduled task
Use the crontab command to have Webalizer generate the Squid traffic statistics every hour, on the hour.
[[email protected] ~]# crontab -e
0 */1 * * * webalizer -c /etc/webalizer.conf
After saving, run: service crond restart
5.4 View the log analysis results
User name: administrator
Password:
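Added example, not part of the original post: because section 3.1 sets "http_access allow all", the same access.log that Webalizer summarizes can be checked for requests this reverse proxy should never serve, namely URLs for hosts other than the published sites and fetches that went DIRECT instead of through a configured cache_peer. The script assumes Squid's native log format; flag_requests, www.example.com and the log lines are constructed for the example.

```bash
# Added example: flag access.log entries (native format) that a reverse proxy
# publishing only its own sites should not produce. Field layout:
# time elapsed client result/status bytes method URL ident hierarchy/peer type
flag_requests() {   # $1 = space-separated published host names; log on stdin
    awk -v allowed="$1" '
        BEGIN {
            n = split(allowed, a, " ")
            for (i = 1; i <= n; i++) ok[tolower(a[i])] = 1
        }
        NF < 10 { next }                      # not a native-format line
        {
            host = tolower($7)
            sub("^[a-z_]+://", "", host)      # drop the scheme
            sub("[/?].*$", "", host)          # drop path and query string
            sub(":[0-9]+$", "", host)         # drop the port
            reason = ""
            if (!(host in ok)) reason = "foreign-host"
            else if ($9 ~ "^(HIER_)?DIRECT/") reason = "bypassed-peer"
            if (reason != "") print $3, reason, $4, $7
        }'
}

sample_log() {   # constructed log lines using documentation addresses
    cat <<'EOF'
1367984954.101     45 198.51.100.7 TCP_MISS/200 5120 GET http://www.example.com/index.html - FIRST_UP_PARENT/192.0.2.10 text/html
1367984955.230      1 198.51.100.7 TCP_MEM_HIT/200 2048 GET http://www.example.com/logo.png - NONE/- image/png
1367984956.412    310 203.0.113.9 TCP_MISS/200 9000 GET http://other.example.net/ - DIRECT/192.0.2.99 text/html
1367984957.006     88 203.0.113.9 TCP_MISS/200 700 GET http://www.example.com:80/a - DIRECT/192.0.2.10 text/html
EOF
}

sample_log | flag_requests "www.example.com"
# prints:
# 203.0.113.9 foreign-host TCP_MISS/200 http://other.example.net/
# 203.0.113.9 bypassed-peer TCP_MISS/200 http://www.example.com:80/a
```

Against the live log, run: flag_requests "<published host names>" < /var/log/squid/access.log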
6. Manually clearing the Squid cache
[[email protected] ~]# service squid stop
停止 squid:................[確定]
[[email protected] ~]# rm -rf /var/spool/squid/*
[[email protected] ~]# cd /var/spool/squid/
[[email protected]]# ls
[[email protected]]# cd /
[[email protected] /]# squid -z
2013/05/08 11:49:14| Creating Swap Directories
2013/05/08 11:49:14| /var/spool/squid exists
2013/05/08 11:49:14| Making directories in /var/spool/squid/00
2013/05/08 11:49:14| Making directories in /var/spool/squid/01
2013/05/08 11:49:14| Making directories in /var/spool/squid/02
2013/05/08 11:49:14| Making directories in /var/spool/squid/03
2013/05/08 11:49:14| Making directories in /var/spool/squid/04
2013/05/08 11:49:14| Making directories in /var/spool/squid/05
2013/05/08 11:49:14| Making directories in /var/spool/squid/06
2013/05/08 11:49:14| Making directories in /var/spool/squid/07
2013/05/08 11:49:14| Making directories in /var/spool/squid/08
2013/05/08 11:49:14| Making directories in /var/spool/squid/09
2013/05/08 11:49:14| Making directories in /var/spool/squid/0A
2013/05/08 11:49:14| Making directories in /var/spool/squid/0B
2013/05/08 11:49:14| Making directories in /var/spool/squid/0C
2013/05/08 11:49:14| Making directories in /var/spool/squid/0D
2013/05/08 11:49:14| Making directories in /var/spool/squid/0E
2013/05/08 11:49:14| Making directories in /var/spool/squid/0F
[[email protected] /]# cd /var/spool/squid
[[email protected]]# ls
00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
[[email protected]]# service squid start
正在啟動 squid:.[確定]
[[email protected]]# ls
00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F swap.state
7. Squid stress test
Download siege-3.0.0.tar.gz (the latest version as of 2013-5-8) and upload it to the /usr/local/src directory
[[email protected]]# tar zxvf siege-3.0.0.tar.gz
[[email protected]]# ls
[[email protected]]# cd siege-3.0.0
[[email protected]]# ./configure
[[email protected]]# make
[[email protected]]# make install
[[email protected] /]# find / -name siegerc
[[email protected] /]# vi /usr/local/etc/siegerc
Change:
Verbose = false
Concurrent = 50
Internet = true
Benchmark = true
[[email protected] /]# siege -c 100 -r 10 http://<site domain name>
** SIEGE 3.0.0
** Preparing 100 concurrent users for battle.
The server is now under siege..      done.
Transactions:                   1000 hits
Availability:                 100.00 %
Elapsed time:                   2.99 secs
Data transferred:               8.28 MB
Response time:                  0.29 secs
Transaction rate:             334.45 trans/sec
Throughput:                     2.77 MB/sec
Concurrency:                   96.24
Successful transactions:        1000
Failed transactions:               0
Longest transaction:            1.07
Shortest transaction:           0.13
FILE: /usr/local/var/siege.log
You can disable this annoying message by editing
the .siegerc file in your home directory; change
the directive 'show-logfile' to false.
[error] unable to create log file: No such file or directory
[[email protected] /]# siege -c 200 -r 10 http://<site domain name>
** SIEGE 3.0.0
** Preparing 200 concurrent users for battle.
The server is now under siege..      done.
Transactions:                   2000 hits
Availability:                 100.00 %
Elapsed time:                  14.88 secs
Data transferred:              16.56 MB
Response time:                  0.60 secs
Transaction rate:             134.41 trans/sec
Throughput:                     1.11 MB/sec
Concurrency:                   80.44
Successful transactions:        2000
Failed transactions:               0
Longest transaction:           10.05
Shortest transaction:           0.01
[[email protected] /]# siege -c 300 -r 10 http://<site domain name>
** SIEGE 3.0.0
** Preparing 300 concurrent users for battle.
The server is now under siege..      done.
Transactions:                   3000 hits
Availability:                 100.00 %
Elapsed time:                  14.50 secs
Data transferred:               3.33 MB
Response time:                  0.85 secs
Transaction rate:             206.90 trans/sec
Throughput:                     0.23 MB/sec
Concurrency:                  175.13
Successful transactions:           0
Failed transactions:               0
Longest transaction:           10.01
Shortest transaction:           0.00
[[email protected] /]# siege -c 500 -r 10 http://<site domain name>
[fatal] unable to allocate memory for 500 simulated browser: Resource temporarily unavailable
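7.1 siege test results
Concurrent users | 100 | 200 | 300 |
Transaction rate | 334.45 trans/sec | 134.41 trans/sec | 206.90 trans/sec |
Actual concurrency | 96.24 | 80.44 | 175.13 |
Response time | 0.29 secs | 0.60 secs | 0.85 secs |
Description of some of the Siege metrics:
Transactions: total number of completed transactions
Availability: success rate of the completed transactions
Elapsed time: total time used
Data transferred: total size of the data in the responses
Response time: shows the speed of the network connection
Transaction rate: average number of transactions completed per second
Throughput: average amount of data transferred per second
Concurrency: actual maximum number of concurrent connections
Successful transactions: number of transactions handled successfully
Failed transactions: number of transactions that failed
Longest transaction: longest time taken by a transaction
Shortest transaction: shortest time taken by a transaction
Reposted from: https://blog.51cto.com/linglilau/1207638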