Internet access through a Squid proxy
阿新 • Published: 2018-01-31
Introduction to Squid
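Squid is a high-performance caching proxy server that supports the FTP, gopher, HTTPS and HTTP protocols. Unlike typical proxy caching software, Squid handles all client requests in a single, non-modular, I/O-driven process. Squid is software for caching Internet data. It does this by accepting requests for the objects people want to download and handling those requests appropriately. In other words, a person who wants to download a web page asks Squid to fetch that page for them. Squid then connects to the remote server (for example www.baidu.com) and requests the page. Squid then explicitly delivers the data to the client machine and keeps a copy at the same time. The next time someone needs the same page, Squid can simply read it from disk, and the data reaches the client almost immediately. The current Squid can handle protocols such as HTTP, FTP, GOPHER, SSL and WAIS, but it cannot handle POP, NNTP, RealAudio or other such types.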
1. Install the Squid proxy components
yum -y install squid httpd-tools
2. Generate the password file
Create the directory that holds the password file:
mkdir /etc/squid3/
Create the user:
htpasswd -cd /etc/squid3/passwords test0001 # create user test0001
Enter the password and press Enter
Enter the password again and press Enter
3. Test the password file
/usr/lib64/squid/basic_ncsa_auth /etc/squid3/passwords
The passwords are stored in /etc/squid3/passwords. Enter the user name and password; once the helper reports OK, press Ctrl+C to exit.
![](http://i2.51cto.com/images/blog/201801/31/a6b3d739e8f8425fc350fe705cc2a9be.png?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_90,type_ZmFuZ3poZW5naGVpdGk=)
4. Configure squid.conf
vi /etc/squid/squid.conf
Append at the end:
auth_param basic program /usr/lib64/squid/basic_ncsa_auth /etc/squid3/passwords
auth_param basic realm proxy
acl authenticated proxy_auth REQUIRED
http_access allow authenticated
# Squid listening port
http_port 0.0.0.0:<port number>
# This sets the proxy port that clients connect to; the firewall must allow this port.
![](http://i2.51cto.com/images/blog/201801/31/099d675208485f63406166d89076b275.png?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_90,type_ZmFuZ3poZW5naGVpdGk=)
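5. Configure the access rules
Squid's access control is very flexible. For the details of configuring it, see the official documentation or the Chinese edition of Squid: The Definitive Guide. It works somewhat like iptables, using rules to gate traffic. The default configuration only allows users on the internal network; if you need more, you can define many additional rules.
The default configuration is as follows: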
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
# Internal address ranges allowed to connect through the proxy
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
# Define SSL_ports as 443
acl SSL_ports port 443
# Protocols allowed through
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
# Define CONNECT as the CONNECT request method in HTTP
acl CONNECT method CONNECT
#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
# Deny all other, unsafe ports
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
# Only allow cachemgr access from localhost
# Allow cache management from the local machine
http_access allow localhost manager
# Deny cache management from other addresses
http_access deny manager
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
# Allow requests from LAN users
http_access allow localnet
# Allow requests from users on the local machine
http_access allow localhost
# And finally deny all other access to this proxy
# Deny all other requests
http_access deny all
# Squid normally listens to port 3128
# Default Squid listening port
#http_port 3128
# Uncomment and adjust the following to add a disk cache directory.
# Disk cache directory
#cache_dir ufs /var/spool/squid 100 16 256
# Leave coredumps in the first cache dir
# Where Squid's last words (core dumps) go after it dies
coredump_dir /var/spool/squid
# Cache refresh rules
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
# Configure user authentication for clients connecting to the proxy
auth_param basic program /usr/lib64/squid/basic_ncsa_auth /etc/squid3/passwords
auth_param basic realm proxy
acl authenticated proxy_auth REQUIRED
http_access allow authenticated
# Configure the Squid listening port
http_port 0.0.0.0:31280
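Squid checks http_access lines from top to bottom and acts on the first one that matches, so the position of http_access allow authenticated relative to http_access deny all decides whether it is ever consulted. The added example below (not part of the original post) models that first-match evaluation for the rule order in the listing above and for the same rules with the authentication rule moved up; the ACL model, the names AS_LISTED and REORDERED, and the sample client addresses are constructed assumptions.

```python
import ipaddress

# Constructed, simplified ACL model: IPv4 localnet ranges, ports and
# proxy_auth only. A request without credentials is treated as "ACL does
# not match"; real Squid would answer with a 407 challenge at that rule.
LOCALNET = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SAFE_PORTS = {80, 21, 443, 70, 210, 280, 488, 591, 777} | set(range(1025, 65536))
ACLS = {
    "all": lambda r: True,
    "localnet": lambda r: any(ipaddress.ip_address(r["src"]) in n for n in LOCALNET),
    "localhost": lambda r: ipaddress.ip_address(r["src"]).is_loopback,
    "Safe_ports": lambda r: r["port"] in SAFE_PORTS,
    "SSL_ports": lambda r: r["port"] == 443,
    "CONNECT": lambda r: r["method"] == "CONNECT",
    "manager": lambda r: r.get("manager", False),
    "authenticated": lambda r: r.get("user") is not None,
}

# http_access lines in the order of the listing above.
AS_LISTED = [
    "http_access deny !Safe_ports",
    "http_access deny CONNECT !SSL_ports",
    "http_access allow localhost manager",
    "http_access deny manager",
    "http_access allow localnet",
    "http_access allow localhost",
    "http_access deny all",
    "http_access allow authenticated",
]
# Same lines with the authentication rule moved above the catch-all deny.
REORDERED = AS_LISTED[:6] + [AS_LISTED[7], AS_LISTED[6]]

def evaluate(rules, request):
    """Return (action, line) of the first rule whose ACLs all match."""
    for line in rules:
        action, *names = line.split()[1:]
        if all(ACLS[n.lstrip("!")](request) != n.startswith("!") for n in names):
            return action, line
    return "deny", None  # not reached: both rule sets contain "deny all"

# Constructed sample requests (203.0.113.7 is a documentation address).
LAN_ANON = {"src": "192.168.1.20", "port": 80, "method": "GET", "user": None}
WAN_USER = {"src": "203.0.113.7", "port": 443, "method": "CONNECT", "user": "test0001"}
WAN_ANON = {"src": "203.0.113.7", "port": 80, "method": "GET", "user": None}

if __name__ == "__main__":
    for name, req in (("LAN_ANON", LAN_ANON), ("WAN_USER", WAN_USER), ("WAN_ANON", WAN_ANON)):
        print(name, evaluate(AS_LISTED, req), evaluate(REORDERED, req))
```

In both orders a client inside localnet is admitted by http_access allow localnet before any credential check, so requiring credentials from those clients as well means placing the proxy_auth test ahead of that rule.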
6. Start the service
systemctl start squid
systemctl enable squid
systemctl status squid
7. Configure the proxy on the client
Proxy format: proxy = http://username:password@proxy_ip:port
Set the proxy through global environment variables:
echo 'export http_proxy="http://test0001:[email protected]:1404"' >> /etc/profile
echo 'export https_proxy="http://test0001:[email protected]:1404"' >> /etc/profile
yum proxy settings:
echo "proxy=http://test0001:[email protected]:1404" >> /etc/yum.conf
wget proxy settings:
echo "http_proxy=http://test0001:[email protected]:1404/" >> /etc/wgetrc
echo "https_proxy=http://test0001:[email protected]:1404/" >> /etc/wgetrc
echo "ftp_proxy=http://test0001:[email protected]:1404/" >> /etc/wgetrc
curl proxy settings:
echo "alias curl='curl -x http://test0001:[email protected]:1404'" >> ~/.bashrc
# Remove the default npm proxy:
npm config set proxy null
npm proxy settings:
npm config set proxy http://test0001:[email protected]:1404
npm config set https-proxy http://test0001:[email protected]:1404
git proxy settings:
git config --global http.proxy http://test0001:[email protected]:1404
git config --global https.proxy http://test0001:[email protected]:1404
The complete proxy script, putting the above together:
echo 'export http_proxy="http://test0001:[email protected]:1404"' >> /etc/profile
echo 'export https_proxy="http://test0001:[email protected]:1404"' >> /etc/profile
echo "proxy=http://test0001:[email protected]:1404" >> /etc/yum.conf
echo "http_proxy=http://test0001:[email protected]:1404/" >> /etc/wgetrc
echo "https_proxy=http://test0001:[email protected]:1404/" >> /etc/wgetrc
echo "ftp_proxy=http://test0001:[email protected]:1404/" >> /etc/wgetrc
echo "alias curl='curl -x http://test0001:[email protected]:1404'" >> ~/.bashrc
npm config set proxy null
npm config set proxy http://test0001:[email protected]:1404
npm config set https-proxy http://test0001:[email protected]:1404
git config --global http.proxy http://test0001:[email protected]:1404
git config --global https.proxy http://test0001:[email protected]:1404
source /etc/profile
8. View the Squid logs
On the proxy server:
more /var/log/squid/access.log
more /var/log/squid/cache.log
![](http://i2.51cto.com/images/blog/201801/31/218a927f4464c6b9095f6744dd22fe58.png?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_90,type_ZmFuZ3poZW5naGVpdGk=)
9. Test from the client
curl www.baidu.com
yum update