Squid Proxy Service Deployment
Building the Squid proxy server
1. Configure the IP address
2. Compile and install Squid
[root@localhost ~]# tar -zxvf squid-3.4.6.tar.gz -C /usr/src/
[root@localhost ~]# cd /usr/src/squid-3.4.6/
[root@localhost squid-3.4.6]# ./configure --prefix=/usr/local/squid --sysconfdir=/etc --enable-arp-acl --enable-linux-netfilter --enable-linux-tproxy \
--enable-async-io=100 --enable-err-language="Simplify_Chinese" --enable-underscore --enable-poll --enable-gnuregex
Meaning of the ./configure options:
--prefix=/usr/local/squid # installation directory
--sysconfdir=/etc # configuration file directory
--enable-arp-acl # enable ARP (MAC address) ACLs, used to guard against ARP attacks
--enable-linux-netfilter # enable kernel netfilter support
--enable-linux-tproxy # enable transparent proxying
--enable-async-io=100 # tune the number of asynchronous I/O threads
--enable-err-language="Simplify_Chinese" # Chinese (error message language)
--enable-underscore
--enable-poll
--enable-gnuregex
[root@localhost squid-3.4.6]# make
[root@localhost squid-3.4.6]# make install
3. Create the user and set up the paths
[root@localhost ~]# useradd -M -s /sbin/nologin squid
[root@localhost ~]# ln -s /usr/local/squid/sbin/* /usr/local/sbin/
[root@localhost ~]# chown -R squid:squid /usr/local/squid/var/
[root@localhost ~]# chmod -R 757 /usr/local/squid/var/
4. Check the syntax and start the service
[root@localhost ~]# squid -k parse
[root@localhost ~]# squid -z
[root@localhost ~]# squid
[root@localhost ~]# netstat -anpt | grep squid
[root@localhost ~]# echo "/usr/local/squid/sbin/squid" >> /etc/rc.local
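[root@localhost ~]# killall -9 squid   # stop the squid service
+++++++++++Configuring a traditional proxy+++++++++++
-----Web server------------Squid proxy-------------Client--------
     192.168.1.1           192.168.1.10            192.168.1.100
Traditional proxy: requires manual configuration (the proxy server's IP address and port are specified on the client).
1. Edit the squid.conf configuration file
[root@localhost ~]# vim /etc/squid.conf
Add: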
http_port 3128
# maximum size of a file that may be downloaded: 10 MB
reply_body_max_size 10 MB
# this line must be placed before http_access deny all
http_access allow all
2. Restart the Squid service
[root@localhost ~]# killall -9 squid
[root@localhost ~]# squid
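3. Configure the proxy on the client
In Internet Explorer, open “Tools” --- “Internet Options”, then configure the proxy under “Connections” --- “LAN settings”:
IP address: 192.168.1.10  Port: 3128
// validate the syntax and show the effective configuration items // clear the cache
// start the squid service
Linux client settings: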
[root@localhost ~]# vim /etc/profile
HTTP_PROXY=http://192.168.56.200:3128
HTTPS_PROXY=http://192.168.56.200:3128
FTP_PROXY=http://192.168.56.200:3128
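NO_PROXY=http://192.168.1.
# export the variables so that programs started from the shell see them
export HTTP_PROXY HTTPS_PROXY FTP_PROXY NO_PROXY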
4. Verification:
The client accesses the web server at http://192.168.1.1/
1) Squid proxy server:
[root@localhost ~]# tail -f /usr/local/squid/var/logs/access.log
2) Web server:
[root@localhost ~]# tail -f /etc/httpd/logs/access_log
+++++++++++Configuring a transparent proxy+++++++++++
-----Web server------------Squid proxy--------------Client------
     9.9.9.9               eth1:9.9.9.1
                           eth0:192.168.1.1
1. Configure the IP addresses
Note: set the gateway.
2. Enable IP forwarding
[root@localhost ~]# vim /etc/sysctl.conf
Change:
net.ipv4.ip_forward = 1
[root@localhost ~]# sysctl -p
2. Edit the squid.conf configuration file
[root@localhost ~]# vim /etc/squid.conf
Add:
http_port 192.168.1.1:3128 transparent
// the client accessed the web service
// the Squid server accessed the web server
3. Restart the Squid service
[root@localhost ~]# killall -9 squid
[root@localhost ~]# squid
4. Set the firewall rules
[root@localhost ~]# iptables -t nat -I PREROUTING -i eth0 -s 192.168.1.0/24 -p tcp --dport 80 -j REDIRECT --to-ports 3128
[root@localhost ~]# iptables -t nat -I PREROUTING -i eth0 -s 192.168.1.0/24 -p tcp --dport 443 -j REDIRECT --to-ports 3128
5. Verification:
The client accesses the web server at http://9.9.9.9/
1) Squid proxy server:
[root@localhost ~]# tail -f /usr/local/squid/var/logs/access.log
2) Web server:
[root@localhost ~]# tail -f /etc/httpd/logs/access_log
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-ports 3128
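iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE   # enable dynamic address translation
Comment out all the deny lines in the configuration file.
+++++++++++Configuring ACLs+++++++++++
1. Deny the access list hehe
[root@localhost ~]# vim /etc/squid.conf
Add: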
acl hehe src all
http_access deny hehe
2. Deny access to specified IP addresses and domain names
[root@localhost ~]# vi /etc/squid/ip_list
Add:
192.168.1.0/24
1.1.1.1/8
[root@localhost ~]# vi /etc/squid/dns_list
Add:
.qq.com
.msn.com
[root@localhost ~]# vi /etc/squid.conf
Add:
acl haha dst "/etc/squid/ip_list"
acl xixi dstdomain "/etc/squid/dns_list"
http_access deny haha
http_access deny xixi
[root@localhost ~]# killall -9 squid
[root@localhost ~]# squid
Client verification:
Access the sites from the client and check whether the requests succeed.
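Squid evaluates http_access rules from top to bottom and stops at the first match, which is why the note on http_access allow all and the deny rules above depend on their position in squid.conf. The shell check below is an added example, not part of the original notes; the function name check_http_access and both sample configurations are constructed for illustration.

```bash
#!/bin/bash
# Added example, not from the original notes. Squid stops at the first
# matching http_access rule, so rules after "allow all"/"deny all" never run.

# check_http_access [FILE]  (reads stdin when FILE is omitted)
# Prints every shadowed http_access rule; returns 1 if any was found.
check_http_access() {
    awk '
        { sub(/#.*/, "") }                        # strip comments
        $1 != "http_access" { next }
        catchall {                                # already decided earlier
            printf "line %d unreachable after line %d: %s\n", NR, catchall, $0
            bad = 1
            next
        }
        NF == 3 && $3 == "all" { catchall = NR }  # unconditional rule
        END { exit bad + 0 }
    ' "${1:--}"
}

# Constructed sample: this page's ACLs placed after "http_access allow all".
sample_bad() {
    cat <<'EOF'
acl haha dst "/etc/squid/ip_list"
acl xixi dstdomain "/etc/squid/dns_list"
http_access allow all
http_access deny haha
http_access deny xixi
http_access deny all
EOF
}

# Constructed sample: the same rules in an order where each one can match.
sample_good() {
    cat <<'EOF'
acl haha dst "/etc/squid/ip_list"
acl xixi dstdomain "/etc/squid/dns_list"
http_access deny haha
http_access deny xixi
http_access allow all
EOF
}

sample_bad  | check_http_access || echo "bad order: move the deny rules up"
sample_good | check_http_access && echo "good order: no shadowed rules"
```

Run it against the live file with check_http_access /etc/squid.conf before restarting Squid.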
+++++++++++Configuring the Squid log analysis system+++++++++++
[root@localhost ~]# yum -y install gd gd-devel
[root@localhost ~]# tar -zxvf sarg-2.3.7.tar.gz -C /usr/src/
[root@localhost ~]# cd /usr/src/sarg-2.3.7/
[root@localhost sarg-2.3.7]# ./configure \
--prefix=/usr/local/sarg \
--sysconfdir=/etc/sarg \
--enable-extraprotection
[root@localhost sarg-2.3.7]# make && make install
[root@localhost ~]# vim /etc/sarg/sarg.conf
Add:
access_log /usr/local/squid/var/logs/access.log
title "Squid User Access Reports"
output_dir /var/www/html/sarg
user_ip no
topuser_sort_field BYTES reverse
user_sort_field BYTES reverse
exclude_hosts /usr/local/sarg/noreport
overwrite_report no
mail_utility mail.postfix
charset UTF-8
weekdays 0-6
hours 7-12,14,16,18-20
www_document_root /var/www/html
[root@localhost ~]# service httpd restart
Client:
[root@localhost ~]# firefox http://192.168.1.1/sarg &