    Squid proxy server

    Squid is a Unix-based proxy server that supports caching many kinds of network objects, including those accessed over HTTP and FTP. By caching frequently requested web pages, media files and similar content, it speeds up response times and reduces bandwidth congestion. Squid works by tracking the objects that pass through the network. At first it acts only as an intermediary, relaying client requests to the server and storing a copy of each requested object. When the same user, or a group of users, later requests an object that is still cached in Squid, Squid can serve it immediately, speeding up the download and saving bandwidth. A Squid proxy server gives faster downloads and lower latency, especially for rich media and streaming video. Site operators frequently use Squid as a content accelerator, as a cache for frequently viewed content and to offload web servers. Content delivery networks and media companies deploy Squid proxy servers across their networks to improve the viewer experience, with marked gains in load balancing for streaming content and in handling access peaks.
    Squid can proxy the HTTP, FTP and SSL protocols.
    Effect: the proxy server fetches and caches data from the target host on behalf of client users, making access to web portals faster and more secure.

    Web proxy server operating principle

    Caches web objects (static text, pictures) to reduce repeated requests.
    1. Forward Proxy (SNAT)
    2. Reverse Proxy (DNAT)
    Provides a firewall-like function by restricting domain names (application layer).
    Forward proxy:
    1. Typical proxy: the proxy's IP and port must be set manually in the browser.
    2. Transparent proxy: the clients' gateway IP is set to the proxy server.

    Squid features

    Configuration file: /etc/squid/squid.conf
    Squid helper module directory: /usr/lib64/squid/
    Configuration options:

    http_port     squidServerIP:3128
    cache_mem     64 MB     #in-memory cache size; the note here suggests about half of RAM when the server has more than 2 GB
    cache_dir    ufs        /var/spool/squid    100        16        256
            #ufs  -->  storage type (nfs is not a valid cache_dir type)
            #100  -->  total disk space for the cache, in MB
            #16   -->  number of first-level directories
            #256  -->  number of second-level directories in each first-level directory
    visible_hostname   squidServerHostname   #placeholder; if the host has no hostname and this option is missing, the proxy server cannot start
    reply_body_max_size    10 MB     #refuse to download any reply body larger than 10 MB
    minimum_object_size    0 KB      #do not cache objects smaller than X KB; 0 means no lower limit
    maximum_object_size    4096 KB   #do not cache objects larger than X KB

    ACL access control
    1. Format:

    acl    listName listType listContent
    http_access  allow/deny  listName
    acl    listName listType "/path/to/listfile"   #quote a file path to load the list contents from a file; use this when the list is long

    Example: do not cache PHP pages

    acl php urlpath_regex -i \.php$
    cache deny php

    ACL list types:

    src: source address            #can be a single IP, a network segment or a continuous IP range
    dst: destination address
    port: destination port
    srcdomain: source domain
    dstdomain: destination domain
    time: access time, usually given as a range, example: 09:30-17:30
    maxconn: maximum number of concurrent connections from one client
    url_regex: regular expression on the destination URL, example: ^rtsp://     #matches URLs beginning with this prefix
    urlpath_regex: regular expression on the URL path, example: -i Sex adult     #-i makes the keyword match case-insensitive

    Setup the Squid server

    step1. Install Squid

    yum install -y squid

    step2. Edit the configuration file
    vim /etc/squid/squid.conf

    reply_body_max_size 10 MB
    cache_dir    ufs        /var/spool/squid    100        16        256

    Attention: the client first resolves the DNS name to an IP address and then sends its packets to the Squid server. Squid does not proxy DNS, so SNAT must be configured on the Squid server so that clients can reach a DNS server through it.

    Setup a transparent proxy

    A transparent proxy cannot handle port 443 (HTTPS).
    step1. Edit the config file
    vim /etc/squid/squid.conf

    http_port ServerIP:3128        transparent

    step2. Set the iptables rules

    iptables -t nat -A PREROUTING -i eth1 -s LAN_subnet -p tcp --dport 80 -j REDIRECT --to-port 3128
    #LAN_subnet is a placeholder for the client network (for example 192.168.1.0/24); the rule sends client port-80 sessions to Squid's port 3128

    iptables -t nat -A PREROUTING -i eth1 -s LAN_subnet -p tcp --dport 443 -j REDIRECT --to-port 3128
    #as stated above, a transparent proxy cannot handle port 443, so redirecting HTTPS to the plain http_port breaks those connections instead of proxying them
    #client DNS resolution is not proxied by Squid; it is handled with SNAT (see the attention note above)

    step3. Set the ACL rules

    acl worktime time D 9:00-17:30             #D = Monday to Friday
    acl burl urlpath_regex -i game \.mp3$
    http_access deny burl
    http_access allow localnet worktime        #both ACLs on one line must match; localnet is the client-network ACL from the default squid.conf
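    Whether a request gets through these rules is easy to misjudge: ACLs on one http_access line are AND-ed, lines are tried in order with the first match deciding, and when nothing matches the default is the opposite of the last line. The Python simulator below is an added example, not Squid code; it applies those rules, plus the src, time, urlpath_regex and proxy_auth ACL types listed earlier, to the step 3 rules, with the 192.168.1.0/24 localnet value and the timestamps constructed for the demonstration.

```python
"""Squid http_access simulator (added example, not Squid's own code); rules modelled are in the lead-in."""
import ipaddress, re
from datetime import datetime

DAYS = {"S": 6, "M": 0, "T": 1, "W": 2, "H": 3, "F": 4, "A": 5}   # Squid day letters -> weekday()

def parse_acl(line):                            # 'acl name type args...' -> (name, match_function)
    _, name, kind, *args = line.split()
    if kind == "src":
        nets = [ipaddress.ip_network(a) for a in args]
        return name, lambda r: any(ipaddress.ip_address(r["src"]) in n for n in nets)
    if kind == "time":                          # [day letters] h1:m1-h2:m2, D = weekdays
        days, span = args if len(args) == 2 else ("SMTWHFA", args[0])
        start, stop = (int(h) * 60 + int(m) for h, m in (p.split(":") for p in span.split("-")))
        wdays = ({0, 1, 2, 3, 4} if "D" in days else set()) | {DAYS[c] for c in days if c != "D"}
        return name, lambda r: r["when"].weekday() in wdays and start <= r["when"].hour * 60 + r["when"].minute <= stop
    if kind == "urlpath_regex":                 # optional -i, then one or more patterns (OR-ed)
        pats = [re.compile(p, re.I if args[0] == "-i" else 0) for p in args if p != "-i"]
        return name, lambda r: any(p.search(r["path"]) for p in pats)
    if kind == "proxy_auth":                    # REQUIRED = any authenticated user, else a user list
        return name, lambda r: r.get("user") is not None and (args == ["REQUIRED"] or r["user"] in args)
    raise ValueError(f"ACL type not modelled: {kind}")

def evaluate(conf, request):                    # -> 'allow' or 'deny' for one request dict
    acls, rules = {}, []
    for raw in conf.splitlines():
        line = raw.split("#")[0].strip()        # strip comments and blank lines
        if line.startswith("acl "):
            acls.update([parse_acl(line)])
        elif line.startswith("http_access "):
            rules.append(line.split()[1:])      # [action, acl names...]
    for action, *names in rules:                # first line whose ACLs all match decides
        if all(acls[n.lstrip("!")](request) != n.startswith("!") for n in names):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"   # no match: opposite of the last line

SAMPLE_CONF = r"""
acl localnet src 192.168.1.0/24   # constructed client network for this example
acl worktime time D 9:00-17:30
acl burl urlpath_regex -i game \.mp3$
http_access deny burl
http_access allow localnet worktime
"""
def demo():
    mon, sat = datetime(2024, 1, 8, 10, 0), datetime(2024, 1, 13, 10, 0)   # Monday / Saturday 10:00, constructed
    req = lambda src, path, when: evaluate(SAMPLE_CONF, {"src": src, "path": path, "when": when})
    return {"mp3": req("192.168.1.10", "/music/Song.MP3", mon),      # burl matches -> deny
            "work": req("192.168.1.10", "/index.html", mon),         # localnet AND worktime -> allow
            "weekend": req("192.168.1.10", "/index.html", sat),      # nothing matches -> opposite of last
            "outsider": req("10.0.0.5", "/index.html", mon)}         # not localnet -> default deny
```

    The "weekend" case shows why a rule set should end with an explicit `http_access deny all`: without it, the result outside the listed cases depends only on the action of whatever line happens to be last.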

    Squid authentication

    A transparent proxy cannot use authentication, but the classical (manually configured) proxy can.
    step1. Add the authentication module.

    /usr/lib64/squid/ncsa_auth --> authentication module

    step2. Set the authentication parameters in the main config file.
    step3. Set the authentication ACL

    acl auth_user proxy_auth REQUIRED
    http_access allow auth_user

    step4. Create the authentication account
    vim squid.conf

    auth_param basic program /usr/lib64/squid/ncsa_auth /etc/squid/auth_user.txt   #must come before any acl that uses proxy_auth; names the user list file for the ncsa_auth module
    acl auth_user proxy_auth REQUIRED
    http_access allow auth_user
    htpasswd -c /etc/squid/auth_user.txt jmilk    #shell command, not a squid.conf line: creates the user list file; htpasswd comes with the httpd package, which must be installed
    cat /etc/squid/auth_user.txt

    vim /etc/squid/squid.conf

    auth_param basic children 5                        #handle up to 5 concurrent authentications
    auth_param basic realm Squid proxy-caching web     #realm text shown in the browser's login prompt
    auth_param basic credentialsttl 2 hours            #how long a successful authentication stays valid

    step5. Set the speed limit for every IP.

    delay_pools 1   #number of delay pools
    delay_class 1 3
                #1 --> pool number
                #3 --> pool class: 1 = one aggregate bucket; 2 = aggregate plus one bucket per IP (class C); 3 = aggregate plus per class-B network plus per IP; 4 = class 3 plus per user
    delay_access 1 allow localnet      #apply the pool to the localnet ACL
    delay_parameters 1 -1/-1 -1/-1 20000/20000
                #a class-3 pool takes three bucket specs: aggregate, per class-B network, per IP
                #-1/-1  --> no limit for the aggregate and the network buckets
                #20000/20000 --> per-IP bucket: refills at 20000 bytes/s and holds at most 20000 bytes

    Setup the Reverse Proxy Server

    Web servers easily become a load bottleneck; there are two remedies:
    1. A web server cluster
    2. A reverse proxy server
    Reverse proxy server: like a caching DNS server, it relieves the web server by answering repeated requests from its cache.
    Listen on port 80
    No ACL is set; everything is allowed
    vim squid.conf

    http_port ProxyServerIP:80 vhost
    cache_peer WebServerIP parent 80 0 originserver
    http_access allow all

    Case: set up a transparent proxy

    vim squid.conf

    http_port squidServerIP:3128 transparent
    cache_dir ufs /var/spool/squid 100 16 256
    cache_mem 1024 MB

    maximum_object_size 3 MB
    reply_body_max_size 100 MB

    acl burl urlpath_regex -i Sex adult
            #-i --> case-insensitive match on the listed keywords
    http_access deny burl

    vim squid.conf

    acl auth_user proxy_auth REQUIRED     #REQUIRED accepts any authenticated user; to allow only listed users, replace it with the user names (-i makes the names case-insensitive)
    http_access allow auth_user
    htpasswd -c /etc/squid/auth_user.txt jmilk    #shell command, not a squid.conf line
    cat /etc/squid/auth_user.txt

    vim squid.conf

    auth_param basic program /usr/lib64/squid/ncsa_auth /etc/squid/auth_user.txt    #put it before any acl that uses proxy_auth
    auth_param basic children 5              #handle 5 concurrent authentications at a time
    auth_param basic realm Hellow!           #realm text shown in the login prompt
    auth_param basic credentialsttl 2 hours  #how long one user authentication stays valid


    acl worktime time D 9:00-24:00  #D = Monday to Friday; DSA = the whole week (weekdays plus Sunday and Saturday)
    acl lan src LAN_subnet          #LAN_subnet is a placeholder for the client network, for example 192.168.1.0/24
    delay_pools 1                   #one delay pool; each pool is given a number
    delay_class 1 2                 #pool 1 is class 2: an aggregate bucket plus one bucket per client IP (class C)
    delay_access 1 allow worktime lan
    delay_parameters 1 -1/-1 150000/2000000   #aggregate unlimited; each IP refills at 150000 bytes/s and holds at most 2000000 bytes
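    To see what the delay_parameters values in step 5 and in this case study actually do per client (the 20000/20000 spec throttles each IP to about 20 kB/s from the first second, while 150000/2000000 allows a 2 MB burst before settling at 150 kB/s), here is an added Python token-bucket model. It is not Squid code and it simplifies Squid's behaviour to one refill per simulated second with a bucket that starts full.

```python
"""Token-bucket model of a Squid delay pool (added example, not Squid's own code).
Each 'restore/max' spec in delay_parameters is a bucket holding at most max bytes
that refills by restore bytes every second; -1/-1 means unlimited. A client can
read only while its bucket has bytes, so it gets a burst of up to max bytes and
then settles to restore bytes per second."""

def per_client_spec(delay_parameters_line, delay_class):
    """Pick the bucket that governs a single client from a delay_parameters line.
    Class 1 has only the aggregate bucket; class 2 lists aggregate, individual;
    class 3 lists aggregate, network, individual (the last spec is per IP for class >= 2)."""
    specs = delay_parameters_line.split()[2:]          # skip 'delay_parameters' and the pool number
    return specs[-1] if delay_class >= 2 else specs[0]

def simulate(spec, demand_bps, seconds):
    """Bytes delivered per second to one client that wants demand_bps bytes every second.
    Simplified model: one refill per second and a bucket that starts full."""
    restore, maximum = (int(x) for x in spec.split("/"))
    if restore == -1:                                  # -1/-1: no limit at all
        return [demand_bps] * seconds
    bucket, delivered = maximum, []
    for _ in range(seconds):
        bucket = min(maximum, bucket + restore)        # refill, never above the bucket size
        take = min(demand_bps, bucket)                 # the client drains what is available
        bucket -= take
        delivered.append(take)
    return delivered

def demo():
    """Compare the two pools configured on this page for a client able to pull 1 MB/s."""
    class2 = per_client_spec("delay_parameters 1 -1/-1 150000/2000000", 2)    # case study above
    class3 = per_client_spec("delay_parameters 1 -1/-1 -1/-1 20000/20000", 3)  # step 5 above
    return {
        "150000/2000000": simulate(class2, 1_000_000, 10),   # 2 MB burst, then 150 kB/s
        "20000/20000": simulate(class3, 1_000_000, 3),       # about 20 kB/s from the start
    }

if __name__ == "__main__":
    for spec, per_second in demo().items():
        print(spec, per_second, "total", sum(per_second))
```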
