
Squid proxy

2022-04-23 15:20:00 C chord~

Catalog

One. Squid proxy server

1.1 Proxy types

1.2 How the proxy works

Two. Traditional proxy deployment

2.1 Architecture diagram

2.2 Squid server configuration

2.2 Web server configuration

2.3 Client configuration

2.4 Test

2.5 Watch the access log live and observe the visiting IP

Three. Transparent proxy

3.1 Squid server configuration

3.2 Test

Four. ACL access control

4.1 Modify the configuration file

4.2 Test

Five. Squid log analysis

5.1 Proxy configuration

5.2 Verification

One. Squid proxy server

  • Squid mainly provides cache acceleration and application-layer filtering control.

1.1 Proxy types

  • Traditional proxy: suited to Internet access; the address and port of the proxy server must be specified on the client.
  • Transparent proxy: the client does not need to specify the address and port of the proxy server; instead, the default route and firewall policy redirect web access to the proxy server for processing.
  • Reverse proxy: if the requested resource is cached on the Squid reverse proxy server, it is returned directly to the client; otherwise the reverse proxy server requests the resource from the back-end web server, returns the response to the client, and also caches the (static) response locally for the next requester.

1.2 How the proxy works

  • The proxy requests data from the website on behalf of the client, which hides the user's real IP address.
  • It saves the retrieved web page data (static web elements) to its cache and sends it to the client, so that the next request for the same data can be answered quickly.

Two. Traditional proxy deployment

2.1 Architecture diagram

2.2 Squid server configuration

[root@localhost ~]# yum -y install gcc gcc-c++ make
[root@localhost ~]# cd /opt  # upload the installation package here
[root@localhost opt]# tar xvf squid-3.5.28.tar.gz
[root@localhost opt]# cd squid-3.5.28/
[root@localhost squid-3.5.28]# ./configure --prefix=/usr/local/squid --sysconfdir=/etc --enable-arp-acl --enable-linux-netfilter --enable-linux-tproxy --enable-async-io=100 --enable-err-language="Simplify_Chinese" --enable-underscore --enable-poll --enable-gnuregex

[root@localhost squid-3.5.28]# make && make install
[root@localhost squid-3.5.28]# ln -s /usr/local/squid/sbin/* /usr/local/sbin      ## create links so the binaries are on the PATH
[root@localhost squid-3.5.28]# useradd -M -s /sbin/nologin squid                  ## create the program user and group
[root@localhost squid-3.5.28]# chown -R squid:squid /usr/local/squid/var/         ## change ownership of the directory
[root@localhost ~]# vim /etc/squid.conf
......
----- line 56: insert -----
http_access allow all    # placed before http_access deny all; allows any client to use the proxy service; access rules are matched from top to bottom
http_access deny all
http_port 3128           # address and port the proxy service listens on (the default port number is 3128)
----- line 61: insert -----
cache_effective_user squid     # add: the program user, the account used for initialization and for caching at runtime; without it Squid does not start
cache_effective_group squid    # add: the account's primary group
coredump_dir /usr/local/squid/var/cache/squid   # cache file directory
[root@localhost ~]# squid -k parse                   	## check the configuration file
[root@localhost ~]# squid -k reconfigure             	## reload the configuration file
[root@localhost ~]# squid -zX                           ## initialize the cache directory
[root@localhost ~]# squid                               ## start the squid service
[root@localhost ~]# netstat -anpt | grep squid          ## confirm that squid is listening
tcp6       0      0 :::3128                 :::*                    LISTEN      6699/(squid-1)    
[root@localhost ~]# vi /etc/init.d/squid
#!/bin/bash
#chkconfig: 35 90 25
#config: /etc/squid.conf
#pidfile: /usr/local/squid/var/run/squid.pid
#Description: Squid - Internet Object Cache

PID="/usr/local/squid/var/run/squid.pid"
CONF="/etc/squid.conf"
CMD="/usr/local/squid/sbin/squid"

case "$1" in
        start)
                netstat -utpln | grep squid &>/dev/null
                if [ $? -eq 0 ]
                        then
                                echo "Squid is running"
                else
                        $CMD
                fi
        ;;
        stop)
                $CMD -k kill &>/dev/null
                rm -rf $PID &>/dev/null
        ;;
        status)
                [ -f $PID ] &>/dev/null
                        if [ $? -eq 0 ]
                          then
                                netstat -utpln | grep squid
                        else
                                echo "Squid is not running"
                        fi
	;;
        restart)
                $0 stop &>/dev/null
                echo " Shutting down Squid..."
                $0 start &>/dev/null
                echo " Starting Squid..."
        ;;
        reload)
                $CMD -k reconfigure
        ;;
        check)
                $CMD -k parse
        ;;
        *)
                echo "Usage: $0 {start | stop | restart | reload | check | status}"
esac
[root@localhost ~]# chmod +x /etc/init.d/squid
[root@localhost ~]# chkconfig --add squid
[root@localhost ~]# chkconfig squid on
[root@localhost squid-3.5.28]# service squid restart   ## test that the service script works
 Shutting down Squid...
 Starting Squid...
vim /etc/squid.conf
......
http_access allow all
http_access deny all
http_port 3128
cache_effective_user squid
cache_effective_group squid

# Insert at line 63
cache_mem 64 MB
# Amount of memory used by the cache, which holds frequently accessed web objects; the size should preferably be a multiple of 4, in MB; setting it to 1/4 of physical memory is recommended
reply_body_max_size 10 MB
# Maximum file size that users are allowed to download, in bytes; when a web object larger than this is downloaded, the browser's error page shows "Request or access is too large"; the default setting of 0 means no restriction
maximum_object_size 4096 KB
# Maximum size of an object that may be saved to the cache, in KB; files over the limit are not cached and are forwarded directly to the user

service squid restart
systemctl restart squid

# Modify firewall rules
iptables -F
iptables -I INPUT -p tcp --dport 3128 -j ACCEPT

2.2 Web server configuration

systemctl stop firewalld.service
setenforce 0
yum -y install httpd
systemctl start httpd
netstat -natp | grep 80

2.3 Client configuration

Add the proxy on the client. In Google Chrome: Settings -> Advanced -> System -> Open proxy settings -> configure the proxy.

2.4 Test

From the client browser, access the web server.

2.5 Watch the access log live and observe the visiting IP

tail -f /var/log/httpd/access_log

Three. Transparent proxy

This setup builds on the traditional-mode deployment.

First, add a network card to the proxy server.

3.1 Squid server configuration

cd /etc/sysconfig/network-scripts/
cp ifcfg-ens33 ifcfg-ens36
vim ifcfg-ens36
# change the IP address of ens36 to 192.168.100.1
systemctl restart network
vim /etc/squid.conf

# Line 60: change http_port to the IP address that serves the intranet and add the transparent option, which enables transparent proxying

......
http_access allow all
http_access deny all

http_port 192.168.100.1:3128 transparent
systemctl restart squid


echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
sysctl -p

iptables -F
iptables -t nat -F
# Add firewall rules (traffic from the 100 network segment to ports 80/443 is redirected to port 3128)
# -i must name the intranet-facing interface, here ens36, the card configured above with 192.168.100.1
# Note: port 443 carries TLS, which a plain http_port cannot parse as HTTP; intercepting HTTPS in Squid needs an https_port with SslBump
iptables -t nat -I PREROUTING -i ens36 -s 192.168.100.0/24 -p tcp --dport 80 -j REDIRECT --to 3128
iptables -t nat -I PREROUTING -i ens36 -s 192.168.100.0/24 -p tcp --dport 443 -j REDIRECT --to 3128
# If the machine is restarted, the following rule needs to be configured
iptables -I INPUT -p tcp --dport 3128 -j ACCEPT

3.2 Test

On the client, turn off the proxy setting and change the Windows 10 address to one in the 100 network segment.

Then visit the web1 server.

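Four. ACL access control

4.1 Modify the configuration file

vim /etc/squid.conf
# The name used in http_access must be the name defined on the acl line.
# Place both lines above http_access allow all, because rules are matched from top to bottom.
acl host src 192.168.100.100/24
http_access deny host
systemctl restart squid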
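The top-to-bottom matching noted in 2.2 decides whether the deny rule in 4.1 ever takes effect. The following is an added example, not part of the original article: a small model of http_access evaluation that compares appending the ACL after the existing rules with placing it before http_access allow all. It assumes IPv4 src ACLs only and applies the netmask to the written address, so 192.168.100.100/24 covers the whole 192.168.100.0/24 segment; the names APPENDED, DENY_FIRST, parse, matches and decide are made up for this sketch.

```python
import ipaddress

# Constructed squid.conf fragments built from the page's directives. Only
# "acl NAME src ..." and http_access are modelled (IPv4 only): an assumption.
APPENDED = """
http_access allow all
http_access deny all
acl host src 192.168.100.100/24
http_access deny host
"""
DENY_FIRST = """
acl host src 192.168.100.100/24
http_access deny host
http_access allow all
http_access deny all
"""

def parse(conf):
    acls, rules = {"all": [ipaddress.ip_network("0.0.0.0/0")]}, []
    for raw in conf.splitlines():
        tok = raw.split("#", 1)[0].split()
        if len(tok) >= 4 and tok[0] == "acl" and tok[2] == "src":
            nets = [ipaddress.ip_network(a, strict=False) for a in tok[3:]]
            acls.setdefault(tok[1], []).extend(nets)
        elif len(tok) >= 3 and tok[0] == "http_access":
            for name in tok[2:]:
                if name.lstrip("!") not in acls:
                    raise ValueError("ACL name %r is not defined" % name)
            rules.append((tok[1], tok[2:]))
    return acls, rules

def matches(acls, name, ip):
    hit = any(ip in net for net in acls[name.lstrip("!")])
    return hit != name.startswith("!")

def decide(conf, client):
    """Return (action, rule number) of the first http_access line that matches."""
    acls, rules = parse(conf)
    ip = ipaddress.ip_address(client)
    for n, (action, names) in enumerate(rules, 1):
        if all(matches(acls, x, ip) for x in names):  # names on a line are ANDed
            return action, n
    # Nothing matched: the default is the opposite of the last line's action.
    last = rules[-1][0] if rules else "allow"
    return ("deny" if last == "allow" else "allow"), None

if __name__ == "__main__":
    for label, conf in (("appended", APPENDED), ("deny first", DENY_FIRST)):
        print(label, decide(conf, "192.168.100.100"))
```

With the ACL appended at the end, 192.168.100.100 is still allowed by rule 1; with the deny line first, every address in the segment is refused while other clients fall through to allow all.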

4.2 Test

Five. Squid log analysis

5.1 Proxy configuration

yum install -y gd gd-devel pcre-devel

mkdir /usr/local/sarg

# Upload the sarg-2.3.7.tar.gz archive to the /opt directory
cd /opt
tar zxvf sarg-2.3.7.tar.gz -C /opt/

cd /opt/sarg-2.3.7
# --sysconfdir=/etc/sarg      configuration file directory; the default is /usr/local/etc
# --enable-extraprotection    additional safety protection
./configure --prefix=/usr/local/sarg --sysconfdir=/etc/sarg --enable-extraprotection

make && make install

vim /etc/sarg/sarg.conf
-- line 7: uncomment
access_log /usr/local/squid/var/logs/access.log  # access log file to read
-- line 25: uncomment
title "Squid User Access Reports"     	# web page title
-- line 120: uncomment and modify
output_dir /var/www/html/sarg      		# report output directory
-- line 178: uncomment
user_ip no           					# display by user name
-- line 184: uncomment and modify
topuser_sort_field connect reverse     	# sort order of the top ranking: by number of connections, descending (normal gives ascending order)
-- line 190: uncomment and modify
user_sort_field connect reverse      	# per-user access records, sorted by number of connections in descending order
-- line 206: uncomment and modify
exclude_hosts /usr/local/sarg/noreport  # file listing sites that are left out of the sorted site list
-- line 257: uncomment
overwrite_report no         # whether to overwrite reports with the same name and date
-- line 289: uncomment and modify
mail_utility mailq.postfix       # command used to send the mail report
-- line 434: uncomment and modify
charset UTF-8          # character set UTF-8
-- line 518: uncomment
weekdays 0-6          # days of the week covered by the top ranking
-- line 525: uncomment
hours 0-23           # hours covered by the top ranking
-- line 633: uncomment
www_document_root /var/www/html      # web root directory
touch /usr/local/sarg/noreport

ln -s /usr/local/sarg/bin/sarg /usr/local/bin/


# Run
sarg     # generate a report once
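To show what the report is built from, here is an added example (not part of the original article and not SARG's own code) that ranks clients from Squid's native access.log by connection count in descending order, the ordering selected by topuser_sort_field connect reverse, and also counts cache hits and TCP_DENIED responses per client. The log lines are constructed sample data, and the function name top_clients is made up for this sketch.

```python
from collections import defaultdict

# Constructed sample lines in Squid's native access.log layout:
# time elapsed client code/status bytes method URL user hierarchy/peer type
SAMPLE = """\
1650698400.101    145 192.168.100.100 TCP_MISS/200 4512 GET http://192.168.29.33/ - HIER_DIRECT/192.168.29.33 text/html
1650698405.220      2 192.168.100.100 TCP_MEM_HIT/200 4512 GET http://192.168.29.33/ - HIER_NONE/- text/html
1650698410.007     98 192.168.100.100 TCP_MISS/200 10240 GET http://192.168.29.33/logo.png - HIER_DIRECT/192.168.29.33 image/png
1650698420.450    130 192.168.100.101 TCP_MISS/200 4512 GET http://192.168.29.33/ - HIER_DIRECT/192.168.29.33 text/html
1650698430.912      0 192.168.100.101 TCP_DENIED/403 3650 GET http://192.168.29.33/ - HIER_NONE/- text/html
1650698460.000     12 192.168.100.102 TCP_MISS/200
"""

def top_clients(log_text):
    """Rank clients by connection count, descending (ties broken by bytes)."""
    stats = defaultdict(lambda: {"connect": 0, "bytes": 0, "hits": 0, "denied": 0})
    for line in log_text.splitlines():
        f = line.split()
        if len(f) < 10 or not f[4].isdigit():
            continue  # skip truncated or malformed lines
        client, result, size = f[2], f[3].split("/")[0], int(f[4])
        s = stats[client]
        s["connect"] += 1
        s["bytes"] += size
        s["hits"] += "HIT" in result           # TCP_HIT, TCP_MEM_HIT, ...
        s["denied"] += result == "TCP_DENIED"  # refused by an http_access rule
    return sorted(stats.items(), key=lambda kv: (-kv[1]["connect"], -kv[1]["bytes"]))

if __name__ == "__main__":
    for client, s in top_clients(SAMPLE):
        print(client, s)
```

A client blocked by the ACL from section Four shows up here with TCP_DENIED/403 entries, which is a quick way to confirm the rule is being hit.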

5.2 Verification

On the proxy server:
yum install httpd -y
systemctl start httpd

Use a browser on the Squid server to access http://192.168.29.33/sarg and view the SARG report page.

Copyright notice
This article was written by [C chord~]. Please include the original link when reposting. Thank you.
https://yzsam.com/2022/04/202204231406063891.html