Squid proxy
2022-04-23 15:20:00 【C chord~】
1. Squid proxy server
- Squid mainly provides cache acceleration and application-layer filtering and control.
1.1 Types of proxy
- Traditional proxy: used for Internet access; the address and port of the proxy server must be specified on the client.
- Transparent proxy: the client does not need to specify the address and port of the proxy server; instead, the default route and the firewall policy redirect Web access to the proxy server for processing.
- Reverse proxy: if the requested resource is cached on the Squid reverse proxy server, it is returned directly to the client; otherwise the reverse proxy server requests the resource from the back-end Web server, returns the response to the client, and also caches the response (static content) locally for the next requester.
1.2 How the proxy works
- The proxy requests data from the website in place of the client, which hides the user's real IP address.
- The web page data it obtains (static Web elements) is saved to the cache and sent to the client, so that the next request for the same data can be answered quickly.
2. Traditional proxy deployment
2.1 Architecture diagram
2.2 Squid server configuration
[root@localhost ~]# yum -y install gcc gcc-c++ make
[root@localhost ~]# cd /opt        # Upload the installation package to this directory
[root@localhost opt]# tar xvf squid-3.5.28.tar.gz
[root@localhost opt]# cd squid-3.5.28/
[root@localhost squid-3.5.28]# ./configure --prefix=/usr/local/squid --sysconfdir=/etc --enable-arp-acl --enable-linux-netfilter --enable-linux-tproxy --enable-async-io=100 --enable-err-language="Simplify_Chinese" --enable-underscore --enable-poll --enable-gnuregex
[root@localhost squid-3.5.28]# make && make install
[root@localhost squid-3.5.28]# ln -s /usr/local/squid/sbin/* /usr/local/sbin        ## Create symlinks so the binaries are on the PATH
[root@localhost squid-3.5.28]# useradd -M -s /sbin/nologin squid        ## Create the service user and group
[root@localhost squid-3.5.28]# chown -R squid:squid /usr/local/squid/var/        ## Change the ownership of the directory
[root@localhost ~]# vi /etc/squid.conf
......
----- Line 56: insert -----
http_access allow all        # Place before http_access deny all; allows any client to use the proxy service. Access rules are matched from top to bottom
http_access deny all
http_port 3128        # Address and port the proxy service listens on (the default port is 3128)
----- Line 61: insert -----
cache_effective_user squid        # Add: the service user used for initialization and for the runtime cache; without it, startup fails
cache_effective_group squid        # Add: the primary group of that account
coredump_dir /usr/local/squid/var/cache/squid        # Specify the cache file directory
[root@localhost ~]# squid -k parse        ## Check the configuration file
[root@localhost ~]# squid -k reconfigure        ## Reload the configuration file
[root@localhost ~]# squid -zX        ## Initialize the cache directory
[root@localhost ~]# squid        ## Start the squid service
[root@localhost ~]# netstat -anpt | grep squid        ## Confirm that the squid service is listening
tcp6 0 0 :::3128 :::* LISTEN 6699/(squid-1)
[root@localhost ~]# vi /etc/init.d/squid
#!/bin/bash
# chkconfig: 35 90 25
# config: /etc/squid.conf
# pidfile: /usr/local/squid/var/run/squid.pid
# description: Squid - Internet Object Cache
PID="/usr/local/squid/var/run/squid.pid"
CONF="/etc/squid.conf"
CMD="/usr/local/squid/sbin/squid"
case "$1" in
    start)
        # Start squid only if it is not already listening
        if netstat -utpln | grep squid &>/dev/null
        then
            echo "Squid is running"
        else
            $CMD
        fi
        ;;
    stop)
        # Stop the running instance and remove the stale PID file
        $CMD -k kill &>/dev/null
        rm -f "$PID" &>/dev/null
        ;;
    status)
        # A PID file means squid was started; show its listening sockets
        if [ -f "$PID" ]
        then
            netstat -utpln | grep squid
        else
            echo "Squid is not running"
        fi
        ;;
    restart)
        $0 stop &>/dev/null
        echo "Shutting down Squid..."
        $0 start &>/dev/null
        echo "Starting Squid..."
        ;;
    reload)
        # Re-read the configuration without restarting
        $CMD -k reconfigure
        ;;
    check)
        # Syntax-check the configuration file
        $CMD -k parse
        ;;
    *)
        echo "Usage: $0 {start | stop | restart | reload | check | status}"
        ;;
esac
[root@localhost ~]# chmod +x /etc/init.d/squid
[root@localhost ~]# chkconfig --add squid
[root@localhost ~]# chkconfig squid on
[root@localhost squid-3.5.28]# service squid restart        ## Test that the script works
Shutting down Squid...
Starting Squid...
vim /etc/squid.conf
......
http_access allow all
http_access deny all
http_port 3128
cache_effective_user squid
cache_effective_group squid
# Insert at line 63
cache_mem 64 MB
# Amount of memory used by the cache, so that frequently accessed Web objects are kept in memory. The size should preferably be a multiple of 4, in MB; 1/4 of physical memory is recommended
reply_body_max_size 10 MB
# Maximum file size that users are allowed to download, in bytes. When a Web object larger than this is downloaded, the browser shows a "request or access is too large" error page. The default value 0 means no limit
maximum_object_size 4096 KB
# Maximum size of an object that may be saved to the cache, in KB. Files above this limit are not cached but forwarded directly to the user
service squid restart
systemctl restart squid
# Modify firewall rules
iptables -F
iptables -I INPUT -p tcp --dport 3128 -j ACCEPT
2.2 Web server configuration
systemctl stop firewalld.service
setenforce 0
yum -y install httpd
systemctl start httpd
netstat -natp | grep 80
2.3 Client configuration
Client configuration (add the proxy) in Google Chrome: Settings -> Advanced -> System -> Open proxy settings -> set the proxy
2.4 Test
Use the client browser to access the Web server
2.5 View the access log in real time and observe the visiting IP
tail -f /var/log/httpd/access_log
3. Transparent proxy
This setup is built on top of the traditional proxy configuration.
First, add a network interface card to the proxy server.
3.1 Squid server configuration
cd /etc/sysconfig/network-scripts/
cp ifcfg-ens33 ifcfg-ens36
vim ifcfg-ens36
# Change the IP address of ens36 to 192.168.100.1
systemctl restart network
vim /etc/squid.conf
# Line 60: modify it to add the IP address that serves the intranet, plus the transparent option for transparent proxy support
......
http_access allow all
http_access deny all
http_port 192.168.100.1:3128 transparent
systemctl restart squid
echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
sysctl -p
iptables -F
iptables -t nat -F
# Add firewall rules (redirect port 80/443 traffic whose source is the 100 network segment to port 3128)
# ens36 is the intranet interface configured above
# A plain http_port only parses HTTP; HTTPS redirected from port 443 needs an https_port with SSL-Bump to be handled
iptables -t nat -I PREROUTING -i ens36 -s 192.168.100.0/24 -p tcp --dport 80 -j REDIRECT --to 3128
iptables -t nat -I PREROUTING -i ens36 -s 192.168.100.0/24 -p tcp --dport 443 -j REDIRECT --to 3128
# After a restart, the following rule must be configured again
iptables -I INPUT -p tcp --dport 3128 -j ACCEPT
3.2 Test
On the client, turn off the proxy and change the Windows 10 address to the 100 network segment
# Access the web1 server
4. ACL access control
4.1 Modify the configuration file
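vim /etc/squid.conf
# Define the ACL, then deny it. Place these lines before http_access allow all, because access rules are matched from top to bottom
acl host src 192.168.100.100/24
http_access deny host
systemctl restart squid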
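Added example (not part of the original article): a small Python model of how Squid evaluates http_access lines from top to bottom, run on the rules from sections 2.2 and 4.1. It covers only src ACLs; the ACL name localnet, the three sample configurations and the client addresses are constructed for the illustration.

```python
import ipaddress

def parse(conf):
    """Collect 'acl NAME src ...' and 'http_access ...' lines; other directives are ignored."""
    acls = {"all": [ipaddress.ip_network("0.0.0.0/0")]}  # Squid's built-in 'all' (IPv4 only here)
    rules = []
    for line in conf.splitlines():
        tok = line.split("#", 1)[0].split()
        if len(tok) >= 4 and tok[0] == "acl" and tok[2] == "src":
            # strict=False applies the netmask, so 192.168.100.100/24 becomes 192.168.100.0/24
            acls.setdefault(tok[1], []).extend(ipaddress.ip_network(t, strict=False) for t in tok[3:])
        elif len(tok) >= 3 and tok[0] == "http_access" and tok[1] in ("allow", "deny"):
            rules.append((tok[1], tok[2:]))
    missing = {n.lstrip("!") for _, names in rules for n in names} - set(acls)
    if missing:
        raise ValueError(f"http_access uses undefined ACL(s): {sorted(missing)}")
    return acls, rules

def decide(conf, client):
    """Return (action, matching line) for a client IP; the first matching line wins."""
    acls, rules = parse(conf)
    ip = ipaddress.ip_address(client)
    for action, names in rules:
        # all ACLs on one line must match (AND); a leading '!' negates an ACL
        if all(any(ip in net for net in acls[n.lstrip("!")]) != n.startswith("!") for n in names):
            return action, f"{action} {' '.join(names)}"
    # nothing matched: Squid applies the opposite of the last line (deny if there is none)
    return ("allow" if rules and rules[-1][0] == "deny" else "deny"), "default"

# Constructed sample: the section 4.1 lines appended after the section 2.2 rules
APPENDED = """
http_access allow all
http_access deny all
acl host src 192.168.100.100/24
http_access deny host
"""
# Constructed sample: deny first, then allow only the intranet ("localnet" is an assumed name)
ORDERED_24 = """
acl host src 192.168.100.100/24
acl localnet src 192.168.100.0/24
http_access deny host
http_access allow localnet
http_access deny all
"""
ORDERED_32 = ORDERED_24.replace("192.168.100.100/24", "192.168.100.100/32")

if __name__ == "__main__":
    for ip in ("192.168.100.100", "192.168.100.50", "203.0.113.7"):
        print(ip, decide(APPENDED, ip), decide(ORDERED_24, ip), decide(ORDERED_32, ip))
```

A deny placed after http_access allow all is never reached, and a /24 mask on a host address matches the whole 192.168.100.0/24 segment; /32 limits the rule to the single host.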
4.2 test
5. Squid log analysis
5.1 Proxy configuration
yum install -y gd gd-devel pcre-devel
mkdir /usr/local/sarg
# Upload the sarg-2.3.7.tar.gz archive to the /opt directory
tar zxvf sarg-2.3.7.tar.gz -C /opt/
cd /opt/sarg-2.3.7
# --sysconfdir: configuration file directory (the default is /usr/local/etc)
# --enable-extraprotection: additional security protection
./configure --prefix=/usr/local/sarg --sysconfdir=/etc/sarg --enable-extraprotection
make && make install
vim /etc/sarg/sarg.conf
-- Line 7: uncomment --
access_log /usr/local/squid/var/logs/access.log        # Access log file to read
-- Line 25: uncomment --
title "Squid User Access Reports"        # Web page title
-- Line 120: uncomment and modify --
output_dir /var/www/html/sarg        # Report output directory
-- Line 178: uncomment --
user_ip no        # Display user names
-- Line 184: uncomment and modify --
topuser_sort_field connect reverse        # Top-user sort: by number of connections in descending order (normal gives ascending order)
-- Line 190: uncomment and modify --
user_sort_field connect reverse        # Sort user access records by number of connections in descending order
-- Line 206: uncomment and modify --
exclude_hosts /usr/local/sarg/noreport        # File listing the sites that are not included in the sorted site list
-- Line 257: uncomment --
overwrite_report no        # Whether to overwrite logs with the same name and date
-- Line 289: uncomment and modify --
mail_utility mailq.postfix        # Command used to send mail reports
-- Line 434: uncomment and modify --
charset UTF-8        # Use the UTF-8 character set
-- Line 518: uncomment --
weekdays 0-6        # Days of the week covered by the top ranking
-- Line 525: uncomment --
hours 0-23        # Hours of the day covered by the top ranking
-- Line 633: uncomment --
www_document_root /var/www/html        # Web document root
touch /usr/local/sarg/noreport
ln -s /usr/local/sarg/bin/sarg /usr/local/bin/
# Run
sarg        # Generate a report once
5.2 Verification
On the proxy server:
yum install httpd -y
systemctl start httpd
On the Squid server, use a browser to access http://192.168.29.33/sarg and view the sarg report page.
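Added example (not part of the original article, and not sarg's own code): a Python summary of the access log that ranks clients by connection count in descending order, as topuser_sort_field connect reverse does in the report, and marks clients outside the intranet segment, which can appear while http_access allow all is in effect. It assumes Squid's default native log format; the log lines are constructed.

```python
import ipaddress
from collections import Counter

# Constructed sample lines in Squid's native access.log format:
# time elapsed client result/status bytes method URL ident hierarchy/peer content-type
SAMPLE_LOG = """\
1650698400.123     45 192.168.100.100 TCP_MISS/200 5120 GET http://192.168.29.33/ - HIER_DIRECT/192.168.29.33 text/html
1650698401.456      2 192.168.100.100 TCP_MEM_HIT/200 5120 GET http://192.168.29.33/ - HIER_NONE/- text/html
1650698402.789     60 192.168.100.50 TCP_MISS/200 2048 GET http://192.168.29.33/a.png - HIER_DIRECT/192.168.29.33 image/png
1650698403.000    310 203.0.113.7 TCP_TUNNEL/200 90000 CONNECT example.org:443 - HIER_DIRECT/198.51.100.10 -
1650698404.000 truncated
"""

def summarize(log_text, intranet="192.168.100.0/24"):
    """Per-client totals, sorted by connection count in descending order."""
    net = ipaddress.ip_network(intranet)
    conns, nbytes, hits = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        f = line.split()
        if len(f) < 10:
            continue                      # skip truncated or foreign-format lines
        try:
            client, size = ipaddress.ip_address(f[2]), int(f[4])
        except ValueError:
            continue                      # client or size field is not in the expected form
        conns[client] += 1
        nbytes[client] += size
        hits[client] += "HIT" in f[3].split("/")[0]   # TCP_HIT, TCP_MEM_HIT, ...
    # most connections first; ties are ordered by numeric address
    ranked = sorted(conns, key=lambda c: (-conns[c], int(c)))
    return [{"client": str(c), "connect": conns[c], "bytes": nbytes[c],
             "cache_hits": hits[c], "outside_intranet": c not in net} for c in ranked]

if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG):
        print(row)
```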
Copyright notice
This article was created by [C chord~]. Please include the original link when reposting. Thank you.
https://yzsam.com/2022/04/202204231406063891.html