Squid传统、透明、反向代理、ACL控制、sarg日志
- Squid
-
- squid代理的作用
- squid工作流程
- squid代理类型
- Squid主要组成部分
- squid常用配置选项
- 传统代理配置
-
- 测试访问
- 透明代理
-
- 项目环境
- squid服务器配置
- web服务器配置(web2相同)
- 测试访问
- ACL访问控制
-
- squid上配置
- 测试访问
- Squid日志分析(sarg工具)
-
- squid上配置
- 反向代理
-
- squid配置
- web服务器配置(web2相同)
- 测试访问
Squid
Squid cache(简称为Squid)是一个流行的自由软件(GNU通用公共许可证)的代理服务器和Web缓存服务器。Squid有广泛的用途,从作为网页服务器的前置cache服务器缓存相关请求来提高Web服务器的速度,到为一组人共享网络资源而缓存万维网,域名系统和其他网络搜索,到通过过滤流量帮助网络安全,到局域网通过代理上网。
squid代理的作用
通过缓存的方式为用户提供Web访问加速
对用户的Web访问进行过滤控制
squid工作流程
当代理服务器中有客户端需要的数据时:
a. 客户端向代理服务器发送数据请求;
b. 代理服务器检查自己的数据缓存;
c. 代理服务器在缓存中找到了用户想要的数据,取出数据;
d. 代理服务器将从缓存中取得的数据返回给客户端。
当代理服务器中没有客户端需要的数据时:
1.客户端向代理服务器发送数据请求;
2.代理服务器检查自己的数据缓存;
3.代理服务器在缓存中没有找到用户想要的数据;
4.代理服务器向Internet 上的远端服务器发送数据请求;
5.远端服务器响应,返回相应的数据;
6.代理服务器取得远端服务器的数据,返回给客户端,并保留一份到自己的数据缓存中。
squid代理类型
传统代理
适用于Internet,需明确指定服务端
透明代理
客户机不需指定代理服务器的地址和端口,而是通过默认路由、防火墙策略将Web访问重定向给代理服务器处理
反向代理
如果Squid反向代理服务器中缓存了该请求的资源,则将该请求的资源直接返回给客户端;否则反向代l理服务器将向后台的WEB服务器请求资源,然后将请求的应答返回给客户端,同时也将该应答缓存在本地,供下一个请求者使用
Squid主要组成部分
服务名:squid
主程序:/usr/sbin/squid
配置目录:/etc/squid
主配置文件:/etc/squid/squid.conf
监听tcp端口号:3128
默认访问日志文件:/var/log/squid/access.log
squid常用配置选项
/etc/squid/squid.conf
http_port 3128 (还可以只监听一个IP http_port 192.168.0.1:3128)
cache_mem 64MB #缓存占内存大小
maximum_object_size 4096KB #最大缓存块
reply_body_max_size 1024000 allow all #限定下载文件大小
access_log /var/log/squid/access.log #访问日志存放的地方
visible_hostname proxy.test.xom #可见的主机名
cache_dir ufs /var/spool/squid 100 16 256
#ufs:缓存数据的存储格式
#/var/spool/squid 缓存目录
#100:缓存目录占磁盘空间大小(M)
#16:缓存空间一级子目录个数
#256:缓存空间二级子目录个数
cache_mgr [email protected].com #定义管理员邮箱
http_access deny all #访问控制
传统代理配置
Squid代理服务器:192.168.100.10
Web网站服务:192.168.100.20
客户机:192.168.100.30
模块定义
./configure --prefix=/usr/local/squid
–sysconfdir=/etc \ ###指定配置文件位置
–enable-arp-acl \ ###支持acl访问控制列表
–enable-linux-netfilter \ ###打开网络筛选
–enable-linux-tproxy \ ###支持透明代理
–enable-async-io=100 \ ###io优化
–enable-err-language=“Simplify_Chinese” \ ###报错显示简体中文
–enable-underscore \ ###支持下划线
–enable-poll \ ###默认使用poll模式,开启epoll模式时提升性能
–enable-gnuregex ###支持正则表达式
[[email protected] ~]# yum -y install gcc gcc-c++ make
[[email protected] ~]# tar zxf squid-3.5.23.tar.gz
[[email protected] ~]# cd squid-3.5.23/
[[email protected] squid-3.5.23]# ./configure --prefix=/usr/local/squid --sysconfdir=/etc --enable-arp-acl --enable-linux-netfilter --enable-linux-tproxy --enable-async-io=100 --enable-err-language="Simplify_Chinese" --enable-underscore --enable-poll --enable-gnuregex
[[email protected] squid-3.5.23]# make && make install
[[email protected] squid-3.5.23]# useradd -M -s /sbin/nologin squid
[root@Squid squid-3.5.23]# chown -R squid.squid /usr/local/squid/var
[root@Squid squid-3.5.23]# cd
[root@Squid squid-3.5.23]# ln -s /usr/local/squid/sbin/* /usr/local/sbin
[[email protected] ~]# vi /etc/squid.conf
添加:
cache_effective_user squid
cache_effective_group squid
[[email protected] ~]# squid -k parse ###检查配置文件语法
[[email protected] ~]# squid -z ###初始化缓存目录
[[email protected] ~]# squid ###启动服务
[[email protected] ~]# netstat -anpt | grep squid
tcp6 0 0 :::3128 :::* LISTEN 104314/(squid-1)
[[email protected] ~]# vi /etc/init.d/squid
#!/bin/bash
#chkconfig: 2345 90 25
PID="/usr/local/squid/var/run/squid.pid"
CONF="/etc/squid.conf"
CMD="/usr/local/squid/sbin/squid"
case "$1" in
start)
netstat -natp | grep squid &> /dev/null
if [ $? -eq 0 ]
then
echo "squid is running"
else
echo "正在启动 squid..."
$CMD
fi
;;
stop)
$CMD -k kill &> /dev/null
rm -rf $PID &> /dev/null
;;
status)
[ -f $PID ] &> /dev/null
if [ $? -eq 0 ]
then
netstat -natp | grep squid
else
echo "squid is not running"
fi
;;
restart)
$0 stop &> /dev/null
echo "正在关闭 squid..."
$0 start &> /dev/null
echo "正在启动 squid..."
;;
reload)
$CMD -k reconfigure
;;
check)
$CMD -k parse
;;
*)
echo "用法:$0{start|stop|status|reload|check|restart}"
;;
esac
[[email protected] ~]# chmod +x /etc/init.d/squid
[[email protected] ~]# chkconfig --add squid
[[email protected] ~]# chkconfig --level 35 squid on
[[email protected] ~]# vi /etc/squid.conf
http_access allow all
http_access deny all
http_port 3128
cache_mem 64 MB ###指定缓存功能所使用的内存空间大小,便于保持访问较频繁的WEB对象,容量最好为4的倍数,单位为MB,建议设为物理内存的1/4
reply_body_max_size 10 MB ###允许用户下载的最大文件大小,以字节为单位。默认设置0表示不进行限制
maximum_object_size 4096 KB ###允许保存到缓存空间的最大对象大小,以KB为单位,超过大小限制的文件将不被缓存,而是直接转发给用户
[[email protected] ~]# iptables -F
[[email protected] ~]# iptables -I INPUT -p tcp --dport 3128 -j ACCEPT
[[email protected] ~]# systemctl restart squid
[[email protected] ~]# systemctl stop firewalld
[[email protected] ~]# setenforce 0
在web服务器上安装http服务
[[email protected] ~]# systemctl stop firewalld
[[email protected] ~]# setenforce 0
[[email protected] ~]# yum -y install httpd
[[email protected] ~]# vi /var/www/html/index.html
<h1>123</h1>
[[email protected] ~]# systemctl start httpd
测试访问
web服务器上查看日志
透明代理
项目环境
squid服务器配置
[[email protected] ~]# systemctl stop firewalld
[[email protected] ~]# setenforce 0
[[email protected] ~]# echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
[[email protected] ~]# sysctl -p
net.ipv4.ip_forward = 1
[[email protected] ~]# vi /etc/squid.conf
http_port 192.168.100.20:3128 transparent
[[email protected] ~]# systemctl restart squid
[[email protected] ~]# iptables -F
[[email protected] ~]# iptables -t nat -F
[[email protected] ~]# iptables -t nat -I PREROUTING -i ens33 -s 192.168.100.0/24 -p tcp --dport 80 -j REDIRECT --to 3128
[[email protected] ~]# iptables -t nat -I PREROUTING -i ens33 -s 192.168.100.0/24 -p tcp --dport 443 -j REDIRECT --to 3128
[[email protected] ~]# iptables -I INPUT -p tcp --dport 3128 -j ACCEPT
web服务器配置(web2相同)
[[email protected] ~]# systemctl stop firewalld
[[email protected] ~]# setenforce 0
[[email protected] ~]# route add -net 192.168.100.0/24 gw 192.168.200.10 ###添加一条静态路由
测试访问
web上查看日志
ACL访问控制
squid上配置
[[email protected] ~]# vi /etc/squid.conf
acl client src 192.168.100.30/32
http_access deny client ###禁止访问,注意置顶
[[email protected] ~]# systemctl restart squid
测试访问
Squid日志分析(sarg工具)
squid上配置
[[email protected] ~]# yum -y install gd
[[email protected] ~]# mkdir /usr/local/sarg
[[email protected] ~]# tar zxf sarg-2.3.7.tar.gz -C /opt
[[email protected] ~]# cd /opt/sarg-2.3.7/
[[email protected] sarg-2.3.7]# ./configure --prefix=/usr/local/sarg --sysconfdir=/etc/sarg \ --enable-extraprotection
[root@Squid sarg-2.3.7]# make && make install
[[email protected] ~]# vi /etc/sarg/sarg.conf
7: access_log /usr/local/squid/var/logs/access.log //指定访问日志文件
25: title "Squid User Access Reports" //网页标题
120: output_dir /var/www/html/squid-reports //报告输出目录
178: user_ip no //使用用户名显示
206: exclude_hosts /usr/local/sarg/noreport //不计入排序的站点列表文件
184: topuser_sort_field connect reverse //top排序中有连接次数、访问字节、降序排列 升序是normal
257:overwrite_report no //同名日志是否覆盖
289/ mail_utility mailq.postfix //发送邮件报告命令
434: charset UTF-8 //使用字符集
518: weekdays 0-6 //top排行的星期周期
525: hours 0-23 //top排行的时间周期
633: www_document_root /var/www/html //网页根目录
[[email protected] ~]# touch /usr/local/sarg/noreport
[[email protected] sarg-2.3.7]# ln -s /usr/local/sarg/bin/sarg /usr/local/bin
[[email protected] sarg-2.3.7]# cd
[[email protected] ~]# sarg
SARG: Unknown sort criterion "reverse" for parameter "user_sort_field"
[[email protected] ~]# sarg
SARG: 纪录在文件: 36, reading: 100.00%
SARG: 成功的生成报告在 /var/www/html/squid-reports/2020Dec15-2020Dec15
[[email protected] ~]# yum -y install httpd
[[email protected] ~]# systemctl start httpd
**做周期性计划任务crontab使其每天生成报告**
```csharp
[[email protected] ~]# sarg -l /usr/local/squid/var/logs/access.log -o /var/www/html/squid-reports/ -z -d $(date -d "1 day ago" +%d/%m/%Y)-$(date +%d/%m/%Y)
SARG: TAG: access_log /usr/local/squid/var/logs/access.log
SARG: TAG: title "Squid User Access Reports"
SARG: TAG: output_dir /var/www/html/squid-reports
SARG: TAG: user_ip no
SARG: TAG: topuser_sort_field connect reverse
SARG: TAG: exclude_hosts /usr/local/sarg/noreport
SARG: TAG: overwrite_report no
SARG: TAG: mail_utility mailq.postfix
SARG: TAG: charset UTF-8
SARG: TAG: weekdays 0-6
SARG: TAG: hours 0-23
SARG: TAG: www_document_root /var/www/html
SARG: 纪录在文件: 36, reading: 100.00%
SARG: 期间被日志文件覆盖: 15/12/2020 - 15/12/2020
SARG: (info) date=15/12/2020
SARG: (info) period=2020 12月 14-2020 12月 15
SARG: (info) outdirname=/var/www/html/squid-reports//2020Dec14-2020Dec15
SARG: (info) Dansguardian report not produced because no dansguardian configuration file was provided
SARG: (info) No redirector logs provided to produce that kind of report
SARG: (info) No downloaded files to report
SARG: (info) Authentication failures report not produced because it is empty
SARG: (info) Redirector report not generated because it is empty
SARG: 成功的生成报告在 /var/www/html/squid-reports//2020Dec14-2020Dec15
[[email protected] ~]# crontab -e
添加:
* 3 * * * /usr/local/bin/sarg -l /usr/local/var/logs/access.log -o /var/www/html/squid-reports/ -z -d $(date -d "1 day" +%Y/%m/%d)-$(date +%Y/%m/%d)
no crontab for root - using an empty one
crontab: installing new crontab
"/tmp/crontab.1UBA5J":2: bad minute
errors in crontab file, can't install.
Do you want to retry the same edit? y
crontab: installing new crontab
"/tmp/crontab.1UBA5J":2: bad minute
errors in crontab file, can't install.
Do you want to retry the same edit? y
crontab: installing new crontab
[[email protected] ~]# date -d "-1 day" +%Y/%m/%d
2020/12/14
[[email protected] ~]# date -d "1 day" +%Y/%m/%d
2020/12/16
[[email protected] ~]# date -d "1 day ago" +%Y/%m/%d
2020/12/14
[[email protected] ~]# systemctl stop httpd
[[email protected] ~]# cd /var/www/html/squid-reports/
[[email protected] squid-reports]# ll
总用量 8
drwxr-xr-x. 3 root root 180 12月 15 23:29 2020Dec14-2020Dec15
drwxr-xr-x. 3 root root 180 12月 15 23:23 2020Dec15-2020Dec15
drwxr-xr-x. 2 root root 92 12月 15 23:23 images
-rw-r--r--. 1 root root 4682 12月 15 23:29 index.html
反向代理
在透明模式的基础上进行反向代理
因为httpd会占用80端口,所以必须关闭squid服务器中的httpd服务
squid配置
[[email protected] ~]# systemctl stop httpd
[[email protected] ~]# iptables -F
[[email protected] ~]# iptables -t nat -F
[[email protected] ~]# iptables -I INPUT -p tcp --dport 3128 -j ACCEPT
[[email protected] ~]# vi /etc/squid.conf
添加:
# Squid normally listens to port 3128
http_port 192.168.200.10:80 accel vhost vport ###squid外网口IP
cache_peer 192.168.200.20 parent 80 0 no-query originserver round-robin max_conn=30 weight=1 name=web1
cache_peer 192.168.200.60 parent 80 0 no-query originserver round-robin max_conn=30 weight=1 name=web2
cache_peer_domain web1 web2 www.yun.com
[[email protected] ~]# systemctl stop httpd
[[email protected] ~]# systemctl restart squid
[[email protected] ~]# systemctl status squid
● squid.service - (null)
Loaded: loaded (/etc/rc.d/init.d/squid; bad; vendor preset: disabled)
Active: active (running) since 二 2020-12-15 23:59:56 CST; 9s ago
Docs: man:systemd-sysv-generator(8)
Process: 15638 ExecStop=/etc/rc.d/init.d/squid stop (code=exited, status=0/SUCCESS)
Process: 15641 ExecStart=/etc/rc.d/init.d/squid start (code=exited, status=0/SUCCESS)
CGroup: /system.slice/squid.service
├─15645 /usr/local/squid/sbin/squid
├─15647 (squid-1)
└─15648 (logfile-daemon) /usr/local/squid/var/logs/access.lo...
12月 15 23:59:56 squid systemd[1]: Starting (null)...
12月 15 23:59:56 squid squid[15641]: 正在启动 squid...
12月 15 23:59:56 squid squid[15645]: Squid Parent: will start 1 kids
12月 15 23:59:56 squid squid[15645]: Squid Parent: (squid-1) process ...d
12月 15 23:59:56 squid systemd[1]: Started (null).
Hint: Some lines were ellipsized, use -l to show in full.
[[email protected] ~]# systemctl restart squid
web服务器配置(web2相同)
[[email protected] ~]# yum -y install httpd
[[email protected] ~]# echo "<h1>this is test1 web </h1>" > /var/www/html/index.html
[[email protected] ~]# systemctl start httpd
[[email protected] ~]# netstat -anpt | grep httpd
tcp6 0 0 :::80 :::* LISTEN 13675/httpd
[[email protected] ~]# route add -net 192.168.100.0/24 gw 192.168.200.10 ###添加静态路由
测试访问
[[email protected] ~]# vi /etc/hosts
末尾添加:
192.168.200.10 www.yun.com
浏览器输入 www.yun.com
刷新