Squid安装配置工作记录

130次阅读

共计 5978 个字符，预计需要花费 15 分钟才能阅读完成。

背景环境：开发人员不能上外网，但又有一些比较特殊的站点需要用到，所有用 squid 进行透明代理上网，之前想到 haproxy，后来查阅资料貌似 haproxy 只能转发不能代理上网。

搭建前提：squid 搭建透明代理上网，理论上需要两张网卡，两个 Ip, 两个 ip 在不同的网段，一个 ip 可以连接外网上网，一个 ip 连接内网。

[root@linux-virsh-106 log]# ifconfig
eth0 Link encap:Ethernet HWaddr 00:0C:29:E1:9A:69
inet addr:192.168.1.107 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fee1:9a69/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:382562 errors:0 dropped:0 overruns:0 frame:0
TX packets:65671 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:78070930 (74.4 MiB) TX bytes:5258206 (5.0 MiB)
eth1 Link encap:Ethernet HWaddr 00:0C:29:E1:9A:73
inet addr:192.168.10.26 Bcast:192.168.10.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fee1:9a73/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:320136 errors:0 dropped:0 overruns:0 frame:0
TX packets:81908 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:22754485 (21.7 MiB) TX bytes:59173280 (56.4 MiB)

这里我选用了 eth0 192.168.1.107 可以和外网联通，eth1 192.168.10.26 和内网联通

关于 ip 的配置在 /etc/sysconfig/network-scripts/ 修改 ifcfg-eth0 和 ifcfg-eth1 即可修改完重启网卡就行了。
[root@linux-virsh-106 network-scripts]# cat ifcfg-eth0
# Intel Corporation 82545EM Gigabit Ethernet Controller (Copper)
DEVICE=eth0
BOOTPROTO=static
#BROADCAST=192.168.1.255
HWADDR=00:0C:29:E1:9A:69
IPADDR=192.168.1.107
IPV6INIT=yes
IPV6_AUTOCONF=yes
NETMASK=255.255.255.0
#NETWORK=192.168.1.0
GATEWAY=192.168.1.1
ONBOOT=yes
[root@linux-virsh-106 network-scripts]# cat ifcfg-eth1
# Intel Corporation 82545EM Gigabit Ethernet Controller (Copper)
DEVICE=eth1
BOOTPROTO=static
ONBOOT=yes
#HWADDR=00:0c:29:e1:9a:73
IPADDR=192.168.10.26
NETMASK=255.255.255.0

网卡设置好了，开始设置 iptables 的参数
[root@linux-virsh-106 network-scripts]# echo “1” >> /proc/sys/net/ipv4/ip_forward
[root@linux-virsh-106 network-scripts]# service iptables start
[root@linux-virsh-106 network-scripts]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[root@linux-virsh-106 network-scripts]# iptables -F
[root@linux-virsh-106 network-scripts]# iptables -t nat -F
[root@linux-virsh-106 network-scripts]# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[root@linux-virsh-106 network-scripts]# iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -j SNAT –to-source 192.168.1.107
[root@linux-virsh-106 network-scripts]# iptables -t nat -A PREROUTING -p tcp –dport 80 -j REDIRECT –to-port 3128
[root@linux-virsh-106 network-scripts]# service iptables save
将当前规则保存到 /etc/sysconfig/iptables：[确定]
[root@linux-virsh-106 network-scripts]# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
REDIRECT tcp — anywhere anywhere tcp dpt:http redir ports 3128
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
SNAT all — 192.168.10.0/24 anywhere to:192.168.1.107
Chain OUTPUT (policy ACCEPT)
target prot opt source destination

安装 squid
[root@linux-virsh-106 network-scripts]# yum install squid

配置 squid

[root@linux-virsh-106 network-scripts]# cd /etc/squid/
[root@linux-virsh-106 squid]# ls
cachemgr.conf errors icons mib.txt mime.conf mime.conf.default msntauth.conf msntauth.conf.default squid.conf squid.conf.bak20140120 squid.conf.bak2014012002 squid.conf.default

提取出配置文件中有用的信息
[root@linux-virsh-106 squid]# grep -v “^#” squid.conf.bak20140120 |grep -v “^$” >> squid.conf

启动 squid
[root@linux-virsh-106 squid]# service squid start
启动 squid：. [确定]

[root@linux-virsh-106 squid]# netstat -ntl
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 127.0.0.1:2208 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:1004 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:3128 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:2207 0.0.0.0:* LISTEN
tcp 0 0 :::22 :::* LISTEN

基本工作已经完成，现在根据自己的需求配置 squid
[root@linux-virsh-106 squid]# cat squid.conf
acl lan src 192.168.10.0/24 #这个是内网 ip 要连接的地址
acl all src 0.0.0.0/0.0.0.0
# 自己添加的可以允许访问的 url
acl url1 url_regex -i qq.com
acl url2 url_regex -i pengyou.com
acl url3 url_regex -i baidu.com
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access allow url1
http_access allow url2
http_access allow url3
http_access deny all
icp_access allow all
# 在端口的后面要加上 transparent，否则无法转发
http_port 3128 transparent
#visible_hostname 也是要自己添加上去
visible_hostname 192.168.10.26
hierarchy_stoplist cgi-bin ?
access_log /var/log/squid/access.log squid
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
coredump_dir /var/spool/squid