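I recently pulled Squid out for testing again. Version 3 adds transparent proxy functionality. So far I have only tested bridge mode; the parallel mode I actually want still seems to need WCCP, but the WCCP library does not appear to have been updated in a long time, and there is very little material on Taiwanese forums. Has everyone stopped using proxy services?!! QQ
-------------I---am---a---divider-------------
Back to the topic. Below is the installation and testing process. It has flaws, and the host is currently waiting to be racked for testing and has been powered off, so a lot is missing; I will fill it in once the machine is back on. The basic functionality is already working, though.
Environment:
OS: Debian Linux 5 kernel-2.6.30-2
gcc: 4.3.2
squid: 3.1.5
library: tproxy4.1 (not downloaded and tested yet~~), netfilter
utilities: modconf (module configuration, used on Debian), iptables
Steps: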
- bridge mode
  - compile squid
  - config squid
  - config firewall rules
- parallel mode
  - compile squid
  - config squid
- compile squid
  - tar zxvf squid-version.tar.gz
  - cd /path/to/squid-version
  - ./configure --prefix=/path/you/want --with-large-files --with-openssl=/usr --with-dl --with-aufs-threads=128 --with-gnu-ld --enable-gnuregex --enable-stacktraces --enable-linux-netfilter --enable-ipfw-transparent --enable-arp-acl --enable-disk-io=AIO,Blocking,DiskDaemon,DiskThreads --enable-storeio=aufs,ufs,diskd --enable-esi --enable-async-io=128
    - --enable-wccp: the wccp library has to be installed first; as I recall, a plain make;make install takes care of it.
    - --enable-linux-netfilter, --enable-ipfw-transparent: only used for bridge mode; netfilter, ip-filter and ipfw are the available choices.
    - --enable-disk-io=AIO,Blocking,DiskDaemon,DiskThreads
    - --enable-storeio=aufs,ufs,diskd
    - --enable-async-io=128
    - --enable-esi
  - make;make install
- config squid
#
# Define squid user and group ID
#
cache_effective_user squid
cache_effective_group squid
#
# Define logs
#
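logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt
logformat squidmime %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt [%>h] [%<h]
logformat common %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st %Ss:%Sh
logformat combined %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh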
access_log /log/path/access.log squid
cache_log /log/path/cache.log
pid_filename /log/path/squid.pid
#
# Squid normally listens to port 3128
#
http_port 3128
http_port 3129 tproxy
#http_port 3128
#
# Define Transparent Proxy
#
visible_hostname OMSProxy.fcu.edu.tw
#always_direct allow all
#http_reply_access allow all
#icp_access allow all
#hierarchy_stoplist cgi-bin ?
#acl QUERY urlpath_regex cgi-bin \?
#acl apache rep_header Server ^Apache
#cache deny QUERY
#
# Recommended minimum configuration:
#
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl localhost src ::1/128
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
acl to_localhost dst ::1/128
acl allow_access src 140.134.21.0/24
acl allow_dist dst all
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
#
# Recommended minimum Access Permission configuration:
#
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
# Deny requests to certain unsafe ports
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost
http_access allow allow_access
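# allow_dist is "dst all": this rule admits any client, whatever its source
# address, so the "deny all" below is never reached
http_access allow allow_dist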
# And finally deny all other access to this proxy
http_access deny all
# We recommend you to use at least the following line.
hierarchy_stoplist cgi-bin ?
# Uncomment and adjust the following to add a disk cache directory.
cache_dir aufs /cache0 8000 64 256
cache_dir aufs /cache1 8000 64 256
cache_dir aufs /cache2 8000 64 256
cache_dir aufs /cache3 8000 64 256
# Leave coredumps in the first cache dir
coredump_dir /cache0
# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
- config firewall rules
- start squid service
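The post leaves the firewall step empty. As an added example (not the author's rules), these are the netfilter and ebtables commands commonly used with a tproxy listener such as the `http_port 3129 tproxy` line above; the interface names, mark and routing-table number are assumptions.

```sh
#!/bin/sh
# Added example (not from the post): interception rules for "http_port 3129 tproxy".
# Assumed values: bridge ports eth0 (clients) and eth1 (uplink), fwmark 1, table 100.
TPROXY_PORT=3129 MARK=1 TABLE=100 CLIENT_IF=eth0 INET_IF=eth1

# True if the given squid.conf opens TPROXY_PORT with the tproxy flag; the
# TPROXY target below must point at such a listener, not at a plain http_port.
has_tproxy_listener() {
  awk -v p="$TPROXY_PORT" '
    $1 == "http_port" && $2 ~ ("(^|:)" p "$") {
      for (i = 3; i <= NF; i++) if ($i == "tproxy") found = 1
    }
    END { exit !found }' "$1"
}

# netfilter + policy routing: packets of sockets Squid already owns are marked
# and accepted; new port-80 connections are handed to Squid via TPROXY.
tproxy_rules() {
  cat <<EOF
iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark $MARK
iptables -t mangle -A DIVERT -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x$MARK/0x$MARK --on-port $TPROXY_PORT
ip rule add fwmark $MARK lookup $TABLE
ip route add local 0.0.0.0/0 dev lo table $TABLE
EOF
}

# Bridge mode only: pull HTTP frames off the bridge so they get routed
# (and therefore reach the mangle rules above) instead of being bridged.
bridge_rules() {
  cat <<EOF
ebtables -t broute -A BROUTING -i $CLIENT_IF -p ipv4 --ip-proto tcp --ip-dport 80 -j redirect --redirect-target DROP
ebtables -t broute -A BROUTING -i $INET_IF -p ipv4 --ip-proto tcp --ip-sport 80 -j redirect --redirect-target DROP
EOF
}

# Print for review by default; "sh tproxy.sh apply /path/to/squid.conf" runs them.
if [ "${1:-}" = apply ]; then
  has_tproxy_listener "$2" || { echo "no tproxy listener on $TPROXY_PORT" >&2; exit 1; }
  { tproxy_rules; bridge_rules; } | sh -ex
else
  tproxy_rules; bridge_rules
fi
```

Kernel settings such as ip_forward and rp_filter also affect whether diverted packets are accepted; they are not set here.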
===============still===a===divider===============
startup squid scripts
For Debian: two ways. (1) Put it in rc.local. (2) Write a script in init.d.
- vi /etc/rc.local
Add one line: /bin/sh /path/to/squid/bin/RunCache &
- vi /etc/init.d/squid
#! /bin/sh -e
### BEGIN INIT INFO
# Provides: squid
# Required-Start: $network $remote_fs $syslog
# Required-Stop: $network $remote_fs $syslog
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: HTTP Proxy startup script
# Description: HTTP Proxy startup (http://www.squid-cache.org)
### END INIT INFO
set -e
. /lib/lsb/init-functions
export PATH=/sbin:/usr/sbin:/bin:/usr/bin
test -x /path/to/squid/sbin/squid || exit 0
test -x /path/to/squid/bin/RunCache || exit 0
# RunCache keeps restarting squid in a loop and does not return, so run it in the background
/bin/sh /path/to/squid/bin/RunCache &
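
The http_access section of the squid.conf above can be checked mechanically before the proxy is started at boot. The following is an added example, not part of the original post: it reports the first rule that matches every request, treating a src/dst ACL that lists `all`, `0.0.0.0/0` or `::/0` as match-anything (a simplification; a dst ACL also needs the destination host to resolve). The function names are hypothetical and the sample input is an excerpt constructed from the configuration above.

```sh
#!/bin/sh
# Added example (not from the post): report the first http_access rule that
# matches every request. Reads squid.conf on stdin; exit status 1 if it is an allow.
lint_http_access() {
  awk '
    { sub(/#.*/, "") }                        # strip comments
    $1 == "acl" && ($3 == "src" || $3 == "dst") {
      # an address ACL that lists all, 0.0.0.0/0 or ::/0 matches any address
      for (i = 4; i <= NF; i++)
        if ($i == "all" || $i == "0.0.0.0/0" || $i == "::/0") any[$2] = 1
    }
    $1 == "http_access" {
      if (hit) { shadowed++; next }           # rules after a catch-all never run
      uncond = (NF >= 3)                      # ACLs on one line are ANDed
      for (i = 3; i <= NF; i++)
        if ($i != "all" && !($i in any)) uncond = 0
      if (uncond) { hit = NR; rule = $0; action = $2 }
    }
    END {
      if (action == "allow") {
        printf "OPEN line %d: %s (%d later rule(s) never reached)\n", hit, rule, shadowed
        exit 1
      }
      if (action == "deny") printf "OK line %d: %s\n", hit, rule
      else print "WARN no catch-all http_access rule found"
    }'
}

# Constructed input: the src/dst ACLs and http_access lines of the squid.conf above.
sample_conf() {
  cat <<'EOF'
acl allow_access src 140.134.21.0/24
acl allow_dist dst all
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access allow localhost
http_access allow allow_access
http_access allow allow_dist
http_access deny all
EOF
}

sample_conf | lint_http_access || true
```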