I. Getting to know the Squid proxy server
What is Squid?
Squid is a proxy server. It speeds up users' web access by serving content from a cache and lets you filter and control that access. It can act as a caching proxy for HTTP and FTP as well as for DNS lookups, SSL and other applications, and it is very capable.
What a Squid proxy does: cache acceleration, hiding client IP addresses, application-layer filtering with ACLs.
Main components of Squid (defaults):
Service name: squid
Main program: /usr/sbin/squid
Main configuration file: /etc/squid/squid.conf
Listening TCP port: 3128
Default access log: /var/log/squid/access.log
Differences and characteristics of traditional, reverse and transparent proxies:
Traditional (forward) proxy:
1. Reaches the destination through another host, giving a more efficient access path.
2. Acts as a buffer (cache), improving network efficiency.
3. Hides the internal clients from the outside.
Reverse proxy:
1. Protects the internal network; the reverse proxy is usually the address exposed to the public Internet.
2. Load balancing: the reverse proxy distributes load across the site's back ends.
Transparent proxy:
1. Clients do not need to know the proxy exists at all; mostly used together with NAT forwarding.
2. Traffic is forwarded to its destination through the proxy without any client-side proxy settings; mostly used on gateway/firewall servers.
Note: lab environment:
Three virtual machines. Add a second NIC to the Squid server, of the same NIC type as the first; turn off the firewall and SELinux.
1. Initial configuration of the Squid server
Important: remember to add the second NIC to the VM. After logging in, run ifconfig to find the name of the second NIC (ens36 or ens37); when you copy the NIC config file, use the name you actually saw, because it differs between systems.
Note: with multiple NICs, delete the UUID=047db67f-6d8c-4894-9ad1-affe5cb13ba6 line!!!
[root@localhost ~]# systemctl stop firewalld
[root@localhost ~]# setenforce 0
[root@localhost ~]# vim /etc/sysconfig/network-scripts/ifcfg-ens33
TYPE=Ethernet
BOOTPROTO=static
DEFROUTE=yes
PEERDNS=yes
PEERROUTES=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_PEERDNS=yes
IPV6_PEERROUTES=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
NAME=ens33
DEVICE=ens33
ONBOOT=yes
IPADDR=192.168.1.1
[root@localhost ~]# cd /etc/sysconfig/network-scripts/
[root@localhost network-scripts]# cp -f ifcfg-ens33 ifcfg-ens36
[root@localhost network-scripts]# vim ifcfg-ens36
TYPE=Ethernet
BOOTPROTO=static
DEFROUTE=yes
PEERDNS=yes
PEERROUTES=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_PEERDNS=yes
IPV6_PEERROUTES=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
NAME=ens36
DEVICE=ens36
ONBOOT=yes
IPADDR=192.168.2.1
[root@localhost network-scripts]# systemctl restart network
[root@localhost network-scripts]# ifconfig
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.1  netmask 255.255.255.0  broadcast 192.168.1.255
        inet6 fe80::6cbe:29cb:63d:b7c5  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:f1:3c:af  txqueuelen 1000  (Ethernet)
        RX packets 337  bytes 35070 (34.2 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 30  bytes 4097 (4.0 KiB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0
ens36: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.2.1  netmask 255.255.255.0  broadcast 192.168.2.255
        inet6 fe80::9020:f047:8271:982e  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:f1:3c:b9  txqueuelen 1000  (Ethernet)
        RX packets 214  bytes 15323 (14.9 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 149  bytes 25012 (24.4 KiB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0
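The copy-and-edit of ifcfg-ens33 above is where the UUID mistake from the note creeps in. The following shell function is an added example, not part of the original post: it clones an ifcfg file the way step 1 does by hand, but drops the UUID (and HWADDR) line automatically and rewrites NAME, DEVICE and IPADDR. The file names, the interface name ens36 and the sample ifcfg content are constructed for the demonstration.

```shell
# Added example (not from the original post): clone an ifcfg file for a
# second NIC, stripping the per-card identity lines and setting the new name
# and address.  Usage: clone_ifcfg <src_file> <dst_file> <new_device> <new_ip>
clone_ifcfg() {
    src=$1; dst=$2; dev=$3; ip=$4
    [ -r "$src" ] || { echo "cannot read $src" >&2; return 1; }
    # UUID= and HWADDR= identify one physical card; copying them makes
    # NetworkManager bind the new file to the old card, so drop them.
    grep -v -E '^(UUID|HWADDR)=' "$src" \
      | sed -e "s/^NAME=.*/NAME=$dev/" \
            -e "s/^DEVICE=.*/DEVICE=$dev/" \
            -e "s/^IPADDR=.*/IPADDR=$ip/" > "$dst"
}

# Sanity check on a produced file: succeeds only when it names the expected
# device and address and carries no UUID line.
check_ifcfg() {
    f=$1; dev=$2; ip=$3
    grep -q "^DEVICE=$dev\$" "$f" || return 1
    grep -q "^NAME=$dev\$" "$f" || return 1
    grep -q "^IPADDR=$ip\$" "$f" || return 1
    ! grep -q '^UUID=' "$f"
}

# Constructed sample standing in for /etc/sysconfig/network-scripts/ifcfg-ens33
# (shortened; the UUID value is a placeholder, not a real one).
TMPD=$(mktemp -d)
cat > "$TMPD/ifcfg-ens33" <<'EOF'
TYPE=Ethernet
BOOTPROTO=static
NAME=ens33
UUID=00000000-0000-0000-0000-000000000000
DEVICE=ens33
ONBOOT=yes
IPADDR=192.168.1.1
EOF

clone_ifcfg "$TMPD/ifcfg-ens33" "$TMPD/ifcfg-ens36" ens36 192.168.2.1
cat "$TMPD/ifcfg-ens36"
check_ifcfg "$TMPD/ifcfg-ens36" ens36 192.168.2.1 && echo "ifcfg-ens36 looks good"
```

On a real box you would run it as `clone_ifcfg ifcfg-ens33 ifcfg-ens36 ens36 192.168.2.1` inside /etc/sysconfig/network-scripts/, substituting ens37 if that is what ifconfig showed, and then `systemctl restart network` as in the step above.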
2. Initial configuration of the client
[root@localhost ~]# systemctl stop firewalld
[root@localhost ~]# setenforce 0
[root@localhost ~]# vim /etc/sysconfig/network-scripts/ifcfg-ens33
TYPE=Ethernet
BOOTPROTO=static
DEFROUTE=yes
PEERDNS=yes
PEERROUTES=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_PEERDNS=yes
IPV6_PEERROUTES=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
NAME=ens33
UUID=a7543d64-2e33-4269-b873-df6c9a2463ef
DEVICE=ens33
ONBOOT=yes
IPADDR=192.168.1.2
GATEWAY=192.168.1.1
[root@localhost ~]# systemctl restart network
[root@localhost ~]# ifconfig
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.2  netmask 255.255.255.0  broadcast 192.168.1.255
        inet6 fe80::df43:cabd:bd1f:b519  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:33:1e:a0  txqueuelen 1000  (Ethernet)
        RX packets 269  bytes 29062 (28.3 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 30  bytes 3910 (3.8 KiB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0
3. Initial configuration of the web server
[root@localhost ~]# systemctl stop firewalld
[root@localhost ~]# setenforce 0
[root@localhost ~]# vim /etc/sysconfig/network-scripts/ifcfg-ens33
TYPE=Ethernet
BOOTPROTO=static
DEFROUTE=yes
PEERDNS=yes
PEERROUTES=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_PEERDNS=yes
IPV6_PEERROUTES=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
NAME=ens33
UUID=047db67f-6d8c-4894-9ad1-affe5cb13ba6
DEVICE=ens33
ONBOOT=yes
IPADDR=192.168.2.2
GATEWAY=192.168.2.1
[root@localhost ~]# systemctl restart network
Set up a local yum repository and install httpd:
[root@localhost ~]# rm -f /etc/yum.repos.d/*
[root@localhost ~]# vim /etc/yum.repos.d/local.repo
[local]
name=local
baseurl=file:///mnt
gpgcheck=0
[root@localhost ~]# yum -y install httpd
[root@localhost ~]# echo "www.baidu.com" > /var/www/html/index.html
[root@localhost ~]# systemctl start httpd
Initial configuration complete.
II. Building a traditional (forward) proxy server
1. Install the Squid service (the commands can be copied as they are)
Note: the VM needs the ISO with the packaged source mounted (download from the official site: squid : Optimising Web Delivery).
tar zxf /mnt/squid-3.5.23.tar.gz -C /usr/src/
cd /usr/src/squid-3.5.23/
./configure --prefix=/usr/local/squid --sysconfdir=/etc --enable-linux-netfilter \
    --enable-async-io=240 --enable-default-err-language=Simplify_Chinese \
    --disable-poll --enable-epoll --enable-gnuregex && make && make install
2. Create the squid user and tidy up paths
ln -s /usr/local/squid/sbin/* /usr/local/sbin/
useradd -M -s /sbin/nologin squid
chmod -R 777 /usr/local/squid/var/     # chmod, not chown: the chown below to the squid user is what Squid actually needs; world-writable is not required
chown -R squid:squid /usr/local/squid/var/
3. Edit the configuration file
vim /etc/squid.conf
http_port 3128
cache_effective_user squid          # add by hand
cache_effective_group squid         # add by hand
cache_dir ufs /usr/local/squid/var/cache/squid 100 16 256    # uncomment (remove the leading #)
squid -k parse      # check the configuration file for errors
4. Initialise the cache directory and start the service
squid -z
squid
netstat -anpt | grep 'squid'
Extras:
squid -k reconfigure    # reload the Squid configuration
killall -9 squid        # stop the service
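`squid -k parse` only reports syntax errors; it will happily accept a configuration that runs Squid as root or that answers every client on the Internet. The function below is an added example, not part of the original post or of Squid: it checks a squid.conf for the three edits from step 3 and for the one ACL property that matters once port 3128 is reachable, namely that the last http_access rule is `deny all` so the box is not an open proxy. The two sample configuration files are constructed for the demonstration and only contain the directives the check looks at.

```shell
# Added example (not from the original post): pre-flight check of squid.conf.
# Prints one line per finding; returns the number of findings (0 = clean).
# Usage: audit_squid_conf <path/to/squid.conf>
audit_squid_conf() {
    f=$1
    n=0
    # Work on a view with comments and blank lines removed, so a directive
    # that is still commented out (like the default cache_dir) counts as absent.
    conf=$(sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$f")
    printf '%s\n' "$conf" | grep -q '^http_port[[:space:]]' \
        || { echo "missing: http_port"; n=$((n+1)); }
    printf '%s\n' "$conf" | grep -q '^cache_effective_user[[:space:]][[:space:]]*squid' \
        || { echo "missing: cache_effective_user squid (Squid would keep running as root)"; n=$((n+1)); }
    printf '%s\n' "$conf" | grep -q '^cache_effective_group[[:space:]][[:space:]]*squid' \
        || { echo "missing: cache_effective_group squid"; n=$((n+1)); }
    printf '%s\n' "$conf" | grep -q '^cache_dir[[:space:]]' \
        || { echo "missing: cache_dir (still commented out?)"; n=$((n+1)); }
    # http_access rules are evaluated top to bottom, first match wins; the
    # final rule decides what happens to everyone not matched above it.
    last=$(printf '%s\n' "$conf" | grep '^http_access[[:space:]]' | tail -n 1 \
           | tr -s '[:blank:]' ' ' | sed 's/[[:blank:]]*$//')
    case "$last" in
        "http_access deny all") ;;
        *) echo "open proxy risk: last http_access rule is '${last:-none}', expected 'http_access deny all'"
           n=$((n+1)) ;;
    esac
    return $n
}

# Constructed samples (not the lab's real /etc/squid.conf).
TMPD=$(mktemp -d)
cat > "$TMPD/good.conf" <<'EOF'
http_port 3128
cache_effective_user squid
cache_effective_group squid
cache_dir ufs /usr/local/squid/var/cache/squid 100 16 256
acl localnet src 192.168.1.0/24
http_access allow localnet
http_access deny all
EOF
cat > "$TMPD/bad.conf" <<'EOF'
http_port 3128
cache_effective_user squid
cache_effective_group squid
#cache_dir ufs /usr/local/squid/var/cache/squid 100 16 256
acl localnet src 192.168.0.0/16
http_access allow localnet
http_access allow all
EOF

audit_squid_conf "$TMPD/good.conf" && echo "good.conf: clean"
audit_squid_conf "$TMPD/bad.conf" || echo "bad.conf: $? finding(s)"
```

Run it against /etc/squid.conf right before `squid -k parse`; a non-zero return is a reason not to start the daemon yet.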
Verification:
On the client:
Note: open Firefox → Preferences → Advanced → Network → Settings → Manual proxy configuration.
Test succeeded:
III. Building a transparent proxy server
1. Edit /etc/squid.conf and append transparent to the http_port line
[root@localhost ~]# vim /etc/squid.conf
http_port 192.168.1.1:3128 transparent
2. Reload the configuration
[root@localhost ~]# squid -k reconfigure
3. Enable IP forwarding by adding the setting below
[root@localhost ~]# vim /etc/sysctl.conf
net.ipv4.ip_forward = 1
[root@localhost ~]# sysctl -p
net.ipv4.ip_forward = 1
4. Set the firewall policy: redirect HTTP and HTTPS requests (ports 80 and 443) to 3128. Create two zones, put ens33 into the external zone and ens36 (or ens37) into the internal zone.
Important: here too, if your NIC is ens37, change the interface name accordingly.
systemctl start firewalld.service
firewall-cmd --zone=external --add-interface=ens33
firewall-cmd --zone=internal --add-interface=ens36
firewall-cmd --zone=external --add-service=http
firewall-cmd --zone=external --add-service=https
firewall-cmd --zone=external --add-port=3128/tcp
firewall-cmd --direct --add-rule ipv4 nat PREROUTING 0 -i ens33 -p tcp --dport 80 -j REDIRECT --to-ports 3128
firewall-cmd --direct --add-rule ipv4 nat PREROUTING 0 -i ens33 -p tcp --dport 443 -j REDIRECT --to-ports 3128
firewall-cmd --runtime-to-permanent
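The step above is repeated verbatim on every box, and the interface name is the thing that keeps going wrong. The function below is an added example, not part of the original post or of firewalld: it renders the same command list for the interface names you give it, but first checks both names against a list of interfaces that actually exist, so a typo such as ens36 on a box whose card is ens37 is caught before any rule is applied. The interface list is passed in as a parameter so the function can be exercised offline; on the proxy you would pass `"$(ls /sys/class/net)"`. One caveat worth knowing when you read the generated rules: a plain `http_port ... transparent` does not terminate TLS, so the port-443 redirect delivers raw TLS handshakes to a port that speaks HTTP; intercepting HTTPS needs an `https_port` with ssl-bump and a CA the clients trust. The list reproduces the post's rules as written.

```shell
# Added example (not from the original post): render the firewalld commands
# for a transparent Squid, refusing when an interface name does not exist.
# ext_if is the side the clients' traffic arrives on (ens33 in this lab),
# int_if the side facing the web server (ens36 or ens37).
# Usage: gen_transparent_rules <ext_if> <int_if> "<space-separated known ifaces>"
gen_transparent_rules() {
    ext=$1; int=$2; known=$3
    for want in "$ext" "$int"; do
        found=0
        for have in $known; do
            [ "$have" = "$want" ] && found=1
        done
        [ "$found" -eq 1 ] || { echo "no such interface: $want (check ifconfig)" >&2; return 1; }
    done
    # Rules exactly as in step 4, with the interface names substituted.
    cat <<EOF
firewall-cmd --zone=external --add-interface=$ext
firewall-cmd --zone=internal --add-interface=$int
firewall-cmd --zone=external --add-service=http
firewall-cmd --zone=external --add-service=https
firewall-cmd --zone=external --add-port=3128/tcp
firewall-cmd --direct --add-rule ipv4 nat PREROUTING 0 -i $ext -p tcp --dport 80 -j REDIRECT --to-ports 3128
firewall-cmd --direct --add-rule ipv4 nat PREROUTING 0 -i $ext -p tcp --dport 443 -j REDIRECT --to-ports 3128
firewall-cmd --runtime-to-permanent
EOF
}

# Constructed interface list (what "ls /sys/class/net" might print on the
# proxy VM); in real use substitute "$(ls /sys/class/net)".
IFACES="lo ens33 ens36"

# Works: both names exist.
gen_transparent_rules ens33 ens36 "$IFACES"
# Fails before printing anything: ens37 is not on this box.
gen_transparent_rules ens33 ens37 "$IFACES" || echo "refused, nothing applied"
```

To apply the rules, pipe the output into sh only once the names are right, for example `gen_transparent_rules ens33 ens36 "$(ls /sys/class/net)" | sh`.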
5. On the client, remove the manual proxy setting and switch to "No proxy"
Verification:
On the client:
Note: open Firefox → Preferences → Advanced → Network → Settings → No proxy.
6. Check the access log on the web server (every request now comes from the proxy server)
[root@localhost ~]# tail -f /var/log/httpd/access_log
192.168.2.1 - - [22/Jul/2022:10:06:48 +0800] "GET / HTTP/1.1" 304 - "-" "Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0"
::1 - - [22/Jul/2022:10:07:14 +0800] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.6 (CentOS) (internal dummy connection)"
::1 - - [22/Jul/2022:10:07:14 +0800] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.6 (CentOS) (internal dummy connection)"
::1 - - [22/Jul/2022:10:07:14 +0800] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.6 (CentOS) (internal dummy connection)"
::1 - - [22/Jul/2022:10:07:14 +0800] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.6 (CentOS) (internal dummy connection)"
::1 - - [22/Jul/2022:10:07:14 +0800] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.6 (CentOS) (internal dummy connection)"
::1 - - [22/Jul/2022:10:07:14 +0800] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.6 (CentOS) (internal dummy connection)"
192.168.2.1 - - [22/Jul/2022:10:07:19 +0800] "GET / HTTP/1.1" 304 - "-" "Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0"
192.168.2.1 - - [22/Jul/2022:10:07:20 +0800] "GET / HTTP/1.1" 304 - "-" "Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0"
192.168.2.1 - - [22/Jul/2022:10:07:20 +0800] "GET / HTTP/1.1" 304 - "-" "Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0"
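The log above shows the two things a transparent proxy does to the web server's view of the world: every real client appears as the proxy's inner address (192.168.2.1), and the `::1` lines are httpd's own "internal dummy connection" keep-alive probes, not clients at all. The functions below are an added example, not part of the original post: they summarise requests per source address while skipping the dummy connections, and list any source that is not the proxy, which is a quick way to confirm that clients really are being intercepted. The log excerpt they run on is constructed after the one above (the 192.168.2.5 line is invented to show a host that reached the server directly). If you need the original client address back, Squid sends it in the X-Forwarded-For header by default (`forwarded_for on`), and Apache can log it with `%{X-Forwarded-For}i` in a LogFormat.

```shell
# Added example (not from the original post): per-source request counts from
# an Apache access_log, ignoring httpd's internal dummy connections.
# Usage: count_clients <access_log>   -> lines of "<count> <ip>", busiest first
count_clients() {
    grep -v 'internal dummy connection' "$1" \
      | awk '{ hits[$1]++ } END { for (ip in hits) print hits[ip], ip }' \
      | sort -rn
}

# Sources other than the proxy, i.e. requests that bypassed it.
# Usage: direct_clients <access_log> <proxy_ip>
direct_clients() {
    count_clients "$1" | awk -v proxy="$2" '$2 != proxy'
}

# Constructed sample modelled on the excerpt above (not the real file).
LOG=$(mktemp)
cat > "$LOG" <<'EOF'
192.168.2.1 - - [22/Jul/2022:10:06:48 +0800] "GET / HTTP/1.1" 304 - "-" "Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0"
::1 - - [22/Jul/2022:10:07:14 +0800] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.6 (CentOS) (internal dummy connection)"
::1 - - [22/Jul/2022:10:07:14 +0800] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.6 (CentOS) (internal dummy connection)"
192.168.2.1 - - [22/Jul/2022:10:07:19 +0800] "GET / HTTP/1.1" 304 - "-" "Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0"
192.168.2.5 - - [22/Jul/2022:10:07:25 +0800] "GET / HTTP/1.1" 200 14 "-" "curl/7.29.0"
192.168.2.1 - - [22/Jul/2022:10:07:20 +0800] "GET / HTTP/1.1" 304 - "-" "Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0"
EOF

echo "requests per source:"
count_clients "$LOG"
echo "sources that bypassed the proxy at 192.168.2.1:"
direct_clients "$LOG" 192.168.2.1
```

On the lab web server the equivalent is `count_clients /var/log/httpd/access_log`; with the transparent proxy working, `direct_clients /var/log/httpd/access_log 192.168.2.1` should print nothing.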