Implementing a proxy with squid

Preparation: the proxy host needs two NICs with two IPs,

192.168.1.142 (the outside/upstream side) and 192.168.142.1 (the LAN side, which the clients use as their gateway)

yum install squid

*************************************************************************************************

Forward proxy

vi /etc/squid/squid.conf

acl SSL_ports port 443         # ACL rules: ports that may be reached with CONNECT
acl CONNECT method CONNECT
acl mynet src 192.168.142.2/32    # ACL named mynet: a test entry for blocking the single host 192.168.142.2
http_access deny !Safe_ports      # Safe_ports and localnet are declared in the stock squid.conf; keep those acl lines in the file
http_access deny CONNECT !SSL_ports
http_access deny mynet      # block mynet
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost
http_access allow all     # lets anyone who can reach port 3128 use the proxy (an open proxy); for a LAN-only proxy put "deny all" here and rely on "allow localnet"
http_port 3128      # listening port
cache_dir ufs /var/spool/squid 100 16 256      # disk cache: 100 MB, 16 first-level and 256 second-level subdirectories
coredump_dir /var/spool/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
cache_mem 99 MB                        # memory for in-transit and hot objects
maximum_object_size 20 MB              # largest object written to the disk cache
maximum_object_size_in_memory 20 MB    # largest object kept in cache_mem
cache_swap_low 90                      # start evicting from disk at 90% full ...
cache_swap_high 95                     # ... and evict aggressively at 95%

Then point the client at the proxy: set its HTTP proxy to the squid host 192.168.142.1, port 3128.

**************************************************************************************************************************

Username/password authentication

vi /etc/squid/squid.conf

acl SSL_ports port 443
acl CONNECT method CONNECT
auth_param basic program /usr/lib64/squid/basic_ncsa_auth /etc/squid/passwd   # helper that checks credentials against /etc/squid/passwd
auth_param basic children 5                 # number of helper processes
auth_param basic realm mima                 # realm text shown in the browser's login prompt ("mima" is simply the author's label)
auth_param basic credentialsttl 2 hours     # how long a verified credential is cached before the helper is asked again
acl lookwest proxy_auth REQUIRED            # matches any request carrying valid credentials
http_access deny !Safe_ports                # Safe_ports and localnet come from the stock squid.conf
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow lookwest                  # authenticated users; placed after the port checks so those still apply to them,
                                            # and before "allow localnet" so LAN clients are challenged (407) instead of waved through
http_access allow localnet
http_access allow localhost
http_access deny all                        # everyone else is refused
http_port 3128
cache_dir ufs /var/spool/squid 100 16 256
coredump_dir /var/spool/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
cache_mem 99 MB
maximum_object_size 20 MB
maximum_object_size_in_memory 20 MB
cache_swap_low 90
cache_swap_high 95
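Before restarting, it pays to check the http_access order, because both the forward-proxy config above and this password-protected one lean on lines the post never shows (Safe_ports and localnet are only declared in the stock squid.conf), and because a misplaced allow silently widens access. The following Python script is an added example, not code from the post or from Squid: it parses acl/http_access lines and reports ACL names that are used but never defined, an unconditional allow all, an allow for a proxy_auth ACL that precedes the Safe_ports check, and a rule list that does not end in deny all. The two sample configs inside it are constructed here; the ACL names and addresses are those of this post.

```python
"""Audit the http_access section of a squid.conf for common ordering mistakes."""

# ACLs that Squid 3.2 and later define internally; every other name needs an 'acl' line.
BUILTIN_ACLS = {"all", "localhost", "to_localhost", "manager"}


def parse_squid_conf(text):
    """Return (acls, rules): acl name -> acl type, and the http_access rules in file order."""
    acls, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and surrounding whitespace
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl" and len(parts) >= 3:
            acls.setdefault(parts[1], parts[2])      # first declaration fixes the type
        elif parts[0] == "http_access" and len(parts) >= 3:
            rules.append((parts[1], parts[2:]))      # ('allow' | 'deny', [terms ...])
    return acls, rules


def audit_http_access(text):
    """Return a list of findings; an empty list means nothing suspicious was found."""
    acls, rules = parse_squid_conf(text)
    findings = []
    port_guard_seen = False                          # has 'deny !Safe_ports' been evaluated yet?
    for idx, (action, terms) in enumerate(rules, 1):
        names = [t.lstrip("!") for t in terms]       # '!Safe_ports' -> 'Safe_ports'
        for name in names:
            if name not in acls and name not in BUILTIN_ACLS:
                findings.append(f"rule {idx}: ACL '{name}' is referenced but never defined here")
        if action == "allow" and names == ["all"]:
            findings.append(f"rule {idx}: 'http_access allow all' turns this into an open proxy")
        if action == "deny" and "Safe_ports" in names:
            port_guard_seen = True
        if (action == "allow" and not port_guard_seen
                and any(acls.get(n) == "proxy_auth" for n in names)):
            findings.append(f"rule {idx}: authenticated users are allowed before 'deny !Safe_ports' "
                            "is evaluated, so they may browse or CONNECT to any port")
    if rules:
        last_action, last_terms = rules[-1]
        if not (last_action == "deny" and last_terms == ["all"]):
            # Squid applies the opposite of the last rule to requests that match nothing.
            findings.append("last http_access rule is not 'deny all'; unmatched requests "
                            "get the opposite of the last rule")
    return findings


# Constructed sample: the http_access block of the password-protected config above, as posted.
AUTH_CONF_FROM_POST = """
acl SSL_ports port 443
acl CONNECT method CONNECT
acl lookwest proxy_auth REQUIRED
http_access allow lookwest
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost
http_access deny all
"""

# Constructed sample: same intent, every ACL declared, auth allow after the port checks.
HARDENED_CONF = """
acl SSL_ports port 443
acl Safe_ports port 80 21 443 1025-65535
acl CONNECT method CONNECT
acl localnet src 192.168.142.0/24
acl lookwest proxy_auth REQUIRED
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localnet lookwest
http_access allow localhost
http_access deny all
"""

if __name__ == "__main__":
    for label, conf in (("config from the post", AUTH_CONF_FROM_POST), ("hardened", HARDENED_CONF)):
        print(f"== {label}")
        for finding in audit_http_access(conf) or ["no findings"]:
            print(" -", finding)
```

Run it against your own /etc/squid/squid.conf with `audit_http_access(open("/etc/squid/squid.conf").read())`; a clean result is not proof of a safe policy, but each finding is a rule worth a second look before `squid -k parse` and the restart.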


3.  Create the user name and password

htpasswd ships with Apache httpd (on CentOS it is in the httpd-tools package and lands in /usr/bin); from the bin directory of an httpd install, run

./htpasswd  -c /etc/squid/passwd YOUR_NAME

You will be prompted for the password; type it (twice) and it is stored.
This writes YOUR_NAME and the hash of the password into /etc/squid/passwd. The -c flag creates the file and overwrites an existing one, so leave it out when adding further users. Make the file readable by the squid user and nobody else (chown squid /etc/squid/passwd; chmod 600 /etc/squid/passwd).

4.  service  squid restart  (restart squid)

If something does not work, look at the logs under /var/log/squid: cache.log for startup and configuration errors, access.log for the per-request verdicts (TCP_DENIED/407 means the credentials were not accepted).
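To see what the basic_ncsa_auth helper actually checks, here is an added Python emulation, not the post's or Squid's code: it decodes the Proxy-Authorization header the way Squid does, parses an htpasswd file, verifies the $apr1$ MD5 hashes that htpasswd writes by default, and answers OK/ERR like the helper. The sample passwd content is constructed here (user name borrowed from the acl name lookwest, password s3cret and the salt invented); the real helper also handles other hash schemes and URL-decodes the fields, which is skipped. The point worth keeping in mind: Basic credentials are only base64, so anyone on the path to a plain http_port can read them.

```python
"""Emulate basic_ncsa_auth: verify 'user password' lines against an htpasswd file,
plus the Proxy-Authorization decoding Squid performs before it calls the helper."""
import base64
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value, count):
    """crypt(3)-style encoding of the low 6*count bits of value, least significant first."""
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def apr1_md5(password, salt):
    """Apache's $apr1$ scheme (md5crypt with the magic '$apr1$'), the default htpasswd -m format."""
    pw, salt = password.encode(), salt[:8].encode()
    ctx = hashlib.md5(pw + b"$apr1$" + salt)
    alt = hashlib.md5(pw + salt + pw).digest()
    n = len(pw)
    while n > 0:                                  # mix in alt once per 16 bytes of password
        ctx.update(alt[:min(16, n)])
        n -= 16
    n = len(pw)
    while n:                                      # one byte per bit of len(password)
        ctx.update(b"\x00" if n & 1 else pw[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):                         # deliberate slow-down rounds
        ctx1 = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            ctx1.update(salt)
        if i % 7:
            ctx1.update(pw)
        ctx1.update(final if i & 1 else pw)
        final = ctx1.digest()
    f = final
    encoded = (_to64((f[0] << 16) | (f[6] << 8) | f[12], 4)
               + _to64((f[1] << 16) | (f[7] << 8) | f[13], 4)
               + _to64((f[2] << 16) | (f[8] << 8) | f[14], 4)
               + _to64((f[3] << 16) | (f[9] << 8) | f[15], 4)
               + _to64((f[4] << 16) | (f[10] << 8) | f[5], 4)
               + _to64(f[11], 2))
    return "$apr1$" + salt.decode() + "$" + encoded


def load_htpasswd(text):
    """Parse 'user:hash' lines as written by htpasswd into a dict."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and ":" in line:
            user, stored = line.split(":", 1)
            users[user] = stored
    return users


def check_password(stored, password):
    """True if password matches the stored $apr1$ hash (other htpasswd schemes are not handled here)."""
    if not stored.startswith("$apr1$"):
        return False
    salt = stored[6:].split("$", 1)[0]
    return hmac.compare_digest(apr1_md5(password, salt), stored)   # constant-time compare


def ncsa_auth(users, helper_line):
    """Helper protocol: Squid writes 'user password' on stdin, the helper answers OK or ERR."""
    parts = helper_line.rstrip("\n").split(" ", 1)
    if len(parts) != 2:
        return "ERR"
    user, password = parts
    stored = users.get(user)
    return "OK" if stored is not None and check_password(stored, password) else "ERR"


def credentials_from_header(value):
    """Decode a 'Proxy-Authorization: Basic <base64 user:pass>' value; None if malformed.
    Basic auth is plain base64: readable by anyone who can sniff the client-to-proxy hop."""
    scheme, _, b64 = value.strip().partition(" ")
    if scheme.lower() != "basic" or not b64:
        return None
    try:
        user, _, password = base64.b64decode(b64, validate=True).decode().partition(":")
    except ValueError:                            # covers binascii.Error and UnicodeDecodeError
        return None
    return user, password


# Constructed sample /etc/squid/passwd: user name taken from the acl name in the post,
# password "s3cret" and salt invented for this example.
SAMPLE_HTPASSWD = "lookwest:" + apr1_md5("s3cret", "Zz9p1Xq7") + "\n"

if __name__ == "__main__":
    users = load_htpasswd(SAMPLE_HTPASSWD)
    creds = credentials_from_header("Basic bG9va3dlc3Q6czNjcmV0")   # base64 of lookwest:s3cret
    print(creds, ncsa_auth(users, "%s %s" % creds))                  # ('lookwest', 's3cret') OK
    print(ncsa_auth(users, "lookwest wrong"))                        # ERR
```

You can cross-check the hash function against the real tool: `htpasswd -nbm lookwest s3cret` prints a line whose salt differs, but feeding that salt to `apr1_md5` must reproduce the same string.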


*********************************************************************************************************************************

Transparent proxy: squid + iptables

vi /etc/squid/squid.conf

acl SSL_ports port 443
acl CONNECT method CONNECT
http_access deny !Safe_ports             # Safe_ports and localnet are declared in the stock squid.conf
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager                 # never allow manager for everyone: it exposes the cache manager interface
http_access allow localnet
http_access allow localhost
http_access allow all                    # port 3128 is reachable from the outside interface as well; "deny all" plus "allow localnet" is the safer choice
http_port 3128 transparent               # interception mode ("transparent" is the old keyword; Squid 3.1 and later call it intercept)
dns_nameservers 222.222.202.202          # resolvers squid itself uses
dns_nameservers 222.222.222.222
cache_dir ufs /var/spool/squid 100 16 256
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

 iptables -t nat -I POSTROUTING -s 192.168.142.0/24 -j SNAT --to 192.168.1.142      # LAN traffic leaves behind the outside address
 iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-ports 3128    # HTTP arriving on the LAN interface (eth1) is redirected into squid

Only TCP port 80 is intercepted; HTTPS and everything else leaves through the SNAT rule without passing squid.

vi /etc/sysctl.conf

net.ipv4.ip_forward=1

Apply it with sysctl -p (or reboot); without forwarding the box will not pass packets between the two NICs.

systemctl restart squid

The clients need no proxy setting at all; just give them the squid host (192.168.142.1) as their default gateway.

 ***********************************************************************************************************************

Reverse proxy

vi /etc/squid/squid.conf

acl SSL_ports port 443
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost
http_access deny all        # with these rules only localnet/localhost can reach the site; for outside visitors allow the site explicitly (acl ... dstdomain www.aaa.com) rather than "allow all"

http_port 80 vhost vport    # accelerator mode: choose the site from the Host header, keep the original port
cache_peer 192.168.1.148 parent 80 0 no-query originserver name=aaa   # the real web server, referred to as peer aaa
cache_peer_domain aaa www.aaa.com                                      # only requests for www.aaa.com are sent to peer aaa

coredump_dir /var/spool/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

Mind DNS: for the clients, www.aaa.com must resolve to the squid host, while squid reaches the origin by the IP given in cache_peer (192.168.1.148).

*************************************************************************************************************************

Squid with TLS (HTTPS in front of the origin)

The configuration file is:

acl SSL_ports port 443
acl CONNECT method CONNECT
acl SITE_AAA_SSL myport 443        # requests that arrived on the https_port below
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost
http_access allow SITE_AAA_SSL     # must come before "deny all"; placed after it, the line is never reached and every HTTPS client is refused
http_access deny all

http_port 80 vhost vport
cache_peer 192.168.1.148 parent 80 0 no-query originserver name=aaa
cache_peer_domain aaa www.aaa.com
https_port 443 accel cert=/etc/pki/tls/certs/han.pem key=/etc/pki/tls/certs/han.pem vhost   # TLS towards the clients; han.pem holds certificate and private key, so keep it root-only (0600)
cache_peer 192.168.1.148 parent 443 0 no-query originserver login=PASS ssl sslflags=DONT_VERIFY_PEER name=ACCEL_AAA_SSL
# TLS towards the origin. DONT_VERIFY_PEER accepts whatever certificate the origin presents, so a host impersonating
# 192.168.1.148 would not be noticed; unless the backend segment is fully trusted, drop the flag and point sslcafile=
# at the CA that signed the origin certificate. login=PASS forwards the client's credentials to the origin.
cache_peer_access ACCEL_AAA_SSL allow SITE_AAA_SSL   # only requests that came in on 443 go to the TLS peer

coredump_dir /var/spool/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

Open port 443 on the firewall. The web server at 192.168.1.148 must itself serve HTTPS on 443; it may use the same certificate and key as squid (as done here), but it does not have to, because the client-to-squid and squid-to-origin TLS sessions are separate.

posted @ 2017-02-28 11:18 by 奥特 (218 reads, 0 comments)