I. Squid ACL access control
First back up squid.conf and strip the comment and blank lines so that only the active directives remain:
mv squid.conf squid.conf.backup
egrep -v "^#|^$" squid.conf.backup > squid.conf
[root@squid etc]# wc -l squid.conf
44 squid.conf
1) Filtering URLs by keyword
Add the following two lines to squid.conf:
acl qq url_regex -i ^http://.*qq.*$
http_access deny qq
Access www.baidu.com in the browser (the browser must be configured to use the proxy); at this point, before the configuration has been reloaded, the page still opens.
Then make Squid re-read its configuration file:
[root@squid ~]# squid -k reconfig
[root@squid ~]# lsof -i :3128
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
squid 22446 squid 15w IPv4 43702 0t0 TCP *:squid (LISTEN)
squid 22446 squid 17u IPv4 43646 0t0 TCP 192.168.49.135:squid->192.168.49.1:11361 (ESTABLISHED)
Opening www.baidu.com in the browser again now produces an "Access Denied" error, which confirms that the configuration is in effect.
2) Filtering on keywords in the URL path
Comment out the two lines added above and add these two lines instead:
acl qq_path urlpath_regex -i \.*qq*
http_access deny qq_path
Then make Squid re-read the configuration:
squid -k reconfig
Finally, test in the browser: opening http://im.qq.com/ works normally, because urlpath_regex is matched against the path only and the host name im.qq.com is not part of it.
3) Production examples
Block BitTorrent and mp3 downloads:
acl BT urlpath_regex -i \.torrent$ \.mp3$
http_access deny BT
Block access to certain sites:
acl sex url_regex -i ^http://.*sex.*$
http_access deny sex
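The following Python model is an added illustration, not code from the original post: it evaluates ACL and http_access lines like those in 1) to 3) the way Squid does, trying url_regex against the whole URL, urlpath_regex only against the part after the host, and letting the first matching http_access line decide (so a deny must sit above any allow that would match first). It also shows that the pattern \.*qq* used in 2) matches any path containing a single q, such as /faq.html, which is broader than the name suggests. The squid.conf text is constructed, and Squid's POSIX regex syntax is approximated with Python's re module.

```python
import re
from urllib.parse import urlsplit

# Constructed squid.conf fragment (sections 1-3 above); "deny qq" commented out as the author did.
SQUID_CONF = r"""
acl qq url_regex -i ^http://.*qq.*$
acl qq_path urlpath_regex -i \.*qq*
acl BT urlpath_regex -i \.torrent$ \.mp3$
#http_access deny qq
http_access deny qq_path
http_access deny BT
http_access allow all
"""

def parse_conf(text):
    """Return ({acl name: (acl type, [compiled regexes])}, [(action, acl name), ...])."""
    acls, rules = {}, []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "acl":
            name, acltype, patterns = parts[1], parts[2], parts[3:]
            flags = re.IGNORECASE if patterns[:1] == ["-i"] else 0   # -i: case-insensitive
            patterns = patterns[1:] if flags else patterns
            entry = acls.setdefault(name, (acltype, []))
            entry[1].extend(re.compile(p, flags) for p in patterns)  # repeated names accumulate
        elif parts[0] == "http_access":
            rules.append((parts[1], parts[2]))
    return acls, rules

def acl_matches(acls, name, url):
    """url_regex is tested against the whole URL, urlpath_regex only against what follows the host."""
    if name == "all":                       # Squid's built-in catch-all ACL
        return True
    acltype, regexes = acls[name]
    if acltype == "url_regex":
        subject = url
    else:                                   # urlpath_regex: path plus any query string
        s = urlsplit(url)
        subject = s.path + ("?" + s.query if s.query else "")
    return any(r.search(subject) for r in regexes)   # any one pattern is enough

def decide(url, conf=SQUID_CONF):
    """First http_access line whose ACL matches wins; with no match Squid does the opposite of the last line."""
    acls, rules = parse_conf(conf)
    for action, name in rules:
        if acl_matches(acls, name, url):
            return action, name
    return ("deny" if rules[-1][0] == "allow" else "allow"), "default"
```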
II. Configuring a web interface to view Squid's configuration and status
1. Install Apache first
yum -y install httpd
2. Configure and start Apache
[root@squid etc]# cp /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf.bak
[root@squid etc]# vi /etc/httpd/conf/httpd.conf
[root@squid etc]# diff /etc/httpd/conf/httpd.conf.bak /etc/httpd/conf/httpd.conf
136c136
< Listen 80
---
> Listen 8001 #修改監聽端口為8001,這裡也可以不改,但是一般不适用80端口
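Review bot: the explanatory text after `Listen 8001` (everything from `#` onward) must not be in the actual file: Apache does not accept a comment on the same line as a directive, so httpd would reject the extra arguments to Listen at start-up. Keep such notes on their own lines beginning with `#`.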
1009a1010,1015
> ScriptAlias "/squid" "/usr/local/squid/libexec/cachemgr.cgi" #建立一個别名,使用cachemgr.cgi
> <Location "/squid"> #添加一個apache通路路徑
> Order deny,allow
> Deny from all
> Allow from all
> </Location>
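Review bot: `Deny from all` followed by `Allow from all` under `Order deny,allow` ends up allowing every host, so cachemgr.cgi, which exposes the cache object list, configuration and counters shown later on this page, is readable by anyone who can reach port 8001. Replace the `Allow from all` line with the administration hosts only, e.g. `Allow from 127.0.0.1 192.168.49.0/24` (on Apache 2.4 the equivalent is `Require ip ...`), and add a `cachemgr_passwd` line in squid.conf as a second check. The `#` annotations on the `ScriptAlias` and `<Location>` lines must also move to separate lines, since Apache does not accept trailing comments.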
[root@squid etc]# /etc/init.d/httpd start
Starting httpd: httpd: apr_sockaddr_info_get() failed for squid.contoso.com
httpd: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1 for ServerName
[ OK ]
[root@squid etc]#
3. Adjust the default squid.conf
The default squid.conf contains the line http_access deny !Safe_ports, so port 8001 configured above must be added to Safe_ports, otherwise requests to the interface are denied:
acl Safe_ports port 8001
4. View it in the browser
Once the page opens, a great deal of Squid information is displayed. For example, you can inspect the objects in Squid's cache; this is possible from the command line too, but the web interface is more convenient.
III. Using Squid as a transparent proxy
Host name               Role                 IP address
squid.contoso.com       Squid proxy server   eth0: 192.168.49.135
                                             eth1: 172.16.49.135
ldapserver.contoso.com  Squid client         eth1: 172.16.49.139
1) Edit the Squid configuration file
Two changes are needed:
a. Set http_port to transparent proxy mode
b. Add the following parameters:
cache_mem 90 MB # note the space between 90 and MB; without it Squid warns: WARNING: No units on 'cache_mem 90MB', assuming 90.00 bytes
cache_swap_low 90
cache_swap_high 95
maximum_object_size 8192 KB
minimum_object_size 0 KB
maximum_object_size_in_memory 4096 KB
memory_replacement_policy lru
emulate_httpd_log on
[root@squid etc]# cp squid.conf squid.conf.bak$(date +%F)
[root@squid etc]# vi squid.conf
[root@squid etc]# diff squid.conf.bak2016-10-16 squid.conf
36c36
< http_port 3128
> http_port 3128 transparent #設定透明代理模式
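Review bot: adding `transparent` to the existing port means 3128 now takes both the intercepted LAN traffic and the explicit proxy connections seen in section I. Squid advises a dedicated interception port that configured clients never talk to: keep `http_port 3128` for configured browsers, add a second line such as `http_port 3129 intercept` (Squid 3.1 and later use `intercept`; `transparent` is the older spelling) and point the iptables REDIRECT at 3129.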
51a52,61
>
> cache_mem 90 MB
> cache_swap_low 90
> cache_swap_high 95
> maximum_object_size 8192 KB
> minimum_object_size 0 KB
> maximum_object_size_in_memory 4096 KB
> memory_replacement_policy lru
> emulate_httpd_log on
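Review bot: `emulate_httpd_log on` exists only in older Squid releases; from Squid 3.2 it is reported as obsolete and the same Apache-style output comes from `access_log /usr/local/squid/var/logs/access.log common`. On Squid 3 builds also keep this block above any `cache_dir` line, because a cache_dir takes the maximum_object_size in effect when its line is parsed.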
2) Adjust the firewall
Add the firewall rules: the first redirects web traffic arriving on eth1 to Squid's port 3128, the second masquerades the LAN out through eth0:
[root@squid etc]# iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-ports 3128
[root@squid etc]# iptables -t nat -A POSTROUTING -o eth0 -s 172.16.49.0/24 -j MASQUERADE
3) Enable IPv4 forwarding
[root@squid etc]# sed -i '/net.ipv4.ip_forward/s/0/1/' /etc/sysctl.conf
[root@squid etc]# grep ip_forward /etc/sysctl.conf
net.ipv4.ip_forward = 1
[root@squid etc]# sysctl -p
4) Test the Squid client's network
[root@ldapserver ~]# ifconfig eth1
eth1 Link encap:Ethernet HWaddr 00:0C:29:A5:4C:68
inet addr:172.16.49.139 Bcast:172.16.49.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fea5:4c68/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:349 errors:0 dropped:0 overruns:0 frame:0
TX packets:223 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:30075 (29.3 KiB) TX bytes:24303 (23.7 KiB)
[root@ldapserver ~]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
172.16.49.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
169.254.0.0 0.0.0.0 255.255.0.0 U 1003 0 0 eth1
[root@ldapserver ~]# ping 202.96.128.86
connect: Network is unreachable
[root@ldapserver ~]# ping www.baidu.com
ping: unknown host www.baidu.com
5) Make Squid re-read its configuration (squid -k reconfig, as above)
6) Set the Squid server's internal IP address as the client's default gateway
[root@ldapserver ~]# route add default gw 172.16.49.135
0.0.0.0 172.16.49.135 0.0.0.0 UG 0 0 0 eth1
7) Test the transparent proxy
On the Squid server:
[root@squid network-scripts]# squid -k rotate # rotate the logs
[root@squid network-scripts]# tail -f /usr/local/squid/var/logs/access.log # watch the access log
On the Squid client:
[root@ldapserver ~]# ping www.baidu.com
PING www.a.shifen.com (14.215.177.38) 56(84) bytes of data.
64 bytes from 14.215.177.38: icmp_seq=1 ttl=127 time=8.00 ms
64 bytes from 14.215.177.38: icmp_seq=2 ttl=127 time=8.13 ms
64 bytes from 14.215.177.38: icmp_seq=3 ttl=127 time=7.89 ms
64 bytes from 14.215.177.38: icmp_seq=4 ttl=127 time=35.1 ms
^C
--- www.a.shifen.com ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3229ms
rtt min/avg/max/mdev = 7.890/14.790/35.124/11.740 ms
The Squid client can now reach the Internet through the Squid server.
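The ping shows that routing and the MASQUERADE rule work, but only TCP port 80 is redirected into Squid, so the access.log entries tailed on the server are what actually confirm the interception. Added example, not from the original post: a Python parser for those entries that counts requests per client, lists ACL denials (TCP_DENIED) and picks out the 172.16.49.0/24 clients; it assumes the Apache common format with Squid's result:hierarchy field appended, which is what emulate_httpd_log on produces, and the log lines are constructed.

```python
import re
from collections import Counter

# With "emulate_httpd_log on" Squid writes Apache common log format plus its own
# result:hierarchy field (logformat common ... %Ss:%Sh). These sample lines are constructed.
SAMPLE_LOG = """\
172.16.49.139 - - [16/Oct/2016:21:03:11 +0800] "GET http://www.baidu.com/ HTTP/1.1" 200 14536 TCP_MISS:DIRECT
172.16.49.139 - - [16/Oct/2016:21:03:12 +0800] "GET http://www.baidu.com/img/bd_logo1.png HTTP/1.1" 200 7877 TCP_HIT:NONE
192.168.49.1 - - [16/Oct/2016:21:03:15 +0800] "GET http://im.qq.com/ HTTP/1.1" 403 3847 TCP_DENIED:HIER_NONE
172.16.49.139 - - [16/Oct/2016:21:03:20 +0800] "GET http://example.com/files/song.mp3 HTTP/1.1" 403 3847 TCP_DENIED:HIER_NONE
this line is garbage and must be counted, not crash the parser
"""

LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)(?: (?P<result>[A-Z_]+):(?P<hier>\S+))?$')

def parse_line(line):
    """One log line -> dict of fields, or None when the line does not fit the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    return rec

def summarize(text):
    """Requests per client, requests blocked by the ACLs of section I, and unparsable lines."""
    per_client, denied, unparsed = Counter(), [], 0
    for raw in text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if rec is None:
            unparsed += 1
            continue
        per_client[rec["client"]] += 1
        if rec["result"] == "TCP_DENIED" or rec["status"] == 403:
            denied.append((rec["client"], rec["url"]))
    return {"per_client": dict(per_client), "denied": denied, "unparsed": unparsed}

def transparent_clients(summary, prefix="172.16.49."):
    """Clients from the LAN behind eth1: their presence proves the REDIRECT rule fed them to Squid."""
    return sorted(c for c in summary["per_client"] if c.startswith(prefix))
```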
This article is reproduced from jerry1111111's 51CTO blog; the original is at http://blog.51cto.com/jerry12356/1862393. Contact the original author before republishing.