配置squid，实现正向代理

环境：CentOS 6.5

代理主机ip：192.168.3.224，10.0.0.10

内网主机ip：10.0.0.11

安装前准备

1、关闭selinux

[root@php-proxy ~]# setenforce 0[root@php-proxy ~]# getenforcepermissive[root@php-proxy ~]# vim /etc/selinux/configSELINUX=disabled

2、关闭防火墙filter表，设置防火墙端口转发规则

[root@php-proxy ~]# iptables -t filter -F[root@php-proxy ~]# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE[root@php-proxy ~]# service iptables save

3、修改主机路由模式

[root@php-proxy ~]# vim /etc/sysctl.confnet.ipv4.ip_forward = 1

编译安装squid

1、安装squid

http://www.squid-cache.org/Versions/v3/3.2/squid-3.2.3.tar.gz

[root@php-proxy ~]# tar xf squid-3.2.3.tar.gz[root@php-proxy ~]# cd squid-3.2.3[root@php-proxy ~]# ./configure --prefix=/usr/local/squid --enable-dlmalloc --enable-gnuregex --disable-carp --enable-async-io=100 --with-aufs-threads=32 --with-pthreads --enable-storeio="ufs,aufs" --enable-removal-policies="heap,lru" --enable-icmp --enable-htcp --enable-delay-pools --enable-useragent-log --enable-referer-log --disable-wccp --disable-wccpv2 --enable-kill-parent-hack --enable-arp-acl --disable-snmp --enable-default-err-language=Simplify_Chinese --enable-err-languages="Simplify_Chinese English" --disable-poll --disable-select --enable-epoll --enable-auth --enable-auth-basic="DB,NCSA,PAM,RADIUS,SASL" --with-aio --disable-ident-lookups --enable-truncate --enable-stacktraces --with-maxfd=65535 --disable-ipv6 --enable-ipf-transparent --enable-linux-netfilter

2、配置squid

[root@php-proxy ~]# mkdir -p /data/squid/{cache,coredump,logs}[root@php-proxy ~]# /usr/sbin/groupadd squid[root@php-proxy ~]# /usr/sbin/useradd squid -g squid -s /sbin/nologin[root@php-proxy ~]# chmod -R 777 /data/squid/{cache,coredump,logs}[root@php-proxy ~]# chown -R squid.squid /data/squid/{cache,coredump,logs}

3、配置文件内容

[root@php-proxy ~]# vim /usr/local/squid/etc/squid.confhttp_port 10.0.0.10:1080                                           cache_effective_user squidcache_effective_group squid                                           cache_mem 2048 MBcache_swap_low 90cache_swap_high 95                                           ipcache_size 1024ipcache_low 90ipcache_high 95                                           cache_replacement_policy lrumemory_replacement_policy lru                                           cache_dir aufs /data/squid/cache 20480 16 256coredump_dir /data/squid/coredump                                           memory_pools_limit 1024 MBmax_open_disk_fds 0minimum_object_size 0 KBmaximum_object_size 32768 KBmaximum_object_size_in_memory 2048 KB                                           access_log /dev/nullcache_access_log none                                           cache_log /dev/nullcache_store_log none                                           cache_swap_log /data/squid/logs/swap.log                                           logfile_rotate 1pid_filename /usr/local/squid/var/logs/squid.pid                                           cache_mgr lovezym5@126.comstrip_query_terms offvisible_hostname ProxySrverror_directory /usr/local/squid/share/errors/zh-cn                                           request_header_max_size 64 KBrequest_body_max_size 0 KB                                           negative_ttl 5 minutesread_timeout 1 minutesclient_lifetime 10 minutesconnect_timeout 1 minutepeer_connect_timeout 30 secondsrequest_timeout 2 minutespersistent_request_timeout 1 minute                                           client_persistent_connections offserver_persistent_connections ontcp_recv_bufsize 65535 byteshalf_closed_clients offhttpd_suppress_version_string offie_refresh offallow_underscore on                                           refresh_pattern ^ftp:           1440    20%     10080refresh_pattern ^gopher:        1440    0%      1440refresh_pattern -i (/cgi-bin/|\?) 0     0%      0refresh_pattern .               0       20%     4320                                           dns_nameservers DNS服务器IP                                           acl OverConnLimit maxconn 300http_access deny OverConnLimit                                           acl our_network src 192.168.0.0/16http_access allow our_network                                           acl SSL_ports port 443acl CONNECT method CONNECThttp_access deny CONNECT !SSL_ports                                           request_header_access Via deny allrequest_header_access X-Forwarded-For deny all

#检查配置是否正确[root@php-proxy ~]# /usr/local/squid/sbin/squid -k parse#初始化cache缓存目录[root@php-proxy ~]# /usr/local/squid/sbin/squid -z

4、配置启动脚本

[root@php-proxy ~]# vim /etc/init.d/squid#!/bin/sh##squid - this script start and stop the squid daemon## chkconfig: - 90 25# description: squid is a pagecache reverse proxy.# processname: squid# pidfile: /usr/local/squid/var/logs/squid.pid# config: /usr/local/squid/etc/squid.conf#PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin              BINFILE="/usr/local/squid/sbin/squid"CFGFILE="/usr/local/squid/etc/squid.conf"PIDFILE="/usr/local/squid/var/logs/squid.pid"LOCKFILE="/var/lock/squid.lock"CACHEPATH="/data/squid/cache"OUTFILE="/data/squid/logs/squid.out"              SQUID_PIDFILE_TIMEOUT=${SQUID_PIDFILE_TIMEOUT:-20}SQUID_SHUTDOWN_TIMEOUT=${SQUID_SHUTDOWN_TIMEOUT:-100}              [[ -f $BINFILE ]] && SQUID="${BINFILE}"              CACHE_SWAP=`sed -e 's/#.*//g' ${CFGFILE} | grep cache_dir | awk '{print $3}'`[ -z "$CACHE_SWAP" ] && CACHE_SWAP="${CACHEPATH}"              RETVAL=0              start() {    if [[ ! -f ${CFGFILE} ]]; then        echo "The configuration file: ${CFGFILE} has no found!" 1>&2        exit 6    fi                     SQUID_OPTS="-s -f ${CFGFILE}"                     [[ -z "$SQUID" ]] && echo "Insufficient privilege" 1>&2 && exit 4                     for adir in $CACHE_SWAP    do        if [[ ! -d $adir/00 ]]; then            echo -n "init_cache_dir $adir"            $SQUID -z -F -D >> ${OUTFILE} 2>&1        fi    done                     echo -n "Starting squid..."    $SQUID $SQUID_OPTS >> ${OUTFILE} 2>&1                     RETVAL=$?                     if [[ $RETVAL -eq 0 ]]; then        timeout=0;                             while :        do            [[ ! -f ${PIDFILE} ]] || break            [[ $timeout -ge $SQUID_PIDFILE_TIMEOUT ]] && RETVAL=1 && break                                     sleep 1 && echo -n "."            timeout=$((timeout+1))        done    fi                     echo ""    [[ $RETVAL -eq 0 ]] && touch ${LOCKFILE}    [[ $RETVAL -eq 0 ]] && echo "start squid is ok!"    [[ $RETVAL -ne 0 ]] && echo "start squid is failed!"                     return $RETVAL}              stop() {    SQUID_SHUTDOWN_TIMEOUT=${SQUID_SHUTDOWN_TIMEOUT:-100}    echo -n "Stopping squid..."    $SQUID -k check >> ${OUTFILE} 2>&1                     RETVAL=$?                     if [[ $RETVAL -eq 0 ]]; then        $SQUID -k shutdown &        rm -f ${LOCKFILE}                             timeout=0                             while :        do            [[ -f ${PIDFILE} ]] || break            [[ $timeout -ge $SQUID_SHUTDOWN_TIMEOUT ]] && echo "" && return 1                                     sleep 2 && echo -n "."            timeout=$((timeout+2))        done                             echo ""        echo "Stop squid is ok!"    else        echo ""        echo "Stop squid is failed!"        [[ ! -e ${LOCKFILE} ]] && RETVAL=0    fi                     return $RETVAL}              restart() {    stop    sleep 1    start}              case "$1" instart)    start    ;;                 stop)    stop    ;;                 reload)    SQUID_OPTS=${SQUID_OPTS:-"-D"}    $SQUID -k reconfigure -f ${CFGFILE}    ;;                 restart)    restart    ;;                 condrestart)    [[ -e ${LOCKFILE} ]] && restart || :    ;;                 *)    echo $"Usage: $0 {start|stop|reload|restart|condrestart}"    exit 2esac              exit $?

[root@php-proxy ~]# chmod +x /etc/init.d/squid  #添加执行权限[root@php-proxy ~]# service squid start         #启动服务

3、配置主机ip地址

代理主机内网ip

[root@php-proxy ~]# vim /etc/sysconfig/network-scripts/ifcfg-eth0:0DEVICE=eth0:0TYPE=EthernetONBOOT=yesNM_CONTROLLED=yesBOOTPROTO=noneIPADDR=10.0.0.10NETMASK=255.0.0.0

内网主机ip地址

[root@php ~]# vim /etc/sysconfig/network-scripts/ifcfg-eth0DEVICE=eth0HWADDR=52:54:00:B1:B4:99TYPE=EthernetUUID=4dd9081e-2cf6-4f81-bde4-561d3877267eONBOOT=yesNM_CONTROLLED=yesBOOTPROTO=staticIPADDR=10.0.0.11NETMASK=255.0.0.0GATEWAY=10.0.0.10DNS1=8.8.8.8DNS2=8.8.4.4

内网主机测试可行：

[root@php ~]# curl -I www.qq.comHTTP/1.1 200 OKServer: squid/3.4.3Date: Wed, 13 Jul 2016 06:01:36 GMTContent-Type: text/html; charset=GB2312Connection: keep-aliveVary: Accept-EncodingVary: Accept-EncodingExpires: Wed, 13 Jul 2016 06:02:36 GMTCache-Control: max-age=60Vary: Accept-EncodingAccess-Control-Allow-Origin: http://bz.qq.comX-Cache: HIT from nanjing.qq.com