Brief introduction
Squid is a high-performance proxy cache server that supports the HTTP, HTTPS, FTP and gopher protocols. Unlike general-purpose proxy caching software, Squid handles all client requests in one non-modular, I/O-driven process.
Proxy modes
A forward proxy lets clients reach the Internet through the Squid server. It can also control client behaviour based on source IP address, site keywords, downloaded file extensions, and so on.
A transparent proxy does not require users to enter the proxy server's IP in their browser; the clients' default gateway is simply set to the proxy server's IP address.
A reverse proxy can greatly speed up access to a website and reduce the load on the website's backend servers.
Customize access control rules
```
# ACL syntax: acl <policy name> <type> <value>   (types include src, dst, dstdomain, url_regex, arp, time, urlpath_regex)
# Note: put deny rules before allow rules; http_access lines are evaluated top to bottom and the first match decides
# Custom source-address ACL
acl deny_ip src 192.168.1.105
# Allow or deny the matching clients (use "deny" instead of "allow" to block them)
http_access allow deny_ip
# ACL loaded from a file of addresses, one per line
acl deny_group src "/etc/squid/deny_group"
http_access allow deny_group
# Custom destination-address ACL
acl deny_destination dst 192.168.29.133
http_access allow deny_destination
# Custom destination-site ACL (-i = case-insensitive)
acl deny_web dstdomain -i www.baidu.com
http_access allow deny_web
# Any URL containing the given text
acl deny_url url_regex -i baidu.com
http_access allow deny_url
# Privileged host matched by MAC address (replace with the real address)
acl vip arp <MAC address>
http_access allow vip
# Time policy: day letters S M T W H F A (Sunday to Saturday)
# A range that crosses midnight must be split into two lines, one per day
acl test1 src <client ip>
acl test2 time MTWHF 9:00-18:00
http_access allow test1 test2
# Block downloads by file extension
acl test urlpath_regex -i \.mp3$
http_access allow test
```
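The ordering note in the comments above matters in practice: http_access lines are evaluated top to bottom and the first match decides, so a rule placed after `http_access allow all` (or `http_access deny all`) can never take effect. The following shell script is an added example written for this page, not part of the tutorial or of Squid itself; it reads a squid.conf on standard input and reports every http_access rule that is unreachable for that reason. The configuration fragment embedded in it is constructed for the demonstration.

```shell
#!/bin/sh
# Added example for this page (not part of the tutorial or of Squid):
# report http_access rules in a squid.conf that can never match.
# Squid evaluates http_access lines top to bottom and the first matching
# line decides, so any rule placed after "http_access allow all" (or
# "http_access deny all") is unreachable.

# Constructed sample squid.conf fragment (not a real file from the tutorial).
SAMPLE_CONF='acl deny_web dstdomain -i www.baidu.com
acl localnet src 192.168.31.0/24
http_access allow localnet
http_access allow all
http_access deny deny_web'

# Reads a squid.conf on stdin; prints "unreachable: <rule>" for each dead
# http_access line.  Exit status 0 when every rule is reachable, 1 otherwise.
unreachable_http_access() {
    awk '
        $1 == "http_access" {
            if (closed) {
                print "unreachable: " $0
                bad = 1
            } else if ($3 == "all") {
                closed = 1     # this line decides every request: nothing after it matters
            }
        }
        END { exit bad }'
}

# Usage on a real proxy: unreachable_http_access < /etc/squid/squid.conf
if printf '%s\n' "$SAMPLE_CONF" | unreachable_http_access; then
    echo "http_access order OK"
else
    echo "move the rules listed above in front of the catch-all line"
fi
```

Run against the sample, the script reports `http_access deny deny_web` as unreachable because `http_access allow all` precedes it; swap the two lines and it reports nothing.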
Preparation
Prepare two CentOS 7 virtual machines and one Windows 7 virtual machine: configure the IP addresses and hostnames, stop the firewall, disable SELinux, and synchronize the system time.
IP | Hostname
---|---
192.168.29.145, 192.168.31.134 | squid_server
192.168.31.129 | win7
192.168.29.134 | web_server
Configure web_server
```bash
# Install nginx (after adding the official nginx yum repository from the nginx website)
[root@web_server ~]# yum install nginx -y
# Configure the home page
[root@web_server ~]# echo "node1" > /usr/share/nginx/html/index.html
# Start the service
[root@web_server ~]# systemctl start nginx
```
Install squid
```bash
[root@squid_server ~]# yum install squid -y
```
Forward Proxy
Configure and start the service
```bash
[root@squid_server ~]# vi /etc/squid/squid.conf
```
```
http_port 3128
# Cache directory: storage type, path, size in MB, number of first-level and second-level subdirectories
cache_dir ufs /var/spool/squid 100 16 256
cache_effective_user squid
cache_effective_group squid
# Hostname Squid presents in error pages and headers
visible_hostname localhost
cache_mem 100 MB
```
```bash
# Start the service
[root@squid_server ~]# systemctl start squid.service
```
Set up the proxy in the host browser
Access web_server from the browser
View the web_server and squid_server logs
```bash
[root@web_server ~]# tail -f /var/log/nginx/access.log
192.168.29.145 - - [29/Jun/2020:16:06:10 +0800] "GET / HTTP/1.1" 304 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36" "192.168.29.1"
[root@squid_server ~]# tail -f /var/log/squid/access.log
1593417955.839 2 192.168.29.1 TCP_MEM_HIT/200 355 GET http://192.168.29.134/ - HIER_NONE/- text/html
```
Stop the nginx service
```bash
[root@web_server ~]# systemctl stop nginx
```
Access web_server from the browser
View the squid_server log
```bash
[root@squid_server ~]# tail -f /var/log/squid/access.log
1593418080.136 1 192.168.29.1 TCP_REFRESH_FAIL_OLD/200 451 GET http://192.168.29.134/ - HIER_DIRECT/192.168.29.134 text/html
```
Transparent Proxy
Modify the configuration file
```bash
[root@squid_server ~]# vi /etc/squid/squid.conf
```
```
http_port 192.168.31.134:3128 transparent
cache_dir ufs /var/spool/squid 100 16 256
cache_effective_user squid
cache_effective_group squid
visible_hostname localhost
cache_mem 100 MB
```
Restart the service
```bash
[root@squid_server ~]# systemctl restart squid
```
Configure the DNS forwarding rule
```bash
[root@squid_server ~]# iptables -t nat -A POSTROUTING -p udp --dport 53 -o ens33 -j MASQUERADE
```
Enable packet forwarding
```bash
[root@squid_server ~]# vi /etc/sysctl.conf
net.ipv4.ip_forward=1
[root@squid_server ~]# sysctl -p
```
Configure the gateway and DNS on win7
At this point, pinging www.baidu.com from win7 resolves the name to its public IP address, but the ping itself gets no reply.
Set the packet forwarding rules
```bash
# Redirect intercepted HTTP and HTTPS traffic to the Squid port
[root@squid_server ~]# iptables -t nat -A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
[root@squid_server ~]# iptables -t nat -A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3128
# Source NAT for the win7 network on the way out through ens33
[root@squid_server ~]# iptables -t nat -A POSTROUTING -s 192.168.31.0/24 -o ens33 -j SNAT --to 192.168.29.145
# Accept inbound connections to the Squid port
[root@squid_server ~]# iptables -I INPUT -p tcp --dport 3128 -j ACCEPT
```
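Before testing from win7 it helps to confirm that every piece of the transparent setup above is actually in place. The script below is an added example for this page, not part of the tutorial; it checks an `iptables-save` dump of the nat table and the value of `net.ipv4.ip_forward` for the elements the tutorial configures (redirect of tcp/80 and tcp/443 to port 3128, source NAT on the way out, forwarding enabled). The embedded nat table is a constructed sample in which the 443 rule was left out, so the check has something to report; on a real squid_server you would pipe in `iptables-save -t nat` and `sysctl -n net.ipv4.ip_forward` as shown in the comment.

```shell
#!/bin/sh
# Added example for this page (not part of the tutorial): verify that the
# transparent-proxy pieces configured above are in place, from an
# iptables-save dump of the nat table and the ip_forward sysctl value.

# Constructed sample nat table in iptables-save format; the tcp/443
# redirect was deliberately left out so the check has something to report.
SAMPLE_NAT='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A POSTROUTING -p udp -m udp --dport 53 -o ens33 -j MASQUERADE
-A POSTROUTING -s 192.168.31.0/24 -o ens33 -j SNAT --to-source 192.168.29.145
COMMIT'

SQUID_PORT=3128

# Usage: check_transparent_nat <ip_forward value>   (nat table on stdin)
# Prints one MISSING line per absent element; exit status 0 only when all are present.
check_transparent_nat() {
    rules=$(cat)
    missing=0
    for port in 80 443; do
        if ! printf '%s\n' "$rules" | grep -q -e "-A PREROUTING .*--dport $port .*-j REDIRECT --to-ports $SQUID_PORT"; then
            echo "MISSING: tcp/$port is not redirected to squid port $SQUID_PORT"
            missing=$((missing + 1))
        fi
    done
    if ! printf '%s\n' "$rules" | grep -Eq -e '-A POSTROUTING .*-j (SNAT|MASQUERADE)'; then
        echo "MISSING: no SNAT/MASQUERADE rule for traffic leaving the proxy"
        missing=$((missing + 1))
    fi
    if [ "$1" != "1" ]; then
        echo "MISSING: net.ipv4.ip_forward is '$1', expected 1"
        missing=$((missing + 1))
    fi
    [ "$missing" -eq 0 ]
}

# On a real squid_server:
#   iptables-save -t nat | check_transparent_nat "$(sysctl -n net.ipv4.ip_forward)"
printf '%s\n' "$SAMPLE_NAT" | check_transparent_nat 1 || echo "transparent proxy setup is incomplete"
```

The check matches the rules as `iptables-save` prints them (`--to-ports` for REDIRECT, `--to-source` for SNAT), so it works on the live table rather than on the commands you remember typing.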
Now pinging www.baidu.com from win7 succeeds.
Access web_server from the browser
View the web_server and squid_server logs
```bash
[root@web_server ~]# tail -f /var/log/nginx/access.log
192.168.29.145 - - [29/Jun/2020:16:32:49 +0800] "GET / HTTP/1.1" 200 6 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" "192.168.31.129"
[root@squid_server ~]# tail -f /var/log/squid/access.log
1593421346.838 2 192.168.31.129 TCP_MISS/200 380 GET http://192.168.29.134/ - ORIGINAL_DST/192.168.29.134 text/html
```
Reverse Proxy
Modify the configuration file
```bash
[root@squid_server ~]# vi /etc/squid/squid.conf
```
```
http_port 80 vhost
# Specify the real (origin) server:
#   parent        = peer type
#   80            = HTTP port of the backend web server
#   0             = ICP port used for communication between proxy servers (0 = none)
#   options follow, e.g. weight=n; originserver marks the peer as the origin server
cache_peer 192.168.29.133 parent 80 0 originserver
```
Access squid_server from the browser
View the web_server and squid_server logs
```bash
[root@squid_server ~]# tail -f /var/log/squid/access.log
1593420981.170 0 192.168.29.1 TCP_MEM_HIT/200 389 GET http://192.168.29.145/ - HIER_NONE/- text/html
[root@web_server ~]# tail -f /var/log/nginx/access.log
192.168.29.145 - - [29/Jun/2020:16:56:55 +0800] "GET / HTTP/1.1" 304 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36" "192.168.29.1"
```
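The access.log lines shown throughout this tutorial differ in their result and hierarchy codes, and those codes are the quickest way to tell how a request was served: HIER_NONE means the object came from Squid's cache without contacting any server, HIER_DIRECT means Squid fetched it from the origin itself, ORIGINAL_DST means an intercepted (transparent) connection was forwarded to its original destination, and TCP_REFRESH_FAIL_OLD means revalidation failed and a stale copy was served, which is what happened above when nginx was stopped. The script below is an added example for this page, not part of the tutorial or of Squid; it summarises Squid's native log format per client and computes a simple cache hit ratio. The embedded sample input consists of the four access.log entries quoted in the tutorial.

```shell
#!/bin/sh
# Added example for this page (not part of the tutorial or of Squid):
# summarise Squid native access.log lines by client, result code and
# hierarchy code, and compute a simple cache hit ratio.
#
# Native log format (space separated):
#   timestamp elapsed client result/status bytes method URL user hierarchy/peer type

# Sample input: the four access.log lines quoted in the tutorial.
SAMPLE_LOG='1593417955.839 2 192.168.29.1 TCP_MEM_HIT/200 355 GET http://192.168.29.134/ - HIER_NONE/- text/html
1593418080.136 1 192.168.29.1 TCP_REFRESH_FAIL_OLD/200 451 GET http://192.168.29.134/ - HIER_DIRECT/192.168.29.134 text/html
1593421346.838 2 192.168.31.129 TCP_MISS/200 380 GET http://192.168.29.134/ - ORIGINAL_DST/192.168.29.134 text/html
1593420981.170 0 192.168.29.1 TCP_MEM_HIT/200 389 GET http://192.168.29.145/ - HIER_NONE/- text/html'

# Reads log lines on stdin; prints "client result/status hierarchy count", sorted.
summarize_squid_log() {
    awk 'NF >= 9 {
            split($9, hier, "/")          # "HIER_NONE/-" -> HIER_NONE
            count[$3 " " $4 " " hier[1]]++
         }
         END { for (k in count) print k, count[k] }' | LC_ALL=C sort
}

# Reads log lines on stdin; prints the percentage of requests whose result
# code contains HIT (served from cache), as an integer.
squid_hit_ratio() {
    awk 'NF >= 9 { n++; if ($4 ~ /HIT/) hits++ }
         END { if (n) printf "%d\n", 100 * hits / n; else print 0 }'
}

# Usage on a real proxy: summarize_squid_log < /var/log/squid/access.log
printf '%s\n' "$SAMPLE_LOG" | summarize_squid_log
printf 'hit ratio: %s%%\n' "$(printf '%s\n' "$SAMPLE_LOG" | squid_hit_ratio)"
```

On the sample the summary shows the forward-proxy client 192.168.29.1 with two cache hits and one stale refresh, and the transparently proxied win7 client 192.168.31.129 with one ORIGINAL_DST miss; the hit ratio over the four lines is 50%.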