linux企業(yè)級(jí)應(yīng)用lly squid實(shí)驗(yàn)報(bào)告

1、需求描述ØØ通過(guò)緩存免除客戶機(jī)的服務(wù)來(lái)提高上網(wǎng)速度設(shè)置工作實(shí)現(xiàn)思路ØØØ編寫 iptables 規(guī)則，實(shí)現(xiàn) SNAT、REDIRECT 應(yīng)用構(gòu)建 squid 服務(wù)器，支持合理使用 ACL 列表，進(jìn)行類型：的基本類型§§使用§§：適用于 Internet，需明確指定服務(wù)端：適用于共享上網(wǎng)網(wǎng)關(guān)，不需指定服務(wù)端的好處提高 Web速度隱藏客戶機(jī)的真實(shí) IP 地址Squid 常見(jiàn)配置項(xiàng)：http_port 3128默認(rèn)服務(wù)端口日志文件儲(chǔ)存路徑供給 squid 使用的內(nèi)存緩存目錄大小access_log /var/l

2、og/squid/access.log squidcache_mem 64 MBcache_dir ufs /var/spool/squid 100 16 256visible_hostname dns_testnamesum_object_size 4096 KB reply_body_max_size 10240000 allow all1.前期準(zhǔn)備：準(zhǔn)備 web 服務(wù)器：緩存的最大對(duì)象的最大對(duì)象roothttpServer Desktop# vim /etc/sysconfig/network-scripts/ifcfg-eth0DEVICE=eth0HWADDR=00:0c:29:d0

3、:9e:c4TYPE=EthernetUUID=ac1bc5a9-99dc-45ca-9d49-1a64de7c93ed ONBOOT=yesNM_CONTROLLED=yes傳統(tǒng)重啟網(wǎng)卡，查看配置roothttpServer Desktop# /etc/init.d/network restarthttp server 其實(shí)不需要兩塊網(wǎng)卡，單網(wǎng)卡即可roothttpServer Desktop# iptables -F roothttpServer Desktop# iptables -XroothttpServer Desktop# setenforce 0開(kāi)啟 httpd 服務(wù)，測(cè)試性：

4、配置 squid 服務(wù)器：（需要雙網(wǎng)卡?。﹔ootSquidServer Desktop# vim /etc/sysconfig/network-scripts/ifcfg-eth0【】DEVICE=eth0HWADDR=00:0c:29:a0:6b:40TYPE=EthernetUUID=ac1bc5a9-99dc-45ca-9d49-1a64de7c93ed ONBOOT=yesNM_CONTROLLED=yes BOOTPROTO=noneUSERCTL=noBOOTPROTO=none USERCTL=noIPV6INIT=noIPADDR=72NETMASK=2

5、 GATEWAY=【內(nèi)網(wǎng)】rootSquidServer Desktop# vim /etc/sysconfig/network-scripts/ifcfg-eth1重啟網(wǎng)卡服務(wù)：rootSquidServer Desktop# iptables -FrootSquidServer Desktop# iptables -XrootSquidServer Desktop# setenforce 0# Please read /usr/share/doc/initscripts-*/sysconfig.txt # for the documentati

6、on of these parameters.DEVICE=eth1BOOTPROTO=noneTYPE=EthernetHWADDR=00:0c:29:a0:6b:4a IPADDR=NETMASK= IPV6INIT=noONBOOT=yes USERCTL=noIPV6INIT=noIPADDR=NETMASK=由功能rootSquidServer Desktop# echo 1 > /proc/sys/net/ipv4/ip_forward配置 windows 客戶機(jī)：測(cè)試http 服

7、務(wù)器，（172 網(wǎng)段服務(wù)器）查看 http 服務(wù)器日志文件：roothttpServer # tail -3 /usr/local/httpd/logs/access_log前期準(zhǔn)備完成！2.編譯安裝 squid 服務(wù)rootSquidServer # tar -zxf squid-3.4.6.tar.gz -C /usr/src/ rootSquidServer # cd /usr/src/squid-3.4.6/rootSquidServer squid-3.4.6# ./configure -prefix=/usr/local/squid -sysconfdir=/etc -enable

8、-arp-acl -enable-linux-netfilter -enable-linux-tproxy -enable-async-io=100 -enable-err-language="Simplify_" -enable-underscore -enable-poll -enable-gnuregex注釋：【漫長(zhǎng)的等待】【優(yōu)化路徑】【創(chuàng)建程序用戶 squid】rootSquidServer squid-3.4.6# make -j8 && make installrootSquidServer squid-3.4.6# ln -s /usr/loc

9、al/squid/sbin/* /usr/local/sbin/ rootSquidServer squid-3.4.6# useradd -M -s /sbin/nologin squidrootSquidServer squid-3.4.6# chown -R squid.squid /usr/local/squid/var/自寫服務(wù)：rootSquidServer run# vim /etc/init.d/squid-prefix=/usr/local/squid安裝路徑-sysconfdir=/etc單獨(dú)將配置文件修改到其他位置-enable-arp-acl可以再規(guī)則中設(shè)置直接通過(guò)客戶

10、端 mac 地址進(jìn)行管理，防止客戶機(jī) ip-enable-linux-netfilter使用內(nèi)核過(guò)濾-enable-linux-tproxy支持透明模式-enable-async-io=100異步 i/o，提升儲(chǔ)存性能-enable-err-language="Simplify_"錯(cuò)誤信息提示語(yǔ)言-enable-underscoreURL 中有下劃線-enable-poll使用 Poll（）模式，提升性能-enable-gnuregex使用 GUN 正則表達(dá)式#!/bin/bash# chkconfig: 2345 90 25# pidfile: /usr/loca/squ

11、id/var/run/squid.pid # config: /etc/squid/squid.conf# BEGIN INIT INFO# Provides: squid# Short-Description: starting and stopping Squid Internet Object Cache # Description: Squid - Internet Object Cache. Internet object caching is # # # #a way to store requested Internet objects (i.e., data available

12、 via the HTTP, FTP, and gopher protocols) on a system closer to the requesting site than to the source. Web browsers can then use the local Squid cache as a proxy HTTP server, reducing access time as well as bandwidth consumption.# END INIT INFOPID="/usr/local/squid/var/run/squid.pid" CONF

13、="/etc/squid/squid.conf" CMD="/usr/local/squid/sbin/squid"STATUS()netstat -anpt | grep squid&>/dev/nullif $? -eq 0 thenecho "squid is running"ficase "$1" instart)netstat -anpt | grep squid &> /dev/null if $? -eq 0 thenecho "squid is running&

14、quot;elseecho "正在啟動(dòng) squid."$CMDfi;stop)$CMD -k kill &> /dev/null rm -rf $PID &> /dev/null;status) -f $PID &> /dev/null if $? -eq 0 then STATUSelseecho "Squid is not runing"firootSquidServer # chmod +x /etc/init.d/squidrootSquidServer # chkconfig -add squid ro

15、otSquidServer # chkconfig squid on 錯(cuò)誤提示：rootSquidServer local# /etc/init.d/squid start squid is running2015/06/26 20:33:12| WARNING: Could not determine this machines public hostname. Please configure one or set 'visible_hostname'.2015/06/26 20:33:12| WARNING: Could not determine this machin

16、es public hostname. Please configure one or set 'visible_hostname'.2015/06/26 20:33:12| WARNING: Could not determine this machines public hostname. Please configure one or set 'visible_hostname'.WARNING: Cannot write log file: /usr/local/squid/var/logs/cache.log/usr/local/squid/var/l

17、ogs/cache.log: Permission denied messages will be sent to 'stderr'.解決方案：2015/06/26 20:33:12| WARNING: Could not determine this machines public hostname. Please configure one or set2015/06/26 20:33:12 |警告:無(wú)法確定這公共主機(jī)名。請(qǐng)配置一個(gè)或一組“visible_hostname”。'visible_hostname'.無(wú)法確定主機(jī)名，手動(dòng)寫入主機(jī)名，重啟服務(wù)roo

18、tSquidServer Desktop# vim /etc/squid.confWARNING: Cannot write log file: /usr/local/squid/var/logs/cache.log/usr/local/squid/var/logs/cache.log: Permission denied messages will be sent to 'stderr'.警告:不能寫日志文件:/usr/local/squid/var/logs/cache.log/usr/local/squid/var/logs/cache.日志:拒絕消息將被到 stderr

19、。權(quán)限不足導(dǎo)致無(wú)權(quán)寫入文件，因?yàn)樵谥皩⑵渌拗髟O(shè)置為 squid 用戶，而現(xiàn)在以 root 用戶運(yùn)行服務(wù)，出現(xiàn)文件。處理方案：rootSquidServer local# chown -R squid:squid /usr/local/squid/var/logs/ rootSquidServer local# chmod -R 777 /usr/local/squid/var/logs/rootSquidServer local# /etc/init.d/squid restartvisible_hostname localhost.localdomain【改成本機(jī)主機(jī)名】;restart)

20、$0 stop &>/dev/null echo "正在關(guān)閉 squid."$0 start &>/dev/null echo "正在啟動(dòng) squid."reload)$CMD -k reconfigure;check)$CMD -k parse;*)echo "Usage: $0 start|stop|status|reload|check|restart"esac正在關(guān)閉 squid. 正在啟動(dòng) squid. 處理方案：rootwww squid-3.4.6# vim /etc/squid.conf【手

21、動(dòng)指定用戶以及組】3.配置傳統(tǒng)：rootSquidServer Desktop# vim /etc/squid.conf重啟服務(wù)：rootSquidServer Desktop# /etc/init.d/squid restart正在關(guān)閉 squid.正在啟動(dòng) squid.為客戶機(jī)設(shè)置：windows：55 # And finally deny all other access to this proxy56 http_access allow all默認(rèn)是 deny，手動(dòng)改為 allow 57 reply_body_max_size 10 MB的最大附件大小58 # Squid normal

22、ly listens to port 312859 http_port 3128默認(rèn)端312873 # Uncomment and adjust the following to add a disk cache directory.74 cache_dir ufs /usr/local/squid/var/cache/squid 100 16 256開(kāi)啟本地緩存60 cache_effective_user squid61 cache_effective_group squidLinux 客戶機(jī)：rootlocalhost # vim /etc/profile【此操作只對(duì) wget、elin

23、ks 等文本瀏覽器生效，對(duì)第瀏覽器無(wú)效】rootlocalhost # . /etc/profilerootlocalhost 123# wget-2015-06-26 21:37:32-正在連接72:80. 已連接。已發(fā)出 HTTP 請(qǐng)求，正在等待回應(yīng). 200 OK長(zhǎng)度：44 text/html正在保存至: “index.html”100%=> 44-.-K/sin 0s2015-06-26 21:37:32 (10.2 MB/s) - 已保存 “index.html” 44/44)HTTP_PROXY= HTTPS_PROXY= FTP_PROXY=NO_PR

24、OXY=192.168.4.,export HTTP_PROXY HTTPS_PROXY FTP_PROXY NO_PROXY：服務(wù)器：4.【日志】rootSquidServer Desktop# tail /usr/local/squid/var/logs/access.loghttp 服務(wù)器：roothttpServer local# tail -5 /usr/local/httpd/logs/access_log【日志】5.配置配置 squid 支持rootSquidServer Desktop# vim /etc/squid.conf重啟服務(wù)rootlocalhost squid-3.

25、4.6# /etc/init.d/squid restart正在關(guān)閉 squid.正在啟動(dòng) squid.使用 iptables 進(jìn)行重定向rootSquidServer Desktop# iptables -t nat -I PREROUTING -i eth1 -s /24 -p tcp -dport 80 -j REDIRECT -to 3128rootSquidServer Desktop# iptables -t nat -I PREROUTING -i eth1 -s /24 -p tcp -dport 443 -j REDIRECT -t

26、o58 # Squid normally listens to port 3128 59 http_port 3128 transparent3128將目標(biāo)網(wǎng)段測(cè)試：客戶機(jī)關(guān)閉80,443 的請(qǐng)求重定向到本機(jī)的 3128 端口，清除緩存Squid 服務(wù)器：6.ACl根據(jù)源地址、目標(biāo) URL、文件類型等定義列表（自定義 ACL）acl列表名稱 列表類型已定義的 acl 列表進(jìn)行限制http_accessallow 或 deny列表內(nèi)容 .（ACL）列表名稱 .語(yǔ)法定義如下：acl aclname acltype string1acl aclname acltype "file"

27、;/acltype 可以是（src、dst、srcdomain、dstdomain、url_regex、urlpath_regex、time、port、proto、method）(1) src：源地址。定義如下：acl aclname src ip-address/netmask . 客戶ip 地址acl:aclname src addr1-addr2/netmask . 地址范圍(2)dst：目標(biāo)地址acl aclname dst ip-address/netmask .(3)srcdomain：客戶所屬的域acl aclname srcdomain .(4)dstdomain：請(qǐng)求服務(wù)器所

28、屬的域acl aclnamedstdomain .(5)time：時(shí)間acl aclnametime day-abbrevs h1:m1-h2:m2hh:mm-hh:mm1S：指代 Sunday2M：指代 Monday3T：指代 Tuesday4W：指代 Wednesday5H：指代 Thursday6F：指代 Friday7A：指代 Saturday(6)port：端口?？梢灾付ǘ鄠€(gè)端口acl aclnameport 80 70 21 .acl aclnameport 0-1024 . 指定一個(gè)端口范圍(7)proto：使用協(xié)議acl aclname proto HTTP FTP .(8)m

29、ethod：請(qǐng)求acl aclname method GET POST .(9)url_regex：URL 規(guī)則表達(dá)式匹配acl aclname url_regex-i pattern(10)urlpath_regex：URL-path 規(guī)則表達(dá)式匹配acl aclname urlpath_regex-i pattern2http_access列表。最后的條目設(shè)為“deny all”或“allow all”來(lái)避免根據(jù)列表或某一類用戶安全性隱患。http_access Action1 AND2 AND 多個(gè)，http_access間用或運(yùn)算連接，但每個(gè)條目的元素間用與運(yùn)算連接，列表中的規(guī)則總是遵

30、循由上而下的順序。3實(shí)例應(yīng)用（1）IP 地址為 00 的客戶機(jī)上網(wǎng)acl client src http_access deny client（2）網(wǎng)段 10-50 上網(wǎng)acl client src 0-0/32http_access deny client（3）拒絕web 的ipacl client dst http_access deny client（4）限制 URL 以 某些內(nèi)容 開(kāi)頭acl client url_regex indexhttp_access deny client（

31、5）限制 URL 以 某些內(nèi)容 結(jié)尾acl client urlpath_regex .htmlhttp_access deny client（6）限制時(shí)間段acl client time MTWHFA 9:00-18:00http_access deny client（7）限制 443 端口上網(wǎng)acl http port 443http_access deny http（8）限制用戶并發(fā)連接數(shù)為：5acl clientsrc 5acl conn5 max 5http_access deny client conn5（9）*.mp3$ *.exe$ *.zip$ *.rar

32、$ *.doc$類型的文件acl clienturlpath_regex -i .mp3$ .exe$.zip$.rar$.doc$http_access修改配置文件deny client【添加在配置文件首部！】rootlocalhost squid-3.4.6# /etc/init.d/squid restart正在關(guān)閉 squid. 正在啟動(dòng) squid. 測(cè)試：rootlocalhost squid-3.4.6# vim /etc/squid.conf#ACL #acl upload urlpath_regex -i .3gp$ .mp4$ .f4v$ .mkv$ .rmvb$ .avi

33、$ http_access deny upload#域acl balckdomain dstdomain http_access deny balckdomain#使用時(shí)間段acl truetime time MTWHF 08:30-17:30 http_access allow truetimehttp_access deny allum_object_size4 MB可以文件不后綴為不.avi可以正常網(wǎng)頁(yè)7.配置日志分析SARG 的全稱是：Squid Analysis Report GeneratorSARG 非常好用的 Squid 日志分析工具,它輸出 html 格式，可以詳細(xì)列出了每一

34、位用戶internet 的站點(diǎn)信息，時(shí)間占用信息，排名，連接次數(shù)， 的主頁(yè)：a.配置 yum，安裝 GD 庫(kù)：量，量等。rootSquidServer # mkdir /media/cdromrootSquidServer # mount /dev/cdrom /media/cdrommount: block device /dev/sr0 is write-protected, mounting read-only rootSquidServer # mv /etc/yum.repos.d/* /root/rootSquidServer # cp /root/CentOS-Media.rep

35、o /etc/yum.repos.d/base.repo【配置 yum，內(nèi)容省略】rootSquidServer # vim /etc/yum.repos.d/base.reporootSquidServer # yum clean all已加載插件：fastestmirror, refresh-packagekit, security Cleaning repos: c6-media一切Cleaning up list of fastest mirrorsrootSquidServer # yum -y install gd gd-develb.安裝 sarg【學(xué)校那個(gè)源碼包有?！縭oot

36、SquidServer Desktop# tar -zxvf sarg-2.3.1.tar.gz -C /usr/src/root SquidServer Desktop# cd /usr/src/sarg-2.3.1/root SquidServer sarg-2.3.1# ./configure -prefix=/usr/local/sarg -sysconfdir=/etc/sarg -enable-extraprotectionrootlocalhost sarg-2.3.1# make && make installC.配置 sargrootlocalhost sarg-2.3.1# vim /etc/sarg/sarg.confD.運(yùn)行rootSquidServer # touch /usr/local/sarg/noreport【創(chuàng)建top，加入則不進(jìn)行排序】rootSquidServer # ln -s /usr/local/sarg/bin/sarg /usr/local/bin/【優(yōu)化命令路徑】rootSquidServer # sarg在文件: 222, reading: 100.00%的生成報(bào)告在 /usr/local/httpd/htdocs/squid-reports/2015Jun28-2015Jun28SARG:SA