码迷,mamicode.com
首页 > 其他好文 > 详细

squid 正向代理

时间:2015-11-26 19:25:22      阅读:179      评论:0      收藏:0      [点我收藏+]

标签:squid 正向代理

有时候我们的机器处于内网环境中,无法直接访问外网。如果此时有机器能够访问外网的资源,那么就可以让这台服务器充当squid,并且做正向代理。一般这个机器是有2块网卡,一块连接内网,一块连接外网


技术分享

一、环境准备:


squid服务器: eth0:192.168.233.128/24(外网网卡,能上外网)

         eth1:192.168.231.129/24(内网网卡)


内网服务器:192.168.231.130/24(内网网卡)



二、安装Squid

#需要配置好本地yum源

yum install squid -y  




三、Squid配置文件

# cat /etc/squid/squid.conf

#

# Recommended minimum configuration:

#

#############################################################################

# squid权限控制 acl和http_access

#############################################################################

acl manager proto cache_object

acl localhost src 127.0.0.1/32 ::1

acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1


# Example rule allowing access from your local networks.

# Adapt to list your (internal) IP networks from where browsing

# should be allowed

# 局域网内的IP,看情况是否考虑需要

acl localnet src 10.0.0.0/8# RFC1918 possible internal network

acl localnet src 172.16.0.0/12# RFC1918 possible internal network

acl localnet src 192.168.231.0/24# RFC1918 possible internal network

acl localnet src fc00::/7       # RFC 4193 local private network range

acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines


# 定义ssl端口、一些安全端口和http访问的connect方法

acl SSL_ports port 443

acl Safe_ports port 80# http

acl Safe_ports port 21# ftp

acl Safe_ports port 443# https

acl Safe_ports port 70# gopher

acl Safe_ports port 210# wais

acl Safe_ports port 1025-65535# unregistered ports

acl Safe_ports port 280# http-mgmt

acl Safe_ports port 488# gss-http

acl Safe_ports port 591# filemaker

acl Safe_ports port 777# multiling http

acl CONNECT method CONNECT


#

# Recommended minimum Access Permission configuration:

# 推荐最小访问权限配置


#

# Only allow cachemgr access from localhost

# 允许本机管理缓存,其他的拒绝

http_access allow manager localhost

http_access deny manager


# Deny requests to certain unsafe ports

http_access deny !Safe_ports


# Deny CONNECT to other than secure SSL ports

http_access deny CONNECT !SSL_ports


# We strongly recommend the following be uncommented to protect innocent

# web applications running on the proxy server who think the only

# one who can access services on "localhost" is a local user


# 强烈建议去除注释。防止通过代理来访问本代理服务器上的web程序


http_access deny to_localhost


# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS

# 下面插入你自己的规则


# Example rule allowing access from your local networks.

# Adapt localnet in the ACL section to list your (internal) IP networks

# from where browsing should be allowed


# 允许localhost和局域网内用户的请求

http_access allow localnet

http_access allow localhost


# And finally deny all other access to this proxy

# 拒绝其他的对代理的访问,squid的ACL规则类似iptables的规则匹配,从上到下依次匹配,上面规则的匹配到了,下面的规则就不匹配了

http_access deny all



#############################################################################

     Squid的基本配置

#############################################################################

# 默认监听内网地址的3128端口

# Squid normally listens to port 3128

http_port 192.168.231.129:3128




#############################################################################

###    squid缓存配置

#############################################################################


# We recommend you to use at least the following line.

hierarchy_stoplist cgi-bin ?


# Uncomment and adjust the following to add a disk cache directory.

# 去除注释并调整下面这行语句来增加一个磁盘缓存目录


cache_dir ufs /var/spool/squid 100 16 256


# Leave coredumps in the first cache dir

# 将核心输出保存在第一个缓存目录

coredump_dir /var/spool/squid


# Add any of your own refresh_pattern entries above these.

# 添加自己的刷新缓存的正则

refresh_pattern ^ftp:144020%10080

refresh_pattern ^gopher:14400%1440

refresh_pattern -i (/cgi-bin/|\?) 00%0

refresh_pattern .020%4320



默认的log路径为/var/log/squid/。可以进行查看一下相关的日志。

# cd /var/log/squid/

# ls

access.log  cache.log  squid.out


四、运行服务


# service squid start


五、客户端测试


技术分享


技术分享


六、ACL权限控制详解

squid 的ACL规则非常强大



本文出自 “小鱼的博客” 博客,转载请与作者联系!

squid 正向代理

标签:squid 正向代理

原文地址:http://395469372.blog.51cto.com/1150982/1717143

(0)
(0)
   
举报
评论 一句话评论(0
登录后才能评论!
© 2014 mamicode.com 版权所有  联系我们:gaon5@hotmail.com
迷上了代码!