[root@master ~]# vim /etc/squid.conf #(Usage: cachemgr_passwd password action action ...
cachemgr_passwd jowinconfig
[root@master ~]# vim /etc/squid.conf
[root@master ~]# service httpd start
Starting httpd: httpd: Could not reliably determine the server's fully qualified domain name, using 10.96.20.113 for ServerName
[ OK ]
Transparent proxy with iptables + squid (configured on the gateway host, which needs at least 2 NICs; purpose: control of internal employees' web access, faster browsing, and in the early days it saved bandwidth cost):
--enable-linux-netfilter Enable Transparent Proxy support for Linux (Netfilter) #(./configure option: squid must have been built with it, or the intercept port below will not work)
[root@master ~]# ifconfig | egrep -A 1 "eth0|eth1"
eth0 Link encap:Ethernet HWaddr 00:0C:29:1F:B6:AC
inet addr:10.96.20.113 Bcast:10.96.20.255 Mask:255.255.255.0
--
eth1 Link encap:Ethernet HWaddr 00:0C:29:1F:B6:B6
inet addr:192.168.10.113 Bcast:192.168.10.255 Mask:255.255.255.0
[root@master ~]# vim /etc/sysctl.conf
net.ipv4.ip_forward = 1
[root@master ~]# sysctl -p
[root@master ~]# cat /proc/sys/net/ipv4/ip_forward
1
[root@master ~]# vim /etc/squid.conf (change or add the following; http_port 3129 intercept is mandatory; keep the clock on the squid host in sync with real time, because expiry decisions are made against it)
#http_port 3128
http_port 3129 intercept #(from Squid 3.1 the option is spelled intercept rather than transparent, and the intercept listener must be a port of its own: 3128 stays the ordinary forward-proxy port, 3129 receives the traffic redirected by iptables)
cache_mem 64 MB #(default cache_mem 256 MB; it should not exceed the disk space configured in cache_dir, otherwise Squid complains at startup; 'cache_mem' specifies the ideal amount of memory to be used for: In-Transit objects, Hot Objects, Negative-Cached objects)
cache_swap_low 90 #(default 90; The low-watermark for AUFS/UFS/diskd cache object eviction by the cache_replacement_policy algorithm.)
cache_swap_high 95 #(default 95; The high-water mark for AUFS/UFS/diskd cache object eviction by the cache_replacement_policy algorithm.)
maximum_object_size 8192 KB #(Set the default value for max-size parameter on any cache_dir. The value is specified in bytes, and the default is 4 MB.)
minimum_object_size 0 KB #(Objects smaller than this size will NOT be saved on disk. The value is specified in bytes, and the default is 0 KB, which means all responses can be stored. Default: no limit)
maximum_object_size_in_memory 4096 KB #(default 512 KB; Objects greater than this size will not be attempted to kept in the memory cache. This should be set high enough to keep objects accessed frequently in memory to improve performance whilst low enough to keep larger objects from hoarding cache_mem.)
#emulate_httpd_log on #(obsolete in Squid 3.x; Replace this with an access_log directive using the format 'common' or 'combined'. Default: none)
memory_replacement_policy lru #(default lru, least recently used; cache_replacement_policy takes the same choices: lru (Squid's original list based LRU policy), heap GDSF (Greedy-Dual Size Frequency), heap LFUDA (Least Frequently Used with Dynamic Aging), heap LRU (LRU policy implemented using a heap))
[root@master ~]# squid -k parse
[root@master ~]# iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-ports 3129
[root@master ~]# iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -j SNAT --to-source 10.96.20.113
[root@master ~]# iptables -t nat -L -n
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
REDIRECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 redir ports 3129
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
SNAT all -- 192.168.10.0/24 0.0.0.0/0 to:10.96.20.113
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Configuration on the internal host 192.168.10.118 (its default gateway must be the squid host's eth1 address, 192.168.10.113); test by browsing with # elinks www.baidu.com while watching squid's access.log at the same time
[root@master ~]# tail -f /usr/local/squid/var/logs/access.log
1472719549.725 9 192.168.10.118 TCP_MISS/200 7822 GET http://www.baidu.com/baidu.html? - ORIGINAL_DST/115.239.210.27 text/html
1472719556.301 24 192.168.10.118 TCP_MISS/200 100873 GET http://www.baidu.com/ - ORIGINAL_DST/115.239.210.27 text/html
1472719557.303 0 192.168.10.118 TCP_MEM_HIT/200 7828 GET http://www.baidu.com/baidu.html? - HIER_NONE/- text/html
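To confirm that interception is really happening and to read lines like the three above, here is an added example (my own code, not from the page or from Squid) that parses Squid's native access.log format (time, elapsed ms, client, result/status, bytes, method, URL, ident, hierarchy/peer, content type) and summarises per-client hits, bytes and how many requests were forwarded as ORIGINAL_DST, which is the hierarchy code an http_port ... intercept listener produces. The sample lines are the three from the tail -f output above with their spacing repaired; the record fields and helper names are my own naming.

```python
"""Parse Squid native access.log lines and summarise per-client traffic.

Added example for these notes; it is not part of Squid or the original page.
Native format: time elapsed client result/status bytes method URL ident hierarchy/peer type
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample: the three lines from the tail -f output above, spacing repaired.
SAMPLE_LOG = """\
1472719549.725      9 192.168.10.118 TCP_MISS/200 7822 GET http://www.baidu.com/baidu.html? - ORIGINAL_DST/115.239.210.27 text/html
1472719556.301     24 192.168.10.118 TCP_MISS/200 100873 GET http://www.baidu.com/ - ORIGINAL_DST/115.239.210.27 text/html
1472719557.303      0 192.168.10.118 TCP_MEM_HIT/200 7828 GET http://www.baidu.com/baidu.html? - HIER_NONE/- text/html
"""


@dataclass
class AccessRecord:
    timestamp: float    # request completion time, seconds since the epoch
    elapsed_ms: int     # milliseconds Squid spent servicing the request
    client: str         # client address (the intercepted LAN host)
    result: str         # Squid result code: TCP_MISS, TCP_MEM_HIT, TCP_DENIED, ...
    status: int         # HTTP status sent to the client
    size: int           # bytes delivered to the client, headers included
    method: str
    url: str
    ident: str          # RFC 931 ident / login name, "-" when absent
    hierarchy: str      # forwarding decision: ORIGINAL_DST, HIER_NONE, FIRSTUP_PARENT, ...
    peer: str           # upstream address, "-" when served from cache
    content_type: str


def parse_line(line: str) -> AccessRecord:
    """Split one native-format line into its ten whitespace-separated fields."""
    fields = line.split()
    if len(fields) != 10:
        raise ValueError(f"expected 10 fields, got {len(fields)}: {line!r}")
    ts, elapsed, client, code_status, size, method, url, ident, hier_peer, ctype = fields
    result, status = code_status.split("/", 1)
    hierarchy, peer = hier_peer.split("/", 1)
    return AccessRecord(float(ts), int(elapsed), client, result, int(status),
                        int(size), method, url, ident, hierarchy, peer, ctype)


def parse_log(text: str) -> list[AccessRecord]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def summarise(records: list[AccessRecord]) -> dict[str, dict[str, float]]:
    """Per-client counters. A hit is any result code containing HIT; 'intercepted'
    counts requests Squid forwarded to the client's original destination, which is
    what an http_port ... intercept listener produces (ORIGINAL_DST)."""
    stats: dict[str, dict[str, float]] = {}
    for r in records:
        s = stats.setdefault(r.client, {"requests": 0, "hits": 0, "bytes": 0, "intercepted": 0})
        s["requests"] += 1
        s["bytes"] += r.size
        if "HIT" in r.result:
            s["hits"] += 1
        if r.hierarchy == "ORIGINAL_DST":
            s["intercepted"] += 1
    for s in stats.values():
        s["hit_ratio"] = s["hits"] / s["requests"]
    return stats


if __name__ == "__main__":
    for client, s in summarise(parse_log(SAMPLE_LOG)).items():
        print(f"{client}: {s['requests']} requests, {s['hits']} hits "
              f"({s['hit_ratio']:.0%}), {s['bytes']} bytes, {s['intercepted']} via ORIGINAL_DST")
```

Run it against a copy of the real access.log (parse_log(open(path).read())) after browsing from the LAN host: a client with zero ORIGINAL_DST entries but many requests is going through 3128 as a configured proxy, not being intercepted.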
Example (reverse proxy / cache server; improves user experience; deploy it when the backend web servers, storage or DB can no longer keep up):
A squid reverse proxy generally caches only cacheable content such as HTML pages, js, css and pictures; CGI scripts and dynamic asp/jsp/php programs are not cached by default. It decides what to cache for static pages from the HTTP headers the web server returns; four headers matter:
Last-Modified (tells the reverse proxy when the page was last modified);
Expires (tells the reverse proxy when the page should be dropped from the cache);
Cache-Control (tells the reverse proxy whether the page may be cached; common directives: no-store (no caching at all: an intermediate cache server must not store the object and only forwards it, headers included, to the user), no-cache (the cache server may keep a local copy but must not serve it to a user without first revalidating with the origin), must-revalidate (strict mode: by default a caching proxy may serve a stale object to improve performance; with this directive a stale object is never returned, and if the origin cannot be reached a 504 Gateway Timeout is returned instead), max-age (how long, in seconds, the object stays usable after the cache server receives it), s-maxage (like max-age but applies only to shared/public caches));
Pragma (carries implementation-specific directives; the common one is Pragma: no-cache, used for compatibility with HTTP/1.0; in principle it belongs only in requests and has the same effect as Cache-Control: no-cache);
Note on precedence: Cache-Control, then Expires, then refresh_pattern, then Last-Modified; once an earlier one applies, the later ones are effectively ignored. ETag is checked by sending a conditional request to the origin server, whereas Last-Modified is by default used locally (for the LM-factor heuristic) without asking the origin
[root@master ~]# ifconfig | egrep -A 1 "eth0|eth1"
eth0 Link encap:Ethernet HWaddr 00:0C:29:1F:B6:AC
inet addr:10.96.20.113 Bcast:10.96.20.255 Mask:255.255.255.0
--
eth1 Link encap:Ethernet HWaddr 00:0C:29:1F:B6:B6
inet addr:192.168.10.113 Bcast:192.168.10.255 Mask:255.255.255.0
[root@master ~]# cat /proc/sys/net/ipv4/ip_forward
1
[root@master ~]# curl 192.168.10.118 #(httpd is deployed on the backend host 192.168.10.118)
www.test.com
[root@master ~]# vim /etc/hosts
192.168.10.118 www.test.com
[root@master ~]# vim /etc/squid.conf #(change or add the following)
http_port 80 accel vhost vport
cache_peer www.test.com parent 80 0 no-query no-digest max-conn=32 originserver
#(usage: cache_peer hostname type http-port icp-port [options]; type is one of 'parent', 'sibling' or 'multicast';
# icp-port 0: Set to 0 if the peer does not support ICP or HTCP;
# no-query is an ICP option: Disable ICP queries to this neighbor;
# max-conn=N is a general option: Limit the number of concurrent connections the Squid may open to this peer, including already opened idle and standby connections. There is no peer-specific connection limit by default;
# originserver and no-digest are accelerator/reverse-proxy options; originserver: Causes this parent to be contacted as an origin server. Meant to be used in accelerator setups when the peer is a web server; no-digest: Disable request of cache digests)
refresh_pattern -i \.jpg$ 30 50% 4320 reload-into-ims
#(usage: refresh_pattern [-i] regex min percent max [options];
# 'Min' is the time (in minutes) an object without an explicit expiry time should be considered fresh. The recommended value is 0, any higher values may cause dynamic applications to be erroneously cached unless the application designer has taken the appropriate actions;
# 'Percent' is a percentage of the object's age (time since last modification age) an object without explicit expiry time will be considered fresh;
# 'Max' is an upper limit on how long objects without an explicit expiry time will be considered fresh;
# reload-into-ims changes a client no-cache or ``reload'' request for a cached entry into a conditional request using If-Modified-Since and/or If-None-Match headers, provided the cached entry has a Last-Modified and/or a strong ETag header. Doing this VIOLATES the HTTP standard. Enabling this feature could make you liable for problems which it causes;
# other options: override-expire, override-lastmod, ignore-reload, ignore-no-store, ignore-must-revalidate, ignore-private, ignore-auth, max-stale=NN, refresh-ims, store-stale;
# how the three numbers apply: a response that has been in the cache for less than the 30 min minimum is not considered stale; 4320 min is the longest a response may live, beyond that it must be refreshed; in between, squid applies its LM-factor rule: it compares the response's age with the resource's age as a ratio and refreshes the response once that ratio exceeds 50%; resource age = time the object entered the cache - the object's Last-Modified, response age = current time - time the object entered the cache, LM-factor = response age / resource age)
refresh_pattern -i \.png$ 30 50% 4320 reload-into-ims
refresh_pattern -i \.gif$ 30 50% 4320 reload-into-ims
hosts_file /etc/hosts
request_header_max_size 128 KB #(This specifies the maximum size for HTTP headers in a request. Request headers are usually relatively small (about 512 bytes). Placing a limit on the request header size will catch certain bugs (for example with persistent connections) and possibly buffer-overflow or denial-of-service attacks. Default: request_header_max_size 64 KB)
ipcache_size 1024 #(Maximum number of DNS IP cache entries. Default: ipcache_size 1024)
ipcache_low 90
ipcache_high 95
offline_mode on #(Enable this option and Squid will never try to validate cached objects. Default: offline_mode off; offline mode: if the backend web server goes down, pages already in squid's cache remain reachable)
[root@master ~]# squid -k parse
……
[root@master ~]# squid -s
[root@master ~]# ps aux | grep squid | grep -v grep
root 10663 0.0 0.4 53372 2404 ? Ss 01:00 0:00 squid -s
squid 10665 0.1 2.7 68264 13568 ? S 01:00 0:00 (squid-1) -s
squid 10666 0.0 0.2 20288 984 ? S 01:00 0:00 (unlinkd)
Test from a Windows host
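As an added example (my own code, not from the page or from Squid) that covers both the four caching headers described in the reverse-proxy notes and the refresh_pattern min/percent/max rule with Squid's LM-factor, the following Python applies the precedence the notes state (Cache-Control, then Expires, then the refresh_pattern limits, then Last-Modified) to a stored response and says whether it is still fresh. The pattern values 30 50% 4320 are the page's refresh_pattern lines; the clock, the stored-at times and the headers are constructed; the must-revalidate flag is reported so a caller can refuse to serve a stale copy (the 504 case). The ordering follows the page's simplified model and is not a line-by-line port of Squid's own refresh logic.

```python
"""Is a cached response still fresh? Added example for these notes (not Squid code).

Precedence as the notes describe it: Cache-Control, then Expires, then the
refresh_pattern min/max limits, then the Last-Modified heuristic (LM-factor).
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import timezone
from email.utils import formatdate, parsedate_to_datetime


@dataclass
class RefreshPattern:
    min_minutes: int    # an object with no explicit expiry is fresh below this age
    percent: int        # LM-factor threshold, 50 for "50%"
    max_minutes: int    # and always stale above this age


@dataclass
class Decision:
    fresh: bool
    reason: str
    must_revalidate: bool   # if stale and the origin is unreachable, answer 504 instead of serving the copy


def http_date_to_epoch(value: str) -> float | None:
    """HTTP date -> epoch seconds; None for unparsable values such as 'Expires: 0'."""
    try:
        dt = parsedate_to_datetime(value)
    except (TypeError, ValueError):
        return None
    if dt is None:
        return None
    if dt.tzinfo is None:   # "-0000" dates come back naive; treat as UTC
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.timestamp()


def parse_cache_control(value: str) -> dict[str, str | None]:
    """'max-age=600, public' -> {'max-age': '600', 'public': None}"""
    directives: dict[str, str | None] = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, sep, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"') if sep else None
    return directives


def check_freshness(headers: dict[str, str], stored_at: float, now: float,
                    pattern: RefreshPattern, shared_cache: bool = True) -> Decision:
    h = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(h.get("cache-control", ""))
    age = now - stored_at           # response age: seconds since the object entered the cache
    revalidate = "must-revalidate" in cc or "proxy-revalidate" in cc

    if "no-store" in cc:
        return Decision(False, "no-store: must not be kept at all", revalidate)
    if "no-cache" in cc:
        return Decision(False, "no-cache: revalidate with the origin before reuse", revalidate)

    # 1. Cache-Control lifetime; s-maxage overrides max-age for a shared (proxy) cache
    for name in ("s-maxage", "max-age") if shared_cache else ("max-age",):
        if cc.get(name) is not None and cc[name].isdigit():
            ttl = int(cc[name])
            return Decision(age < ttl, f"Cache-Control {name}={ttl}s, age={age:.0f}s", revalidate)

    # 2. Expires: an absolute time; an unparsable value counts as already expired
    if "expires" in h:
        expires = http_date_to_epoch(h["expires"])
        fresh = expires is not None and expires > now
        return Decision(fresh, "Expires header", revalidate)

    # 3. No explicit expiry: refresh_pattern min / max bounds
    if age <= pattern.min_minutes * 60:
        return Decision(True, "age within refresh_pattern min", revalidate)
    if age > pattern.max_minutes * 60:
        return Decision(False, "age beyond refresh_pattern max", revalidate)

    # 4. Between min and max: LM-factor = response age / resource age,
    #    resource age = time it entered the cache - Last-Modified
    last_modified = http_date_to_epoch(h.get("last-modified", ""))
    if last_modified is not None and stored_at > last_modified:
        lm_factor = age / (stored_at - last_modified)
        fresh = lm_factor < pattern.percent / 100
        return Decision(fresh, f"LM-factor {lm_factor:.2f} against {pattern.percent}%", revalidate)

    return Decision(False, "no expiry and no usable Last-Modified: stale", revalidate)


PATTERN = RefreshPattern(30, 50, 4320)   # the page's "refresh_pattern -i \.jpg$ 30 50% 4320"
NOW = 1472719600                         # constructed clock, same range as the page's log timestamps


def gmt(ts: float) -> str:
    return formatdate(ts, usegmt=True)


if __name__ == "__main__":
    two_hours_ago = NOW - 2 * 3600
    cases = {
        "max-age beats a past Expires": ({"Cache-Control": "max-age=86400", "Expires": gmt(NOW - 60)}, two_hours_ago),
        "Expires in the past": ({"Expires": gmt(NOW - 60)}, two_hours_ago),
        "LM-factor 0.02, fresh": ({"Last-Modified": gmt(two_hours_ago - 100 * 3600)}, two_hours_ago),
        "must-revalidate, stale": ({"Cache-Control": "max-age=60, must-revalidate"}, two_hours_ago),
    }
    for label, (headers, stored) in cases.items():
        d = check_freshness(headers, stored, NOW, PATTERN)
        print(f"{label:32} fresh={d.fresh!s:5} must_revalidate={d.must_revalidate} ({d.reason})")
```

Two things the page's offline_mode and reload-into-ims settings change are visible here: offline_mode on makes Squid skip the revalidation this function would otherwise demand, and reload-into-ims turns a client's forced reload into the conditional request that only fires when the copy is judged stale.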