squid安装配置工作记录

zhangli-s · 发表于 2018-12-26 11:16:56

　　背景环境：开发人员不能上外网，但又有一些比较特殊的站点需要用到，所有用squid进行透明代理上网，之前想到haproxy，后来查阅资料貌似haproxy只能转发不能代理上网。
　　

　　搭建前提：squid搭建透明代理上网，理论上需要两张网卡，两个Ip,两个ip在不同的网段，一个ip可以连接外网上网，一个ip连接内网。
　　

[root@linux-virsh-106 log]# ifconfig
eth0    Link encap:Ethernet  HWaddr 00:0C:29:E1:9A:69
inet addr:192.168.1.107  Bcast:192.168.1.255  Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fee1:9a69/64 Scope:Link
UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
RX packets:382562 errors:0 dropped:0 overruns:0 frame:0
TX packets:65671 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:78070930 (74.4 MiB)  TX bytes:5258206 (5.0 MiB)
eth1    Link encap:Ethernet  HWaddr 00:0C:29:E1:9A:73
inet addr:192.168.10.26  Bcast:192.168.10.255  Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fee1:9a73/64 Scope:Link
UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
RX packets:320136 errors:0 dropped:0 overruns:0 frame:0
TX packets:81908 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:22754485 (21.7 MiB)  TX bytes:59173280 (56.4 MiB)　　这里我选用了eth0 192.168.1.107可以和外网联通，eth1 192.168.10.26和内网联通
　　

　　关于ip的配置在/etc/sysconfig/network-scripts/修改 ifcfg-eth0和ifcfg-eth1即可修改完重启网卡就行了。
[root@linux-virsh-106 network-scripts]# cat ifcfg-eth0
# Intel Corporation 82545EM Gigabit Ethernet Controller (Copper)
DEVICE=eth0
BOOTPROTO=static
#BROADCAST=192.168.1.255
HWADDR=00:0C:29:E1:9A:69
IPADDR=192.168.1.107
IPV6INIT=yes
IPV6_AUTOCONF=yes
NETMASK=255.255.255.0
#NETWORK=192.168.1.0
GATEWAY=192.168.1.1
ONBOOT=yes
[root@linux-virsh-106 network-scripts]# cat ifcfg-eth1
# Intel Corporation 82545EM Gigabit Ethernet Controller (Copper)
DEVICE=eth1
BOOTPROTO=static
ONBOOT=yes
#HWADDR=00:0c:29:e1:9a:73
IPADDR=192.168.10.26
NETMASK=255.255.255.0　　

　　

　　网卡设置好了，开始设置iptables的参数
[root@linux-virsh-106 network-scripts]# echo "1" >> /proc/sys/net/ipv4/ip_forward
[root@linux-virsh-106 network-scripts]# service iptables start
[root@linux-virsh-106 network-scripts]# iptables -L
Chain INPUT (policy ACCEPT)
target    prot opt source             destination
Chain FORWARD (policy ACCEPT)
target    prot opt source             destination
Chain OUTPUT (policy ACCEPT)
target    prot opt source             destination
[root@linux-virsh-106 network-scripts]# iptables -F
[root@linux-virsh-106 network-scripts]# iptables -t nat -F
[root@linux-virsh-106 network-scripts]# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target    prot opt source             destination
Chain POSTROUTING (policy ACCEPT)
target    prot opt source             destination
Chain OUTPUT (policy ACCEPT)
target    prot opt source             destination
[root@linux-virsh-106 network-scripts]# iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -j SNAT --to-source 192.168.1.107
[root@linux-virsh-106 network-scripts]# iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3128
[root@linux-virsh-106 network-scripts]# service iptables save
将当前规则保存到 /etc/sysconfig/iptables：                [确定]
[root@linux-virsh-106 network-scripts]# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target    prot opt source             destination
REDIRECT tcp  --  anywhere          anywhere          tcp dpt:http redir ports 3128
Chain POSTROUTING (policy ACCEPT)
target    prot opt source             destination
SNAT    all  --  192.168.10.0/24    anywhere          to:192.168.1.107
Chain OUTPUT (policy ACCEPT)
target    prot opt source             destination　　安装squid
[root@linux-virsh-106 network-scripts]# yum install squid　　配置squid
　　

[root@linux-virsh-106 network-scripts]# cd /etc/squid/
[root@linux-virsh-106 squid]# ls
cachemgr.conf  errors  icons  mib.txt  mime.conf  mime.conf.default  msntauth.conf  msntauth.conf.default  squid.conf  squid.conf.bak20140120  squid.conf.bak2014012002  squid.conf.default　　

　　

　　提取出配置文件中有用的信息
[root@linux-virsh-106 squid]# grep -v "^#" squid.conf.bak20140120 |grep -v "^$" >> squid.conf　　

　　启动squid
[root@linux-virsh-106 squid]# service squid start
启动 squid：.                                           [确定][root@linux-virsh-106 squid]# netstat -ntl
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address             Foreign Address          State
tcp       0    0 127.0.0.1:2208             0.0.0.0:*                LISTEN
tcp       0    0 0.0.0.0:1004             0.0.0.0:*                LISTEN
tcp       0    0 0.0.0.0:111                0.0.0.0:*                LISTEN
tcp       0    0 127.0.0.1:631             0.0.0.0:*                LISTEN
tcp       0    0 0.0.0.0:3128             0.0.0.0:*                LISTEN
tcp       0    0 0.0.0.0:25                0.0.0.0:*                LISTEN
tcp       0    0 127.0.0.1:2207             0.0.0.0:*                LISTEN
tcp       0    0 :::22                      :::*                      LISTEN　　

　　

　　

　　基本工作已经完成，现在根据自己的需求配置squid
[root@linux-virsh-106 squid]# cat squid.conf
acl lan src 192.168.10.0/24  #这个是内网ip要连接的地址
acl all src 0.0.0.0/0.0.0.0
#自己添加的可以允许访问的url
acl url1 url_regex -i qq.com
acl url2 url_regex -i pengyou.com
acl url3 url_regex -i baidu.com
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80    # http
acl Safe_ports port 21    # ftp
acl Safe_ports port 443    # https
acl Safe_ports port 70    # gopher
acl Safe_ports port 210    # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280    # http-mgmt
acl Safe_ports port 488    # gss-http
acl Safe_ports port 591    # filemaker
acl Safe_ports port 777    # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access allow url1
http_access allow url2
http_access allow url3
http_access deny all
icp_access allow all
#在端口的后面要加上transparent，否则无法转发
http_port 3128 transparent
#visible_hostname 也是要自己添加上去
visible_hostname 192.168.10.26
hierarchy_stoplist cgi-bin ?
access_log /var/log/squid/access.log squid
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
refresh_pattern ^ftp:    1440 20% 10080
refresh_pattern ^gopher: 1440 0%  1440
refresh_pattern .    0 20% 4320
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
coredump_dir /var/spool/squid　　

　　根据自己需求在iptables添加端口信息
[root@linux-virsh-106 squid]# iptables -t nat -A PREROUTING -p tcp --dport 8003 -j REDIRECT --to-port 3128　　

　　

　　查看资料
　　http://www.ahxh.cn/html/2011/jiaocheng_1102/15411.html

　　

　　视频资料
　　http://item.taobao.com/item.htm?spm=686.1000925.1000774.13.9vuJG9&id=37129897170

　　

　　

　　

　　

账号		自动登录	找回密码
密码			立即注册

wirelessnetview好用的无线分析工具

亿图图示专家(EDraw Max) V7.9 中文破解版

zabbix3.4.1安装部署+微信推送信息+大屏显

Red Hat OpenShift I: Containers & Kubern

2025 年，C++ 还能“硬核”多久？

RH199 RHCSA Rapid Track

Red Hat RHCE 8 (EX294) Cert Guide

[经验分享] squid安装配置工作记录

浏览过的版块

扫码加入运维网微信交流群