|
|
在一家公司做了最后一个一项任务.web服务器A放在内网,通过通道程序连接上外网的服务器B.服务器B上安装了apache+squid.apache是利用虚拟机为服务器A提供双向代理.由于配置apache的缓存比较复杂,所以利用squid的缓存机制.这样就形成了两级双向代理.squid的版本不一样配置所用到的命令行也不一样.一个环节出现问题,这样复杂的架构是不会形成的.
原理:让squid代理80端口,接受所有的IE用户的请求.让apache监听81端口.apache建立一个虚拟机,根据域名匹配,将不同的web请求转发到指定的通道程序,通道程序再转发到内网的服务器.squid将IE的请求发送给apache,并且还将apche的返回数据发送给IE,squid还将数据缓存.apache也有缓存机制,但是不是很容易实现.而且squid是专业的web加速器,所以这里还是选择了squid.
配置方法:
1.配置squid,必须先知道你安装的版本.不同的版本所用到的配置选项是不一样的.例如:2.5版的httpd_accel_port在2.6版本被cache_peer替换了.
2.squid的默认启动用户是squid,所有对一些日志文件和缓存文件,文件拥有者必须是squid.启动squid可以是不同的用户,也不需要建立一个用户squid,然后再启动squid.只要保证squid缓存文件和日志文件的所有人是squid就可以了.
squid -z 是创建缓存文件,可以在启动之前先把缓存文件的树型机构建立起来.
3.squid提供了debug方式运行,这样用户可以得到更多的squid启动和运行状态的信息.squid -d 10.
4.squid的代理工作原理是:先接受IE的请求,然后解析请求中的域名,得到这个域名的IP,然后将数据发送给这个IP.如果你想截获squid不要将这个域名转发出去,就直接发送给本机处理,可以修改hosts文件.在配置过程中,IE发送请求去服务器B,但是squid并没有发送IE请求去apache,查看apache的转发日志,也没有看见这个请求.查看squid的access.log文件,发现它将这个请求发送到一个非本机的IP.所以我修改了hosts文件,将这个域名指向本机.这样squid就将请求发送给apache了.
5.squid和apache一起工作,squid监听80,apache监听81.利用squid的加速web工作原理.让squid对apache提供的web服务进行加速.本人是用squid2.6版本,具体配置再最后.
6.web加速配置
cache_peer 210.51.4.215 parent 81 0 no-query originserver weight=1 name=b
cache_peer_domain b www.aaawaaa.cn
acl all src 0.0.0.0/0.0.0.0
http_access allow all
never_direct allow all
cache_peer_access b allow all
这里是配置文件关键,squid相对apache是客户端.这里如果不配置访问规则,会导致访问权限问题.注意如果要做反向代理(二级转发),还要注意配置never_direct。
7.虚拟机的名字也要配置:
visible_hostname a215(a215就是B服务器的名字). http_port 80 transparent对80端口作透明代理。
8.squid对动态页面没有缓存,如果想对动态页面缓存就必须让HTTP协议请求包含Last_Modified.这样可以让squid缓存你的页面.如果想对缓存的命中时间和命中率做出响应,可以用refresh_pattern.这里的Last-Modified可以通过网页语言实现.squid只对图片和静态页面有缓存.因为这些页面在传输的过程中会自动加上Last_Modified.
# WELCOME TO SQUID 2.6.STABLE6
# ----------------------------
#
# This is the default Squid configuration file. You may wish
# to look at the Squid home page (http://www.squid-cache.org/)
# for the FAQ and other documentation.
#
# The default Squid config file shows what the defaults for
# various options happen to be. If you don't need to change the
# default, you shouldn't uncomment the line. Doing so may cause
# run-time problems. In some cases "none" refers to no default
# setting at all, while in other cases it refers to a valid
# option - the comments for that keyword indicate if this is the
# case.
#
# NETWORK OPTIONS
# -----------------------------------------------------------------------------
# TAG: http_port
# Usage: port [options]
# hostname:port [options]
# 1.2.3.4:port [options]
#
# The socket addresses where Squid will listen for HTTP client
# requests. You may specify multiple socket addresses.
# There are three forms: port alone, hostname with port, and
# IP address with port. If you specify a hostname or IP
# address, Squid binds the socket to that specific
# address. This replaces the old 'tcp_incoming_address'
# option. Most likely, you do not need to bind to a specific
# address, so you can use the port number alone.
#
# The default port number is 3128.
#
# If you are running Squid in accelerator mode, you
# probably want to listen on port 80 also, or instead.
#
# The -a command line option will override the *first* port
# number listed here. That option will NOT override an IP
# address, however.
#
# You may specify multiple socket addresses on multiple lines.
#
# options are:
# transparent Support for transparent proxies
# vhost Accelerator using Host directive
# vport Accelerator with IP virtual host support
# vport= As above, but uses specified port number
# rather than the http_port number.
# defaultsite= Main web site name for accelerators.
# urlgroup= Default urlgroup to mark requests
# with (see also acl urlgroup and
# url_rewrite_program)
# protocol= Protocol to reconstruct accelerated
# requests with. Defaults to http.
# no-connection-auth
# Prevent forwarding of Microsoft
# connection oriented authentication
# (NTLM, Negotiate and Kerberos)
# tproxy Support Linux TPROXY for spoofing
# outgoing connections using the client
# IP address.
#
# If you run Squid on a dual-homed machine with an internal
# and an external interface we recommend you to specify the
# internal address:port in http_port. This way Squid will only be
# visible on the internal address.
#
# Squid normally listens to port 3128
#http_port 210.51.4.215:3128 transparent
http_port 80 transparent
http_port 3128
#http_port 3128 transparent
#always_direct allow all
# TAG: https_port
# Usage: [ip:]port cert=certificate.pem [key=key.pem] [options...]
#
# The socket address where Squid will listen for HTTPS client
# requests.
#
# This is really only useful for situations where you are running
# squid in accelerator mode and you want to do the SSL work at the
# accelerator level.
#
# You may specify multiple socket addresses on multiple lines,
# each with their own SSL certificate and/or options.
#
# Options:
#
# defaultsite= The name of the https site presented on
# this port.
#
# urlgroup= Default urlgroup to mark requests with (see
# also acl urlgroup and url_rewrite_program)
#
# protocol= Protocol to reconstruct accelerated requests
# with. Defaults to https.
#
# cert= Path to SSL certificate (PEM format)
#
# key= Path to SSL private key file (PEM format)
# if not specified, the certificate file is
# assumed to be a combined certificate and
# key file
#
# version= The version of SSL/TLS supported
# 1 automatic (default)
# 2 SSLv2 only
# 3 SSLv3 only
# 4 TLSv1 only
#
# cipher= Colon separated list of supported ciphers
#
# options= Various SSL engine options. The most important
# being:
# NO_SSLv2 Disallow the use of SSLv2
# NO_SSLv3 Disallow the use of SSLv3
# NO_TLSv1 Disallow the use of TLSv1
# SINGLE_DH_USE Always create a new key when using
# temporary/ephemeral DH key exchanges
# See src/ssl_support.c or OpenSSL SSL_CTX_set_options
# documentation for a complete list of options.
#
# clientca= File containing the list of CAs to use when
# requesting a client certificate
#
# cafile= File containing additional CA certificates to
# use when verifying client certificates. If unset
# clientca will be used.
#
# capath= Directory containing additional CA certificates
# and CRL lists to use when verifying client certificates
#
# crlfile= File of additional CRL lists to use when verifying
# the client certificate, in addition to CRLs stored in
# the capath. Implies VERIFY_CRL flag below.
#
# dhparams= File containing DH parameters for temporary/ephemeral
# DH key exchanges
#
# sslflags= Various flags modifying the use of SSL:
# DELAYED_AUTH
# Don't request client certificates
# immediately, but wait until acl processing
# requires a certificate (not yet implemented)
# NO_DEFAULT_CA
# Don't use the default CA lists built in
# to OpenSSL.
# NO_SESSION_REUSE
# Don't allow for session reuse. Each connection
# will result in a new SSL session.
# VERIFY_CRL
# Verify CRL lists when accepting client
# certificates
# VERIFY_CRL_ALL
# Verify CRL lists for all certificates in the
# client certificate chain
#
# sslcontext= SSL session ID context identifier.
#
#
#Default:
# none
# TAG: ssl_unclean_shutdown
# Some browsers (especially MSIE) bugs out on SSL shutdown
# messages.
#
#Default:
# ssl_unclean_shutdown off
# TAG: ssl_engine
# The OpenSSL engine to use. You will need to set this if you
# would like to use hardware SSL acceleration for example.
#
#Default:
# none
# TAG: sslproxy_client_certificate
# Client SSL Certificate to use when proxying https:// URLs
#
#Default:
# none
# TAG: sslproxy_client_key
# Client SSL Key to use when proxying https:// URLs
#
#Default:
# none
# TAG: sslproxy_version
# SSL version level to use when proxying https:// URLs
#
#Default:
# sslproxy_version 1
# TAG: sslproxy_options
# SSL engine options to use when proxying https:// URLs
#
#Default:
# none
# TAG: sslproxy_cipher
# SSL cipher list to use when proxying https:// URLs
#
#Default:
# none
# TAG: sslproxy_cafile
# TAG: sslproxy_capath
# TAG: sslproxy_flags
# TAG: sslpassword_program
# Specify a program used for entering SSL key passphrases
# when using encrypted SSL certificate keys. If not specified
# keys must either be unencrypted, or Squid started with the -N
# option to allow it to query interactively for the passphrase.
#
#Default:
# none
# TAG: icp_port
# The port number where Squid sends and receives ICP queries to
# and from neighbor caches. Default is 3130. To disable use
# "0". May be overridden with -u on the command line.
#
#Default:
# icp_port 3130
# TAG: htcp_port
# Note: This option is only available if Squid is rebuilt with the
# --enable-htcp option
#
# The port number where Squid sends and receives HTCP queries to
# and from neighbor caches. Default is 4827. To disable use
# "0".
#
#Default:
# htcp_port 4827
# TAG: mcast_groups
# This tag specifies a list of multicast groups which your server
# should join to receive multicasted ICP queries.
#
# NOTE! Be very careful what you put here! Be sure you
# understand the difference between an ICP _query_ and an ICP
# _reply_. This option is to be set only if you want to RECEIVE
# multicast queries. Do NOT set this option to SEND multicast
# ICP (use cache_peer for that). ICP replies are always sent via
# unicast, so this option does not affect whether or not you will
# receive replies from multicast group members.
#
# You must be very careful to NOT use a multicast address which
# is already in use by another group of caches.
#
# If you are unsure about multicast, please read the Multicast
# chapter in the Squid FAQ (http://www.squid-cache.org/FAQ/).
#
# Usage: mcast_groups 239.128.16.128 224.0.1.20
#
# By default, Squid doesn't listen on any multicast groups.
#
#Default:
# none
# TAG: udp_incoming_address
# TAG: udp_outgoing_address
# udp_incoming_address is used for the ICP socket receiving packets
# from other caches.
# udp_outgoing_address is used for ICP packets sent out to other
# caches.
#
# The default behavior is to not bind to any specific address.
#
# A udp_incoming_address value of 0.0.0.0 indicates Squid
# should listen for UDP messages on all available interfaces.
#
# If udp_outgoing_address is set to 255.255.255.255 (the default)
# it will use the same socket as udp_incoming_address. Only
# change this if you want to have ICP queries sent using another
# address than where this Squid listens for ICP queries from other
# caches.
#
# NOTE, udp_incoming_address and udp_outgoing_address can not
# have the same value since they both use port 3130.
#
#Default:
# udp_incoming_address 0.0.0.0
# udp_outgoing_address 255.255.255.255
# OPTIONS WHICH AFFECT THE NEIGHBOR SELECTION ALGORITHM
# -----------------------------------------------------------------------------
# TAG: cache_peer
# To specify other caches in a hierarchy, use the format:
#
# cache_peer hostname type http_port icp_port [options]
#
# For example,
#
# # proxy icp
# # hostname type port port options
# # -------------------- -------- ----- ----- -----------
# cache_peer parent.foo.net parent 3128 3130 [proxy-only]
# cache_peer sib1.foo.net sibling 3128 3130 [proxy-only]
# cache_peer sib2.foo.net sibling 3128 3130 [proxy-only]
#
# type: either 'parent', 'sibling', or 'multicast'.
#
# proxy_port: The port number where the cache listens for proxy
# requests.
#
# icp_port: Used for querying neighbor caches about
# objects. To have a non-ICP neighbor
# specify '7' for the ICP port and make sure the
# neighbor machine has the UDP echo port
# enabled in its /etc/inetd.conf file.
#
# options: proxy-only
# weight=n
# ttl=n
# no-query
# default
# round-robin
# multicast-responder
# closest-only
# no-digest
# no-netdb-exchange
# no-delay
# login=user:password | PASS | *:password
# connect-timeout=nn
# digest-url=url
# allow-miss
# max-conn
# htcp
# htcp-oldsquid
# carp-load-factor
# originserver
# userhash
# sourcehash
# name=xxx
# monitorurl=url
# monitorsize=sizespec
# monitorinterval=seconds
# monitortimeout=seconds
# group=name
# forceddomain=name
# ssl
# sslcert=/path/to/ssl/certificate
# sslkey=/path/to/ssl/key
# sslversion=1|2|3|4
# sslcipher=...
# ssloptions=...
# front-end-https[=on|auto]
# connection-auth[=on|off|auto]
#
# use 'proxy-only' to specify objects fetched
# from this cache should not be saved locally.
#
# use 'weight=n' to specify a weighted parent.
# The weight must be an integer. The default weight
# is 1, larger weights are favored more.
#
# use 'ttl=n' to specify a IP multicast TTL to use
# when sending an ICP queries to this address.
# Only useful when sending to a multicast group.
# Because we don't accept ICP replies from random
# hosts, you must configure other group members as
# peers with the 'multicast-responder' option below.
#
# use 'no-query' to NOT send ICP queries to this
# neighbor.
#
# use 'default' if this is a parent cache which can
# be used as a "last-resort." You should probably
# only use 'default' in situations where you cannot
# use ICP with your parent cache(s).
#
# use 'round-robin' to define a set of parents which
# should be used in a round-robin fashion in the
# absence of any ICP queries.
#
# 'multicast-responder' indicates the named peer
# is a member of a multicast group. ICP queries will
# not be sent directly to the peer, but ICP replies
# will be accepted from it.
#
# 'closest-only' indicates that, for ICP_OP_MISS
# replies, we'll only forward CLOSEST_PARENT_MISSes
# and never FIRST_PARENT_MISSes.
#
# use 'no-digest' to NOT request cache digests from
# this neighbor.
#
# 'no-netdb-exchange' disables requesting ICMP
# RTT database (NetDB) from the neighbor.
#
# use 'no-delay' to prevent access to this neighbor
# from influencing the delay pools.
#
# use 'login=user:password' if this is a personal/workgroup
# proxy and your parent requires proxy authentication.
# Note: The string can include URL escapes (i.e. %20 for
# spaces). This also means % must be written as %%.
#
# use 'login=PASS' to forward authentication to the peer.
# Needed if the peer requires login.
# Note: To combine this with local authentication the Basic
# authentication scheme must be used, and both servers must
# share the same user database as HTTP only allows for
# a single login (one for proxy, one for origin server).
#
# use 'login=*:password' to pass the username to the
# upstream cache, but with a fixed password. This is meant
# to be used when the peer is in another administrative
# domain, but it is still needed to identify each user.
# The star can optionally be followed by some extra
# information which is added to the username. This can
# be used to identify this proxy to the peer, similar to
# the login=username:password option above.
#
# use 'connect-timeout=nn' to specify a peer
# specific connect timeout (also see the
# peer_connect_timeout directive)
#
# use 'digest-url=url' to tell Squid to fetch the cache
# digest (if digests are enabled) for this host from
# the specified URL rather than the Squid default
# location.
#
# use 'allow-miss' to disable Squid's use of only-if-cached
# when forwarding requests to siblings. This is primarily
# useful when icp_hit_stale is used by the sibling. To
# extensive use of this option may result in forwarding
# loops, and you should avoid having two-way peerings
# with this option. (for example to deny peer usage on
# requests from peer by denying cache_peer_access if the
# source is a peer)
#
# use 'max-conn' to limit the amount of connections Squid
# may open to this peer.
#
# use 'htcp' to send HTCP, instead of ICP, queries
# to the neighbor. You probably also want to
# set the "icp port" to 4827 instead of 3130.
#
# use 'htcp-oldsquid' to send HTCP to old Squid versions
#
# use 'carp-load-factor=f' to define a parent
# cache as one participating in a CARP array.
# The 'f' values for all CARP parents must add
# up to 1.0.
#
# 'originserver' causes this parent peer to be contacted as
# a origin server. Meant to be used in accelerator setups.
#
# use 'userhash' to load-balance amongst a set of parents
# based on the client proxy_auth or ident username.
#
# use 'sourcehash' to load-balanse amongs a set of parents
# based on the client source ip.
#
# use 'name=xxx' if you have multiple peers on the same
# host but different ports. This name can then be used to
# differentiate the peers in cache_peer_access and similar
# directives.
#
# use 'monitorurl=url' to have periodically request a given
# URL from the peer, and only consider the peer as alive
# if this monitoring is successful (default none)
#
# use 'monitorsize=min[-max]' to limit the size range of
# 'monitorurl' replies considered valid. Defaults to 0 to
# accept any size replies as valid.
#
# use 'monitorinterval=seconds' to change frequency of
# how often the peer is monitored with 'monitorurl'
# (default 300 for a 5 minute interval). If set to 0
# then monitoring is disabled even if a URL is defined.
#
# use 'monitortimeout=seconds' to change the timeout of
# 'monitorurl'. Defaults to 'monitorinterval'.
#
# use 'forceddomain=name' to forcibly set the Host header
# of requests forwarded to this peer. Useful in accelerator
# setups where the server (peer) expects a certain domain
# name and using redirectors to feed this domain name
# is not feasible.
#
# use 'ssl' to indicate that connections to this peer should
# bs SSL/TLS encrypted.
#
# use 'sslcert=/path/to/ssl/certificate' to specify a client
# SSL certificate to use when connecting to this peer.
#
# use 'sslkey=/path/to/ssl/key' to specify the private SSL
# key corresponding to sslcert above. If 'sslkey' is not
# specified then 'sslcert' is assumed to reference a
# combined file containing both the certificate and the key.
#
# use sslversion=1|2|3|4 to specify the SSL version to use
# when connecting to this peer
# 1 = automatic (default)
# 2 = SSL v2 only
# 3 = SSL v3 only
# 4 = TLS v1 only
#
# use sslcipher=... to specify the list of valid SSL ciphers
# to use when connecting to this peer.
#
# use ssloptions=... to specify various SSL engine options:
# NO_SSLv2 Disallow the use of SSLv2
# NO_SSLv3 Disallow the use of SSLv3
# NO_TLSv1 Disallow the use of TLSv1
# See src/ssl_support.c or the OpenSSL documentation for
# a more complete list.
#
# use sslcafile=... to specify a file containing
# additional CA certificates to use when verifying the
# peer certificate.
#
# use sslcapath=... to specify a directory containing
# additional CA certificates to use when verifying the
# peer certificate.
#
# use sslcrlfile=... to specify a certificate revocation
# list file to use when verifying the peer certificate.
#
# use sslflags=... to specify various flags modifying the
# SSL implementation:
# DONT_VERIFY_PEER
# Accept certificates even if they fail to
# verify.
# NO_DEFAULT_CA
# Don't use the default CA list built in
# to OpenSSL.
#
# use ssldomain= to specify the peer name as advertised
# in it's certificate. Used for verifying the correctness
# of the received peer certificate. If not specified the
# peer hostname will be used.
#
# use front-end-https to enable the "Front-End-Https: On"
# header needed when using Squid as a SSL frontend in front
# of Microsoft OWA. See MS KB document Q307347 for details
# on this header. If set to auto then the header will
# only be added if the request is forwarded as a https://
# URL.
#
# use connection-auth=off to tell Squid that this peer does
# not support Microsoft connection oriented authentication,
# and any such challenges received from there should be
# ignored. Default is auto to automatically determine the
# status of the peer.
#
# NOTE: non-ICP/HTCP neighbors must be specified as 'parent'.
#
#Default:
# none
# TAG: cache_peer_domain
# Use to limit the domains for which a neighbor cache will be
# queried. Usage:
#
# cache_peer_domain cache-host domain [domain ...]
# cache_peer_domain cache-host !domain
#
# For example, specifying
#
# cache_peer_domain parent.foo.net .edu
#
# has the effect such that UDP query packets are sent to
# 'bigserver' only when the requested object exists on a
# server in the .edu domain. Prefixing the domain name
# with '!' means the cache will be queried for objects
# NOT in that domain.
#
# NOTE: * Any number of domains may be given for a cache-host,
# either on the same or separate lines.
# * When multiple domains are given for a particular
# cache-host, the first matched domain is applied.
# * Cache hosts with no domain restrictions are queried
# for all requests.
# * There are no defaults.
# * There is also a 'cache_peer_access' tag in the ACL
# section.
#
#Default:
# none
# TAG: neighbor_type_domain
# usage: neighbor_type_domain neighbor parent|sibling domain domain ...
#
# Modifying the neighbor type for specific domains is now
# possible. You can treat some domains differently than the the
# default neighbor type specified on the 'cache_peer' line.
# Normally it should only be necessary to list domains which
# should be treated differently because the default neighbor type
# applies for hostnames which do not match domains listed here.
#
#EXAMPLE:
# cache_peer parent cache.foo.org 3128 3130
# neighbor_type_domain cache.foo.org sibling .com .net
# neighbor_type_domain cache.foo.org sibling .au .de
#
#Default:
# none
# TAG: icp_query_timeout (msec)
# Normally Squid will automatically determine an optimal ICP
# query timeout value based on the round-trip-time of recent ICP
# queries. If you want to override the value determined by
# Squid, set this 'icp_query_timeout' to a non-zero value. This
# value is specified in MILLISECONDS, so, to use a 2-second
# timeout (the old default), you would write:
#
# icp_query_timeout 2000
#
#Default:
# icp_query_timeout 0
# TAG: maximum_icp_query_timeout (msec)
# Normally the ICP query timeout is determined dynamically. But
# sometimes it can lead to very large values (say 5 seconds).
# Use this option to put an upper limit on the dynamic timeout
# value. Do NOT use this option to always use a fixed (instead
# of a dynamic) timeout value. To set a fixed timeout see the
# 'icp_query_timeout' directive.
#
#Default:
# maximum_icp_query_timeout 2000
# TAG: mcast_icp_query_timeout (msec)
# For multicast peers, Squid regularly sends out ICP "probes" to
# count how many other peers are listening on the given multicast
# address. This value specifies how long Squid should wait to
# count all the replies. The default is 2000 msec, or 2
# seconds.
#
#Default:
# mcast_icp_query_timeout 2000
# TAG: dead_peer_timeout (seconds)
# This controls how long Squid waits to declare a peer cache
# as "dead." If there are no ICP replies received in this
# amount of time, Squid will declare the peer dead and not
# expect to receive any further ICP replies. However, it
# continues to send ICP queries, and will mark the peer as
# alive upon receipt of the first subsequent ICP reply.
#
# This timeout also affects when Squid expects to receive ICP
# replies from peers. If more than 'dead_peer' seconds have
# passed since the last ICP reply was received, Squid will not
# expect to receive an ICP reply on the next query. Thus, if
# your time between requests is greater than this timeout, you
# will see a lot of requests sent DIRECT to origin servers
# instead of to your parents.
#
#Default:
# dead_peer_timeout 10 seconds
# TAG: hierarchy_stoplist
# A list of words which, if found in a URL, cause the object to
# be handled directly by this cache. In other words, use this
# to not query neighbor caches for certain objects. You may
# list this option multiple times. Note: never_direct overrides
# this option.
#We recommend you to use at least the following line.
hierarchy_stoplist cgi-bin ?
# TAG: cache
# A list of ACL elements which, if matched, cause the request to
# not be satisfied from the cache and the reply to not be cached.
# In other words, use this to force certain objects to never be cached.
#
# You must use the word 'DENY' to indicate the ACL names which should
# NOT be cached.
#
# Default is to allow all to be cached
#We recommend you to use the following two lines.
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
# TAG: cache_vary
# Set to off to disable caching of Vary:in objects.
#
#Default:
# cache_vary on
# TAG: broken_vary_encoding
# Many servers have broken support for on-the-fly Content-Encoding,
# returning the same ETag on both plain and gzip:ed variants.
# Vary replies matching this access list will have the cache split
# on the Accept-Encoding header of the request and not trusting the
# ETag to be unique.
#
# Apache mod_gzip and mod_deflate known to be broken so don't trust
# Apache to signal ETag correctly on such responses
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
# OPTIONS WHICH AFFECT THE CACHE SIZE
# -----------------------------------------------------------------------------
# TAG: cache_mem (bytes)
# NOTE: THIS PARAMETER DOES NOT SPECIFY THE MAXIMUM PROCESS SIZE.
# IT ONLY PLACES A LIMIT ON HOW MUCH ADDITIONAL MEMORY SQUID WILL
# USE AS A MEMORY CACHE OF OBJECTS. SQUID USES MEMORY FOR OTHER
# THINGS AS WELL. SEE THE SQUID FAQ SECTION 8 FOR DETAILS.
#
# 'cache_mem' specifies the ideal amount of memory to be used
# for:
# * In-Transit objects
# * Hot Objects
# * Negative-Cached objects
#
# Data for these objects are stored in 4 KB blocks. This
# parameter specifies the ideal upper limit on the total size of
# 4 KB blocks allocated. In-Transit objects take the highest
# priority.
#
# In-transit objects have priority over the others. When
# additional space is needed for incoming data, negative-cached
# and hot objects will be released. In other words, the
# negative-cached and hot objects will fill up any unused space
# not needed for in-transit objects.
#
# If circumstances require, this limit will be exceeded.
# Specifically, if your incoming request rate requires more than
# 'cache_mem' of memory to hold in-transit objects, Squid will
# exceed this limit to satisfy the new requests. When the load
# decreases, blocks will be freed until the high-water mark is
# reached. Thereafter, blocks will be used to store hot
# objects.
#
#Default:
# cache_mem 8 MB
# TAG: cache_swap_low (percent, 0-100)
# TAG: cache_swap_high (percent, 0-100)
#
# The low- and high-water marks for cache object replacement.
# Replacement begins when the swap (disk) usage is above the
# low-water mark and attempts to maintain utilization near the
# low-water mark. As swap utilization gets close to high-water
# mark object eviction becomes more aggressive. If utilization is
# close to the low-water mark less replacement is done each time.
#
# Defaults are 90% and 95%. If you have a large cache, 5% could be
# hundreds of MB. If this is the case you may wish to set these
# numbers closer together.
#
#Default:
# cache_swap_low 90
# cache_swap_high 95
# TAG: maximum_object_size (bytes)
# Objects larger than this size will NOT be saved on disk. The
# value is specified in kilobytes, and the default is 4MB. If
# you wish to get a high BYTES hit ratio, you should probably
# increase this (one 32 MB object hit counts for 3200 10KB
# hits). If you wish to increase speed more than your want to
# save bandwidth you should leave this low.
#
# NOTE: if using the LFUDA replacement policy you should increase
# this value to maximize the byte hit rate improvement of LFUDA!
# See replacement_policy below for a discussion of this policy.
#
#Default:
# maximum_object_size 4096 KB
# TAG: minimum_object_size (bytes)
# Objects smaller than this size will NOT be saved on disk. The
# value is specified in kilobytes, and the default is 0 KB, which
# means there is no minimum.
#
#Default:
# minimum_object_size 0 KB
# TAG: maximum_object_size_in_memory (bytes)
# Objects greater than this size will not be attempted to kept in
# the memory cache. This should be set high enough to keep objects
# accessed frequently in memory to improve performance whilst low
# enough to keep larger objects from hoarding cache_mem.
#
#Default:
# maximum_object_size_in_memory 8 KB
# TAG: ipcache_size (number of entries)
# TAG: ipcache_low (percent)
# TAG: ipcache_high (percent)
# The size, low-, and high-water marks for the IP cache.
#
#Default:
# ipcache_size 1024
# ipcache_low 90
# ipcache_high 95
# TAG: fqdncache_size (number of entries)
# Maximum number of FQDN cache entries.
#
#Default:
# fqdncache_size 1024
# TAG: cache_replacement_policy
# The cache replacement policy parameter determines which
# objects are evicted (replaced) when disk space is needed.
#
# lru : Squid's original list based LRU policy
# heap GDSF : Greedy-Dual Size Frequency
# heap LFUDA: Least Frequently Used with Dynamic Aging
# heap LRU : LRU policy implemented using a heap
#
# Applies to any cache_dir lines listed below this.
#
# The LRU policies keeps recently referenced objects.
#
# The heap GDSF policy optimizes object hit rate by keeping smaller
# popular objects in cache so it has a better chance of getting a
# hit. It achieves a lower byte hit rate than LFUDA though since
# it evicts larger (possibly popular) objects.
#
# The heap LFUDA policy keeps popular objects in cache regardless of
# their size and thus optimizes byte hit rate at the expense of
# hit rate since one large, popular object will prevent many
# smaller, slightly less popular objects from being cached.
#
# Both policies utilize a dynamic aging mechanism that prevents
# cache pollution that can otherwise occur with frequency-based
# replacement policies.
#
# NOTE: if using the LFUDA replacement policy you should increase
# the value of maximum_object_size above its default of 4096 KB to
# to maximize the potential byte hit rate improvement of LFUDA.
#
# For more information about the GDSF and LFUDA cache replacement
# policies see http://www.hpl.hp.com/techreports/1999/HPL-1999-69.html
# and http://fog.hpl.external.hp.com/techreports/98/HPL-98-173.html.
#
#Default:
# cache_replacement_policy lru
# TAG: memory_replacement_policy
# The memory replacement policy parameter determines which
# objects are purged from memory when memory space is needed.
#
# See cache_replacement_policy for details.
#
#Default:
# memory_replacement_policy lru
# LOGFILE PATHNAMES AND CACHE DIRECTORIES
# -----------------------------------------------------------------------------
# TAG: cache_dir
# Usage:
#
# cache_dir Type Directory-Name Fs-specific-data [options]
#
# You can specify multiple cache_dir lines to spread the
# cache among different disk partitions.
#
# Type specifies the kind of storage system to use. Only "ufs"
# is built by default. To enable any of the other storage systems
# see the --enable-storeio configure option.
#
# 'Directory' is a top-level directory where cache swap
# files will be stored. If you want to use an entire disk
# for caching, this can be the mount-point directory.
# The directory must exist and be writable by the Squid
# process. Squid will NOT create this directory for you.
# Only using COSS, a raw disk device or a stripe file can
# be specified, but the configuration of the "cache_wap_log"
# tag is mandatory.
#
# The ufs store type:
#
# "ufs" is the old well-known Squid storage format that has always
# been there.
#
# cache_dir ufs Directory-Name Mbytes L1 L2 [options]
#
# 'Mbytes' is the amount of disk space (MB) to use under this
# directory. The default is 100 MB. Change this to suit your
# configuration. Do NOT put the size of your disk drive here.
# Instead, if you want Squid to use the entire disk drive,
# subtract 20% and use that value.
#
# 'Level-1' is the number of first-level subdirectories which
# will be created under the 'Directory'. The default is 16.
#
# 'Level-2' is the number of second-level subdirectories which
# will be created under each first-level directory. The default
# is 256.
#
# The aufs store type:
#
# "aufs" uses the same storage format as "ufs", utilizing
# POSIX-threads to avoid blocking the main Squid process on
# disk-I/O. This was formerly known in Squid as async-io.
#
# cache_dir aufs Directory-Name Mbytes L1 L2 [options]
#
# see argument descriptions under ufs above
#
# The diskd store type:
#
# "diskd" uses the same storage format as "ufs", utilizing a
# separate process to avoid blocking the main Squid process on
# disk-I/O.
#
# cache_dir diskd Directory-Name Mbytes L1 L2 [options] [Q1=n] [Q2=n]
#
# see argument descriptions under ufs above
#
# Q1 specifies the number of unacknowledged I/O requests when Squid
# stops opening new files. If this many messages are in the queues,
# Squid won't open new files. Default is 64
#
# Q2 specifies the number of unacknowledged messages when Squid
# starts blocking. If this many messages are in the queues,
# Squid blocks until it receives some replies. Default is 72
#
# When Q1 < Q2 (the default), the cache directory is optimized
# for lower response time at the expense of a decrease in hit
# ratio. If Q1 > Q2, the cache directory is optimized for
# higher hit ratio at the expense of an increase in response
# time.
#
# The COSS store type:
#
# block-size=n defines the "block size" for COSS cache_dir's.
# Squid uses file numbers as block numbers. Since file numbers
# are limited to 24 bits, the block size determines the maximum
# size of the COSS partition. The default is 512 bytes, which
# leads to a maximum cache_dir size of 512 bits 25 through 32 are "d"
# -> bits 17 through 24 are "c"
# -> bits 17 through 32 are "c * 256 + d"
#
#Default:
# none
# TAG: delay_access
# This is used to determine which delay pool a request falls into.
#
# delay_access is sorted per pool and the matching starts with pool 1,
# then pool 2, ..., and finally pool N. The first delay pool where the
# request is allowed is selected for the request. If it does not allow
# the request to any pool then the request is not delayed (default).
#
# For example, if you want some_big_clients in delay
# pool 1 and lotsa_little_clients in delay pool 2:
#
#Example:
# delay_access 1 allow some_big_clients
# delay_access 1 deny all
# delay_access 2 allow lotsa_little_clients
# delay_access 2 deny all
#
#Default:
# none
# TAG: delay_parameters
# This defines the parameters for a delay pool. Each delay pool has
# a number of "buckets" associated with it, as explained in the
# description of delay_class. For a class 1 delay pool, the syntax is:
#
#delay_parameters pool aggregate
#
# For a class 2 delay pool:
#
#delay_parameters pool aggregate individual
#
# For a class 3 delay pool:
#
#delay_parameters pool aggregate network individual
#
# The variables here are:
#
# pool a pool number - ie, a number between 1 and the
# number specified in delay_pools as used in
# delay_class lines.
#
# aggregate the "delay parameters" for the aggregate bucket
# (class 1, 2, 3).
#
# individual the "delay parameters" for the individual
# buckets (class 2, 3).
#
# network the "delay parameters" for the network buckets
# (class 3).
#
# A pair of delay parameters is written restore/maximum, where restore is
# the number of bytes (not bits - modem and network speeds are usually
# quoted in bits) per second placed into the bucket, and maximum is the
# maximum number of bytes which can be in the bucket at any time.
#
# For example, if delay pool number 1 is a class 2 delay pool as in the
# above example, and is being used to strictly limit each host to 64kbps
# (plus overheads), with no overall limit, the line is:
#
#delay_parameters 1 -1/-1 8000/8000
#
# Note that the figure -1 is used to represent "unlimited".
#
# And, if delay pool number 2 is a class 3 delay pool as in the above
# example, and you want to limit it to a total of 256kbps (strict limit)
# with each 8-bit network permitted 64kbps (strict limit) and each
# individual host permitted 4800bps with a bucket maximum size of 64kb
# to permit a decent web page to be downloaded at a decent speed
# (if the network is not being limited due to overuse) but slow down
# large downloads more significantly:
#
#delay_parameters 2 32000/32000 8000/8000 600/8000
#
# There must be one delay_parameters line for each delay pool.
#
#Default:
# none
# TAG: delay_initial_bucket_level (percent, 0-100)
# The initial bucket percentage is used to determine how much is put
# in each bucket when squid starts, is reconfigured, or first notices
# a host accessing it (in class 2 and class 3, individual hosts and
# networks only have buckets associated with them once they have been
# "seen" by squid).
#
#Default:
# delay_initial_bucket_level 50
# TAG: incoming_icp_average
# TAG: incoming_http_average
# TAG: incoming_dns_average
# TAG: min_icp_poll_cnt
# TAG: min_dns_poll_cnt
# TAG: min_http_poll_cnt
# Heavy voodoo here. I can't even believe you are reading this.
# Are you crazy? Don't even think about adjusting these unless
# you understand the algorithms in comm_select.c first!
#
#Default:
# incoming_icp_average 6
# incoming_http_average 4
# incoming_dns_average 4
# min_icp_poll_cnt 8
# min_dns_poll_cnt 8
# min_http_poll_cnt 8
# TAG: max_open_disk_fds
# To avoid having disk as the I/O bottleneck Squid can optionally
# bypass the on-disk cache if more than this amount of disk file
# descriptors are open.
#
# A value of 0 indicates no limit.
#
#Default:
# max_open_disk_fds 0
# TAG: offline_mode
# Enable this option and Squid will never try to validate cached
# objects.
#
#Default:
# offline_mode off
# TAG: uri_whitespace
# What to do with requests that have whitespace characters in the
# URI. Options:
#
# strip: The whitespace characters are stripped out of the URL.
# This is the behavior recommended by RFC2396.
# deny: The request is denied. The user receives an "Invalid
# Request" message.
# allow: The request is allowed and the URI is not changed. The
# whitespace characters remain in the URI. Note the
# whitespace is passed to redirector processes if they
# are in use.
# encode: The request is allowed and the whitespace characters are
# encoded according to RFC1738. This could be considered
# a violation of the HTTP/1.1
# RFC because proxies are not allowed to rewrite URI's.
# chop: The request is allowed and the URI is chopped at the
# first whitespace. This might also be considered a
# violation.
#
#Default:
# uri_whitespace strip
# TAG: broken_posts
# A list of ACL elements which, if matched, causes Squid to send
# an extra CRLF pair after the body of a PUT/POST request.
#
# Some HTTP servers has broken implementations of PUT/POST,
# and rely on an extra CRLF pair sent by some WWW clients.
#
# Quote from RFC2068 section 4.1 on this matter:
#
# Note: certain buggy HTTP/1.0 client implementations generate an
# extra CRLF's after a POST request. To restate what is explicitly
# forbidden by the BNF, an HTTP/1.1 client must not preface or follow
# a request with an extra CRLF.
#
#Example:
# acl buggy_server url_regex ^http://....
# broken_posts allow buggy_server
#
#Default:
# none
# TAG: mcast_miss_addr
# Note: This option is only available if Squid is rebuilt with the
# --enable-multicast-miss option
#
# If you enable this option, every "cache miss" URL will
# be sent out on the specified multicast address.
#
# Do not enable this option unless you are are absolutely
# certain you understand what you are doing.
#
#Default:
# mcast_miss_addr 255.255.255.255
# TAG: mcast_miss_ttl
# Note: This option is only available if Squid is rebuilt with the
# --enable-multicast-miss option
#
# This is the time-to-live value for packets multicasted
# when multicasting off cache miss URLs is enabled. By
# default this is set to 'site scope', i.e. 16.
#
#Default:
# mcast_miss_ttl 16
# TAG: mcast_miss_port
# Note: This option is only available if Squid is rebuilt with the
# --enable-multicast-miss option
#
# This is the port number to be used in conjunction with
# 'mcast_miss_addr'.
#
#Default:
# mcast_miss_port 3135
# TAG: mcast_miss_encode_key
# Note: This option is only available if Squid is rebuilt with the
# --enable-multicast-miss option
#
# The URLs that are sent in the multicast miss stream are
# encrypted. This is the encryption key.
#
#Default:
# mcast_miss_encode_key XXXXXXXXXXXXXXXX
# TAG: nonhierarchical_direct
# By default, Squid will send any non-hierarchical requests
# (matching hierarchy_stoplist or not cacheable request type) direct
# to origin servers.
#
# If you set this to off, Squid will prefer to send these
# requests to parents.
#
# Note that in most configurations, by turning this off you will only
# add latency to these request without any improvement in global hit
# ratio.
#
# If you are inside an firewall see never_direct instead of
# this directive.
#
#Default:
# nonhierarchical_direct on
# TAG: prefer_direct
# Normally Squid tries to use parents for most requests. If you for some
# reason like it to first try going direct and only use a parent if
# going direct fails set this to on.
#
# By combining nonhierarchical_direct off and prefer_direct on you
# can set up Squid to use a parent as a backup path if going direct
# fails.
#
# Note: If you want Squid to use parents for all requests see
# the never_direct directive. prefer_direct only modifies how Squid
# acts on cacheable requests.
#
#Default:
# prefer_direct off
# TAG: strip_query_terms
# By default, Squid strips query terms from requested URLs before
# logging. This protects your user's privacy.
#
#Default:
# strip_query_terms on
# TAG: coredump_dir
# By default Squid leaves core files in the directory from where
# it was started. If you set 'coredump_dir' to a directory
# that exists, Squid will chdir() to that directory at startup
# and coredump files will be left there.
#
#Default:
# coredump_dir none
#
# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid
# TAG: redirector_bypass
# When this is 'on', a request will not go through the
# redirector if all redirectors are busy. If this is 'off'
# and the redirector queue grows too large, Squid will exit
# with a FATAL error and ask you to increase the number of
# redirectors. You should only enable this if the redirectors
# are not critical to your caching system. If you use
# redirectors for access control, and you enable this option,
# users may have access to pages they should not
# be allowed to request.
#
#Default:
# redirector_bypass off
# TAG: ignore_unknown_nameservers
# By default Squid checks that DNS responses are received
# from the same IP addresses they are sent to. If they
# don't match, Squid ignores the response and writes a warning
# message to cache.log. You can allow responses from unknown
# nameservers by setting this option to 'off'.
#
#Default:
# ignore_unknown_nameservers on
# TAG: digest_generation
# This controls whether the server will generate a Cache Digest
# of its contents. By default, Cache Digest generation is
# enabled if Squid is compiled with USE_CACHE_DIGESTS defined.
#
#Default:
# digest_generation on
# TAG: digest_bits_per_entry
# This is the number of bits of the server's Cache Digest which
# will be associated with the Digest entry for a given HTTP
# Method and URL (public key) combination. The default is 5.
#
#Default:
# digest_bits_per_entry 5
# TAG: digest_rebuild_period (seconds)
# This is the number of seconds between Cache Digest rebuilds.
#
#Default:
# digest_rebuild_period 1 hour
# TAG: digest_rewrite_period (seconds)
# This is the number of seconds between Cache Digest writes to
# disk.
#
#Default:
# digest_rewrite_period 1 hour
# TAG: digest_swapout_chunk_size (bytes)
# This is the number of bytes of the Cache Digest to write to
# disk at a time. It defaults to 4096 bytes (4KB), the Squid
# default swap page.
#
#Default:
# digest_swapout_chunk_size 4096 bytes
# TAG: digest_rebuild_chunk_percentage (percent, 0-100)
# This is the percentage of the Cache Digest to be scanned at a
# time. By default it is set to 10% of the Cache Digest.
#
#Default:
# digest_rebuild_chunk_percentage 10
# TAG: chroot
# Use this to have Squid do a chroot() while initializing. This
# also causes Squid to fully drop root privileges after
# initializing. This means, for example, that if you use a HTTP
# port less than 1024 and try to reconfigure, you will get an
# error.
#
#Default:
# none
# TAG: client_persistent_connections
# TAG: server_persistent_connections
# Persistent connection support for clients and servers. By
# default, Squid uses persistent connections (when allowed)
# with its clients and servers. You can use these options to
# disable persistent connections with clients and/or servers.
#
#Default:
# client_persistent_connections on
# server_persistent_connections on
# TAG: persistent_connection_after_error
# With this directive the use of persistent connections after
# HTTP errors can be disabled. Useful if you have clients
# who fail to handle errors on persistent connections proper.
#
#Default:
# persistent_connection_after_error off
# TAG: detect_broken_pconn
# Some servers have been found to incorrectly signal the use
# of HTTP/1.0 persistent connections even on replies not
# compatible, causing significant delays. This server problem
# has mostly been seen on redirects.
#
# By enabling this directive Squid attempts to detect such
# broken replies and automatically assume the reply is finished
# after 10 seconds timeout.
#
#Default:
# detect_broken_pconn off
# TAG: balance_on_multiple_ip
# Some load balancing servers based on round robin DNS have been
# found not to preserve user session state across requests
# to different IP addresses.
#
# By default Squid rotates IP's per request. By disabling
# this directive only connection failure triggers rotation.
#
#Default:
# balance_on_multiple_ip on
# TAG: pipeline_prefetch
# To boost the performance of pipelined requests to closer
# match that of a non-proxied environment Squid can try to fetch
# up to two requests in parallel from a pipeline.
#
# Defaults to off for bandwidth management and access logging
# reasons.
#
#Default:
# pipeline_prefetch off
# TAG: extension_methods
# Squid only knows about standardized HTTP request methods.
# You can add up to 20 additional "extension" methods here.
#
#Default:
# none
# TAG: request_entities
# Squid defaults to deny GET and HEAD requests with request entities,
# as the meaning of such requests are undefined in the HTTP standard
# even if not explicitly forbidden.
#
# Set this directive to on if you have clients which insists
# on sending request entities in GET or HEAD requests. But be warned
# that there is server software (both proxies and web servers) which
# can fail to properly process this kind of request which may make you
# vulnerable to cache pollution attacks if enabled.
#
#Default:
# request_entities off
# TAG: high_response_time_warning (msec)
# If the one-minute median response time exceeds this value,
# Squid prints a WARNING with debug level 0 to get the
# administrators attention. The value is in milliseconds.
#
#Default:
# high_response_time_warning 0
# TAG: high_page_fault_warning
# If the one-minute average page fault rate exceeds this
# value, Squid prints a WARNING with debug level 0 to get
# the administrators attention. The value is in page faults
# per second.
#
#Default:
# high_page_fault_warning 0
# TAG: high_memory_warning
# If the memory usage (as determined by mallinfo) exceeds
# value, Squid prints a WARNING with debug level 0 to get
# the administrators attention.
#
#Default:
# high_memory_warning 0
# TAG: store_dir_select_algorithm
# Set this to 'round-robin' as an alternative.
#
#Default:
# store_dir_select_algorithm least-load
# TAG: forward_log
# Note: This option is only available if Squid is rebuilt with the
# --enable-forward-log option
#
# Logs the server-side requests.
#
# This is currently work in progress.
#
#Default:
# none
# TAG: ie_refresh on|off
# Microsoft Internet Explorer up until version 5.5 Service
# Pack 1 has an issue with transparent proxies, wherein it
# is impossible to force a refresh. Turning this on provides
# a partial fix to the problem, by causing all IMS-REFRESH
# requests from older IE versions to check the origin server
# for fresh content. This reduces hit ratio by some amount
# (~10% in my experience), but allows users to actually get
# fresh content when they want it. Note that because Squid
# cannot tell if the user is using 5.5 or 5.5SP1, the behavior
# of 5.5 is unchanged from old versions of Squid (i.e. a
# forced refresh is impossible). Newer versions of IE will,
# hopefully, continue to have the new behavior and will be
# handled based on that assumption. This option defaults to
# the old Squid behavior, which is better for hit ratios but
# worse for clients using IE, if they need to be able to
# force fresh content.
#
#Default:
# ie_refresh off
# TAG: vary_ignore_expire on|off
# Many HTTP servers supporting Vary gives such objects
# immediate expiry time with no cache-control header
# when requested by a HTTP/1.0 client. This option
# enables Squid to ignore such expiry times until
# HTTP/1.1 is fully implemented.
# WARNING: This may eventually cause some varying
# objects not intended for caching to get cached.
#
#Default:
# vary_ignore_expire off
# TAG: sleep_after_fork (microseconds)
# When this is set to a non-zero value, the main Squid process
# sleeps the specified number of microseconds after a fork()
# system call. This sleep may help the situation where your
# system reports fork() failures due to lack of (virtual)
# memory. Note, however, that if you have a lot of child
# processes, these sleep delays will add up and your
# Squid will not service requests for some amount of time
# until all the child processes have been started.
# On Windows value less then 1000 (1 milliseconds) are
# rounded to 1000.
#
#Default:
# sleep_after_fork 0
# TAG: minimum_expiry_time (seconds)
# The minimum caching time according to (Expires - Date)
# Headers Squid honors if the object can't be revalidated
# defaults to 60 seconds. In reverse proxy enorinments it
# might be desirable to honor shorter object lifetimes. It
# is most likely better to make your server return a
# meaningful Last-Modified header however.
#
#Default:
# minimum_expiry_time 60 seconds
# TAG: relaxed_header_parser on|off|warn
# In the default "on" setting Squid accepts certain forms
# of non-compliant HTTP messages where it is unambiguous
# what the sending application intended even if the message
# is not correctly formatted. The messages is then normalized
# to the correct form when forwarded by Squid.
#
# If set to "warn" then a warning will be emitted in cache.log
# each time such HTTP error is encountered.
#
# If set to "off" then such HTTP errors will cause the request
# or response to be rejected.
#
#Default:
# relaxed_header_parser on
# TAG: max_filedesc
# The maximum number of open file descriptors.
#
# WARNING: Changes of this value isn't respected by reconfigure
# command. This value should be changed only if there isn't
# any active squid process.
#
# NOTE: This option is only supported by system with poll()
# or epoll(). You can set this value by --with-maxfd during
# compilation on system whith uses select().
#
# The maximum value for max_filedesc is set by --with-maxfd during
# compilation.
#
#Default:
# max_filedesc 1024
|
|
QQ群⑧:
窥视卡
雷达卡
发表于 2015-8-1 14:24:47
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡