我用Google搜了一下,有好多文章,你可以参考一下。
squid反向代理和透明代理的实现
通过2个例子介绍squid做反向代理和实现透明代理。
squid做反向代理主要应用在高负荷网站上(如sina、netease等),性能和效率会比Apache的mod_proxy高很多。
实现透明代理主要是加快访问互联网的速度,控制访问等。
反向代理配置:
在 /etc/hosts 中加入内部的DNS解析(让加速器把 Host 头解析到内网源站,而不是外网地址),比如:
# Origin servers behind the accelerator. These entries make the site names
# resolve to the internal backend (192.168.0.4) on the proxy host itself.
192.168.0.4 www.yarshure.com
192.168.0.4 blog.yarshure.com
# cat squid.conf
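# Squid 2.5 reverse-proxy (accelerator) configuration.
# Squid listens on the public address and forwards to the origin servers
# named in /etc/hosts on port 18080 (httpd_accel_port).
# Lines marked NOTE(review) are reviewer remarks, not part of the original post.
http_port xxx.xxx.xx.xx:80
icp_port 0

# Never cache dynamic content. The dot and "?" are escaped so they match
# literally; the stock squid.conf uses "cgi-bin \?" for the same reason.
acl QUERY urlpath_regex \.php cgi-bin \?
no_cache deny QUERY
uri_whitespace strip
#offline_mode on
maximum_object_size 25600 KB
cache_mem 64 MB
cache_dir ufs /scsi/cache/swap 128 16 256
pid_filename /var/run/squid.pid
#cache_access_log /dev/null
cache_access_log /scsi/cache/logs/access.log
cache_log /scsi/cache/logs/cache.log
cache_store_log none
emulate_httpd_log on
logfile_rotate 3
visible_hostname localhost
# NOTE(review): 2 KB is tight; clients sending large cookies will get errors.
request_header_max_size 2 KB
redirect_rewrites_host_header off
cache_replacement_policy heap GDSF
memory_replacement_policy heap GDSF
half_closed_clients off

# ---- ACL definitions ----
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
# NOTE(review): 1025-65535 is very broad; what actually limits abuse here is the
# vhost destination check below, not this port list.
acl Safe_ports port 8080 80 21 443 563 70 210 1025-65535
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
# NOTE(review): this community string was published with the post -- change it.
acl snmppublic snmp_community vhs_squid
# Destinations this accelerator is allowed to forward to. NOTE(review): /etc/hosts
# maps the sites to 192.168.0.4, which is outside these ranges -- confirm the list.
acl vhost dst 172.16.0.0/24 172.16.182.0/24 xx.xx.xx.xxx/32
# Block worm/scanner probes (.exe, .ida as used by Code Red) and "../" traversal.
# The original "exe? ida? ./" made the last letter optional and left "." unescaped,
# so "ex", "id" and any "x/" matched -- even /index.html was denied.
acl badURL urlpath_regex -i \.exe \.ida \.\./
# Matches a client that already has MORE than 5 connections open.
acl max_connection maxconn 5

# ---- http_access: first match wins ----
# Cache manager only from the box itself.
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
# maxconn matches clients over the limit, so this must be a deny. The original
# "allow max_connection" was the first rule, so such clients were let through
# before the badURL/vhost checks ran.
http_access deny max_connection
http_access deny badURL
# Only requests whose destination is one of our origin servers; the explicit
# final deny avoids relying on Squid's "opposite of the last rule" default.
http_access allow vhost
http_access deny all

# ---- refresh rules: first match wins, catch-all "." last ----
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i \.gif 10 40% 60 ignore-reload
refresh_pattern -i \.jpg 10 40% 60 ignore-reload
# ".htm" also matches ".html", so the ".html" line below is only kept for clarity.
refresh_pattern -i \.htm 0 40% 60
refresh_pattern -i \.html 0 40% 60
refresh_pattern -i \.css 10 40% 60 ignore-reload
refresh_pattern -i \.swf 10 40% 60 ignore-reload
refresh_pattern -i \.cur 10 40% 60 ignore-reload
refresh_pattern -i \.js$ 10 40% 60 ignore-reload
refresh_pattern . 0 20% 60
ie_refresh on
cache_mgr webmaster@vhs.cn
cache_effective_user nobody
cache_effective_group nobody

# ---- accelerator mode ----
httpd_accel_host virtual
httpd_accel_port 18080
httpd_accel_with_proxy off
httpd_accel_uses_host_header on

# NOTE(review): this password was published with the post -- change it.
cachemgr_passwd cygwin_squid info stats/objects
snmp_port 3401
snmp_access allow snmppublic
# Without this, a request with a non-matching community falls through to the
# opposite of the last rule (allow), i.e. any community string would be accepted.
snmp_access deny all
memory_pools on
forwarded_for on
log_icp_queries off
reload_into_ims on
coredump_dir /usr/local/squid/var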
透明代理配置:
OS: FreeBSD 4.8,fxp0: 172.18.248.100(对外),em0: 192.168.0.1(对内)
从 http://www.squid-cache.org/Versions/v2/2.5/ 下载 squid-2.5.STABLE3.tar.gz 获得squid的源码(2.5.STABLE3 之后还发布了多个修复安全问题的 STABLE 版本,实际部署请使用当时最新的 2.5.STABLE 版本)。
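# Unpack and build Squid 2.5.STABLE3. The original "cd" line was missing the
# trailing "3" and would not have matched the unpacked directory.
tar zxvf squid-2.5.STABLE3.tar.gz
cd squid-2.5.STABLE3
# NOTE(review): --enable-ipf-transparent is the IPFilter hook. This setup intercepts
# with ipfw "fwd" instead, which works without it because Squid rebuilds the origin
# from the Host header (httpd_accel_uses_host_header on). Confirm it builds on your box.
./configure --prefix=/opt/squid --enable-ssl --enable-internal-dns --enable-refer-log --enable-forw-via-db --enable-ipf-transparent
# The original "make & make install" put make in the background and started the
# install at once; "&&" runs the install only after a successful build.
make && make install
# The post also shows a second configure invocation. Running it after the one
# above would discard --prefix=/opt/squid and the other flags, so it is kept
# here for reference only:
#   ./configure --enable-language=SimplifiedChinese --enable-cgidir=/usr/local/ww/cgi-bin-dist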
FreeBSD 上需要 ipfw 和 natd 支持。
kernel配置文件加入
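# Kernel options for ipfw + natd + transparent forwarding (FreeBSD 4.x).
options IPFIREWALL                    # ipfw packet filter
options IPFIREWALL_VERBOSE            # enable logging to syslogd(8)
options IPFIREWALL_FORWARD            # "fwd" action, needed for transparent proxying
options IPFIREWALL_VERBOSE_LIMIT=100  # limit verbosity (log messages per rule)
# NOTE(review): with DEFAULT_TO_ACCEPT the firewall passes everything not
# explicitly denied (rc.conf's firewall_type="open" does the same). Acceptable
# for a lab box; a gateway reachable on 172.18.248.100 should drop this and run
# a default-deny rule set.
options IPFIREWALL_DEFAULT_TO_ACCEPT  # allow everything by default
options NMBCLUSTERS=32768             # more mbuf clusters for a busy proxy
# The original line carried explanatory text without a "#", which config(8)
# does not accept; it is a comment now.
options IPDIVERT                      # divert sockets, required by natd(8)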
编译内核使之生效
修改 /etc/rc.conf,加入:
# /etc/rc.conf additions: turn the box into a NAT gateway with ipfw enabled.
gateway_enable="YES"
natd_enable="YES" # start natd(8) at boot
natd_interface="fxp0" # outside (public) interface, 172.18.248.100
firewall_enable="YES"
firewall_script="/etc/rc.firewall"
# NOTE(review): "open" loads allow-all rules; combined with IPFIREWALL_DEFAULT_TO_ACCEPT
# nothing is filtered on the public side. The fwd/divert rules shown later are
# added by hand and are not persisted by this type -- use a custom firewall_type
# or a script that also installs them, or they are lost at reboot.
firewall_type="open"
firewall_quiet="YES"
firewall_logging_enable="YES"
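# ipfw rules for interception; rules are evaluated in ascending number order.
# Fixes relative to the original post:
#  - "fwd 127.0.0.1" without a port keeps the original destination port (80),
#    but Squid listens on 8080 (http_port), so nothing reached it; the port is
#    now given with the address.
#  - the original forwarded ALL tcp, which would also swallow ssh/smtp/etc.;
#    only destination port 80 is intercepted now.
#  - the source was 10.0.50.0/24 while the LAN described above is 192.168.0.0/24
#    on em0 (also the our_networks acl); the rule now uses that network.
#  - two rules shared number 00500 (one to 127.0.0.1, one to 61.129.87.242) and
#    natd was diverted twice ("8668" and "natd" are the same port); one of each
#    remains.
ipfw add 00300 allow ip from me to me
ipfw add 00400 divert natd ip from any to any via fxp0
# If Squid is bound to the public address instead of loopback, use that address here.
ipfw add 00500 fwd 127.0.0.1,8080 tcp from 192.168.0.0/24 to any dst-port 80 in via em0
sysctl net.inet.ip.forwarding=1
# gateway_enable/natd_enable in rc.conf already do these two at boot; they are
# only needed when bringing the gateway up by hand.
natd -interface fxp0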
以上实现包转发(NAT)和把内网 80 端口流量交给 squid 的功能。
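# Squid runs as nobody/nogroup (cache_effective_user/group in the appendix
# squid.conf), so the cache and log directories it uses must be owned by that
# user. The original used "chmod -R nobody ..." (chmod takes a mode, not a user)
# on /var/cache and /var/logs, which are not the directories squid.conf points
# at (/opt/squid/var/cache and /opt/squid/var/logs).
mkdir -p /opt/squid/var/cache /opt/squid/var/logs
chown -R nobody:nogroup /opt/squid/var/cache /opt/squid/var/logs
# Create the cache swap directories (absolute path; "./opt/..." only worked
# when run from "/").
/opt/squid/sbin/squid -z
# First run in the foreground: -N no daemon, -C don't catch fatal signals,
# -d1 debug level 1 to stderr. The original "NCD1" is missing the dash and
# uses a capital D, which squid(8) does not recognise.
/opt/squid/sbin/squid -NCd1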
客户端的默认网关设为 server 内网网卡地址(192.168.0.1)。
附录:squid.conf
proxy# cat squid.conf
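# Squid 2.5 transparent (intercepting) proxy for the 192.168.0.0/24 LAN.
# Traffic reaches port 8080 through the ipfw "fwd" rule; the httpd_accel_*
# directives make Squid rebuild the origin URL from the Host header.
# Lines marked NOTE(review) are reviewer remarks, not part of the original post.
http_port 8080
icp_port 0
icp_query_timeout 2000
maximum_icp_query_timeout 2500
hierarchy_stoplist cgi-bin ?
# "?" is escaped so it matches literally (the stock squid.conf uses "cgi-bin \?").
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
cache_mem 256 MB
cache_swap_low 90
cache_swap_high 95
maximum_object_size 1096 KB
minimum_object_size 0 KB
maximum_object_size_in_memory 8 KB
cache_replacement_policy lru
memory_replacement_policy lru
cache_dir ufs /opt/squid/var/cache 2000 16 1024
cache_access_log /opt/squid/var/logs/access.log
cache_log /opt/squid/var/logs/cache.log
cache_store_log /opt/squid/var/logs/store.log
log_ip_on_direct on
mime_table /opt/squid/etc/mime.conf
pid_filename /opt/squid/var/logs/squid.pid
# Masks the host part of client addresses in access.log (privacy only; the
# ACLs below still see the full address).
client_netmask 255.255.0.0
ftp_user Squid@the9.com
connect_timeout 2 minutes

# ---- ACL definitions ----
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl our_networks src 192.168.0.0/255.255.255.0
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 20
acl Safe_ports port 22
# NOTE(review): listing 23 and 25 lets LAN clients tunnel telnet and SMTP through
# CONNECT (the proxy becomes a mail relay for the LAN). Remove them unless intended.
acl Safe_ports port 23
acl Safe_ports port 25
acl Safe_ports port 110
acl Safe_ports port 443 # https
acl Safe_ports port 3389
acl Safe_ports port 4433
acl Safe_ports port 55901
acl Safe_ports port 44405
acl Safe_ports port 2200
# Ports that are blocked outright (1863/1862 are the MSN Messenger ports,
# presumably to keep IM off the proxy).
acl noSa_ports port 1863
acl noSa_ports port 1862
acl CONNECT method CONNECT
acl Safe_md method GET POST
# Basic auth for users who configure the proxy explicitly. auth_param must be
# defined before the proxy_auth acl that uses it.
auth_param basic program /opt/squid/libexec/ncsa_auth /opt/squid/etc/passwd
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
acl isd proxy_auth yarshure

# ---- http_access: first match wins; "deny all" at the end is mandatory ----
# NOTE(review): no cachemgr_passwd is set, so every LAN host can read cache
# statistics; use "allow manager localhost" if that is not wanted.
http_access allow manager our_networks
http_access deny manager
http_access deny !Safe_ports
http_access deny noSa_ports
http_access deny CONNECT !Safe_ports
# The original "allow Safe_md" / "allow SSL_ports" had no source restriction,
# so anyone able to reach port 8080 on the outside interface (172.18.248.100)
# had an open proxy for GET/POST and for port 443. Both are now limited to
# our_networks; the proxy_auth and "deny all" rules were unreachable before.
http_access allow our_networks Safe_md
http_access allow our_networks SSL_ports
# Anything else (other methods, or clients outside the LAN) needs a proxy login.
# Intercepted (transparent) clients cannot answer a 407 challenge, so this only
# helps clients that configure the proxy explicitly.
http_access allow isd
http_access deny all

# ---- accelerator settings used for interception ----
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
http_reply_access allow all
icp_access allow all
cache_effective_user nobody
cache_effective_group nogroup

# ---- refresh rules: first match wins, so the catch-all "." must be LAST ----
# In the original, "^ftp:" and "." came first, which made every per-extension
# pattern unreachable. Dots are escaped so ".html" does not also match "xhtml".
# NOTE(review): "\.js" unanchored also matches .jsp/.json; add "$" if that matters.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i \.html 120 90% 1440 reload-into-ims #1440=1day
refresh_pattern -i \.shtml 120 90% 1440 reload-into-ims
refresh_pattern -i \.htm 120 90% 1440 reload-into-ims
refresh_pattern -i \.gif 120 90% 1440 reload-into-ims
refresh_pattern -i \.swf 120 90% 1440 reload-into-ims
refresh_pattern -i \.jpg 120 90% 1440 reload-into-ims
refresh_pattern -i \.png 120 90% 1440 reload-into-ims
refresh_pattern -i \.bmp 120 90% 1440 reload-into-ims
refresh_pattern -i \.js 120 90% 1440 reload-into-ims
refresh_pattern . 0 20% 4320
# Treat IE's "no-cache" reloads as conditional requests. The original line had
# trailing text "(强制刷新)" that is not part of the directive.
ie_refresh on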