Squid正向代理
2017-10-03 本文已影响0人
石乐志的LK
简介
正向代理语义上更侧重于,让代理服务器去帮忙请求某个网址。让代理服务器去帮忙访问qq,baidu这些网站等。
在这里有两个特征。
1、被访问的服务器(qq、baidu)只知道是代理服务器请求的,而不知道是你请求的;
2、你可以明确知道你要请求的真实服务器(qq、baidu)
3、客户端必须在浏览器设置代理服务器的地址和端口。(设置之后,意思就是说只要在这个浏览器上输入的网址,统统都丢给代理服务器去帮忙访问)
安装
yum install -y squid
配置
vim /etc/squid/squid.conf
#
# Recommended minimum configuration:
#
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
#
# Recommended minimum Access Permission configuration:
#
# Only allow cachemgr access from localhost
#
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
# Deny requests to certain unsafe ports
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost
# And finally deny all other access to this proxy
#http_access deny all
http_access allow all
cache_dir aufs /data/cache 1024 16 256
cache_mem 512 MB
hierarchy_stoplist cgi-bin ?
# Squid normally listens to port 3128
http_port 3128
# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/spool/squid 100 16 256
# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid
# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
这里我主要改变了以下几行
http_access allow all
cache_dir aufs /data/cache 1024 16 256
cache_mem 512 MB
hierarchy_stoplist cgi-bin ?
将缓存的目录改变到
/data/cache
所以我们要来创建/缓存目录
mkdir -p /data/cache
chown -R squid:squid /data/cache
初始化缓存目录
squid -z
检测配置文件是否有语法错误
squid -k check
squid: ERROR: No running copy
这是说 squid 还未启动,没有关系
service squid start
我在启动的时候一直出错无法启动,查看日志后发现
/data/cache/swap.state: (13) Permission denied
FATAL: commonUfsDirOpenSwapLog: Failed to open swap log.
Squid Cache (Version 3.1.23): Terminated abnormally.
但是我明明已经给squid授权了呀!
后来才发现自己的selinux没有关闭
setenforce=0
vim /etc/selinux/config
selinux=disabled
再次启动服务,成功启动
测试
curl -x 127.0.0.1:3128 http://www.baidu.com -I
成功返回网页,成功!
设置白名单
如果我们只想代理某几个域名
vim /etc/squid/squid.conf
在acl CONNECT method CONNECT下面加入
acl http proto HTTP
acl good_domain dstdomain .hpe.com .hpelinux.com
http_access allow http good_domain
http_access deny http !good_domain
重启squid
service squid restart
再次代理访问百度
curl -x 127.0.0.1:3128 http://www.baidu.com -I
不能成功返回,应该是403禁止访问
设置黑名单
道理和设置白名单相同
vim /etc/squid/squid.conf
在acl CONNECT method CONNECT下面加入
acl http proto HTTP
acl bad_domain dstdomain .sina.com .sohu.com
http_access allow http !bad_domain
http_access deny http bad_domain
重启squid
service squid restart
再次代理访问百度
curl -x 127.0.0.1:3128 http://www.baidu.com -I
可以访问,成功返回200
代理访问新浪
curl -x 127.0.0.1:3128 http://www.sina.com -I
访问出错,403禁止访问
