How to install and configure a Squid proxy server on CentOS 7

Document date: 5 December 2019

A proxy server sits between two endpoints and acts as an intermediary.

When a client C requests a resource from a server S, for example a document or a web page, the request first goes to the proxy server P. The proxy then forwards the request to the destination server and fetches the resource on the client's behalf.

|C| ----><---- |P| ----><---- |S|

One benefit of a proxy is caching. If many users request the same page, the proxy keeps a local copy and serves later requests for it straight from the cache.

Proxies are used for access control, security checks and caching. They can also provide a degree of anonymity: the proxy fetches resources with its own IP address, so the client's address does not have to reach the destination. Be aware that Squid's default settings still pass the client address along in an X-Forwarded-For header (and announce the proxy in a Via header); set forwarded_for off or forwarded_for delete in squid.conf if that matters to you.

Squid is an open-source caching proxy for the web. It supports HTTP, HTTPS, FTP and more. By caching and reusing frequently requested pages it improves response times and reduces bandwidth use.

This article shows how to install Squid on CentOS 7 and walks through the basic configuration needed to run it as a caching proxy.

# Requirements

Squid has no fixed minimum hardware requirements; memory use depends on how many users go through the proxy and how many objects are held in the cache. For the rest of this article you need root access on CentOS 7. If you are logged in as a regular user, switch to root with sudo -i; if you are in the sudoers group you can instead prefix each command with sudo.

# Installing Squid

Before installing, update the system packages:

yum -y update

Squid 3.5 is shipped in the CentOS 7 base repository, so the EPEL repository is not actually required for it. The original steps enable EPEL anyway and then refresh the package metadata, which does no harm:

yum -y install epel-release
yum -y update
yum clean all

Now install Squid with:

yum -y install squid

Once installed, manage Squid through systemd. Start the service:

systemctl start squid

To start it automatically at boot:

systemctl enable squid

Check the service status:

systemctl status squid

The output looks roughly like this:

[root@192 ~]# systemctl status squid
● squid.service - Squid caching proxy
   Loaded: loaded (/usr/lib/systemd/system/squid.service; disabled; vendor preset: disabled)
   Active: active (running) since Fri 2019-12-06 01:44:50 CST; 33s ago
  Process: 1312 ExecStart=/usr/sbin/squid $SQUID_OPTS -f $SQUID_CONF (code=exited, status=0/SUCCESS)
  Process: 1306 ExecStartPre=/usr/libexec/squid/cache_swap.sh (code=exited, status=0/SUCCESS)
 Main PID: 1314 (squid)
   CGroup: /system.slice/squid.service
           ├─1314 /usr/sbin/squid -f /etc/squid/squid.conf
           ├─1316 (squid-1) -f /etc/squid/squid.conf
           └─1317 (logfile-daemon) /var/log/squid/access.log

Dec 06 01:44:50 192.168.233.166 systemd[1]: Starting Squid caching proxy...
Dec 06 01:44:50 192.168.233.166 squid[1314]: Squid Parent: will start 1 kids
Dec 06 01:44:50 192.168.233.166 squid[1314]: Squid Parent: (squid-1) process 1316 started
Dec 06 01:44:50 192.168.233.166 systemd[1]: Started Squid caching proxy.

To list the available command-line options:

[root@192 ~]# squid -h
Usage: squid [-cdhvzCFNRVYX] [-n name] [-s | -l facility] [-f config-file] [-[au] port] [-k signal]
       -a port   Specify HTTP port number (default: 3128).
       -d level  Write debugging to stderr also.
       -f file   Use given config-file instead of /etc/squid/squid.conf
       -h        Print help message.
       -k reconfigure|rotate|shutdown|restart|interrupt|kill|debug|check|parse
                 Parse configuration file, then send signal to
                 running copy (except -k parse) and exit.
       -n name   Specify service name to use for service operations
                 default is: squid.
       -s | -l facility
                 Enable logging to syslog.
       -u port   Specify ICP port number (default: 3130), disable with 0.
       -v        Print version.
       -z        Create missing swap directories and then exit.
       -C        Do not catch fatal signals.
       -D        OBSOLETE. Scheduled for removal.
       -F        Don't serve any requests until store is rebuilt.
       -N        No daemon mode.
       -R        Do not set REUSEADDR on port.
       -S        Double-check swap during rebuild.
       -X        Force full debugging.
       -Y        Only return UDP_HIT or UDP_MISS_NOFETCH during fast reload.

To see the version and the options it was built with:

[root@192 ~]# squid -v
Squid Cache: Version 3.5.20
Service Name: squid
configure options:  '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--disable-strict-error-checking' '--exec_prefix=/usr' '--libexecdir=/usr/lib64/squid' '--localstatedir=/var' '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid' '--with-logdir=$(localstatedir)/log/squid' '--with-pidfile=$(localstatedir)/run/squid.pid' '--disable-dependency-tracking' '--enable-eui' '--enable-follow-x-forwarded-for' '--enable-auth' '--enable-auth-basic=DB,LDAP,MSNT-multi-domain,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB,SMB_LM,getpwnam' '--enable-auth-ntlm=smb_lm,fake' '--enable-auth-digest=file,LDAP,eDirectory' '--enable-auth-negotiate=kerberos' '--enable-external-acl-helpers=file_userip,LDAP_group,time_quota,session,unix_group,wbinfo_group,kerberos_ldap_group' '--enable-cache-digests' '--enable-cachemgr-hostname=localhost' '--enable-delay-pools' '--enable-epoll' '--enable-ident-lookups' '--enable-linux-netfilter' '--enable-removal-policies=heap,lru' '--enable-snmp' '--enable-ssl-crtd' '--enable-storeio=aufs,diskd,rock,ufs' '--enable-wccpv2' '--enable-esi' '--enable-ecap' '--with-aio' '--with-default-user=squid' '--with-dl' '--with-openssl' '--with-pthreads' '--disable-arch-native' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'CFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -fpie' 'LDFLAGS=-Wl,-z,relro -pie -Wl,-z,relro -Wl,-z,now' 'CXXFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -fpie' 'PKG_CONFIG_PATH=:/usr/lib64/pkgconfig:/usr/share/pkgconfig'

Squid's main configuration file is /etc/squid/squid.conf. You can now point a browser at the proxy you have just set up.

In Internet Explorer and Google Chrome, open Control Panel -> Internet Options -> Connections -> LAN settings -> Proxy server and tick "Use a proxy server for your LAN". Enter the proxy server's IP address and port 3128. Traffic from that browser now goes through the proxy.

By default Squid only accepts requests from clients in the RFC 1918 private ranges listed in its localnet ACLs (and from localhost). A client outside those ranges gets Squid's "Access Denied" error page (HTTP 403), and you need to adjust the access rules as described below. If the browser instead reports "The proxy server is refusing connections", the TCP connection itself is being rejected before Squid sees it; on a fresh CentOS 7 install that usually means firewalld has not been told to allow port 3128.

First have a look at the access log:

tail -f /var/log/squid/access.log

Entries look like the following (the leading timestamp column was cut off in this excerpt). Note that these sample lines are requests that were allowed, logged as TCP_MISS/200; a request rejected by the access rules is logged as TCP_DENIED/403:

.987 61641 61.14.229.246 TCP_MISS/200 3460 CONNECT aus5.mozilla.org:443 - HIER_DIRECT/52.42.158.162 -
.531 61.14.229.246 TCP_MISS/200 129 CONNECT qa.sockets.stackexchange.com:80 - HIER_DIRECT/198.252.206.25 -
.995 61.14.229.246 TCP_MISS/200 129 CONNECT qa.sockets.stackexchange.com:80 - HIER_DIRECT/198.252.206.25 -
.906 61.14.229.246 TCP_MISS/200 129 CONNECT qa.sockets.stackexchange.com:80 - HIER_DIRECT/198.252.206.25 -
.984 4939 61.14.229.246 TCP_MISS/200 129 CONNECT qa.sockets.stackexchange.com:80 - HIER_DIRECT/198.252.206.25 -
.292 61.14.229.246 TCP_MISS/200 3828 CONNECT qa.sockets.stackexchange.com:443 - HIER_DIRECT/198.252.206.25 -
.853 61.14.229.246 TCP_MISS/200 216 CONNECT qa.sockets.stackexchange.com:80 - HIER_DIRECT/198.252.206.25 -
.413 4459 61.14.229.246 TCP_MISS/200 129 CONNECT qa.sockets.stackexchange.com:80 - HIER_DIRECT/198.252.206.25 -
.392 61.14.229.246 TCP_MISS/200 158 CONNECT qa.sockets.stackexchange.com:80 - HIER_DIRECT/198.252.206.25 -
.745 61.14.229.246 TCP_MISS/200 158 CONNECT qa.sockets.stackexchange.com:80 - HIER_DIRECT/198.252.206.25 -
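The excerpt above lost its timestamp column during extraction, so the field layout is not obvious. The following Python script is an added example, not part of the original article or of Squid: it parses the default "squid" log format (time, duration, client, result/status, bytes, method, URL, user, hierarchy/peer, content type) over a few constructed lines, including two rejected requests, and summarises TCP_DENIED entries per client. The timestamps and the client 203.0.113.77 are made up.

```python
"""Added example: parse Squid's native access.log format and pick out denied requests."""
from collections import Counter

# Constructed sample lines (made up; the tutorial's excerpt lost its timestamp column).
# Two records show what rejected requests look like: 403 = blocked by http_access,
# 407 = Squid asked for proxy credentials.
SAMPLE_LOG = """\
1575567890.987  61641 61.14.229.246 TCP_MISS/200 3460 CONNECT aus5.mozilla.org:443 - HIER_DIRECT/52.42.158.162 -
1575567891.531    129 61.14.229.246 TCP_MISS/200 129 CONNECT qa.sockets.stackexchange.com:80 - HIER_DIRECT/198.252.206.25 -
1575567900.120      0 203.0.113.77 TCP_DENIED/403 3912 GET http://example.com/ - HIER_NONE/- text/html
1575567901.005      0 203.0.113.77 TCP_DENIED/407 3715 GET http://example.com/ - HIER_NONE/- text/html
"""

# Field order of Squid's default "squid" logformat.
FIELDS = ("time", "duration_ms", "client", "result", "bytes", "method",
          "url", "user", "hierarchy", "content_type")


def parse_line(line):
    """Split one native-format record into a dict; returns None for malformed lines."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    rec["time"] = float(rec["time"])
    rec["duration_ms"] = int(rec["duration_ms"])
    rec["bytes"] = int(rec["bytes"])
    code, _, status = rec.pop("result").partition("/")
    rec["result_code"] = code      # e.g. TCP_MISS, TCP_HIT, TCP_DENIED
    rec["status"] = int(status)    # HTTP status returned to the client
    return rec


def parse_log(text):
    """Parse every well-formed line of an access.log excerpt."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def denied_by_client(records):
    """Count TCP_DENIED records per client address."""
    return Counter(r["client"] for r in records if r["result_code"] == "TCP_DENIED")


def status_counts(records):
    """Count (result_code, status) pairs, e.g. ('TCP_DENIED', 403)."""
    return Counter((r["result_code"], r["status"]) for r in records)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(status_counts(recs))
    print(denied_by_client(recs))
```

Run it against a real file with parse_log(open("/var/log/squid/access.log").read()); a client that shows up with many TCP_DENIED/403 entries is either misconfigured or probing your proxy.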

# Configuring Squid

Open the configuration file in an editor:

vim /etc/squid/squid.conf

The shipped minimum configuration looks like this:

#
# Recommended minimum configuration:
#

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost

# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128
http_port 3128

# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/spool/squid 100 16 256

# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid

#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .

# Allowing client IP addresses to use your proxy

To allow a range of client addresses, add an ACL entry; Squid accepts CIDR notation. Suppose you want to allow 110.220.230.1 through 110.220.230.255. A /24 prefix fixes the first three octets (24 bits) as the network part and leaves the last octet free, which covers the 256 addresses 110.220.230.0 to 110.220.230.255:

acl localnet src 110.220.230.0/24

This is the same as writing the range with a subnet mask of 255.255.255.0. The acl line on its own only defines the set of addresses; it takes effect through the existing http_access allow localnet line, which has to stay above http_access deny all because Squid applies the first http_access rule that matches.

After editing, don't forget to restart the Squid service:

systemctl restart squid

# Allowing HTTP connections to specific ports

By default Squid only lets requests through to the ports it considers safe:

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http

These are well-known service ports, so they cause no trouble. To add a custom port to this trusted list, add another line following the same pattern. Keep in mind that the separate rule http_access deny CONNECT !SSL_ports still restricts HTTPS-style tunnels (CONNECT) to port 443; if a client needs to tunnel to another port, that port must be added to SSL_ports as well. Keep both lists as short as you can: a proxy that will CONNECT to arbitrary ports is easy to abuse as a relay for mail or for scanning hosts behind it.

acl Safe_ports port 168

Restart with systemctl restart squid for the change to take effect.

# Using Squid's basic authentication

If you want users to identify themselves before they can use the proxy, Squid's basic authentication is the simplest option.

We'll use the httpd-tools package, which provides the htpasswd command for creating a file of hashed passwords. Install it with:

yum -y install httpd-tools

Then create an empty password file and hand it to the squid user. The default umask leaves a new file world-readable; tighten it to mode 640 so other local accounts cannot read the hashes.

touch /etc/squid/passwd && chown squid /etc/squid/passwd

Next add a user to the file with htpasswd. To add a user called pxuser:

htpasswd /etc/squid/passwd pxuser

You will be prompted for the password and asked to confirm it. Remember that this is pxuser's proxy password.

By default htpasswd hashes the password with its MD5-based scheme ($apr1$), so the file holds that hash rather than the password itself. Keep in mind, though, that Basic authentication sends the username and password base64-encoded, not encrypted, with every request, so anyone who can observe traffic between a client and the proxy can read them.

With the user in place, tell Squid to let authenticated users through. Add the following lines to squid.conf. The auth_param lines must come before the acl that uses proxy_auth, and the http_access allow line must sit above http_access deny all or it is never reached. Also note that an earlier http_access allow localnet line matches first, so LAN clients will never be asked for credentials unless you remove that line or combine the two conditions (http_access allow localnet auth_users):

auth_param basic program /usr/lib64/squid/basic_ncsa_auth /etc/squid/passwd
auth_param basic children 5
auth_param basic realm Squid Basic Authentication
auth_param basic credentialsttl 2 hours
acl auth_users proxy_auth REQUIRED
http_access allow auth_users

Restart Squid after saving. On the next connection the browser shows a login prompt for a username and password; if authentication fails, Squid returns an error page.
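To see what the helper is actually checking, here is an added Python example (not Squid's code and not part of the original article) of the Basic auth round trip: the 407 challenge, the Proxy-Authorization header the browser sends back, and the lookup in an htpasswd-style file. The sample entry is constructed and assumes it was created with htpasswd -s, which stores {SHA} followed by base64(sha1(password)); basic_ncsa_auth accepts that form too. htpasswd's default $apr1$ (MD5) scheme is not implemented here. The user name, password and realm string are taken from or modelled on the article.

```python
"""Added example: what Squid's Basic proxy authentication checks, end to end."""
import base64
import hashlib
import hmac

REALM = "Squid Basic Authentication"

# Constructed password file in htpasswd format. Assumption: the entry was made with
# `htpasswd -s`, i.e. "{SHA}" + base64(sha1(password)). The $apr1$ scheme that
# htpasswd uses by default is not implemented in this example.
PASSWD_TEXT = "pxuser:{SHA}" + base64.b64encode(
    hashlib.sha1(b"correct horse").digest()).decode()


def load_passwd(text):
    """Parse 'user:hash' lines into a dict; blank lines and comments are ignored."""
    db = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and ":" in line:
            user, _, digest = line.partition(":")
            db[user] = digest
    return db


def verify(user, password, db):
    """Compare a cleartext password against the stored {SHA} hash in constant time."""
    stored = db.get(user)
    if stored is None or not stored.startswith("{SHA}"):
        return False  # unknown user, or a hash scheme this example does not handle
    want = base64.b64decode(stored[len("{SHA}"):])
    got = hashlib.sha1(password.encode()).digest()
    return hmac.compare_digest(want, got)


def basic_header(user, password):
    """Build the Proxy-Authorization value a browser sends after a 407."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def decode_basic(value):
    """Recover (user, password) from a Basic header: it is base64, not encryption."""
    scheme, _, blob = value.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        user, _, password = base64.b64decode(blob).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    return user, password


def handle_request(headers, db):
    """Return (status, challenge header): 407 until valid credentials arrive."""
    challenge = f'Proxy-Authenticate: Basic realm="{REALM}"'
    value = headers.get("Proxy-Authorization")
    creds = decode_basic(value) if value else None
    if creds and verify(creds[0], creds[1], db):
        return 200, None
    return 407, challenge


if __name__ == "__main__":
    db = load_passwd(PASSWD_TEXT)
    hdr = basic_header("pxuser", "correct horse")
    print(handle_request({}, db))
    print(handle_request({"Proxy-Authorization": hdr}, db))
    print(decode_basic(hdr))  # anyone who sees this header sees the password
```

The decode_basic step is the reason to take the file permissions and the client-to-proxy network path seriously: the hash on disk only protects against someone reading the file, while the password crosses the wire in the clear on every request unless the client talks to Squid over TLS (https_port).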

# Blocking websites

As proxy operator you may not want users reaching certain sites, and that is easy to arrange. A common way to manage the list is to keep the blocked domains in a separate file:

touch /etc/squid/blocked_sites

For example, one domain per line. Note that a bare name such as baidu.com matches only that exact host, while a name with a leading dot, .baidu.com, also matches every subdomain such as www.baidu.com, which is usually what you want:

.baidu.com
.google.com

Save the file and add the following to /etc/squid/squid.conf. Put the deny line above http_access allow localnet (and any other allow line): Squid applies the first matching rule, so a deny appended to the end of the file after http_access deny all is never evaluated:

acl blocked_sites dstdomain "/etc/squid/blocked_sites"
http_access deny blocked_sites

Restart the service, and Baidu and Google are now off limits.
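Because Squid evaluates http_access top to bottom and stops at the first matching rule, the placement of the rules from the last three sections (the localnet ACL, the Safe_ports and SSL_ports lists, the auth_users rule and the blocked_sites deny) decides what actually happens. The following Python script is an added example, not Squid's code and not part of the original article: it reimplements the first-match semantics for a small subset of ACL types (src, port, method, dstdomain, proxy_auth) over a constructed ACL table and compares two rule orders, the one a reader who appends lines while following the article literally ends up with, and a reordered one. The client addresses, hostnames and user name are made up; the rule that proxy_auth without credentials yields a 407 challenge is simplified to the allow case used in this article.

```python
"""Added example: simulate Squid's first-match http_access evaluation."""
import ipaddress


class NeedAuth(Exception):
    """Raised when a proxy_auth ACL is reached and the request carries no credentials."""


# Constructed ACL table mirroring the tutorial's squid.conf. Assumptions: IPv4 clients
# only; blocked_sites contains both spellings to show what the leading dot changes.
ACLS = {
    "localnet":      ("src", ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]),
    "SSL_ports":     ("port", ["443"]),
    "Safe_ports":    ("port", ["80", "21", "443", "70", "210", "1025-65535",
                               "280", "488", "591", "777"]),
    "CONNECT":       ("method", ["CONNECT"]),
    "blocked_sites": ("dstdomain", ["baidu.com", ".google.com"]),
    "auth_users":    ("proxy_auth", ["REQUIRED"]),
    "all":           ("all", []),
}


def _port_match(port, spec):
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def _domain_match(host, spec):
    host = host.lower().rstrip(".")
    if spec.startswith("."):      # ".google.com" matches google.com and every subdomain
        return host == spec[1:] or host.endswith(spec)
    return host == spec           # "baidu.com" matches only that exact host


def acl_matches(name, req):
    kind, values = ACLS[name]
    if kind == "src":
        ip = ipaddress.ip_address(req["src"])
        return any(ip in ipaddress.ip_network(v) for v in values)
    if kind == "port":
        return any(_port_match(req["port"], v) for v in values)
    if kind == "method":
        return req["method"] in values
    if kind == "dstdomain":
        return any(_domain_match(req["host"], v) for v in values)
    if kind == "proxy_auth":
        if req.get("user") is None:
            raise NeedAuth()
        return True
    return kind == "all"


def http_access(rules, req):
    """Return 'allow', 'deny' or 'challenge' (a 407) for req.

    rules is a list of (action, [acl, ...]) in file order. A line matches when every
    ACL on it matches ('!' negates); the first matching line decides. When no line
    matches, Squid applies the opposite of the last line's action.
    """
    for action, terms in rules:
        try:
            if all(acl_matches(t.lstrip("!"), req) != t.startswith("!") for t in terms):
                return action
        except NeedAuth:
            return "challenge"
    if not rules:
        return "allow"
    return "deny" if rules[-1][0] == "allow" else "allow"


# Order a reader ends up with by following the article literally: the unconditional
# 'allow localnet' stays above the auth rule, and the blocked_sites deny was appended
# after 'deny all', where it is never reached.
RULES_AS_WRITTEN = [
    ("deny",  ["!Safe_ports"]),
    ("deny",  ["CONNECT", "!SSL_ports"]),
    ("allow", ["localnet"]),
    ("allow", ["auth_users"]),
    ("deny",  ["all"]),
    ("deny",  ["blocked_sites"]),
]

# Reordered: block first, require credentials from everyone, deny the rest.
RULES_FIXED = [
    ("deny",  ["!Safe_ports"]),
    ("deny",  ["CONNECT", "!SSL_ports"]),
    ("deny",  ["blocked_sites"]),
    ("allow", ["auth_users"]),
    ("deny",  ["all"]),
]

# Constructed requests: client IP, method, destination host and port, user (None = none).
REQS = {
    "lan_google":     dict(src="192.168.1.10", method="GET", host="www.google.com", port=80),
    "lan_www_baidu":  dict(src="192.168.1.10", method="GET", host="www.baidu.com", port=80),
    "lan_baidu":      dict(src="192.168.1.10", method="GET", host="baidu.com", port=80),
    "ext_https_auth": dict(src="203.0.113.5", method="CONNECT", host="www.example.com",
                           port=443, user="pxuser"),
    "ext_smtp_auth":  dict(src="203.0.113.5", method="CONNECT", host="smtp.example.com",
                           port=25, user="pxuser"),
}

if __name__ == "__main__":
    for name, req in REQS.items():
        print(f"{name:15} as written: {http_access(RULES_AS_WRITTEN, req):10}"
              f" reordered: {http_access(RULES_FIXED, req)}")
```

With the rules as written, every LAN client is allowed before the auth and blocking rules are ever consulted, so www.google.com goes through and nobody is asked for a password. With the reordered rules, www.google.com is denied by the .google.com entry, www.baidu.com is not caught by the bare baidu.com entry and instead triggers the 407 challenge, and CONNECT to port 25 is refused by the Safe_ports rule regardless of credentials.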

# Changing Squid's port

As you have probably guessed, this is a one-line change in the configuration file:

http_port 3128

Change 3128 to any unused port number on the system, then restart the service. Remember to open the new port in the firewall and to update the proxy setting on the clients.

# Conclusion

That covers installing and configuring Squid from start to finish. Go and try it yourself: however much is written about it, nothing beats hands-on practice for making it stick.

There were no roads in the world to begin with; fall into enough potholes and you learn to walk. Happy coding.