博客

1. 服务器配置

2. Squid 服务器配置

(1) 修改 Squid 配置文件


squid 安装参考：


https://blog.csdn.net/shenyuanhaojie/article/details/121123525

vim /etc/squid.conf

# And finally deny all other access to this proxy
http_access allow all
http_access deny all

# Squid normally listens to port 3128
http_port 3128
cache_effective_user squid
cache_effective_group squid
#63行插入
cache_mem 64 MB
#指定缓存功能所使用的内存空间大小，便于保持访问较频繁的WEB对象，容量最好为4的倍数，单位为MB，建议设为物理内存的1/4
reply_body_max_size 10 MB
#允许用户下载的最大文件大小，默认以字节为单位，当下载超过指定大小的Web对象时，浏览器的报错页面中会出现“请求或访问太大”的提示默认设置0表示不进行限制
maximum_object_size 4096 KB
#允许保存到缓存空间的最大对象大小，以KB为单位，超过大小限制的文件将不被缓存，而是直接转发给用户


常用的配置选项


http_port 3128                              #监听端口 (还可以只监听一个IP http_port 192.168.0.1:3128)
cache_mem 64MB                              #缓存占内存大小
maximum_object_size 4096KB                  #最大缓存块
reply_body_max_size  1024000 allow all      #限定下载文件大小
access_log /var/log/squid/access.log        #访问日志存放的地方
visible_hostname    proxy.test.xom          #可见的主机名
cache_dir ufs /var/spool/squid  100 16 256 
\#ufs:缓存数据的存储格式
\#/var/spool/squid    缓存目录
\#100：缓存目录占磁盘空间大小（M）
\#16：缓存空间一级子目录个数
\#256：缓存空间二级子目录个数
cache_mgr webmaster@test.com                #定义管理员邮箱
http_access deny all                        #访问控制


重启服务


systemctl restart squid

(2) 修改防火墙规则

#清空原防火墙规则
iptables -F

#不指定表将默认配置filter表，设置INPUT链规则，指定协议为tcp，指定端口3128，目标动作为ACCEPT接受
iptables -I INPUT -p tcp --dport 3128 -j ACCEPT

3. Web 服务器配置

systemctl stop firewalld.service
setenforce 0
yum -y install httpd
systemctl start httpd && systemctl enable httpd
netstat -natp | grep 80

4. 客户端配置（添加代理）

win7

• 打开浏览器
• 工具
• Internet 选项
• 连接
• 局域网设置
• 开启代理服务器
• 输入地址：Squid 服务器的 IP 地址（端口 3128）

win10

• 打开浏览器
• 设置
• 系统
• 打开计算机的代理设置
  
  
• 手动设置代理
• 输入 Squid 服务器的 IP 地址:端口（192.168.10.20:3128)
  
  
• 访问测试，访问 web 服务器 IP

5. 查看 Squid 访问日志的新增记录

[root@squid_server ~]#tail -f /usr/local/squid/var/logs/access.log
1635941054.668      0 192.168.10.85 TCP_MISS/404 479 GET http://192.168.10.30/noindex/css/fonts/Light/OpenSans-Light.ttf - HIER_DIRECT/192.168.10.30 text/html
1635941054.682      1 192.168.10.85 TCP_MISS/404 448 GET http://192.168.10.30/favicon.ico - HIER_DIRECT/192.168.10.30 text/html
1635941054.861    573 192.168.10.85 TCP_TUNNEL/200 10451 CONNECT nav.smartscreen.microsoft.com:443 - HIER_DIRECT/13.67.52.249 -
1635941055.406    530 192.168.10.85 TCP_TUNNEL/200 13204 CONNECT smartscreen-prod.microsoft.com:443 - HIER_DIRECT/13.67.52.249 -
1635941076.365 120455 192.168.10.85 TCP_TUNNEL/200 16575 CONNECT img-operation.csdnimg.cn:443 - HIER_DIRECT/27.221.119.230 -
1635941084.927 125423 192.168.10.85 TCP_TUNNEL/200 77330 CONNECT edge.microsoft.com:443 - HIER_DIRECT/204.79.197.219 -
1635941088.210 128772 192.168.10.85 TCP_TUNNEL/200 6561 CONNECT edge.microsoft.com:443 - HIER_DIRECT/204.79.197.219 -
1635941136.325 180278 192.168.10.85 TCP_TUNNEL/200 4795 CONNECT bizapi.csdn.net:443 - HIER_DIRECT/39.97.4.86 -
1635941177.583 138594 192.168.10.85 TCP_TUNNEL/200 26684 CONNECT www.bing.com:443 - HIER_DIRECT/202.89.233.101 -
1635941178.794 139538 192.168.10.85 TCP_TUNNEL/200 24404 CONNECT cn.bing.com:443 - HIER_DIRECT/202.89.233.100 -


可在 windows 浏览器多刷新几次动态查看


如果显示 TCP_MISS 表示 Squid 没有请求资源的 cache 拷贝。HIER_DIRECT 将请求转发至 web 服务器。

如果显示 TCP_REFRESH_UNMODIFIED 表示 Squid 发现请求资源的貌似陈旧的拷贝，并发送确认请求到原始服务器。原始服务器响应新的内容，指示这个 cache 拷贝确实是陈旧的。因此 HIER_DIRECT 将请求转发至 web 服务器。

访问图片 TCP_MEM_HIT 表示 Squid 在内存 cache 里发现请求资源的有效拷贝，并将其立即发送到客户端。注意这点并非精确的呈现了所有从内存服务的响应。因此后面 HIER_NONE/- 将不再转发到 web 服务器。

6. 查看 Web 访问日志的新增记录

[root@web_server ~]#tail -f /var/log/httpd/access_log
192.168.10.20 - - [03/Nov/2021:20:08:01 +0800] "GET / HTTP/1.1" 403 4897 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36 Edg/94.0.992.50"
192.168.10.20 - - [03/Nov/2021:20:08:01 +0800] "GET /noindex/css/fonts/Light/OpenSans-Light.woff HTTP/1.1" 404 241 "http://192.168.10.30/noindex/css/open-sans.css" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36 Edg/94.0.992.50"
192.168.10.20 - - [03/Nov/2021:20:08:01 +0800] "GET /noindex/css/fonts/Bold/OpenSans-Bold.woff HTTP/1.1" 404 239 "http://192.168.10.30/noindex/css/open-sans.css" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36 Edg/94.0.992.50"

可以看到访问记录来自于 squid 代理服务器，web 服务端无法得知客户的真实 IP。


关闭代理再次查看访问日志（windows 设置里关闭手动代理）


[root@web_server ~]#tail -f /var/log/httpd/access_log
192.168.10.85 - - [03/Nov/2021:20:23:00 +0800] "GET / HTTP/1.1" 403 4897 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36 Edg/94.0.992.50"
192.168.10.85 - - [03/Nov/2021:20:23:00 +0800] "GET /noindex/css/fonts/Bold/OpenSans-Bold.woff HTTP/1.1" 404 239 "http://192.168.10.30/noindex/css/open-sans.css" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36 Edg/94.0.992.50"
192.168.10.85 - - [03/Nov/2021:20:23:00 +0800] "GET /noindex/css/fonts/Light/OpenSans-Light.woff HTTP/1.1" 404 241 "http://192.168.10.30/noindex/css/open-sans.css" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36 Edg/94.0.992.50"

可以看到访问记录来自于客户端本身。

1. 服务器配置

2. Squid 服务器部署

2.1 修改 Squid 配置文件

[root@squid_server ~]# vim /etc/squid.conf

# And finally deny all other access to this proxy
http_access allow all
http_access deny all

# Squid normally listens to port 3128
##60行，修改，添加提供内网服务的网卡IP地址，和支持透明代理选项transparent
http_port 192.168.10.20:3128 transparent
cache_effective_user squid
cache_effective_group squid
cache_mem 64 MB
reply_body_max_size 10 MB
maximum_object_size 4096 KB

[root@squid_server ~]# systemctl restart squid

2.2 开启路由转发，实现本机中不同网段的地址转发

[root@squid_server ~]#echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
[root@squid_server ~]#sysctl -p
net.ipv4.ip_forward = 1

2.3 修改防火墙规则

[root@squid_server ~]#iptables -F
[root@squid_server ~]#iptables -t nat -F
[root@squid_server ~]#iptables -t nat -I PREROUTING -i ens33 -s 192.168.10.0/24 -p tcp --dport 80 -j REDIRECT --to 3128
#用于转发 http 协议，将访问端口重定向到 3128
[root@squid_server ~]#iptables -t nat -I PREROUTING -i ens33 -s 192.168.10.0/24 -p tcp --dport 443 -j REDIRECT --to 3128
#用于转发 https 协议，将访问端口重定向到 3128
[root@squid_server ~]#iptables -I INPUT -p tcp --dport 3128 -j ACCEPT
#定义防火墙入站规则，允许 3128 的连接请求

3. 客户端访问测试


客户端 192.168.10.85 访问 web 服务器 10.0.0.200


• 关闭手动代理
• 网关指向 squid 代理 ens33 IP
  
  

查看 Squid 访问日志的新增记录（192.168.10.20）


在客户端多刷新几次页面，查看访问情况


[root@squid_server ~]#tail -f /usr/local/squid/var/logs/access.log
1635941728.519  31737 192.168.10.85 TCP_TUNNEL/200 6844 CONNECT cp601.prod.do.dsp.mp.microsoft.com:443 - HIER_DIRECT/184.29.187.90 -
1635941729.950  28933 192.168.10.85 TCP_TUNNEL/200 6842 CONNECT cp601.prod.do.dsp.mp.microsoft.com:443 - HIER_DIRECT/184.29.187.90 -
1635941766.747  69937 192.168.10.85 TCP_TUNNEL/200 6591 CONNECT disc601.prod.do.dsp.mp.microsoft.com:443 - HIER_DIRECT/184.29.187.90 -
1635941822.746 133072 192.168.10.85 TCP_TUNNEL/200 6617 CONNECT geover.prod.do.dsp.mp.microsoft.com:443 - HIER_DIRECT/104.85.33.217 -
1635941886.914   1612 192.168.10.85 TCP_TUNNEL/200 4900 CONNECT v10.events.data.microsoft.com:443 - HIER_DIRECT/20.42.73.25 -
1635941897.422    476 192.168.10.85 TCP_TUNNEL/200 3968 CONNECT settings-win.data.microsoft.com:443 - HIER_DIRECT/40.119.249.228 -
1635941899.775    446 192.168.10.85 TCP_TUNNEL/200 4017 CONNECT settings-win.data.microsoft.com:443 - HIER_DIRECT/40.119.249.228 -
1635941912.755  11406 192.168.10.85 TCP_TUNNEL/200 4901 CONNECT v10.events.data.microsoft.com:443 - HIER_DIRECT/20.42.73.25 -
1635944385.775      0 192.168.10.20 TCP_MISS/403 4076 GET http://www.msftconnecttest.com/connecttest.txt - HIER_NONE/- text/html
1635944385.775     49 192.168.10.85 TCP_MISS/403 4137 GET http://www.msftconnecttest.com/connecttest.txt - ORIGINAL_DST/192.168.10.20 text/html
1635944910.531      3 192.168.10.85 TCP_MISS/403 5244 GET http://10.0.0.200/ - ORIGINAL_DST/10.0.0.200 text/html
1635944910.611      2 192.168.10.85 TCP_MISS/200 5405 GET http://10.0.0.200/noindex/css/open-sans.css - ORIGINAL_DST/10.0.0.200 text/css
1635944910.611      3 192.168.10.85 TCP_MISS/200 19666 GET http://10.0.0.200/noindex/css/bootstrap.min.css - ORIGINAL_DST/10.0.0.200 text/css
1635944910.649      1 192.168.10.85 TCP_MISS/200 4280 GET http://10.0.0.200/images/poweredby.png - ORIGINAL_DST/10.0.0.200 image/png
1635944910.649      1 192.168.10.85 TCP_MISS/200 2650 GET http://10.0.0.200/images/apache_pb.gif - ORIGINAL_DST/10.0.0.200 image/gif
1635944910.729      0 192.168.10.85 TCP_MISS/404 494 GET http://10.0.0.200/noindex/css/fonts/Bold/OpenSans-Bold.woff - ORIGINAL_DST/10.0.0.200 text/html
1635944910.730      0 192.168.10.85 TCP_MISS/404 496 GET http://10.0.0.200/noindex/css/fonts/Light/OpenSans-Light.woff - ORIGINAL_DST/10.0.0.200 text/html
1635944910.854      0 192.168.10.85 TCP_MISS/404 495 GET http://10.0.0.200/noindex/css/fonts/Light/OpenSans-Light.ttf - ORIGINAL_DST/10.0.0.200 text/html
1635944910.854      1 192.168.10.85 TCP_MISS/404 493 GET http://10.0.0.200/noindex/css/fonts/Bold/OpenSans-Bold.ttf - ORIGINAL_DST/10.0.0.200 text/html
1635944910.879      1 192.168.10.85 TCP_MISS/404 464 GET http://10.0.0.200/favicon.ico - ORIGINAL_DST/10.0.0.200 text/html


可以看到前面几次的访问较慢，后面速度较快，因为后面访问直接返回的 squid 服务器中的缓存数据，客户端的响应速度得到了很大的提升。


查看 Web 访问日志的新增记录（10.0.0.200）

[root@web_server ~]#tail -f /var/log/httpd/access_log
10.0.0.100 - - [03/Nov/2021:21:08:33 +0800] "GET / HTTP/1.1" 403 4897 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36 Edg/95.0.1020.40"
10.0.0.100 - - [03/Nov/2021:21:08:33 +0800] "GET /noindex/css/fonts/Light/OpenSans-Light.woff HTTP/1.1" 404 241 "http://10.0.0.200/noindex/css/open-sans.css" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36 Edg/95.0.1020.40"
10.0.0.100 - - [03/Nov/2021:21:08:33 +0800] "GET /noindex/css/fonts/Bold/OpenSans-Bold.woff HTTP/1.1" 404 239 "http://10.0.0.200/noindex/css/open-sans.css" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36 Edg/95.0.1020.40"
10.0.0.100 - - [03/Nov/2021:21:08:33 +0800] "GET /noindex/css/fonts/Bold/OpenSans-Bold.ttf HTTP/1.1" 404 238 "http://10.0.0.200/noindex/css/open-sans.css" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36 Edg/95.0.1020.40"
10.0.0.100 - - [03/Nov/2021:21:08:33 +0800] "GET /noindex/css/fonts/Light/OpenSans-Light.ttf HTTP/1.1" 404 240 "http://10.0.0.200/noindex/css/open-sans.css" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36 Edg/95.0.1020.40"
10.0.0.100 - - [03/Nov/2021:21:08:33 +0800] "GET / HTTP/1.1" 403 4897 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36 Edg/95.0.1020.40"
10.0.0.100 - - [03/Nov/2021:21:08:33 +0800] "GET /noindex/css/fonts/Light/OpenSans-Light.woff HTTP/1.1" 404 241 "http://10.0.0.200/noindex/css/open-sans.css" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36 Edg/95.0.1020.40"
10.0.0.100 - - [03/Nov/2021:21:08:33 +0800] "GET /noindex/css/fonts/Bold/OpenSans-Bold.woff HTTP/1.1" 404 239 "http://10.0.0.200/noindex/css/open-sans.css" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36 Edg/95.0.1020.40"
10.0.0.100 - - [03/Nov/2021:21:08:33 +0800] "GET /noindex/css/fonts/Light/OpenSans-Light.ttf HTTP/1.1" 404 240 "http://10.0.0.200/noindex/css/open-sans.css" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36 Edg/95.0.1020.40"
10.0.0.100 - - [03/Nov/2021:21:08:33 +0800] "GET /noindex/css/fonts/Bold/OpenSans-Bold.ttf HTTP/1.1" 404 238 "http://10.0.0.200/noindex/css/open-sans.css" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36 Edg/95.0.1020.40"


访问记录来自于 squid 代理服务器的外网卡，代理服务器的外网口代替客户机在访问，使得 web 服务端无法得知客户的真实 IP。