Lab environment:
1. Host 1: 192.168.182.131, the client, which accesses the squid machine.
2. Host 2: 192.168.182.129, the squid server.
3. Host 3: 192.168.182.130, the nginx machine, serving static resources on port 8080 (in real deployments this could just as well be an API service).
Host 2: build and install squid-5.0.5.tar.gz. Download from GitHub: squid download link
# Before building squid, install the C and C++ compilers (gcc and gcc-c++; there is no yum package named g++)
yum install gcc gcc-c++
useradd squid
su - squid
# Upload the squid-5.0.5.tar.gz package to the /home/squid directory.
tar -xzvf squid-5.0.5.tar.gz
cd squid-5.0.5/
./configure --prefix=/home/squid/squid
make
make install
Experiment 1: disable both the memory cache and the disk cache
After squid is installed, the default configuration file is /home/squid/squid/etc/squid.conf. By default the disk cache is not enabled, but the memory cache is. (If the memory cache is disabled, there is no caching at all, regardless of whether the disk cache is enabled.)
1. Configure in squid the nginx IP 192.168.182.130 and port 8080 that will be accessed.
# Allow plain HTTP requests to port 8080
acl Safe_ports port 8080
# Allow CONNECT (HTTPS tunnelling) to port 8080
acl SSL_ports port 8080
2. Define the access rules
# Define an access control list (ACL) named my_site that matches the destination domain or IP; the name my_site can be anything you like
acl my_site dstdomain 192.168.182.130
# Allow requests whose destination matches my_site (from any source address, since this rule is not combined with a src ACL)
http_access allow my_site
# Deny requests to every destination that does not match my_site
http_access deny !my_site
3. Disable the memory cache (decide by the system's actual needs: if real-time behaviour is required and caching is not allowed, turn off both the disk cache and the memory cache. In this example caching is turned off and every request is forwarded to the destination.)
# The default configuration already has the disk cache disabled, i.e. #cache_dir ufs /home/squid/squid/var/cache/squid 100 16 256
# The following lines disable the memory cache
cache_mem 0 MB # disable the memory cache
minimum_object_size 0 KB # do not cache any object (optional tuning)
maximum_object_size 0 KB # same as above
The complete squid configuration file is as follows:
#
# Recommended minimum configuration:
#
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 0.0.0.1-0.255.255.255 # RFC 1122 "this" network (LAN)
acl localnet src 10.0.0.0/8 # RFC 1918 local private network (LAN)
acl localnet src 100.64.0.0/10 # RFC 6598 shared address space (CGN)
acl localnet src 169.254.0.0/16 # RFC 3927 link-local (directly plugged) machines
acl localnet src 172.16.0.0/12 # RFC 1918 local private network (LAN)
acl localnet src 192.168.0.0/16 # RFC 1918 local private network (LAN)
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 8080
acl SSL_ports port 8080
#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
acl my_site dstdomain 192.168.182.130
#
http_access allow my_site
http_access deny !my_site
# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost
# And finally deny all other access to this proxy
http_access deny all
# Squid normally listens to port 3128
http_port 3128
# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /home/squid/squid/var/cache/squid 100 16 256
# Leave coredumps in the first cache dir
coredump_dir /home/squid/squid/var/cache/squid
cache_mem 0 MB # disable the memory cache
minimum_object_size 0 KB # do not cache any object (optional tuning)
maximum_object_size 0 KB # same as above
#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
# Start squid
/home/squid/squid/sbin/squid
Host 1 accesses nginx through squid; repeated requests all succeed.
curl -x 192.168.182.129:3128 http://192.168.182.130:8080
The result on host 1 is as follows:
The squid log is as follows:
The squid log keeps reporting TCP_MISS/200 501 GET http://192.168.182.130:8080/ - HIER_DIRECT/192.168.182.130 text/html, meaning squid's cache is not used and the request is forwarded directly to the nginx machine.
After stopping the nginx process, accessing squid again returns an error, confirming that squid has no cache.
Stop the nginx process:
Host 1's access to squid fails.
Squid log: it returns 503
Experiment 2: enable the memory cache but disable the disk cache
Adjust the squid configuration file by removing the following memory-cache-disabling parameters, so the memory cache is enabled by default.
cache_mem 0 MB # disable the memory cache
minimum_object_size 0 KB # do not cache any object (optional tuning)
maximum_object_size 0 KB # same as above
After removing the memory-cache-disabling parameters, the complete squid configuration file is as follows:
#
# Recommended minimum configuration:
#
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 0.0.0.1-0.255.255.255 # RFC 1122 "this" network (LAN)
acl localnet src 10.0.0.0/8 # RFC 1918 local private network (LAN)
acl localnet src 100.64.0.0/10 # RFC 6598 shared address space (CGN)
acl localnet src 169.254.0.0/16 # RFC 3927 link-local (directly plugged) machines
acl localnet src 172.16.0.0/12 # RFC 1918 local private network (LAN)
acl localnet src 192.168.0.0/16 # RFC 1918 local private network (LAN)
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 8080
acl SSL_ports port 8080
#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
acl my_site dstdomain 192.168.182.130
#
http_access allow my_site
http_access deny !my_site
# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost
# And finally deny all other access to this proxy
http_access deny all
# Squid normally listens to port 3128
http_port 3128
# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /home/squid/squid/var/cache/squid 100 16 256
# Leave coredumps in the first cache dir
coredump_dir /home/squid/squid/var/cache/squid
#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
Reload the squid configuration file and start the nginx process.
# Check whether the squid configuration is syntactically correct
/home/squid/squid/sbin/squid -k parse
# Reload the squid configuration file
/home/squid/squid/sbin/squid -k reconfigure
# Start nginx
/home/nginx/nginx/sbin/nginx
Host 1 accesses squid several times; every request returns a normal result.
Host 1:
Squid machine: the log shows TCP_MEM_HIT/200, meaning the memory cache was hit and the result is returned directly, without forwarding the request to the nginx machine.
Stop the nginx process; host 1 can still access squid and get the result. This confirms that squid has the memory cache enabled.
Experiment 3: enabling and disabling forwarding of the client's real IP address
Sometimes the client's IP address is private information and the server must not learn it; the server may only see squid's address. The squid configuration enables the X-Forwarded-For field by default, so the request header passed to the backend server carries this field, and the backend can read the client's real IP from it.
I. Enable forwarding of the client's real IP address: squid forwards the client's real IP by default; you can also set forwarded_for on explicitly in the squid configuration file. In nginx, define a log format that reads the X-Forwarded-For request header through the $http_x_forwarded_for variable. ($http_x_forwarded_for is all lowercase and corresponds to the X-Forwarded-For request header, with underscores in place of hyphens.) The nginx configuration file is as follows:
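To verify experiments 1 and 2 from squid's access.log rather than by eye, here is an added example (not from the original post) that parses squid's native log format and reports, per URL, how many requests were TCP_MISS versus *_HIT and how often squid actually fetched from nginx. The log lines inside it are constructed to mirror the entries described above.

```python
"""Summarise Squid native access.log lines to confirm whether caching is in effect.
Native format: time elapsed client code/status bytes method URL ident hier/peer type."""
from collections import Counter

# Constructed sample, mirroring the two experiments: TCP_MISS with cache_mem 0,
# TCP_MEM_HIT after the memory cache is re-enabled, and a 503 while nginx is down.
SAMPLE_LOG = """\
1700000001.101 4 192.168.182.131 TCP_MISS/200 501 GET http://192.168.182.130:8080/ - HIER_DIRECT/192.168.182.130 text/html
1700000002.202 3 192.168.182.131 TCP_MISS/200 501 GET http://192.168.182.130:8080/ - HIER_DIRECT/192.168.182.130 text/html
1700000003.303 0 192.168.182.131 TCP_MEM_HIT/200 509 GET http://192.168.182.130:8080/ - HIER_NONE/- text/html
1700000004.404 0 192.168.182.131 TCP_MEM_HIT/200 509 GET http://192.168.182.130:8080/ - HIER_NONE/- text/html
1700000005.505 2 192.168.182.131 TCP_MISS/503 3985 GET http://192.168.182.130:8080/ - HIER_DIRECT/192.168.182.130 text/html
"""


def parse_line(line):
    """Split one native-format line into a dict; None for malformed lines."""
    parts = line.split()
    if len(parts) < 10:
        return None
    code, _, status = parts[3].partition("/")
    hier, _, peer = parts[8].partition("/")
    return {"client": parts[2], "code": code, "status": int(status),
            "url": parts[6], "hier": hier, "peer": peer}


def summarize(log_text):
    """Per URL: count of each result code and how often squid went to the origin."""
    per_url = {}
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        entry = per_url.setdefault(rec["url"], {"codes": Counter(), "origin_fetches": 0})
        entry["codes"][rec["code"]] += 1
        if rec["hier"] == "HIER_DIRECT":  # squid contacted the backend (nginx) itself
            entry["origin_fetches"] += 1
    return per_url


def cache_in_effect(log_text):
    """True if any request was answered from squid's memory or disk cache."""
    return any(rec["code"].endswith("_HIT")
               for rec in filter(None, map(parse_line, log_text.splitlines())))


if __name__ == "__main__":
    for url, entry in summarize(SAMPLE_LOG).items():
        print(url, dict(entry["codes"]), "origin fetches:", entry["origin_fetches"])
    print("cache in effect:", cache_in_effect(SAMPLE_LOG))
```

Run it against the real file with `summarize(open("/home/squid/squid/var/logs/access.log").read())`; with cache_mem 0 every line should stay TCP_MISS and origin fetches should equal the request count.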
#user  nobody;
worker_processes  1;
#error_log  logs/error.log;
#error_log  logs/error.log  notice;
#error_log  logs/error.log  info;
#pid        logs/nginx.pid;
events {
    worker_connections  1024;
}
http {
    include       mime.types;
    default_type  application/octet-stream;
    # Log format: the $http_x_forwarded_for variable holds the X-Forwarded-For request header,
    # i.e. the real client IP as passed on by squid
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';
    access_log  logs/access.log  main;
    sendfile        on;
    #tcp_nopush     on;
    #keepalive_timeout  0;
    keepalive_timeout  65;
    #gzip  on;
    server {
        listen       8080;
        server_name  localhost;
        #charset koi8-r;
        #access_log  logs/host.access.log  main;
        location / {
            root   html;
            index  index.html index.htm;
        }
        #error_page  404              /404.html;
        # redirect server error pages to the static page /50x.html
        #
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   html;
        }
        # proxy the PHP scripts to Apache listening on 127.0.0.1:80
        #
        #location ~ \.php$ {
        #    proxy_pass   http://127.0.0.1;
        #}
        # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
        #
        #location ~ \.php$ {
        #    root           html;
        #    fastcgi_pass   127.0.0.1:9000;
        #    fastcgi_index  index.php;
        #    fastcgi_param  SCRIPT_FILENAME  /scripts$fastcgi_script_name;
        #    include        fastcgi_params;
        #}
        # deny access to .htaccess files, if Apache's document root
        # concurs with nginx's one
        #
        #location ~ /\.ht {
        #    deny  all;
        #}
    }
    # another virtual host using mix of IP-, name-, and port-based configuration
    #
    #server {
    #    listen       8000;
    #    listen       somename:8080;
    #    server_name  somename  alias  another.alias;
    #    location / {
    #        root   html;
    #        index  index.html index.htm;
    #    }
    #}
    # HTTPS server
    #
    #server {
    #    listen       443 ssl;
    #    server_name  localhost;
    #    ssl_certificate      cert.pem;
    #    ssl_certificate_key  cert.key;
    #    ssl_session_cache    shared:SSL:1m;
    #    ssl_session_timeout  5m;
    #    ssl_ciphers  HIGH:!aNULL:!MD5;
    #    ssl_prefer_server_ciphers  on;
    #    location / {
    #        root   html;
    #        index  index.html index.htm;
    #    }
    #}
}
# Reload the nginx configuration file
/home/nginx/nginx/sbin/nginx -s reload
Host 1 accesses nginx through squid; the nginx log then shows the real client IP, i.e. host 1's address. The results are as follows:
Host 1's result:
nginx log: the nginx log shows host 1's client IP, confirming that forwarded_for on is the default setting.
II. Disable forwarding of the client IP
Set
forwarded_for off
The squid configuration file is as follows:
#
# Recommended minimum configuration:
#
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 0.0.0.1-0.255.255.255 # RFC 1122 "this" network (LAN)
acl localnet src 10.0.0.0/8 # RFC 1918 local private network (LAN)
acl localnet src 100.64.0.0/10 # RFC 6598 shared address space (CGN)
acl localnet src 169.254.0.0/16 # RFC 3927 link-local (directly plugged) machines
acl localnet src 172.16.0.0/12 # RFC 1918 local private network (LAN)
acl localnet src 192.168.0.0/16 # RFC 1918 local private network (LAN)
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 8080
acl SSL_ports port 8080
# Do not forward the client's IP address
forwarded_for off
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
acl my_site dstdomain 192.168.182.130
#
http_access allow my_site
http_access deny !my_site
# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost
# And finally deny all other access to this proxy
http_access deny all
# Squid normally listens to port 3128
http_port 3128
# Uncomment and adjust the following to add a disk cache directory.
cache_dir ufs /home/squid/squid/var/cache/squid 100 16 256
# Leave coredumps in the first cache dir
coredump_dir /home/squid/squid/var/cache/squid
#
cache_mem 0 MB # disable the memory cache
minimum_object_size 0 KB # do not cache any object (optional tuning)
maximum_object_size 0 KB # same as above
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
Reload squid
/home/squid/squid/sbin/squid -k parse
/home/squid/squid/sbin/squid -k reconfigure
Host 1 accesses nginx through squid again; the nginx log now does not record host 1's IP, showing that squid did not forward the client's IP address and that the forwarded_for off parameter took effect.
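Added example (not from the original post): a small checker for the nginx `main` log format used above that reports which client address, if any, the backend can rely on under forwarded_for on versus forwarded_for off. It assumes squid's address 192.168.182.129 is the only trusted proxy hop; the sample log lines are constructed.

```python
"""Check what a backend behind Squid actually sees in the X-Forwarded-For header.
Parses nginx lines written by the `main` log_format used in the experiment."""
import re

# nginx `main` format: $remote_addr - $remote_user [$time_local] "$request"
#   $status $body_bytes_sent "$http_referer" "$http_user_agent" "$http_x_forwarded_for"
MAIN_RE = re.compile(
    r'^(?P<remote_addr>\S+) - (?P<user>\S+) \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)" "(?P<xff>[^"]*)"$')

SQUID_ADDR = "192.168.182.129"  # the only proxy hop this backend trusts (the lab's squid host)

# Constructed sample: forwarded_for on; forwarded_for off (squid writes "unknown");
# and a request where the client sent its own X-Forwarded-For before squid appended to it.
SAMPLE_LOG = """\
192.168.182.129 - - [01/Jan/2024:10:00:00 +0800] "GET / HTTP/1.1" 200 615 "-" "curl/7.61.1" "192.168.182.131"
192.168.182.129 - - [01/Jan/2024:10:01:00 +0800] "GET / HTTP/1.1" 200 615 "-" "curl/7.61.1" "unknown"
192.168.182.129 - - [01/Jan/2024:10:02:00 +0800] "GET / HTTP/1.1" 200 615 "-" "curl/7.61.1" "1.2.3.4, 192.168.182.131"
"""


def parse_line(line):
    """Match one `main`-format line; None if it does not parse."""
    m = MAIN_RE.match(line)
    return m.groupdict() if m else None


def client_ip(rec):
    """Client address the backend may rely on, or None when squid hid it.
    With forwarded_for on squid appends the connecting client to any X-Forwarded-For it
    received, so only the last element comes from a trusted hop; with forwarded_for off
    the appended value is the literal string "unknown"."""
    if rec["remote_addr"] != SQUID_ADDR:
        return rec["remote_addr"]  # direct connection, no trusted proxy in between
    hops = [h.strip() for h in rec["xff"].split(",") if h.strip()]
    if not hops or hops[-1] in ("-", "unknown"):
        return None
    return hops[-1]


def audit(log_text):
    """Map each line's $time_local to the usable client address (None = hidden)."""
    return {rec["time"]: client_ip(rec)
            for rec in filter(None, map(parse_line, log_text.splitlines()))}


if __name__ == "__main__":
    for when, ip in audit(SAMPLE_LOG).items():
        print(when, "->", ip or "client IP hidden by squid")
```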