
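Notes on Using a Linux Transparent Proxy

Date: 2006-03-28  Source: wenzk

For certain reasons, users' web access has to be logged, so Squid is used to record access on port 80. Squid also provides caching.

First, some points about compiling Squid, such as the ulimit settings, are omitted here.
Modify the startup script so that it sets the ulimit parameters before Squid starts.

Changes to squid.conf: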
===========================================
--- squid.conf.default  2006-03-28 08:43:48.000000000 +0800
+++ squid.conf  2006-03-28 18:09:49.000000000 +0800
@@ -51,6 +51,7 @@
 # 这里不能只监听127.0.0.1:3128
 #Default:
 # http_port 3128
+http_port 3128

 #  TAG: https_port
 #        Usage:  [ip:]port cert=certificate.pem [key=key.pem] [options...]
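Review bot: the added `http_port 3128` binds the proxy on every address of the host, not only the internal side. The context comment says it must not listen only on 127.0.0.1:3128, which is right for REDIRECT, but `http_port` also accepts an address:port value, so it could be bound to the address of the internal interface and not depend on the INPUT rule alone for reachability.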
@@ -107,6 +108,7 @@
 #
 #Default:
 # icp_port 3130
+icp_port 0

 #  TAG: htcp_port
 # Note: This option is only available if Squid is rebuilt with the
@@ -479,6 +481,7 @@
 #
 #Default:
 # cache_mem 8 MB
+cache_mem 128 MB

 #  TAG: cache_swap_low (percent, 0-100)
 #  TAG: cache_swap_high        (percent, 0-100)
@@ -529,6 +532,7 @@
 #
 #Default:
 # maximum_object_size_in_memory 8 KB
+maximum_object_size_in_memory 20 KB

 #  TAG: ipcache_size   (number of entries)
 #  TAG: ipcache_low    (percent)
@@ -693,7 +697,7 @@
 #      (hard coded at 1 MB).
 #
 #Default:
-# cache_dir ufs /var/spool/squid 100 16 256
+cache_dir ufs /var/spool/squid 256 16 256

 #  TAG: cache_access_log
 #      Logs the client request activity.  Contains an entry for
@@ -709,6 +713,7 @@
 #
 #Default:
 # cache_log /var/log/squid/cache.log
+cache_log /dev/null

 #  TAG: cache_store_log
 #      Logs the activities of the storage manager.  Shows which
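Review bot: `cache_log /dev/null` discards Squid's own diagnostic output (startup errors, warnings), which is what you need when the interception stops working or when the access records are later questioned. Keep the default path from the commented line above it and rotate the file instead.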
@@ -719,6 +724,7 @@
 #
 #Default:
 # cache_store_log /var/log/squid/store.log
+cache_store_log none

 #  TAG: cache_swap_log
 #      Location for the cache "swap.state" file. This log file holds
@@ -856,6 +862,7 @@
 #
 #Default:
 # ftp_user Squid@
+ftp_user [email protected]

 #  TAG: ftp_list_width
 #      Sets the width of ftp listings. This should be set to fit in
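Review bot: the added `ftp_user` value reads `[email protected]`, which is a masked address and not a valid setting as shown. Put a real user@domain value here, or leave the line out and keep the `Squid@` default.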
@@ -1942,8 +1949,8 @@
 # Example rule allowing access from your local networks. Adapt
 # to list your (internal) IP networks from where browsing should
 # be allowed
-#acl our_networks src 192.168.1.0/24 192.168.2.0/24
-#http_access allow our_networks
+acl our_networks src 10.0.0.0/8
+http_access allow our_networks

 # And finally deny all other access to this proxy
 http_access allow localhost
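Review bot: `acl our_networks src 10.0.0.0/8` allows the whole 10/8 range, far wider than the commented two-/24 example it replaces; list only the subnets that actually sit behind the internal interface. The context ends at `http_access allow localhost`, so also confirm that an `http_access deny all` line still follows it, as the "finally deny all other access" comment implies.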
@@ -2290,6 +2297,8 @@
 # 看看注释,这个是必须打开的
 #Default:
 # httpd_accel_port 80
+httpd_accel_host virtual
+httpd_accel_port 80

 #  TAG: httpd_accel_single_host        on|off
 #      If you are running Squid as an accelerator and have a single backend
@@ -2308,6 +2317,7 @@
 #
 #Default:
 # httpd_accel_single_host off
+httpd_accel_single_host off

 #  TAG: httpd_accel_with_proxy on|off
 #      If you want to use Squid as both a local httpd accelerator
@@ -2319,6 +2329,7 @@
 #
 #Default:
 # httpd_accel_with_proxy off
+httpd_accel_with_proxy off

 #  TAG: httpd_accel_uses_host_header   on|off
 #      HTTP/1.1 requests include a Host: header which is basically the
@@ -2339,6 +2350,7 @@
 # 这个也是必须打开的
 #Default:
 # httpd_accel_uses_host_header off
+httpd_accel_uses_host_header on

 #  TAG: httpd_accel_no_pmtu_disc       on|off
 #      In many setups of transparently intercepting proxies Path-MTU
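Review bot: `httpd_accel_uses_host_header on` makes Squid take the destination from the client-supplied Host: header, and the comment in this hunk only says that it is required. Squid does not check that header against the address the client actually connected to, so a client inside `our_networks` can cause content to be cached under another site's name; state that dependency on the `http_access` rules in the comment.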
@@ -2491,6 +2503,7 @@
 # 为了不让某些网站知道某些用户使用代理访问,所以关闭
 #Default:
 # forwarded_for on
+forwarded_for off

 #  TAG: log_icp_queries        on|off
 #      If set, ICP queries are logged to access.log. You may wish
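Review bot: `forwarded_for off` does not remove the header; Squid then sends `X-Forwarded-For: unknown`, and the Via header is still added, so the goal stated in the comment (sites not knowing that users come through a proxy) is only partly met. Say in the comment that this hides the client's internal address, which is the effect it actually has.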
==================================================================

iptables configuration:

iptables -t nat -A PREROUTING -s 10.0.0.0/8 -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
iptables -A INPUT -s 10.0.0.0/8 -i eth1 -p tcp -m tcp --dport 3128 -j ACCEPT

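Note the rule in the INPUT chain: after REDIRECT, the packets are delivered locally to port 3128, so the INPUT chain has to accept them.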
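The pairing between the REDIRECT rule and the INPUT rule can be checked mechanically. The script below is an added example, not part of the original article; the function names `page_rules` and `check_redirect_input` are hypothetical, and it assumes the INPUT chain drops whatever no rule accepts.

```shell
#!/bin/sh
# Added example: pair each nat REDIRECT port with an INPUT ACCEPT rule.
# Assumption: the filter INPUT chain drops traffic that no rule accepts.

# The two rules from this page, used as sample input.
page_rules() {
    cat <<'EOF'
iptables -t nat -A PREROUTING -s 10.0.0.0/8 -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
iptables -A INPUT -s 10.0.0.0/8 -i eth1 -p tcp -m tcp --dport 3128 -j ACCEPT
EOF
}

# Reads iptables commands or iptables-save lines on stdin and prints, for each
# redirected port: OK, MISSING_INPUT or UNRESTRICTED_INPUT followed by the port.
check_redirect_input() {
    awk '
    # Value that follows option "opt" in the current rule, or "" if absent.
    function optval(opt,   i) {
        for (i = 1; i < NF; i++) if ($i == opt) return $(i + 1)
        return ""
    }
    { chain = optval("-A"); target = optval("-j") }
    chain == "PREROUTING" && target == "REDIRECT" {
        p = optval("--to-ports")
        if (p != "") redirect[p] = 1
    }
    chain == "INPUT" && target == "ACCEPT" {
        p = optval("--dport")
        if (p == "") next
        accept[p] = 1
        # No -s and no -i: the proxy port is reachable from every network.
        if (optval("-s") == "" && optval("-i") == "") wide[p] = 1
    }
    END {
        for (p in redirect) {
            if (!(p in accept)) print "MISSING_INPUT " p
            else if (p in wide) print "UNRESTRICTED_INPUT " p
            else print "OK " p
        }
    }'
}

page_rules | check_redirect_input
```

On a live host, feed it the output of `iptables-save` in place of `page_rules`.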