红色的部分是手工输入的命令,绿色的是文件的配置.
2.安装Linux系统，选择自定义安装，选择开发工具包和Web Server服务，去掉squid，安装时把SELinux设置为Disabled。（这样做会关闭SELinux的强制访问控制；若条件允许，可改为Permissive模式并根据拒绝日志调整策略。）
你也可以不做以下的步骤，直接用我提供的脚本完成以下的一些配置：把setup.tar.bz2拷贝到
/root目录下,然后用
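# Fixed: the page shows an en dash (–) before jxvf, which tar rejects as an
# unknown option; it must be an ASCII hyphen. The steps are chained so the
# setup script is not run if the archive failed to unpack. ./setup runs as
# root and is not shown on this page — read it before running it.
tar -jxvf setup.tar.bz2 \
  && cd ./setup \
  && sh ./setup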
这三个命令就可以完成下面的配置了。安装完毕后系统会重新启动，启动后进入系统，配置ipmacfile文件(ip与mac地址绑定文件)并初始化你的用户和密码(具体请看服务器使用说明)
2.下载源代码并解压
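# Fetch and unpack the Squid source. The download is plain http and the page
# performs no integrity check: compare the tarball against the signature or
# checksum the Squid project publishes for the release before unpacking it.
# Note that the 2.5 branch is long unsupported; prefer a current release on a
# new deployment. Chained with && so tar is not run on a failed download
# (the original ran each step regardless of the previous one).
cd /usr/src \
  && wget -c http://www.squid-cache.org/Versions/v2/2.5/squid-2.5.STABLE14.tar.gz \
  && tar -zxvf squid-2.5.STABLE14.tar.gz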
3.安装Squid Proxy Server
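# Configure, build and install Squid (as root, like the rest of the page).
# Flags that the squid.conf in step 4 depends on:
#   --enable-basic-auth-helpers="NCSA"  builds libexec/ncsa_auth used by auth_param
#   --enable-arp-acl                    needed for the (commented-out) "acl ... arp" rule
#   --enable-external-acl-helpers       builds ip_user, which the shown squid.conf
#                                       does not reference
# Chained with && so a failed configure or build does not run "make install".
cd /usr/src/squid-2.5.STABLE14 \
  && ./configure --prefix=/usr/local/squid --sysconfdir=/etc/squid --bindir=/usr/bin --sbindir=/usr/sbin --mandir=/usr/share/man --enable-gnuregex --enable-carp --enable-async-io=80 --enable-removal-policies=heap,lru --enable-icmp --enable-delay-pools --enable-useragent-log --enable-referer-log --enable-kill-parent-hack --enable-snmp --enable-arp-acl --enable-htcp --enable-cache-digests --enable-default-err-language=Simplify_Chinese --enable-err-languages="Simplify_Chinese" --enable-poll --enable-linux-netfilter --disable-ident-lookups --enable-underscores --enable-auth="basic" --enable-basic-auth-helpers="NCSA" --enable-external-acl-helpers="ip_user" --enable-x-accelerator-vary \
  && make \
  && make install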
4.设置squid.conf
cd
# Keep the shipped default squid.conf for reference and start from an empty file.
mv /etc/squid/squid.conf /etc/squid/squid.conf.bak
vi /etc/squid/squid.conf #then press i to enter insert mode and type the configuration below
==============================/etc/squid/squid.conf=========================
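# squid.conf for the proxy described on this page (Squid 2.5).
# Listens on the LAN address only; clients are admitted by NCSA basic auth.
http_port 100.100.100.1:808
cache_mem 64 MB
dns_nameservers 202.98.0.68 202.98.5.68
visible_hostname 100.100.100.1
cache_mgr murong@ccds.gov.cn
cache_dir aufs /usr/local/squid/var/cache 25000 16 256
error_directory /usr/local/squid/share/errors/Simplify_Chinese
emulate_httpd_log on
cache_store_log none
logfile_rotate 1
hierarchy_stoplist cgi-bin ?
hierarchy_stoplist -i ^https:\\ ?
# Dynamic content is never cached.
acl QUERY urlpath_regex -i cgi-bin \? \.asp \.php \.jsp \.cgi
# NOTE(review): urlpath_regex matches the path part of the URL, not the scheme,
# so a ^https: pattern is unlikely to match anything — confirm the intent
# (url_regex matches the full URL).
acl denyssl urlpath_regex -i ^https:\\
no_cache deny QUERY
no_cache deny denyssl
# Basic auth against the htpasswd-style file created in step 5. The helper is
# spawned by Squid after it drops privileges, so that file must be readable by
# Squid's effective user (the page chowns the cache to nobody).
auth_param basic program /usr/local/squid/libexec/ncsa_auth /etc/squid/passwd.sq
auth_param basic children 10
auth_param basic realm proxy.linuxserver.com
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
# Fixed: the page shows "acl all src" with no address argument; Squid's stock
# definition is every address.
acl all src 0.0.0.0/0.0.0.0
# Per-client-IP connection cap.
acl OverConnLimit maxconn 5
acl auth_user proxy_auth REQUIRED
#acl macaddress arp 00:16:36:05:a6:54
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
# Order matters: http_access is first-match, and a proxy_auth ACL evaluated
# without credentials ends the check with a 407 challenge. With
# "allow auth_user" as the first line (as on the page) every authenticated
# user skipped the cache-manager, Safe_ports and CONNECT restrictions and the
# connection cap. The restrictions now come first, as in Squid's stock
# configuration, and the authenticated allow sits just above the final deny.
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny OverConnLimit
http_access allow auth_user
#http_access allow macaddress
http_access deny all
http_reply_access allow all
# ICP is unrestricted at Squid's level; who can reach the ICP port is decided
# by the host firewall in step 7, which admits LAN clients only.
icp_access allow all
coredump_dir /usr/local/squid/var/cache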
===============================脚本结束================================
5.初始化cache目录和启动squid
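cd
# Create the NCSA password file that squid.conf points ncsa_auth at. The
# password is entered at the prompt rather than passed with -b so it does not
# end up in the shell history or in "ps" output. "proxy" is only the first
# account; -c creates the file and overwrites an existing one.
htpasswd -c /etc/squid/passwd.sq proxy
# Two processes need this file: ncsa_auth, which runs as Squid's effective
# user (nobody, matching the chown below), reads it, and the chpasswd CGI
# from step 6 rewrites it as the web server's user. Give exactly those two
# access instead of the page's "chmod 666", which let any local account add or
# change proxy credentials. NOTE(review): assumes the CGI runs under the web
# server's group — confirm and set HTTPD_GROUP accordingly before running.
: "${HTTPD_GROUP:?set to the group the web server runs as}"
chown nobody:"$HTTPD_GROUP" /etc/squid/passwd.sq
chmod 660 /etc/squid/passwd.sq
mkdir -p /usr/local/squid/var/cache
cd /usr/local/squid/var
chown -R nobody:nobody cache logs
# Syntax-check the configuration before anything uses it: no output means no
# errors were found.
squid -k parse
# Build the cache directory structure; add -X (squid -zX) to see each step.
squid -z
# NOTE(review): the page starts Squid with "squid start"; confirm that is the
# intended entry point on this system (an init script usually provides it).
squid start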
如果因为DNS无法启动squid,可以用下面的命令启动squid
squid -D # -D skips Squid's start-up DNS test, which is what blocks start-up when the resolvers are unreachable
6.安装squid密码修改工具
修改/etc/httpd/conf/httpd.conf的内容，把"AddDefaultCharset"设置成GB2312，使WEB页面正确显示中文。
cd /usr/src
# Replace the web server's index page with the link to the password-change CGI
# shown below; the CGI itself is built and installed in the following commands.
vi /var/www/html/index.html
============================/var/www/html/index.html=======================
<a href="../cgi-bin/chpasswd.cgi">请单击这里修改您的用户密码</a>
===================================配置结束============================
# NOTE(review): the tarball and directory names are truncated on this page
# ("chpasswd-" is missing its version); fill in the release actually used.
# Both downloads are plain http and nothing here checks them against a
# checksum or signature; verify them before building and installing as root.
wget -c http://jaist.dl.sourceforge.net/sourceforge/orsochpasswd/chpasswd-
wget -c http://sarg.sourceforge.net/htoi.patch
tar -zxvf chpasswd-
cd /usr/src/chpasswd-
patch -p0 < ../htoi.patch
# Installs chpasswd.cgi into the web server's CGI directory. It rewrites the
# Squid password file named in chpasswd.conf below, so anyone who can reach the
# web server can attempt password changes; the firewall script in step 7
# accepts port 80 only on non-uplink interfaces.
./configure --enable-language=Chinese --enable-cgidir=/var/www/cgi-bin
make && make install
vi /usr/local/etc/chpasswd/chpasswd.conf
=================/usr/local/etc/chpasswd/chpasswd.conf=========================
password_file /etc/squid/passwd.sq
=================================脚本结束==============================
7.防火墙设置及IP地址与MAC地址绑定
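# Fixed: the page reads "touch /usr /sbin/firewall" (stray space), which would
# touch /usr and create /sbin/firewall instead of the intended path.
touch /usr/sbin/firewall
# Executable by its owner (root) only; the script reconfigures iptables.
chmod u+x /usr/sbin/firewall
# NOTE(review): nothing on this page arranges for the script to run at boot;
# hook "firewall start" into the system's start-up sequence or the host comes
# up with whatever rules the kernel has by default.
vi /usr/sbin/firewall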
===============================/usr/sbin/firewall===========================
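#!/bin/sh
# /usr/sbin/firewall - host firewall for the proxy box.
#
# Usage: firewall {start|stop|restart|show}
#
# UPLINK faces the Internet, LANLINK faces the proxy clients. Clients are
# admitted by IP/MAC pairs read from IPMACFILE: one "ipaddr macaddr" pair per
# line; blank lines and lines starting with '#' are ignored.
UPLINK="eth0"
LANLINK="eth1"
INTERFACES="lo eth0 eth1"
IPMACFILE="/etc/ipmacfile"

# Flush rules, delete user chains and zero counters in the filter, nat and
# mangle tables; both 'start' and 'stop' begin from this clean slate.
flush_tables() {
  for table in filter nat mangle; do
    iptables -t "$table" -F
    iptables -t "$table" -X
    iptables -t "$table" -Z
  done
}

# Append one ACCEPT rule per IP/MAC pair in IPMACFILE, on the LAN interface
# only (LANLINK was defined but never used on the page): a MAC source match is
# only meaningful on the directly attached LAN segment. Malformed lines are
# reported and skipped instead of being handed to iptables as a broken command.
load_client_rules() {
  if [ ! -r "$IPMACFILE" ]; then
    printf '\n%s: not readable, no client rules loaded\n' "$IPMACFILE" >&2
    return 1
  fi
  while read -r ipaddr macaddr _rest; do
    case "$ipaddr" in
      '' | '#'*) continue ;;
    esac
    if [ -z "$macaddr" ]; then
      printf '\n%s: skipping "%s": no MAC address\n' "$IPMACFILE" "$ipaddr" >&2
      continue
    fi
    iptables -A INPUT -i "$LANLINK" -s "$ipaddr" -m mac --mac-source "$macaddr" -j ACCEPT
  done < "$IPMACFILE"
}

# "$1", not "$@": the page's case "$@" only worked when exactly one word was given.
case "$1" in
  start)
    printf '%s' "Starting firewall..."
    flush_tables
    # Default-deny inbound before the rules are loaded: fail closed, at the
    # cost of dropping established flows for the instant this takes.
    iptables -P INPUT DROP
    # Nothing below installs forwarding or NAT rules, so no legitimate traffic
    # transits FORWARD; closing it keeps this dual-homed host from acting as a
    # router. 'stop' sets it back to ACCEPT. Add explicit FORWARD rules here
    # if the box is meant to route.
    iptables -P FORWARD DROP
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Public services. SSH is not bound to an interface, so it is reachable
    # from the uplink as well; HTTP (which serves the chpasswd CGI) is not.
    # Newer iptables spell the negation "! -i" rather than "-i !".
    iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
    iptables -A INPUT -p tcp --dport 80 -i ! "$UPLINK" -m state --state NEW -j ACCEPT
    iptables -A INPUT -p tcp -i "$UPLINK" -j REJECT --reject-with tcp-reset
    load_client_rules
    #enable system-log
    #iptables -A INPUT -j LOG --log-prefix "bad input:"
    #iptables -A INPUT -p udp -i ${UPLINK} -j REJECT --reject-with icmp-port-unreachable
    # Explicitly disable ECN.
    if [ -e /proc/sys/net/ipv4/tcp_ecn ]; then
      echo 0 > /proc/sys/net/ipv4/tcp_ecn
    fi
    # Reverse-path filtering on every interface, skipping names the kernel
    # does not have so a missing NIC does not produce errors.
    for x in $INTERFACES; do
      if [ -e "/proc/sys/net/ipv4/conf/$x/rp_filter" ]; then
        echo 1 > "/proc/sys/net/ipv4/conf/$x/rp_filter"
      fi
    done
    echo "OK!"
    exit 0
    ;;
  stop)
    printf '%s' "Stopping firewall..."
    flush_tables
    # Open everything back up.
    iptables -P INPUT ACCEPT
    iptables -P OUTPUT ACCEPT
    iptables -P FORWARD ACCEPT
    iptables -t nat -P POSTROUTING ACCEPT
    iptables -t nat -P PREROUTING ACCEPT
    iptables -t nat -P OUTPUT ACCEPT
    echo "OK!"
    exit 0
    ;;
  restart)
    "$0" stop
    "$0" start
    ;;
  show)
    clear
    echo ">------------------------------------------------------"
    iptables -nvL
    echo ">------------------------------------------------------"
    iptables -t nat -nvL
    exit 0
    ;;
  *)
    echo "Usage: $0 {start|stop|restart|show}"
    exit 1
    ;;
esac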
=================================脚本结束==============================
注:
建立IP地址与MAC地址对应关系表
# One "ipaddr macaddr" pair per line, separated by whitespace; the firewall
# script reads it with "read ipaddr macaddr". Sample lines follow below.
touch /etc/ipmacfile
vi /etc/ipmacfile
ipmacfile文件格式
100.100.100.100 00:16:36:05:a6:54
100.100.100.101 00:16:36:05:a6:53







