    Last updated: 2011/08/02
    NzA\OiHNzkӤHqӦVںoΨLƪ@RAȡA ѩNzoƥiHOs@bA֨WA]HyH[tz\ILAثeWewgHenܦhA ]NzAˬOܤ֨ϥΦbo譱CӥNOky@픨zIo̪y@픡zO OSI Chw̭@hA]NzAOΦbRμhW@R覡TI^ iptables OΦbBljKhCLinux WŰʥNzAO squid oӳn齗I


    17.1 What is a proxy server (Proxy)

    NzA (Proxy) z̔xTINOHNzHhoϥΪ̩һݭnƴNOFI Oѩ󥦪yNzzOAϱoڭ̥iHzLNzAӹF\PΤsƪRI ~A]iH]ѥNzAӹF`WeتAHΥ[֤ں WWW stסI`A NzA~ӻAbO@ӫܤhF[I


    17.1.1 What is a proxy server

    bu@ɤAڭ̩γ\|DaHhz@zȧaI|ӨҤlӻAҦpúOΪ̬Oӿ촣fdΆΪA ѩAäOyӽЪ̥HzӬOyNzHzA]ɭԷ|ݭnqX@ҥNOFC bWNzA (Proxy Server) O^ƩOH̥Dn\NpPڭ̤Wu@ɤ@ˡA SΤݦںƭnDɡAProxy |DΤhVتaoΤһݭnC ҥHASΤݫw WWW NzAAΤ᪺Ҧ WWW }nDN|qLNzAhoI ӥNzAPΤݪ}ʥiHѤUϬݥX@Ӻݭ١G

    NzABΤݻPں}ʥܷN
    17.1-1BNzABΤݻPں}ʥܷN

    @ӻANzA|[]bӰϺxI~WYAӦbϺqNOzL Proxy ӦVںnDƪAoNOҿתyNzAzTISMAW[cȥuO@ӮרҡAOoӬ[chHΪ]A O]o˪ Proxy server RiHݰ@픨TI

    b Proxy PΤݪ}SAAݭnAOGΤݦV~nDƨWO Proxy DΤoA]ںWݨnDƪ̡AN|O Proxy A IP ӤOΤݪ IPC |ӨҤlӻApmbڪs]wFڭ̎ժNzADE proxy.ksu.edu.tw ڪ Proxy nFAA]ڪ IP O 120.114.141.51 ASڷQno Yahoo sDTɡAWAO proxy.ksu.edu.tw DڥhoAҥHb Yahoo WݨnDƪHO֩OHISMNO proxy.ksu.edu.tw ӤO 120.114.141.51 oIo˥iHA Proxy \FܡH

    Foӥ\ध~AProxy R@ӫܴΪB~\ANO\I ݤ@UWϥܡAAiHo{@ƱANOΤݪӤHqnsWں@wngL Proxy ACåBApGHQnJIAtɡAѩA proxy b̥~[AҥH@̴N|@hVAp@ӡANwI ~AѩӺں~OgL proxy A]NOyxI~zpAoRAUnӺ޲z]O̔xI^_^


    17.1.2 How a proxy server operates

    AF Proxy \धAڭ̨ӽͤ@ͨ Proxy 쩳O˹B@OH󥦷|y[ֺsIJvznBH oNݭnHUϥܨӻFI

    NzAB@y{ϡG֨ƻPΤ
    17.1-2BNzAB@y{ϡG֨ƻPΤ

    SΤݫwFNzAAbΤݷQnoںWTɡAOo˨oƪ (G Cache ܬ Proxy AwЪN)G


    • S Proxy ֦֨ΤҷQnƮ (Step a ~ d)G
    1. Client ݦV Server ݵoe@ӸƻݨDʥ]F

    2. Server ^Aoӫʥ]yӷzPwpney؊AzO_i^H pGӷP؊AOXkAΪ̻AӷP؊Aڭ̪ Proxy DoƮɡA Server ݷ|}l Client oơCoӨBJnNOyFzTAI^O{ҪP\TF

    3. Server |ˬdۤv֨ (sƥibO餤AHƫhmbwФW) ơA pG Client һݪơANNƷǷQXAӤgLV Internet nDƪ{ǡF

    4. ̫SMNONƦ^ǵ Client oI


    • S Proxy ֨SΤҷQnƮ (Step 1 ~ 5)G
    1. Client ݦV Server ݵoe@ӸƻݨDʥ]F
    2. Server ^A}liFF
    3. Server o{֨èS Client һݭnơAǷQeںơF
    4. Server }lV Internet oenDPo}ơF
    5. ̫SMNONƦ^ǵ Client oI


    Wy{R̭Aڭ̥iHMEDAS Proxy gDYΤoL A ƫASӪΤQnƨo A ƮɡA Proxy N|qۤv̭֨N A ƨXǰeΤAӤζ]ںhoP˪oƳC]ShںơASBJ 4 y{ܪɶɡAzL Proxy BJ 4 AP\WNn^tܧ֤FIuO^q Proxy ̭֨Ӥw (ҥH~|HyH[tz\)IoNOӬy{̤jtFC

    bثeں|̡AѩeW޳NwgܦAҥHbåΪpUAWezAWO^ (Dns~h)C ΤF Proxy į||󴣤ɩOH׬OAyRM|zIH|o˩OHqWy{RA ڭ̵o{ Proxy |``hŪwФơAӵwФ֨ƤSOzLYǯS覡b޲zA ]nMƴNn@ǮɶAA[WpGwį (wЩΥDEOœ) ήɡA[F Proxy Ϧӷ|AP\ljKyddzIoIonSO`N~I

    Tips:
    Proxy cache t׬OܭnDAӳo cache NOwTISMAwЮeqݭn^jAӥBRny^֡z~I ]ѤWy{SAڭ̤o{Acache O@QƦs@ӦaIҥHwЪnaNtOܤjTIiHLOvT@ Proxy įna}gIOI
    mϥ

    17.1.3 Upper-level proxy servers

    Q@QAJM Proxy ODΤݶiNzu@Aڭ̪ Proxy ण]wt~@x Proxy Sڪ Proxy Proxy OH¶faIy{^UoTG

    WhNzAܷN
    17.1-3BWhNzAܷN

    NOڭ̪ Local proxy ä|DʪhơAӬOAzLyWhNzAzV Internet nDơIo˦nBOHѩiڭ̪WhNzADEq`O㦳@WeA ]ڭ̳zLhnDSMyzAWzt׷|ֳIӤWhNzA̤jnBObyyzI ҦpUϩҥܡG

    HhWhNzAFyĪGܷN
    17.1-4BHhWhNzAFyĪGܷN

    `@]wFTWhNzAAѩoTӥNzA~t׳ۦPAҥHASڭnhɡANH Proxy1 ӭnDơAnsڬwNH Proxy3 Aܩns饻ANH Proxy 2 ӭnDکһݭnơAp@ӡAIiHڪ Proxy F̨ΪįIܤhaI~AF`٤Wh proxy tApGOLmAڭ̫h]wѦۤv local proxy ]wuʫ@OI

    ѩNzAݭnޱHӷݥΤݹqA]U ISP ȯwۮaΤӶ} Proxy ϥvӤwC xW`Xa ISP Ѫ Proxy G

    ѩSΤzL Proxy sںɡAݨ쪺O Proxy bƦӤOMΤݡA]Aڭ̤o{ Proxy i|QΤݹLתΡAPɤ]i|QӬD@[IҥHAثeʎj Proxy wgy~}zFAȰwۤvkΤᴣѥAȦӤw

    ]ApGAnۦ]w Proxy ɭԡAаOohASӽк ISP (pGONxAШQx쪺p@@Yi) jM@UA~Ī]wnAAI]]wh~ܡAIWh Proxy ڥѪAȡAΪ̬OWh Proxy įänAӮɭԧA Proxy ]|saܤjvT[IVIVI


    17.1.4 Differences between a proxy server and a NAT server

    γ\Awgo{F@ơANOGbkϥΨp IP ΤݡAAzL Proxy Ϊ NAT iH^o WWW AȡA NAT P Proxy S򤣦Pa[H̤OiHqs^XhܡHoӪNtʬOySjzI ̔xpUG

    • NAT A\G
      NpPĤE쪺ơALinux NAT \DnzLʥ]Lo覡A èϥ iptables nat i IP U (SNAT) AΤݦۦeںWa誺@R覡CDnB@欰Ob OSI ChwGBTB|hCѩOzLʥ]LoPUA]ΤݥiHϥΪfX (ĥ|h) uʡF

    • Proxy A\G
      DnzL Proxy Aȵ{ (daemon) ѺNzȡA] Proxy णiYǤu@APMAȪ{\঳}C |ҨӻApGA Proxy èSѶl FTP NzAAΤݴNOLkzL Proxy hooǺ귽C DnB@欰b OSI ChwRμh (ҿת"@"N)C

    o˻SIyFOHNAT AOѸhhiRu@AܩqL NAT ʥ]OFΪA NAT hޥLIܩ proxy hDnOѤ@ daemon \FAҥHݭnŦXM daemon ݨDA~FYǥ\I


    17.1.5 Uses, advantages and disadvantages of setting up a proxy server

    {bڭ̬D Proxy \FAq`򱡪pU|[] Proxy OH@ӻANzA\DnG

    • @ WWW ƨoNzHGoO̥Dn\I

    • @ϺxI~tGp 17.1-1 ҥܤ@ApGA Proxy ObϺ Gateway WYAoNzAN^@qFIӥBRݭn]wz NAT \OIuOxª Proxy Aq`ȴ WWW NzA]qQno smtp, ftp...NꐷС

    ѩ Proxy oRSʡALܱ`QϥΩj~A]iHFʎHWZɨϥΫD WWW H~AȡAӥBRiHʴϥΪ̪ƭnDyVPyqOIܤhaI ^_^InFA^Uӧڭ̨ӽͤ@SA[]F Proxy ᪺uIaCӽͽͥDni㦳uIG

    • `xI~WeACtGSA Proxy ΤܦhɡA Proxy ֨ƱN|}nhC]ΤݷQnoWƮɡAܦhN|q Proxy ֨oAӤΦVںnDơC ҥHiH`We[I

    • Hu|oơA[tP\GҦpAiHwA ISP ѪNzAs^~Aѩ ISP Ѫ Proxy q`㦳j~WeA]b~ƨoWA q`|AۤvDEsu~n֪hC~APW@I֨Ƥ]}Y[IqwШo|`~ںnuh[I

    • zLWhNzAUAF۰ʸƤyĪGGҦp 17.1-4 ҥܡAΤݦb\ANiHoƥѤP Proxy o[tĪGI

    • ѨqsW InternetGNOW쪺xI~\I

    ѩNzAouIA]o̭njPijApGAݭnsW~A Ф@wϥ ISP ѵANzADA]iH`WeAåBtפW|֤Wܦhܦh (ҦpOp, EPA )C LAQNASM Proxy ]OU઺ѯLiêIOH

    • eQϺHGڭ̪DںWݨoƪHO Proxy DEӤOΤݹq IPA]i|YǤϥΤH}lQΧA proxy FaơAɧAN|ꐷС ҥHAFʎoӪpAjPijh[nɮפRnAb޲zW|PܦhI

    • ݭn@W]wޥPh{Gbm]wLASA Proxy Oe]wnyįz@ӦAFIѩ Proxy Cache PLyWhNzAz}YOܺKA U@]wh~ܡAܦiϦA Proxy 쫱Τ WWW stסIYOyLksuI

    • i|oHh~Goӳ̮eoͤFIѩ󼃸gsL|Qm֨A ôѫΤ᪺^oCU@ںWӺƧsLOHɧA|o{AΤݵLkݨs᪺ơH NO]֨D[IoHƪWvi|@[I

    `A Proxy uIOܦhAOIoݭnޤHޤߔ[IJMpAڭ̨쩳Sݭn[]NzAOH ̔xAڭ̥iHoˤRI

    • ڪ Client ݥΤᤣ֡AӥBjȻݭn WWW oӺAȦӤwF
    • ڪ Proxy RݰȡF
    • ڪ Client ݱ``ݭnsuljKt׫ܺCAҦp~F
    • ڪ Client ݱ``sOyRAzAӤOʺA (ҦpQAϪ PHP)C

    pGAWz쪬pAOiHҼ{[] Proxy AOAۤϪӻAnO (1)ڪ Client ݫܤ֡AҥHCsW WWW ODs (èSΨ֨)AS Proxy ϦӬݤXįq㦹~A(2)Proxy ѩݩRμhFA Internet WُWuʸI^ NAT AiHiܦh\I(3)ڱ``WOQAϨR@hܪA bo˪pUAbOSn[] Proxy I

    OApGx쨺쥻WeN줤A[] Proxy դt״@AINOӥnʪTIҥHnn[] Proxy OHЦnn̾ڧAӦҶqILApAڭROnja[]NOF ^_^


    17.2 Basic Proxy server configuration

    Mbڭ̤p줤A[] Proxy uSΡALAҼ{jaӥi|@@IҥH~`Ϊ Proxy ]ݭnA@UnC boӤp`Aڭ̥Dn@Ӥ̔x Proxy ANOx¥iH]ӤwNzAC@픪]wаѦҫp`oC


    17.2.1 The squid software Proxy requires and its layout

    FNzA\઺nܦhAҦpįOܦn Apache HΧڭ̳oӏظ`nKس squid o@MC ثeNzAb Unix Like UAjhNOϥ squid A]ڭ̳o̥H squid ǨӤTCP˪A Шϥ rpm ˬdApG|wUAХΡy yum install squid zӦwUaIwUn squid ADnѪ]wɦG

    • /etc/squid/squid.conf
      oӬODn]wɡAҦ squid һݭn]wOmboɮSI mU쪺RR]wkXGOoɮ׸̭I

    • /etc/squid/mime.conf
      oɮ׫hOb]w squid Ҥ䴩 Internet Wɮ׮榡ANOҿת mime 榡oI @ӻAoɮתw]ewg^ŦXڭ̪ݨDFAҥHݭnʥLADAܲMEDAһݭnB~䴩 mime ɮ׮榡C

    LnؿPɮצG

    • /usr/sbin/squidG squid D{[I
    • /var/spool/squidGNOw] squid ֨mؿC
    • /usr/lib64/squid/G squid B~œAרOvT{ұKX譱{AOboӥؿUF

    17.2.2 CentOS default squid settings

    bw]pUACentOS squid 㦳UXӯSG

    • ȦE (localhost, 127.0.0.1) ӷiHϥγo squid \
    • squid Һo Proxy AȰfb port 3128
    • ֨ؿҦbmb /var/spool/squid/ ABȦ 100MB ϺЧ֨q
    • F squid {һݭn򥻰O餧~A| 8MB Oӵ]ɮק֨bO餤 (]OtפwR)
    • w]Ű squid {ǪϥΪ̬ squid oӱb (PϺЧ֨ؿv})

    A CentOS w] squid ]wAOȰw糧E (localhost) }񪺱pAӤ@jͳ]ww]ȡA OȰwpҫwӋȡAPɡAܦhSӋSŰʡCҥHAڭ̴NonA@UU]wȪNqA oˤ~^iקIoǰӋOb squid.conf YwAҥHANڭ̨ӬݬݳoɮתePnӋaG

    Tips:
    CentOS 6.x wgN squid.conf ̭ۤz]wȳqqFAҥHoɮ״NܪD`̔Io˨naTI nBOAAΥhݤ@ǧAΤ쪺ӋȡAaBOApGAQnL]wANoB~Ѧҥ~FI˸
    mϥ
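    [root@www ~]# vim /etc/squid/squid.conf
    # 1. Trusted clients and destinations: use acl to define localhost and related clients
    acl manager proto cache_object              <==defines manager as the management function
    acl localhost src 127.0.0.1/32              <==defines localhost as the local-machine source
    acl localhost src ::1/128
    acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 <==defines to_localhost as connections to the local machine
    acl to_localhost dst ::1/128

    # 2. Trusted clients and destinations: define the external (intranet) clients that may use this proxy
    acl localnet src 10.0.0.0/8      <==note that everything below is a private IP range
    acl localnet src 172.16.0.0/12
    acl localnet src 192.168.0.0/16
    acl localnet src fc00::/7
    acl localnet src fe80::/10
    # The above defines two clients (localhost, localnet) and one reachable destination (to_localhost)

    # 3. Define the ports that data may be fetched from
    acl SSL_ports port 443                  <==port for encrypted connections
    acl Safe_ports port 80          # http  <==standard well-known protocol ports
    acl Safe_ports port 21          # ftp
    acl Safe_ports port 443         # https
    # Defines two names: SSL_ports and the common standard ports Safe_ports
    acl CONNECT method CONNECT

    # 4. Decide whether each of these names is allowed (order matters!)
    http_access allow manager localhost  <==allow management from the local machine
    http_access deny manager             <==deny management from any other source
    http_access deny !Safe_ports         <==deny requests to non-standard ports
    http_access deny CONNECT !SSL_ports  <==deny CONNECT requests to non-standard encrypted ports
    <==this is where you insert your own rules; get the position right, because order matters
    http_access allow localnet           <==allow clients from the internal network
    http_access allow localhost          <==allow use from the local machine
    http_access deny all                 <==deny everything else

    # 5. Network parameters; the most important is http_port, which defines the Proxy port
    http_port 3128     <==default port on which Proxy listens for client requests; it can be changed
    # If you want the proxy server/client connection encrypted, you can use https_port instead (line 923)

    # 6. Cache and memory settings; pay particular attention to how memory is calculated
    hierarchy_stoplist cgi-bin ? <==keywords that follow hierarchy_stoplist (cgi-bin in this example)
    # URLs containing these keywords are fetched directly instead of being looked up in neighbor caches
    # (avoids stale copies of frequently changing database or program output)
    cache_mem 8 MB     <==extra memory for proxy to hold the hottest cached data (adjust to your own memory)

    # 7. Disk cache: the directory that holds cached data and its related settings
    cache_dir ufs /var/spool/squid 100 16 256 <==by default 100MB is used for the cache
    coredump_dir /var/spool/squid
    # The four parameters below have to be added by hand; they are shown here to document the defaults
    minimum_object_size 0 KB    <==objects smaller than this many KB are not cached; 0 means no limit
    maximum_object_size 4096 KB <==the opposite of the line above: objects larger than 4 MB are not cached to disk
    cache_swap_low 90   <==related to the next line: purge until disk cache usage is down to 90%
    cache_swap_high 95  <==when disk usage exceeds 95%, start deleting old cached data from disk

    # 8. Other defaults you may need; for reference only, they do not appear in the configuration file
    access_log /var/log/squid/access.log squid <==record of the clients that have used squid
    ftp_user Squid@  <==account name used when Proxy performs an anonymous FTP login on a client's behalf
    ftp_passive on   <==use passive connections when proxying FTP
    refresh_pattern ^ftp:           1440    20%     10080
    refresh_pattern ^gopher:        1440    0%      1440
    refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
    refresh_pattern .               0       20%     4320
    # The four lines above relate to how long cached data lives; they are explained in the text below
    cache_mgr root               <==default email of the proxy administrator
    cache_effective_user squid   <==owner of the squid PID once started
    cache_effective_group squid  <==group of the squid PID once started
    # visible_hostname <==sometimes DNS problems mean the hostname cannot be found and squid fails; then add this setting
    ipcache_size 1024  <==the following three lines configure the IP cache
    ipcache_low 90
    ipcache_high 95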
    

    OAWz@ǰ]wȡAiNnYFAO squid.conf ̭L]wȡAݨYn... LApAWzodz]wwgOܰ䪺]wFAA̦nA@UIF cache_dir @ALOʡI ڭ̥Hw]ȨӪ^Ű squid ݬݦSOaAC


    • ϥιw]ȨӎŰ squid [Ԏ}T

    nŰ squid uO̔xAڭ̨ӎŰ squid åB[ԎS}faI

    [root@www ~]# /etc/init.d/squid start
    init_cache_dir /var/spool/squid... 正在啟動 squid: .       [  確定  ]
    # The first start initializes the cache directory, which produces the message on the left above; it will not appear again
    [root@www ~]# netstat -tulnp | grep squid
    Proto Recv-Q Send-Q Local Address   Foreign Address   State    PID/Program name
    tcp        0      0 :::3128         :::*              LISTEN   2370/(squid)
    udp        0      0 :::45470        :::*                       2370/(squid)
    [root@www ~]# chkconfig squid on
    

    pGA]w icp_port ɡAsquid w]|Ű 3128 3130 ӰfA䤤n`NOA DΤioPǰeƪO port 3128 (TCP)A3130 (UDP) ȬOtdPF Proxy ۷q֨Ʈw\APڪΤnDL}C]ApGA proxy Oxªx@DEAΪ̬Oxª@\Ao port 3130 OiH}CN]pAҥH CentOS 6.x w]Noӳ]wȵϥoI

    DG
    ѩڪ Proxy ȬO̔xx@NzAAèS[]}FNzA (peer proxy neighbor proxy)A ]Qn} port 3130 AMpBzH
    G
    H CentOS 5.x He~ݭniA̔xA^ק icp_port YiIkG
    [root@www ~]# vim /etc/squid/squid.conf
    #Default: VBird 2011/04/06 modified, just change the value below from 3130 to 0
    icp_port 0
    
    [root@www ~]# /etc/init.d/squid restart
    

    WApGAΤݻP proxy qQnϥΥ[KE SSL \AHOΤݪTקKQѨɡA R https_port iHN http_port ILARqڭ̪ proxy ëD}]ȬO[]bϺA ]RݭnϥΨo https_port TI


    • [ԎPק֨ؿ (cache_dir)GvP SELinux

    qeڭ̪DϺЧ֨OvT proxy į઺@ӬSnӋA squid OpN֨siϺЪOH squid ONƤ@p@pAMOmӧOؿCѩhؿiH`٦bP@ӥؿnhɮתɶ (Q@QAOmybPdA`NҦyzõLتm@ӤjdnnhaI)A ]Abw] /var/spool/squid/ ؿUA squid S|NhlؿӦs}֨ơAҥH[ԎMؿN|OG

    [root@www ~]# ls /var/spool/squid
    00  01  02  03  04  05  06  07  08  09  0A  0B  0C  0D  0E  0F  swap.state
    # Take a look: there are 16 subdirectories. Now the contents of the first one:

    [root@www ~]# ls /var/spool/squid/00
    00  08  10  18  20  28 ... 98  A0  A8  B0  B8  C0  C8  D0  D8  E0  E8  F0  F8
    01  09  11  19  21  29 ... 99  A1  A9  B1  B9  C1  C9  D1  D9  E1  E9  F1  F9
    ....(middle omitted)....
    06  0E  16  1E  26  2E ... 9E  A6  AE  B6  BE  C6  CE  D6  DE  E6  EE  F6  FE
    07  0F  17  1F  27  2F ... 9F  A7  AF  B7  BF  C7  CF  D7  DF  E7  EF  F7  FF
    # See? 256 subdirectories in total.
    

    {bڭ̪DFhؿOFNƤOmAOĤ@h 16 ӻPĤGh 256 ӬOӪH ڭ̨@@@ cache_dir oӭnӋ]wOˡG

    • cache_dir ufs /var/spool/squid 100 16 256

    b /var/spool/squid/ ᭱ӋNqOG

    • Ĥ@ 100 NOϺШϥζqȥαMɮרt 100MB
    • ĤG 16 NĤ@hؿ@ 16
    • ĤT 256 NChؿA 256 Ӧؿ

    ھ squid kPLmAoh֨ؿΪtmNO 16 256 H 64 64 oRtmA ҥHڭ̤]ݭnק}TIIRon`Noӥؿɮ׾֦̻P SELinux ~I

    DG
    ݰ_ӹw] proxy ϺЧ֨RMO^ΡAӤeϺгWُSSnA] /var/ ̦hR 500MB iHڭ̰ϺЧ֨C pGQnNw]ϺЧ֨אּ 500MB ӥBA[W /srv/squid/ ؿ 2GB eqϺЧ֨AMpi]wH
    G
    o̳P cache_dir }Ioӳ]wȥiHƥX{hI]Aڭ̥iHo˶i檺ASO`NUؿvP SELinux I
    [root@www ~]# vim /etc/squid/squid.conf
    #Default: VBird 2011/04/06 modified, the setting below must be uncommented (remove the #) and also changed
    cache_dir ufs /var/spool/squid 500 16 256
    cache_dir ufs /srv/squid 2000 16 256
    
    [root@www ~]# mkdir /srv/squid
    [root@www ~]# chmod 750 /srv/squid
    [root@www ~]# chown squid:squid /srv/squid
    [root@www ~]# chcon --reference /var/spool/squid /srv/squid
    [root@www ~]# ll -Zd /srv/squid
    drwxr-x---. squid squid system_u:object_r:squid_cache_t:s0 /srv/squid/
    
    [root@www ~]# /etc/init.d/squid restart
    
    ҥHn令 squid ֦AO]WY squid.conf Aw]Ű PID bNO squid oӤHIҥHSMnܧIܩ SELinux 譱AѦҹw] /var/spool/squid N^DFCLn`NAYǯSwؿ (Ҧp /home) O\إߧ֨ؿA ]ڭ̨ϥΪAȸƥiHm /srv @doI

    Q@QAJM֨ObϺФWA֨Ʒ||뺡ӧ֨ϺЩOHSM|[IӥBS뺡ϺФA A proxy ȴNLk~B@FIҥHAڭSMonnn`NϺШϥζqO_wgMFCbWzDA Y /var/spool/squid 뺡 500MB /srv/squid 뺡 2GB A proxy NFCFקKoӰDA] squid Uӭn]wG

    • cache_swap_low 90
    • cache_swap_high 95

    NSϺШϥζqF 95% ɡAH֨ƱN|QRASRѤUϺШϥζqF 90% ɡANRʧ@C HרҤA`@ 2.5GB eqASΨ 2.5*0.95=2.375G ɡAHƷ|}lQRARѤU 2.5*0.9=2.25GB ɡANRNCҥH|QR 125MB HƴNOFCq`oӳ]wȤwg^FAݭnܰʥLA FA֨ӤjΤӤpɡA~|վoӳ]wȡC


    • squid ϥΪOp覡

    WAFϺЮeq~AOiOt@ӬSnvT proxy į઺]lI򻡩OH] proxy |NƦs@bϺЧ֨AOPɤ]|NƼȦsbOS[AH[֥ӨϥΪ̦sP@ƪtסI OoӰO֨OݭnOB~AO骺qAҥHNonHB~]wȨӫwoCNO cache_mem oӳ]wȪ\FC

    ܦhH (]Am) |~| cache_mem γ~I cache_mem OB~w@ǰOӶiy]zƦsI cache_mem äOڭnϥΦhְO鵹 squid ϥΡAӬO "RnB~ѦhְO鵹 squid ϥ" NzIѩw] 1GB ϺЧ֨|ά 10M OA squid ]|ά 15MB OA ]AWӨD squid ϥαONG

    • 2.5 * 10 + 15 + "cache_mem ]w (8)"

    squid xijAO̦nOWӋȪ⭿A]NOAWzOϥζqwgO 48MBA hڪO̦nܤ֭n 100 MB HWA~|nįISMAox Proxy ӤwApGAMDERtdLu@AIONob}[WhTI@ӻApGA Proxy ܦhHϥήɡAoӭȶVjVnAO̦n]nŦXWݨDI

    DG
    ѩڪO^jA proxy TOڭnAȡA]QnW[B~ 32MB @]Ƨ֨AMpקH
    G
    ^FTINOק cache_mem ӤwI
    [root@www ~]# vim /etc/squid/squid.conf
    #Default: VBird 2011/04/06 modified, the original 8 is changed to 32
    cache_mem 32 MB
    
    [root@www ~]# /etc/init.d/squid restart
    


    17.2.3 Controlling trusted sources (e.g. the LAN) and destinations (e.g. malicious sites): using acl and http_access

    bW]wAȦ proxy AiHVۤv proxy nDNz㨺ӧΔ[H ڭ̪IOQn}񵹰ϺӨϥγo proxy IҥHSMonקHΤ᪺ޱӋoC ɡAӭn줣檺 acl Non@@@TIo acl 򥻻ykG

    acl <custom acl name> <acl type to control> <setting content>
    

    ѩ squid ä|^ϥ IP κkӺޱH؊AAӬOzL acl W٨Ӻ޲zAo <acl W> Nn]w޲zOӷRO؊A (acl ) AHڪ IP κk (]we) TIo acl W٥iHQO@HٴNOFC򦳭ǭn acl OH򥻤WoǡG


    • ޲zO_ϥ proxy HΤݤ覡G

    ѩںDnϥ IP ΥDEW٨ӧ@su覡A]HΤ᪺ӷܤִNUXRG

    • src ip-address/netmaskG
      Dnyӷ IP }zC|ҨӻAmӡAOO 192.168.1.0/24 H 192.168.100.0/24 A 򰲳]ڷQnq@ vbirdlan acl W١ANiHb]wɤgG
      acl vbirdlan src 192.168.1.0/24 192.168.100.0/24

    • src addr1-addr2/netmaskG
      Dny@qdӷ IP }zC]ڥuQn 192.168.1.100-192.168.1.200 ϥγo proxy ANΡG
      acl vbirdlan2 src 192.168.1.100-192.168.1.200/24

    • srcdomain .domain.nameG
      pGӷΤ᪺ IP @ܡAҥHϥΪO DDNS 覡ӧsDEWٻP IP RAɧڭ̥iHϥΥDEW٨Ӷ}I ҦpӷO .ksu.edu.tw ӷΤN}ϥvANOG
      acl vbirdksu srcdomain .ksu.edu.tw


    • ޲zO_ proxy DNzM؊AhơG

    F޲zӷΤᤧ~AڭR^޲zO_ proxy AYǥ؊AhƳIbw]]wA ڭ̪ proxy Ⱥ޲ziHV~o port 21, 80, 440... ΰf؊AAOoǰfNLkDNzoC ܩ IP κkhS޲zC򥻪޲zoǤ覡G

    • dst ip-addr/netmaskG
      h؊A IP A|ҨӻAڭ̤\ proxy h 120.114.150.21 oDE IP ɡAiHgOG
      acl dropip dst 120.114.150.21/32

    • dstdomain .domain.nameG
      h؊ADEW١C|ҨӻApGAbWҮɤ\Ͷ]hRROppxANon .facebook.com }INݭngG
      acl dropfb dstdomain .facebook.com

    • url_regex [-i] ^http://urlG
      ϥΥWܪkӳBz}C@R覡IoR覡}Cn㪺KJWܪk}l~C |ҨӻAXsjgk (ëDAҥH̓ .* Oon[WhI)G
      acl ksuurl url_regex ^http://www.ksu.edu.tw/cht/.*

    • urlpath_regex [-i] \.gif$G
      PW@ acl D`AuOW@ӻݭng㪺}ơAo̫hOھں}CӳBmCHWzw]רҨӻA un}CO gif (Ϥ) NŦXoӶؤFCU@ڭnXDⱡAX{ /sexy W٨åH jpg A NHסANOϥΡG
      acl sexurl urlpath_regex /sexy.*\.jpg$

    FWz\ध~AڭR^ϥΥ~ɮרӴѬ۹R acl e]wȳI |ҨӻA]ڭ̷Qnת~DEWٱ``|ܰʡAڭ̥iHϥ /etc/squid/dropdomain.txt ӳ]wDEW١A MzLU覡ӳBz

    acl dropdomain dstdomain "/etc/squid/dropdomain.txt"

    Mb dropdomain.txt SA@@ӫݺ޲zDEW١Aoˤ]^֫ק squid.conf xZI nFIAF acl A^Uӱonͽ http_access oکΩʎӋFI


    • H http_access վ޲zHӷPޱ؊AyǡzG

    ]wn acl A^UӴNOnݬݨ쩳nnP_ http_access oӶئ}C򥻤WA http_access NOʎ (deny) P\ (allow) ӱءAMA[W acl WٴN^Fo˪\FI uOAonSO`NOGhttp_access ᭱^ơAOǪIo[ܭnI ڭ̥ΩUרҨӻnFG

    ]ڭn椺 192.168.1.0/24, 192.168.100.0/24 oqkAMʎ~ⱡ}ϤA H facebook.com ANRMno˰G

    [root@www ~]# vim /etc/squid/squid.conf
    # http_access is order-sensitive, so find the keyword line below and add your entries after it
    # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
    acl vbirdlan src 192.168.1.0/24 192.168.100.0/24
    acl dropdomain dstdomain .facebook.com
    acl dropsex urlpath_regex /sexy.*jpg$
    http_access deny dropdomain  <==the order of these three lines matters!
    http_access deny dropsex
    http_access allow vbirdlan
    
    [root@www ~]# /etc/init.d/squid restart
    

    Aon`NApGF vbirdlan ~ dropdomain ɡAA]wi|ѡI]wgA ]᭱Wh|A facebook.com NLkQפFIoIonܪ`N~I q`@kOANnʎgWhAM~gn檺ƴNnFC


    17.2.4 Other additional features

    • niYǺ֨ʧ@

    qeڭ̪D Proxy ֨q`bOܰʪơApGOQAϩΪ̬O{ƮwAA 򮣩ȴNS֨ݭnA]Ƥ@ܰʹIA`ƱAoF@dAGΤ@UAhsɡAݨ쪺ROHdaI ҥHoAbw]pUAsquid wgʎYǸƪ֨FANOUXӳ]wȡG

    acl QUERY urlpath_regex cgi-bin \?
    cache deny QUERY  <==this is the key line: it keeps URLs matching the pattern above from being cached
    

    ڭ̪Dq` .php jNOQAϤܰʩʸơAणX{ .php Nn֨OH SMiH[IMpiHڭ̥HWƨӷӼ˳yy@UaI

    DG
    un}CX{ .php ANH֨I
    G
    zL acl tX cache oӰӋӳBzYiI
    [root@www ~]# vim /etc/squid/squid.conf
    acl denyphp urlpath_regex \.php$
    cache deny denyphp
    # Just add these two lines at the end of the file
    
    [root@www ~]# /etc/init.d/squid restart
    


    • ϺФ֨sbɶ

    ROoU]wȶܡHoӳ]wȪӋOo˳]wG

    # refresh_pattern <regex>   <min time> <percent> <max time>
    refresh_pattern ^ftp:           1440    20%     10080
    refresh_pattern ^gopher:        1440    0%      1440
    refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
    refresh_pattern .               0       20%     4320
    
    • regexGϥΪOWܪkӤR}CơApWĤ@]w}C}YO ftp NC

    • ̤pɶGxOASooӸƪɶWLoӳ]wȡAhMƷ|QPwHơCpWĤ@A SoƶWL 1440 ɡAMƷ|QPwHơAYHŪP˪}CA squid |sMơA|ϥΧ֨HơCܩĤTAhܰFWzӶ}Yƥ~ALƳOQwqsA ] squid u|q֨ƵΤݡC

    • ʤGoӶػPy̤jɶz}ASMƳQ֨AgL̤jɶh֦ʤɡAMƴN|QC

    • ̤jɶGPW@ӳ]w}ANOoӸƦsb̪֨ɶCpWĤ@A̤jɶ 10080 AOSWLɶ 20% (2016) ɡAoӸƤ]|QPwHơC
    DG
    b}CX{ .vbird. rˮɡAMƬȮɨϥΪA] 2 pɫNHơCӳ̪Odb֨o@ѪɶA BgL 50% ɶANQPwHƧaI
    G
    [root@www ~]# vim /etc/squid/squid.conf
    refresh_pattern ^ftp:           1440    20%     10080
    refresh_pattern ^gopher:        1440    0%      1440
    refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
    refresh_pattern \.vbird\.       120     50%     1440
    refresh_pattern .               0       20%     4320
    
    [root@www ~]# /etc/init.d/squid restart
    


    • DEWٻP޲z email w

    pGAADEW٩|MwA]ϥΪDEW٦bںWO䤣R IP (] DNS ]w)A bw] squid ]wAȷ|LkQŰʡCɧAiHʪ[J@ӥDEW١ANOzL visible_hostname ӫwC PɡApGΤݨϥ squid X{h~ɡA݁W|X{޲z email ΤiH^NC{b]DEW٬ www.centos.vbird B޲z email dmtsai@www.centos.vbird Aɧڭ̥iHo˭קG

    [root@www ~]# vim /etc/squid/squid.conf
    cache_mgr dmtsai@www.centos.vbird  <==the administrator's email
    visible_hostname www.centos.vbird  <==sets the hostname directly
    
    [root@www ~]# /etc/init.d/squid restart
    

    17.2.5 Security settings: firewall, SELinux and blacklist files

    • on tcp port 3128

    {bڭ̤wg]wF 192.168.100.0/24 192.168.1.0/24 oqӷϥΧڭ̪ proxy server A QSMA]wNon}oqϥ port 3128 ~[ILAonSO`NAäO}񨾤Nϥ proxy server 귽ARonϥ acl tX http_access ~潗I`N`NI]AwgϥΤF iptables.rule A ק諸kNOoˡG

    [root@www ~]# vim /usr/local/virus/iptables/iptables.allow
    iptables -A INPUT -i $EXTIF -p tcp -s 192.168.1.0/24 --dport 3128 -j ACCEPT
    # The internal 192.168.100.0/24 network needs no rule here because it is already allowed
    
    [root@www ~]# /usr/local/virus/iptables/iptables.rule
    

    • SELinux `Nƶ

    w proxy ӻACentOS 6.x ˬOSӦhWhA]Gӻݭn׭qWhCLASELinux wbo`NCo]A]w (/etc/squid/ ) O squid_conf_t ˦A ӧ֨ؿhO squid_cache_t ABWh (/var/spool/) RMOn var_t ~C ק諸kNOzL chcon ӳBzYiC


    • إ߶¦Wx]w

    ڭ̦b 17.2.3 p`̭ͨAiHzLy dstdomain .domain.name zөפQsuC LCoϥ root ӳ]w squid.conf ~CSkB~BzX@ɮסAQnʎsuƼgJA oˤe޲zAݭn@hק squid.conf ISkiHFOHANzLSwɮרӳBmYiC ݬݩUoӨDӭ׭q@UaG

    DG
    إߤ@ӦW /etc/squid/dropdomain.txt ɮסAeʎsu؊AC
    G
    ڭ̤e]wL}ABzkO^NDEWټgJ squid.conf A{bڭ̥iHo˭׭qG
    [root@www ~]# vim /etc/squid/squid.conf
    # Find the entry below, the dropdomain line (around line 629), and modify it
    acl dropdomain dstdomain "/etc/squid/dropdomain.txt"
    # Note: for a file name, write the absolute path and enclose it in double quotes

    [root@www ~]# vim /etc/squid/dropdomain.txt
    .facebook.com
    .yahoo.com
    # One domain name per line
    
    [root@www ~]# /etc/init.d/squid reload
    

    oӤknBOAAiHϥB~覡hק /etc/squid/dropdomain.txt oɮתeA åBק粒ܫAϥ reload hJ]wɡAnsŰ (restart)A] reload tפֳtC |ҨӻAmMDʹN PHP gF@䱱MɮתAiHѮvbWҮɪ^zLKJnQ؊AA oˎʹNLkbWҮɳsu~YǺhCo


    17.3 Client-side use and testing

    JM proxy OsΪA۵MbsWNݭn]w@ǰӋoIp]wOHѩ󤣦Psb]w Proxy a]PAҥHUڭ̤ثe`fsAOO firefox H IE ]wAܩLsAаѦҦUs}[I


    17.3.1 Browser settings: firefox & IE

    • firefox 5.x ]wܷN

    nb firefox 5.X W]wn proxy 򥻨BJOo˪G} firefox nAX{pUϥܫAIGyuzyﶵzA ܷNepUҥܡG

    b firefox WY]w proxy y{
    17.3-1Bb firefox WY]w proxy y{

    MbX{pUeAܥkW誺yi픡zءAMIyzA̫AIsuy]wzsA pUϩҥܡA̧ǨӰʧ@G

    b firefox WY]w proxy y{
    17.3-2Bb firefox WY]w proxy y{

    ɴN|X{pUϩҥܪnAKJNzA}ơCХIyʳ]wz~^gUC Wڭ̦A IP (mרҤAϥΪO 192.168.1.100 o@) HΰfAMmijA]iHĿyҦqTwΦ proxy zءA]wSA~UTwCpUϩҥܪy{G

    b firefox WY]w proxy y{
    17.3-3Bb firefox WY]w proxy y{

    o˴N]wn firefox proxy }ƤFA^̔xaI


    • IE ]wܷN

    IE n]wOH]O̔xTIA} IE nAA|ݨpUܷNϡAIyuzyںﶵzA y{pUҥܡG

    b IE WY]w proxy y{
    17.3-4Bb IE WY]w proxy y{

    b^UӪAIysuzAMUyk]wzsCy{pUҥܡG

    b IE WY]w proxy y{
    17.3-5Bb IE WY]w proxy y{

    ̫NOnKJT proxy server IP P port }Ɣ[IpUϩҥܡAIbY 1 ҫwءAM~^}lgTơC @ӻAݺ} (ҦpϺA) iHzL proxy hơA]o̥iHĿbYTҥܷNسI o˴N]wܡC

    b IE WY]w proxy y{
    17.3-6Bb IE WY]w proxy y{

    ^Um firefox Ӵ@UApGAnsOQʎ|pH


    17.3.2 Testing the proxy: the failure page

    }lQΧAssUӺA򥻤WA|o{TeCpGAnsOQʎOH |ҨӻAڭ̦]wʎsV .yahoo.com IpGAuKJ}O tw.yahoo.comA݁WRMO|oˉKXI

    suQ proxy ʎɪRp
    17.3-7BsuQ proxy ʎɪRp

    qWϧڭ̥iHo{A؊AO tw.yahoo.comAMᲣͰDaby sQʎ (Access Denied) zAܰDoͦb proxy ]wAMtRܦnߪiDA޲z (cache administrator) email AADiH^NLC ̫AoӸTO_sHUR|iDAoӎh~oͪɶIOIo˦SܲME[H ^_^I proxy h~uOoǡA]ASARo{LksuɡAаȥnݬݿ݁KXT~nI


    17.4 Other server application settings

    F򥻪 proxy ]w~ApGARLiѧQΪWhNzAAwڭ̴N^]p@Upiyʧ@FI ~ApGwHΤӻADon@ϥ acl ^wΤӷMA http_access HS{ҥ\[H o˴NΤ@ק]w[IoǨ䥦Rγ]wboӤp`ӽͽͧaI


    17.4.1 Upper-level Proxy and traffic-splitting settings

    ^쪺Wh proxy Aڭ̦b 17.1.3 ̭͹LFAAiHs^h@@C LA]AҦbèSWhNzAAOA Linux DEmbP ISP UA o ISP Yǰ~WeyqPAҥHAQnھڳo˪pӳ]p@U WWW yɡAiH򰵡H ڭ|ӨҤlӻnFG

    • hinet.centos.vbirdGoDE hinet o ISP UAj (.cn) yq@A@WhNzAΡF
    • www.centos.vbirdGoDEN (Xsj)A]jWeQA]st׬۹CC

    {bڭ̳Wُ hinet.centos.vbird OWhNzAA]oDEon} www.centos.vbird oEϥvA oʧ@]AG (1)Q acl srcdomian Τ覡 www.centos.vbird ϥvF (2)} www.centos.vbird port 3128 Lo\Cp@ӡAڭ̳o www.centos.vbird ~^ϥΤWhNzAI]NOAoDEnOA^x~ (ܤ֤]nWh ISP ^A}ϥvT)C

    www.centos.vbird np]wOH򥻤WA]wWhNzAPyӋDnG cache_peer, cache_peer_domain, cache_peer_access ΡAOykpUG


    • cache_peer }yk
    cache_peer [parent proxy hostname] [proxy role] [proxy port] [icp port] [extra options]
    

    oӳ]wȴNObWdWhNzAb̡AHΧڭ̷QnoNzApdߪ}]wȡC

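    • Parent proxy hostname: in this example, hinet.centos.vbird;
    • proxy role: is this proxy our upper level (parent), or a neighbor (sibling) that cooperates with us? Since we want to fetch data through the upper level, parent is the value normally used;
    • proxy port: usually 3128;
    • icp port: usually 3130;
    • Extra options: how we want to query this upper-level proxy. The main ones are:
      • proxy-only: data obtained from the upper-level proxy is not cached on the local proxy server, which reduces the local proxy's load
      • weight=n: the weight. Several upper-level Proxy hosts can be specified, and weight sets which one matters most; the larger n is, the more important that Proxy
      • no-query: no ICP packets are sent when requesting data from the upper-level Proxy, which reduces the host's load
      • no-digest: do not ask the neighboring host to build a digest table
      • no-netdb-exchange: do not send ICMP packet requests to the neighboring Proxy host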

    • cache_peer_domain }yk
    cache_peer_domain [parent proxy hostname] [requested domain name]
    

    oӳ]wȪNOAAQnϥγoWhNzAVӠZkW٭nDơC


    • cache_peer_access }yk
    cache_peer_access [parent proxy hostname] [allow|deny] [acl name]
    

    P cache_peer_domain SAuO cache_peer_domain ^WdFDEW (domain name)A ӦpGAQn]pëDZkW١AӬOYǯSw IP qɡANon acl ]p@ӦW٫A AHo cache_peer_access h (allow) Ωʎ (deny) ŪFC

    ھڤWzykAڭ̷QnF .cn ϥ hinet.centos.vbird oANz\ɡA RMno˳]pG

    [root@www ~]# vim /etc/squid/squid.conf
    cache_peer hinet.centos.vbird parent 3128 3130 proxy-only no-query no-digest
    cache_peer_domain hinet.centos.vbird .cn
    
    [root@www ~]# /etc/init.d/squid reload
    

    pGAR䥦ݨDAQ acl WdF؊AmAAH cache_peer_access haI p@ӡAA proxy server NO@|Dʪ̾ڤPnDVPWhADƪo proxy oI


    17.4.2 Proxy service on the NAT server: Transparent Proxy

    qWkӬݡAڭ̥iHo{ proxy iH\ (acl dst, acl dstdomain AtX http_access Bz)A OAڭ̤]Dson]wn proxy A~|uϥ proxy INNObA_ΪܡH unAΤ᪾Dn]w proxy NiHLAޱAo proxy ԣΔ[HzOaH

    MpjϥΪ̤@wnϥΧA proxy OH̔xINOG (1)b~A (NAT) WwU proxyF (2)b proxy WYŰ transparent \F (3) NAT A[W@ port 80 port 3128 WhAp@ӡAҦ port 80 ʥ]N|QA NAT 茦V port 3128 A ӧA port 3128 NO proxy AjaNonΧA proxy AӥBIOAsݭni]wI

    I]NOASϥΪ̬OgL NAT AsuXhɡAun NAT Ao{yxIAOnh WWW ƹaInIoӰʧ@ Proxy ADAdwIzp@ӡAϥΪ̮ڥNݭnbsW]w Proxy }ơA]oӰʧ@Oy NAT AۤvMwzAҥHunb NAT AW]wSYiAϥΪ̤]wƩOIIuOhIӥBi檺ʧ@D`̔xI

    # 1. Configure the proxy to act as a transparent proxy server
    [root@www ~]# vim /etc/squid/squid.conf
    http_port 3128  transparent
    # Find the 3128 line and append transparent to the end of it
    
    [root@www ~]# /etc/init.d/squid reload
    

    ^UӡANӦ 192.168.100.0/24 oӤӷAunOnD port 80 ANNsfV port 3128 覡G

    [root@www ~]# vim /usr/local/virus/iptables/iptables.rule
    iptables -t nat -A PREROUTING -i $INIF -s 192.168.100.0/24 -p tcp \
             --dport 80 -j REDIRECT --to-ports 3128
    # Add the rule above near the bottom, on the line just before /etc/init.d/iptables save
    
    [root@www ~]# /usr/local/virus/iptables/iptables.rule
    

    o˴NTI̔xaIq`o˪SAXդǩΪ̬OpA ]oˎդڥݭnЎͳ]ws proxy \AߨN^Fڭ̩һݭnޱOIܴΧaI LAMo˪\wgܴΤFAOmڥΦbՔ줤oo{F@ǰDA NOܦhPPɤWǦP@ɮר~AhA] proxy ֨\AGͤ@oHɮסA s@ѮvӻAܧxZ]L{``ݭnWdz̷sIO proxy ֨A ҥHooh~ƤF㨺H


    • Ȩ㦳 proxy L֨\઺Nz

    JMڭ̳o transparent proxy تȬObi汱ޡAänhBz֨ (]We]O^)A ۯܴNn֨TIoˤN OK THnaIڭ̴Nӷft transparent ioӳ]wݬݡC ] transparent proxy wg]wSA^UӴNOA֨ؿŪŦp]ABA]gJơC ~A]nhlOӰO]ɮTI

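    # Stop squid, delete the cache directory contents and rebuild them, so the cache directory starts out empty
    [root@www ~]# /etc/init.d/squid stop
    [root@www ~]# rm -rf /var/spool/squid/*
    [root@www ~]# vim /etc/squid/squid.conf
    cache_dir ufs /var/spool/squid 100 16 256 read-only
    #cache_dir ufs /srv/squid 2000 16 256
    # Additionally comment out /srv/squid, and add the word read-only to the first line
    cache_mem 0 MB
    # It was set to 32MB before; not needed now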
    
    [root@www ~]# /etc/init.d/squid start
    

    p@ӡAo proxy NA]S֨FAƳonۤvV~YIN|HƭƥX{D


    17.4.3 Proxy authentication settings

    JM proxy \h\ΡA]Ay\Aܤ[IOAѩHVӶVhA] proxy iH]p open proxy IYO^}ҦHϥΧA proxy TIҥHA@ӻA proxy u|}񤺈kH̨ӨϥΦӤwC DOApGڦb Internet ]Qnϥγoۤv[] proxy ɡAMpOnHRonAק squid.conf ܡH SoꐷСH

    S}YTIFoӰDA squid xnwgF{Ҫ]w\INYڭ̥iHzL{Ҩ̔xKJbKXA YqLҡANiHߨϥΧڭ̪ proxy FIo˴NnhTIpFOH squid ѫܦh{ҥ\A ڭ̻ݭnO̔x\YiCϥΪO squid DʴѪ ncsa_auth {ҼœAoӼœ|Q apache (WWW A) ѪbKإ߫O (htpasswd) һs@KXɧ@Ҩ̾ڡCҥHAڭ̦ܤֻݭnˬdSo˪FG

    [root@www ~]# rpm -ql squid | grep ncsa
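    /usr/lib64/squid/ncsa_auth    <==here it is: the authentication module file; note the full path
    /usr/share/man/man8/ncsa_auth.8.gz

    [root@www ~]# yum install httpd   <==install the apache software
    [root@www ~]# rpm -ql httpd | grep htpasswd
    /usr/bin/htpasswd           <==the command needed to create the account/password file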
    /usr/share/man/man1/htpasswd.1.gz
    

    o˪ƫeǷQNthFCڭ̨ӦҼ{@ӮרҦnFG

    • k 192.168.100.0/24 nϥ proxy AROݭnzLҡF
    • ~DEQnϥ proxy (Ҧp 192.168.1.0/24 oq) ~ݭnҡF
    • ϥ NCSA 򥻇Ҥ覡ABKXɫإߦb /etc/squid/squid_user.txt
    • Wzɮ׶Ȧ@ӥΤ vbird ALKX 1234

    MpBzOH}lӤ@B@BiaG

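    # 1. Edit the contents of squid.conf
    [root@www ~]# vim /etc/squid/squid.conf
    # 1.1 First set the authentication parameters
    auth_param basic program /usr/lib64/squid/ncsa_auth /etc/squid/squid_user.txt
    auth_param basic children 5
    auth_param basic realm Welcome to VBird's proxy-only web server
    # The keywords must not be changed. The first line reads passwords from squid_user.txt through ncsa_auth;
    # the second line starts 5 processes (squid child processes) to handle authentication requests;
    # the third line is the welcome message shown to the user during authentication. These three lines can go at the very top.

    # 1.2 Then the acl and http_access settings that decide whether authenticated users are allowed
    acl vbirdlan src 192.168.100.0/24  <==modified: 192.168.1.0/24 removed
    acl dropdomain dstdomain "/etc/squid/dropdomain.txt"
    acl dropsex urlpath_regex /sexy.*jpg$
    acl squid_user proxy_auth REQUIRED <==creates an acl name that requires authentication
    http_access deny dropdomain
    http_access deny dropsex
    http_access allow vbirdlan
    http_access allow squid_user       <==note the rule order: authentication goes last

    # 2. Create the password data
    [root@www ~]# htpasswd -c /etc/squid/squid_user.txt vbird
    New password:
    Re-type new password:
    Adding password for user vbird
    # -c is needed only the first time the file is created; afterwards omit -c

    [root@www ~]# cat /etc/squid/squid_user.txt
    vbird:vRC9ie/4E21c.  <==this is the user and password entry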
    
    [root@www ~]# /etc/init.d/squid restart
    

    ݭn`Nyacl squid_user proxy_auth REQUIREDzo@]wAproxy_auth O}grA REQUIRED hOwbKXɤϥΪ̳^ϥ·ҪNCpG@QܡAÂHiHϥ transparent proxy A ӥ~hݭnKJbK~^ϥ proxy server ѪNzOCܩҪL{I^oˡG

    ϥ proxy ݇ҪܷN
    17.4-1Bϥ proxy ݇ҪܷN

    WϤbY 1 A]w real eAӱbKhOA htpasswd ҫإߪTIt~AJMwg[WFҥ\A AionN} port 3128 @ɺoLo~潗IROnѰOFI ^_^


    17.4.4 Log file analysis: sarg

    WA squid wgFhnɤRnFAӥBjhOKO (http://www.squid-cache.org/Scripts/) AAiH̷Ӧۤvߦnӥ[HwUPRA squid nɳImo̶Ȥ@MSjRnA NO sargC

    Squid Analysis Report Generator (Squid RNis@)ALxbG http://sarg.sourceforge.net/sarg.phpALzS̔xANON logfile XӡAMi@URA̾ڤPɶBBP]ΆΨӶiƪKXA ѩKXGbOӌNFIҥH...IpGAOsܡAγoӳn|AyRz[I ]CӤHCӤpʧ@|QOUӡAڪѧoISڲĤ@ݨoӤReɡAuL~FѤj@to]sC IP byCӤpɩҳsWCӺơz`ȤFa

    LAuINITI򻡩OH] SARG \ӱjjFAҥHOyƶqzNbOhFIApGA Proxy ݩRܤjyqɡANnϥΡyNzA]NOCѲͤ@NR覡I ѩƤ@ѥi|X MB ơA@ӤRS}YApGOFX~AOoǰON|ᱼnX GB wЪŶF㦹~A]iHϥΡy\Hơz覡ndsHơAoˤ]iH`ٵwЪŶTI

    b SARG xWwgBʹjaN RPM ɮ׻s@XӤFAAiHѦҡGhttp://packages.sw.be/sarg/ ɮסCѩmΪO CentOS 6.x 64 줸AIܥ鬰 (2011/08) oӺ|XTw CentOS 6 A]mUO sarg-2.2.3.1-1.el5.rf.x86_64.rpm oӪCAiHϥ wget U /root UAA rpm -ivh hwU_ӧYiC oӳnw]|N /var/www/sarg @KXN؊AAӥBAnwUPŰ WWW AA ܩ}ChOG http://your.hostname/sarg hd\CUڭ̨ӳBz sarg ]wɧaI

    [root@www ~]# yum install gd
    [root@www ~]# rpm -ivh sarg-2.2.3.1-1.el5.rf.x86_64.rpm
    [root@www ~]# vim /etc/sarg/sarg.conf
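    title "Squid 使用者存取報告"           <==around line 49
    font_size 12px                         <==around line 69
    charset UTF-8                          <==around line 353

    # 1. Build a report from all the data in the log files in one go
    [root@www ~]# sarg
    SARG: Records in file: 2285, reading: 100.00%  <==lists the analysis information

    # 2. Build the report for August 2
    [root@www ~]# sarg -d 02/08/2011
    # In this example the data goes under /var/www/sarg/ONE-SHOT/

    # 3. Build yesterday's report
    [root@www ~]# sh /etc/cron.daily/sarg
    # This example puts each day's data under /var/www/sarg/daily/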
    

    pGs@n}ơAѩ sarg o RPM ɮפwgDڭ̳]wnFCBCgBCi@A ҥHAiHκޫTID`KIpGQnd\ơAunb proxy server ݉KJ http://your.hostname/sarg |ݨpUeG

    sarg N[ԎܷN
    17.4-2Bsarg N[ԎܷN

    pWҥܡAb}CKJAENNAM|ݨXӳsCPڭ̦}O ONE-SHOT H daily ӡA ڭ̨@@ ONE-SHOT (bY 2 ҫ) ̭ԣNNHUh|ݨUϡG

    sarg N[ԎܷN
    17.4-3Bsarg N[ԎܷN

    pWϩҥܡA]ڭ̭L⦸ sarg OAҥHo̷|ӮɶsCڭ̥ݬ`MơA YϤbYҫaA|X{UϪG

    sarg N[ԎܷN
    17.4-4Bsarg N[ԎܷN

    bMqɶA@TӥΤbsAڭ̨@@ client.centos.vbird 쩳FFԣƧaI

    sarg N[ԎܷN
    17.4-5Bsarg N[ԎܷN

    ݨSAoӥΤboqɶiLsuqqb̭ISܲMOH


    17.5 Key points review
    • NzA\ObNzϥΪ̦VںnD Web page ơAPɹF Web pages ֨OAHFWe`٪تF ~ARiHB~F\F
    • ڭ̥iHzL㦳jWeWhNzAӶi殻ƪyF
    • ]w Proxy ɡApGHWejWh Proxy DUANU Client stת@F
    • H\ӻA Proxy ϥRμh覡ӹF\Aܩ iptables hO󬰩h TCP/IP R覡F
    • ثe Unix Like EA proxy \઺AnXGOϥ squid A squid Ȼݭn]w squid.conf oӳ]wɧYiϥΡF
    • squid DnzL acl tX http_access ӶiHΤP؊A WWW AޡF
    • http_access oӰӋӳ]wަ欰ɡAyǡzOvT
    • transparent proxy \NOiH client ݤݭn]ws proxy \AYii proxy u@F

    17.6 Chapter exercises
    • л Proxy iHɺ WWW stסH
    • U@ squid oͤFDAаݧMpXDIH
    • л Proxy A\ରH
    • Proxy AiH@kwʡH

    17.7 References and further reading

    2001/??/??GĤ@AwgѰOF
    2001/11/09G[JW[ Proxy į઺kANOϥΦh@wаxs覡I
    2003/04/04GjTתgʧ@I[JF㪺 Proxy AP pwebstats []I
    2003/04/11GFt@ӥݤRjjn SARG RMI
    2003/09/16GLTծդ@UI
    2004/11/12G׭q transparent proxy ]wDA httpd_accel_with_proxy on
    2011/03/31GNHnѪ Red Hat 9 زʨ B
    2011/04/08G}Fogק諸TפӤjFInh¡
    2011/08/02GN CentOS 5.x ʨB

    http://www.okfdzs1903.com is designed by VBird during 2001-2011. ksu.edu