Squid反向代理加速缓存+负载均衡实验架构
2012-02-12 13:59
676 查看
实验环境:
公司有两台web服务器,运行同一套网站,读取同一台mysql数据库。
两台web服务器的主机名如下:
test1.com 192.168.1.119
test2.com 192.168.1.120
squid服务器ip:192.168.1.123
DNS: 192.168.9.254
实验思路:DNS将www.fb.com解析给squid服务器,squid轮询web主机返回其中一台作应答,并提供缓冲加速的服务!
注意:在次试验中,针对https的部分有点问题,需要负载均衡设备做一些设置!另外,两台web服务器部分网站目录的同步问题,已解决可以才从NFS挂载目录的方式来实现!
一、基础配置
A、更新
1、更换更新源(服务器位于国内做此操作)
sed -i "s/mirror.centos.org/centos/mirrors.centos.91.com/g" /etc/yum.repos.d/CentOS-Base.repo
sed -i "s/^mirrorlist/#mirrorlist/g" /etc/yum.repos.d/CentOS-Base.repo
sed -i "s/^#baseurl/baseurl/g" /etc/yum.repos.d/CentOS-Base.repo
2、更新
yum clean all
yum -y update
[sepatator]
B、优化
1、增加以下内容到/etc/sysctl.conf末尾
kernel.core_uses_pid = 1
net.ipv4.ip_forward = 1
net.ipv4.conf.lo.arp_ignore = 1
net.ipv4.conf.lo.arp_announce = 2
net.ipv4.conf.all.arp_ignore = 1
net.ipv4.conf.all.arp_announce = 2
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_keepalive_time = 300
net.ipv4.tcp_window_scaling = 0
net.ipv4.tcp_sack = 0
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_syncookies = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.conf.all.log_martians = 1
net.ipv4.tcp_max_syn_backlog = 4096
net.ipv4.tcp_max_tw_buckets = 1440000
net.ipv4.ip_local_port_range = 1024 65536
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.ipv4.tcp_rmem = 4096 87380 16777216
net.ipv4.tcp_wmem = 4096 65536 16777216
net.ipv4.tcp_keepalive_intvl = 15
net.ipv4.tcp_retries2 = 5
fs.file-max = 655360
net.core.somaxconn = 4096
执行:
sysctl -p
使之生效
2、加大可允许打开的文件句柄数
echo "* soft nofile 65536" >>/etc/security/limits.conf
echo "* hard nofile 65536" >>/etc/security/limits.conf
3、时间校对
yum -y install ntp
service ntpd restart
service ntpd stop
echo "#time update" >> /etc/crontab
echo "0 23 * * * root /usr/sbin/ntpdate time.windows.com" >> /etc/crontab
C、硬盘分区挂载
查看硬盘
fdisk -l
根据实际物理机器是否硬raid及硬盘数量做不同的raid及分区情况
因为这里是做cache,不建议使用软raid
二、squid的编译安装配置
1、squid的安装
安装gcc等工具包
yum install gcc gcc+ gcc-c++ gcc-g77 autoconf automake ncurses-devel flex openssl-devel mod_ssl make
cd /home/soft
tar zxvf squid-3.1.16.tar.gz
cd squid-3.1.16
./configure --prefix=/usr/local/squid --enable-gnuregex --enable-dlmalloc --with-pthreads --enable-ssl --enable-stacktrace --enable-removal-policies=heap,lru --enable-delay-pools --enable-kill-parent-hack --enable-snmp --enable-icmp --enable-err-language=simplify_Chinese --enable-default-err-languages=Simplify_Chinese --enable-cahce-digests --disable-ident-lookups --with-filedescriptors=65536 --enable-underscore --enable-large-cache-files --with-large-files --enable-storeio=aufs,diskd,ufs --enable-linux-netfilter --enable-async-io=160 --enable-cachemgr
make
make install
cd /usr/local/squid
2、生成证书并申请新证书
openssl genrsa -des3 -out *.squid.key 1024
openssl req -new -key *.squid.key -out *.squid.csrc
这是需要生成正式证书使用的,如果只是需要未认证的证书,可使用以下命令生成:
openssl req -utf8 -new -key *.squid.key -out *.squid.csr
这里生成的证书不要使用密码,貌似squid不能使用密码,我第一次使用了密码能正常启动,但会提示未认证,让我搞了好久的时间。
3、squid配置
mkdir /data/cache1
mkdir /data/cache2
mkdir /data/cachelog
chown squid /data/cache*
把服务商提供的证书放到/data/key/目录下,包括中级根证书,证书,公钥三个文件。
修改squid.conf文件内容:
------------------------------------------------------------------------------
#
# Recommended minimum configuration:
#
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
# acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
# acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.9.0/24 # RFC1918 possible internal network
# acl localnet src fc00::/7 # RFC 4193 local private network range
# acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
#
# Recommended minimum Access Permission configuration:
#
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
# Deny requests to certain unsafe ports
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
# http_access deny to_localhost
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost
# And finally deny all other access to this proxy
http_access deny all
# Squid normally listens to port 3128
# http_port 3128
# Uncomment and adjust the following to add a disk cache directory.
# cache_dir ufs /usr/local/squid/var/cache 100 16 256
# Leave coredumps in the first cache dir
coredump_dir /usr/local/squid/var/cache
# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
##---------------------------------------
# host and cache port setting
##----------------------------------------
# 主机名(3.0加入配置),无此项无法启动
visible_hostname squid
cache_mgr jason.kou@factorybuy.com
# 设置运行squid用户,一般不能以root运行
cache_effective_user squid
cache_effective_group squid
cachemgr_passwd password all
client_persistent_connections off
server_persistent_connections on
half_closed_clients off
# 设定squid为accel加速模式,vhost必须要加.否则将无法将主机头转发至后端服务器,
# 访问时就会出现无法找到主机头的错误
http_port 80 accel vhost vport
# 添加443端口之后可能导致IE浏览器无法正常访问https页面,未测试
http_port 443 accel vhost vport
# https_port 443 cert=/data/squid.csr key=/data/squid.key defaultsite=www.fb.com
# https_port 443 cert=/usr/local/squid/data/cert.pem /usr/local/squid/data/key.pem
##----------------------------------------
# cache directory setting
##----------------------------------------
# 缓存目录8192M,其中一级目录16个,二级256个(每个一级下16个二级)
cache_dir ufs /usr/local/squid/data/cache 8192 16 256
max_open_disk_fds 0
##-----------------------------------------
# cache storage setting
##-----------------------------------------
# 大于此容量的对象将不会被保存在磁盘上,默认大小是4M,如果squid服务器用于缓冲flash等大型文件,
# 建议将此值变大.否则过大的文件在下次重>启后将需要重新获取
maximum_object_size_in_memory 4 MB
minimum_object_size 0 KB
maximum_object_size 4 MB
# 缓存内容大小控制,当cache目录被占用到95%时,内容将被清空20%
cache_swap_high 95
cache_swap_low 80
# 替换机制(lru叫做“最近不常用的单元”unit一般就是常说object, 也就是当cache
# 中的内容比如内存或硬盘达到上限时就需要进行数据的换进和换出工作)
memory_replacement_policy lru
cache_replacement_policy lru
##------------------------------------------
# cache time out setting
##------------------------------------------
forward_timeout 20 seconds
connect_timeout 15 seconds
read_timeout 3 minutes
request_timeout 1 minutes
persistent_request_timeout 15 seconds
client_lifetime 15 minutes
shutdown_lifetime 5 seconds
negative_ttl 10 seconds
##---------------------------------------------
# cache log setting
##---------------------------------------------
emulate_httpd_log on
logformat squid %ts.%tu %tr %>a %Ss/%>Hs %<st %rm %ru %un %Sh/%<A %mt
access_log /usr/local/squid/data/logs/access_log.log common
cache_log /usr/local/squid/data/logs/cache.log
cache_store_log /usr/local/squid/data/logs/store.log
cache_swap_log /usr/local/squid/data/logs/cache_swap.log
mime_table /usr/local/squid/etc/mime.conf
# 错误信息目录
error_directory /usr/local/squid/share/errors/en-us/
pid_filename /usr/local/squid/data/squid.pid
# 不记录store.log
# cache_store_log none
##--------------------------------------------
# vhost setting
##--------------------------------------------
# 定义不同的父节点,将节点设为no-query以及originserver说明这些节点是实际服务器
cache_peer test1.com parent 80 0 no-query no-digest originserver name=test1 round-robin
cache_peer test2.com parent 80 0 no-query no-digest originserver name=test2 round-robin
# 设定不同域名转发到不同的cache_peer上,如果没有这项.不同域名的域名可能被分发到同一台服务器上.
cache_peer_domain test1 www.fb.com
cache_peer_domain test2 www.fb.com
# 允许客户端所有请求(这里可以设置拦截url,格式如下面两行缓存设置)
http_access allow all
# 设置不缓存url类型(空格隔开
acl QUERY urlpath_regex .php .jsp .asp .pl .cgi
cache deny QUERY
---------------------------------------------------------------------
hosts_file /etc/hosts
4、启动
/usr/local/squid/sbin/squid -z 生成缓存目录
/usr/local/squid/sbin/squid -s
netstat -na |grep 443
netstat -na |grep 80
看端口监听是否启动了
如果OK,那么squid配置完毕,这里不做squid配置的一些讲解,因为我本人也不是非常熟悉!
三、双机高可用
一些关于squid调试的命令:
1,初始化你在 squid.conf 里配置的 cache 目录
#squid/sbin/squid -z
如果有错误提示,请检查你的 cache目录的权限。
2,对你的squid.conf 排错,即验证 squid.conf 的 语法和配置。
#squid/sbin/squid -k parse
如果squid.conf 有语法或配置错误,这里会返回提示你,如果没有返回,恭喜,可以尝试启动squid。
3,在前台启动squid,并输出启动过程。
#/usr/local/squid/sbin/squid -N -d1
如果有到 ready to server reques,恭喜,启动成功。
然后 ctrl + c,停止squid,并以后台运行的方式启动它。
4,启动squid在后台运行。
#squid/sbin/squid -s
这时候可以 ps -A 来查看系统进程,可以看到俩个 squid 进程。
5,停止 squid
#squid/sbin/squid -k shutdown
这个不用解释吧。
6,重引导修改过的 squid.conf
#squid/sbin/squid -k reconfigure
当你发现你的配置有不尽你意的时候,可以随时修改squid.conf,然后别忘记对你的 squid.conf排错,
然后再执行此指令,即可让squid重新按照你的 squid.conf 来运行。
7,把squid添加到系统启动项
编辑 /etc/rc.d/rc.local
添加如下行: /usr/local/squid/sbin/squid -s
再来点其他的。
1,修改cache 缓存目录的权限。
#chown -R squid:squid /home/cache
我的cache缓存目录是 /home/cache,squid执行用户和用户组是 squid,squid。
2,修改squid 日志目录的权限
#chown -R squid:squid /usr/local/squid/data/logs
这一步并不是适合每一个使用squid的用户.意为让squid有权限在该目录进行写操作 。
例如生成 access.log cache.log store.log
3,查看你的日志文档。
#more /usr/local/squid/var/logs/access.log | grep TCP_MEM_HIT
该指令可以看到在squid运行过程中,有那些文件被squid缓存到内存中,并返回给访问用户。
#more /usr/local/squid/var/logs/access.log | grep TCP_HIT
该指令可以看到在squid运行过程中,有那些文件被squid缓存到cache目录中,并返回给访问用户。
#more /usr/local/squid/var/logs/access.log | grep TCP_MISS
该指令可以看到在squid运行过程中,有那些文件没有被squid缓存,而是现重原始服务器获取并返回给访问用户。
关掉不必要的服务
echo 'alias vi="vim" alias grep="grep --color"' >> /etc/profile
echo -e "* soft nofile 65536* hard nofile 65536" > /etc/security/limits.conf
chkconfig --level 0123456 NetworkManager off
chkconfig --level 0123456 NetworkManagerDispatcher off
chkconfig --level 0123456 anacron off
chkconfig --level 0123456 atd off
chkconfig --level 0123456 auditd off
chkconfig --level 0123456 autofs off
chkconfig --level 0123456 avahi-daemon off
chkconfig --level 0123456 avahi-dnsconfd off
chkconfig --level 0123456 bluetooth off
chkconfig --level 0123456 capi off
chkconfig --level 0123456 centcore off
chkconfig --level 0123456 centstorage off
chkconfig --level 0123456 conman off
chkconfig --level 0123456 cups off
chkconfig --level 0123456 dc_client off
chkconfig --level 0123456 dc_server off
chkconfig --level 0123456 dhcdbd off
chkconfig --level 0123456 dovecot off
chkconfig --level 0123456 dund off
chkconfig --level 0123456 firstboot off
chkconfig --level 0123456 gpm off
chkconfig --level 0123456 hidd off
chkconfig --level 0123456 hplip off
chkconfig --level 0123456 httpd off
chkconfig --level 0123456 innd off
chkconfig --level 0123456 ip6tables off
chkconfig --level 0123456 ipmi off
chkconfig --level 0123456 irda off
chkconfig --level 0123456 irqbalance off
chkconfig --level 0123456 isdn off
chkconfig --level 0123456 kdump off
chkconfig --level 0123456 kudzu off
chkconfig --level 0123456 ldap off
chkconfig --level 0123456 lisa off
chkconfig --level 0123456 mdmonitor off
chkconfig --level 0123456 mdmpd off
chkconfig --level 0123456 microcode_ctl off
chkconfig --level 0123456 multipathd off
chkconfig --level 0123456 nagios off
chkconfig --level 0123456 named off
chkconfig --level 0123456 netconsole off
chkconfig --level 0123456 netfs off
chkconfig --level 0123456 netplugd off
chkconfig --level 0123456 nfs off
chkconfig --level 0123456 nfslock off
chkconfig --level 0123456 nscd off
chkconfig --level 0123456 ntpd off
chkconfig --level 0123456 oddjobd off
chkconfig --level 0123456 pand off
chkconfig --level 0123456 pcscd off
chkconfig --level 0123456 portmap off
chkconfig --level 0123456 postgresql off
chkconfig --level 0123456 psacct off
chkconfig --level 0123456 rdisc off
chkconfig --level 0123456 readahead_later off
chkconfig --level 0123456 restorecond off
chkconfig --level 0123456 rpcgssd off
chkconfig --level 0123456 rpcidmapd off
chkconfig --level 0123456 rpcsvcgssd off
chkconfig --level 0123456 rwhod off
chkconfig --level 0123456 saslauthd off
chkconfig --level 0123456 setroubleshoot off
chkconfig --level 0123456 smb off
chkconfig --level 0123456 snmpd off
chkconfig --level 0123456 snmptrapd off
chkconfig --level 0123456 spamassassin off
chkconfig --level 0123456 sysstat off
chkconfig --level 0123456 tux off
chkconfig --level 0123456 vncserver off
chkconfig --level 0123456 vsftpd off
chkconfig --level 0123456 wdaemon off
chkconfig --level 0123456 winbind off
chkconfig --level 0123456 wpa_supplicant off
chkconfig --level 0123456 xfs off
chkconfig --level 0123456 xinetd off
chkconfig --level 0123456 ypbind off
chkconfig --level 0123456 yum-updatesd off
chkconfig --level 0123456 acpid off
chkconfig --level 0123456 iptables off
service NetworkManager stop
service NetworkManagerDispatcher stop
service anacron stop
service atd stop
service auditd stop
service autofs stop
service avahi-daemon stop
service avahi-dnsconfd stop
service bluetooth stop
service capi stop
service centcore stop
service centstorage stop
service conman stop
service cups stop
service dc_client stop
service dc_server stop
service dhcdbd stop
service dovecot stop
service dund stop
service firstboot stop
service gpm stop
service hidd stop
service hplip stop
service httpd stop
service innd stop
service ip6tables stop
service ipmi stop
service irda stop
service irqbalance stop
service isdn stop
service kdump stop
service kudzu stop
service ldap stop
service lisa stop
service mdmonitor stop
service mdmpd stop
service microcode_ctl stop
service multipathd stop
service nagios stop
service named stop
service netconsole stop
service netfs stop
service netplugd stop
service nfs stop
service nfslock stop
service nscd stop
service ntpd stop
service oddjobd stop
service pand stop
service pcscd stop
service portmap stop
service postgresql stop
service psacct stop
service rdisc stop
service readahead_later stop
service restorecond stop
service rpcgssd stop
service rpcidmapd stop
service rpcsvcgssd stop
service rwhod stop
service saslauthd stop
service setroubleshoot stop
service smb stop
service snmpd stop
service snmptrapd stop
service spamassassin stop
service sysstat stop
service tux stop
service vncserver stop
service vsftpd stop
service wdaemon stop
service winbind stop
service wpa_supplicant stop
service xfs stop
service xinetd stop
service ypbind stop
service yum-updatesd stop
service acpid stop
service nfslock stop
chkconfig nfslock off
service portmap stop
chkconfig portmap off
service iptables stop
chkconfig iptables off
service sendmail stop
chkconfig sendmail off
service cups stop
chkconfig cups off
chkconfig --list | grep :on
本文出自 “Centi.Linux” 博客,请务必保留此出处http://centilinux.blog.51cto.com/1454781/777899
公司有两台web服务器,运行同一套网站,读取同一台mysql数据库。
两台web服务器的主机名如下:
test1.com 192.168.1.119
test2.com 192.168.1.120
squid服务器ip:192.168.1.123
DNS: 192.168.9.254
实验思路:DNS将www.fb.com解析给squid服务器,squid轮询web主机返回其中一台作应答,并提供缓冲加速的服务!
注意:在次试验中,针对https的部分有点问题,需要负载均衡设备做一些设置!另外,两台web服务器部分网站目录的同步问题,已解决可以才从NFS挂载目录的方式来实现!
一、基础配置
A、更新
1、更换更新源(服务器位于国内做此操作)
sed -i "s/mirror.centos.org/centos/mirrors.centos.91.com/g" /etc/yum.repos.d/CentOS-Base.repo
sed -i "s/^mirrorlist/#mirrorlist/g" /etc/yum.repos.d/CentOS-Base.repo
sed -i "s/^#baseurl/baseurl/g" /etc/yum.repos.d/CentOS-Base.repo
2、更新
yum clean all
yum -y update
[sepatator]
B、优化
1、增加以下内容到/etc/sysctl.conf末尾
kernel.core_uses_pid = 1
net.ipv4.ip_forward = 1
net.ipv4.conf.lo.arp_ignore = 1
net.ipv4.conf.lo.arp_announce = 2
net.ipv4.conf.all.arp_ignore = 1
net.ipv4.conf.all.arp_announce = 2
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_keepalive_time = 300
net.ipv4.tcp_window_scaling = 0
net.ipv4.tcp_sack = 0
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_syncookies = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.conf.all.log_martians = 1
net.ipv4.tcp_max_syn_backlog = 4096
net.ipv4.tcp_max_tw_buckets = 1440000
net.ipv4.ip_local_port_range = 1024 65536
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.ipv4.tcp_rmem = 4096 87380 16777216
net.ipv4.tcp_wmem = 4096 65536 16777216
net.ipv4.tcp_keepalive_intvl = 15
net.ipv4.tcp_retries2 = 5
fs.file-max = 655360
net.core.somaxconn = 4096
执行:
sysctl -p
使之生效
2、加大可允许打开的文件句柄数
echo "* soft nofile 65536" >>/etc/security/limits.conf
echo "* hard nofile 65536" >>/etc/security/limits.conf
3、时间校对
yum -y install ntp
service ntpd restart
service ntpd stop
echo "#time update" >> /etc/crontab
echo "0 23 * * * root /usr/sbin/ntpdate time.windows.com" >> /etc/crontab
C、硬盘分区挂载
查看硬盘
fdisk -l
根据实际物理机器是否硬raid及硬盘数量做不同的raid及分区情况
因为这里是做cache,不建议使用软raid
二、squid的编译安装配置
1、squid的安装
安装gcc等工具包
yum install gcc gcc+ gcc-c++ gcc-g77 autoconf automake ncurses-devel flex openssl-devel mod_ssl make
cd /home/soft
tar zxvf squid-3.1.16.tar.gz
cd squid-3.1.16
./configure --prefix=/usr/local/squid --enable-gnuregex --enable-dlmalloc --with-pthreads --enable-ssl --enable-stacktrace --enable-removal-policies=heap,lru --enable-delay-pools --enable-kill-parent-hack --enable-snmp --enable-icmp --enable-err-language=simplify_Chinese --enable-default-err-languages=Simplify_Chinese --enable-cahce-digests --disable-ident-lookups --with-filedescriptors=65536 --enable-underscore --enable-large-cache-files --with-large-files --enable-storeio=aufs,diskd,ufs --enable-linux-netfilter --enable-async-io=160 --enable-cachemgr
make
make install
cd /usr/local/squid
2、生成证书并申请新证书
openssl genrsa -des3 -out *.squid.key 1024
openssl req -new -key *.squid.key -out *.squid.csrc
这是需要生成正式证书使用的,如果只是需要未认证的证书,可使用以下命令生成:
openssl req -utf8 -new -key *.squid.key -out *.squid.csr
这里生成的证书不要使用密码,貌似squid不能使用密码,我第一次使用了密码能正常启动,但会提示未认证,让我搞了好久的时间。
3、squid配置
mkdir /data/cache1
mkdir /data/cache2
mkdir /data/cachelog
chown squid /data/cache*
把服务商提供的证书放到/data/key/目录下,包括中级根证书,证书,公钥三个文件。
修改squid.conf文件内容:
------------------------------------------------------------------------------
#
# Recommended minimum configuration:
#
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
# acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
# acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.9.0/24 # RFC1918 possible internal network
# acl localnet src fc00::/7 # RFC 4193 local private network range
# acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
#
# Recommended minimum Access Permission configuration:
#
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
# Deny requests to certain unsafe ports
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
# http_access deny to_localhost
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost
# And finally deny all other access to this proxy
http_access deny all
# Squid normally listens to port 3128
# http_port 3128
# Uncomment and adjust the following to add a disk cache directory.
# cache_dir ufs /usr/local/squid/var/cache 100 16 256
# Leave coredumps in the first cache dir
coredump_dir /usr/local/squid/var/cache
# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
##---------------------------------------
# host and cache port setting
##----------------------------------------
# 主机名(3.0加入配置),无此项无法启动
visible_hostname squid
cache_mgr jason.kou@factorybuy.com
# 设置运行squid用户,一般不能以root运行
cache_effective_user squid
cache_effective_group squid
cachemgr_passwd password all
client_persistent_connections off
server_persistent_connections on
half_closed_clients off
# 设定squid为accel加速模式,vhost必须要加.否则将无法将主机头转发至后端服务器,
# 访问时就会出现无法找到主机头的错误
http_port 80 accel vhost vport
# 添加443端口之后可能导致IE浏览器无法正常访问https页面,未测试
http_port 443 accel vhost vport
# https_port 443 cert=/data/squid.csr key=/data/squid.key defaultsite=www.fb.com
# https_port 443 cert=/usr/local/squid/data/cert.pem /usr/local/squid/data/key.pem
##----------------------------------------
# cache directory setting
##----------------------------------------
# 缓存目录8192M,其中一级目录16个,二级256个(每个一级下16个二级)
cache_dir ufs /usr/local/squid/data/cache 8192 16 256
max_open_disk_fds 0
##-----------------------------------------
# cache storage setting
##-----------------------------------------
# 大于此容量的对象将不会被保存在磁盘上,默认大小是4M,如果squid服务器用于缓冲flash等大型文件,
# 建议将此值变大.否则过大的文件在下次重>启后将需要重新获取
maximum_object_size_in_memory 4 MB
minimum_object_size 0 KB
maximum_object_size 4 MB
# 缓存内容大小控制,当cache目录被占用到95%时,内容将被清空20%
cache_swap_high 95
cache_swap_low 80
# 替换机制(lru叫做“最近不常用的单元”unit一般就是常说object, 也就是当cache
# 中的内容比如内存或硬盘达到上限时就需要进行数据的换进和换出工作)
memory_replacement_policy lru
cache_replacement_policy lru
##------------------------------------------
# cache time out setting
##------------------------------------------
forward_timeout 20 seconds
connect_timeout 15 seconds
read_timeout 3 minutes
request_timeout 1 minutes
persistent_request_timeout 15 seconds
client_lifetime 15 minutes
shutdown_lifetime 5 seconds
negative_ttl 10 seconds
##---------------------------------------------
# cache log setting
##---------------------------------------------
emulate_httpd_log on
logformat squid %ts.%tu %tr %>a %Ss/%>Hs %<st %rm %ru %un %Sh/%<A %mt
access_log /usr/local/squid/data/logs/access_log.log common
cache_log /usr/local/squid/data/logs/cache.log
cache_store_log /usr/local/squid/data/logs/store.log
cache_swap_log /usr/local/squid/data/logs/cache_swap.log
mime_table /usr/local/squid/etc/mime.conf
# 错误信息目录
error_directory /usr/local/squid/share/errors/en-us/
pid_filename /usr/local/squid/data/squid.pid
# 不记录store.log
# cache_store_log none
##--------------------------------------------
# vhost setting
##--------------------------------------------
# 定义不同的父节点,将节点设为no-query以及originserver说明这些节点是实际服务器
cache_peer test1.com parent 80 0 no-query no-digest originserver name=test1 round-robin
cache_peer test2.com parent 80 0 no-query no-digest originserver name=test2 round-robin
# 设定不同域名转发到不同的cache_peer上,如果没有这项.不同域名的域名可能被分发到同一台服务器上.
cache_peer_domain test1 www.fb.com
cache_peer_domain test2 www.fb.com
# 允许客户端所有请求(这里可以设置拦截url,格式如下面两行缓存设置)
http_access allow all
# 设置不缓存url类型(空格隔开
acl QUERY urlpath_regex .php .jsp .asp .pl .cgi
cache deny QUERY
---------------------------------------------------------------------
hosts_file /etc/hosts
4、启动
/usr/local/squid/sbin/squid -z 生成缓存目录
/usr/local/squid/sbin/squid -s
netstat -na |grep 443
netstat -na |grep 80
看端口监听是否启动了
如果OK,那么squid配置完毕,这里不做squid配置的一些讲解,因为我本人也不是非常熟悉!
三、双机高可用
一些关于squid调试的命令:
1,初始化你在 squid.conf 里配置的 cache 目录
#squid/sbin/squid -z
如果有错误提示,请检查你的 cache目录的权限。
2,对你的squid.conf 排错,即验证 squid.conf 的 语法和配置。
#squid/sbin/squid -k parse
如果squid.conf 有语法或配置错误,这里会返回提示你,如果没有返回,恭喜,可以尝试启动squid。
3,在前台启动squid,并输出启动过程。
#/usr/local/squid/sbin/squid -N -d1
如果有到 ready to server reques,恭喜,启动成功。
然后 ctrl + c,停止squid,并以后台运行的方式启动它。
4,启动squid在后台运行。
#squid/sbin/squid -s
这时候可以 ps -A 来查看系统进程,可以看到俩个 squid 进程。
5,停止 squid
#squid/sbin/squid -k shutdown
这个不用解释吧。
6,重引导修改过的 squid.conf
#squid/sbin/squid -k reconfigure
当你发现你的配置有不尽你意的时候,可以随时修改squid.conf,然后别忘记对你的 squid.conf排错,
然后再执行此指令,即可让squid重新按照你的 squid.conf 来运行。
7,把squid添加到系统启动项
编辑 /etc/rc.d/rc.local
添加如下行: /usr/local/squid/sbin/squid -s
再来点其他的。
1,修改cache 缓存目录的权限。
#chown -R squid:squid /home/cache
我的cache缓存目录是 /home/cache,squid执行用户和用户组是 squid,squid。
2,修改squid 日志目录的权限
#chown -R squid:squid /usr/local/squid/data/logs
这一步并不是适合每一个使用squid的用户.意为让squid有权限在该目录进行写操作 。
例如生成 access.log cache.log store.log
3,查看你的日志文档。
#more /usr/local/squid/var/logs/access.log | grep TCP_MEM_HIT
该指令可以看到在squid运行过程中,有那些文件被squid缓存到内存中,并返回给访问用户。
#more /usr/local/squid/var/logs/access.log | grep TCP_HIT
该指令可以看到在squid运行过程中,有那些文件被squid缓存到cache目录中,并返回给访问用户。
#more /usr/local/squid/var/logs/access.log | grep TCP_MISS
该指令可以看到在squid运行过程中,有那些文件没有被squid缓存,而是现重原始服务器获取并返回给访问用户。
关掉不必要的服务
echo 'alias vi="vim" alias grep="grep --color"' >> /etc/profile
echo -e "* soft nofile 65536* hard nofile 65536" > /etc/security/limits.conf
chkconfig --level 0123456 NetworkManager off
chkconfig --level 0123456 NetworkManagerDispatcher off
chkconfig --level 0123456 anacron off
chkconfig --level 0123456 atd off
chkconfig --level 0123456 auditd off
chkconfig --level 0123456 autofs off
chkconfig --level 0123456 avahi-daemon off
chkconfig --level 0123456 avahi-dnsconfd off
chkconfig --level 0123456 bluetooth off
chkconfig --level 0123456 capi off
chkconfig --level 0123456 centcore off
chkconfig --level 0123456 centstorage off
chkconfig --level 0123456 conman off
chkconfig --level 0123456 cups off
chkconfig --level 0123456 dc_client off
chkconfig --level 0123456 dc_server off
chkconfig --level 0123456 dhcdbd off
chkconfig --level 0123456 dovecot off
chkconfig --level 0123456 dund off
chkconfig --level 0123456 firstboot off
chkconfig --level 0123456 gpm off
chkconfig --level 0123456 hidd off
chkconfig --level 0123456 hplip off
chkconfig --level 0123456 httpd off
chkconfig --level 0123456 innd off
chkconfig --level 0123456 ip6tables off
chkconfig --level 0123456 ipmi off
chkconfig --level 0123456 irda off
chkconfig --level 0123456 irqbalance off
chkconfig --level 0123456 isdn off
chkconfig --level 0123456 kdump off
chkconfig --level 0123456 kudzu off
chkconfig --level 0123456 ldap off
chkconfig --level 0123456 lisa off
chkconfig --level 0123456 mdmonitor off
chkconfig --level 0123456 mdmpd off
chkconfig --level 0123456 microcode_ctl off
chkconfig --level 0123456 multipathd off
chkconfig --level 0123456 nagios off
chkconfig --level 0123456 named off
chkconfig --level 0123456 netconsole off
chkconfig --level 0123456 netfs off
chkconfig --level 0123456 netplugd off
chkconfig --level 0123456 nfs off
chkconfig --level 0123456 nfslock off
chkconfig --level 0123456 nscd off
chkconfig --level 0123456 ntpd off
chkconfig --level 0123456 oddjobd off
chkconfig --level 0123456 pand off
chkconfig --level 0123456 pcscd off
chkconfig --level 0123456 portmap off
chkconfig --level 0123456 postgresql off
chkconfig --level 0123456 psacct off
chkconfig --level 0123456 rdisc off
chkconfig --level 0123456 readahead_later off
chkconfig --level 0123456 restorecond off
chkconfig --level 0123456 rpcgssd off
chkconfig --level 0123456 rpcidmapd off
chkconfig --level 0123456 rpcsvcgssd off
chkconfig --level 0123456 rwhod off
chkconfig --level 0123456 saslauthd off
chkconfig --level 0123456 setroubleshoot off
chkconfig --level 0123456 smb off
chkconfig --level 0123456 snmpd off
chkconfig --level 0123456 snmptrapd off
chkconfig --level 0123456 spamassassin off
chkconfig --level 0123456 sysstat off
chkconfig --level 0123456 tux off
chkconfig --level 0123456 vncserver off
chkconfig --level 0123456 vsftpd off
chkconfig --level 0123456 wdaemon off
chkconfig --level 0123456 winbind off
chkconfig --level 0123456 wpa_supplicant off
chkconfig --level 0123456 xfs off
chkconfig --level 0123456 xinetd off
chkconfig --level 0123456 ypbind off
chkconfig --level 0123456 yum-updatesd off
chkconfig --level 0123456 acpid off
chkconfig --level 0123456 iptables off
service NetworkManager stop
service NetworkManagerDispatcher stop
service anacron stop
service atd stop
service auditd stop
service autofs stop
service avahi-daemon stop
service avahi-dnsconfd stop
service bluetooth stop
service capi stop
service centcore stop
service centstorage stop
service conman stop
service cups stop
service dc_client stop
service dc_server stop
service dhcdbd stop
service dovecot stop
service dund stop
service firstboot stop
service gpm stop
service hidd stop
service hplip stop
service httpd stop
service innd stop
service ip6tables stop
service ipmi stop
service irda stop
service irqbalance stop
service isdn stop
service kdump stop
service kudzu stop
service ldap stop
service lisa stop
service mdmonitor stop
service mdmpd stop
service microcode_ctl stop
service multipathd stop
service nagios stop
service named stop
service netconsole stop
service netfs stop
service netplugd stop
service nfs stop
service nfslock stop
service nscd stop
service ntpd stop
service oddjobd stop
service pand stop
service pcscd stop
service portmap stop
service postgresql stop
service psacct stop
service rdisc stop
service readahead_later stop
service restorecond stop
service rpcgssd stop
service rpcidmapd stop
service rpcsvcgssd stop
service rwhod stop
service saslauthd stop
service setroubleshoot stop
service smb stop
service snmpd stop
service snmptrapd stop
service spamassassin stop
service sysstat stop
service tux stop
service vncserver stop
service vsftpd stop
service wdaemon stop
service winbind stop
service wpa_supplicant stop
service xfs stop
service xinetd stop
service ypbind stop
service yum-updatesd stop
service acpid stop
service nfslock stop
chkconfig nfslock off
service portmap stop
chkconfig portmap off
service iptables stop
chkconfig iptables off
service sendmail stop
chkconfig sendmail off
service cups stop
chkconfig cups off
chkconfig --list | grep :on
本文出自 “Centi.Linux” 博客,请务必保留此出处http://centilinux.blog.51cto.com/1454781/777899
内容来自用户分享和网络整理,不保证内容的准确性,如有侵权内容,可联系管理员处理 
相关文章推荐
- Squid反向代理的缓存(加速)服务器配置笔记
- Nginx服务搭建负载均衡,反向代理,缓存加速,访问分布式文件系统高可用
- 基于反向代理的Web缓存加速现代理服务器方案 附squid性能测试
- Squid2.6反向代理实现多个Web缓存加速
- nginx对压缩,负载均衡,反向代理,缓存参数忧化
- Nginx 反向代理、负载均衡、页面缓存、URL重写及读写分离详解
- Nginx 反向代理、负载均衡、页面缓存、URL重写及读写分离详解(二)
- Nginx 反向代理、负载均衡、页面缓存、URL重写及读写分离详解
- squid-2.6之Web反向代理加速实做/防盗链/防盗用/防爬虫
- Nginx 反向代理、负载均衡、页面缓存、URL重写及读写分离详解
- squid 2.6之Web反向代理加速实做/防盗链/防盗用/防爬虫
- Nginx 反向代理、负载均衡、页面缓存、URL重写及读写分离详解
- Nginx 反向代理、负载均衡、页面缓存、URL重写及读写分离详解
- Nginx 反向代理、负载均衡、页面缓存、URL重写及读写分离详解
- 持多核smp squid3.2 缓存反向代理【ok】~
- Squid+MRTG实现完善的缓存代理和http服务加速代理
- Nginx 反向代理、负载均衡、页面缓存、URL重写及读写分离详解
- Nginx 反向代理、负载均衡、页面缓存、URL重写及读写分离详解
- Nginx 反向代理、负载均衡、页面缓存、URL重写及读写分离详解
- Nginx入门级简介,包括安装,基本使用,负载均衡,动静分离,反向代理,缓存应用等功能。