Posts Tagged ‘squid’
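Configuring HTTPS (SSL) Service in Squid
I have a few idle SSL certificates on hand and decided to put them to use.
However, my front-end servers are based on Squid, so this involves configuring Squid with SSL.
Step 1: Generate the SSL certificate request: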
openssl req -nodes -newkey rsa:2048 -keyout myserver.key -out myserver.csr
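Run the command above, then enter the requested information at the prompts.
For the detailed steps, see: http://yangbo.name/archives/882.html
myserver.key is the generated private key. Keep this one yourself, because it has to be configured on Squid.
myserver.csr is the generated certificate request file; use this file to apply for the certificate.
Step 2: Configure the SSL settings in Squid.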
squid FATAL: Received Segment Violation…dying.
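Last night, while upgrading three Squid servers, I took a shortcut.
I packed up the Squid 3.1.5 installation files from Server1 and synced them to the other Squid servers, intending to compile and install from that source tree.
After the installation finished on the other Squid servers, none of them would run properly.
So I looked at cache.log in the logs directory
and found that Squid reported the following error during startup: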
squid FATAL: Received Segment Violation...dying.
unrecognized: ‘https_port’
While configuring OpenSSL + Squid, Squid reported the following error.
cache_cf.cc(381) parseOneConfigFile: squid.conf:102 unrecognized: 'https_port'
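However, the same configuration works fine on squid/2.6.STABLE21, while 3.1 reports the error above. So I got around the firewall and started Googling.
It turned out the problem was caused by my not adding --enable-ssl when compiling 3.1.
After recompiling, the problem was solved.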
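A preflight check for the failure described above, as an added example that is not part of the original post: it compares the directives used in squid.conf with the configure options printed by `squid -v`. The function names, the sample inputs and the pairing of transparent/intercept with --enable-linux-netfilter are assumptions of this example.

```shell
#!/bin/sh
# Added example: compare directives used in squid.conf with the configure
# options reported by `squid -v`, before restarting the proxy.

# required_flags CONF_TEXT: print the build flags the config depends on.
# Assumption: https_port needs --enable-ssl (as on this page) and a
# transparent/intercept http_port needs --enable-linux-netfilter on Linux.
required_flags() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*#/ { next }                      # ignore comment lines
        $1 == "https_port" { need["--enable-ssl"] = 1 }
        $1 == "http_port" {
            for (i = 2; i <= NF; i++)            # 3.1 spells it "intercept"
                if ($i == "transparent" || $i == "intercept")
                    need["--enable-linux-netfilter"] = 1
        }
        END { for (f in need) print f }' | sort
}

# missing_flags CONF_TEXT VERSION_TEXT: print needed flags the build lacks.
missing_flags() {
    for flag in $(required_flags "$1"); do
        case "$2" in
            *"'$flag'"*) ;;                      # squid -v quotes each option
            *) printf '%s\n' "$flag" ;;
        esac
    done
}

# Constructed sample inputs (not from the page): a config that uses
# https_port with a build that was compiled without --enable-ssl.
SAMPLE_CONF='# constructed squid.conf fragment
http_port 8080 transparent
https_port 443 cert=/etc/squid/myserver.crt key=/etc/squid/myserver.key'
SAMPLE_BUILD="configure options: '--prefix=/usr' '--enable-linux-netfilter'"

missing_flags "$SAMPLE_CONF" "$SAMPLE_BUILD"
```

On a live host the same check would be `missing_flags "$(cat squid.conf)" "$(squid -v)"`, with the path to squid.conf adjusted to the installation.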
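Squid Hotlink Protection Configuration
This article is reposted from: http://blog.sina.com.cn/s/blog_62d80b5e0100fm06.html (老小's blog)
Nobody who runs a website wants the fruits of their hard work to be casually copied by others. For text, usually all you can do is disable the right mouse button, and there is no other good way (of course, famous people who can readily sue are another matter). But for image, audio, and video files, you can use the header information of the HTTP protocol for control, namely the referer that most web server logs record.
One trial customer asked the CDN side to help with hotlink protection.
The company naturally has a standard for this, and Ctrl+C, Ctrl+V gets it done. But these statements are still worth studying carefully.
The relevant statements are as follows: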
SARG Configuration Documentation
NAME
SYNOPSIS
DESCRIPTION
OPTIONS
FILES
SEE ALSO
AUTHOR
NAME
sarg − Squid Analysis Report Generator
SYNOPSIS
sarg [options] logfile…
DESCRIPTION
sarg is a logfile parser and analyzer for the Squid Web Proxy Cache, which can be found at http://www.squid-cache.org/. This manual page documents briefly the sarg command. More information is available at http://sarg.sourceforge.net/. This manual page was originally written for the Debian distribution because the author didn’t include one in favor of documentation in the GNU Info format; see below.
sarg is a tool that allows you to view "where" your users are going to on the Internet. sarg generates reports in HTML, with fields such as: users, IP Addresses, bytes, sites, and times. These HTML files can appear in your web server’s directory for browsing by users or administrators. You may also have sarg email the reports to the Squid Cache administrator.
sarg can read squid or Microsoft ISA access logs. Optionally, it can complement the reports with the log of a Squid filter/redirector such as squidGuard (http://www.squidguard.org/).
Installation of the sarg log analyzer:
1) Download the package to the "/usr/local/src" directory
cd /usr/local/src
wget -nd http://downloads.sourceforge.net/project/sarg/sarg/sarg-2.2.3.1/sarg-2.2.3.1.tar.gz
2) Untar the package with the following command
tar -xvzf sarg-2.2.3.1.tar.gz
3) Compile the sarg package
cd sarg-2.2.3.1
./configure
make
make install
4) Edit the configuration file as shown below
vi /usr/local/sarg/sarg.conf
# TAG: access_log file
# Where is the access.log file
# sarg -l file
#
access_log /opt/safesquid/safesquid/logs/access/access.log
# TAG: title
# Especify the title for html page.
#
#title "Squid User Access Reports"
title "Safesquid User Access Reports"
# TAG: output_dir
# The reports will be saved in that directory
# sarg -o dir
output_dir /var/www/html/sarg
5) Make output directory for sarg report
mkdir /var/www/html/sarg
All reports are generated in this directory
6) To generate the log report, simply run the command
sarg
7) To generate the log report from a cron job, add an entry to the "/etc/crontab" file
00 23 * * * root /usr/bin/sarg
It will generate the log report every day at 11:00 P.M.
You can also see all command line switches with the following command
sarg -h
9) Example: to generate a report manually
# If you want the log report for the date 10/11/2007, give the command
sarg -d 10/11/2007 (dd/mm/yyyy)
# If you want the log report from 10/11/2007 to 10/12/2007, run this command
sarg -d 10/11/2007-10/12/2007 (dd/mm/yyyy-dd/mm/yyyy)
10) To view the log report generated by sarg, start the httpd service
/etc/init.d/httpd start
And browse the URL "http://ip_of_linux box/sarg", e.g.
http://10.0.0.1/sarg
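Squid Transparent Proxy Optimization
This mainly records the optimization settings used when running Squid as a forward proxy (transparent proxy). Everything is still being tuned, so the optimization methods below are all correct.
Kernel tuning
Add the following to /etc/sysctl.conf: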
net.ipv4.netfilter.ip_conntrack_tcp_timeout_established = 900
net.ipv4.icmp_echo_ignore_all = 0
net.ipv4.conf.all.proxy_arp = 1
net.ipv4.tcp_synack_retries = 3
net.ipv4.ip_conntrack_max = 81920
net.ipv4.tcp_fin_timeout = 5
net.ipv4.tcp_keepalive_time = 1200
net.ipv4.tcp_tw_reuse = 1
# tcp_tw_recycle breaks connections from clients behind NAT and was removed in Linux 4.12
net.ipv4.tcp_tw_recycle = 1
net.ipv4.ip_local_port_range = 1024 65000
net.ipv4.tcp_max_syn_backlog = 8192
net.ipv4.tcp_max_tw_buckets = 5000
Apply the settings
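iptables + Squid: Implementing a Transparent Proxy on Linux
Squid has one most important setting, http_port 8080 transparent. The key to a transparent proxy is transparent!!!
Then open access to port 8080 in iptables, and in the NAT table redirect requests for port 80 to 8080.
Linux: CentOS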
Linux bogon 2.6.18-128.1.14.el5 #1 SMP Wed Jun 17 06:40:54 EDT 2009 i686 i686 i386 GNU/Linux
iptables: iptables v1.3.5
Squid:
Squid Cache: Version 2.6.STABLE21
configure options: '--build=i686-redhat-linux-gnu' '--host=i686-redhat-linux-gnu' '--target=i386-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--includedir=/usr/include' '--libdir=/usr/lib' '--libexecdir=/usr/libexec' '--sharedstatedir=/usr/com' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--exec_prefix=/usr' '--bindir=/usr/sbin' '--libexecdir=/usr/lib/squid' '--localstatedir=/var' '--datadir=/usr/share' '--sysconfdir=/etc/squid' '--enable-epoll' '--enable-snmp' '--enable-removal-policies=heap,lru' '--enable-storeio=aufs,coss,diskd,null,ufs' '--enable-ssl' '--with-openssl=/usr/kerberos' '--enable-delay-pools' '--enable-linux-netfilter' '--with-pthreads' '--enable-ntlm-auth-helpers=SMB,fakeauth' '--enable-external-acl-helpers=ip_user,ldap_group,unix_group,wbinfo_group' '--enable-auth=basic,digest,ntlm' '--enable-digest-auth-helpers=password' '--with-winbind-auth-challenge' '--enable-useragent-log' '--enable-referer-log' '--disable-dependency-tracking' '--enable-cachemgr-hostname=localhost' '--enable-underscores' '--enable-basic-auth-helpers=LDAP,MSNT,NCSA,PAM,SMB,YP,getpwnam,multi-domain-NTLM,SASL' '--enable-cache-digests' '--enable-ident-lookups' '--with-large-files' '--enable-follow-x-forwarded-for' '--enable-wccpv2' '--enable-fd-config' '--with-maxfd=16384' 'build_alias=i686-redhat-linux-gnu' 'host_alias=i686-redhat-linux-gnu' 'target_alias=i386-redhat-linux-gnu' 'CFLAGS=-D_FORTIFY_SOURCE=2 -fPIE -Os -g -pipe -fsigned-char' 'LDFLAGS=-pie'
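The port 80 to 8080 redirect described in this post, as an added example that is not the original author's rule set: the function prints the iptables commands for review instead of applying them. The function name, the eth1 LAN interface and the final DROP rule, which keeps the proxy port closed to anything but the LAN side, are assumptions of this example.

```shell
#!/bin/sh
# Added example: print the netfilter rules for a Squid intercept port so they
# can be reviewed before being applied as root. Running it changes nothing.

# intercept_rules LAN_IF PROXY_PORT
intercept_rules() {
    lan_if=$1
    port=$2
    # Both values end up inside shell commands, so accept only safe characters.
    case "$lan_if" in
        ''|*[!A-Za-z0-9._-]*) echo "bad interface: $lan_if" >&2; return 1 ;;
    esac
    case "$port" in
        ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "port out of range: $port" >&2; return 1
    fi
    # Rule 1 (nat): web traffic arriving on the LAN side is redirected to Squid.
    # Rule 2 (filter): after REDIRECT the packet targets the proxy port, so
    #                  LAN clients must be allowed to reach it.
    # Rule 3 (filter): every other source is refused, so the intercept port
    #                  is not usable as an open proxy from outside.
    cat <<EOF
iptables -t nat -A PREROUTING -i $lan_if -p tcp --dport 80 -j REDIRECT --to-ports $port
iptables -A INPUT -i $lan_if -p tcp --dport $port -j ACCEPT
iptables -A INPUT -p tcp --dport $port -j DROP
EOF
}

# eth1 as the LAN-facing interface is an assumption; 8080 is the page's port.
intercept_rules eth1 8080
```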
DHCP+PPPOE+Squid+SNAT
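Using Dhcpd+NAT+Squid+PPPOE to implement a complete internal network
1. DHCP configuration
2. Squid configuration (http://blog.ghitr.com/index.php/archives/325)
3. NAT configuration (not yet available; to be added tomorrow)
4. PPPOE configuration (not yet available; to be added tomorrow)
This machine has no DHCPD, so it needs to be installed. It can be found at
http://rpmfind.net/linux/rpm2html/search.php?query=dhcpd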