cryboy2001 发表于 2014-09-12 09:21

centos 7 下的squid与openstack下的cdn实例

本帖最后由 cryboy2001 于 2014-09-29 16:33 编辑

CentOS 7 下最新 squid 设定

常用代理
透明代理
用户认证
强大的 acl 功能
Cdn介绍
Squid在cdn中的使用---反向代理
openstack下的cdn实例
bind实现view功能

环境
最小化安装 CentOS 7,关掉 selinux,打开转发,防火墙不关,透明代理时要用到
两块网卡:内网 ens6 192.168.0.207 与外网 eth0 2.2.2.2
# SELINUX=disabled is the setting for /etc/selinux/config; it only takes
# effect after a reboot.
SELINUX=disabled
# Turns on IPv4 forwarding for the running kernel only. It is not persistent,
# so a sysctl configuration entry is needed if the box is rebooted.
echo "1" > /proc/sys/net/ipv4/ip_forward
加装编译环境
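# Toolchain needed by configure/make. The original listed "ccgcc+", which is
# not a package name; gcc and gcc-c++ are the real ones.
yum -y install make gcc gcc-c++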
下载最新版squid
# Fetch the squid 3.4.7 source. This is a plain http download: compare the
# archive against the signature/checksum published on squid-cache.org before
# unpacking it.
wget http://www.squid-cache.org/Versions/v3/3.4/squid-3.4.7.tar.gz

# Unpack, configure with /usr/local/squid as the install prefix, build and
# install. Every later path in this thread (etc/, bin/, var/) is under that prefix.
tar -zxvf squid-3.4.7.tar.gz
cd squid-3.4.7/
./configure --prefix=/usr/local/squid
make all
make install
ls /usr/local/squid/   # check what was installed
加用户与权限
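# Unprivileged account squid drops to (cache_effective_user/group in
# squid.conf): no home directory, no login shell.
adduser squid -d /dev/null -s /sbin/nologin
# The original "chown -R squid.squid squid" used a relative path that does not
# point into the install tree. What the squid user actually writes to is the
# cache_dir and the logs, both under /usr/local/squid/var, so that is what it
# needs to own.
chown -R squid:squid /usr/local/squid/var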
编辑配置文件
# Edit the main configuration; the directives listed next go into this file.
vi /usr/local/squid/etc/squid.conf

# Basic forward-proxy configuration (/usr/local/squid/etc/squid.conf).
visible_hostname squid.test.com      # hostname squid presents in error pages etc.
pid_filename /var/run/squid.pid
cache_effective_user squid                # user and group squid drops to after start
cache_effective_group squid
# ACL definitions followed by the http_access rules that apply them. A rule
# list is evaluated top to bottom; the first matching line decides.
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
# Narrowed from the stock 192.168.0.0/16 to this LAN's /24.
acl localnet src 192.168.0.0/24 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
# Refuse requests to ports outside Safe_ports, and CONNECT tunnels to anything
# but 443, before any allow rule is reached.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
# The cache manager interface is reachable from the box itself only.
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost
http_access deny all                  # final rule: refuse everything not allowed above
# Listen port. With no address given squid binds every interface, including
# eth0 (2.2.2.2); writing 192.168.0.207:3128 keeps the port off the external side.
http_port 3128                           # port
cache_dir ufs /usr/local/squid/var/cache/squid 100 16 256            # on-disk cache: 100 MB, 16 x 256 subdirectories
coredump_dir /usr/local/squid/var/cache/squid
# refresh_pattern <regex> <min minutes> <percent> <max minutes>
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
检查一下配置文件对不对
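# Run from /usr/local/squid/sbin. Syntax-check squid.conf first...
./squid -k parse
# ...then create the cache_dir directory tree. The original "./squid-z" was a
# typo: -z is a separate argument.
./squid -z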
运行
# Start squid (it daemonises into the background by default).
./squid



修改了配置后再运行
# Re-read squid.conf on a running instance without restarting it.
./squid -k reconfigure
加防火墙与以前的iptables不一样的
# firewalld replaces the old iptables service on CentOS 7. This is a runtime
# change only (repeat with --permanent to keep it), and it opens 3128 in the
# default zone, i.e. on every interface not assigned to another zone.
firewall-cmd --add-port=3128/tcp
客户端设置



成功的样子



access.log




透明代理

上面的代理要实现,要在客户端设置,为了方便不用在客户端设置,可以用透明代理
透明代理设置很简单,只在
把原来的
# The plain proxy port used so far.
http_port 3128
改成下面这样(192.168.0.207 是这台电脑的 ip)
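# Intercept port bound to the internal address only. Address and port are
# joined with a colon and the mode flag is a separate word; "intercept" is the
# current name for what older configs spelled "transparent".
http_port 192.168.0.207:3128 intercept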

关键是要改防火墙
# Put the external NIC in firewalld's "external" zone and the LAN NIC in
# "internal" (the two-NIC layout from the start of the post).
firewall-cmd --zone=external --change-interface=eth0
firewall-cmd --zone=internal --change-interface=ens6
# Redirect port-80 TCP arriving from the internal zone to squid's intercept
# port. Only plain HTTP is intercepted; 443 passes through untouched. Runtime
# rule: add --permanent (then --reload) to keep it.
firewall-cmd --zone=internal --add-forward-port=port=80:proto=tcp:toaddr=192.168.0.207:toport=3128   # verify with --list-all below
firewall-cmd --zone=internal --list-all



客户端设置
不用设ie代理,只要把路由指向这台squid电脑就可以了,这可以通过dhcp设置。




# Access log, path relative to /usr/local/squid.
cat var/logs/access.log




待续

cryboy2001 发表于 2014-09-12 15:54


用户认证

因为在上面没加认证模块所以要重新编译

# Rebuild in the same source tree with the NCSA basic-auth helper enabled (the
# first build left it out). No --prefix is given, but squid's default prefix
# is /usr/local/squid, so it matches the earlier build.
# NOTE(review): squid 3.2+ renamed this option to --enable-auth-basic; confirm
# configure accepts the spelling used here rather than silently ignoring it.
cd squid-3.4.7/
./configure --enable-basic-auth-helpers="NCSA"
make
编译好了之后,不用再安装了,直接把要用的 copy 过去就可以了

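# Copy just the freshly built helper into the install tree instead of a second
# "make install". The original line was missing the space after cp, and its
# chown used a bare relative name.
cp helpers/basic_auth/NCSA/basic_ncsa_auth /usr/local/squid/bin/ncsa_auth
# The helper only has to be executable by the squid user. Keeping root as the
# owner means the unprivileged squid account cannot modify its own
# authenticator.
chown root:root /usr/local/squid/bin/ncsa_auth
chmod 755 /usr/local/squid/bin/ncsa_auth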

修改配置

# Add the authentication directives shown next.
vi /usr/local/squid/etc/squid.conf

# Basic auth via the NCSA helper; credentials are checked against the passwd
# file created with htpasswd further down.
auth_param basic program /usr/local/squid/bin/ncsa_auth /usr/local/squid/etc/passwd
acl authuser proxy_auth REQUIRED
http_access allow authuser
# Add the three lines above, and be sure they sit before
# (Rules match top to bottom: any "http_access allow" placed above them, such
# as "allow localnet", admits those clients without a password.)
http_access deny all
这一句前面

把透明代理的改回来
# Back to a normal proxy port. Intercepted traffic carries no
# Proxy-Authorization header, so proxy authentication cannot be combined with
# the intercept mode used in the transparent section.
#http_port 192.168.0.207 3128transparent
http_port 3128
把前面
#acl localnet src 192.168.0.0/24
注销掉

完成的squid.conf如下

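# Forward proxy with NCSA basic authentication.
visible_hostname squid.test.com
pid_filename /var/run/squid.pid
cache_effective_user squid
cache_effective_group squid
# No address given: squid listens on every interface. 192.168.0.207:3128 would
# keep the port off the external NIC.
http_port 3128
acl localnet src 10.0.0.0/8        # RFC1918 possible internal network
acl localnet src 172.16.0.0/12        # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80       # http
acl Safe_ports port 21       # ftp
acl Safe_ports port 443       # https
acl Safe_ports port 70       # gopher
acl Safe_ports port 210       # wais
acl Safe_ports port 1025-65535        # unregistered ports
acl Safe_ports port 280       # http-mgmt
acl Safe_ports port 488       # gss-http
acl Safe_ports port 591       # filemaker
acl Safe_ports port 777       # multiling http
acl CONNECT method CONNECT
# Authentication helper and the acl that triggers the 407 challenge.
auth_param basic program /usr/local/squid/bin/ncsa_auth /usr/local/squid/etc/passwd
acl authuser proxy_auth REQUIRED
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
# Rules match top to bottom. The original listing had "allow localnet" ahead
# of the authenticated rule, so clients in 10/8 and 172.16/12 were never asked
# for a password (the 192.168.0.0/24 entry had been removed for exactly that
# reason). The authenticated rule now comes first and the localnet shortcut is
# disabled; it can be re-enabled below this line for networks that should
# genuinely bypass authentication.
# The original also read "http_access allowauthuser" (missing space), which
# does not parse.
http_access allow authuser
#http_access allow localnet
http_access allow localhost
http_access deny all
cache_dir ufs /usr/local/squid/var/cache/squid 100 16 256
coredump_dir /usr/local/squid/var/cache/squid
refresh_pattern ^ftp:       1440        20%        10080
refresh_pattern ^gopher:        1440        0%        1440
refresh_pattern -i (/cgi-bin/|\?) 0        0%        0
refresh_pattern .       0        20%        4320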

用htpasswd生成密码文件
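# Create the password file with the first user (-c creates/overwrites the
# file), then add further users without -c.
htpasswd -c /usr/local/squid/etc/passwd test1
htpasswd /usr/local/squid/etc/passwd test2
# The helper runs as the squid user (cache_effective_user), so that user needs
# read access and nobody else does. root stays the owner so the proxy account
# cannot rewrite its own credential store.
chown root:squid /usr/local/squid/etc/passwd
chmod 640 /usr/local/squid/etc/passwd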



重新生效squid配置

# Apply the new squid.conf (run from /usr/local/squid/sbin).
./squid -k reconfigure

直接访问出现



要像开始一样改代理


改好后再访问出现





用户认证就成功了。

cryboy2001 发表于 2014-09-12 16:32


acl功能

在前面的两个应用中已用到了acl功能,acl应用分两步
1、定义acl 组如
# A group matching every IPv4 source; normally used in the final deny line.
# NOTE(review): squid 3.2 and later already define "all" built in, so an
# explicit definition may draw a warning from "squid -k parse" - confirm.
acl all src 0.0.0.0/0.0.0.0    # defines a group matching every IP; usually used in the last rule

以下是定义名为localnet的acl组,对这个组作同样的操作
# Several acl lines with the same name and type accumulate into one group.
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines

下面是定义端口
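# Port that CONNECT tunnels are permitted to reach (used by
# "http_access deny CONNECT !SSL_ports"). The original had the comment glued
# to the value ("443#..."); inline comments need whitespace before "#" so the
# port is not read as "443#...".
acl SSL_ports port 443   # the only port CONNECT may tunnel to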

# Destination ports the proxy will serve at all; anything else is refused by
# "http_access deny !Safe_ports".
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http

2、应用acl组,用deny或者allow来做为动作

# Applying the groups: "deny" or "allow" is the action, evaluated top to
# bottom, first match wins.
http_access deny !Safe_ports    # "!" negates: refuse every port not in Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost

http_access deny all       # refuse every other source

常用的acl
1、不让192.168.0.22通过代理上网
# Block one client address. The deny must come before any allow that would
# otherwise match it (e.g. "allow localnet").
acl test1 src 192.168.0.22
http_access deny test1

2、允许192.168.1.0/24通过
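# Let a whole subnet through. The heading says "allow", but the original rule
# read "deny test2", which did the opposite.
acl test2 src 192.168.1.0/24
http_access allow test2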

3、不允许访问一个服务器

# Block one destination server by address (dst matches the resolved
# destination IP, so a client reaching the same host under another name is
# still blocked; a dstdomain acl would match by name instead).
acl test3 dst 2.2.2.2
http_access deny test3

4、只有上班时间这台电脑才可以上网
acl pc1 src 192.168.0.22
acl worktime time 8:00-17:00   # no day letters, so every day 08:00-17:00

# This only grants access inside the window. Outside it the line simply does
# not match and evaluation continues, so a later "allow localnet" would still
# admit pc1; follow it with "http_access deny pc1" for the restriction to hold.
http_access allow pc1 worktime

5、限制一台电脑上网的连接数
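# Cap one client at 10 concurrent connections. The original rule read
# "denypc1" (missing space), which does not parse.
acl pc1 src 192.168.0.22
acl maxconn maxconn 10
http_access deny pc1 maxconn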

cryboy2001 发表于 2014-09-12 16:37

本帖最后由 cryboy2001 于 2014-09-15 13:58 编辑

cdn架构


一句话:通过智能dns,根据用户来源,就近访问,代理缓存服务器,以达到快速的目的,同时可以增加源站的安全与稳定。
代理缓存服务器就是反向代理源站的内容。

组成部分:源站、缓存服务器、智能dns、用户





cdn的性能指标:并发量、吞吐量、响应时间、丢包率、命中率
前四个指标与其它服务器一样;命中率:客户端访问时,在 cache 中有,不用到源站抓取,这叫命中,否则就是不命中。
命中率高说明cdn系统的缓存策略越好,给源站分担的压力越多。

缓存的对象:静态、动态、流媒体等多种

下面就一般缓存方法:

客户端----------缓存服务器--------------源站

用Squid做为缓存服务器

#cat /usr/local/squid/etc/squid.conf

# Base configuration reused from the forward-proxy section; the three
# accelerator directives are appended after it.
visible_hostname squid.test.com
pid_filename /var/run/squid.pid
cache_effective_user squid
cache_effective_group squid
acl localnet src 10.0.0.0/8        # RFC1918 possible internal network
acl localnet src 172.16.0.0/12        # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80       # http
acl Safe_ports port 21       # ftp
acl Safe_ports port 443       # https
acl Safe_ports port 70       # gopher
acl Safe_ports port 210       # wais
acl Safe_ports port 1025-65535        # unregistered ports
acl Safe_ports port 280       # http-mgmt
acl Safe_ports port 488       # gss-http
acl Safe_ports port 591       # filemaker
acl Safe_ports port 777       # multiling http
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
# Note: in accelerator mode these client-address rules admit any Host header
# from the listed networks; see the note on "allow all" below.
http_access allow localnet
http_access allow localhost
cache_dir ufs /usr/local/squid/var/cache/squid 100 16 256
coredump_dir /usr/local/squid/var/cache/squid
refresh_pattern ^ftp:       1440        20%        10080
refresh_pattern ^gopher:        1440        0%        1440
refresh_pattern -i (/cgi-bin/|\?) 0        0%        0
refresh_pattern .       0        20%        4320

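# The three directives that turn the proxy above into a reverse proxy
# (accelerator).
http_port 80 accel vhost vport                # listen on 80 in accelerator mode (squid otherwise listens on 3128)
# Cache misses are fetched from the origin. The original line read
# "2.2.2.2parent" (missing space), which does not parse.
cache_peer 2.2.2.2 parent 80 0               # misses go to the parent / origin
# "allow all" replaces the earlier "deny all". Together with vhost it accepts a
# request for any Host header and fetches it from the peer or directly, so the
# accelerator can be used as an open proxy. Restrict it to the site(s) actually
# served, e.g.
#   acl our_sites dstdomain <origin-site-domain>     (placeholder: the real name)
#   http_access allow our_sites
#   http_access deny all
#   cache_peer_access 2.2.2.2 allow our_sites
#   cache_peer_access 2.2.2.2 deny all
http_access allow all                              # allow every connection; the earlier "deny all" must be removed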

使配置生效
#squid -k reconfigure   

看看80端口谁在用
#lsof -i :80


是 squid 正在使用 80 端口

在客户端测试看看



查看日志

TCP_MISS 在cache中没找到,要连接到源站



TCP_MEM_HIT 在 cache 中找到了,直接返回



当然以上只是最简单的测试,cdn的核心其实是智能dns,真正使用的cdn还包括各部分的集群,使用的最多的智能dns开源软件是bind view,有空做一个完整的cdn。

yestreenstars 发表于 2014-09-14 18:38

牛,学习了,先顶了再看

cryboy2001 发表于 2014-09-29 16:32

本帖最后由 cryboy2001 于 2014-09-29 16:37 编辑

用 openstack 做 cdn 实验

架构



主机名与ip



一、源主机的安装

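# Install apache on the origin host. The original line carried a second "#"
# after the root prompt, which would have commented the command out.
yum -y install httpd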

产生一个测试页面

# cat /var/www/html/index.html
<html>
<body>
This is a test page!
</body>
</html>
#

打开防火墙

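# "systemctl httpd.service start" had the arguments reversed and fails; this
# is the working form.
systemctl start httpd.service
# The heading says "open the firewall": the origin has to accept port 80 from
# the cache nodes. Same firewalld form as the 3128 rule earlier; add
# --permanent to keep it across reloads.
firewall-cmd --add-port=80/tcp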



二、dns主机安装

安装bind

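# Build dependencies for BIND. The original listed "cc" and "gcc+", which are
# not package names.
yum -y install make gcc gcc-c++ openssl openssl-devel perl
# 9.10.1 is what the post used; the 9.10 branch is end-of-life, so pick a
# currently supported release and check the tarball against ISC's published
# signature before building (this is an unauthenticated ftp download).
wget ftp://ftp.isc.org/isc/bind9/9.10.1/bind-9.10.1.tar.gz
tar zxvf bind-9.10.1.tar.gz
cd bind-9.10.1
./configure --prefix=/usr/local/bind
make && make install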



制作配置文件

# Generate an rndc key and client config. The algorithm that came out is
# hmac-md5 (visible in the named.conf below); where rndc-confgen supports
# -A, hmac-sha256 is the better choice.
#/usr/local/bind/sbin/rndc-confgen >rndc.conf
# This copies the whole rndc.conf (options clause included) into rndc.key
# rather than just the key clause; harmless here because named.conf embeds
# the key directly.
#cat rndc.conf >rndc.key
# rndc-confgen prints, as trailing comments, the key and controls clauses
# named.conf needs; this strips the "# " and writes them to a new named.conf.
# The options, logging and view clauses shown next were appended afterwards.
#tail -n10 rndc.conf |head -n9 |sed -e s/#\ //g >named.conf


# cat etc/named.conf
// Shared key used by rndc to control named.
key "rndc-key" {
// hmac-md5 is what rndc-confgen produced here; hmac-sha256 is preferred.
algorithm hmac-md5;
// This secret has been published with the post: anyone who can reach the
// control port and knows it can drive rndc. Generate a fresh key and keep it
// out of write-ups.
secret "mHcJqq5mIIkvwZMwr5I5hg==";
};

// Control channel on loopback only, key-authenticated - good.
controls {
inet 127.0.0.1 port 953
allow { 127.0.0.1; } keys { "rndc-key"; };
};

// Query logging to query.log (relative to "directory"), 3 rotations of 20 MB.
// The file records client addresses and names looked up; treat it as
// sensitive.
logging {
channel query_log {
file "query.log" versions 3 size 20m;
severity info;
print-time yes;
print-category yes;
};
category queries {
query_log;
};
};

options {
directory "/usr/local/bind/var";
pid-file "named.pid";
// Listens on every address and answers any client. That is what an
// authoritative CDN resolver needs, but combined with "recursion yes" in the
// catch-all view below it also makes this an open recursive resolver.
// NOTE(review): nothing sets allow-transfer; on this release the default
// permits zone transfers to anyone, so add "allow-transfer { none; };" here.
listen-on port 53 {any;};
allow-query {any;};
};

// Views are matched in order; the first match-clients hit wins. Each view
// serves a different test.com zone so that www resolves to the nearest
// squid node.
view "squid1" {
// 10.0.1.0/24 (the dns/origin subnet) is grouped with squid1's clients.
match-clients { 10.0.10.0/24; 10.0.1.0/24; };
recursion yes;

zone "." IN {
type hint;
file "named.ca";
};


zone "localhost" IN {
type master;
file "localhost.zone";
};
zone "0.0.127.in-addr.arpa" IN {
type master;
file "localhost.arpa";
};


zone "test.com" IN {
type master;
file "test1.com.zone";
allow-update {none;};
};

};

view "squid2" {
match-clients { 10.0.20.0/24;};
recursion yes;
zone "." IN {
type hint;
file "named.ca";
};

zone "localhost" IN {
type master;
file "localhost.zone";
};
zone "0.0.127.in-addr.arpa" IN {
type master;
file "localhost.arpa";
};


zone "test.com" IN {
type master;
file "test2.com.zone";
allow-update {none;};
};

};

// Catch-all view for everyone else.
view "other" {
match-clients { 0.0.0.0/0;};
// Recursion for 0.0.0.0/0 means any host on the internet can use this server
// as a recursive resolver (amplification and cache-poisoning exposure). This
// view only needs to be authoritative for test.com: set "recursion no;" here,
// or limit it with allow-recursion to the lab networks.
recursion yes;
zone "." IN {
type hint;
file "named.ca";
};

zone "localhost" IN {
type master;
file "localhost.zone";
};
zone "0.0.127.in-addr.arpa" IN {
type master;
file "localhost.arpa";
};


zone "test.com" IN {
type master;
file "test.com.zone";
allow-update {none;};
};

};





相应目录下的zonefile

# ls var/test*
var/test1.com.zone var/test2.com.zone var/test.com.zone



# cat var/test*
; Three zone files printed back to back by "cat var/test*". Matching the A
; records against the last file's squid1/squid2 entries: the first is the
; squid1 view's zone (www -> squid1), the second the squid2 view's zone
; (www -> squid2), the third the catch-all zone (www -> the origin).
; A one-day TTL means a node change takes up to a day to reach clients; CDN
; steering usually uses a much shorter TTL. Bump the serial on every edit.
$TTL 86400
@ IN SOA dns.test.com. hostmaster.test.com. (
20140930 ; serial
3H ; refresh
15M ; retry
1W ; expiry
1D ) ; minimum



@ IN NS dns.test.com.
dns IN A 10.0.1.18
www IN A 10.0.10.102
; --- second file: www steered to squid2 ---
$TTL 86400
@ IN SOA dns.test.com. hostmaster.test.com. (
20140930 ; serial
3H ; refresh
15M ; retry
1W ; expiry
1D ) ; minimum


@ IN NS dns.test.com.
dns IN A 10.0.1.18
www IN A 10.0.20.101
; --- third file: catch-all view, www points at the origin itself ---
$TTL 86400
@ IN SOA dns.test.com. hostmaster.test.com. (
20140930 ; serial
3H ; refresh
15M ; retry
1W ; expiry
1D ) ; minimum

@ IN NS dns.test.com.
dns IN A 10.0.1.18
www IN A 10.0.1.19
squid1 IN A 10.0.10.102
squid2 IN A 10.0.20.101

设客户端dns

xp1上的dns查询


xp2上的查询



其它电脑上的查询




通过以上的查询,确认dns view已成功配好了。

三、代理缓存安装

看前面的squid设置内容

#cat squid.conf

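# Reverse-proxy (accelerator) configuration for the squid2 cache node; squid1
# is identical apart from visible_hostname.
visible_hostname squid2.test.com
pid_filename /var/run/squid.pid
cache_effective_user squid
cache_effective_group squid
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
# The one site this accelerator fronts: www.test.com resolves to the squid
# nodes through the bind views, and the origin behind them is 10.0.1.19.
acl our_sites dstdomain www.test.com
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
# An accelerator should decide by the requested site, not the client address.
# The original "allow localnet" followed by "allow all" accepted any Host
# header from anyone and forwarded it, which made the node usable as an open
# proxy. Requests are now admitted only for our_sites (clients must use the
# name, not the node's IP) and everything else is refused.
http_access allow our_sites
http_access allow localhost
http_access deny all
cache_dir ufs /usr/local/squid/var/cache/squid 100 16 256
coredump_dir /usr/local/squid/var/cache/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
# Accelerator mode on port 80, reconstructing the URL from the Host header.
http_port 80 accel vhost vport
# Origin server for cache misses; the peer is named so it can be referenced
# below, and it is only consulted for our_sites.
cache_peer 10.0.1.19 parent 80 0 name=origin
cache_peer_access origin allow our_sites
cache_peer_access origin deny all
# Never fetch from arbitrary servers directly; everything goes via the origin.
never_direct allow all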


两台一样,除主机名外其它都是一样的


还有要打开80端口防火墙

四、客户机上试用

在客户机上的动作与日志



找一个不存在的网页



squid上的相关日志非常明显



加一台客户端,访问的是另一台squid



不存在的网页



日志很清楚




cu_shell 发表于 2014-10-02 01:53

高手,,,收藏学习,,版主这个squid配置教程支持 rhel5.x 版本吗?

action08 发表于 2014-10-02 12:37

shell@ubuntu:~$ uname -a
Linux ubuntu 3.2.0-69-generic #103-Ubuntu SMP Tue Sep 2 05:02:14 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
shell@ubuntu:~$


我的应该支持吧

cryboy2001 发表于 2014-10-06 11:10

回复 7# cu_shell

@action08

自己编译的,什么系统都支持,配置都差不多的,只是其它操作稍有不同,比如启动程序,防火墙等
   

reb00t 发表于 2014-10-23 01:38

版主v587,求拜师。