Chinaunix
Title: High-speed transparent proxy
Author: Hobit
Time: 2007-10-11 17:06
Hardware:
845G
Intel Celeron 1.7G
DDR_I 1G
QUANTUM FIREBALL 10G
Network layout:
                 10M China Netcom fibre, 58.253.*.*
                              |
              ------------- fb + pf(nat) -------------
              |                   |                   |
      dmz(10.0.0.0/8)   vlan(192.168.0.0/16)   other(172.16.0.0/16)
Below the firewall there are roughly 1000 hosts in total, with about 300 users online at any one time. On pf, all outbound port 80 traffic is redirected to squid (10.0.0.50) and every other port is simply NATed, which gives a transparent proxy for web browsing.
Preparation: minimal install of fb62 (FreeBSD 6.2), then update the ports tree.
1. Install Squid
Use the squid24 version and install the port with its defaults.
2. Set up a memory file system
If squid's cache lived on the hard disk, my "Fireball" could not keep up: the disk would be read and written constantly. So the cache goes on a memory file system instead.
# mdmfs -M -s 600m -O time -o noatime -p 0700 -v 2 -w squid:squid md0 /usr/local/squid/cache
I have 1G of RAM; 600M of it is given to the cache here. The other parameters match squid's default port install.
To mount it automatically at boot, add the following line to /etc/fstab:
/dev/md0 /usr/local/squid/cache mfs rw,-s600m 2 0
3. Configure squid
# ee /usr/local/etc/squid/squid.conf
==========================================
# store and access logging are switched off to save disk I/O;
# note that this leaves no per-request record on the proxy
cache_store_log none
cache_access_log /dev/null
#cache_log /dev/null
#cache_store_log /usr/local/squid/logs/store.log
#cache_access_log /usr/local/squid/logs/access.log
cache_log /usr/local/squid/logs/cache.log
emulate_httpd_log on
pid_filename /usr/local/squid/logs/squid.pid
cache_effective_user squid
cache_effective_group squid
visible_hostname proxy.XXXXXXXXXXX.com
cache_mgr zy5451@163.com
http_port 3128
udp_incoming_address 10.0.0.50
# 512 = size of the "disk" cache in MB (the memory file system mounted above)
cache_dir ufs /usr/local/squid/cache 512 16 256
# size of the in-memory object cache
cache_mem 64 MB
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
half_closed_clients off
cache_swap_high 90%
cache_swap_low 80%
maximum_object_size 1024 KB
icon_directory /usr/local/etc/squid/icons
error_directory /usr/local/etc/squid/errors/Simplify_Chinese
# refresh_pattern takes a regex, so the dot is escaped to match a literal "."
refresh_pattern -i \.html 1440 90% 129600 reload-into-ims
refresh_pattern -i \.shtml 1440 90% 129600 reload-into-ims
refresh_pattern -i \.hml 1440 90% 129600 reload-into-ims
refresh_pattern -i \.gif 1440 90% 129600 reload-into-ims
refresh_pattern -i \.swf 1440 90% 129600 reload-into-ims
refresh_pattern -i \.jpg 1440 90% 129600 reload-into-ims
refresh_pattern -i \.png 1440 90% 129600 reload-into-ims
refresh_pattern -i \.bmp 1440 90% 129600 reload-into-ims
refresh_pattern -i \.js 1440 90% 129600 reload-into-ims
# users
acl lan src 192.168.2.20-192.168.2.250/32
acl lan src 192.168.3.20-192.168.3.200/32
acl lan src 192.168.4.20-192.168.4.200/32
acl lan src 192.168.5.26-192.168.5.200/32
acl lan src 192.168.6.20-192.168.6.200/32
acl boss src 192.168.5.9/32 192.168.5.10/32
acl boss src 192.168.5.20-192.168.5.25/32
acl boss src 192.168.3.250/32
acl pcroom src 172.16.0.0/16
acl all src 0.0.0.0/0.0.0.0
# websites
acl teach_web dst 10.0.1.10-10.0.1.15/32
acl mail_web dstdomain .163.com
acl lan_web dst 10.0.0.11/32
acl search_web dstdomain .google.com .google.cn .baidu.com
acl ebusiness_web dstdomain .paipai.com .ebay.com .ebay.com.cn .eachnet.com .taobao.com .dangdang.com .alibaba.com .alibaba.com.cn
acl qq_web dstdomain .qq.com .tencent.com
# times
# Monday to Friday; Squid takes one time range per acl line, same-named lines are ORed
acl teach_time time MTWHF 8:30-12:00
acl teach_time time MTWHF 14:40-16:20
# options
acl deniedfile urlpath_regex -i \.swf$ \.swf\? \.swf\?1
acl deniedfile urlpath_regex -i \.rm$ \.rmvb$ \.mpg$ \.mpeg$ \.avi$ \.mov$
acl deniedfile urlpath_regex -i \.mp3$ \.ape$ \.midi$ \.mid$
acl deniedfile urlpath_regex -i \.youku\.com\/player$
# maximum number of concurrent connections from a single IP
acl OverConnLimit maxconn 100
# rule actions
http_access allow boss
http_access deny deniedfile lan
http_reply_access deny deniedfile lan
#http_access deny OverConnLimit lan   # per-IP connection limit left disabled
http_access allow lan
http_access allow teach_time teach_web pcroom
http_access allow teach_time search_web pcroom
http_access allow teach_time mail_web pcroom
http_access allow teach_time ebusiness_web pcroom
http_access allow teach_time lan_web pcroom
http_access deny teach_time pcroom
http_access allow pcroom
http_access deny all
========================================================
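As an added example that is not part of the original post: a small Python model of how Squid evaluates the http_access lines above. All ACLs on one line must match (AND), the lines are tested in order, and the first line whose ACLs all match decides. It covers a subset of the post's ACLs (addresses, domains, times and patterns taken from the squid.conf above); the request dictionary format and the sample requests are constructed for the example. It shows, for instance, that deniedfile only filters lan, not pcroom, and that boss is never subject to any later rule.

```python
import ipaddress, re
from datetime import datetime

# ACL matchers modelled on the Squid ACL types the post's squid.conf uses.
def src(*specs):                  # "lo-hi" address ranges, CIDR blocks or single hosts
    def span(s):
        if "-" in s:
            return tuple(int(ipaddress.ip_address(x)) for x in s.split("-"))
        n = ipaddress.ip_network(s)
        return int(n[0]), int(n[-1])
    spans = [span(s) for s in specs]
    return lambda r: any(lo <= int(ipaddress.ip_address(r["src"])) <= hi for lo, hi in spans)

def dstdomain(*sfx):              # ".163.com" matches 163.com and every subdomain of it
    return lambda r: any(r["host"] == s[1:] or r["host"].endswith(s) for s in sfx)

def urlpath_regex(*pats):         # case-insensitive search over the URL path
    rx = [re.compile(p, re.I) for p in pats]
    return lambda r: any(x.search(r["path"]) for x in rx)

def time_acl(days, *ranges):      # Squid day letters S M T W H F A = Sunday..Saturday
    def m(r):
        t, day = r["when"], "SMTWHFA"[(r["when"].weekday() + 1) % 7]
        return day in days and any(a <= t.hour * 60 + t.minute <= b for a, b in ranges)
    return m

# Subset of the post's ACLs (squid.conf writes the range form with a trailing /32).
ACL = {
    "lan": src("192.168.2.20-192.168.2.250", "192.168.3.20-192.168.3.200"),
    "boss": src("192.168.5.9/32", "192.168.5.10/32", "192.168.5.20-192.168.5.25"),
    "pcroom": src("172.16.0.0/16"),
    "all": src("0.0.0.0/0"),
    "search_web": dstdomain(".google.com", ".google.cn", ".baidu.com"),
    "deniedfile": urlpath_regex(r"\.swf$", r"\.mp3$", r"\.avi$"),
    "teach_time": time_acl("MTWHF", (8 * 60 + 30, 12 * 60), (14 * 60 + 40, 16 * 60 + 20)),
}

# http_access lines from the post, in order. All ACLs on a line must match (AND);
# the first line whose ACLs all match decides, so "allow boss" shadows everything below it.
HTTP_ACCESS = [
    ("allow", ["boss"]), ("deny", ["deniedfile", "lan"]), ("allow", ["lan"]),
    ("allow", ["teach_time", "search_web", "pcroom"]),
    ("deny", ["teach_time", "pcroom"]), ("allow", ["pcroom"]), ("deny", ["all"]),
]

def req(src_ip, host, path, when):    # constructed request; when = "YYYY-MM-DD HH:MM"
    return {"src": src_ip, "host": host, "path": path, "when": datetime.strptime(when, "%Y-%m-%d %H:%M")}

def http_access(r):
    for action, names in HTTP_ACCESS:
        if all(ACL[n](r) for n in names):
            return action
    return "deny"   # not reached here, because the post's rules end with "deny all"
```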
4. Finishing up
Start squid automatically:
add squid_enable="YES" to /etc/rc.conf.
Before squid starts for the first time it has to create the subdirectory tree of the disk cache. In this setup the disk cache lives in memory, so this has to be done automatically at every boot: create /etc/rc.local (the file does not exist by default) and add one line:
/usr/local/sbin/squid -z
This command creates the disk cache's subdirectory tree.
Heh, all done; reboot.
This article is from the ChinaUnix blog; the original is at:
http://blog.chinaunix.net/u/9803/showart_398777.html