Squid正向代理（编译安装）

tps://www.aliyun.com/product/cas?source=5176.11533457&userCode=kv73ipbs&type=copy

https://www.aliyun.com/product/cas?source=5176.11533457&userCode=kv73ipbs&type=copy

https://www.aliyun.com/product/cas?source=5176.11533457&userCode=kv73ipbs&type=copyhttps://www.aliyun.com/product/cas?source=5176.11533457&userCode=kv73ipbs&type=copy

编译安装

版本为squid-3.5.27

系统为Centos6.5

依赖环境

yum install -y perl gcc*autoconf automake make sudo wget libxml2-devel libcap-devel libtool-ltdl-devel

解压

[root@uu ~]# mkdir /application

[root@uu ~]# cd /application/

[root@uu application]# rz

[root@uu application]# tar zxvf squid-3.5..tar.gz

关于软连接

　　编译软件时指定版本号（/appiication/app1.1.1），访问时希望去掉版本号(/application/app,)，可以设置软链接到编译的路径。 所有程序都访问软链接文件(/application/app,)，当软件升级高版本后，只需删除链接文件重建到高版本路径的软链接接口(/application/app,)。

做软连接

[root@uu application]# ln -s squid-3.5.27 squid

编译

./configure --prefix=/application/squid --disable-loadable-modules --enable-gnuregex --enable-icmp --enable-linux-netfilter --enable-err-language="zh-cn" --enable-default-err-language="zh-cn" --enable-kill-parent-hack --enable-cache-digests --enable-dlmalloc--enable-poll --enable-async-io= --enable-arp-acl--mandir=/usr/share/man/ --with-large-files --with-fd= --with-large-files --enable-arp-acl

注释

--enable-arp-acl

通过IP地址来识别用户很不可靠，比IP地址更好的是网卡的MAC物理地址。要在Squid中使用MAC地址识别，

配置文件中加入：

acl advance arp 00:01:02:1f:2c:3e 00:01:02:3c:1a:8b ...

验证

echo $?

PS

Squid本身会被安装到/application/sbin下
Squid的cache目录默认为/application/squid/cache
Squid的log目录默认为/application/squid/logs
squid的配置文件目录默认为/application/etc/squid

编译安装的注释

l  --enable-async-io=

这个主要是设置async模式来运行squid，我的理解是设置用线程来运行squid，如果服务器配置很不错，有1G以上内存，cpu使用SMP的方式的话可以考虑设成160或者更高。如果服务器比较糟糕就根据实际情况设了。另外此项还另cache文件支持aufs。80这个值是根据160的配置情况自己确定的。

l  --enable-epoll LINUX2.

内核中提高I/O性能的新方法。

l  --enable-poll

应启用Poll()函数而不是select()函数，通常而言poll(轮询)比 select要好，但configure(脚本程序)已知Poll在某些平台下失效, 若你认为你比configure编译配置脚本程序要聪明的话，可以用这个选项启用Poll。总之就是用这个可以提升性能就是啦。没有看得很明白，但是我自己感觉是不是epoll更先进一点。反正我用epoll取代了poll。

epoll是Linux内核为处理大批量句柄而作了改进的poll，是Linux下多路复用IO接口select/poll的增强版本，它能显著减少程序在大量并发连接中只有少量活跃的情况下的系统CPU利用率。

l  --disable-internal-dns

Squid代理服务器在程序内部实现DNS解析，不会检查/etc/hosts文件，直接根据/etc/resolv.conf中的DNS服务器。我的实践：、配置参数中dns_children 必须要依赖于disable-internal-dns。、默认是检查/etc/hosts文件的。默认值是hosts_file /etc/hosts。如果要不检查，必须显示指定hosts_file none。

l  --with_filedescriptors=

增加并发是同时打开文件的文件描述符数量，默认是1024，一般不够。会在cache_log中形成WARNING: your cache is running out of the filedescriptors!的警告信息。另外我的实践：必须在配置文件中显示指定max_filedescriptors ，前后两个值并不一定要相等，前面是编译时设定的最大值，后面配置文件中的值不大于该值即可。

l  --enable-kill-parent-hack

关掉suqid的时候，要不要连同父进程一起关掉，这个当然要啦。当然要，就要吧。以前发生过关闭SQUID不正常，无法删除pid文件什么的，可能是和这个选项有关。（.7也支持本选项）

l  --enable-underscore

在3.0里不再需要也不再支持这个安装选项（.7也不支持了）。在配置文件中有allow_underscore

这个选项。默认是允许域名中支持下划线了。

l  --enable-err-language="zh-cn" --enable-default-err-language="zh-cn"

原来是--enable-err-language="Simplify_Chinese" --enable-default-err-language="Simplify_Chinese"

安装

注意

squid 3.1.5以后版本，默认编译时，会出现如下错误，可以禁用eCAP(--disable-loadable-modules)

>     ../libltdl/libltdl/lt_error.h::: error: libltdl/lt_system.h: No such file or directory
>     make[]: *** [LoadableModule.o] Error
>     make[]: Leaving directory `/application/src/squid/squid-3.1./src’
>     make[]: *** [all-recursive] Error
>     make[]: Leaving directory `/application/src/squid/squid-3.1./src’
>     make[]: *** [all] Error
>     make[]: Leaving directory `/application/src/squid/squid-3.1./src’
>     make: *** [all-recursive] Error 

或者：

In file included from LoadableModule.cc::

../libltdl/ltdl.h:: 错误：‘LT_DLSYM_CONST’没有命名一个类型

LoadableModule.cc: In constructor ‘LoadableModule::LoadableModule(const String&)’:

LoadableModule.cc:: 错误：‘lt__PROGRAM__LTX_preloaded_symbols’在此作用域中尚未声明

make[]: *** [LoadableModule.o] 错误 

make[]: Leaving directory `/application/squid-3.5./src'

make[]: *** [all-recursive] 错误 

make[]: Leaving directory `/application/squid-3.5./src'

make[]: *** [all] 错误 

make[]: Leaving directory `/application/squid-3.5./src'

make: *** [all-recursive] 错误 

如果你用的是centos系统的最小化安装，可能没有安装c语言编译器，需要手动安装，如安装过程中出现以下错误：

-bash: make: command not found

这是因为没有安装编译器，用以下命令安装：yum install gcc* gcc-*。安装后，再次make就可以了

make

[root@uu squid-3.5.]##make

sed " s%@DEFAULT_ERROR_DIR@%%g; s%@DEFAULT_MIME_TABLE@%%g; s%@""PACKAGE_STRING""@%Squid Web Proxy 3.5.27%g; s%@SYSCONFDIR@%/application/squid/etc%g; " < ./cachemgr.cgi..in > cachemgr.cgi.

make[]: Leaving directory `/application/squid-3.5./tools'

make[]: Leaving directory `/application/squid-3.5./tools'

Making all in test-suite

make[]: Entering directory `/application/squid-3.5./test-suite'

make[]: Nothing to be done for `all'.

make[]: Leaving directory `/application/squid-3.5./test-suite'

make[]: Entering directory `/application/squid-3.5.'

make[]: Nothing to be done for `all-am'.

make[]: Leaving directory `/application/squid-3.5.'

[root@uu squid-3.5.]# echo $?

make install

[root@uu squid-3.5.]# make install

make[]: Leaving directory `/application/squid-3.5./tools'

make[]: Leaving directory `/application/squid-3.5./tools'

make[]: Leaving directory `/application/squid-3.5./tools'

Making install in test-suite

make[]: Entering directory `/application/squid-3.5./test-suite'

make[]: Entering directory `/application/squid-3.5./test-suite'

make[]: Nothing to be done for `install-exec-am'.

make[]: Nothing to be done for `install-data-am'.

make[]: Leaving directory `/application/squid-3.5./test-suite'

make[]: Leaving directory `/application/squid-3.5./test-suite'

make[]: Entering directory `/application/squid-3.5.'

make[]: Entering directory `/application/squid-3.5.'

make[]: Nothing to be done for `install-exec-am'.

make[]: Nothing to be done for `install-data-am'.

make[]: Leaving directory `/application/squid-3.5.'

make[]: Leaving directory `/application/squid-3.5.'

[root@uu squid-3.5.]# echo $?    

到此为止，squid3.5.5已经安装到/application/squid目录下了，运行

配置文件

>/application/squid/etc/squid.conf

vim /application/squid/etc/squid.conf

[root@uu etc]# cat squid.conf

http_port 

cache_mem  MB　

maximum_object_size  MB 　　

minimum_object_size  KB 　　

maximum_object_size_in_memory  KB

cache_dir aufs /application/squid/var/cache/squid      

cache_mem  MB 　

cache_log /application/squid/var/logs/cache.log 　　

#logfile_rotate 　　

#cache_swap_high 　　

#cache_swap_low 　

request_entities off

#ident_timeout  seconds ＃设置squid等待用户认证请求的时间。缺省值为10秒。［–enable-ident-lookups］

cache_effective_user nobody

cache_effective_group nobody

httpd_suppress_version_string on

#acl manager proto cache_object

#acl localhost src 127.0.0.1/ ::

#acl to_localhost dst 127.0.0.0/ 0.0.0.0/ ::

acl localnet src 10.0.0.0/

acl SSL_ports port 

acl Safe_ports port          

acl Safe_ports port         

acl CONNECT method CONNECT

acl http proto HTTP

acl good_domain dstdomain yyt.etcsd.com

http_access allow manager localhost

http_access allow http good_domain

http_access deny http !good_domain

http_access deny !Safe_ports

http_access deny CONNECT !SSL_ports

http_access allow all

coredump_dir /application/squid/var/cache/squid

refresh_pattern ^ftp:               %     

refresh_pattern ^gopher:            %      

refresh_pattern -i (/cgi-bin/|\?)      %      

refresh_pattern .                      %     

visible_hostname pstation

cache_mgr @.com

错误提示

去掉manager和127.0.0.1的行

UPGRADE: ACL 'manager' is now a built-in ACL. Remove it from your config file.

// ::| Processing: acl localhost src 127.0.0.1/ ::

// ::| WARNING: (B) '127.0.0.1' is a subnetwork of (A) '127.0.0.1'

// ::| WARNING: because of this '127.0.0.1' is ignored to keep splay tree searching predictable

// ::| WARNING: You should probably remove '127.0.0.1' from the ACL named 'localhost'

// ::| WARNING: (B) '127.0.0.1' is a subnetwork of (A) '127.0.0.1'

// ::| WARNING: because of this '127.0.0.1' is ignored to keep splay tree searching predictable

// ::| WARNING: You should probably remove '127.0.0.1' from the ACL named 'localhost'

// ::| WARNING: (B) '::1' is a subnetwork of (A) '::1'

// ::| WARNING: because of this '::1' is ignored to keep splay tree searching predictable

// ::| WARNING: You should probably remove '::1' from the ACL named 'localhost'

// ::| WARNING: (B) '::1' is a subnetwork of (A) '::1'

// ::| WARNING: because of this '::1' is ignored to keep splay tree searching predictable

// ::| WARNING: You should probably remove '::1' from the ACL named 'localhost'

// ::| Processing: acl to_localhost dst 127.0.0.0/ 0.0.0.0/ ::

// ::| WARNING: (B) '127.0.0.0/8' is a subnetwork of (A) '127.0.0.0/8'

// ::| WARNING: because of this '127.0.0.0/8' is ignored to keep splay tree searching predictable

// ::| WARNING: You should probably remove '127.0.0.0/8' from the ACL named 'to_localhost'

// ::| WARNING: (B) '0.0.0.0' is a subnetwork of (A) '0.0.0.0'

// ::| WARNING: because of this '0.0.0.0' is ignored to keep splay tree searching predictable

// ::| WARNING: You should probably remove '0.0.0.0' from the ACL named 'to_localhost'

// ::| WARNING: (B) '0.0.0.0' is a subnetwork of (A) '0.0.0.0'

// ::| WARNING: because of this '0.0.0.0' is ignored to keep splay tree searching predictable

// ::| WARNING: You should probably remove '0.0.0.0' from the ACL named 'to_localhost'

// ::| WARNING: (B) '::1' is a subnetwork of (A) '::1'

// ::| WARNING: because of this '::1' is ignored to keep splay tree searching predictable

// ::| WARNING: You should probably remove '::1' from the ACL named 'to_localhost'

// ::| WARNING: (B) '::1' is a subnetwork of (A) '::1'

// ::| WARNING: because of this '::1' is ignored to keep splay tree searching predictable

// ::| WARNING: You should probably remove '::1' from the ACL named 'to_localhost'

启动

/application/squid/sbin/squid -z

/application/squid/sbin/squid -k parse  测试配置文件

/application/squid/sbin/squid -k reconfigure  重新配置文件

/application/squid/sbin/squid -k shutdown  关闭squid

/application/squid/sbin/squid -s 开启squid 后台

/application/squid/sbin/squid -N -d1 前台开启squid

/application/squid/sbin/squid -k interrupt  关闭squid（更高crr优先级，直接关闭squid）

/application/squid/sbin/squid -k kill  关闭squid（最高优先级，直接杀死squid进程）

netstat -ntpl

检测squid端口是否已经启动：
[root@uu ~]# netstat -tunpl | grep :

不重起，只装入新的配置文件：
[root@rh73 ~]# /etc/rc.d/init.d/squid reload

问题处理

安装好了以后，系统中新建了一个用户squid

cat /etc/passwd|grep squid
cat /etc/group|grep 65534

如果没有的话，手动添加

添加用户

[root@uu
application]# useradd squid -s /sbin/nologin -M

问题处理

、root@uu etc]# /application/squid/sbin/squid -k parse

报错的话：

WARNING: Cannot write log file: /application/squid/var/logs/cache.log

/application/squid/var/logs/cache.log: Permission denied

         messages will be sent to 'stderr'

、[root@uu etc]# /application/squid/sbin/squid -z 初始化配置

// :: kid1| Current Directory is /application/squid/etc

// :: kid1| Creating missing swap directories

FATAL: Failed to make swap directory /var/spool/squid: () Permission denied

解决：

chown -R nobody /application/squid/var/cache/
chown -R nobody /application/squid/var/logs/

一般出现的问题是squid对安装缓存的目录权限不够则开启适当的权限即可,

然后查看是否可以启动，最后停留在一行不动 则表示启动成功用Ctrl+c终止 如果显示正常启动的正确信息 则现在可以启动Squid了

###下面这条是目录搞错了，配置文件参数应当是：coredump_dir /application/squid/var/cache/squid

// :: kid1| cannot change current directory to /var/spool/squid: () No such file or directory

优化-----标记符

[root@uu etc]# pwd

/application/squid/etc

加入开机启动

[root@uu etc]# echo "/application/squid/sbin/squid start " >>/etc/rc.local

定期清理swap.state内无效数据

squid -k rotate -f /path/to/squid/conf_file

vi /etc/crontab

     *  *   *       root    squid -k rotate -f /application/squid/etc/squid.conf

当squid应用运行了一段时间之后，cache_dir对应的swap.state文件就会变得越来越大，里面的无效接口数据越来越多，这可能影响squid的响应时间，因此需要使用squid清理swap.state里面的无效数据，减少swap.state的大小。

环境变量

添加PATH环境变量(临时)，可用：

[root@uu]#

export PATH="/application/squid/sbin:$PATH"

export PATH="/application/squid/bin:$PATH"

永久添加环境变量(影响所有用户)

在文档最后，添加（两种方法）

、# vim /etc/profile

export PATH="/application/squid/sbin:$PATH"

保存，退出，

、echo export PATH="/application/squid/sbin:$PATH" >> /etc/profile

echo export PATH="/application/squid/bin:$PATH" >> /etc/profile

然后运行：

#source /etc/profile

不报错则成功。                                                                                        

[root@uu etc]# source /etc/profile

[root@uu etc]# echo $PATH        

/application/squid/sbin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin

试试吧

killall squid

squid -k parse

squid -z

squid start

netstat -tunpl | grep :3128

配置认证

　　默认时，Squid本身不带任何认证程序，但是可以通过外部认证程序来实现用户认证。一般有以下的认证程序：LDAP认证、SMB认证、基于mysql的认证、基于sock5的密码认证和基于Radius的认证。下面介绍常用的ncsa实现的认证，ncsa是Squid源代码包自带的认证程序，但是需要使用到apache的htpasswd来生成密码文件。或者使用 apt-get/yum install http-tools的方式安装此工具

NCSA方式。

加入认证配置

auth_param basic program /application/squid/helpers/basic_auth/NCSA/basic_ncsa_auth /opt/squid/etc/passwd

auth_param basic realm hello

auth_param basic credentialsttl  hours

auth_param basic casesensitive on

auth_param basic children 

acl alloweduser proxy_auth REQUIRE

http_access allow alloweduser              #一定要放在所有http_access前面，否则不生效

完整版配置（注意顺序）

[root@uu etc]# cat squid.conf

http_port 

cache_mem  MB　

maximum_object_size  MB 　　

minimum_object_size  KB 　　

maximum_object_size_in_memory  KB

cache_dir aufs /application/squid/var/cache/squid      

cache_mem  MB 　

cache_log /application/squid/var/logs/cache.log 　　

#logfile_rotate 　　

#cache_swap_high 　　

#cache_swap_low 　

vary_ignore_expire on

collapsed_forwarding on

request_entities off

ident_timeout  seconds ＃设置squid等待用户认证请求的时间。缺省值为10秒。［–enable-ident-lookups］

cache_effective_user nobody

cache_effective_group nobody

httpd_suppress_version_string on

#acl manager proto cache_object

#acl localhost src 127.0.0.1/ ::

#acl to_localhost dst 127.0.0.0/ 0.0.0.0/ ::

#acl localnet src 10.0.0.0/

acl SSL_ports port 

acl Safe_ports port          

acl Safe_ports port         

acl CONNECT method CONNECT

acl http proto HTTP

acl good_domain dstdomain yyt.etcsd.com

auth_param basic program /application/squid/helpers/basic_auth/NCSA/basic_ncsa_auth /opt/squid/etc/passwd

auth_param basic realm hello

auth_param basic credentialsttl  hours

auth_param basic casesensitive on

auth_param basic children 

acl alloweduser proxy_auth REQUIRE

acl authorizedip src "/application/squid/authorizedip.txt"

#http_access allow manager localhost

http_access allow http good_domain

http_access deny http !good_domain

http_access allow alloweduser

http_access allow authorizedip

http_access deny !Safe_ports

http_access deny CONNECT !SSL_ports

#http_access allow all

http_access deny all

coredump_dir /application/squid/var/cache/squid

refresh_pattern ^ftp:               %     

refresh_pattern ^gopher:            %      

refresh_pattern -i (/cgi-bin/|\?)      %      

refresh_pattern .                      %     

visible_hostname pstation

cache_mgr @.com

########################################################

注释

auth_param basic program /usr/lib/squid/ncsa_auth /opt/squid/etc/passwd

#定义了认证方式为basic，认证程序的路径和认证程度需要读取的帐户文件

auth_param basic children 

#此选项定义了认证程序的进程为5个

auth_param basic credentialsttl  hours

#定义了认证程序的时间为2小时，如果2小时过后用户还需要使用squid,则必须重新输入帐户和密码

auth_param basic realm Please input account

#定义了用户的登录时显示的领域内容，类似于Apache的用户认证

auth_param basic casesensitive off

#指定是否区分用户名大小写，on为区分，off为不区分。

acl auth_user proxy_auth REQUIRED

# 强制要求用户验证

http_access allow auth_user

#普通用户需要认证才能访问internet，允许经过认证的用户访问。

#名称和相对位置不对会报错

#// ::| /application/squid/etc/squid.conf: unrecognized: 'authenticate_program'

#// ::| Processing: authenticate_program realm hello

#// ::| /application/squid/etc/squid.conf: unrecognized: 'authenticate_program'

#// ::| Processing: acl alloweduser proxy_auth REQUIRED

#// ::| Can't use proxy auth because no authentication schemes are fully configured.

#FATAL: ERROR: Invalid ACL: acl alloweduser proxy_auth REQUIRED

创建密码文件

htpasswd是Apache的密码生成器，没有 Apache的话需要先安装，yum install httpd -y即可。

[root@uu opt]# mkdir /opt/squid/etc -p

[root@uu opt]# cd /opt/squid/etc

[root@uu etc]# touch passwd

[root@uu etc]# htpasswd -bc /opt/squid/etc/passwd test test

Adding password for user test