CentOS 6.7 下 Squid 代理服务器 的 安装与配置

GFW 封锁了 HTTP/Socks5 代理，HTTP 代理是关键词过滤，Socks5 代理则是封锁协议。不过某些特殊的低端口并没有这么处理，已知的有 21，25。

20端口已经被封杀，21端口目前会被限速400Kbps，换算后约合50KB/S，建议使用25端口，不限速。

一、系统环境

操作系统：CentOS release 6.7 (Final)

Squid版本：squid-3.1.10-20.el6_5.3.x86_64

SELINUX=disabled

HTTP Service: stoped

二、安装Squid服务

2.1 检查squid软件是否安装

# rpm -qa|grep squid

2.2 如果未安装，则使用yum 方式安装

# yum -y install squid

2.3 设置开机自启动

# chkconfig squid on  //自动运行squid服务
# squid -z //建立缓存目录

2.4 配置squid，修改或增加红色部分

#
# Recommended minimum configuration:
#
acl manager proto cache_object
acl localhost src 127.0.0.1/ ::
acl to_localhost dst 127.0.0.0/ 0.0.0.0/ ::

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/    # RFC1918 possible internal network
acl localnet src 172.16.0.0/    # RFC1918 possible internal network
acl localnet src 192.168.0.0/    # RFC1918 possible internal network
acl localnet src fc00::/       # RFC  local private network range
acl localnet src fe80::/      # RFC  link-local (directly plugged) machines

acl SSL_ports port
acl Safe_ports port         # http
acl Safe_ports port         # ftp
acl Safe_ports port         # https
acl Safe_ports port         # gopher
acl Safe_ports port         # wais
acl Safe_ports port -    # unregistered ports
acl Safe_ports port         # http-mgmt
acl Safe_ports port         # gss-http
acl Safe_ports port         # filemaker
acl Safe_ports port         # multiling http
acl CONNECT method CONNECT

#
# Recommended minimum Access Permission configuration:
#
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager

# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost

# And finally deny all other access to this proxy
#http_access deny all
http_access allow all

# Squid normally listens to port
http_port 191.101.9.188:25 transparent

# Uncomment and adjust the following to add a disk cache directory.
cache_dir ufs /var/spool/squid 5000 16 256

# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid

# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp:            %
refresh_pattern ^gopher:        %
refresh_pattern -i (/cgi-bin/|\?)     %
refresh_pattern .            %    

strip_query_terms off
visible_hostname 191.101.9.188
cache_mgr xxxxx@qq.com
cache_store_log none
cache_access_log none
cache_mem 512 MB
cache_swap_low 90
cache_swap_high 95
maximum_object_size 128 MB
maximum_object_size_in_memory 128 MB
dns_nameservers 8.8.8.8 8.8.4.4
client_lifetime 1 minutes
half_closed_clients off
fqdncache_size 65535
ipcache_size 65535
ipcache_low 90
ipcache_high 95

三、配置防火墙

开放25端口

# iptables -I INPUT -p tcp --dport  -j ACCEPT

# service iptables save

或编辑 vi /etc/sysconfig/iptables

# Completed on Thu May  ::
# Generated by iptables-save v1.4.7 on Thu May  ::
*filter
:INPUT ACCEPT [:]
:FORWARD ACCEPT [:]
:OUTPUT ACCEPT [:]
-A INPUT -p tcp -m state --state NEW -m tcp --dport  -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
COMMIT
# Completed on Thu May  :: 

重启 service iptables restart

ps：

http://bbs.itzmx.com/thread-8815-1-1.html

http://www.cnblogs.com/mchina/p/3812190.html

http://blog.163.com/na_llong/blog/static/1135416092013714104354316/