![nixsky[www.nixsky.com]](/templets/images/toplogo.gif)
二级上网代理服务器,用的很少,不过有时你想控制局域网中一小部分的机器的上网,就用的上。前两天架设了一台二级代理,写个笔记。
如下图, 一级和二级代理服务器都使用FreeBSD6.2Release+Squid2.6,一级代理直接和外网线路连接,用户通过设置相应的网段IP和代理服务器(IE上设置)进行上网。一级代理服务器后面的交换上的用户直接设置21段的IP再加上在IE上设置192.168.21.254及端口3128进行上网;二级代理后面的用户就要设置11段的IP加上192.168.11.254及端口3128进行上网。
============================================
一、一级代理服务器的架设
说明:
操作系统:FreeBSD6.2Release
代理软件:Squid2.6STABLE16
外网卡:em0 -> 218.90.159.xxx (默认网关为上一级ISP提供)
内网卡:em1 -> 192.168.21.254
1、FreeBSD的安装及优化
(2)配置rc.conf
hostname="one.www.com"
defaultrouter="218.90.159.xxx"
ifconfig_em0=”inet 218.90.159.xxx netmask 255.255.255.xxx”//外网IP
ifconfig_em1=”inet 192.168.21.254 netmask 255.255.255.0″ //内网IP
sendmail_enable=”NONE”
inetd_enable=”YES”
linux_enable=”YES”
sshd_enable=”YES”
usbd_enable=”YES”
(3)配置内核:
newproxy# cd /usr/src/sys/i386/conf
newproxy# cp GENERIC funpower
newproxy# ee funpower
修改内核配置文件,将不需要的选项(如网卡)之类的前面打#,然后按esc并按a保存退出,再执行:
newproxy# /usr/sbin/config funpower
newproxy# cd ../compile/funpower
newproxy# make cleandepend
newproxy# make depend
newproxy# make
newproxy# make install
2、squid的安装
(1)安装perl
newproxy# cd /usr/ports/lang/perl5
newproxy# make install
(2)下载并安装squid
从http://www.squid-cache.org/Versions/v2/2.6/下载squid-2.6.STABLE16.tar.gz并通过FTP放置服务器目录中/home/funpower,然后开始解压安装:
newproxy# cd /home/funpower
newproxy# tar zxvf squid-2.6.STABLE16.tar.gz
newproxy# cd squid-2.6.STABLE16
newproxy# ./configure –prefix=/usr/local/squid
newproxy# make
newproxy# make install
(3)配置squid.conf
newproxy# cd /usr/local/squid/etc
newproxy# ee squid.conf
内容如下:
acl web src 192.168.21.0/24
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow web
http_access deny all
icp_access allow all
http_port 3128
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
cache_mem 64 MB
cache_dir ufs /usr/local/squid/cache 7000 16 256
access_log /dev/null
cache_log /dev/null
cache_store_log none
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
cache_mgr webmaster@www.com
cache_effective_user squid
cache_effective_group squid
visible_hostname one.www.com
(4)创建用户及缓存等:
newproxy# pw groupadd squid
newproxy# pw adduser squid -g squid -s /nonexistent
newproxy# mkdir /usr/local/squid/cache
newproxy# chown -R squid /usr/local/squid/cache
newproxy# chgrp -R squid /usr/local/squid/cache
newproxy# chown -R squid /usr/local/squid/var/logs
newproxy# chgrp -R squid /usr/local/squid/var/logs
newproxy# /usr/local/squid/sbin/squid -z
newproxy#cd /usr/local/squid/sbin
newproxy# ./squid
newproxy# ee /etc/rc.local
加入如下一行:
/usr/local/squid/sbin/squid
保存退出。
这样一级代理就设置完成,按照下图设置后就能联网络了。
============================================
二、二级代理服务器的架设
下来架设本文的着重点——二级代理,所使用的软件都一样,也是FreeBSD6.2Release+Squid2.6,而且安装FreeBSD的步骤和一级代理的也一样(只有内、外网卡的IP及网关不一样),唯独在配置Squid时配置文件有些不同,具体如下:
说明:
操作系统:FreeBSD6.2Release
代理软件:Squid2.6STABLE16
外网卡:xl0 -> 192.168.21.250 (这里的默认网关就应该是一级代理服务器的内网卡地址,为192.168.21.254)
内网卡:xl1 -> 192.168.11.254
1、安装FreeBSD
安装的具体步骤和上面一级代理的方法一样,只是在配置rc.conf时的IP不一样,如下:
hostname="two.www.com"
defaultrouter=”192.168.21.254″ //一级代理的内网卡地址
ifconfig_xl0=”inet 192.168.21.250 netmask 255.255.255.0″ //外网IP
ifconfig_xl1=”inet 192.168.11.254 netmask 255.255.255.0″//内网IP
sendmail_enable=”NONE”
inetd_enable=”YES”
linux_enable=”YES”
sshd_enable=”YES”
usbd_enable=”YES”
2、安装Squid2.6
同样,安装方法和上面一级代理的一样,只是在配置squid的配置文件squid.conf不一样。增加了两行内容,如下:
acl web src 192.168.11.0/24
cache_peer 192.168.21.254 parent 3128 3130 proxy-only//定义父代理(也就是上一级代理)的IP及上网端口3128
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow web
never_direct allow all//所有请求转发至父代理上
http_access deny all
icp_access allow all
http_port 3128
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
cache_mem 64 MB
cache_dir ufs /usr/local/squid/cache 7000 16 256
access_log /dev/null
cache_log /dev/null
cache_store_log none
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
cache_mgr webmaster@www.com
cache_effective_user squid
cache_effective_group squid
visible_hostname two.jscpu.com
这样二级代理也架设完成,按照如下的设置二级代理服务器后的用户应该就也可以上网了。
总结:架设二级代理时,个人感觉最重要的还是要搞清楚一、二级代理四块网卡的IP,至于架设方法,和一级代理没啥区别,最主要的是squid.conf中增加了二行内容 。
Power by nixsky Copyright 2004-2008