squid代理与缓存(下)
6. squid代理模式案例
6.1 squid传统正向代理生产使用案例
6.1.1 squid传统正向代理两种方案
(1)普通代理服务器
(2)透明代理服务器
透明代理流程说明:
注意:
在实际使用中,通常将SQUID和防火墙放在同一台机器上,为了更清楚的向浏览者描述其工作流程,在以下的流程图中将防火墙和SQUID分开显示
6.1.2 squid透明代理案例说明
案例说明:
6.1.3 squid透明代理物理拓扑说明
6.1.4 squid透明代理实战配置
| 主机名 |外网卡(ens32) | 网卡模式 |内网卡(ens34) |网卡模式 | 网关IP |用途 |
| :--: | :--: | :--: | :--: | :--: | :--: | :--: |
| Squid| 192.168.200.13 |NAT8 |192.168.100.100 |NAT(仅主机) |无网关 | 透明代理,网关 |
| WebServer | 192.168.200.14 | NAT8| ||无网关 |Web服务器 |
| Client || |192.168.100.200| NAT(仅主机) |192.168.100.100| 内网客户端 |
(1) 配置squid透明代理需要加上如下编译参数,否则日志报错
--enable-linux-netfilter #激活透明代理对Linux的支持
--enable-linux-tproxy #激活真实的透明代理对网站的支持
(2) Squid做正向代理如何设置呢,我们以实例给大家解析:
#修改squid.conf,在squid监听端口后加transparent(squid 3.1 及以后版本中 transparent 是 intercept 的旧别名)。注意:拦截端口只应在内网网卡上可达,建议绑定内网地址,例如 http_port 192.168.100.100:3128 intercept,或用防火墙阻止外网直接连接 3128,否则代理端口会同时暴露在外网网卡上
[root@Squid-Server ~]# awk '/http_port/{print NR,$0}' /usr/local/squid/etc/squid.conf
25 http_port 3128
[root@Squid-Server ~]# sed -i '25 s#$# transparent#' /usr/local/squid/etc/squid.conf
[root@Squid-Server ~]# sed -n '25p' /usr/local/squid/etc/squid.conf
http_port 3128 transparent
(3) squid.conf添加如下代码:
[root@Squid-Server ~]# vim /usr/local/squid/etc/squid.conf
[root@Squid-Server ~]# tail -8 /usr/local/squid/etc/squid.conf
cache_mem 128 MB #内存缓存大小
cache_swap_low 90
cache_swap_high 95
maximum_object_size 8192 KB #最大缓存对象大小
minimum_object_size 0 KB #最小缓存对象大小
maximum_object_size_in_memory 4096 KB
memory_replacement_policy lru #缓存算法
emulate_httpd_log on #日志
(4) 重启squid服务
[root@Squid-Server ~]# /usr/local/squid/sbin/squid -k shutdown
2019/08/13 14:01:53| ERROR: Directive 'emulate_httpd_log' is obsolete.
[root@Squid-Server ~]# netstat -antup | grep 3128
[root@Squid-Server ~]# /usr/local/squid/sbin/squid -D
2019/08/13 14:02:29| WARNING: -D command-line option is obsolete.
[root@Squid-Server ~]# netstat -antup | grep 3128
tcp6 0 0 :::3128 :::* LISTEN 9317/(squid-1)
6.1.5 防火墙的设置
#在网关上操作(Squid)。注意:stop firewalld 会清除网关上已有的全部过滤规则,下面只补充了 NAT 规则;生产环境应保留过滤策略(例如只放行内网网卡到 3128 端口的访问),而不是整个关闭防火墙
[root@Squid-Server ~]# systemctl stop firewalld.service
[root@Squid-Server ~]# iptables -t nat -A PREROUTING -i ens34 -p tcp --dport 80 -j REDIRECT --to-ports 3128 #ens34为内网网卡
[root@Squid-Server ~]# iptables -t nat -L -nv
Chain PREROUTING (policy ACCEPT 61 packets, 5124 bytes)
pkts bytes target prot opt in out source destination
0 0 REDIRECT tcp -- ens34 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 redir ports 3128
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 4 packets, 304 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 4 packets, 304 bytes)
pkts bytes target prot opt in out source destination
#做出网转换
[root@Squid-Server ~]# iptables -t nat -A POSTROUTING -o ens32 -s 192.168.100.0/24 -j MASQUERADE
[root@Squid-Server ~]# iptables -t nat -L -nv
Chain PREROUTING (policy ACCEPT 2 packets, 168 bytes)
pkts bytes target prot opt in out source destination
0 0 REDIRECT tcp -- ens34 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 redir ports 3128
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE all -- * ens32 192.168.100.0/24 0.0.0.0/0
#开启网关的转发功能
[root@Squid-Server ~]# vim /etc/sysctl.conf
[root@Squid-Server ~]# sed -n '11,21p' /etc/sysctl.conf
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
kernel.sysrq = 0
kernel.core_uses_pid = 1
net.ipv4.tcp_syncookies = 1
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 68719476736
kernel.shmall = 4294967296
net.ipv4.ip_local_port_range = 4000 65000
[root@Squid-Server ~]# sysctl -p
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
kernel.sysrq = 0
kernel.core_uses_pid = 1
net.ipv4.tcp_syncookies = 1
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 68719476736
kernel.shmall = 4294967296
net.ipv4.ip_local_port_range = 4000 65000
6.1.6 测试透明代理
(1)路由检查
#内网客户端(192.168.100.100为网关内网卡ens34)
[root@Client ~]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.100.100 0.0.0.0 UG 0 0 0 ens32
169.254.0.0 0.0.0.0 255.255.0.0 U 1002 0 0 ens32
192.168.100.0 0.0.0.0 255.255.255.0 U 0 0 0 ens32
#网关squid服务器(ens32网段192.168.200.0/24,ens34网段192.168.100.0/24,网关服务器无需设置网关)
[root@Squid-Server ~]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.200.254 0.0.0.0 UG 0 0 0 ens32
169.254.0.0 0.0.0.0 255.255.0.0 U 1002 0 0 ens32
169.254.0.0 0.0.0.0 255.255.0.0 U 1003 0 0 ens34
192.168.100.0 0.0.0.0 255.255.255.0 U 0 0 0 ens34
192.168.200.0 0.0.0.0 255.255.255.0 U 0 0 0 ens32
#WebServer(无需设置任何网关,模拟公网)
[root@WebServer ~]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.200.254 0.0.0.0 UG 0 0 0 ens32
169.254.0.0 0.0.0.0 255.255.0.0 U 1002 0 0 ens32
192.168.200.0 0.0.0.0 255.255.255.0 U 0 0 0 ens32
(2)代理测试
#在内网客户端上测试
[root@Client ~]# echo "192.168.200.14 www.yunwei.com bbs.yunwei.com" >> /etc/hosts
[root@Client ~]# tail -1 /etc/hosts
192.168.200.14 www.yunwei.com yunwei.yangwenbo.com
[root@Client ~]# curl www.yunwei.com
192.168.200.14 www.yunwei.com
[root@Client ~]# curl www.yunwei.com
192.168.200.14 www.yunwei.com
[root@Client ~]# curl bbs.yunwei.com
192.168.200.14 bbs.yunwei.com
[root@Client ~]# curl bbs.yunwei.com
192.168.200.14 bbs.yunwei.com
#查看squid服务器代理日志
[root@Squid-Server ~]# cat /usr/local/squid/var/logs/access.log
1565833400.456 0 192.168.100.200 TCP_MISS/200 348 GET http://www.yunwei.com/ - ORIGINAL_DST/192.168.200.14 text/html
1565833401.074 0 192.168.100.200 TCP_MISS/200 348 GET http://www.yunwei.com/ - ORIGINAL_DST/192.168.200.14 text/html
1565833407.499 289 192.168.100.200 TCP_MISS/200 348 GET http://bbs.yunwei.com/ - ORIGINAL_DST/192.168.200.14 text/html
1565833410.983 0 192.168.100.200 TCP_MISS/200 348 GET http://bbs.yunwei.com/ - ORIGINAL_DST/192.168.200.14 text/html
备注:如果访问失败,请先确认 Web 服务器(192.168.200.14)上已经搭建并启动了网站服务,例如 nginx
6.1.7 squid配合iptables实现上网网关及访问控制
(1) 控制上网示例:禁止下载 BT 种子文件和 mp3 文件
#修改squid.conf
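# Deny BitTorrent metadata and mp3 downloads, matched on the URL path.
# Several acl lines with the same name and type are merged, so each pattern
# gets its own line.  The original second line joined the two patterns as
# "\.torrent$\.mp3$", a single regex with two end anchors that can never
# match; the mp3 pattern must be a separate, space- or line-separated value.
acl BT urlpath_regex -i \.torrent$
acl BT urlpath_regex -i \.mp3$
# http_access is first-match: place this deny above any allow rule that
# would otherwise match the same clients.
http_access deny BT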
(2) 控制访问黄色网站(注意:下面的 url_regex 只匹配 URL 中含有 sex 子串的明文 http 请求,会误伤 essex、sussex 之类的域名;HTTPS 流量经 CONNECT 时 URL 只有 host:port,需要另外用 dstdomain 等 ACL 控制)
#修改squid.conf
acl sex url_regex -i ^http://.*sex.*$
http_access deny sex
acl ett url_regex -i http://.*yunwei.*
http_access deny ett
(3) 限制单个IP同时保持的并发连接数最多30个(maxconn 统计的是并发连接数,不是每秒请求数);可以用来防止多线程下载、爬虫等
# Per-client concurrency cap: maxconn counts simultaneous connections from one
# client address, so a client holding more than 30 open connections is denied.
acl OverConnLimit maxconn 30
http_access deny OverConnLimit
# URL paths excluded from the access log (static assets).  Values are
# space-separated regexes; the last one, F5BigIP, has no metacharacters and
# therefore matches that substring anywhere in the path.
acl url_no_log urlpath_regex \.gif \.jpg \.css \.js \.swf \.GIF \.JPG \.SWF F5BigIP
# Methods excluded from the access log.  NOTE(review): PURGE is a
# cache-management operation; dropping it from access.log removes the audit
# trail for cache invalidation — consider keeping it logged.
acl method_no_log method PURGE HEAD
# combined-format log, skipping requests matched by the two acls above.
# NOTE(review): this path differs from /usr/local/squid/var/logs/access.log
# used elsewhere on this page — confirm which one the running instance writes.
access_log /squid/logs/access.log combined !url_no_log !method_no_log #excluded from the log
#检测squid语法
/usr/local/squid/sbin/squid -k parse
#重新加载squid服务
/usr/local/squid/sbin/squid -k reconfigure
# Rule-order demonstration: http_access is evaluated top-down, first match wins.
# NOTE(review): "src all" is meant here as "every source address"; for a src
# acl the value is parsed as an address or hostname, so confirm this parses as
# intended (Squid's built-in "all" acl is the usual way to match everything).
acl MyNetwork src all #define the acl
http_access deny all #rule: deny every source address
http_access allow MyNetwork #rule: allow every source address — never reached, the deny above already matched
6.2 squid反向代理生产使用案例
6.2.1 squid反向代理生产案例介绍
6.2.2 squid反向代理如何获得数据更新
HTTP协议本身设计的优先级顺序如下:
#最上面优先级最高,到下面最小:
Cache-Control:no-store
Cache-Control:no-cache
Cache-Control:must-revalidate
Cache-Control:max-age
Expires:
常用Header简单讲解
1.不缓存控制
2.指定过期时间控制
6.3 squid反向代理实战配置(记得部署防火墙策略)
| 主机名 |外网卡(ens34) | 网卡模式 |内网卡(ens32) |网卡模式 | 网关IP |用途 |
| :--: | :--: | :--: | :--: | :--: | :--: | :--: |
| Squid| 192.168.100.100 |NAT8 | 192.168.200.13|NAT(仅主机) | 无网关 | 反向代理,网关 |
| NginxWeb | | | 192.168.200.14|NAT(仅主机) |192.168.200.13 | 内网Web服务器 |
| InternetClient |192.168.100.200|NAT8 || |无网关| 外网客户端 |
6.3.1 搭建Web服务器并上传3张图片到网页目录下
(1)nginxWeb服务器的配置文件如下:
[root@NginxWeb ~]# cat /usr/local/nginx/conf/nginx.conf
worker_processes 1;
events {
worker_connections 20480;
}
http {
include mime.types;
default_type application/octet-stream;
sendfile on;
keepalive_timeout 65;
server {
listen 80;
server_name www.yangwenbo.com;
location / {
root html/www;
index index.html index.htm;
}
}
server {
listen 80;
server_name bbs.yangwenbo.com;
location / {
root html/bbs;
index index.html index.htm;
}
}
}
(2)上传3张图片到/usr/local/nginx/html/www目录下
[root@NginxWeb ~]# hostname -I
192.168.200.14
[root@NginxWeb ~]# cd /usr/local/nginx/html/www/
[root@NginxWeb www]# ll
总用量 2652
-rw-r--r-- 1 root root 869805 8月 14 14:26 home01.png.jpg
-rw-r--r-- 1 root root 860001 8月 14 14:26 home02.png.jpg
-rw-r--r-- 1 root root 977899 8月 14 14:26 home03.png.jpg
-rw-r--r-- 1 root root 24 8月 15 12:23 index.html
(3)浏览器打开图片进行访问测试
http://192.168.200.14/home01.png.jpg
http://192.168.200.14/home02.png.jpg
http://192.168.200.14/home03.png.jpg
6.3.2 squid反向代理的典型设置
(1)准备squid.conf模板文件
[root@Squid-Server ~]# cd /usr/local/squid/etc/
[root@Squid-Server etc]# cp squid.conf{,.bak} #备份原配置文件
[root@Squid-Server etc]# egrep -v "^$|^#" squid.conf.default > squid.conf #重新生成配置文件的初始模板
(2)将squid.conf配置文件修改为如下内容(注意:下面沿用了 http_port 3128 transparent,反向代理更规范的写法是 http_port 80 accel vhost,并用 acl dstdomain + cache_peer_access 只把本站域名转发给 cache_peer,避免代理被当作开放代理去转发任意站点):
[root@Squid-Server etc]# cat squid.conf | grep yang
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.200.0/24 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost
http_access deny all
http_port 3128 transparent
coredump_dir /usr/local/squid3/var/cache/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
#################新增内容开始start###################################
#refresh_pattern [-i] regexp min percent max [options] #强制缓存内容,违反http协议
refresh_pattern -i \.jpg$ 30 50% 4320 reload-into-ims #强制缓存内容,违反http协议
refresh_pattern -i \.png$ 30 50% 4320 reload-into-ims #强制缓存内容,违反http协议
refresh_pattern -i \.gif$ 30 50% 4320 reload-into-ims #强制缓存内容,违反http协议
######################新增内容结束stop##############################
#icp_port 3130
coredump_dir /usr/local/squid3/var/cache
##################新增内容开始start###################################
cache_mem 99 MB #缓存大小设置
cache_swap_low 90 #缓存从最小占用90时开始逐渐清除旧缓存
cache_swap_high 95 #缓存从最大占用95时,立刻清除旧缓存
maximum_object_size 8192 KB #最大缓存对象大小
minimum_object_size 0 KB #最小缓存对象大小
maximum_object_size_in_memory 4096 KB #缓存对象最大在内存中的大小
memory_replacement_policy lru #缓存算法
#####################################################
cache_mgr [email protected] #管理员邮箱
cache_effective_user squid #程序用户
cache_effective_group squid #程序组
visible_hostname www.yangwenbo.com #squid主机名
######################################################
cache_peer www.yangwenbo.com parent 80 0 no-query no-digest max-conn=32 originserver
#反向代理的Web源站的域名,因为是域名所以squid本地必须做hosts映射
hosts_file /etc/hosts #域名映射文件位置
request_header_max_size 128 KB #请求头部的最大大小
ipcache_size 1024
ipcache_low 90
ipcache_high 95
####################新增内容结束stop##################
(3)测试配置文件语法,并重启Squid服务
[root@Squid-Server ~]# squid -k parse
#以下省略若干。。。
[root@Squid-Server ~]# netstat -antup | grep 3128
tcp6 0 0 :::3128 :::* LISTEN 8742/(squid-1)
[root@Squid-Server ~]# /usr/local/sbin/squid -k shutdown
[root@Squid-Server ~]# netstat -antup | grep 3128
[root@Squid-Server ~]#
[root@Squid-Server ~]# /usr/local/sbin/squid -D
2019/08/19 10:36:23| WARNING: -D command-line option is obsolete.
[root@Squid-Server ~]# netstat -antup | grep 3128
tcp6 0 0 :::3128 :::* LISTEN 8878/(squid-1)
(4)在squid本地hosts文件里做代理的源站域名映射
[root@Squid-Server ~]# vim /etc/hosts
[root@Squid-Server ~]# tail -2 /etc/hosts
192.168.200.14 www.yangwenbo.com
192.168.200.14 bbs.yangwenbo.com
6.3.3 进行squid反向代理访问测试
(1)在windows上输入squid反向代理服务器的地址,端口3128,进行图片的访问测试
http://192.168.200.13:3128
http://192.168.200.13:3128/home01.png.jpg
http://192.168.200.13:3128/home02.png.jpg
http://192.168.200.13:3128/home03.png.jpg
(2)观察squid服务器的访问日志
[root@Squid-Server ~]# tail -f /usr/local/squid/var/logs/access.log
1566197856.079 1 192.168.200.1 TCP_MISS/200 341 GET http://192.168.200.13:3128/ - FIRSTUP_PARENT/192.168.200.14 text/html
1566197875.150 36 192.168.200.1 TCP_MISS/200 870130 GET http://192.168.200.13:3128/home01.png.jpg - FIRSTUP_PARENT/192.168.200.14 image/jpeg
1566197945.822 27 192.168.200.1 TCP_MISS/200 860326 GET http://192.168.200.13:3128/home02.png.jpg - FIRSTUP_PARENT/192.168.200.14 image/jpeg
1566197947.977 37 192.168.200.1 TCP_MISS/200 978224 GET http://192.168.200.13:3128/home03.png.jpg - FIRSTUP_PARENT/192.168.200.14 image/jpeg
6.3.4 进行squid离线缓存测试
(1)修改squid.conf配置文件
[root@Squid-Server ~]# echo "offline_mode on" >> /usr/local/squid/etc/squid.conf
[root@Squid-Server ~]# tail -1 /usr/local/squid/etc/squid.conf
offline_mode on #开启squid离线模式
(2)重启动squid服务
[root@Squid-Server ~]# /usr/local/squid/sbin/squid -k shutdown
[root@Squid-Server ~]# netstat -antup | grep 3128
[root@Squid-Server ~]#
[root@Squid-Server ~]# squid -k parse
#以上省略若干。。。
2019/08/21 15:26:23| Processing: offline_mode on
2019/08/21 15:26:23| WARNING: use of 'reload-into-ims' in 'refresh_pattern' violates HTTP
[root@Squid-Server ~]# /usr/local/squid/sbin/squid -D
2019/08/21 15:27:30| WARNING: -D command-line option is obsolete.
[root@Squid-Server ~]# netstat -antup | grep 3128
tcp6 0 0 :::3128 :::* LISTEN 9469/(squid-1)
(3)关闭后端RS节点的Web服务
[root@NginxWeb ~]# nginx -s stop
[root@NginxWeb ~]# netstat -antup | grep nginx
[root@NginxWeb ~]#
(4)清空浏览器缓存
(5)用浏览器访问squid代理服务器的3128端口
http://192.168.200.13:3128/home01.png.jpg
http://192.168.200.13:3128/home02.png.jpg
http://192.168.200.13:3128/home03.png.jpg
(6)观察squid代理服务器的访问日志
[root@Squid-Server ~]# tail -f /usr/local/squid/var/logs/access.log
1566373700.829 0 192.168.200.13 TCP_MISS/403 4247 GET http://192.168.200.13:3128/favicon.ico - HIER_NONE/- text/html
1566373700.830 1 192.168.200.1 TCP_MISS/403 4323 GET http://192.168.200.13:3128/favicon.ico - ORIGINAL_DST/192.168.200.13 text/html
1566373722.771 28 192.168.200.1 TCP_MEM_HIT/200 870139 GET http://192.168.200.13:3128/home01.png.jpg - HIER_NONE/- image/jpeg
1566373729.176 19 192.168.200.1 TCP_MEM_HIT/200 860335 GET http://192.168.200.13:3128/home02.png.jpg - HIER_NONE/- image/jpeg
1566373736.323 32 192.168.200.1 TCP_MEM_HIT/200 978233 GET http://192.168.200.13:3128/home03.png.jpg - HIER_NONE/- image/jpeg
(7)在Linux公网客户端利用curl -I进行访问测试
[root@InternetClient ~]# curl -I 192.168.100.100:3128
HTTP/1.1 200 OK #访问成功
Server: nginx/1.10.2
Date: Wed, 21 Aug 2019 08:07:43 GMT
Content-Type: text/html #数据类型
Content-Length: 24 #数据大小
Last-Modified: Thu, 15 Aug 2019 04:23:08 GMT #数据最后更新时间
ETag: "5d54de2c-18"
Accept-Ranges: bytes
Age: 124
X-Cache: HIT from www.yangwenbo.com #HIT命中
Via: 1.1 www.yangwenbo.com (squid/3.5.26)
Connection: keep-alive
[root@InternetClient ~]# curl -I 192.168.100.100:3128/home01.png.jpg
HTTP/1.1 200 OK
Server: nginx/1.10.2
Date: Wed, 21 Aug 2019 08:08:18 GMT
Content-Type: image/jpeg
Content-Length: 869805
Last-Modified: Wed, 14 Aug 2019 06:26:22 GMT
ETag: "5d53a98e-d45ad"
Accept-Ranges: bytes
Age: 94
X-Cache: HIT from www.yangwenbo.com
Via: 1.1 www.yangwenbo.com (squid/3.5.26)
Connection: keep-alive
[root@InternetClient ~]# curl -I 192.168.100.100:3128/home02.png.jpg
HTTP/1.1 200 OK
Server: nginx/1.10.2
Date: Wed, 21 Aug 2019 08:08:12 GMT
Content-Type: image/jpeg
Content-Length: 860001
Last-Modified: Wed, 14 Aug 2019 06:26:22 GMT
ETag: "5d53a98e-d1f61"
Accept-Ranges: bytes
Age: 196
X-Cache: HIT from www.yangwenbo.com
Via: 1.1 www.yangwenbo.com (squid/3.5.26)
Connection: keep-alive
[root@InternetClient ~]# curl -I 192.168.100.100:3128/home03.png.jpg
HTTP/1.1 200 OK
Server: nginx/1.10.2
Date: Wed, 21 Aug 2019 08:08:05 GMT
Content-Type: image/jpeg
Content-Length: 977899
Last-Modified: Wed, 14 Aug 2019 06:26:20 GMT
ETag: "5d53a98c-eebeb"
Accept-Ranges: bytes
Age: 209
X-Cache: HIT from www.yangwenbo.com
Via: 1.1 www.yangwenbo.com (squid/3.5.26)
Connection: keep-alive
7. squid访问日志access.log结果编码
#TCP_HIT
Squid发现请求资源的貌似新鲜的拷贝,并将其立即发送到客户端。
#TCP_MISS
Squid没有请求资源的cache拷贝。
#TCP_REFERSH_HIT
Squid发现请求资源的貌似陈旧的拷贝,并发送确认请求到原始服务器。原始服务器返回304(未修改)响应,指示squid的拷贝仍旧是新鲜的。
#TCP_REF_FAIL_HIT
Squid发现请求资源的貌似陈旧的拷贝,并发送确认请求到原始服务器。然而,原始服务器响应失败,或者返回的响应Squid不能理解。在此情形下,squid发送现有cache拷贝(很可能是陈旧的)到客户端。
#TCP_REFRESH_MISS
Squid发现请求资源的貌似陈旧的拷贝,并发送确认请求到原始服务器。原始服务器响应新的内容,指示这个cache拷贝确实是陈旧的。
#TCP_CLIENT_REFRESH_MISS
Squid发现了请求资源的拷贝,但客户端的请求包含了Cache-Control: no-cache指令。Squid转发客户端的请求到原始服务器,强迫cache确认。
#TCP_IMS_HIT
客户端发送确认请求,Squid发现更近来的、貌似新鲜的请求资源的拷贝。Squid发送更新的内容到客户端,而不联系原始服务器。
#TCP_SWAPFAIL_MISS
Squid发现请求资源的有效拷贝,但从磁盘装载它失败。这时squid发送请求到原始服务器,就如同这是个cache丢失一样。
#TCP_NEGATIVE_HIT
在对原始服务器的请求导致HTTP错误时,Squid也会cache这个响应。在短时间内对这些资源的重复请求,导致了否命中。negative_ttl指令控制这些错误被cache的时间数量。请注意这些错误只在内存cache,不会写往磁盘。下列HTTP状态码可能导致否定cache(也遵循于其他约束): 204, 305, 400, 403, 404, 405, 414, 500, 501, 502, 503, 504。
#TCP_MEM_HIT
Squid在内存cache里发现请求资源的有效拷贝,并将其立即发送到客户端。注意这点并非精确的呈现了所有从内存服务的响应。例如,某些cache在内存里,但要求确认的响应,会以TCP_REFRESH_HIT, TCP_REFRESH_MISS等形式记录。
#TCP_DENIED
因为http_access或http_reply_access规则,客户端的请求被拒绝了。注意被http_access拒绝的请求在第9域的值是NONE/-,然而被http_reply_access拒绝的请求,在相应地方有一个有效值。
#TCP_OFFLINE_HIT
当offline_mode激活时,Squid对任何cache响应返回cache命中,而不用考虑它的新鲜程度。
TCP_REDIRECT
重定向程序告诉Squid产生一个HTTP重定向到新的URI。正常的,Squid不会记录这些重定向。假如要这样做,必须在编译squid前,手工定义LOG_TCP_REDIRECTS预处理指令。
#NONE
无分类的结果用于特定错误,例如无效主机名。
相应于ICP查询,下列标签可能出现在access.log文件的第四域。
#UDP_HIT
Squid在cache里发现请求资源的貌似新鲜的拷贝。
#UDP_MISS
Squid没有在cache里发现请求资源的貌似新鲜的拷贝。假如同一目标通过HTTP请求,就可能是个cache丢失。请对比UDP_MISS_NOFETCH。
#UDP_MISS_NOFETCH
跟UDP_MISS类似,不同的是这里也指示了Squid不愿去处理相应的HTTP请求。假如使用了-Y命令行选项,Squid在启动并编译其内存索引时,会返回这个标签而不是UDP_MISS。
#UDP_DENIED
因为icp_access规则,ICP查询被拒绝。假如超过95%的到某客户端的ICP响应是UDP_DENIED,并且客户端数据库激活了,Squid在1小时内,停止发送任何ICP响应到该客户端。若这点发生,你也可在cache.log里见到一个警告。
#UDP_INVALID
Squid接受到无效查询(例如截断的消息、无效协议版本、URI里的空格等)。Squid发送UDP_INVALID响应到客户端。
8. 清空squid过期缓存文件
8.1 通过squidclient命令查看缓存情况
#查看squidclient命令帮助
[root@Squid-Server ~]# /usr/local/squid/bin/squidclient -h
Version: 3.5.26
Usage: /usr/local/squid/bin/squidclient [Basic Options] [HTTP Options]
-s | --quiet Silent. Do not print response message to stdout.
-v | --verbose Verbose debugging. Repeat (-vv) to increase output level.
Levels:
1 - Print outgoing request message to stderr.
2 - Print action trace to stderr.
--help Display this help text.
Connection Settings
-h | --host host Send message to server on 'host'. Default is localhost.
-l | --local host Specify a local IP address to bind to. Default is none.
-p | --port port Port number on server to contact. Default is 3128.
-T timeout Timeout in seconds for read/write operations
Ping Mode
--ping [options] Enable ping mode.
options:
-g count Ping iteration count (default, loop until interrupted).
-I interval Ping interval in seconds (default 1 second).
HTTP Options:
-a Do NOT include Accept: header.
-A User-Agent: header. Use "" to omit.
-H 'string' Extra headers to send. Use '\n' for new lines.
-i IMS If-Modified-Since time (in Epoch seconds).
-j hosthdr Host header content
-k Keep the connection active. Default is to do only one request then close.
-m method Request method, default is GET. #请求方法,默认GET
-n Proxy Negotiate(Kerberos) authentication
-N WWW Negotiate(Kerberos) authentication
-P file Send content from the named file as request payload
-r Force cache to reload URL
-t count Trace count cache-hops
-u user Proxy authentication username
-U user WWW authentication username
-V version HTTP Version. Use '-' for HTTP/0.9 omitted case
-w password Proxy authentication password
-W password WWW authentication password
[root@Squid-Server ~]# /usr/local/squid/bin/squidclient -h Squid-Server -p 3128 mgr:objects | head -40
HTTP/1.1 200 OK
Server: squid/3.5.26
Mime-Version: 1.0
Date: Thu, 22 Aug 2019 06:53:16 GMT
Content-Type: text/plain;charset=utf-8
Expires: Thu, 22 Aug 2019 06:53:16 GMT
Last-Modified: Thu, 22 Aug 2019 06:53:16 GMT
X-Cache: MISS from www.yangwenbo.com
Via: 1.1 www.yangwenbo.com (squid/3.5.26)
Connection: close
KEY B4A1D7782A1D16E27897B33F7AFCDD88
STORE_PENDING NOT_IN_MEMORY SWAPOUT_NONE PING_NONE
DELAY_SENDING,RELEASE_REQUEST,PRIVATE,VALIDATED
LV:-1 LU:1566456796 LM:-1 EX:1566456796
3 locks, 1 clients, 1 refs
Swap Dir -1, File 0XFFFFFFFF
GET cache_object://squid-server/objects
inmem_lo: 0
inmem_hi: 223
swapout: 0 bytes queued
Client #0, (nil)
copy_offset: 0
copy_size: 4096
flags:
KEY DFC1F2670C96E01F30D57BEB2840D36F
STORE_OK IN_MEMORY SWAPOUT_NONE PING_NONE
SPECIAL,VALIDATED
LV:1566374705 LU:1566374705 LM:1565091440 EX:-1
0 locks, 0 clients, 0 refs
Swap Dir -1, File 0XFFFFFFFF
GET http://www.yangwenbo.com/squid-internal-static/icons/silk/box.png
inmem_lo: 0
inmem_hi: 774
swapout: 0 bytes queued
object_sz: 774
KEY EC417A4BDDD742EA6EE734D3B28F67B9
STORE_OK IN_MEMORY SWAPOUT_NONE PING_NONE
#以下省略若干...
#这个命令能知道如下重要信息:
a.打印出的是所有缓存在内存和硬盘上的数据,对象是以key来表示,每个key代表不同的对象。
b.列出对象是否存放在内存,还是硬盘
8.2 通过squidclient命令清空cache中的文件
(1)方法一(重新缓存对象):
(2)方法二(指定删除对象):
squidclient -m purge -p 80 http://192.168.200.13/home01.png.jpg
要清空某个具体的URL缓存,squid acl要设置如下规则,否则你无权清理缓存内容。注意两点:一是下面的配置里没有 `acl PURGE method PURGE` 这一行,http_access 中引用的 PURGE 必须先定义(否则 squid -k parse 通常会报 ACL 未定义),而且在 squid 3.x 中正是这个 method 类型的 acl 启用了 PURGE 支持;二是 allow/deny PURGE 应放在 `http_access allow localnet` 之前,否则 localnet 中的任意主机都已被前面的规则放行,可以随意清除缓存(可参考 8.3,只允许管理主机 PURGE):
#修改squid配置文件squid.conf
[root@Squid-Server ~]# cat /usr/local/squid/etc/squid.conf
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.200.0/24 # RFC1918 possible internal network
acl localnet src 192.168.100.0/24 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost
###########################################
http_access allow PURGE localhost #配置为文件加入本行,注意代码插入位置
http_access allow PURGE localnet #配置为文件加入本行,注意代码插入位置
http_access deny PURGE #配置为文件加入本行,注意代码插入位置
###########################################
http_access deny all
http_port 3128 transparent
coredump_dir /usr/local/squid3/var/cache/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
#################新增内容开始start###################################
#refresh_pattern [-i] regexp min percent max [options]
refresh_pattern -i \.jpg$ 30 50% 4320 reload-into-ims
refresh_pattern -i \.png$ 30 50% 4320 reload-into-ims
refresh_pattern -i \.gif$ 30 50% 4320 reload-into-ims
######################新增内容结束stop##############################
#icp_port 3130
coredump_dir /usr/local/squid3/var/cache
##################新增内容开始start###################################
cache_mem 99 MB
cache_swap_low 90
cache_swap_high 95
maximum_object_size 8192 KB
minimum_object_size 0 KB
maximum_object_size_in_memory 4096 KB
memory_replacement_policy lru
#####################################################
cache_mgr [email protected]
cache_effective_user squid
cache_effective_group squid
visible_hostname www.yangwenbo.com
######################################################
cache_peer www.yangwenbo.com parent 80 0 no-query no-digest max-conn=32 originserver
#反向代理的Web源站的域名,因为是域名所以squid本地必须做hosts映射
hosts_file /etc/hosts
request_header_max_size 128 KB
ipcache_size 1024
ipcache_low 90
ipcache_high 95
####################新增内容结束stop##################
#offline_mode on
重启动squid服务
[root@Squid-Server ~]# /usr/local/squid/sbin/squid -k shutdown
[root@Squid-Server ~]# netstat -antup | grep 3128
[root@Squid-Server ~]#
[root@Squid-Server ~]# squid -k parse
#以上省略若干。。。
2019/08/22 15:49:11| Processing: offline_mode on
2019/08/22 15:49:55| WARNING: use of 'reload-into-ims' in 'refresh_pattern' violates HTTP
[root@Squid-Server ~]# /usr/local/squid/sbin/squid -D
2019/08/22 15:50:03| WARNING: -D command-line option is obsolete.
[root@Squid-Server ~]# netstat -antup | grep 3128
tcp6 0 0 :::3128 :::* LISTEN 9469/(squid-1)
进行squid缓存删除测试
#客户端curl -I代理服务器查看命中情况
[root@Squid-Server ~]# curl -I 192.168.100.100:3128/home01.png.jpg
HTTP/1.1 200 OK
Server: nginx/1.10.2
Date: Wed, 21 Aug 2019 08:08:18 GMT
Content-Type: image/jpeg
Content-Length: 869805
Last-Modified: Wed, 14 Aug 2019 06:26:22 GMT
ETag: "5d53a98e-d45ad"
Accept-Ranges: bytes
Age: 85403
X-Cache: HIT from www.yangwenbo.com
Via: 1.1 www.yangwenbo.com (squid/3.5.26)
Connection: keep-alive
#在squid代理服务器本地删除URL的缓存(注:下面响应头中的 squid/3.0.STABLE20 与本文其余输出的 squid/3.5.26 不一致,应为引用的示例输出)
[root@Squid-Server ~]# squidclient -m purge -p 3128 http://192.168.100.100:3128/home01.png.jpg
HTTP/1.0 200 OK #删除缓存成功
Server: squid/3.0.STABLE20
Mime-Version: 1.0
Date: Wed, 21 Aug 2019 08:08:18 GMT
Content-Length: 0
X-Cache: MISS from www.yangwenbo.com
Via: 1.0 www.yangwenbo.com (squid/3.0.STABLE20)
Connection: close
#继续在客户端进行访问测试(注:缓存被清除后再次访问需要回源,而后端 nginx 已在 6.3.4 中停止,所以得到 503;下面的其余头部字段与 503 响应不一致,应为示例输出)
[root@Squid-Server ~]# curl -I 192.168.100.100:3128/home01.png.jpg
HTTP/1.0 503 Service Unavailable #访问失败
Server: nginx/1.10.2
Date: Wed, 21 Aug 2019 08:08:18 GMT
Content-Type: image/jpeg
Content-Length: 869805
Last-Modified: Wed, 14 Aug 2019 06:26:22 GMT
ETag: "5d53a98e-d45ad"
Accept-Ranges: bytes
Age: 85403
X-Cache: HIT from www.yangwenbo.com
Via: 1.1 www.yangwenbo.com (squid/3.5.26)
Connection: keep-alive
8.3 如何对一组cache服务器清空缓存
# Admin hosts allowed to invalidate cached objects.  Source-IP based, so keep
# this list to trusted management addresses only.
acl AdminBoxes src 127.0.0.1 172.16.0.1 192.168.0.1 10.0.0.0/24
# A method PURGE acl is also what turns on PURGE handling in Squid 3.x.
acl Purge method PURGE
# Both lines must sit above broader allows such as "http_access allow localnet":
# http_access is first-match, so a broader allow placed earlier would already
# let any host in that network purge.
http_access allow AdminBoxes Purge #sources allowed to purge
http_access deny Purge #every other host may not purge
9. Squid集群做CDN全网加速(只有入职CDN公司才会用的上)
9.1 网络环境
主服务器群:
源Web服务器群:位于公网ip:220.220.220.10 port:80(后台才是WEB的服务器)
注:要保证TCP 80、UDP 3130 在防火墙上是开的(UDP 3130 供icp_port通讯使用,多台Squid集群才会用到)。UDP 3130 只应对集群内其他 Squid 节点的IP开放,并在 squid.conf 中用 icp_access 限制来源,否则任意主机都可以通过 ICP 探测缓存中的内容
全国各地分服务器:
A服务器公网IP:124.42.61.88
B服务器公网IP:204.82.18.88
注:要保证TCP 80、UDP 3130 在防火墙上是开的(UDP 3130 供icp_port通讯使用,多台squid集群才会用到)。UDP 3130 只应对集群内其他 Squid 节点的IP开放,并在 squid.conf 中用 icp_access 限制来源,否则任意主机都可以通过 ICP 探测缓存中的内容
9.2 需要解决的问题:
9.3 集群实施:
#主服务器群Squid的配置:
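# Primary Squid: listen on the public IP, port 80, as an accelerator that
# routes by Host header.  vhost/vport are accelerator-mode options, so accel
# is written explicitly instead of relying on an implicit upgrade.
http_port 220.220.220.10:80 accel vhost vport
# ICP port used to exchange cache hints between the cluster members.
icp_port 3130
# Parent: the internal origin web servers (the only peer that fetches misses).
cache_peer "内网web服务器的地址" parent 80 0 no-query originserver no-digest name=cache0
# Siblings: the edge Squids.  The original also listed this host's own
# address (220.220.220.10) as sibling cache1; a Squid must not peer with
# itself, so that entry is dropped.
cache_peer 124.42.61.88 sibling 80 3130 name=cache2 # edge A
cache_peer 204.82.18.88 sibling 80 3130 name=cache3 # edge B
# Only the business domain is routed to the origin.
cache_peer_domain cache0 www.yunjisuan.com
# Answer ICP queries only for the known peers; once the firewall opens
# UDP 3130 the port is otherwise reachable by anyone.
acl squid_peers src 124.42.61.88 204.82.18.88
icp_access allow squid_peers
icp_access deny all
# Destination ports requests may be proxied to.
acl Safe_ports port 80
# NOTE(review): Safe_ports governs HTTP destination ports; 3130 is the ICP UDP
# port, so this entry is probably unnecessary — confirm before keeping it.
acl Safe_ports port 3130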
#全国各地分服务器Squid的配置:
A服务器:
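# Edge Squid A: accelerator on its own public IP.  vhost/vport are
# accelerator-mode options, so accel is written explicitly.
http_port 124.42.61.88:80 accel vhost vport
icp_port 3130
# The primary cluster is A's origin (parent).
cache_peer 220.220.220.10 parent 80 0 no-query originserver no-digest name=cache0
# Siblings.  The original listed A's own address (124.42.61.88) as cache1;
# a Squid must not peer with itself, so that entry is dropped.
# NOTE(review): the primary is already the parent above, so listing it again
# as a sibling is redundant — keep or drop deliberately.
cache_peer 220.220.220.10 sibling 80 3130 name=cache2
cache_peer 204.82.18.88 sibling 80 3130 name=cache3
cache_peer_domain cache0 www.yunjisuan.com
# Answer ICP queries only for the known peers; UDP 3130 is otherwise open
# to anyone once the firewall permits it.
acl squid_peers src 220.220.220.10 204.82.18.88
icp_access allow squid_peers
icp_access deny all
acl Safe_ports port 80
# NOTE(review): Safe_ports governs HTTP destination ports; 3130 is the ICP UDP
# port, so this entry is probably unnecessary — confirm.
acl Safe_ports port 3130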
B服务器:
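# Edge Squid B: accelerator on its own public IP.  vhost/vport are
# accelerator-mode options, so accel is written explicitly.
http_port 204.82.18.88:80 accel vhost vport
icp_port 3130
# The primary cluster is B's origin (parent).
cache_peer 220.220.220.10 parent 80 0 no-query originserver no-digest name=cache0
# Siblings.  The original listed B's own address (204.82.18.88) as cache1;
# a Squid must not peer with itself, so that entry is dropped.
# NOTE(review): the primary is already the parent above, so listing it again
# as a sibling is redundant — keep or drop deliberately.
cache_peer 220.220.220.10 sibling 80 3130 name=cache2
cache_peer 124.42.61.88 sibling 80 3130 name=cache3
cache_peer_domain cache0 www.yunjisuan.com
# Answer ICP queries only for the known peers; UDP 3130 is otherwise open
# to anyone once the firewall permits it.
acl squid_peers src 220.220.220.10 124.42.61.88
icp_access allow squid_peers
icp_access deny all
acl Safe_ports port 80
# NOTE(review): Safe_ports governs HTTP destination ports; 3130 is the ICP UDP
# port, so this entry is probably unnecessary — confirm.
acl Safe_ports port 3130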
注:下面看看cache_peer的参数