当前位置:网站首页>Squid 代理服务之透明代理服务器架构搭建

Squid 代理服务之透明代理服务器架构搭建

2022-07-23 12:04:00 全栈程序员站长

大家好,又见面了,我是你们的朋友全栈君。

文章目录

1. 服务器配置

服务器

主机名

IP地址

主要软件

Squid 服务器

squid_server

外网ens33:192.168.10.20 | 内网ens37:10.0.0.100

squid

Web 服务器

web_server

内网 10.0.0.200

apache

Win10 客户端

外网 192.168.10.85

edge 浏览器

2. Squid 服务器部署

2.1 修改 Squid 配置文件

[[email protected]_server ~]# vim /etc/squid.conf

# And finally deny all other access to this proxy
http_access allow all
http_access deny all

# Squid normally listens to port 3128
##60行,修改,添加提供内网服务的网卡IP地址,和支持透明代理选项transparent
http_port 192.168.10.20:3128 transparent
cache_effective_user squid
cache_effective_group squid
cache_mem 64 MB
reply_body_max_size 10 MB
maximum_object_size 4096 KB

[[email protected]_server ~]# systemctl restart squid

2.2 开启路由转发,实现本机中不同网段的地址转发

[[email protected]_server ~]#echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
[[email protected]_server ~]#sysctl -p
net.ipv4.ip_forward = 1

2.3 修改防火墙规则

[[email protected]_server ~]#iptables -F
[[email protected]_server ~]#iptables -t nat -F
[[email protected]_server ~]#iptables -t nat -I PREROUTING -i ens33 -s 192.168.10.0/24 -p tcp --dport 80 -j REDIRECT --to 3128
#用于转发 http 协议,将访问端口重定向到 3128
[[email protected]_server ~]#iptables -t nat -I PREROUTING -i ens33 -s 192.168.10.0/24 -p tcp --dport 443 -j REDIRECT --to 3128
#用于转发 https 协议,将访问端口重定向到 3128
[[email protected]_server ~]#iptables -I INPUT -p tcp --dport 3128 -j ACCEPT
#定义防火墙入站规则,允许 3128 的连接请求

3. 客户端访问测试

客户端 192.168.10.85 访问 web 服务器 10.0.0.200

  • 关闭手动代理
  • 网关指向 squid 代理 ens33 IP

查看 Squid 访问日志的新增记录(192.168.10.20)

在客户端多刷新几次页面,查看访问情况

[[email protected]_server ~]#tail -f /usr/local/squid/var/logs/access.log
1635941728.519  31737 192.168.10.85 TCP_TUNNEL/200 6844 CONNECT cp601.prod.do.dsp.mp.microsoft.com:443 - HIER_DIRECT/184.29.187.90 -
1635941729.950  28933 192.168.10.85 TCP_TUNNEL/200 6842 CONNECT cp601.prod.do.dsp.mp.microsoft.com:443 - HIER_DIRECT/184.29.187.90 -
1635941766.747  69937 192.168.10.85 TCP_TUNNEL/200 6591 CONNECT disc601.prod.do.dsp.mp.microsoft.com:443 - HIER_DIRECT/184.29.187.90 -
1635941822.746 133072 192.168.10.85 TCP_TUNNEL/200 6617 CONNECT geover.prod.do.dsp.mp.microsoft.com:443 - HIER_DIRECT/104.85.33.217 -
1635941886.914   1612 192.168.10.85 TCP_TUNNEL/200 4900 CONNECT v10.events.data.microsoft.com:443 - HIER_DIRECT/20.42.73.25 -
1635941897.422    476 192.168.10.85 TCP_TUNNEL/200 3968 CONNECT settings-win.data.microsoft.com:443 - HIER_DIRECT/40.119.249.228 -
1635941899.775    446 192.168.10.85 TCP_TUNNEL/200 4017 CONNECT settings-win.data.microsoft.com:443 - HIER_DIRECT/40.119.249.228 -
1635941912.755  11406 192.168.10.85 TCP_TUNNEL/200 4901 CONNECT v10.events.data.microsoft.com:443 - HIER_DIRECT/20.42.73.25 -
1635944385.775      0 192.168.10.20 TCP_MISS/403 4076 GET http://www.msftconnecttest.com/connecttest.txt - HIER_NONE/- text/html
1635944385.775     49 192.168.10.85 TCP_MISS/403 4137 GET http://www.msftconnecttest.com/connecttest.txt - ORIGINAL_DST/192.168.10.20 text/html
1635944910.531      3 192.168.10.85 TCP_MISS/403 5244 GET http://10.0.0.200/ - ORIGINAL_DST/10.0.0.200 text/html
1635944910.611      2 192.168.10.85 TCP_MISS/200 5405 GET http://10.0.0.200/noindex/css/open-sans.css - ORIGINAL_DST/10.0.0.200 text/css
1635944910.611      3 192.168.10.85 TCP_MISS/200 19666 GET http://10.0.0.200/noindex/css/bootstrap.min.css - ORIGINAL_DST/10.0.0.200 text/css
1635944910.649      1 192.168.10.85 TCP_MISS/200 4280 GET http://10.0.0.200/images/poweredby.png - ORIGINAL_DST/10.0.0.200 image/png
1635944910.649      1 192.168.10.85 TCP_MISS/200 2650 GET http://10.0.0.200/images/apache_pb.gif - ORIGINAL_DST/10.0.0.200 image/gif
1635944910.729      0 192.168.10.85 TCP_MISS/404 494 GET http://10.0.0.200/noindex/css/fonts/Bold/OpenSans-Bold.woff - ORIGINAL_DST/10.0.0.200 text/html
1635944910.730      0 192.168.10.85 TCP_MISS/404 496 GET http://10.0.0.200/noindex/css/fonts/Light/OpenSans-Light.woff - ORIGINAL_DST/10.0.0.200 text/html
1635944910.854      0 192.168.10.85 TCP_MISS/404 495 GET http://10.0.0.200/noindex/css/fonts/Light/OpenSans-Light.ttf - ORIGINAL_DST/10.0.0.200 text/html
1635944910.854      1 192.168.10.85 TCP_MISS/404 493 GET http://10.0.0.200/noindex/css/fonts/Bold/OpenSans-Bold.ttf - ORIGINAL_DST/10.0.0.200 text/html
1635944910.879      1 192.168.10.85 TCP_MISS/404 464 GET http://10.0.0.200/favicon.ico - ORIGINAL_DST/10.0.0.200 text/html

可以看到前面几次的访问较慢,后面速度较快,因为后面访问直接返回的 squid 服务器中的缓存数据,客户端的响应速度得到了很大的提升。

查看 Web 访问日志的新增记录(10.0.0.200) 

[[email protected]_server ~]#tail -f /var/log/httpd/access_log
10.0.0.100 - - [03/Nov/2021:21:08:33 +0800] "GET / HTTP/1.1" 403 4897 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36 Edg/95.0.1020.40"
10.0.0.100 - - [03/Nov/2021:21:08:33 +0800] "GET /noindex/css/fonts/Light/OpenSans-Light.woff HTTP/1.1" 404 241 "http://10.0.0.200/noindex/css/open-sans.css" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36 Edg/95.0.1020.40"
10.0.0.100 - - [03/Nov/2021:21:08:33 +0800] "GET /noindex/css/fonts/Bold/OpenSans-Bold.woff HTTP/1.1" 404 239 "http://10.0.0.200/noindex/css/open-sans.css" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36 Edg/95.0.1020.40"
10.0.0.100 - - [03/Nov/2021:21:08:33 +0800] "GET /noindex/css/fonts/Bold/OpenSans-Bold.ttf HTTP/1.1" 404 238 "http://10.0.0.200/noindex/css/open-sans.css" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36 Edg/95.0.1020.40"
10.0.0.100 - - [03/Nov/2021:21:08:33 +0800] "GET /noindex/css/fonts/Light/OpenSans-Light.ttf HTTP/1.1" 404 240 "http://10.0.0.200/noindex/css/open-sans.css" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36 Edg/95.0.1020.40"
10.0.0.100 - - [03/Nov/2021:21:08:33 +0800] "GET / HTTP/1.1" 403 4897 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36 Edg/95.0.1020.40"
10.0.0.100 - - [03/Nov/2021:21:08:33 +0800] "GET /noindex/css/fonts/Light/OpenSans-Light.woff HTTP/1.1" 404 241 "http://10.0.0.200/noindex/css/open-sans.css" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36 Edg/95.0.1020.40"
10.0.0.100 - - [03/Nov/2021:21:08:33 +0800] "GET /noindex/css/fonts/Bold/OpenSans-Bold.woff HTTP/1.1" 404 239 "http://10.0.0.200/noindex/css/open-sans.css" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36 Edg/95.0.1020.40"
10.0.0.100 - - [03/Nov/2021:21:08:33 +0800] "GET /noindex/css/fonts/Light/OpenSans-Light.ttf HTTP/1.1" 404 240 "http://10.0.0.200/noindex/css/open-sans.css" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36 Edg/95.0.1020.40"
10.0.0.100 - - [03/Nov/2021:21:08:33 +0800] "GET /noindex/css/fonts/Bold/OpenSans-Bold.ttf HTTP/1.1" 404 238 "http://10.0.0.200/noindex/css/open-sans.css" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36 Edg/95.0.1020.40"

访问记录来自于 squid 代理服务器的外网卡,代理服务器的外网口代替客户机在访问,使得 web 服务端无法得知客户的真实 IP。

发布者:全栈程序员栈长,转载请注明出处:https://javaforall.cn/126268.html原文链接:https://javaforall.cn

原网站

版权声明
本文为[全栈程序员站长]所创,转载请带上原文链接,感谢
https://cloud.tencent.com/developer/article/2054950

边栏推荐

猜你喜欢

随机推荐