文章目录
- 1. 服务器配置
- 2. Squid 服务器部署
- 2.1 修改 Squid 配置文件
- 2.2 开启路由转发,实现本机中不同网段的地址转发
- 2.3 修改防火墙规则
- 3. 客户端访问测试
1. 服务器配置
| 服务器 | 主机名 | IP地址 | 主要软件 |
|---|---|---|---|
| Squid 服务器 | squid_server | 外网ens33:192.168.10.20 | 内网ens37:10.0.0.100 | squid |
| Web 服务器 | web_server | 内网 10.0.0.200 | apache |
| Win10 客户端 | 外网 192.168.10.85 | edge 浏览器 |
2. Squid 服务器部署
2.1 修改 Squid 配置文件
[root@squid_server ~]# vim /etc/squid.conf# And finally deny all other access to this proxy
http_access allow all
http_access deny all# Squid normally listens to port 3128
##60行,修改,添加提供内网服务的网卡IP地址,和支持透明代理选项transparent
http_port 192.168.10.20:3128 transparent
cache_effective_user squid
cache_effective_group squid
cache_mem 64 MB
reply_body_max_size 10 MB
maximum_object_size 4096 KB[root@squid_server ~]# systemctl restart squid
2.2 开启路由转发,实现本机中不同网段的地址转发
[root@squid_server ~]#echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
[root@squid_server ~]#sysctl -p
net.ipv4.ip_forward = 1
2.3 修改防火墙规则
[root@squid_server ~]#iptables -F
[root@squid_server ~]#iptables -t nat -F
[root@squid_server ~]#iptables -t nat -I PREROUTING -i ens33 -s 192.168.10.0/24 -p tcp --dport 80 -j REDIRECT --to 3128
#用于转发 http 协议,将访问端口重定向到 3128
[root@squid_server ~]#iptables -t nat -I PREROUTING -i ens33 -s 192.168.10.0/24 -p tcp --dport 443 -j REDIRECT --to 3128
#用于转发 https 协议,将访问端口重定向到 3128
[root@squid_server ~]#iptables -I INPUT -p tcp --dport 3128 -j ACCEPT
#定义防火墙入站规则,允许 3128 的连接请求
3. 客户端访问测试
客户端 192.168.10.85 访问 web 服务器 10.0.0.200
- 关闭手动代理
- 网关指向 squid 代理 ens33 IP
查看 Squid 访问日志的新增记录(192.168.10.20)
在客户端多刷新几次页面,查看访问情况
[root@squid_server ~]#tail -f /usr/local/squid/var/logs/access.log
1635941728.519 31737 192.168.10.85 TCP_TUNNEL/200 6844 CONNECT cp601.prod.do.dsp.mp.microsoft.com:443 - HIER_DIRECT/184.29.187.90 -
1635941729.950 28933 192.168.10.85 TCP_TUNNEL/200 6842 CONNECT cp601.prod.do.dsp.mp.microsoft.com:443 - HIER_DIRECT/184.29.187.90 -
1635941766.747 69937 192.168.10.85 TCP_TUNNEL/200 6591 CONNECT disc601.prod.do.dsp.mp.microsoft.com:443 - HIER_DIRECT/184.29.187.90 -
1635941822.746 133072 192.168.10.85 TCP_TUNNEL/200 6617 CONNECT geover.prod.do.dsp.mp.microsoft.com:443 - HIER_DIRECT/104.85.33.217 -
1635941886.914 1612 192.168.10.85 TCP_TUNNEL/200 4900 CONNECT v10.events.data.microsoft.com:443 - HIER_DIRECT/20.42.73.25 -
1635941897.422 476 192.168.10.85 TCP_TUNNEL/200 3968 CONNECT settings-win.data.microsoft.com:443 - HIER_DIRECT/40.119.249.228 -
1635941899.775 446 192.168.10.85 TCP_TUNNEL/200 4017 CONNECT settings-win.data.microsoft.com:443 - HIER_DIRECT/40.119.249.228 -
1635941912.755 11406 192.168.10.85 TCP_TUNNEL/200 4901 CONNECT v10.events.data.microsoft.com:443 - HIER_DIRECT/20.42.73.25 -
1635944385.775 0 192.168.10.20 TCP_MISS/403 4076 GET http://www.msftconnecttest.com/connecttest.txt - HIER_NONE/- text/html
1635944385.775 49 192.168.10.85 TCP_MISS/403 4137 GET http://www.msftconnecttest.com/connecttest.txt - ORIGINAL_DST/192.168.10.20 text/html
1635944910.531 3 192.168.10.85 TCP_MISS/403 5244 GET http://10.0.0.200/ - ORIGINAL_DST/10.0.0.200 text/html
1635944910.611 2 192.168.10.85 TCP_MISS/200 5405 GET http://10.0.0.200/noindex/css/open-sans.css - ORIGINAL_DST/10.0.0.200 text/css
1635944910.611 3 192.168.10.85 TCP_MISS/200 19666 GET http://10.0.0.200/noindex/css/bootstrap.min.css - ORIGINAL_DST/10.0.0.200 text/css
1635944910.649 1 192.168.10.85 TCP_MISS/200 4280 GET http://10.0.0.200/images/poweredby.png - ORIGINAL_DST/10.0.0.200 image/png
1635944910.649 1 192.168.10.85 TCP_MISS/200 2650 GET http://10.0.0.200/images/apache_pb.gif - ORIGINAL_DST/10.0.0.200 image/gif
1635944910.729 0 192.168.10.85 TCP_MISS/404 494 GET http://10.0.0.200/noindex/css/fonts/Bold/OpenSans-Bold.woff - ORIGINAL_DST/10.0.0.200 text/html
1635944910.730 0 192.168.10.85 TCP_MISS/404 496 GET http://10.0.0.200/noindex/css/fonts/Light/OpenSans-Light.woff - ORIGINAL_DST/10.0.0.200 text/html
1635944910.854 0 192.168.10.85 TCP_MISS/404 495 GET http://10.0.0.200/noindex/css/fonts/Light/OpenSans-Light.ttf - ORIGINAL_DST/10.0.0.200 text/html
1635944910.854 1 192.168.10.85 TCP_MISS/404 493 GET http://10.0.0.200/noindex/css/fonts/Bold/OpenSans-Bold.ttf - ORIGINAL_DST/10.0.0.200 text/html
1635944910.879 1 192.168.10.85 TCP_MISS/404 464 GET http://10.0.0.200/favicon.ico - ORIGINAL_DST/10.0.0.200 text/html
可以看到前面几次的访问较慢,后面速度较快,因为后面访问直接返回的 squid 服务器中的缓存数据,客户端的响应速度得到了很大的提升。
查看 Web 访问日志的新增记录(10.0.0.200)
[root@web_server ~]#tail -f /var/log/httpd/access_log
10.0.0.100 - - [03/Nov/2021:21:08:33 +0800] "GET / HTTP/1.1" 403 4897 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36 Edg/95.0.1020.40"
10.0.0.100 - - [03/Nov/2021:21:08:33 +0800] "GET /noindex/css/fonts/Light/OpenSans-Light.woff HTTP/1.1" 404 241 "http://10.0.0.200/noindex/css/open-sans.css" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36 Edg/95.0.1020.40"
10.0.0.100 - - [03/Nov/2021:21:08:33 +0800] "GET /noindex/css/fonts/Bold/OpenSans-Bold.woff HTTP/1.1" 404 239 "http://10.0.0.200/noindex/css/open-sans.css" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36 Edg/95.0.1020.40"
10.0.0.100 - - [03/Nov/2021:21:08:33 +0800] "GET /noindex/css/fonts/Bold/OpenSans-Bold.ttf HTTP/1.1" 404 238 "http://10.0.0.200/noindex/css/open-sans.css" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36 Edg/95.0.1020.40"
10.0.0.100 - - [03/Nov/2021:21:08:33 +0800] "GET /noindex/css/fonts/Light/OpenSans-Light.ttf HTTP/1.1" 404 240 "http://10.0.0.200/noindex/css/open-sans.css" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36 Edg/95.0.1020.40"
10.0.0.100 - - [03/Nov/2021:21:08:33 +0800] "GET / HTTP/1.1" 403 4897 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36 Edg/95.0.1020.40"
10.0.0.100 - - [03/Nov/2021:21:08:33 +0800] "GET /noindex/css/fonts/Light/OpenSans-Light.woff HTTP/1.1" 404 241 "http://10.0.0.200/noindex/css/open-sans.css" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36 Edg/95.0.1020.40"
10.0.0.100 - - [03/Nov/2021:21:08:33 +0800] "GET /noindex/css/fonts/Bold/OpenSans-Bold.woff HTTP/1.1" 404 239 "http://10.0.0.200/noindex/css/open-sans.css" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36 Edg/95.0.1020.40"
10.0.0.100 - - [03/Nov/2021:21:08:33 +0800] "GET /noindex/css/fonts/Light/OpenSans-Light.ttf HTTP/1.1" 404 240 "http://10.0.0.200/noindex/css/open-sans.css" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36 Edg/95.0.1020.40"
10.0.0.100 - - [03/Nov/2021:21:08:33 +0800] "GET /noindex/css/fonts/Bold/OpenSans-Bold.ttf HTTP/1.1" 404 238 "http://10.0.0.200/noindex/css/open-sans.css" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36 Edg/95.0.1020.40"
访问记录来自于 squid 代理服务器的外网卡,代理服务器的外网口代替客户机在访问,使得 web 服务端无法得知客户的真实 IP。
