Preface
All of the Squid service's settings live in the main configuration file /etc/squid/squid.conf. Through the parameters in this file you can realise most of the proxy server's functionality, such as ACLs, forward proxying, reverse proxying and transparent proxying.
Part of the /etc/squid/squid.conf configuration file is shown below:
#
# Recommended minimum configuration:
#

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 0.0.0.1-0.255.255.255  # RFC 1122 "this" network (LAN)
acl localnet src 10.0.0.0/8             # RFC 1918 local private network (LAN)
acl localnet src 100.64.0.0/10          # RFC 6598 shared address space (CGN)
acl localnet src 169.254.0.0/16         # RFC 3927 link-local (directly plugged) machines
acl localnet src 172.16.0.0/12          # RFC 1918 local private network (LAN)
acl localnet src 192.168.0.0/16         # RFC 1918 local private network (LAN)
acl localnet src fc00::/7               # RFC 4193 local private network range
acl localnet src fe80::/10              # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost

# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128
http_port 3128

# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/spool/squid 100 16 256

# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid

#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320
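To see how the acl and http_access lines above combine, here is a small evaluator, added as an example here and not part of the original page or of Squid itself. It reads a constructed subset of the recommended configuration (SAMPLE_CONF, an assumption; only src, port and method ACL types are modelled) and applies Squid's first-match rule: a line applies only when every term on it matches, "!" negates a term, and if no line matches the opposite of the last line's action is used.

```python
import ipaddress

# Constructed subset of the recommended minimum squid.conf above (sample input, not a full parser).
SAMPLE_CONF = """
acl localnet src 10.0.0.0/8
acl localhost src 127.0.0.1/32
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 443
acl Safe_ports port 1025-65535
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access allow localhost
http_access deny all
"""

def parse_conf(text):
    """Collect acl definitions and http_access rules; 'all' is built in to Squid."""
    acls = {"all": ("src", ["0.0.0.0/0", "::/0"])}
    rules = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()      # drop comments and blank lines
        if parts and parts[0] == "acl":
            acls.setdefault(parts[1], (parts[2], []))[1].extend(parts[3:])
        elif parts and parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return acls, rules

def acl_matches(acl, request):
    """Only src (CIDR), port (single or lo-hi range) and method ACLs are modelled here."""
    kind, values = acl
    if kind == "src":
        ip = ipaddress.ip_address(request["src"])
        return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    if kind == "port":
        return any(int(lo) <= request["port"] <= int(hi or lo)
                   for lo, _, hi in (v.partition("-") for v in values))
    if kind == "method":
        return request["method"] in values
    return False  # unsupported ACL types never match in this toy evaluator

def http_access(acls, rules, request):
    """First match wins ('!' negates a term); no match gives the opposite of the last line's action."""
    for action, terms in rules:
        if all(acl_matches(acls[t.lstrip("!")], request) != t.startswith("!") for t in terms):
            return action
    return "deny" if rules and rules[-1][0] == "allow" else "allow"
```

Running it shows, for instance, that a CONNECT from the LAN to port 8443 is denied by the second line even though 8443 is a Safe_port, while a plain GET from the LAN to port 22 is stopped by the first line.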
Commonly used parameters in the configuration file and their explanations

Parameter                                         Explanation
acl all src 0.0.0.0/0.0.0.0                       Allows access from all IP addresses
acl manager proto http                            The manager URL protocol is http
acl localhost src 127.0.0.1/255.255.255.255       Allows the local host IP to access the proxy server
acl to_localhost dst 127.0.0.1                    Allows the destination address to be the local host IP
acl Safe_ports port 80                            Sets port 80 as an allowed safe port
acl CONNECT method CONNECT                        The request method is CONNECT
acl OverConnLimit maxconn 16                      Limits each IP to at most 16 connections
icp_access deny all                               Forbids sending and receiving ICP requests to and from neighbour caches
miss_access allow all                             Allows direct (miss) update requests
ident_lookup_access deny all                      Disables lookup checks against DNS
http_port 8080 transparent                        Specifies the port on which Squid listens for browser client requests
fqdncache_size 1024                               FQDN cache size
maximum_object_size_in_memory 2 MB                Largest object allowed to be loaded into memory
memory_replacement_policy heap LFUDA              Memory replacement policy
max_open_disk_fds 0                               Maximum number of open files; 0 means unlimited
minimum_object_size 1 KB                          Minimum allowed size of a requested object
maximum_object_size 20 MB                         Maximum allowed size of a requested object
cache_swap_high 95                                Allows at most 95% of the swap to be used
access_log /var/log/squid/access.log squid        Defines where the log records are stored
cache_store_log none                              Disables the store log
icp_port 0                                        Specifies the port Squid uses to send and receive ICP requests with neighbour caches
coredump_dir /var/log/squid                       Defines the core dump directory
ignore_unknown_nameservers on                     Enables reverse DNS checking; when the domain's address does not match, access is denied
always_direct allow all                           When the cache is missed or absent, all requests are forwarded directly to the origin server
cache_dir ufs /var/spool/squid 100 16 256         Specifies the disk cache: cache directory capacity (in MB), number of first-level directories, number of second-level directories
access_log /var/log/squid/access.log              Sets the access log
dns_nameservers 10.80.90.103                      Specifies the DNS server address