Руководство по установке прокси-сервера Squid на FreeBSD

10.09.2002 17:39

В статье "Setting Up Squid on FreeBSD" в типичном для статей daemonnews лаконичном и всеохватывающем стиле достаточно неплохо описываются тонкости установки и настройки proxy-сервера Squid под FreeBSD, упомянута даже технология ограничения трафика через delay-pools и органзация принудительного заворачивания (transparent) трафика в через прокси.

Кратко:

./configure --enable-delay-pools --enable-ipf-transparent 
            --enable-storeio=diskd,ufs --enable-storeio=diskd,ufs 
            --disable-ident-lookups --enable-snmp --enable-removal-policies


/usr/local/squid/etc/squid.conf:

	# Need for transparent proxy
	# You need to --enable-ipf-transparent
	http_port 3128
	httpd_accel_host virtual
	httpd_accel_port 80
	httpd_accel_with_proxy  on
	httpd_accel_uses_host_header on

	# Physical memory / 3
	cache_mem 128 MB
	# Max out Squid I/O perfomance, 15 GB cache and use Squid special diskd
        # but you need to recompile the kernel
	# To use disk you need to --enable-storeio=diskd,ufs
	# Reasonable values for Q1 and Q2 are 72 and 64, respectively.
	# Q1 value must bigger Q2
	cache_dir diskd /usr/local/squid/cache 15360 16 256 Q1=72 Q2=64

	# You can use normal ufs instead
	#cache_dir ufs /usr/local/squid/cache 15360 16 256

	# I dont want to log anything
	# The reason is to save some expensive I/O operation.
	cache_access_log /dev/null
	cache_store_log none
	cache_log /dev/null

	# Cache replacement policy
	# The  heap GDSF policy optimizes object-hit rate by keeping  smaller popular
	# objects in cache, so it has a better chance of getting a hit. It achieves  a
	# lower byte hit rate than LFUDA, though, since it evicts larger (possibly popular)
	# objects.
	# The  heap LFUDA  ( Least  Frequently Used  with Dynamic  Aging )  policy keeps
	# popular objects in cache  regardless of their size  and thus optimizes byte  hit
	# rate at the  expense of hit  rate since one  large, popular object  will prevent
	# many smaller, slightly less popular objects from being cached.
	# You need to --enable-removal-policies
	cache_replacement_policy GDSF

	# Standard Access List
	# I have two subnets, one for student and another one for admin
	# Modify this according to your network
	acl all src 0.0.0.0/0.0.0.0
	acl manager proto cache_object
	acl localhost src 127.0.0.1/255.255.255.255
	acl outgoing src 192.168.10.2/255.255.255.255
	acl student src 192.168.0.0/255.255.255.0
	acl admin src 192.168.1.0/255.255.255.0
	acl SSL_ports port 443 563
	acl Safe_ports port 80          # http
	acl Safe_ports port 21          # ftp
	acl Safe_ports port 443 563     # https, snews
	acl Safe_ports port 70          # gopher
	acl Safe_ports port 210         # wais
	acl Safe_ports port 1025-65535  # unregistered ports
	acl Safe_ports port 280         # http-mgmt
	acl Safe_ports port 488         # gss-http
	acl Safe_ports port 591         # filemaker
	acl Safe_ports port 777         # multiling http
	acl CONNECT method CONNECT

	http_access allow manager
	http_access allow localhost
	http_access allow outgoing
	http_access allow student
	http_access allow admin
	http_access deny !Safe_ports
	http_access deny CONNECT !SSL_ports
	http_access deny all

	icp_access allow localhost
	icp_access allow student
	icp_access allow admin
	icp_access deny all

	# Avoid caching cgi scripts
	acl QUERY urlpath_regex cgi-bin
	no_cache deny QUERY

	acl magic_words1 url_regex -i 192.168
	acl magic_words2 url_regex -i ftp .exe .mp3 .vqf .tar.gz .gz .rpm .zip .rar .avi
 .mpeg .mpe .mpg .qt .ram .rm .iso .raw .wav .mov

	# Delay Pool
	# For delay pool, you need to --enable-delay-pools
	delay_pools 2

	# I have ADSL 2Mbits line
	# 2 mbits == 256 kbytes per second
	# 256 KB/s, 5 KB/s
	# It means 256 KB/s bandwith for the whole network, 
        # but 5 KB/s for each node, which is fair for everybody
	delay_class 1 2
	delay_parameters 1 256000/256000 5000/256000
	delay_access 1 allow magic_words2
	delay_access 1 allow student
	delay_access 1 allow admin

	# -1/-1 means that there are no limits for local traffic.
	delay_class 2 2
	delay_parameters 2 -1/-1 -1/-1
	delay_access 2 allow magic_words1

	# Cancel download if file is bigger than 1MB
	reply_body_max_size 1024 KB

	# snmp stuff
	acl snmppublic snmp_community public
	snmp_access allow snmppublic localhost
	snmp_access deny all

	# Change to your domain
	# visible_hostname yourdomain.domain.com
	# cache_mgr yourname@youremail.com


mkdir /usr/local/squid/cache
chown nobody:nogroup cache
/usr/local/squid/bin/squid -k parse
/usr/local/squid/bin/squid -z



/etc/rc.conf:
        ipfilter_enable="YES"
	ipnat_enable="YES"
	ipmon_enable="YES"
	ipfs_enable="YES"


/etc/ipnat.rules
	rdr rl0 0/0 port 80 -> 127.0.0.1 port 3128 tcp

Пересобираем ядро:
	options         SYSVMSG
	options         MSGMNB=8192     # max # of bytes in a queue
	options         MSGMNI=40       # number of message queue identifiers
	options         MSGSEG=512      # number of message segments per queue
	options         MSGSSZ=64       # size of a message segment
	options         MSGTQL=2048     # max messages in system

исправить +/–

Главная ссылка к новости (http://ezine.daemonnews.org/20...)

Лицензия: CC-BY

Источник: daemonnews

Тип: Интересно

Короткая ссылка: https://opennet.ru/1494-bsd

Ключевые слова: bsd, squid, proxy, howto, install

При перепечатке указание ссылки на opennet.ru обязательно

Обсуждение (3)

RSS

1, alex (?), 19:28, 10/09/2002 [ответить]	+/–
Хорошая статья без "воды"

2, Аноним (2), 18:56, 04/11/2002 [ответить]	+/–
А как быть, если при ./configure говорит, что нет файлов для transparent proxy, хотя этот port установлен?

3, kamuzoff (?), 22:32, 05/09/2005 [ответить]	+/–
неплохо было бы такую же статью сгенерить для freeBSD 5.4 например на эту конфигурацию сквид 2.5.10 ругается на строку с Q1 и Q2 - их я просто удалил на строку c reply_body_max_size - теперь у неё синтаксис без KB и в конце по умолчанию добавляется allow all сейчас буду тестить.

Добавить комментарий

Текст: