科技行者

行者学院 转型私董会 科技行者专题报道 网红大战科技行者

知识库

知识库 安全导航



ZDNet>网络频道>ZD评测>FreeBsd5.4+pf+squid反向代理实战笔记

  • 扫一扫
    分享文章到微信

  • 扫一扫
    关注官方公众号
    至顶头条

本向向大家介绍FreeBsd5.4+pf+squid反向代理实战笔记。

来源: 2007年10月12日

关键字:FreeBsd5.4+pf+squid 反向代理 笔记

  1、硬件配置

        HP NETSERVER 800 PⅢ1000 内存256M Inter82559网卡两张

  2、分区情况

  Filesystem Size Used Avail Capacity Mounted on

  /dev/da0s1a 248M 54M 174M 24% /

  devfs 1.0K 1.0K 0B 100% /dev

  /dev/da0s1f 4.8G 130M 4.3G 3% /home

  /dev/da0s1d 248M 12K 228M 0% /tmp

  /dev/da0s1g 4.8G 565M 3.9G 12% /usr

  /dev/da0s1e 5.8G 410K 5.3G 0% /var

  

  3、系统安装情况

  采用最小化安装

  并且安装src和ports(原本打算采用ports安装,但是不知道怎么搞的,竟然不能cvs源码,当然也就不能通过ports安装,无奈之下只能采用源码编译)

  4、内核编译

  没有对内核采用优化,这里只是为了验证pf和squid结合做反向代理的可行性,在实际的生产应用中应该对服务器内核做一定程度的优化。

  cd /usr/src/sys/i386/conf

  cp GENERIC cache

  

  编辑内核cache在内核中添加如下选项

  device pf

  device pflog

  device pfsync

  options ALTQ

  options ALTQ_CBQ

  

  编译内核

  /usr/sbin/config cache

  cd ../config/cache

  make depend

  make

  make install

  

  至此内核编译完毕

  reboot

  

  5、让系统自动加载pf

  编辑/etc/rc.conf

  usbd_enable="NO"

  defaultrouter="218.4.xxx.xxx"

  hostname="cache.aaa.com"

  ifconfig_fxp0="inet 218.4.xxx.xxx netmask 255.255.255.248"

  ifconfig_fxp1="inet 192.168.2.10 netmask 255.255.255.0"

  gateway_enable="YES"

  inetd_enable="YES"

  pf_enable="YES"

  pf_rules="/etc/pf.conf"

  pf_flags=""

  pflog_enable="YES"

  pflog_logfile="/var/log/pflog"

  sshd_enable="YES"

  

  6、打开ip转发

  在/etc/sysctl.conf中添加如下内容

7、实现共享上网,最简单的pf设置
wan_if="fxp0"
lan_if="fxp1"
inter_net="192.168.2.0/24"
web_server="192.168.2.3"
ftp_server="192.168.2.3"
scrub in all
nat on $wan_if from $inter_net to any -> fxp0
rdr on fxp1 proto tcp from $lan_if to any port 80 -> $lan_if port 80
rdr on fxp1 proto tcp from any to any port 21 -> 127.0.0.1 port 8021
#rdr on fxp0 proto tcp from any to $wan_if port 80 ->$web_server port 8080
#rdr on fxp1 proto tcp from $lan_if to $wan_if port 80 ->$web_server port 8080
rdr on $wan_if proto tcp from any to any port 21 -> $ftp_server port 21
rdr on $wan_if proto tcp from any to any port 49152:65535 -> $ftp_server port 49152:65535
# in on $wan_if
pass in quick on $wan_if proto tcp from any to $ftp_server port 21 keep state
pass in quick on $wan_if proto tcp from any to $ftp_server port > 49151 keep state
# out on $lan_if
pass out quick on $lan_if proto tcp from any to $ftp_server port 21 keep state
pass out quick on $lan_if proto tcp from any to $ftp_server port > 49151 keep state
#Disable danger port
#Danger_Port="{445 135 139 593 5554 9995 9996}"
#block quick on $wan_if inet proto tcp from any to any port $Danger_Port
#block quick on $wan_if inet proto tcp from any to any port $Danger_Port
pass in all
pass out all
(最后这两条在实际的应用中是不可靠的,应该先限制所有,然后逐步打开自己需要的服务)

pf的设置到此基本完毕

下面开始squid部分

1、安装squid
./configure --enable-useragent-log
--enable-referer-log
--enable-default-err-language=Simplify_Chinese
--enable-err-languages="Simplify_Chinese English"
--disable-internal-dns
--enable-pf-transparent
#make
#make install
#mkdir /home/cache(创建存放cache的目录)
2、增加squid运行的用户和用户组(我的都设为squid)
chown squid:squid /home/cache
ee /usr/local/squid/etc/squid.conf
在/etc/hosts中加入内部的DNS解析,比如我的:
192.168.2.2 www.aaa.com
192.168.2.3 mail.aaa.com
3、下面开始配置squid.conf文件(下面是我的配置文件)
visible_hostname cache . example.com
cache_dir ufs /home/cache 1024 16 256
cache_mem 100 MB
cache_effective_user squid
cache_effective_group squid
http_port 80
httpd_accel_host virtual
httpd_accel_single_host off
httpd_accel_port 80
httpd_accel_uses_host_header on
httpd_accel_with_proxy on
# accelerater my domain only
acl acceleratedHostA dstdomain . example1.com
#acl acceleratedHostB dstdomain .example2.com
#acl acceleratedHostC dstdomain .example3.com
# accelerater http protocol on port 80
acl acceleratedProtocol protocol HTTP
acl acceleratedPort port 80
# access arc
acl all src 0.0.0.0/0.0.0.0
# Allow requests when they are to the accelerated machine AND to the
# right port with right protocol
http_access allow acceleratedProtocol acceleratedPort acceleratedHostA
#http_access allow acceleratedProtocol acceleratedPort acceleratedHostB
#http_access allow acceleratedProtocol acceleratedPort acceleratedHostC
# logging
emulate_httpd_log on
cache_store_log none
# manager
acl manager proto cache_object
http_access allow manager all
cachemgr_passwd pass all
squid.conf文件配置完成
squid.conf文件配置完成
4、目录权限设置
chown –R squid:squid /home/cache
创建日志文件,默认的在/usr/local/squid/var/access.log

5、创建缓存目录:
/usr/local/squid/sbin/squid -z
启动squid
/usr/local/squid/sbin/squid
在这个笔记中我的构建意图是

web服务通过squid反向代理来完成

至于其他(我现在只有ftp)服务则通过pf来完成

那么为了完成这个目标我们还需要在pf规则中添加如下语句

rdr on $lan_if proto tcp from $lan_if to any port 80 -> $lan_if port 80

($lan_if是我网关机的内网卡)凡是对80端口的访问,都统统转发到网关上Squid侦听端口80,而在pf规则中只允许ftp服务通过(疑问是外网访问呢,是否也需要添加类似的这句呢)

至此,FreeBsd5.4+pf+squid反向代理基本完成。
推广二维码
邮件订阅

如果您非常迫切的想了解IT领域最新产品与技术信息,那么订阅至顶网技术邮件将是您的最佳途径之一。

重磅专题