SQUID Frequently Asked Questions
---------------------------------------------------------------
The original of this text is at http://www.atals.net.ru/Squid-faq.html
---------------------------------------------------------------
Squid consists of the main squid program, the DNS lookup program dnsserver, the FTP retrieval program ftpget, and a few management tools. When squid starts it launches a configured number of dnsserver processes, each of which runs independently and blocks only on DNS lookups; this reduces the overall time spent waiting for DNS answers.
Squid grew out of the ARPA-funded Harvest project, http://harvest.cs.colorado.edu/
We needed something to distinguish it from the Harvest cache. Squid was the code name in the early stages of development, and it stuck.
This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
Please send corrections, updates and comments to: squid-faq@nlanr.net.
% gzip -dc squid-x.y.z-src.tar.gz | tar xvf -
Then configure, compile and install:
% cd squid-x.y.z
% ./configure
% make all
% make install
It is best to use the GNU C compiler (gcc). Recent versions of the source are written in ANSI C, so older compilers may not work. gcc is available from ftp://prep.ai.mit.edu/pub/gnu/. The configure script accepts several options; the most useful is --prefix, which installs into a different directory. The default is /usr/local/squid. To change it, do the following:
% cd squid-x.y.z
% ./configure --prefix=/some/other/directory/squid
/usr/local/squid/bin/RunCache &
% client http://www.netscape.com/ > test
There are other command-line HTTP clients as well. You may find these two useful: url_get, at ftp://ftp.pasteur.fr/pub/Network/url_get/, and echoping, at ftp://ftp.pasteur.fr/pub/Network/echoping/. Also check the two most important log files, access.log and cache.log.
cd squid-1.1.x
patch < /tmp/fixes.patch
Occasionally a patch is generated from the 'src' directory, in which case:
cd squid-1.1.x/src
patch < /tmp/fixes.patch
If patch complains and refuses to apply it, get a newer version, for example from the GNU FTP site.
For example, the following squid.conf on childcache.example.com configures the cache to fetch from one parent and two sibling caches:
# squid.conf - On the host: childcache.example.com
#
#  Format is: hostname  type  http_port  udp_port
#
cache_host parentcache.example.com parent  3128 3130
cache_host childcache2.example.com sibling 3128 3130
cache_host childcache3.example.com sibling 3128 3130
The cache_host_domain directive lets you specify, per domain, which sibling or parent caches are used:
# squid.conf - On the host: sv.cache.nlanr.net
#
#  Format is: hostname  type  http_port  udp_port
#
cache_host electraglide.geog.unsw.edu.au parent  3128 3130
cache_host cache1.nzgate.net.nz          parent  3128 3130
cache_host pb.cache.nlanr.net            parent  3128 3130
cache_host it.cache.nlanr.net            parent  3128 3130
cache_host sd.cache.nlanr.net            parent  3128 3130
cache_host uc.cache.nlanr.net            sibling 3128 3130
cache_host bo.cache.nlanr.net            sibling 3128 3130
cache_host_domain electraglide.geog.unsw.edu.au .au
cache_host_domain cache1.nzgate.net.nz .au .aq .fj .nz
cache_host_domain pb.cache.nlanr.net .uk .de .fr .no .se .it
cache_host_domain it.cache.nlanr.net .uk .de .fr .no .se .it
cache_host_domain sd.cache.nlanr.net .mx .za .mu .zm
The configuration above says that the cache will use pb.cache.nlanr.net and it.cache.nlanr.net for the uk, de, fr, no, se and it domains, sd.cache.nlanr.net for mx, za, mu and zm, cache1.nzgate.net.nz for au, aq, fj and nz, and electraglide.geog.unsw.edu.au for au as well. The two siblings, uc.cache.nlanr.net and bo.cache.nlanr.net, have no cache_host_domain line and are therefore queried for every domain. Note that a host in a domain that appears on none of the lists (a .com site, say) has no parent at all under this configuration, so the cache fetches it directly.
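The following is an added example, not code from the FAQ or from Squid itself: a small resolver for the cache_host / cache_host_domain semantics described above, so that you can check which peers a given request would be allowed to use before deploying a squid.conf. The configuration text is the sv.cache.nlanr.net example from the FAQ, embedded as a string. The domain-matching rule (a pattern with a leading dot matches that domain and every host under it; a pattern without one matches only that exact hostname) is assumed here from Squid's documented behaviour.

```javascript
// Added example: resolve which Squid peers may serve a request, given the
// cache_host and cache_host_domain directives. Not part of Squid.

// The FAQ's sv.cache.nlanr.net configuration, embedded for an offline run.
const SQUID_CONF = `
# squid.conf - On the host: sv.cache.nlanr.net
cache_host electraglide.geog.unsw.edu.au parent  3128 3130
cache_host cache1.nzgate.net.nz          parent  3128 3130
cache_host pb.cache.nlanr.net            parent  3128 3130
cache_host it.cache.nlanr.net            parent  3128 3130
cache_host sd.cache.nlanr.net            parent  3128 3130
cache_host uc.cache.nlanr.net            sibling 3128 3130
cache_host bo.cache.nlanr.net            sibling 3128 3130
cache_host_domain electraglide.geog.unsw.edu.au .au
cache_host_domain cache1.nzgate.net.nz .au .aq .fj .nz
cache_host_domain pb.cache.nlanr.net .uk .de .fr .no .se .it
cache_host_domain it.cache.nlanr.net .uk .de .fr .no .se .it
cache_host_domain sd.cache.nlanr.net .mx .za .mu .zm
`;

// Parse only the two directives we care about; every other line is ignored.
// Returns a Map from peer hostname to {type, httpPort, icpPort, domains}.
function parsePeers(conf) {
  const peers = new Map();
  for (const raw of conf.split("\n")) {
    const line = raw.replace(/#.*/, "").trim();   // strip comments
    if (!line) continue;
    const [directive, host, ...rest] = line.split(/\s+/);
    if (directive === "cache_host") {
      const [type, httpPort, icpPort] = rest;
      peers.set(host, { type, httpPort: Number(httpPort),
                        icpPort: Number(icpPort), domains: [] });
    } else if (directive === "cache_host_domain") {
      const peer = peers.get(host);
      if (!peer) throw new Error(`cache_host_domain for unknown peer ${host}`);
      peer.domains.push(...rest);
    }
  }
  return peers;
}

// Domain rule assumed from Squid's documented behaviour: ".au" matches "au"
// and any host ending in ".au"; a pattern without a leading dot matches that
// exact hostname only. Case-insensitive; a trailing dot on the host is ignored.
function domainMatches(host, pattern) {
  host = host.toLowerCase().replace(/\.$/, "");
  pattern = pattern.toLowerCase();
  if (pattern.startsWith(".")) {
    return host === pattern.slice(1) || host.endsWith(pattern);
  }
  return host === pattern;
}

// Peers (name and type) usable for a request to `host`: every peer without a
// cache_host_domain line, plus restricted peers whose domain list matches.
function peersFor(peers, host) {
  const out = [];
  for (const [name, p] of peers) {
    if (p.domains.length === 0 || p.domains.some(d => domainMatches(host, d))) {
      out.push({ name, type: p.type });
    }
  }
  return out;
}

// Parent names only. An empty list means Squid has no parent for this host
// and will fetch the object directly.
function parentsFor(peers, host) {
  return peersFor(peers, host).filter(p => p.type === "parent").map(p => p.name);
}

const PEERS = parsePeers(SQUID_CONF);
for (const h of ["www.foo.co.uk", "www.foo.com.au", "www.example.com"]) {
  console.log(h.padEnd(16), "parents:", JSON.stringify(parentsFor(PEERS, h)));
}
```

Running it shows the point made above: a .uk host gets both pb and it as parents, a .com.au host gets electraglide and cache1.nzgate, and a .com host gets no parent at all, only the two unrestricted siblings.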
cache_announce 24
announce_to sd.cache.nlanr.net:3131
Note: announcing a cache is not the same as joining the NLANR hierarchy. You can join the NLANR hierarchy without registering, and you can register without joining the NLANR cache hierarchy.
An accelerator caches incoming requests for outgoing data (for example, the data you publish on your own server). It thereby takes load off your HTTP server and your internal network. You move the server off port 80 (or whatever port it is on) and put the accelerator in its place; the accelerator forwards HTTP requests to the "real" HTTP server (only the accelerator needs to know where the real server is). The outside world sees no difference (except, perhaps, faster access).
Besides offloading the real web server, an accelerator can sit outside a firewall or any other network bottleneck and talk to the HTTP servers inside, reducing traffic across the bottleneck and simplifying configuration. Two or more accelerators communicating via ICP can increase the speed of a web server and its resilience to any single failure.
The Squid redirector can make an accelerator act as a single front end for several servers. If you need to move parts of your file system from one server to another, or if separately administered HTTP servers must logically appear under a single URL hierarchy, an accelerator will do it.
If you only want to cache the "rest of the world" to improve your local users' access to the Internet, accelerator mode should be turned off. Companies that run their own web server use an accelerator to speed access to it; those who care about efficient Internet access for local users use a caching proxy. Many, ourselves included, use both.
A comparison of the Squid cache with its relative Harvest shows an order-of-magnitude performance improvement over CERN and the other widely used caching programs. This advantage lets the cache act as an httpd accelerator: a cache configured as the main web server (on port 80), forwarding the requests it cannot serve itself to the real httpd (on port 81).
In this configuration the web site administrator moves all non-cacheable URLs to the httpd on port 81. The cache serves references to cacheable objects such as HTML pages and GIFs, and the real httpd (on port 81) serves everything uncacheable, such as queries and cgi-bin programs. If use of the server is dominated by cacheable objects, this configuration can substantially reduce the web server's load.
Bear in mind that it is best not to run squid as an httpd accelerator and as a caching proxy at the same time, since they have different operating modes; you will get better performance by running them on separate machines. Squid can nevertheless work simultaneously as an httpd accelerator and a caching proxy if you set httpd_accel_with_proxy to on in your squid.conf. If you do, remember that the accelerator's listener is normally reachable from the whole Internet and will then also accept ordinary proxy requests, so restrict who may use it with http_access ACLs, or you have published an open proxy.
Use the inside_firewall directive in squid.conf to list the domains that are inside the firewall relative to the cache. For example:
inside_firewall example.com
Several can be given:
inside_firewall example.com example.org example.net
Using inside_firewall gives two server-selection paths. Objects that fall under none of the listed domains are treated as being outside the firewall. For that same case:
It is therefore very important to have enough dnsserver processes to handle every lookup; otherwise squid may hang unexpectedly. In practice, determine the maximum number of dnsservers squid ever needs and add two more for safety. In other words, if you have only ever seen three dnsserver processes busy, leave at least five (the number is set with dns_children in squid.conf). And remember that dnsserver is small and puts little load on the system when idle.
No change to the Squid code is needed to use socks5. All that is required is to add -Dbind=SOCKSbind etc. to the compile line and -lsocks to the link line.
Here is a screenshot of manual proxy configuration in Netscape Navigator.
Here is a screenshot of automatic proxy configuration in Netscape Navigator. You can also consult the Netscape documentation on configuring the Navigator proxy with JavaScript at http://home.netscape.com/eng/mozilla/2.0/relnotes/demo/proxy-live.html
Here is an example JavaScript autoconfiguration file from Oskar Pearson:
// We (www.is.co.za) run a central cache for our customers that they
// access through a firewall - thus if they want to connect to their intranet
// system (or anything in their domain at all) they have to connect
// directly - hence all the "fiddling" to see if they are trying to connect
// to their local domain.
// Replace each occurrence of company.com with your domain name
// and if you have some kind of intranet system, make sure
// that you put its name in place of "internal" below.
// We also assume that your cache is called "cache.company.com", and
// that it runs on port 8080. Change it down at the bottom.
// (C) Oskar Pearson and the Internet Solution (http://www.is.co.za)

function FindProxyForURL(url, host)
{
    // If they have only specified a hostname, go directly.
    if (isPlainHostName(host))
        return "DIRECT";

    // These connect directly if the machine they are trying to
    // connect to starts with "intranet" - ie http://intranet
    // Connect directly if it is intranet.*
    // If you have another machine that you want them to
    // access directly, replace "internal*" with that
    // machine's name
    if (shExpMatch(host, "intranet*") ||
        shExpMatch(host, "internal*"))
        return "DIRECT";

    // Connect directly to our domains (NB for Important News)
    if (dnsDomainIs(host, "company.com") ||
        // If you have another domain that you wish to connect to
        // directly, put it in here
        dnsDomainIs(host, "sistercompany.com"))
        return "DIRECT";

    // So the error message "no such host" will appear through the
    // normal Netscape box - less support queries :)
    if (!isResolvable(host))
        return "DIRECT";

    // We only cache http, ftp and gopher
    if (url.substring(0, 5) == "http:" ||
        url.substring(0, 4) == "ftp:" ||
        url.substring(0, 7) == "gopher:")
        // Change the ":8080" to the port that your cache
        // runs on, and "cache.company.com" to the machine that
        // you run the cache on
        return "PROXY cache.company.com:8080; DIRECT";

    // We don't cache WAIS
    if (url.substring(0, 5) == "wais:")
        return "DIRECT";
    else
        return "DIRECT";
}
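The following is an added example, not part of the FAQ or of Oskar Pearson's script: an offline harness for the FindProxyForURL function above. Browsers supply the PAC helpers isPlainHostName, dnsDomainIs, shExpMatch and isResolvable; they are re-implemented here with the semantics of the original Netscape/Mozilla helpers (dnsDomainIs in particular is a plain string-suffix test), so the script can be run under Node. The set of "resolvable" hosts is constructed for this example and stands in for real DNS. The harness also shows the one check a reviewer should make on any PAC file of this shape: because dnsDomainIs(host, "company.com") is a suffix match, a host such as evilcompany.com also goes DIRECT and bypasses the cache, which the stricter, label-aware variant below avoids.

```javascript
// Added example: run the FAQ's FindProxyForURL offline and compare the
// as-written domain test with a label-aware one. Not part of the FAQ.

// Constructed stand-in for DNS: hosts that "resolve" in this example.
const RESOLVABLE = new Set([
  "www.company.com", "intranet.company.com", "news.sistercompany.com",
  "www.example.net", "ftp.example.net", "evilcompany.com",
]);

function isPlainHostName(host) {
  return !host.includes(".");
}

// Netscape/Mozilla semantics: a plain string-suffix test, with no check that
// the match starts on a label boundary.
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
         host.substring(host.length - domain.length) === domain;
}

// Shell glob with '*' and '?' matched against the whole string.
function shExpMatch(str, pattern) {
  const esc = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                     .replace(/\*/g, ".*").replace(/\?/g, ".");
  return new RegExp("^" + esc + "$").test(str);
}

function isResolvable(host) {
  return RESOLVABLE.has(host);
}

// Label-aware variant: matches the domain itself and anything under it,
// but not "evilcompany.com" for "company.com".
function dnsDomainIsStrict(host, domain) {
  return host === domain || dnsDomainIs(host, "." + domain);
}

// The FAQ's decision order, unchanged; the domain test is a parameter so the
// two variants can be compared.
function makeFindProxyForURL(domainIs) {
  return function FindProxyForURL(url, host) {
    if (isPlainHostName(host)) return "DIRECT";
    if (shExpMatch(host, "intranet*") || shExpMatch(host, "internal*")) return "DIRECT";
    if (domainIs(host, "company.com") || domainIs(host, "sistercompany.com")) return "DIRECT";
    if (!isResolvable(host)) return "DIRECT";
    if (url.substring(0, 5) === "http:" || url.substring(0, 4) === "ftp:" ||
        url.substring(0, 7) === "gopher:")
      return "PROXY cache.company.com:8080; DIRECT";
    return "DIRECT";            // wais: and anything else
  };
}

const findProxyAsWritten = makeFindProxyForURL(dnsDomainIs);
const findProxyStrict = makeFindProxyForURL(dnsDomainIsStrict);

// Host part of a URL; done by hand so gopher:/wais: URLs are handled the same
// way as http: ones.
function hostOf(url) {
  return url.replace(/^[a-z]+:\/\//i, "").split(/[/:?]/)[0];
}

// Evaluate one URL with both variants: returns [asWritten, strict].
function decide(url) {
  const host = hostOf(url);
  return [findProxyAsWritten(url, host), findProxyStrict(url, host)];
}

for (const u of ["http://intranet/", "http://www.company.com/",
                 "http://www.example.net/", "http://evilcompany.com/",
                 "wais://www.example.net/", "http://nonexistent.example/"]) {
  console.log(u.padEnd(30), decide(u).join("  |  "));
}
```

Only the evilcompany.com line differs between the two columns: the script as written sends it DIRECT, the strict variant sends it through the cache. The same effect can be had without a new helper by writing dnsDomainIs(host, ".company.com") in the original script, at the cost of no longer matching the bare apex name company.com.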
% setenv http_proxy http://mycache.example.com:3128/
% setenv gopher_proxy http://mycache.example.com:3128/
% setenv ftp_proxy http://mycache.example.com:3128/
For Lynx, the proxy settings can be made in the file lynx.cfg. Set this way, all Lynx users can use the proxy without having to set environment variables individually. For example:
http_proxy:http://mycache.example.com:3128/
ftp_proxy:http://mycache.example.com:3128/
gopher_proxy:http://mycache.example.com:3128/
Here is a screenshot of proxy configuration in Internet Explorer.
Microsoft also intends to support automatic proxy configuration via JavaScript, as Netscape does. At present only MSIE version 3.0a for Windows 3.1 and Windows NT 3.51 supports this feature (version 3.01 build 1225 for Windows 95 and NT 4.0, for example, does not).
If your version of MSIE supports it, choose Options from the View menu. Click the Advanced tab and, in the lower left corner, click the Automatic Configuration button. Enter the URL of your JavaScript file, then restart MSIE. MSIE re-reads the JavaScript file every time it starts.
A screenshot is attached.
The same dialog has a button that opens an exceptions window, where you can list the hosts or domains that should be contacted directly rather than through the proxy. Here is a screenshot.
Warning: this technique has several significant shortcomings!
#
# Code maturity level options
#
CONFIG_EXPERIMENTAL=y
#
# Networking options
#
CONFIG_FIREWALL=y
# CONFIG_NET_ALIAS is not set
CONFIG_INET=y
CONFIG_IP_FORWARD=y
# CONFIG_IP_MULTICAST is not set
CONFIG_IP_FIREWALL=y
# CONFIG_IP_FIREWALL_VERBOSE is not set
CONFIG_IP_MASQUERADE=y
CONFIG_IP_TRANSPARENT_PROXY=y
CONFIG_IP_ALWAYS_DEFRAG=y
# CONFIG_IP_ACCT is not set
CONFIG_IP_ROUTER=y
Get the ipfwadm source from http://www.xos.nl/linux/ipfwadm/ and install it. ipfwadm is needed to set up the redirection rules. I added these rules to the script run from /etc/rc.d/rc.inet1 (Slackware) that sets up the interface at boot. The redirection must be in place before any input rules are set. To make sure it works I disabled forwarding (masquerading).
/etc/rc.d/rc.firewall:
#!/bin/sh
# rc.firewall   Linux kernel firewalling rules
FW=/sbin/ipfwadm

# Flush rules, for testing purposes
for i in I O F      # A    # If we enabled accounting too
do
        ${FW} -$i -f
done

# Default policies:
${FW} -I -p rej     # Incoming policy: reject (quick error)
${FW} -O -p acc     # Output policy: accept
${FW} -F -p den     # Forwarding policy: deny

# Input Rules:

# Loopback-interface (local access, eg, to local nameserver):
${FW} -I -a acc -S localhost/32 -D localhost/32

# Local Ethernet-interface:

# Redirect to Squid proxy server:
${FW} -I -a acc -P tcp -D default/0 80 -r 80

# Accept packets from local network:
${FW} -I -a acc -P all -S localnet/8 -D default/0 -W eth0

# Only required for other types of traffic (FTP, Telnet):

# Forward localnet with masquerading (udp and tcp, no icmp!):
${FW} -F -a m -P tcp -S localnet/8 -D default/0
${FW} -F -a m -P udp -S localnet/8 -D default/0
All local-network traffic to port 80 of any destination is redirected to local port 80. The rules can be listed and look something like this:
IP firewall input rules, default policy: reject
type   prot source        destination   ports
acc    all  127.0.0.1     127.0.0.1     n/a
acc/r  tcp  10.0.0.0/8    0.0.0.0/0     * -> 80 => 80
acc    all  10.0.0.0/8    0.0.0.0/0     n/a
acc    tcp  0.0.0.0/0     0.0.0.0/0     * -> *
Here are the important settings in squid.conf:
http_port 80
icp_port 3130
httpd_accel virtual 80
httpd_accel_with_proxy on
Note that virtual is the magic word here! Also note that, with http_port set to 80 and httpd_accel_with_proxy on, anything that can reach port 80 on this machine can use it as an ordinary proxy as well as a transparent one; restrict that with http_access ACLs unless the firewall already limits who can reach the port.
I tested this on Windows 95 with both Microsoft Internet Explorer 3.01 and Netscape Communicator, and it works with both, with their proxy settings disabled.
Once squid seemed to loop when I pointed the browser at local port 80. This can be avoided by adding the line:
${FW} -I -a rej -P tcp -S localnet/8 -D dec/32 80
IP firewall input rules, default policy: reject
type   prot source        destination   ports
acc    all  127.0.0.1     127.0.0.1     n/a
rej    tcp  10.0.0.0/8    10.0.0.1      * -> 80
acc/r  tcp  10.0.0.0/8    0.0.0.0/0     * -> 80 => 80
acc    all  10.0.0.0/8    0.0.0.0/0     n/a
acc    tcp  0.0.0.0/0     0.0.0.0/0     * -> *
A note on name resolution: instead of simply handing the URL to the proxy, the browser resolves the names itself. Udo