[English title:How to install Squid in Ubuntu 16.04 LTS?]
[前言]
因為做論文研究關係,需要用到 Squid 這類的 proxy server 來做網址導向(redirection)的動作。
[環境需求]
本次的Linux Distro:Ubuntu 16.04 LTS
[開始安裝!]
1 2 3 4 5 6 7 8 9 10 11 12 13 | # 更新套件sudo apt-get updatesudo apt-get install squid# 複製一份設定檔,若改錯還可以把設定回復。sudo cp /etc/squid/squid.conf /etc/squid/squid.conf.backup# 編輯 squid.confsudo vim /etc/squid/squid.conf |
[squid.conf 的設定]
這邊只設定成:把指定的網址做重新導向的動作。
那我們是靠著 PHP script 來處理重新導向的動作,squid 會監聽所有的 HTTP 請求。
把他們交給 PHP 之後,接著交由 PHP 執行,接著 PHP 會去跑我們指定的 PHP script ,處理完並得到結果後進行輸出,結束。
以下是 squid.conf 的內容:除了下面有一些客製化的設定之外,基本上可以直接複製拿來做使用的。
我把 configuration (squid.conf) 貼在Gist:
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # WELCOME TO SQUID 3.5.12 | |
| # ---------------------------- | |
| # | |
| # This is the documentation for the Squid configuration file. | |
| # This documentation can also be found online at: | |
| # http://www.squid-cache.org/Doc/config/ | |
| # | |
| # You may wish to look at the Squid home page and wiki for the | |
| # FAQ and other documentation: | |
| # http://www.squid-cache.org/ | |
| # http://wiki.squid-cache.org/SquidFaq | |
| # http://wiki.squid-cache.org/ConfigExamples | |
| # | |
| # This documentation shows what the defaults for various directives | |
| # happen to be. If you don't need to change the default, you should | |
| # leave the line out of your squid.conf in most cases. | |
| acl SSL_ports port 443 | |
| acl Safe_ports port 80 # http | |
| acl Safe_ports port 21 # ftp | |
| acl Safe_ports port 443 # https | |
| acl Safe_ports port 70 # gopher | |
| acl Safe_ports port 210 # wais | |
| acl Safe_ports port 1025-65535 # unregistered ports | |
| acl Safe_ports port 280 # http-mgmt | |
| acl Safe_ports port 488 # gss-http | |
| acl Safe_ports port 591 # filemaker | |
| acl Safe_ports port 777 # multiling http | |
| acl CONNECT method CONNECT | |
| # Recommended minimum Access Permission configuration: | |
| # | |
| # Deny requests to certain unsafe ports | |
| http_access deny !Safe_ports | |
| # Deny CONNECT to other than secure SSL ports | |
| http_access deny CONNECT !SSL_ports | |
| # Only allow cachemgr access from localhost | |
| http_access allow localhost manager | |
| http_access deny manager | |
| # Squid normally listens to port 3128 | |
| http_port 3128 | |
| # TAG: https_port | |
| # If shared memory caching is enabled, Squid does not use the shared | |
| # cache space for in-transit objects, but they still consume as much | |
| # local memory as they need. For more details about the shared memory | |
| # cache, see memory_cache_shared. | |
| #Default: | |
| cache_mem 8 MB | |
| # TAG: maximum_object_size_in_memory (bytes) | |
| # Objects greater than this size will not be attempted to kept in | |
| # the memory cache. This should be set high enough to keep objects | |
| # accessed frequently in memory to improve performance whilst low | |
| # enough to keep larger objects from hoarding cache_mem. | |
| #Default: | |
| maximum_object_size_in_memory 1024 KB | |
| # See also cache_swap_high and cache_replacement_policy | |
| #Default: | |
| cache_swap_low 90 | |
| # TAG: cache_swap_high (percent, 0-100) | |
| # See also cache_swap_low and cache_replacement_policy | |
| #Default: | |
| cache_swap_high 95 | |
| # Leave coredumps in the first cache dir | |
| coredump_dir /var/spool/squid | |
| # The refresh_pattern lines are checked in the order listed here. | |
| # The first entry which matches is used. If none of the entries | |
| # match the default will be used. | |
| # | |
| # Note, you must uncomment all the default lines if you want | |
| # to change one. The default setting is only active if none is | |
| # used. | |
| # | |
| # | |
| # | |
| # Add any of your own refresh_pattern entries above these. | |
| # | |
| refresh_pattern ^ftp: 1440 20% 10080 | |
| refresh_pattern ^gopher: 1440 0% 1440 | |
| refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 | |
| refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880 | |
| # example lin deb packages | |
| #refresh_pattern (\.deb|\.udeb)$ 129600 100% 129600 | |
| refresh_pattern . 0 20% 4320 | |
| # ADMINISTRATIVE PARAMETERS | |
| # ----------------------------------------------------------------------------- | |
| # TAG: cache_mgr | |
| # Email-address of local cache manager who will receive | |
| # mail if the cache dies. The default is "webmaster". | |
| cache_mgr peter279k@gmail.com | |
| #Default: | |
| # cache_mgr webmaster | |
| # TAG: visible_hostname | |
| visible_hostname lab223 | |
| # TAG: ipcache_size (number of entries) | |
| # Maximum number of DNS IP cache entries. | |
| #Default: | |
| ipcache_size 1024 | |
| # TAG: ipcache_low (percent) | |
| #Default: | |
| ipcache_low 90 | |
| # TAG: ipcache_high (percent) | |
| # The size, low-, and high-water marks for the IP cache. | |
| #Default: | |
| ipcache_high 95 | |
| # TAG: fqdncache_size (number of entries) | |
| # Maximum number of FQDN cache entries. | |
| #Default: | |
| fqdncache_size 1024 | |
| # Custom configuration | |
| acl MyNetwork src 192.168.0.1 | |
| acl BLKSite dstdomain www.google.com.pa | |
| deny_info https://google.com.tw all | |
| http_reply_access deny BLKSite all | |
| http_access allow MyNetwork | |
| url_rewrite_program /etc/squid/url_redirect.php | |
| url_rewrite_children 5 | |
| #http_access deny all | |
| forwarded_for off | |
| request_header_access Allow allow all | |
| request_header_access Authorization allow all | |
| request_header_access WWW-Authenticate allow all | |
| request_header_access Proxy-Authorization allow all | |
| request_header_access Proxy-Authenticate allow all | |
| request_header_access Cache-Control allow all | |
| request_header_access Content-Encoding allow all | |
| request_header_access Content-Length allow all | |
| request_header_access Content-Type allow all | |
| request_header_access Date allow all | |
| request_header_access Expires allow all | |
| request_header_access Host allow all | |
| request_header_access If-Modified-Since allow all | |
| request_header_access Last-Modified allow all | |
| request_header_access Location allow all | |
| request_header_access Pragma allow all | |
| request_header_access Accept allow all | |
| request_header_access Accept-Charset allow all | |
| request_header_access Accept-Encoding allow all | |
| request_header_access Accept-Language allow all | |
| request_header_access Content-Language allow all | |
| request_header_access Mime-Version allow all | |
| request_header_access Retry-After allow all | |
| request_header_access Title allow all | |
| request_header_access Connection allow all | |
| request_header_access Proxy-Connection allow all | |
| request_header_access User-Agent allow all | |
| request_header_access Cookie allow all | |
| request_header_access All deny all |
by 以及:url_redirect.php (squid.conf 的 134行,使用 PHP script 處理導向)
作用:指的是,若連線到:www.animen.com.tw 就導向到:www.google.com.sa
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/php | |
| # Squid URL Rewrite program : Codes picked from the internet. | |
| <?php | |
| $temp = array(); | |
| while ( $input = fgets(STDIN) ) { | |
| // Split the output (space delimited) from squid into an array. | |
| $temp = split(' ', $input); | |
| // Set the URL from squid to a temporary holder. | |
| $output = $temp[0] . "\n"; | |
| // Clean the Requesting IP Address field up. | |
| $ip = split('/',rtrim($temp[1], "/-")); | |
| if (preg_match("/^http:\/\/www.animen.com.tw/i", $temp[0])) { | |
| $output = "301:https://www.google.com.sa/\n"; | |
| } | |
| echo $output; | |
| } |
[解析]
比較重要的地方是從:#custom configuration 下面開始(在 129 行開始),裡面有定義一些
requst header, 還有 url_rewrite 等。
- 其中的 192.169.0.1 應該要改成你自己當前電腦所使用的 IP。
- 如果要用:url_rewrite 把所有的請求都交給 PHP 來做處理的話,129 行到 133 行可以刪除。
留下 134 以及 135 行即可。 - 若不靠 PHP scirpt 處理導向的話,請留下 129 行到 133 行。刪掉或註解 134 跟 135 行。
129 行請換成當前電腦的 IP address (請用 ifconfig 指令查詢)。 - 第 129 行到 133 行,作用:當連到 www.google.com.pa 時,會自動導向到:https://google.com.tw
- 若要改 proxy server 的 port number,請參考第 44 行
- 第 101 行的 cache_mgr 是管理者 email 當有存取的動作的時候,就可以發信做通知
當然也要設定與安裝 email server。 - 第 106 行的 visible_hostname 則是填寫你主機的 host name
- 任何設定完之後,記得要重啟 squid 服務,這樣新的設定才會生效。
- 因為會動到 HTTP 應用層上的東西,所以通常重啟服務會稍微久一點,是正常的。
- 有用防火牆的話,記得將 port 打開。(如果要允許讓外部連線的話,不用的話,這步就免了。)
[討論&後記]
雖然有一些方式,像是直接把要導向的 URL 直接的寫在 squid.conf 裡,不過就是我不太熟 bash,再加上要導向的網址很多,想說用 PHP 直接去做掉,會比較快一點。雖然效能會差一點。不過是導向靜態的內容檔案,感覺是還好的。說不定之後就會改成直接在 squid.conf 裡設定,不用 PHP script XD。