TurboLinux11 网站架设 » squid配置详解-sdccf-ChinaUnix博客

Squid是一个缓存Internet数据的一个软件，它会接收用户的下载申请，并自动处理所下载的数据。也就是说，当一个用户想要下载一个主页时，它向Squid发出一个申请，要Squid替它下载，然后Squid连接所申请网站并请求该主页，接着把该主页传给用户同时保留一个备份，当别的用户申请同样的页面时，Squid把保存的备份立即传给用户，使用户觉得速度相当快。目前，Squid可以代理HTTP、FTP、GOPHER、SSL和WAIS协议，暂不能代理POP，NNTP等协议。不过，已经有人开始修改Squid，相信不久的将来，Squid能够代理这些协议。
Squid可用在很多操作系统中，如Linux、Unix、AIX、FreeBSD、HP-UX、Irix、NetBSD、Nextstep、SCO、Solaris、OS/2等，也有不少人在其他操作系统中重新编译过Squid。

要配置squid，首先要确定是否安装此软件包。如下：

[root@ts3-142 ~]# rpm -qa|grep -i squid
squid-2.6.STABLE6-3

和大多数网络服务一样，squid的配置文件也在/etc/squid下。其主要配置文件为/etc/squid/squid.conf，而其中主要的配置选项及介绍如下：

 端口定义

#  TAG: http_port
#	Usage:	port [options]
#		hostname:port [options]        //这里可以用ts3-142:3128
#		1.2.3.4:port [options]         //这里可以用172.16.78.142:3128


#The default port number is 3128.     //默认端口为3128，根据需要可以定义为8080或者80

http_port 3128

访问控制列表

# ACCESS CONTROLS
# -----------------------------------------------------------------------------

#  TAG: acl
#	Defining an Access List      //定义访问控制列表
#
#	acl aclname acltype string1 ...      //访问控制列表的格式
#	acl aclname acltype "file" ...
#
#	when using "file", the file should contain one item per line
#
#	acltype is one of the types described below
#
#	By default, regular expressions are CASE-SENSITIVE.  To make
#	them case-insensitive, use the -i option.
#
       ＊＊＊ IP地址访问控制列表＊＊＊

#	acl aclname src      ip-address/netmask ... (clients IP address)      //以源客户端IP地址为列表
#	acl aclname src      addr1-addr2/netmask ... (range of addresses)     //以源IP地址范围为列表
#	acl aclname dst      ip-address/netmask ... (URL host's IP address)   //以目的主机IP地址为列表
#	acl aclname myip     ip-address/netmask ... (local socket IP address) //squid主机的IP地址为myip列表
#
#	acl aclname arp      mac-address ... (xx:xx:xx:xx:xx:xx notation)
#	  # The arp ACL requires the special configure option --enable-arp-acl.
#	  # Furthermore, the arp ACL code is not portable to all operating systems.
#	  # It works on Linux, Solaris, FreeBSD and some other *BSD variants.
#	  #
#	  # NOTE: Squid can only determine the MAC address for clients that are on
#	  # the same subnet. If the client is on a different subnet, then Squid cannot
#	  # find out its MAC address.
#
      ＊＊＊域名访问控制列表＊＊＊

#	acl aclname srcdomain   .foo.com ...    # reverse lookup, client IP     //以域名为源列表
#	acl aclname dstdomain   .foo.com ...    # Destination server from URL   //以域名为目的列表
#	acl aclname srcdom_regex [-i] xxx ...   # regex matching client name    //
#	acl aclname dstdom_regex [-i] xxx ...   # regex matching server
#	  # For dstdomain and dstdom_regex  a reverse lookup is tried if a IP
#	  # based URL is used and no match is found. The name "none" is used
#	  # if the reverse lookup fails.
#
        ＊＊＊时间访问控制列表＊＊＊

#	acl aclname time     [day-abbrevs]  [h1:m1-h2:m2]
#	    day-abbrevs:
#		S - Sunday
#		M - Monday
#		T - Tuesday
#		W - Wednesday
#		H - Thursday
#		F - Friday
#		A - Saturday
#	    h1:m1 must be less than h2:m2

        ＊＊＊其它访问控制列表＊＊＊

#	acl aclname url_regex [-i] ^http:// ...	# regex matching on whole URL   //匹配以http://开始的列表
#	acl aclname urlpath_regex [-i] \.gif$ ...	# regex matching on URL path  //匹配以.gif为结尾的列表
#	acl aclname urllogin [-i] [^a-zA-Z0-9] ...	# regex matching on URL login field  //
#	acl aclname port     80 70 21 ...                                              //端口列表    
#	acl aclname port     0-1024 ...		# ranges allowed                       //端口范围列表 
#	acl aclname myport   3128 ...		# (local socket TCP port)              //squid本地端口
#	acl aclname proto    HTTP FTP ...                                              //协议列表  
#	acl aclname method   GET POST ...                                              //访问方式列表 
#	acl aclname browser  [-i] regexp ...                                           //浏览器列表

访问控制
格式：http_access allow/deny aclname
典型访问控制规则如下：
http_access allow your-aclname
http_access deny  all