FreeBsd5.4+pf+squid反向代理实战笔记(1)

上一篇 / 下一篇  2008-11-04 09:47:32 / 个人分类:linux/Uinx安全

查看( 0 ) / 评论( 0 ) / 评分( 0 / 0 )

1、硬件配置
HP NETSERVER 800 PⅢ1000 内存256M Inter82559网卡两张
2、分区情况

Filesystem Size Used Avail Capacity Mounted on

/dev/da0s1a 248M 54M 174M 24% /

devfs 1.0K 1.0K 0B 100% /dev

/dev/da0s1f 4.8G 130M 4.3G 3% /home

/dev/da0s1d 248M 12K 228M 0% /tmp

/dev/da0s1g 4.8G 565M 3.9G 12% /usr

/dev/da0s1e 5.8G 410K 5.3G 0% /var
3、系统安装情况
采用最小化安装
并且安装src和ports(原本打算采用ports安装,但是不知道怎么搞的,竟然不能cvs源码,当然也就不能通过ports安装,无奈之下只能采用源码编译)
4、内核编译
没有对内核采用优化,这里只是为了验证pf和squid结合做反向代理的可行性,在实际的生产应用中应该对服务器内核做一定程度的优化。
cd /usr/src/sys/i386/conf

cp GENERIC cache
编辑内核cache在内核中添加如下选项
device pf

device pflog

device pfsync

options ALTQ

options ALTQ_CBQ
编译内核
/usr/sbin/config cache

cd ../config/cache

make depend

make

make install
至此内核编译完毕
reboot
5、让系统自动加载pf
编辑/etc/rc.conf

usbd_enable="NO"

defaultrouter="218.4.xxx.xxx"

hostname="cache.aaa.com"

ifconfig_fxp0="inet 218.4.xxx.xxx netmask 255.255.255.248"

ifconfig_fxp1="inet 192.168.2.10 netmask 255.255.255.0"

gateway_enable="YES"

inetd_enable="YES"

pf_enable="YES"

pf_rules="/etc/pf.conf"

pf_flags=""

pflog_enable="YES"

pflog_logfile="/var/log/pflog"

sshd_enable="YES"
6、打开ip转发
在/etc/sysctl.conf中添加如下内容
net.inet.ip.forwarding=1

7、实现共享上网,最简单的pf设置
wan_if="fxp0"

lan_if="fxp1"

inter_net="192.168.2.0/24"

web_server="192.168.2.3"

ftp_server="192.168.2.3"

scrub in all

nat on $wan_if from $inter_net to any -%26gt; fxp0

rdr on fxp1 proto tcp from $lan_if to any port 80 -%26gt; $lan_if port 80

rdr on fxp1 proto tcp from any to any port 21 -%26gt; 127.0.0.1 port 8021

#rdr on fxp0 proto tcp from any to $wan_if port 80 -%26gt;$web_server port 8080

#rdr on fxp1 proto tcp from $lan_if to $wan_if port 80 -%26gt;$web_server port 8080

rdr on $wan_if proto tcp from any to any port 21 -%26gt; $ftp_server port 21

rdr on $wan_if proto tcp from any to any port 49152:65535 -%26gt; $ftp_server port 49152:65535

# in on $wan_if

pass in quick on $wan_if proto tcp from any to $ftp_server port 21 keep state

pass in quick on $wan_if proto tcp from any to $ftp_server port %26gt; 49151 keep state

# out on $lan_if

pass out quick on $lan_if proto tcp from any to $ftp_server port 21 keep state

pass out quick on $lan_if proto tcp from any to $ftp_server port %26gt; 49151 keep state

#Disable danger port

#Danger_Port="{445 135 139 593 5554 9995 9996}"

#block quick on $wan_if inet proto tcp from any to any port $Danger_Port

#block quick on $wan_if inet proto tcp from any to any port $Danger_Port

pass in all

pass out all
(最后这两条在实际的应用中是不可靠的,应该先限制所有,然后逐步打开自己需要的服务)
pf的设置到此基本完毕
下面开始squid部分
1、安装squid
./configure --enable-useragent-log

--enable-referer-log

--enable-default-err-language=Simplify_Chinese

--enable-err-languages="Simplify_Chinese English"

--disable-internal-dns

--enable-pf-transparent

#make

#make install

#mkdir /home/cache(创建存放cache的目录)
2、增加squid运行的用户和用户组(我的都设为squid)
chown squid:squid /home/cache

ee /usr/local/squid/etc/squid.conf
在/etc/hosts中加入内部的DNS解析,比如我的:
192.168.2.2 www.aaa.com

192.168.2.3 mail.aaa.com
3、下面开始配置squid.conf文件(下面是我的配置文件)
visible_hostname cache . example.com

cache_dir ufs /home/cache 1024 16 256

cache_mem 100 MB

cache_effective_user squid

cache_effective_group squid

http_port 80

httpd_accel_host virtual

httpd_accel_single_host off

httpd_accel_port 80

httpd_accel_uses_host_header on

httpd_accel_with_proxy on

# accelerater my domain only

acl acceleratedHostA dstdomain . example1.com

#acl acceleratedHostB dstdomain .example2.com

#acl acceleratedHostC dstdomain .example3.com

# accelerater http protocol on port 80

acl acceleratedProtocol protocol HTTP

acl acceleratedPort port 80

# access arc

acl all src 0.0.0.0/0.0.0.0

# Allow requests when they are to the accelerated machine AND to the

# right port with right protocol

http_access allow acceleratedProtocol acceleratedPort acceleratedHostA

#http_access allow acceleratedProtocol acceleratedPort acceleratedHostB

#http_access allow acceleratedProtocol acceleratedPort acceleratedHostC

# logging

emulate_httpd_log on

cache_store_log none

# manager

acl manager proto cache_object

http_access allow manager all

cachemgr_passwd pass all

squid.conf文件配置完成
squid.conf文件配置完成

4、目录权限设置
chown –R squid:squid /home/cache
创建日志文件,默认的在/usr/local/squid/var/access.log
5、创建缓存目录:
/usr/local/squid/sbin/squid -z

启动squid

/usr/local/squid/sbin/squid
在这个笔记中我的构建意图是
web服务通过squid反向代理来完成
至于其他(我现在只有ftp)服务则通过pf来完成
那么为了完成这个目标我们还需要在pf规则中添加如下语句
rdr on $lan_if proto tcp from $lan_if to any port 80 -%26gt; $lan_if port 80
($lan_if是我网关机的内网卡)凡是对80端口的访问,都统统转发到网关上Squid侦听端口80,而在pf规则中只允许ftp服务通过(疑问是外网访问呢,是否也需要添加类似的这句呢)
至此,FreeBsd5.4+pf+squid反向代理基本完成。




导入论坛 引用链接 收藏 分享给好友 推荐到圈子 管理 举报

TAG: hp HP net NET Net server Server SERVER 硬件

 

评分:0

我来说两句

显示全部

:loveliness: :handshake :victory: :funk: :time: :kiss: :call: :hug: :lol :'( :Q :L ;P :$ :P :o :@ :D :( :)

Open Toolbar