centos6.x squid 单网卡透明缓存+服务器优化

正好最近单位的网速升级了,百兆光纤 ,哇嘎嘎 用迅雷偷偷的下载发现可以达到 全速,基本可以维持在 9~12M/s  爽歪歪!

这么好的资源肯定要充分利用呀,但又不能全给那些个逛淘宝,看视频,玩网游的害群之马给糟蹋了,故做一个squid +L7 的透明网关 想必是极好的!

这样用squid 缓存加速,L7 跑7层限速限流  给我自己开一个vip 白名单(以后自己下载个苍老师的小电影啥)妥妥儿的! 🙂

本篇只记录squid 加速透明网关,至于l7 嘛 下次再写!单位有现成的硬件流控产品,我就不折腾了!

环境 如下:

os: centos6.6 64bit 

squid:  Squid Cache: Version 3.1.10

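#先从系统层面开始 需要简单的优化下
# --- Step 1: basic OS tuning for a transparent Squid gateway (CentOS 6) ---

#调整文件描述符大小 默认的1024 实在太小
# Raise the open-file limit; the default of 1024 is far too small for a proxy.
# NOTE: a ulimit in rc.local only applies to processes started from rc.local
# itself. The squid service gets its limit from the init script (SQUID_MAXFD in
# /etc/sysconfig/squid on RHEL/CentOS 6 — confirm on your box); interactive
# logins are governed by /etc/security/limits.conf.
echo "ulimit -SHn 102400" >> /etc/rc.local

#内核参数优化
# Kernel parameters, appended to /etc/sysctl.conf. The delimiter is quoted so
# the shell expands nothing inside. Comments are kept on their own lines:
# sysctl.conf only treats whole lines starting with # or ; as comments, so
# trailing text on a value line is handed to the kernel together with the value.
# The original also had three free-text explanation lines inside the block,
# which are not "key = value" and made "sysctl -p" report errors.
cat >> /etc/sysctl.conf <<'EOF'
# --- squid gateway tuning ---
# 1 = send SYN cookies when the SYN backlog overflows; mitigates small SYN floods. Default 0.
net.ipv4.tcp_syncookies = 1
# 1 = allow TIME_WAIT sockets to be reused for new outgoing connections. Default 0.
net.ipv4.tcp_tw_reuse = 1
# Ephemeral port range available to applications.
net.ipv4.ip_local_port_range = 4096 65000
# Maximum number of TIME_WAIT sockets held at once; beyond this they are dropped
# immediately and a warning is logged. Default 180000.
net.ipv4.tcp_max_tw_buckets = 5000
# Maximum queue of received SYNs awaiting completion. Default 1024.
net.ipv4.tcp_max_syn_backlog = 4096
# Maximum packets queued on the input side of a device. Default 300.
net.core.netdev_max_backlog = 10240
# Maximum listen() backlog. Default 128.
net.core.somaxconn = 2048
# Default and maximum socket send/receive buffer sizes, in bytes.
net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
# Retries for the SYN-ACK of a passive open (default 5) and the SYN of an active open (default 4).
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 2
# Fast recycling of TIME_WAIT sockets. Default 0. It depends on TCP timestamps
# and is known to break clients behind NAT; with tcp_timestamps = 0 below it
# does nothing, so it is a candidate for removal.
net.ipv4.tcp_tw_recycle = 1
# Maximum TCP sockets not attached to any user file handle; beyond this orphans
# are reset immediately and a warning is logged. Each orphan can pin tens of KiB.
net.ipv4.tcp_max_orphans = 3276800
# TCP memory thresholds, in PAGES, not bytes:
#   [0] below this there is no memory pressure; [1] pressure mode begins;
#   [2] above this socket allocation is refused.
#   94500000 pages is roughly 360 GiB at 4 KiB/page, far above typical RAM —
#   scale these to the physical memory of the box.
net.ipv4.tcp_mem = 94500000 915000000 927000000
net.ipv4.tcp_timestamps = 0
# Forwarding must stay ON: this box is the default gateway for the LAN clients.
# (The original wrote 0 here and then enabled forwarding by hand through /proc;
# that 0 would have switched it off again at the next reboot.)
net.ipv4.ip_forward = 1
# Reverse-path filtering on, source routing off: basic anti-spoofing for a gateway.
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
kernel.sysrq = 0
kernel.core_uses_pid = 1
EOF
#使之生效
sysctl -p   # apply now (the original had a typo, "sysct")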

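#接着就是安装配置squid了
# --- Step 2: install Squid (the CentOS 6 base repo ships 3.1.x) and enable it at boot ---
# Chained with && so a failed install does not leave a non-existent service enabled.
yum install squid && chkconfig squid on
#squid 的配置如下 请更改其中的配置 以符合自己的需求
# The full /etc/squid/squid.conf used here follows; adapt the client networks,
# cache sizes, log paths and hostname to your site before starting the service.
vim /etc/squid/squid.conf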
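# Recommended minimum configuration:
#
# /etc/squid/squid.conf for a Squid 3.1 transparent cache on a single-NIC gateway.
# http_access rules are matched top to bottom and the first match wins — keep the order.
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
#acl loacalhost src 172.28.10.0/24
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
# 172.0.0.0/8 is not an RFC1918 block (most of it is public address space);
# the private block is 172.16.0.0/12, which still covers the 172.27.10.0/24 and
# 172.28.10.0/24 client networks redirected by the iptables rules.
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
#acl localnet src 172.27.10.0/24 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
#acl localnet src 192.168.2.11/32
#acl localnet src 192.168.3.11/32

#acl localnet src fc00::/7       # RFC 4193 local private network range
#acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
# The entries below had been pasted with the "multiling http" label; the real
# services are named here. Port 25 is left out on purpose: letting HTTP requests
# reach SMTP turns the proxy into a mail relay, which is why Squid's stock
# Safe_ports list excludes it. Re-enable only with a concrete need.
#acl Safe_ports port 25         # smtp
acl Safe_ports port 110         # pop3
acl Safe_ports port 143         # imap
acl Safe_ports port 47          # tcp/47 (GRE is IP protocol 47, not a TCP port — confirm this is intended)
acl Safe_ports port 53          # dns over tcp
acl Safe_ports port 8880        # redundant: already inside 1025-65535
acl Safe_ports port 873         # rsync
acl CONNECT method CONNECT
#
# Recommended minimum Access Permission configuration:
#
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
# Deny requests to certain unsafe ports
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
# Protect web applications on this host that assume a "localhost" client is a
# local user (Squid's own recommendation; it was commented out in the original).
http_access deny to_localhost
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost
# And finally deny all other access to this proxy.
# The original said "allow all" here, which made the box an open proxy for
# every host able to reach port 3128 — the listener binds all interfaces.
http_access deny all
# Squid normally listens to port 3128
# A single listener: "transparent" on 3128 is what the iptables REDIRECT needs,
# and it already binds every local address. The original also declared
# http_port 0.0.0.0:3128, which would try to bind the same port twice.
http_port 3128 transparent
#http_port 0.0.0.0:3128
# We recommend you to use at least the following line.
hierarchy_stoplist cgi-bin ?
# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/spool/squid 100 16 256
# Leave coredumps in the first cache dir
coredump_dir /home/squid/var/spool/squid
# Add any of your own refresh_pattern entries above these.
# refresh_pattern <regex> <min minutes> <percent> <max minutes> [options]
#   min:     minutes an object is considered fresh when it carries no expiry;
#   percent: fresh for (time the object entered the cache - its Last-Modified) * percent;
#   max:     upper bound on freshness in minutes (10080 = 7 days, 129600 = 90 days).
refresh_pattern ^ftp:   1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
# "?" must be escaped: unescaped it is the regex quantifier, not a literal query mark.
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320
# reload-into-ims: a client "reload" becomes an If-Modified-Since revalidation,
# so an unchanged object is served from cache instead of being refetched.
refresh_pattern -i .css$ 1440 50% 129600 reload-into-ims
refresh_pattern -i .xml$ 1440 50% 129600 reload-into-ims
refresh_pattern -i .htm$ 1440 90% 129600 reload-into-ims
refresh_pattern -i .shtml$ 1440 90% 129600 reload-into-ims
refresh_pattern -i .png$ 1440 90% 129600 reload-into-ims
refresh_pattern -i .jpg$ 1440 90% 129600 reload-into-ims
refresh_pattern -i .jpeg$ 1440 90% 129600 reload-into-ims
refresh_pattern -i .gif$ 1440 90% 129600 reload-into-ims
refresh_pattern -i .bmp$ 1440 90% 129600 reload-into-ims
refresh_pattern -i .js$ 1440 90% 129600 reload-into-ims
# ignore-reload: client reloads are ignored and the cached copy is served unconditionally.
refresh_pattern -i .mp3$ 1440 50% 2880 ignore-reload

#refresh_pattern -i .wmv$ 1440 50% 2880 ignore-reload
#refresh_pattern -i .rm$ 1440 50% 2880 ignore-reload
#refresh_pattern -i .swf$ 1440 50% 2880 ignore-reload
#refresh_pattern -i .mpeg$ 1440 50% 2880 ignore-reload
#refresh_pattern -i .wma$ 1440 50% 2880 ignore-reload
#refresh_pattern -i .exe$ 1440 50% 2880 ignore-reload
#refresh_pattern -i .rar$ 1440 50% 2880 ignore-reload
#refresh_pattern -i .zip$ 1440 50% 2880 ignore-reload
#refresh_pattern -i .gz$ 1440 50% 2880 ignore-reload
#refresh_pattern -i .bz2$ 1440 50% 2880 ignore-reload
#refresh_pattern -i .7z$ 1440 50% 2880 ignore-reload
#visible_hostname 172.25.20.20
# Two cache_dir entries: aufs (threaded disk I/O) for objects up to max-size=204800
# bytes (200 KiB); larger objects, up to maximum_object_size, fall through to the
# ufs directory. Sizes are in MB (102400 = 100 GiB, 40960 = 40 GiB); 16 and 256
# are the numbers of L1 and L2 subdirectories.
cache_dir aufs /home/squid/cache    102400 16 256 max-size=204800
cache_dir  ufs /home/squid/var/spool/squid 40960 16 256
#cache_log /home/squid/var/log/squid/cache.log
#access_log /home/squid/var/log/squid/access.log
#cache_store_log /home/squid/var/log/squid/store.log
#logfile_rotate 4

# In-memory object cache. 4 GiB is only reasonable if the box has well above that
# in RAM — Squid's total footprint is several times cache_mem.
cache_mem  4096 MB
cache_swap_low 85
cache_swap_high 95
ipcache_size 65535
fqdncache_size 65535
maximum_object_size 500 MB
cache_effective_user squid
cache_effective_group squid

memory_pools on
# Cap on pre-allocated memory pools. (The original line carried untagged trailing
# text after "128 MB", which the config parser would not accept.)
memory_pools_limit 128 MB

#acl denywords url_regex -i sex
#http_access deny badwords
# The two lines above would refuse any URL matching "sex"; note that the ACL name
# in the http_access line (badwords) does not match the one defined (denywords) —
# fix that before enabling them.

# Do not cache, and fetch directly from the origin, any URL containing .jsp or Ctrl.
# ("cache" is the 3.x spelling of the older "no_cache" directive.)
hierarchy_stoplist .jsp Ctrl
acl QUERY urlpath_regex .jsp Ctrl
cache deny QUERY

# Reverse-proxy (accelerator) settings, all left disabled: this box is a forward
# transparent cache. Kept from the original's notes.
# Port of the web server behind the accelerator.
#httpd_accel_port 80

# Origin host name for the accelerator. Use "virtual" when several domains are
# served (mapped via the hosts file); for a single domain use its IP instead of
# "virtual" and add "httpd_accel_single_host on"; or point at a DNS server: #dns_nameservers 60.191.254.49
#httpd_accel_host virtual

# Whether ordinary proxy caching stays on alongside the accelerator. Leaving this
# line commented keeps caching; "off" disables forward proxying (use it when the
# proxy must not be usable from outside). Default on.
#httpd_accel_with_proxy off

# Squid 2.6-style reverse proxy peer
#cache_peer 127.0.0.1 parent 80 0 no-query originserver

# Host name shown on error pages.
visible_hostname www.tiaoh.com

# Administrator contact shown on error pages.
#cache_mgr  [email protected]

# "emulate_httpd_log on" makes Squid write web-server style access records,
# for use with web log analysers. Default off.
emulate_httpd_log off

# Logging. The original disabled every log ("cache_access_log none", ...). On a
# gateway the access log is the only record of which client fetched what, and
# cache.log is where start-up and ACL errors are reported — keep both and rotate
# them ("squid -k rotate" with logfile_rotate) rather than switching them off.
# access_log is the 3.x name; cache_access_log is the old 2.x directive.
access_log /var/log/squid/access.log squid
cache_log /var/log/squid/cache.log
cache_store_log none
logfile_rotate 4

# Clients do not keep persistent connections.
client_persistent_connections off

# SNMP. The community string is a shared secret and "123" is trivially guessable —
# replace it. The original allowed queries from every host ("allow snmppublic all");
# restrict to the monitoring station, or at least to the LAN, and deny the rest.
acl snmppublic snmp_community 123

# SNMP port; default 3401.
snmp_port 3401

snmp_access allow snmppublic localnet
snmp_access deny all

# Timeouts
# Lifetime of negatively cached objects (connection failures, 404 Not Found, ...). Default 5 minutes.
negative_ttl 1 minutes

# Lifetime of cached failed DNS lookups. Default 5 minutes.
negative_dns_ttl 1 minutes

# Lifetime of cached successful DNS lookups. Default 6 hours.
positive_dns_ttl 1 hours

# How long Squid waits for an HTTP request after a client connects. Default 30 s.
request_timeout 1 minutes

# How long Squid waits for a connect() to complete. Default 2 minutes.
connect_timeout 1 minutes

# Idle time allowed on a persistent client connection. Default 1 minute.
persistent_request_timeout 1 minutes

# Idle time before an idle connection to a server or peer is closed. Default 120 s.
pconn_timeout 1 minutes

# Half-closed clients: a misbehaving client may shut its sending side while still
# reading. With "on" (the default) Squid keeps such connections until a socket
# error occurs; with "off" it closes them as soon as the client reports
# "no more data to read".
half_closed_clients off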

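#紧接着 设置 sysctl 的ip转发 ,并且配置iptables 的3128重定向
# --- Step 3: enable forwarding, redirect LAN port-80 traffic into Squid, start ---

# Turn forwarding on now. It is persisted by "net.ipv4.ip_forward = 1" in
# /etc/sysctl.conf — make sure that file does not also carry "= 0", or the
# next reboot silently turns forwarding off again.
sysctl -w net.ipv4.ip_forward=1

#iptables的规则  添加你所需要的 网段ip ,别忘了放行 3128 端口 和80 端口
# Transparent redirect for the listed client networks only (arriving on eth0,
# TCP port 80). HTTPS (443) is not intercepted by this setup. The redirected
# packets still have to pass INPUT on 3128, so allow that for the same subnets;
# -I puts the rule ahead of the distribution's final REJECT.
for net in 172.27.10.0/24 172.28.10.0/24; do
  iptables -t nat -A PREROUTING -s "$net" -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
  iptables -I INPUT -s "$net" -i eth0 -p tcp -m tcp --dport 3128 -j ACCEPT
done
# Persist the rules across reboots (CentOS 6 iptables service).
service iptables save

#最后 别忘了 以上目录的相关权限 启动squid 即可
# Both cache_dir paths must exist and be owned by cache_effective_user before
# the first start.
mkdir -p /home/squid/cache /home/squid/var/spool/squid
chown -R squid:squid /home/squid

# Check the config, build the cache directory structure once, then start.
# "-z" and "-k parse" are options of the squid binary, not of the init script
# (the original passed them to /etc/init.d/squid, which only understands
# start/stop/restart/status/reload).
squid -k parse
squid -z
/etc/init.d/squid restart

#squid 常用命令
# squid -k parse                                   # syntax check of squid.conf
# squid -z                                         # (re)create the cache directories
# /etc/init.d/squid start|stop|restart|status|reload   # also reports config syntax errors
# squid -k rotate                                  # rotate logs; typically run from crontab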

 
