sa-sa-ki.jpのblog

[root@sl6 ~]# yum -y install squid
sl | 3.2 kB 00:00
sl-security | 1.9 kB 00:00
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package squid.x86_64 7:3.1.10-1.el6 set to be updated
--> Finished Dependency Resolution

Dependencies Resolved

============================================================
Package Arch Version Repository Size
============================================================
Installing:
squid x86_64 7:3.1.10-1.el6 sl-security 1.7 M

Transaction Summary
============================================================
Install 1 Package(s)
Upgrade 0 Package(s)

Total download size: 1.7 M
Installed size: 5.8 M
Downloading Packages:
squid-3.1.10-1.el6.x86_64.rpm | 1.7 MB 00:03
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Installing : 7:squid-3.1.10-1.el6.x86_64 1/1

Installed:
squid.x86_64 7:3.1.10-1.el6

Complete!

[root@sl6 ~]# vi /etc/squid/squid.conf
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
#acl localnet src 10.0.0.0/8 # RFC1918 possible internal network　#コメント化
#acl localnet src 172.16.0.0/12 # RFC1918 possible internal network　#コメント化
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
#acl localnet src fc00::/7 # RFC 4193 local private network range　#コメント化
#acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines　#コメント化

# プロキシサーバーを使っている端末のIPアドレス非表示
forwarded_for off　# 追記
# エラー時に表示するホスト名
visible_hostname sa-sa-ki.jp　# 追記
# プロキシサーバーからのアクセスであることを隠します
request_header_access Referer deny all　# 追記
request_header_access X-Forwarded-For deny all　# 追記
request_header_access Via deny all　# 追記
request_header_access Cache-Control deny all　# 追記
# Apache形式のログ出力
access_log /var/log/squid/access.log auto　# 追記
emulate_httpd_log on　# 追記

# 保存してviエディタを終了します

# Squidを起動します
[root@sl6 ~]# /etc/rc.d/init.d/squid start
squid を起動中: . [ OK ]

# Squidの自動起動設定を行います
[root@sl6 ~]# chkconfig squid on
[root@sl6 ~]# chkconfig --list squid
squid 0:off 1:off 2:on 3:on 4:on 5:on 6:off

[root@sl6 ~]# vi /etc/sysconfig/iptables
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 110 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 123 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 123 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 143 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 465 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 993 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 995 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 3128 -j ACCEPT　# 追加
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

# 保存してviエディタを終了します

# iptablesを再起動してファイアウォールルールを反映します
[root@sl6 ~]# /etc/rc.d/init.d/iptables restart
iptables: ファイアウォールルールを消去中: [ OK ]
iptables: チェインをポリシー ACCEPT へ設定中filter [ OK ]
iptables: モジュールを取り外し中: [ OK ]
iptables: ファイアウォールルールを適用中: [ OK ]

[root@centos ~]# vi /etc/squid/squid.conf

～　中略　～

# TAG: access_log
# These files log client request activities. Has a line every HTTP or
# ICP request. The format is:
# access_log [ [acl acl ...]]
# access_log none [acl acl ...]]
#
# Will log to the specified file using the specified format (which
# must be defined in a logformat directive) those entries which match
# ALL the acl's specified (which must be defined in acl clauses).
# If no acl is specified, all requests will be logged to this file.
#
# To disable logging of a request use the filepath "none", in which case
# a logformat name should not be specified.
#
# To log the request via syslog specify a filepath of "syslog":
#
# access_log syslog[:facility.priority] [format [acl1 [acl2 ....]]]
# where facility could be any of:
# authpriv, daemon, local0 .. local7 or user.
#
# And priority could be any of:
# err, warning, notice, info, debug.
#
# Note: 2.6.STABLE14 and earlier only supports a slightly different
# and undocumented format with all uppercase LOG_FACILITY|LOG_PRIORITY
#access_log /var/log/squid/access.log squid　←先頭に#を追記してコメント化
access_log /var/log/squid/access.log auto　←追記

～　中略　～

# TAG: emulate_httpd_log on|off
# The Cache can emulate the log file format which many 'httpd'
# programs use. To disable/enable this emulation, set
# emulate_httpd_log to 'off' or 'on'. The default
# is to use the native log format since it includes useful
# information Squid-specific log analyzers use.
#
#Default:
emulate_httpd_log on　←追記

ファイルを保存してviエディタを終了します

[root@centos ~]# /etc/rc.d/init.d/squid restart
squid を停止中: ................ [ OK ]
init_cache_dir /var/spool/squid/coss... squid を起動中: . [ OK ]

[root@centos ~]# cat /var/log/squid/access.log

[root@centos ~]# vi /etc/squid/squid.conf

# TAG: cache_dir
# Usage:
#
# cache_dir Type Directory-Name Fs-specific-data [options]
#
# You can specify multiple cache_dir lines to spread the
# cache among different disk partitions.
#
# Type specifies the kind of storage system to use. Only "ufs"
# is built by default. To enable any of the other storage systems
# see the --enable-storeio configure option.
#
# 'Directory' is a top-level directory where cache swap
# files will be stored. If you want to use an entire disk
# for caching, this can be the mount-point directory.
# The directory must exist and be writable by the Squid
# process. Squid will NOT create this directory for you.
# Only using COSS, a raw disk device or a stripe file can
# be specified, but the configuration of the "cache_swap_log"
# tag is mandatory.
#
# The ufs store type:
#
# "ufs" is the old well-known Squid storage format that has always
# been there.
#
# cache_dir ufs Directory-Name Mbytes L1 L2 [options]
#
# 'Mbytes' is the amount of disk space (MB) to use under this
# directory. The default is 100 MB. Change this to suit your
# configuration. Do NOT put the size of your disk drive here.
# Instead, if you want Squid to use the entire disk drive,
# subtract 20% and use that value.
#
# 'Level-1' is the number of first-level subdirectories which
# will be created under the 'Directory'. The default is 16.
#
# 'Level-2' is the number of second-level subdirectories which
# will be created under each first-level directory. The default
# is 256.
#
# The aufs store type:
#
# "aufs" uses the same storage format as "ufs", utilizing
# POSIX-threads to avoid blocking the main Squid process on
# disk-I/O. This was formerly known in Squid as async-io.
#
# cache_dir aufs Directory-Name Mbytes L1 L2 [options]
#
# see argument descriptions under ufs above
#
# The diskd store type:
#
# "diskd" uses the same storage format as "ufs", utilizing a
# separate process to avoid blocking the main Squid process on
# disk-I/O.
#
# cache_dir diskd Directory-Name Mbytes L1 L2 [options] [Q1=n] [Q2=n]
#
# see argument descriptions under ufs above
#
# Q1 specifies the number of unacknowledged I/O requests when Squid
# stops opening new files. If this many messages are in the queues,
# Squid won't open new files. Default is 64
#
# Q2 specifies the number of unacknowledged messages when Squid
# starts blocking. If this many messages are in the queues,
# Squid blocks until it receives some replies. Default is 72
#
# When Q1 < Q2 (the default), the cache directory is optimized
# for lower response time at the expense of a decrease in hit
# ratio. If Q1 > Q2, the cache directory is optimized for
# higher hit ratio at the expense of an increase in response
# time.
#
# The coss store type:
#
# block-size=n defines the "block size" for COSS cache_dir's.
# Squid uses file numbers as block numbers. Since file numbers
# are limited to 24 bits, the block size determines the maximum
# size of the COSS partition. The default is 512 bytes, which
# leads to a maximum cache_dir size of 512<<24, or 8 GB. Note
# you should not change the COSS block size after Squid
# has written some objects to the cache_dir.
#
# overwrite-percent=n defines the percentage of disk that COSS
# must write to before a given object will be moved to the
# current stripe. A value of "n" closer to 100 will cause COSS
# to waste less disk space by having multiple copies of an object
# on disk, but will increase the chances of overwriting a popular
# object as COSS overwrites stripes. A value of "n" close to 0
# will cause COSS to keep all current objects in the current COSS
# stripe at the expense of the hit rate. The default value of 50
# will allow any given object to be stored on disk a maximum of
# 2 times.
#
# max-stripe-waste=n defines the maximum amount of space that COSS
# will waste in a given stripe (in bytes). When COSS writes data
# to disk, it will potentially waste up to "max-size" worth of disk
# space for each 1MB of data written. If "max-size" is set to a
# large value (ie >256k), this could potentially result in large
# amounts of wasted disk space. Setting this value to a lower value
# (ie 64k or 32k) will result in a COSS disk refusing to cache
# larger objects until the COSS stripe has been filled to within
# "max-stripe-waste" of the maximum size (1MB).
#
# membufs=n defines the number of "memory-only" stripes that COSS
# will use. When an cache hit is performed on a COSS stripe before
# COSS has reached the overwrite-percent value for that object,
# COSS will use a series of memory buffers to hold the object in
# while the data is sent to the client. This will define the maximum
# number of memory-only buffers that COSS will use. The default value
# is 10, which will use a maximum of 10MB of memory for buffers.
#
# maxfullbufs=n defines the maximum number of stripes a COSS partition
# will have in memory waiting to be freed (either because the disk is
# under load and the stripe is unwritten, or because clients are still
# transferring data from objects using the memory). In order to try
# and maintain a good hit rate under load, COSS will reserve the last
# 2 full stripes for object hits. (ie a COSS cache_dir will reject
# new objects when the number of full stripes is 2 less than maxfullbufs)
#
# The null store type:
#
# no options are allowed or required
#
# Common options:
#
# read-only, no new objects should be stored to this cache_dir
#
# min-size=n, refers to the min object size this storedir will accept.
# It's used to restrict a storedir to only store large objects
# (e.g. aufs) while other storedirs are optimized for smaller objects
# (e.g. COSS). Defaults to 0.
#
# max-size=n, refers to the max object size this storedir supports.
# It is used to initially choose the storedir to dump the object.
# Note: To make optimal use of the max-size limits you should order
# the cache_dir lines with the smallest max-size value first and the
# ones with no max-size specification last.
#
# Note that for coss, max-size must be less than COSS_MEMBUF_SZ
# (hard coded at 1 MB).
#
#Default:
#cache_dir ufs /var/spool/squid 200 16 256　←先頭に#を追記してコメント化する
cache_dir COSS /var/spool/squid/coss 100 max-size=1048576　←追記する

# TAG: cache_swap_state
# Location for the cache "swap.state" file. This index file holds
# the metadata of objects saved on disk. It is used to rebuild
# the cache during startup. Normally this file resides in each
# 'cache_dir' directory, but you may specify an alternate
# pathname here. Note you must give a full filename, not just
# a directory. Since this is the index for the whole object
# list you CANNOT periodically rotate it!
#
# If %s can be used in the file name it will be replaced with a
# a representation of the cache_dir name where each / is replaced
# with '.'. This is needed to allow adding/removing cache_dir
# lines when cache_swap_log is being used.
#
# If have more than one 'cache_dir', and %s is not used in the name
# these swap logs will have names such as:
#
# cache_swap_log.00
# cache_swap_log.01
# cache_swap_log.02
#
# The numbered extension (which is added automatically)
# corresponds to the order of the 'cache_dir' lines in this
# configuration file. If you change the order of the 'cache_dir'
# lines in this file, these index files will NOT correspond to
# the correct 'cache_dir' entry (unless you manually rename
# them). We recommend you do NOT use this option. It is
# better to keep these index files in each 'cache_dir' directory.
#
#Default:
# none
cache_swap_log /var/spool/squid/cache_swap_log　←追記する

ファイルを保存しviエディタを終了します

#サービスを停止しないと作成できないのでsquidを停止します
[root@centos ~]# /etc/rc.d/init.d/squid stop
squid を停止中: ................ [ OK ]

#COSSキャッシュストレージを作成します
[root@centos ~]# squid -z
2010/10/04 16:05:54| Creating Swap Directories

#サービスを起動します
[root@centos ~]# /etc/rc.d/init.d/squid start
init_cache_dir /var/spool/squid/coss... squid を起動中: . [ OK ]

rootユーザにスイッチします
[centos@centos ~]$ su -
パスワード:rootユーザのパスワード

Squidをインストールします
[root@centos ~]# yum -y install squid
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* addons: ftp.iij.ad.jp
* base: ftp.iij.ad.jp
* extras: ftp.iij.ad.jp
* updates: ftp.iij.ad.jp
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package squid.i386 7:x.x.STABLExx-x.el5 set to be updated
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
Package Arch Version Repository Size
================================================================================
Installing:
squid i386 7:x.x.STABLExx-x.el5 base 1.3 M

Transaction Summary
================================================================================
Install 1 Package(s)
Update 0 Package(s)
Remove 0 Package(s)

Total download size: 1.3 M
Downloading Packages:
squid-x.x.STABLExx-x.el5.i386.rpm | 1.3 MB 00:00
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
Installing : squid 1/1

Installed:
squid.i386 7:x.x.STABLExx-x.el5

Complete!

Squidの設定ファイルを開きます
[root@centos ~]# vi /etc/squid/squid.conf

viエディタが起動するので、下記のように追加・変更します

#Recommended minimum configuration:
acl localhost src 127.0.0.1/255.255.255.255
ローカルネットワークに別名を付与します
acl lan src 192.168.0.0/255.255.255.0

# And finally deny all other access to this proxy
http_access allow localhost
別名を付与したローカルネットワークにアクセス許可設定を行います
http_access allow lan
http_access deny all

# TAG: forwarded_for on|off
# If set, Squid will include your system's IP address or name
# in the HTTP requests it forwards. By default it looks like
# this:
#
# X-Forwarded-For: 192.1.2.3
#
# If you disable this, it will appear as
#
# X-Forwarded-For: unknown
#
#Default:
# forwarded_for on
プロキシサーバーを使用している端末のローカルIPアドレスを隠す為、off設定します
forwarded_for off

# TAG: visible_hostname
# If you want to present a special hostname in error messages, etc,
# define this. Otherwise, the return value of gethostname()
# will be used. If you have multiple caches in a cluster and
# get errors about IP-forwarding you must set them to have individual
# names with this setting.
#
#Default:
# none
エラーメッセージなどに表示するホスト名を指定します
visible_hostname sa-sa-ki.jp

# TAG: header_access
# Usage: header_access header_name allow|deny [!]aclname ...
#
# WARNING: Doing this VIOLATES the HTTP standard. Enabling
# this feature could make you liable for problems which it
# causes.
#
# This option replaces the old 'anonymize_headers' and the
# older 'http_anonymizer' option with something that is much
# more configurable. This new method creates a list of ACLs
# for each header, allowing you very fine-tuned header
# mangling.
#
# You can only specify known headers for the header name.
# Other headers are reclassified as 'Other'. You can also
# refer to all the headers with 'All'.
#
# For example, to achieve the same behavior as the old
# 'http_anonymizer standard' option, you should use:
#
# header_access From deny all
# header_access Referer deny all
# header_access Server deny all
# header_access User-Agent deny all
# header_access WWW-Authenticate deny all
# header_access Link deny all
#
# Or, to reproduce the old 'http_anonymizer paranoid' feature
# you should use:
#
# header_access Allow allow all
# header_access Authorization allow all
# header_access WWW-Authenticate allow all
# header_access Proxy-Authorization allow all
# header_access Proxy-Authenticate allow all
# header_access Cache-Control allow all
# header_access Content-Encoding allow all
# header_access Content-Length allow all
# header_access Content-Type allow all
# header_access Date allow all
# header_access Expires allow all
# header_access Host allow all
# header_access If-Modified-Since allow all
# header_access Last-Modified allow all
# header_access Location allow all
# header_access Pragma allow all
# header_access Accept allow all
# header_access Accept-Charset allow all
# header_access Accept-Encoding allow all
# header_access Accept-Language allow all
# header_access Content-Language allow all
# header_access Mime-Version allow all
# header_access Retry-After allow all
# header_access Title allow all
# header_access Connection allow all
# header_access Proxy-Connection allow all
# header_access All deny all
#
# By default, all headers are allowed (no anonymizing is
# performed).
#
#Default:
# none
プロキシサーバーからのアクセスである事を隠します
header_access X-Forwarded-For deny all
header_access Via deny all
header_access Cache-Control deny all

[:]キー、[w]キー、[q]キーを順に押下して内容を保存しviエディタを終了します

IPTablesの設定ファイルを開きます

[root@centos ~]# vi /etc/sysconfig/iptables

viエディタが起動するので、下記を追加します

# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.

～　省略　～

-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 3128 -j ACCEPT

～　省略　～

-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT

[:]キー、[w]キー、[q]キーを順に押下して内容を保存しviエディタを終了します

[root@centos ~]# /etc/rc.d/init.d/iptables restart
ファイアウォールルールを適用中: [ OK ]
チェインポリシーを ACCEPT に設定中filter [ OK ]
iptables モジュールを取り外し中 [ OK ]
iptables ファイアウォールルールを適用中: [ OK ]
iptables モジュールを読み込み中ip_conntrack_netbios_ns [ OK ]

Squidのサービスを起動します
[root@centos ~]# /etc/rc.d/init.d/squid start
init_cache_dir /var/spool/squid... squid を起動中: .. [ OK ]

OS再起動時にSquidのサービスを自動起動するようにします
[root@centos ~]# chkconfig squid on
[root@centos sysconfig]# chkconfig --list squid
squid 0:off 1:off 2:on 3:on 4:on 5:on 6:off
※ランレベル2～5がonになっていればOK