Why would a Squid proxy configuration like this fail!? [Problem solved - Duan Yu] Proxy server tutorial
Author: Anonymous | Source: Unknown | Published: 2006-6-19 18:15:27 | Posted by: chjchjchj
Abstract: Why would a Squid proxy configuration like this fail!? [Problem solved - Duan Yu] On RED9, the iptables firewall and the Squid proxy are split onto separate machines, but now the system cannot download patch updates online, and sending a new mail with an attachment from webmail fails. It feels as if attachments cannot be uploaded! The Squid proxy server itself goes straight out through NAT on the firewall:
iptables -t nat -A POSTROUTING -o eth1 -s 192.168.10.1 -j SNAT --to x.x.x.x
In the line above, 192.168.10.1 is the address of the Squid server's external-facing NIC, and eth1 is the firewall's internal-facing NIC. NAT has been tested and works fine.
The Squid proxy server's eth1 NIC is configured with VLANs, one per internal subnet; the main reason is so that MAC addresses can be used for access control. The configuration is below. Please help me find where the problem is, thanks!
http_port 192.168.1.1:3128
http_port 192.168.2.1:3128
http_port 192.168.3.1:3128
http_port 192.168.4.1:3128
http_port 192.168.5.1:3128
icp_port 0
ssl_unclean_shutdown off
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \? asp php shtml php3 cgi
acl cache_prevent url_regex Servlet
acl mmx urlpath_regex -i \.mp3$ \.avi$
no_cache deny QUERY
no_cache deny cache_prevent
no_cache deny mmx
#acl aclname url_regex [-i] ^http:// ...  # regex matching on whole URL
hierarchy_stoplist cgi-bin ?
cache_mem 200 MB
cache_swap_low 80
cache_swap_high 100
half_closed_clients off
maximum_object_size 1024 KB
minimum_object_size 0 KB
maximum_object_size_in_memory 8 KB
dns_nameservers x.x.x.x x.x.x.x
dns_timeout 1 minutes
ipcache_size 1024
ipcache_low 90
ipcache_high 95
fqdncache_size 1024
cache_replacement_policy heap GDSF
memory_replacement_policy heap GDSF
redirect_rewrites_host_header off
cache_dir aufs /cache/cache 4096 16 1024
cache_access_log /cache/squidlog/access.log
cache_log /cache/squidlog/cache.log
cache_store_log none
mime_table /usr/local/squid/etc/mime.conf
pid_filename /cache/squidlog/squid.pid
logfile_rotate 100
log_icp_queries off
buffered_logs on
emulate_httpd_log on
cache_effective_user squid
cache_effective_group squid
visible_hostname proxy
cache_mgr administrator@server
error_directory /usr/local/squid/share/errors/Simplify_Chinese
icon_directory /usr/local/squid/share/icons
unlinkd_program /usr/local/squid/libexec/unlinkd
redirect_children 5
redirect_rewrites_host_header off
ftp_list_width 32
ftp_passive on
log_icp_queries off
buffered_logs on
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl proto proto HTTP FTP Gopher SSL WAIS
acl method method GET POST
acl CONNECT method CONNECT
acl localhost src 127.0.0.1
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80          # http
acl Safe_ports port 20          # ftp-data
acl Safe_ports port 21          # ftp
acl Safe_ports port 22          # ssl
acl Safe_ports port 443 563     # https, snews
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl Safe_ports port 8080 8081 8180 8181
http_access allow manager localhost
http_access deny manager
http_access deny to_localhost
http_access deny CONNECT !SSL_ports
acl ss time AS
acl work1 time MTWHF 08:00-12:00
acl work2 time MTWHF 14:00-17:00
acl mac arp "/etc/mac"
acl macall arp "/etc/macall"
acl to_ghip dst x.x.x.x
acl outip src x.x.x.x x.x.x.x
http_access allow to_ghip
http_access allow outip
http_access deny !Safe_ports
http_access allow mac
http_access deny macall work1
http_access deny macall work2
http_access allow macall
http_access deny all
http_reply_access allow all
snmp_port 3401
acl aclsnmp snmp_community public
snmp_access allow aclsnmp localhost
snmp_access deny all
snmp_incoming_address 0.0.0.0
snmp_outgoing_address 0.0.0.0
digest_generation on
digest_rebuild_period 1 hour
digest_rewrite_period 1 hour
digest_swapout_chunk_size 4096 bytes
digest_rebuild_chunk_percentage 10
The configuration above did not have this problem when the firewall and the proxy were on the same machine. This is a configuration I have tuned and am fairly happy with. Friends, please help me find the problem, I'd be grateful!
unixli replied at 2004-02-19 17:45:51: Has nobody had this problem?
mzxxzm replied at 2004-02-21 15:59:56: An error is just an error, isn't it? I don't know much about this, but I don't understand what your http_access deny all means. DENY means forbid, right? Why would it forbid everything? I don't quite get it. A A ( @ @ ) ~
unixli replied at 2004-02-22 17:09:49:
[quote="mzxxzm"]An error is just an error, isn't it? I don't know much about this, but I don't understand what your http_access deny all means. DENY means forbid, right? Why would it forbid everything? I don't quite get it. A A ( @ @ ) ~[/quote]
http_access deny all, as the last rule, is the rule applied when none of the preceding rules match. Without it, Squid automatically adds a rule that is the opposite of the last rule.
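As an added example (not from the thread), the Python below models Squid's http_access evaluation for the exact ACL list posted above: a line fires when every ACL on it matches, the first firing line decides, and when no line matches the opposite of the last line's action applies, which is the behaviour unixli describes. Running it also shows what rule order does in this policy: the allow to_ghip and allow outip lines come before deny !Safe_ports, so clients matching those source/destination exemptions are never held to the port check. The x.x.x.x addresses and the contents of /etc/mac and /etc/macall are constructed placeholders, and HARDENED_HTTP_ACCESS is an assumed reordering for comparison, not something the poster wrote.

```python
"""Toy model of Squid http_access evaluation for the ACL list in this thread.

Added example, not part of the original post.  It reproduces Squid's
first-match semantics and the implicit default (opposite of the last line)
that unixli explains.  All x.x.x.x values and the MAC list files are
replaced by constructed sample values.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Request:
    src: str                 # client IP address
    mac: str                 # client MAC as the arp ACL would see it
    dst: str                 # destination IP address
    port: int                # destination port
    method: str = "GET"
    proto: str = "http"      # "cache_object" for cache-manager requests
    weekday: str = "M"       # Squid day letters: S M T W H F A
    minutes: int = 10 * 60   # minutes since midnight (default Monday 10:00)


# ACL definitions transcribed from the posted squid.conf.
ACLS = {
    "all": ("src", ["0.0.0.0/0"]),                 # 0.0.0.0/0.0.0.0 in the post
    "manager": ("proto", ["cache_object"]),
    "localhost": ("src", ["127.0.0.1/32"]),
    "to_localhost": ("dst", ["127.0.0.0/8"]),
    "SSL_ports": ("port", [443, 563]),
    "Safe_ports": ("port", [80, 20, 21, 22, 443, 563, 70, 210, 280, 488,
                            591, 777, 8080, 8081, 8180, 8181]),
    "CONNECT": ("method", ["CONNECT"]),
    "work1": ("time", ("MTWHF", 8 * 60, 12 * 60)),
    "work2": ("time", ("MTWHF", 14 * 60, 17 * 60)),
    "mac": ("arp", ["00:11:22:33:44:01"]),                         # constructed /etc/mac
    "macall": ("arp", ["00:11:22:33:44:01", "00:11:22:33:44:02"]),  # constructed /etc/macall
    "to_ghip": ("dst", ["203.0.113.10/32"]),                       # constructed x.x.x.x
    "outip": ("src", ["192.168.1.50/32", "192.168.2.50/32"]),      # constructed x.x.x.x
}

# http_access lines in the order they appear in the post.
HTTP_ACCESS = [
    ("allow", ["manager", "localhost"]),
    ("deny", ["manager"]),
    ("deny", ["to_localhost"]),
    ("deny", ["CONNECT", "!SSL_ports"]),
    ("allow", ["to_ghip"]),
    ("allow", ["outip"]),
    ("deny", ["!Safe_ports"]),
    ("allow", ["mac"]),
    ("deny", ["macall", "work1"]),
    ("deny", ["macall", "work2"]),
    ("allow", ["macall"]),
    ("deny", ["all"]),
]

# Assumed reordering (not in the post): the port check is hoisted above the
# to_ghip/outip exemptions so that those clients are still limited to Safe_ports.
HARDENED_HTTP_ACCESS = [HTTP_ACCESS[6]] + HTTP_ACCESS[:6] + HTTP_ACCESS[7:]


def acl_matches(name: str, req: Request) -> bool:
    """Evaluate one ACL reference, honouring a leading '!' for negation."""
    negate = name.startswith("!")
    kind, values = ACLS[name.lstrip("!")]
    if kind in ("src", "dst"):
        addr = ipaddress.ip_address(req.src if kind == "src" else req.dst)
        hit = any(addr in ipaddress.ip_network(v) for v in values)
    elif kind == "port":
        hit = req.port in values
    elif kind == "method":
        hit = req.method in values
    elif kind == "proto":
        hit = req.proto in values
    elif kind == "arp":
        hit = req.mac.lower() in [m.lower() for m in values]
    elif kind == "time":
        days, start, end = values
        hit = req.weekday in days and start <= req.minutes < end
    else:
        raise ValueError(f"unsupported acl type {kind}")
    return hit != negate


def evaluate(rules, req: Request) -> str:
    """Return 'allow' or 'deny' for req under the given http_access list."""
    for action, acls in rules:
        if all(acl_matches(a, req) for a in acls):
            return action
    # No line matched: Squid applies the opposite of the last line's action.
    return "deny" if rules[-1][0] == "allow" else "allow"


if __name__ == "__main__":
    staff = Request("192.168.1.20", "00:11:22:33:44:02", "198.51.100.7", 80)
    print("macall host, Monday 10:00:", evaluate(HTTP_ACCESS, staff))
    exempt = Request("192.168.1.50", "aa:bb:cc:dd:ee:ff", "198.51.100.7", 25)
    print("outip host to port 25, posted order:", evaluate(HTTP_ACCESS, exempt))
    print("outip host to port 25, hardened order:", evaluate(HARDENED_HTTP_ACCESS, exempt))
```

Dropping the final deny all line (HTTP_ACCESS[:-1]) and evaluating a request that matches nothing returns deny, because the new last line is allow macall; dropping one more line makes the last line deny macall work2 and the same request is then allowed. That flip is exactly why the explicit deny all at the end is worth keeping.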
unixli replied at 2004-04-14 09:47:58: The problem above was solved last month. The main cause was that RED9's VLAN support is immature and incompatible with some vendors' switches and NICs; after upgrading to the 2.6.4 kernel the problem was resolved!