LinuxByte » squid http://www.linuxbyte.org 一个Linux Blog Thu, 26 Jan 2012 08:13:08 +0000 en hourly 1 http://wordpress.org/?v=3.3.1 网吧Linux 网关设置记录补充 http://www.linuxbyte.org/wang-ba-linux-wang-guan-she-zhi-ji-lu-bu-chong.html http://www.linuxbyte.org/wang-ba-linux-wang-guan-she-zhi-ji-lu-bu-chong.html#comments Thu, 03 Nov 2011 02:23:43 +0000 xiao H http://www.linuxbyte.org/?p=766 很早之前写过这篇博文网吧Linux 网关设置记录,现在这台服务器终于玩完了,所以又要重新配置一台了。这次系统用的是CentOS 6 所以,有些东西变了,要记录一下。

squid.conf 中原来的 acl all src 0.0.0.0/0,现在不需要定义了,squid 3.0 以后all 字段是默认设置了。

sysctl.conf 优化中

net.ipv4.netfilter.ip_conntrack_tcp_timeout_established = 900

net.ipv4.netfilter.ip_conntrack_tcp_timeout_established 已经改名了,改为net.netfilter.nf_conntrack_tcp_timeout_established 。

其实这一系列网络参数现在都改为net.netfilter.nf 开头了,所以原来的sysctl.conf 优化语句要改一下了。
我的优化语句

net.netfilter.nf_conntrack_tcp_timeout_established= 180
net.netfilter.nf_conntrack_tcp_timeout_fin_wait= 120
net.netfilter.nf_conntrack_tcp_timeout_close_wait= 60
net.netfilter.nf_conntrack_tcp_timeout_last_ack= 30
net.netfilter.nf_conntrack_tcp_timeout_time_wait= 120
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_fin_timeout = 30
net.ipv4.icmp_echo_ignore_all = 0
net.ipv4.conf.all.proxy_arp = 1
net.ipv4.tcp_synack_retries = 3

另外加一条

iptables -t nat -A PREROUTING -s 192.168.0.0/24 -i eth1 -p upd --dport 53 -j REDIRECT --to-port 53

强制所有内网DNS请求都有网关解析。

与本文关系暧昧的文字

© xiao H for LinuxByte, 2011
Source: 网吧Linux 网关设置记录补充
Post tags: , , ,

标签:, , ,

Feed enhanced by Better Feed from Ozh

]]> http://www.linuxbyte.org/wang-ba-linux-wang-guan-she-zhi-ji-lu-bu-chong.html/feed 0 refresh_pattern 学习范例 http://www.linuxbyte.org/refreshpattern-xue-xi-fan-li.html http://www.linuxbyte.org/refreshpattern-xue-xi-fan-li.html#comments Thu, 03 Mar 2011 09:46:56 +0000 xiao H http://www.linuxbyte.org/?p=627 一份很强的refresh_pattern 规则。关于refresh_pattern 的用法可以阅读扶凯的文章

# $Rev$
# chudy_fernandez@yahoo.com
# 1 year = 525600 mins, 1 month = 43800 mins
refresh_pattern (get_video|videoplayback|videodownload|\.flv).*(begin|start)\=[1-9][0-9]*	0 0% 0
refresh_pattern imeem.*\.flv 		0 0% 0 				override-lastmod override-expire
refresh_pattern ^ftp:				40320	20%	40320 	override-expire reload-into-ims store-stale
refresh_pattern ^gopher:			1440	0%	1440 
refresh_pattern code.googlec.com.*(svn|download)			0	50%	1440	reload-into-ims
 
#ads
refresh_pattern ^.*(streamate.doublepimp.com.*\.js\?|utm\.gif|ads\?|rmxads\.com|ad\.z5x\.net|bh\.contextweb\.com|bstats\.adbrite\.com|a1\.interclick\.com|ad\.trafficmp\.com|ads\.cubics\.com|ad\.xtendmedia\.com|\.googlesyndication\.com|advertising\.com|yieldmanager|game-advertising\.com|pixel\.quantserve\.com|adperium\.com|doubleclick\.net|adserving\.cpxinteractive\.com|syndication\.com|media.fastclick.net).* 5259487 20% 5259487 ignore-no-cache ignore-no-store ignore-private override-expire ignore-reload ignore-auth ignore-must-revalidate store-stale negative-ttl=40320 max-stale=1440
 
#antivirus
refresh_pattern avast.com.*\.vpx																			40320 50% 161280		store-stale reload-into-ims
refresh_pattern (avgate|avira).*\.(idx|gz)$																	1440 90% 1440 			ignore-reload ignore-no-cache ignore-no-store store-stale ignore-must-revalidate 
refresh_pattern kaspersky.*\.avc$																			5259487 999999% 5259487	ignore-reload store-stale
refresh_pattern kaspersky																					1440 50% 161280			ignore-no-cache store-stale
refresh_pattern mbamupdates.com.*\.ref																		1440 50% 161280			reload-into-ims store-stale
 
#specific sites
refresh_pattern \.rapidshare.*\/[0-9]*\/.*\/[^\/]* 															161280	90%	161280 ignore-reload store-stale
refresh_pattern (get_video\?|videoplayback\?|videodownload\?|\.flv\?|\.fid\?) 										5259487 99999999% 5259487 override-expire ignore-reload store-stale ignore-private negative-ttl=0
refresh_pattern \.(ico|video-stats) 																		5259487 999999% 5259487	override-expire ignore-reload ignore-no-cache ignore-no-store ignore-private ignore-auth override-lastmod ignore-must-revalidate negative-ttl=10080 store-stale
refresh_pattern \.etology\?	 																				5259487 999999% 5259487	override-expire ignore-reload ignore-no-cache store-stale
refresh_pattern galleries\.video(\?|sz) 																	5259487 999999% 5259487	override-expire ignore-reload ignore-no-cache store-stale
refresh_pattern brazzers\?	 																				5259487 999999% 5259487	override-expire ignore-reload ignore-no-cache store-stale
refresh_pattern \.adtology\?																				5259487 999999% 5259487	override-expire ignore-reload ignore-no-cache store-stale
refresh_pattern ^.*safebrowsing.*google 																	5259487 999999% 5259487	override-expire ignore-reload ignore-no-cache ignore-no-store ignore-private ignore-auth ignore-must-revalidate negative-ttl=10080 store-stale
refresh_pattern ^http://((cbk|mt|khm|mlt)[0-9]?)\.google\.co(m|\.uk) 										5259487 999999% 5259487	override-expire ignore-reload store-stale ignore-private negative-ttl=10080
refresh_pattern ytimg\.com.*\.(jpg|png)																		5259487 999999% 5259487	override-expire ignore-reload store-stale
refresh_pattern images\.friendster\.com.*\.(png|gif) 														5259487 999999% 5259487	override-expire ignore-reload store-stale
refresh_pattern ((facebook.com)|(85.131.151.39)).*\.(png|gif)												5259487 999999% 5259487	override-expire ignore-reload store-stale
refresh_pattern garena\.com																					5259487 999999% 5259487	override-expire reload-into-ims store-stale
refresh_pattern photobucket.*\.(jp(e?g|e|2)|tiff?|bmp|gif|png) 												5259487 999999% 5259487	override-expire ignore-reload store-stale
refresh_pattern vid\.akm\.dailymotion\.com.*\.on2\? 														5259487 999999% 5259487	ignore-no-cache override-expire override-lastmod store-stale
refresh_pattern .fbcdn.net.*\.(jpg|gif|png)																	5259487 999999% 5259487	ignore-no-cache override-expire ignore-reload store-stale negative-ttl=0
refresh_pattern ^http:\/\/images|pics|thumbs[0-9]\. 														5259487 999999% 5259487	ignore-no-cache ignore-no-store ignore-reload override-expire store-stale
refresh_pattern ^http:\/\/www.onemanga.com.*\/ 																5259487 999999% 5259487	reload-into-ims override-expire store-stale
refresh_pattern mediafire.com\/images.*\.(jp(e?g|e|2)|tiff?|bmp|gif|png) 									5259487 999999% 5259487	reload-into-ims override-expire ignore-private store-stale
 
#general
refresh_pattern \.(jp(e?g|e|2)|tiff?|bmp|gif|png) 															5259487 999999% 5259487	ignore-no-cache ignore-no-store reload-into-ims override-expire ignore-must-revalidate store-stale
refresh_pattern \.(z(ip|[0-9]{2})|r(ar|[0-9]{2})|jar|bz2|gz|tar|rpm|vpu) 									5259487 999999% 5259487	override-expire reload-into-ims
refresh_pattern \.(mp3|wav|og(g|a)|flac|midi?|rm|aac|wma|mka|ape) 											5259487 999999% 5259487	override-expire reload-into-ims ignore-reload
refresh_pattern \.(exe|msi|dmg|bin|xpi|iso|swf|mar|psf|cab)													5259487 999999% 5259487	override-expire reload-into-ims ignore-no-cache ignore-must-revalidate
refresh_pattern \.(mpeg|ra?m|avi|mp(g|e|4)|mov|divx|asf|wmv|m\dv|rv|vob|asx|ogm|flv|3gp|on2)				5259487 9999999% 5259487 override-expire reload-into-ims
refresh_pattern -i (cgi-bin) 0 0% 0
refresh_pattern \.(php|jsp|cgi|asx)\? 0 0% 0
refresh_pattern . 0 50% 161280 store-stale

与本文关系暧昧的文字

© xiao H for LinuxByte, 2011
Source: refresh_pattern 学习范例
Post tags: ,

标签:,

Feed enhanced by Better Feed from Ozh

]]> http://www.linuxbyte.org/refreshpattern-xue-xi-fan-li.html/feed 0 Squid 透明代理优化 http://www.linuxbyte.org/squid-tou-ming-dai-li-you-hua.html http://www.linuxbyte.org/squid-tou-ming-dai-li-you-hua.html#comments Wed, 02 Mar 2011 12:14:20 +0000 xiao H http://www.linuxbyte.org/?p=626 主要记录下用Squid 做正向代理(透明代理)时的优化设置,一切尚在调试中所以下面的优化方式未必都是正确的。

内核调整
/etc/sysctl.conf 下面添加

net.ipv4.netfilter.ip_conntrack_tcp_timeout_established =900
net.ipv4.icmp_echo_ignore_all = 0
net.ipv4.conf.all.proxy_arp = 1
net.ipv4.tcp_synack_retries = 3
net.ipv4.ip_conntrack_max = 81920
net.ipv4.tcp_fin_timeout = 5
net.ipv4.tcp_keepalive_time = 1200
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.ip_local_port_range = 1024 65000
net.ipv4.tcp_max_syn_backlog = 8192
net.ipv4.tcp_max_tw_buckets = 5000

使设置生效

 /sbin/sysctl -p

文件系统设置
将squid缓存放入独立的文件系统中,文件系统格式建议用Reiserfs,挂载时使用’noatime’参数提高IO性能。

LABEL=/squid             /squid               reiserfs    defaults,noatime     0 0

squid.conf

http_port 192.168.0.254:3128 transparent
cache_mgr hew@linuxbyte.org
cache_mem 512 MB
cache_dir ufs /squid/squid 51200 12 256
maximum_object_size_in_memory 128 KB
maximum_object_size 64 MB
 
#cache_access_log /var/log/squid/access.log squid
cache_access_log none
cache_log none
cache_store_log none
#logfile_rotate 4
 
max_filedesc 6144
pipeline_prefetch on
memory_pools off
memory_pools_limit none
mime_table /etc/squid/mime.conf
 
refresh_pattern -i \.css$ 1440 50% 129600 reload-into-ims
refresh_pattern -i \.xml$ 1440 50% 129600 reload-into-ims
refresh_pattern -i \.htm$ 1440 90% 129600 reload-into-ims
refresh_pattern -i \.html$ 1440 90% 129600 reload-into-ims
refresh_pattern -i \.shtml$ 1440 90% 129600 reload-into-ims
refresh_pattern -i \.png$ 1440 90% 129600 reload-into-ims
refresh_pattern -i \.jpg$ 1440 90% 129600 reload-into-ims
refresh_pattern -i \.jpeg$ 1440 90% 129600 reload-into-ims
refresh_pattern -i \.gif$ 1440 90% 129600 reload-into-ims
refresh_pattern -i \.bmp$ 1440 90% 129600 reload-into-ims
refresh_pattern -i \.js$ 1440 90% 129600 reload-into-ims
 
refresh_pattern -i \.mp3$ 1440 50% 2880 ignore-reload
refresh_pattern -i \.wmv$ 1440 50% 2880 ignore-reload
refresh_pattern -i \.rm$ 1440 50% 2880 ignore-reload
refresh_pattern -i \.swf$ 1440 50% 2880 ignore-reload
refresh_pattern -i \.mpeg$ 1440 50% 2880 ignore-reload
refresh_pattern -i \.wma$ 1440 50% 2880 ignore-reload
 
refresh_pattern -i \.exe$ 1440 50% 2880 ignore-reload
refresh_pattern -i \.rar$ 1440 50% 2880 ignore-reload
refresh_pattern -i \.zip$ 1440 50% 2880 ignore-reload
refresh_pattern -i \.gz$ 1440 50% 2880 ignore-reload
refresh_pattern -i \.bz2$ 1440 50% 2880 ignore-reload
refresh_pattern -i \.7z$ 1440 50% 2880 ignore-reload
 
client_lifetime 1 hours
half_closed_clients off
visible_hostname proxy.linuxbyte.org
 
cache_effective_user squid
cache_effective_group squid
 
cache_swap_low 75
cache_swap_high 95
 
dns_nameservers 192.168.0.254
 
acl QUERY urlpath_regex -i cgi-bin \?
cache deny QUERY
 
acl all src 0.0.0.0/0
acl localnet src 192.168.0.0/24
http_access allow localnet
http_access deny all

与本文关系暧昧的文字

© xiao H for LinuxByte, 2011
Source: Squid 透明代理优化
Post tags: ,

标签:,

Feed enhanced by Better Feed from Ozh

]]> http://www.linuxbyte.org/squid-tou-ming-dai-li-you-hua.html/feed 0 关于squid的一些记录 http://www.linuxbyte.org/guan-yu-squid-de-yi-xie-ji-lu.html http://www.linuxbyte.org/guan-yu-squid-de-yi-xie-ji-lu.html#comments Tue, 01 Mar 2011 06:07:26 +0000 xiao H http://www.linuxbyte.org/?p=624 max_filedesc 问题
CentOS 5 中自带 Squid 是打过REDHAT的fd补丁的,所以可以直接用max_filedesc 参数加大squid 的最大文件打开数,不过在启动squid之前要运行下

ulimit -HSn xxxxx


关于这个问题更多的可阅读下面文章:
http://www.linuxbyte.org/squid-max_filedesc.html

maximum_object_size_in_memory 的大小

查看Cache information for squid:中下面这段

Storage Swap size: 7549104 KB
Storage Mem size: 418804 KB
Mean Object Size: 160.46 KB

Mean Object Size是平均内容大小,一般要把maximum_object_size_in_memory设置成离它最近的128的倍数。在这个例子中maximum_object_size_in_memory 的值应该是256kB。

与本文关系暧昧的文字

© xiao H for LinuxByte, 2011
Source: 关于squid的一些记录
Post tags: ,

标签:,

Feed enhanced by Better Feed from Ozh

]]> http://www.linuxbyte.org/guan-yu-squid-de-yi-xie-ji-lu.html/feed 0 Squid 限制用户并发连接数 http://www.linuxbyte.org/squid-xian-zhi-yong-hu-bing-fa-lian-jie-shu-2.html http://www.linuxbyte.org/squid-xian-zhi-yong-hu-bing-fa-lian-jie-shu-2.html#comments Sat, 29 May 2010 05:21:42 +0000 xiao H http://www.linuxbyte.org/?p=561 在squid.conf 下加如下配置

client_db  on
acl client_10 src 192.168.0.0/32
acl maxconnect maxconn 10
http_access deny client_10 maxconnect

与本文关系暧昧的文字

© xiao H for LinuxByte, 2010
Source: Squid 限制用户并发连接数
Post tags: ,

标签:,

Feed enhanced by Better Feed from Ozh

]]> http://www.linuxbyte.org/squid-xian-zhi-yong-hu-bing-fa-lian-jie-shu-2.html/feed 2 升级squid 2.6 到2.7 的冤枉路 http://www.linuxbyte.org/%e5%8d%87%e7%ba%a7squid-26-%e5%88%b027-%e7%9a%84%e5%86%a4%e6%9e%89%e8%b7%af.html http://www.linuxbyte.org/%e5%8d%87%e7%ba%a7squid-26-%e5%88%b027-%e7%9a%84%e5%86%a4%e6%9e%89%e8%b7%af.html#comments Tue, 02 Mar 2010 05:58:52 +0000 xiao H http://www.linuxbyte.org/?p=510 昨天用这里提到的包升级squid 2.6 到2.7 ,本以为很简单直接rpm -U 后就能轻松搞定的事因为自己的不细致折腾了很久。我先停用squid 服务然后直接rpm -U 完成后再重启时,squid 没有提示就直接start failed,第一反应是配置文件有问题,2.6到2.7 有些tag 已经作废了,会不会是这个原因,仔细检查没发现squid.conf 有什么不妥,检查日志发现如下提示布满屏幕。

Mar  1 16:58:56 localhost squid[30450]: Squid Parent: child process 30592 started 
Mar  1 16:58:57 localhost squid[30592]: Cannot open HTTP Port
Mar  1 16:58:57 localhost squid[30450]: Squid Parent: child process 30592 exited due to signal 6

放狗搜索Cannot open HTTP Port 结果全是squid 在BSD 下低于1024 端口遇到问题的解决方案,而我开的是3128 显然也都是无用的。
于是继续放狗Squid Parent: child process 30592 exited due to signal 6,结果还是没找到答案,大多数情况是有这个提示还被配合signal 25,而signal 25 显然是因为squid 日志被写满造成的,而单个signal 6 的都没答案。寻遍squid 官方wiki,maillist 和其他常去的论坛站点没答案。
于是又回到 Cannot open HTTP Port,显然BSD 下的1024 端口问题不是答案,那会不会是什么东西占了3128呢?

nmap 192.168.0.254 -p 3128

结果让我内牛满面,不知道为什么虽然我用/etc/init.d/squid stop 停止squid 服务时系统提示给了一个绿绿的OK,但结果是nmap的答案是“3128/tcp open squid-http”,剩下来就简单了,lsof -i:3128 找到pid 然后kill -9 pid。再启动squid 服务时一切正常。
总得来说这次问题是自己看日志不仔细,看到 Cannot open HTTP Port 时直接nmap 检查一下就什么问题都没了。
另:升级到2.7 开始http 1.1 支持后似乎squid 的命中率降低很多,继续观察看看是否有必要开启 http 1.1 支持。

与本文关系暧昧的文字

© xiao H for LinuxByte, 2010
Source: 升级squid 2.6 到2.7 的冤枉路
Post tags:

标签:

Feed enhanced by Better Feed from Ozh

]]> http://www.linuxbyte.org/%e5%8d%87%e7%ba%a7squid-26-%e5%88%b027-%e7%9a%84%e5%86%a4%e6%9e%89%e8%b7%af.html/feed 0 Squid unofficial support for RHEL/CentOS http://www.linuxbyte.org/squid-unofficial-support-for-rhelcentos.html http://www.linuxbyte.org/squid-unofficial-support-for-rhelcentos.html#comments Mon, 01 Mar 2010 06:13:40 +0000 xiao H http://www.linuxbyte.org/?p=509 Red Hat Enterprise Linux for Squid 的非官方支持包
有Squid 2.6/2.7 for RHEL4,Squid 2.6/2.7/3.0 for RHEL5。
虽然是非官方包,但包的质量还是可以的,稳定性各方面都不错。强烈推荐squid 2.7 既有3.0 的新特性,较好的http 1.1 支持,又有2.6 的稳定和速度。
http://people.redhat.com/~jskala/squid/

与本文关系暧昧的文字

© xiao H for LinuxByte, 2010
Source: Squid unofficial support for RHEL/CentOS
Post tags:

标签:

Feed enhanced by Better Feed from Ozh

]]> http://www.linuxbyte.org/squid-unofficial-support-for-rhelcentos.html/feed 0 网吧每IP 限速补充(squid 限速) http://www.linuxbyte.org/wang-ba-mei-ip-xian-su-bu-chong-squid-xian-su.html http://www.linuxbyte.org/wang-ba-mei-ip-xian-su-bu-chong-squid-xian-su.html#comments Sat, 30 Jan 2010 17:00:32 +0000 xiao H http://www.linuxbyte.org/?p=503 之前的Iptables+tc 网吧每IP 限速脚本一文中有一个问题需要补充,如果同时使用squid 做透明代理会使该脚本失效。
做透明代理时有一条iptables规则

iptables -A PREROUTING -s 192.168.0.0/24 -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128

这一规则把所有内网80端口的请求都转发到了网关,如此一来所有向外网的普通http 请求者都成了网关(192.168.0.254),而网关是不做限速的,所以所有http下载都不被限速了。

所以为了能现在http下载,我们要使用squid 的限速功能,配置命令如下:

acl LIMIT_IP src 192.168.0.0/25 
delay_pools 1
delay_class 1 2
delay_access 1 allow LIMIT_IP
delay_parameters 1 -1/-1 500000/500000

squid 的限速控制不是很精确限速500000 bytes/sec 的浮动在4xx/KB 到8XX/KB 之间 -__-!

与本文关系暧昧的文字

© xiao H for LinuxByte, 2010
Source: 网吧每IP 限速补充(squid 限速)
Post tags: ,

标签:,

Feed enhanced by Better Feed from Ozh

]]> http://www.linuxbyte.org/wang-ba-mei-ip-xian-su-bu-chong-squid-xian-su.html/feed 4 新版qzone 无法被squid 缓存 http://www.linuxbyte.org/qzone-squid-iptables.html http://www.linuxbyte.org/qzone-squid-iptables.html#comments Wed, 08 Oct 2008 15:39:32 +0000 xiao H http://www.linuxbyte.org/?p=274 腾讯更新了qzone程序,不知腾讯的工程师做了些什么反正不能通过squid 正常访问 qzone了,所以只能用iptables 跳过让访问squid,方法如下:

 iptables -t nat -I PREROUTING -d 58.61.166.61 -p tcp -m tcp --dport 80 -j ACCEPT

目前只能用这办法先凑活着,原因慢慢找吧。

与本文关系暧昧的文字

© xiao H for LinuxByte, 2008
Source: 新版qzone 无法被squid 缓存
Post tags: ,

标签:,

Feed enhanced by Better Feed from Ozh

]]> http://www.linuxbyte.org/qzone-squid-iptables.html/feed 3 squid+havp+clamav搭建防毒代理 http://www.linuxbyte.org/squid-havp-clamav.html http://www.linuxbyte.org/squid-havp-clamav.html#comments Thu, 21 Aug 2008 10:03:08 +0000 xiao H http://www.linuxbyte.org/?p=224 今天在CU 瞎逛的时候发现了一个好东西HAVP–HAVP (HTTP AntiVirus proxy) is a proxy with an anti-virus filter.它可以配合iptables+squid+clamav 为我们的透明代理加上防病毒功能,其实就是在squid 前面加一个有病毒检测的父代理。我忍不住就在网吧的网关上体验了一下。具体操作如下:

由于我之前已经做好了透明代理所以这部分内容就不讲了,不了解的同学请查看前文。所以我们现在要做的就是装上clamav和havp,然后配置相关服务。
1.安装设置clamav
这个可以直接从yum 安装
# yum install clamav clamav-db clamav-devel

2.安装设置havp
 a. 安装
   这个没在yum 源里找到所以只能自己用源码编译了。
  # http://www.server-side.de/download/havp-0.89.tar.gz
  # tar zxvf havp-0.89.tar.gz
  # cd havp-0.89
  # ./configure
  # make
  # make install
  下载源码,解包,编译安装这个实在没什么要多说的。
 b.  配置havp
  havp的配置文件为 /usr/local/etc/havp.config,具体内容如下:

CLAMDBDIR /var/clamav
ENABLEARCAVIR false
ENABLEAVAST false
ENABLEAVESERVER false
ENABLEAVG false
ENABLECLAMD false
ENABLECLAMLIB true
ENABLEDRWEB false
ENABLEFPROT false
ENABLENOD32 false
ENABLESOPHIE false
ENABLETROPHIE false
FORWARDED_IP true
GROUP clamav
LOG_OKS false
TEMPDIR /var/tmp/havp
TRANSPARENT false
USER clamav
SCANIMAGES false
SERVERNUMBER 60
MAXSERVERS 120
BIND_ADDRESS 127.0.0.1
PORT 8080

这个是我的最终文件,自带的文件是有注释的,大家可以对照注释去看这些配置语句的含义,我看那个注释太长太碍眼所以清理掉了。ENABLECLAMLIB true ,CLAMDBDIR /var/clamav,GROUP clamav ,USER clamav 这些是为了针对clamav做的。

修改相关目录的宿主和属性:
chown clamav.clamav /var/tmp/havp /var/log/havp /var/run/havp
chmod 700 /var/tmp/havp /var/log/havp /var/run/havp

创建一个虚拟磁盘作为havp 的缓存空间
dd if=/dev/zero of=/data/havp.img bs=256K count=1 seek=1024 (这里的文件位置和大小大家自己控制) 
 mount -o loop,mand /data/havp.img /var/tmp/havp
将挂载项写入fstab
/data/havp.img      /var/tmp/havp           ext2    mand,loop       0 0

内存大的同学可以直接用ramdisk。

3.修改squid 设置
  在squid.conf加入如下语句
  cache_peer 127.0.0.1 parent 8080 0 no-query no-digest no-netdb-exchange default

4.启动服务
 # /usr/local/sbin/havp
 # /etc/init.d/squid reload

一切完成后打开这个网址,下载一个测试病毒,如果系统设置成功的话就会看到一个页面。

系统默认页面是一个英文页面,你可以修改/usr/local/etc/havp/templates/en/virus.html 文件自定义提示页面。

与本文关系暧昧的文字

© xiao H for LinuxByte, 2008
Source: squid+havp+clamav搭建防毒代理
Post tags: , , ,

标签:, , ,

Feed enhanced by Better Feed from Ozh

]]> http://www.linuxbyte.org/squid-havp-clamav.html/feed 4