一、设定squid相关内核参数
cat >> /etc/sysctl.conf << EOF
# Squid FD相关内核参数
fs.file-max = 1000000
fs.nr_open = 1048576
# 高并发补充参数(可选)
net.core.somaxconn = 65535
net.ipv4.tcp_max_syn_backlog = 65535
net.core.netdev_max_backlog = 65535
echo "net.core.rmem_max=33554432"
echo "net.core.wmem_max=33554432"
EOF
# 生效内核参数
sysctl -p
二、安装squid7.4
yum install -y autoconf automake libtool-ltdl-devel flex bison ed
# 创建用户/组
useradd -r -s /sbin/nologin squid
# 进入Squid源码目录(以官方预打包squid-7.4为例)
cd /tmp/squid-7.4
步骤 1:安装 bootstrap 依赖(生成 configure 必需)
# 在 squid-SQUID_7_4 目录下执行
./bootstrap.sh
# 下载最新的config.sub/config.guess(适配AlmaLinux 10.1)
wget -O cfgaux/config.sub https://git.savannah.gnu.org/cgit/config.git/plain/config.sub
wget -O cfgaux/config.guess https://git.savannah.gnu.org/cgit/config.git/plain/config.guess
chmod +x cfgaux/config.sub cfgaux/config.guess
# 导出依赖环境变量(手动编译的nghttp3/ngtcp2/nghttp2)
export PKG_CONFIG_PATH=/usr/local/nghttp3/lib/pkgconfig:/usr/local/ngtcp2/lib/pkgconfig:/usr/local/nghttp2/lib/pkgconfig:$PKG_CONFIG_PATH
export LD_LIBRARY_PATH=/usr/local/nghttp3/lib:/usr/local/ngtcp2/lib:/usr/local/nghttp2/lib:$LD_LIBRARY_PATH
export CFLAGS="-I/usr/local/nghttp3/include -I/usr/local/ngtcp2/include -I/usr/local/nghttp2/include"
export LDFLAGS="-L/usr/local/nghttp3/lib -L/usr/local/ngtcp2/lib -L/usr/local/nghttp2/lib"
#编译安装
./configure \
--prefix=/opt/squid \
--build=x86_64-pc-linux-gnu \
--host=x86_64-pc-linux-gnu \
--enable-gnuregex \
--disable-carp \
--enable-async-io=240 \
--with-pthreads \
--enable-storeio=ufs,aufs,diskd \
--disable-wccp \
--enable-icmp \
--enable-cachemgr-hostname=localhost \
--with-maxfd=65535 \
--enable-linux-netfilter \
--enable-large-cache-files \
--disable-ident-lookups \
--enable-default-hostsfile=/etc/hosts \
--with-dl \
--with-large-files \
--enable-delay-pools \
--enable-snmp \
--disable-internal-dns \
--enable-underscore \
--enable-arp-acl \
--enable-quic \
--with-nghttp3=/usr/local/nghttp3 \
--with-ngtcp2=/usr/local/ngtcp2 \
--with-nghttp2=/usr/local/nghttp2 \
--enable-ssl \
--enable-ssl-proxy \
--enable-ssl-crtd \
--enable-prometheus \
--with-openssl \
--with-pcre=/tmp/pcre2-10.47 \
--with-epoll \
--enable-removal-policies="heap,lru" \
--enable-acl-cache \
--enable-acl \
--enable-header-rewrite \
--with-error-dir=$(pwd)/errors \
--enable-header-modifications \
--enable-vary-cache \
--with-nghttp2 \
CXXFLAGS="-std=c++20 -Wno-error" \
CFLAGS="-Wno-error"
#新增:强制使用C++20标准,适配Squid 7.4代码
CXXFLAGS="-std=c++20 -Wno-error" \
新增:关闭-Werror,避免语法警告中断编译
CFLAGS="-Wno-error"
这两个参数可以不加
--enable-cache-digests \
--enable-cache-key \
make -j 1 && make install
以后安装注意加上–enable‑ocsp参数,用于适配 ocsp_enable/sslproxy_certificate_validation 等指令
#拷贝https证书 创建目录(缓存/日志)
cp /tmp/testdomain.com-cert.pem /opt/squid/etc/testdomain-combined.pem
cp /tmp/testdomain.com-key.pem /opt/squid/etc/testdomain-combined.key
cat /opt/squid/etc/squid.conf
==================squid.conf开始=============
# ====================== 基础配置 ======================
cache_effective_user squid
cache_effective_group squid
visible_hostname cache.test.com
cache_mgr [email protected]
tcp_recv_bufsize 65536 bytes
# ====================== HTTPS反向代理核心(7.4 稳定版) ======================
https_port 443 accel vhost defaultsite=testdomain.com \
tls-cert=/opt/squid/etc/testdomain.com-cert.pem \
tls-key=/opt/squid/etc/testdomain.com-key.pem
# 源站配置(7.4 兼容版)
cache_peer 47.84.62.225 parent 443 0 no-query originserver ssl sslflags=DONT_VERIFY_PEER
# ====================== 关键:回传客户端真实IP到源站(7.4 原生方案) ======================
# 1. 核心:启用forwarded_for,Squid会自动添加X-Forwarded-For头(7.4 原生支持)
forwarded_for on
# 2. 禁用Squid自动添加的X-Forwarded-Port/X-Forwarded-Ssl(保留)
# 保留原有Host头和协议头替换
request_header_access X-Forwarded-Port deny all
request_header_access X-Forwarded-Ssl deny all
# 确保这些IP头不被过滤,强制透传
request_header_access X-Real-IP allow all
request_header_access X-Forwarded-For allow all
request_header_access X-Forwarded-Proto allow all
# 3. Host头和协议头替换(7.4 兼容:仅用固定字符串)
request_header_replace Host "testdomain.com"
request_header_add X-Forwarded-Proto "https"
# ====================== 若有Nginx前置(7.4 兼容方案) ======================
# 如果Squid前面有Nginx,需先让Nginx传递X-Forwarded-For,再配置:
# forwarded_for transparent # 透明模式,直接转发Nginx传递的X-Forwarded-For,不叠加Squid IP
# request_header_replace Host "testdomain.com"
# request_header_add X-Forwarded-Proto "https"
# ====================== 缓存配置 ======================
cache_mem 512 MB
maximum_object_size 10 MB
maximum_object_size_in_memory 6 MB
cache_dir ufs /data/squidcache 4096 64 256
cache_swap_high 95
cache_swap_low 80
cache_store_log none
cache_replacement_policy heap GDSF # 优先保留静态文件缓存
memory_replacement_policy heap LFUDA # 内存缓存优先保留高频访问文件
# ====================== 关键:精准控制静态文件忽略查询字符串(7.4兼容) ======================
# 1. 第一步:定义静态文件ACL(给后缀规则起个名称)
acl static_files urlpath_regex -i \.(jpg|jpeg|png|gif|ico|webp|css|js|woff2|woff|ttf|mp4|mp3|avi|amr|mid|mmf|3gp|mpeg|rm|wmv)$
# ====================== 新增:替换alt-svc响应头 ======================
header_replace alt-svc 'h3=":443", h3-29=":443", h2=":443"; ma=86400' all
# 3. 忽略客户端差异化请求头(7.4必支持的request_header_access)
request_header_access User-Agent deny static_files
request_header_access Accept deny static_files
request_header_access Accept-Language deny static_files
request_header_access Referer deny static_files
request_header_access Cookie deny static_files
request_header_access Cache-Control deny static_files
request_header_access Pragma deny static_files
# ====================== 缓存规则(确保静态文件能缓存,动态文件不缓存) ======================
# 2. 第二步:定义WordPress专属ACL(仅testdomain.com生效,7.4兼容版)
acl wp_domain dstdomain .testdomain.com
# 替换url_query:用urlpath_regex匹配WP允许缓存的查询参数(p/cat/tag/page_id等)
acl wp_cache_query urlpath_regex -i \?(p|cat|tag|page_id|attachment_id|author|feed)=[0-9a-zA-Z_-]+(&.*)?$
# 保留原有不缓存的ACL(7.4兼容)
acl wp_no_cache_path urlpath_regex -i ^/wp-admin/ ^/wp-login.php ^/xmlrpc.php ^/wp-(admin|login|comments|cron)
acl wp_no_cache_param urlpath_regex -i \?(.*&)?(preview=true|edit=true|comment=)(&.*)?$
acl dynamic_scripts urlpath_regex -i \.(php|jsp|asp|aspx|json)$
acl custom_dynamic_scripts urlpath_regex -i \.(abc|xyz|def)$ # 替换成你的自定义动态后缀
# 3. 第三步:缓存允许/禁止规则(7.4完全兼容)
# 允许静态文件缓存
cache allow static_files # 放行所有域名的静态文件缓存(核心!)
cache allow wp_domain wp_cache_query # 仅WP域名,匹配允许的查询参数才缓存(核心!)
cache deny wp_domain wp_no_cache_path # 禁止WP域名的后台/登录页
cache deny wp_domain wp_no_cache_param # 禁止WP域名的编辑/预览参数
cache deny dynamic_scripts custom_dynamic_scripts # 禁止所有域名的动态脚本
# 第三步:默认禁止所有未明确放行的内容(必须在最后)
cache deny all # 默认禁止所有未放行内容
# 静态资源:强制缓存1天,忽略源站缓存头(核心触发hit)
# 静态文件强制缓存,忽略源站的Vary头(避免源站返回Vary: User-Agent导致缓存差异化)
refresh_pattern -i \.(jpg|jpeg|png|gif|ico|webp)$ 1440 80% 43200 ignore-reload override-expire override-lastmod # 核心:7.4兼容的忽略Vary头 # 图片缓存1天
refresh_pattern -i \.(css|js|woff2|woff|ttf)$ 1440 80% 43200 ignore-reload override-expire override-lastmod # 样式/脚本缓存1天
refresh_pattern -i \.(mp4|mp3|avi|amr|mid|mmf|3gp|mpeg|rm|wmv)$ 1440 80% 43200 ignore-reload override-expire override-lastmod # 音频/视频缓存1天
# WordPress 页面缓存规则(7.4兼容,替换url_query为urlpath_regex)
refresh_pattern -i \?(p|cat|tag|page_id|attachment_id|author|feed)= 600 50% 7200 \
override-expire \
ignore-no-store \
ignore-private \
reload-into-ims \
ignore-reload
refresh_pattern . 5 25% 2880 ignore-reload # 动态页面备用缓存规则(当前不生效)
# 日志配置
# ====================== 7.4兼容版日志格式 ======================
logformat squid_combined "%>a %{%Y-%m-%d %H:%M:%S}tl %tl \"%rm %ru\" \"%rv\" %>Hs %<st \"%{Referer}>h\" \"%{User-Agent}>h\" %Ss:%Sh"
access_log /log/squid/access.log squid_combined
cache_log /log/squid/cache.log
logfile_rotate 31
# ====================== 访问控制规则(无冗余警告) ======================
# 1. 仅定义非内置的ACL(删除手动的localhost定义)
acl Localhost_Mgr src 192.168.0.200
acl client_ip src all
acl PURGE method PURGE
# 2. 最高优先级:允许PURGE方法(用内置localhost)
http_access allow PURGE localhost Localhost_Mgr
http_access deny PURGE
# 3. 第二优先级:允许本地IP(用内置localhost)
http_access allow localhost
http_access allow Localhost_Mgr
# 5. 第四优先级:禁止favicon.ico
acl block_favicon urlpath_regex -i ^/favicon.ico$
http_access deny block_favicon
# 4. 第三优先级:域名白名单
acl allowed_domains dstdomain testdomain.com www.testdomain.com testdomain.online
http_access deny !allowed_domains
# 新增:极简防盗链规则,
# 匹配你的域名(所有子域名) + 空referer
acl allowed_referer referer_regex -i testdomain.com www.testdomain.com
acl notnull_refer referer_regex .
http_access allow static_files !notnull_refer
http_access deny static_files !allowed_referer
deny_info https://www.testdomain.com/logo.gif allowed_referer
# 6. 第五优先级:并发限制(用内置localhost)
acl high_conn_limit maxconn 50
http_access deny !localhost high_conn_limit
# 7. 第六优先级:防爬虫规则
acl anti_spider_ua req_header User-Agent -i Baiduspider Sosospider 360Spider YisouSpider Bytespider
http_access deny anti_spider_ua
acl spider_rate_limit srcdomain baidu.com sogou.com
acl spider_conn_limit maxconn 10
http_access deny spider_rate_limit spider_conn_limit
# 8. 第七优先级:允许所有合法请求
http_access allow client_ip
# 9. 最后:默认禁止
http_access deny all
icp_port 0
==================squid.conf结束=============
启动
chown -Rf squid:squid /opt/squid /data /log/squid /opt/squid/run /opt/squid/etc/ignore_query /data/squidcache
chmod -R 0755 /data /log/squid
chown -Rf squid:squid /opt/squid /log/squid /opt/squid/run /data/squidcache
/opt/squid/sbin/squid -k parse
/opt/squid/sbin/squid -z
/opt/squid/sbin/squid -N -d1
开机自启(未测试)
cat > /usr/lib/systemd/system/squid.service << EOF
[Unit]
Description=Squid Cache Proxy
After=network.target
[Service]
Type=forking
ExecStart=/opt/squid/sbin/squid -s
ExecReload=/opt/squid/sbin/squid -k reconfigure
ExecStop=/opt/squid/sbin/squid -k shutdown
User=squid
Group=squid
Restart=on-failure
[Install]
WantedBy=multi-user.target
EOF
systemctl daemon-reload
systemctl enable squid
其他
1.多域名证书不是用echo合并多个域名证书,而是用acme一次性生成支持多个域名的证书
2.纯静态资源应该用以下缓存策略
#磁盘缓存:Heap-LFU (Least Frequently Used)
cache_replacement_policy heap LFU
#内存缓存:Heap-LRU (Least Recently Used)
memory_replacement_policy heap LRU
3.refresh_pattern常用参数说明(已在最终配置中体现)
refresh_pattern -i \.(woff2|css|js...)$ 10 100% 60 \
ignore-reload # 忽略客户端的刷新请求
override-expire # 忽略源站的过期头,强制使用Squid的缓存时长
override-lastmod # 忽略源站的文件修改时间
ignore-no-store # 忽略源站的“禁止缓存”头
ignore-private # 忽略源站的“私有缓存”头
store-stale # 即使缓存过期,也直接返回,不验证
-
后端 Nginx 接收真实 IP 的示例配置(配套)未验证
若你的后端是 Nginx,需在 Nginx 配置中添加server { listen 443 ssl; server_name www.yourdomain.com; # 信任Squid的IP(Squid服务器IP) set_real_ip_from 192.168.1.100; # Squid服务器IP real_ip_header X-Forwarded-For; # 从X-Forwarded-For获取真实IP real_ip_recursive on; # 递归解析(若有多层代理) # 日志中打印真实IP log_format main '$remote_addr [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" "$http_x_forwarded_for"'; access_log /var/log/nginx/access.log main; }
5.要实现忽略字符串功能,需要用c文件配合,squid7.4默认不支持部分过滤,只支持全局删除,参数是strip_query_terms on
mkdir -p /data/ssd_cache /data/hdd_cache /log/squid /opt/squid/run /opt/squid/etc/ignore_query
echo " " > /opt/squid/etc/ignore_query/ignore_domains.acl # 场景1:仅域名
echo " " > "/opt/squid/etc/ignore_query/ignore_dirs.acl" # 场景2:域名+目录
echo " " > "/opt/squid/etc/ignore_query/ignore_suffixes.acl" # 场景3:域名+后缀
echo " " > "/opt/squid/etc/ignore_query/ignore_dir_suffixes.acl" # 场景4:域名+目录+后缀
二、4 个配置文件的极简管理方法(无需脚本)
#新增仅域名规则
echo "newdomain.com" >> /etc/squid/ignore_query/ignore_domains.acl
#新增域名+目录规则
echo "^https?://newdomain.com/newdir/" >> /etc/squid/ignore_query/ignore_dirs.acl
#新增域名+后缀规则
echo "^https?://newdomain.com/.*\.mp4$" >> /etc/squid/ignore_query/ignore_suffixes.acl
#新增域名+目录+后缀规则
echo "^https?://newdomain.com/newdir/.*\.mp4$" >> /etc/squid/ignore_query/ignore_dir_suffixes.acl
ACL 文件格式说明(示例)
/etc/squid/site_a_domains.acl(对应 site_a 源站)
# 注释行:以#开头,不会生效
www.yourdomain.com
yourdomain.com
*.sub.yourdomain.com # 泛域名:匹配所有子域名
cdn.yourdomain.com # 单独指定CDN子域名