Squid reverse proxy cache acceleration + load balancing lab architecture (51CTO blog)


2019-04-04 09:19:08 | Author: 文景 | Tags: cache, directory, service | Views: 935

Lab environment:
The company has two web servers running the same website and reading from the same MySQL database.
The hostnames of the two web servers are:
test1.com 192.168.1.119
test2.com 192.168.1.120
Squid server IP: 192.168.1.123

DNS: 192.168.9.254

Lab idea: DNS resolves www.fb.com to the Squid server; Squid round-robins the web hosts so that one of them returns the response, and provides caching acceleration.

Note: in this lab the HTTPS part still has some problems and needs some configuration on the load-balancing device. Also, synchronising part of the site directory between the two web servers can be handled by mounting that directory from NFS.

I. Basic setup

A. Updates

1. Switch the update source (do this if the server is located in China)

sed -i "s#mirror.centos.org/centos#mirrors.centos.91.com#g" /etc/yum.repos.d/CentOS-Base.repo

sed -i "s/^mirrorlist/#mirrorlist/g" /etc/yum.repos.d/CentOS-Base.repo

sed -i "s/^#baseurl/baseurl/g" /etc/yum.repos.d/CentOS-Base.repo

2. Update

yum clean all

yum -y update


B. Tuning

1. Append the following to the end of /etc/sysctl.conf

kernel.core_uses_pid = 1

net.ipv4.ip_forward = 1

net.ipv4.conf.lo.arp_ignore = 1

net.ipv4.conf.lo.arp_announce = 2

net.ipv4.conf.all.arp_ignore = 1

net.ipv4.conf.all.arp_announce = 2

net.ipv4.tcp_tw_reuse = 1

net.ipv4.tcp_tw_recycle = 1

net.ipv4.tcp_fin_timeout = 30

net.ipv4.tcp_keepalive_time = 300

net.ipv4.tcp_window_scaling = 0

net.ipv4.tcp_sack = 0

net.ipv4.tcp_timestamps = 0

net.ipv4.tcp_syncookies = 1

net.ipv4.icmp_echo_ignore_broadcasts = 1

net.ipv4.icmp_ignore_bogus_error_responses = 1

net.ipv4.conf.all.log_martians = 1

net.ipv4.tcp_max_syn_backlog = 4096

net.ipv4.tcp_max_tw_buckets = 1440000

net.ipv4.ip_local_port_range = 1024 65536

net.core.rmem_max = 16777216

net.core.wmem_max = 16777216

net.ipv4.tcp_rmem = 4096 87380 16777216

net.ipv4.tcp_wmem = 4096 65536 16777216

net.ipv4.tcp_keepalive_intvl = 15

net.ipv4.tcp_retries2 = 5

fs.file-max = 655360

net.core.somaxconn = 4096

Run:

sysctl -p

so that the settings take effect.

2. Raise the allowed number of open file handles

echo "* soft nofile 65536" >>/etc/security/limits.conf

echo "* hard nofile 65536" >>/etc/security/limits.conf

3. Time synchronisation

yum -y install ntp

service ntpd restart

service ntpd stop

echo "#time update" >> /etc/crontab

echo "0 23 * * * root /usr/sbin/ntpdate time.windows.com" >> /etc/crontab

C. Disk partitioning and mounting

Check the disks

fdisk -l

Choose the RAID level and partition layout according to whether the physical machine has a hardware RAID controller and how many disks it has.

Since this machine serves as a cache, software RAID is not recommended.

II. Compiling, installing and configuring Squid

1. Installing Squid

Install gcc and the other tool packages

yum install gcc gcc+ gcc-c++ gcc-g77 autoconf automake ncurses-devel flex openssl-devel mod_ssl make

cd /home/soft

tar zxvf squid-3.1.16.tar.gz

cd squid-3.1.16

./configure --prefix=/usr/local/squid --enable-gnuregex --enable-dlmalloc --with-pthreads --enable-ssl --enable-stacktrace --enable-removal-policies=heap,lru --enable-delay-pools --enable-kill-parent-hack --enable-snmp --enable-icmp --enable-err-language=simplify_Chinese --enable-default-err-language=Simplify_Chinese --enable-cache-digests --disable-ident-lookups --with-filedescriptors=65536 --enable-underscore --enable-large-cache-files --with-large-files --enable-storeio=aufs,diskd,ufs --enable-linux-netfilter --enable-async-io=160 --enable-cachemgr

make

make install

cd /usr/local/squid

2. Generate a key and request a new certificate

openssl genrsa -out '*.squid.key' 1024

openssl req -new -key '*.squid.key' -out '*.squid.csr'

This is for obtaining a formal (CA-issued) certificate; if you only need an unverified certificate, generate it with the following command:

openssl req -utf8 -new -key '*.squid.key' -out '*.squid.csr'

Do not use a password for the certificate generated here; it seems Squid cannot use a password. The first time I used a password it started normally but reported the certificate as unauthenticated, which cost me a long time.
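The two properties this step depends on can be checked rather than discovered at startup: the key must not be passphrase-protected, and the certificate installed later must belong to the key. The script below is an added example, not part of the original post; the file names squid.key, squid.csr and squid.crt and the CN are assumptions, and it uses a 2048-bit key because 1024-bit RSA is no longer accepted by CAs or browsers.

```shell
#!/bin/sh
# Added example, not from the original post: passphrase-free key and CSR for
# Squid plus two checks. File names and the CN are assumptions.

# gen_squid_key DIR CN -> writes DIR/squid.key and DIR/squid.csr.
# No -des3: Squid's https_port cannot load an encrypted key.
gen_squid_key() {
    dir=$1; cn=$2
    openssl genrsa -out "$dir/squid.key" 2048 2>/dev/null
    openssl req -new -key "$dir/squid.key" -subj "/CN=$cn" -out "$dir/squid.csr"
}

# self_signed_cert DIR CN -> writes DIR/squid.crt for lab use while no
# CA-issued certificate is available (browsers will warn; that is expected).
self_signed_cert() {
    dir=$1; cn=$2
    openssl req -new -x509 -key "$dir/squid.key" -subj "/CN=$cn" -days 365 \
        -out "$dir/squid.crt"
}

# key_is_encrypted KEYFILE -> exit 0 if the PEM is passphrase-protected.
# Matches both the legacy "Proc-Type: 4,ENCRYPTED" header and the PKCS#8
# "BEGIN ENCRYPTED PRIVATE KEY" marker.
key_is_encrypted() {
    grep -q 'ENCRYPTED' "$1"
}

# cert_matches_key CERT KEY -> exit 0 if the certificate carries the public
# half of KEY (both sides are printed as PEM SubjectPublicKeyInfo and compared).
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey)
    k=$(openssl pkey -in "$2" -pubout)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# usage:
#   gen_squid_key /data/key www.fb.com
#   key_is_encrypted /data/key/squid.key && echo "key has a passphrase, Squid cannot load it"
#   cert_matches_key /data/key/squid.crt /data/key/squid.key || echo "certificate does not match key"
```

Run cert_matches_key against the certificate the provider returns for the CSR before pointing https_port at it; a mismatch there is the usual reason a freshly installed certificate still shows as untrusted or fails to load.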

3. Squid configuration

mkdir /data/cache1

mkdir /data/cache2

mkdir /data/cachelog

chown squid /data/cache*

Put the certificate supplied by the provider in /data/key/: three files, the intermediate root certificate, the certificate and the public key.

Edit squid.conf as follows:

#

# Recommended minimum configuration:

#

acl manager proto cache_object

acl localhost src 127.0.0.1/32 ::1

acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1

# Example rule allowing access from your local networks.

# Adapt to list your (internal) IP networks from where browsing

# should be allowed

# acl localnet src 10.0.0.0/8 # RFC1918 possible internal network

# acl localnet src 172.16.0.0/12 # RFC1918 possible internal network

acl localnet src 192.168.9.0/24 # RFC1918 possible internal network

# acl localnet src fc00::/7 # RFC 4193 local private network range

# acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443

acl Safe_ports port 80 # http

acl Safe_ports port 21 # ftp

acl Safe_ports port 443 # https

acl Safe_ports port 70 # gopher

acl Safe_ports port 210 # wais

acl Safe_ports port 1025-65535 # unregistered ports

acl Safe_ports port 280 # http-mgmt

acl Safe_ports port 488 # gss-http

acl Safe_ports port 591 # filemaker

acl Safe_ports port 777 # multiling http

 

acl CONNECT method CONNECT

#

# Recommended minimum Access Permission configuration:

#

# Only allow cachemgr access from localhost

http_access allow manager localhost

http_access deny manager

# Deny requests to certain unsafe ports

http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports

http_access deny CONNECT !SSL_ports

# We strongly recommend the following be uncommented to protect innocent

# web applications running on the proxy server who think the only

# one who can access services on "localhost" is a local user

# http_access deny to_localhost

#

# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS

#

# Example rule allowing access from your local networks.

# Adapt localnet in the ACL section to list your (internal) IP networks

# from where browsing should be allowed

http_access allow localnet

http_access allow localhost

# And finally deny all other access to this proxy

http_access deny all

# Squid normally listens to port 3128

# http_port 3128

# Uncomment and adjust the following to add a disk cache directory.

# cache_dir ufs /usr/local/squid/var/cache 100 16 256

# Leave coredumps in the first cache dir

coredump_dir /usr/local/squid/var/cache

# Add any of your own refresh_pattern entries above these.

refresh_pattern ^ftp: 1440 20% 10080

refresh_pattern ^gopher: 1440 0% 1440

refresh_pattern -i (/cgi-bin/|\?) 0 0% 0

refresh_pattern . 0 20% 4320

# host and cache port setting

# hostname (a 3.0 configuration item); Squid will not start without it

visible_hostname squid

cache_mgr jason.kou@factorybuy.com

# user Squid runs as; normally it must not run as root

cache_effective_user squid

cache_effective_group squid

cachemgr_passwd password all

client_persistent_connections off

server_persistent_connections on

half_closed_clients off

# Set Squid to accel (accelerator) mode; vhost is required, otherwise the Host header is not forwarded to the backend servers

# and requests fail with a host-header-not-found error

http_port 80 accel vhost vport

# Adding port 443 may prevent IE from accessing https pages normally; untested

http_port 443 accel vhost vport

# https_port 443 cert=/data/squid.csr key=/data/squid.key defaultsite=www.fb.com

# https_port 443 cert=/usr/local/squid/data/cert.pem /usr/local/squid/data/key.pem

# cache directory setting

# 8192 MB cache directory with 16 first-level directories and 256 second-level directories under each of them

cache_dir ufs /usr/local/squid/data/cache 8192 16 256

max_open_disk_fds 0

# cache storage setting

# Objects larger than this are not kept on disk; the default is 4 MB. If this Squid server caches large files such as Flash,

# raise this value, otherwise oversized files must be fetched again after the next restart

maximum_object_size_in_memory 4 MB

minimum_object_size 0 KB

maximum_object_size 4 MB

# Cache size control: when the cache directory is 95% full, 20% of its content is evicted

cache_swap_high 95

cache_swap_low 80

# Replacement policy (LRU, least recently used; the unit is the object; when the cache,

# i.e. memory or disk, reaches its limit, data has to be swapped in and out)

memory_replacement_policy lru

cache_replacement_policy lru

# cache time out setting

forward_timeout 20 seconds

connect_timeout 15 seconds

read_timeout 3 minutes

request_timeout 1 minutes

persistent_request_timeout 15 seconds

client_lifetime 15 minutes

shutdown_lifetime 5 seconds

negative_ttl 10 seconds

# cache log setting

emulate_httpd_log on

logformat squid %ts.%tu %tr %>a %Ss/%>Hs %<st %rm %ru %un %Sh/%<A %mt

access_log /usr/local/squid/data/logs/access_log.log common

cache_log /usr/local/squid/data/logs/cache.log

cache_store_log /usr/local/squid/data/logs/store.log

cache_swap_log /usr/local/squid/data/logs/cache_swap.log

mime_table /usr/local/squid/etc/mime.conf

# error page directory

error_directory /usr/local/squid/share/errors/en-us/

pid_filename /usr/local/squid/data/squid.pid

# do not write store.log

# cache_store_log none

# vhost setting

# Define the parent peers; no-query and originserver mark them as the real origin servers

cache_peer test1.com parent 80 0 no-query no-digest originserver name=test1 round-robin

cache_peer test2.com parent 80 0 no-query no-digest originserver name=test2 round-robin

# Forward different domains to different cache_peers; without this, requests for different domains may all be sent to the same server.

cache_peer_domain test1 www.fb.com

cache_peer_domain test2 www.fb.com

# Allow all client requests (URL blocking can be configured here too, in the same format as the two cache lines below)
# Note: http_access rules are matched top to bottom and the first match wins, so because
# "http_access deny all" appears earlier in this file this rule never matches, and only
# localnet/localhost clients can use the accelerator. To serve outside clients, put an allow
# rule before the "deny all", preferably limited to the accelerated site, e.g.
#   acl our_sites dstdomain www.fb.com
#   http_access allow our_sites

http_access allow all

# URL types not to cache (space separated)

acl QUERY urlpath_regex .php .jsp .asp .pl .cgi

cache deny QUERY


hosts_file /etc/hosts
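Three things in a reverse-proxy squid.conf like the one above pass "squid -k parse" but still bite in production: an http_access rule placed after an unconditional "deny all" (dead, first match wins), a cache_peer_domain that names a peer no cache_peer defines, and http_port 443 with no https_port (plaintext HTTP answered on the HTTPS port). The pre-flight check below is an added example, not part of the original post or of Squid; the warning texts and the function name are my own.

```shell
#!/bin/sh
# Added example, not from the original post: pre-flight lint for squid.conf.
#   lint_squid_conf /usr/local/squid/etc/squid.conf
# Prints one "WARN line N: ..." per finding and returns 1 if any were found.
lint_squid_conf() {
    awk '
    function warn(line, msg) { printf "WARN line %d: %s\n", line, msg; found++ }

    # drop comments and blank lines (squid.conf comments start with #)
    { sub(/#.*/, ""); if ($0 ~ /^[ \t]*$/) next }

    # 1. http_access is evaluated top to bottom, first match wins, so any
    #    rule after an unconditional "deny all" / "allow all" is dead.
    $1 == "http_access" {
        if (terminal != "")
            warn(NR, "http_access rule after \"http_access " terminal "\" on line " tline " never matches")
        else if (NF == 3 && ($2 == "deny" || $2 == "allow") && $3 == "all") {
            terminal = $2 " all"; tline = NR
        }
        next
    }

    # 2. cache_peer_domain must name a peer declared with cache_peer ... name=
    $1 == "cache_peer" {
        for (i = 2; i <= NF; i++) if ($i ~ /^name=/) peer[substr($i, 6)] = NR
        next
    }
    $1 == "cache_peer_domain" {
        if (!($2 in peer)) warn(NR, "cache_peer_domain refers to undefined peer \"" $2 "\"")
        next
    }

    # 3. "http_port 443 accel" answers plaintext HTTP on the HTTPS port; TLS
    #    needs https_port with cert= and key=.
    $1 == "http_port" && $2 ~ /(^|:)443$/ { plain443 = NR; next }
    $1 == "https_port" { tls = 1; next }

    END {
        if (plain443 && !tls)
            warn(plain443, "http_port 443 without any https_port: port 443 speaks plaintext HTTP")
        exit (found ? 1 : 0)
    }
    ' "$1"
}
```

Run it before "squid -k parse" and "squid -k reconfigure"; the parser checks syntax, this checks the ordering and cross-references the parser does not.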

4. Start

/usr/local/squid/sbin/squid -z    # create the cache directories

/usr/local/squid/sbin/squid -s

netstat -na |grep 443

netstat -na |grep 80

Check whether the ports are being listened on.

If that's OK, the Squid setup is finished. I won't explain the Squid configuration options here, since I'm not very familiar with them myself!

III. Dual-host high availability

Some commands for debugging Squid:

1. Initialise the cache directories you configured in squid.conf

#squid/sbin/squid -z

If you get an error, check the permissions on your cache directories.

2. Check squid.conf for errors, i.e. validate its syntax and configuration.

#squid/sbin/squid -k parse

If squid.conf has a syntax or configuration error, it will be reported here; if nothing is returned, congratulations, you can try starting Squid.

3. Start Squid in the foreground and print the startup process.

#/usr/local/squid/sbin/squid -N -d1

If you see "Ready to serve requests", congratulations, it started successfully.

Then press Ctrl+C to stop Squid, and start it in background mode.

4. Start Squid in the background.

#squid/sbin/squid -s

Now you can run ps -A to view the system processes and see two squid processes.

5. Stop Squid

#squid/sbin/squid -k shutdown

This one needs no explanation.

6. Reload a modified squid.conf

#squid/sbin/squid -k reconfigure

When you find the configuration is not to your liking, you can edit squid.conf at any time; then don't forget to check squid.conf for errors,

and run this command so that Squid runs according to the new squid.conf.

7. Add Squid to the system startup

Edit /etc/rc.d/rc.local

and add the line: /usr/local/squid/sbin/squid -s

A few more things.

1. Fix the permissions on the cache directory.

#chown -R squid:squid /home/cache

My cache directory is /home/cache, and Squid's user and group are squid and squid.

2. Fix the permissions on the Squid log directory

#chown -R squid:squid /usr/local/squid/data/logs

This step is not right for every Squid user; it gives Squid permission to write in that directory,

e.g. to create access.log, cache.log and store.log

3. Check your log files.

#more /usr/local/squid/var/logs/access.log | grep TCP_MEM_HIT

This command shows which files Squid served from its memory cache and returned to clients while running.

#more /usr/local/squid/var/logs/access.log | grep TCP_HIT

This command shows which files Squid served from the disk cache directory and returned to clients while running.

#more /usr/local/squid/var/logs/access.log | grep TCP_MISS

This command shows which files Squid did not have cached and instead fetched from the origin server and returned to the client.

Shut down unnecessary services

echo 'alias vi="vim"' >> /etc/profile

echo 'alias grep="grep --color"' >> /etc/profile

echo -e "* soft nofile 65536\n* hard nofile 65536" > /etc/security/limits.conf
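Grepping one result code at a time answers "did this file come from cache", but the numbers a practitioner actually watches are the overall hit ratio and which clients generate the misses. The functions below are an added example, not part of the original post; they work on the native "squid" log format and on the Apache-style "common" format selected in the squid.conf above, because they only look for the TCP_* token wherever it occurs on the line. The sample log lines are constructed, not real traffic.

```shell
#!/bin/sh
# Added example, not from the original post: one-pass summary of access.log.
#   squid_result_counts  /usr/local/squid/var/logs/access.log
#   squid_hit_ratio      /usr/local/squid/var/logs/access.log
#   squid_miss_by_client /usr/local/squid/var/logs/access.log 5

# count of each result code, e.g. "TCP_HIT 4", sorted by code
squid_result_counts() {
    awk 'match($0, /TCP_[A-Z_]+/) { n[substr($0, RSTART, RLENGTH)]++ }
         END { for (c in n) print c, n[c] }' "$1" | sort
}

# integer percentage of requests answered from cache: every result code that
# contains HIT (TCP_HIT, TCP_MEM_HIT, TCP_IMS_HIT, TCP_REFRESH_HIT, ...)
squid_hit_ratio() {
    awk 'match($0, /TCP_[A-Z_]+/) {
             total++
             if (substr($0, RSTART, RLENGTH) ~ /HIT/) hits++
         }
         END { printf "%d\n", (total ? hits * 100 / total : 0) }' "$1"
}

# clients generating the most TCP_MISS requests (top N, default 5). One
# address dominating this list is a crawler or a cache-busting client that
# pushes every request through to the origin servers.
squid_miss_by_client() {
    awk '/TCP_MISS/ {
             # native format: client is field 3; common format: field 1
             client = ($4 ~ /^TCP_/) ? $3 : $1
             m[client]++
         }
         END { for (c in m) print m[c], c }' "$1" | sort -rn | head -n "${2:-5}"
}

# Constructed sample log in native squid format (timestamp elapsed client
# result/status bytes method URL ident hierarchy/peer type); not real data.
write_sample_log() {
    cat > "$1" <<'EOF'
1554340748.101    12 192.168.9.15 TCP_HIT/200 5123 GET http://www.fb.com/css/site.css - NONE/- text/css
1554340748.205     9 192.168.9.15 TCP_HIT/200 8811 GET http://www.fb.com/js/app.js - NONE/- application/javascript
1554340748.310     1 192.168.9.15 TCP_MEM_HIT/200 2210 GET http://www.fb.com/img/logo.png - NONE/- image/png
1554340749.002   143 192.168.9.30 TCP_MISS/200 14021 GET http://www.fb.com/index.php?q=1 - ROUNDROBIN_PARENT/test1 text/html
1554340749.188   131 192.168.9.30 TCP_MISS/200 14019 GET http://www.fb.com/index.php?q=2 - ROUNDROBIN_PARENT/test2 text/html
1554340750.011    10 192.168.9.22 TCP_HIT/200 5123 GET http://www.fb.com/css/site.css - NONE/- text/css
1554340750.120     1 192.168.9.22 TCP_MEM_HIT/200 2210 GET http://www.fb.com/img/logo.png - NONE/- image/png
1554340750.400   120 192.168.9.22 TCP_MISS/200 13990 GET http://www.fb.com/index.php - ROUNDROBIN_PARENT/test1 text/html
1554340751.050    11 192.168.9.30 TCP_HIT/200 8811 GET http://www.fb.com/js/app.js - NONE/- application/javascript
1554340751.300     0 192.168.9.40 TCP_DENIED/403 1510 GET http://other.example.com/ - HIER_NONE/- text/html
EOF
}
```

On the sample the hit ratio is 60 (four TCP_HIT plus two TCP_MEM_HIT out of ten requests) and 192.168.9.30 tops the miss list; with "cache deny QUERY" in force, every .php request in the real log will land in TCP_MISS, so a low ratio on a PHP-heavy site is expected rather than a fault.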

chkconfig --level 0123456 NetworkManager off

chkconfig --level 0123456 NetworkManagerDispatcher off

chkconfig --level 0123456 anacron off

chkconfig --level 0123456 atd off

chkconfig --level 0123456 auditd off

chkconfig --level 0123456 autofs off

chkconfig --level 0123456 avahi-daemon off

chkconfig --level 0123456 avahi-dnsconfd off

chkconfig --level 0123456 bluetooth off

chkconfig --level 0123456 capi off

chkconfig --level 0123456 centcore off

chkconfig --level 0123456 centstorage off

chkconfig --level 0123456 conman off

chkconfig --level 0123456 cups off

chkconfig --level 0123456 dc_client off

chkconfig --level 0123456 dc_server off

chkconfig --level 0123456 dhcdbd off

chkconfig --level 0123456 dovecot off

chkconfig --level 0123456 dund off

chkconfig --level 0123456 firstboot off

chkconfig --level 0123456 gpm off

chkconfig --level 0123456 hidd off

chkconfig --level 0123456 hplip off

chkconfig --level 0123456 httpd off

chkconfig --level 0123456 innd off

chkconfig --level 0123456 ip6tables off

chkconfig --level 0123456 ipmi off

chkconfig --level 0123456 irda off

chkconfig --level 0123456 irqbalance off

chkconfig --level 0123456 isdn off

chkconfig --level 0123456 kdump off

chkconfig --level 0123456 kudzu off

chkconfig --level 0123456 ldap off

chkconfig --level 0123456 lisa off

chkconfig --level 0123456 mdmonitor off

chkconfig --level 0123456 mdmpd off

chkconfig --level 0123456 microcode_ctl off

chkconfig --level 0123456 multipathd off

chkconfig --level 0123456 nagios off

chkconfig --level 0123456 named off

chkconfig --level 0123456 netconsole off

chkconfig --level 0123456 netfs off

chkconfig --level 0123456 netplugd off

chkconfig --level 0123456 nfs off

chkconfig --level 0123456 nfslock off

chkconfig --level 0123456 nscd off

chkconfig --level 0123456 ntpd off

chkconfig --level 0123456 oddjobd off

chkconfig --level 0123456 pand off

chkconfig --level 0123456 pcscd off

chkconfig --level 0123456 portmap off

chkconfig --level 0123456 postgresql off

chkconfig --level 0123456 psacct off

chkconfig --level 0123456 rdisc off

chkconfig --level 0123456 readahead_later off

chkconfig --level 0123456 restorecond off

chkconfig --level 0123456 rpcgssd off

chkconfig --level 0123456 rpcidmapd off

chkconfig --level 0123456 rpcsvcgssd off

chkconfig --level 0123456 rwhod off

chkconfig --level 0123456 saslauthd off

chkconfig --level 0123456 setroubleshoot off

chkconfig --level 0123456 smb off

chkconfig --level 0123456 snmpd off

chkconfig --level 0123456 snmptrapd off

chkconfig --level 0123456 spamassassin off

chkconfig --level 0123456 sysstat off

chkconfig --level 0123456 tux off

chkconfig --level 0123456 vncserver off

chkconfig --level 0123456 vsftpd off

chkconfig --level 0123456 wdaemon off

chkconfig --level 0123456 winbind off

chkconfig --level 0123456 wpa_supplicant off

chkconfig --level 0123456 xfs off

chkconfig --level 0123456 xinetd off

chkconfig --level 0123456 ypbind off

chkconfig --level 0123456 yum-updatesd off

chkconfig --level 0123456 acpid off

chkconfig --level 0123456 iptables off

service NetworkManager stop

service NetworkManagerDispatcher stop

service anacron stop

service atd stop

service auditd stop

service autofs stop

service avahi-daemon stop

service avahi-dnsconfd stop

service bluetooth stop

service capi stop

service centcore stop

service centstorage stop

service conman stop

service cups stop

service dc_client stop

service dc_server stop

service dhcdbd stop

service dovecot stop

service dund stop

service firstboot stop

service gpm stop

service hidd stop

service hplip stop

service httpd stop

service innd stop

service ip6tables stop

service ipmi stop

service irda stop

service irqbalance stop

service isdn stop

service kdump stop

service kudzu stop

service ldap stop

service lisa stop

service mdmonitor stop

service mdmpd stop

service microcode_ctl stop

service multipathd stop

service nagios stop

service named stop

service netconsole stop

service netfs stop

service netplugd stop

service nfs stop

service nfslock stop

service nscd stop

service ntpd stop

service oddjobd stop

service pand stop

service pcscd stop

service portmap stop

service postgresql stop

service psacct stop

service rdisc stop

service readahead_later stop

service restorecond stop

service rpcgssd stop

service rpcidmapd stop

service rpcsvcgssd stop

service rwhod stop

service saslauthd stop

service setroubleshoot stop

service smb stop

service snmpd stop

service snmptrapd stop

service spamassassin stop

service sysstat stop

service tux stop

service vncserver stop

service vsftpd stop

service wdaemon stop

service winbind stop

service wpa_supplicant stop

service xfs stop

service xinetd stop

service ypbind stop

service yum-updatesd stop

service acpid stop

service nfslock stop

chkconfig nfslock off

service portmap stop

chkconfig portmap off

service iptables stop

chkconfig iptables off

service sendmail stop

chkconfig sendmail off

service cups stop

chkconfig cups off

chkconfig --list | grep :on
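"chkconfig --list | grep :on" reports any service that is on at any runlevel; what matters on a server is what starts at the runlevel it boots into, and that the list above also switches off iptables, ip6tables and auditd, which a public-facing proxy normally keeps. The functions below are an added example, not part of the original post; they read the output of "chkconfig --list" from standard input, and the required-service list and the sample output are assumptions I constructed.

```shell
#!/bin/sh
# Added example, not from the original post: audit "chkconfig --list" per runlevel.
#   chkconfig --list | services_on_at_runlevel 3
#   chkconfig --list | check_required_services 3 "sshd iptables auditd"

# print the SysV services enabled at runlevel $1 (stdin: chkconfig --list)
services_on_at_runlevel() {
    awk -v lvl="$1" '
        # SysV lines look like: name 0:off 1:off 2:on 3:on 4:on 5:on 6:off
        # xinetd lines ("chargen-dgram: off") have no runlevel columns
        NF >= 8 && $2 ~ /^0:/ {
            for (i = 2; i <= NF; i++) if ($i == lvl ":on") { print $1; break }
        }'
}

# warn about each service in $2 (space separated) that is not on at runlevel $1;
# returns 1 if any is missing so it can gate a deployment script
check_required_services() {
    on=$(services_on_at_runlevel "$1")
    rc=0
    for s in $2; do
        if ! printf '%s\n' "$on" | grep -qx "$s"; then
            echo "WARN: $s is not enabled at runlevel $1"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample of "chkconfig --list" after the commands above; not real output.
write_sample_chkconfig() {
    cat > "$1" <<'EOF'
NetworkManager  0:off 1:off 2:off 3:off 4:off 5:off 6:off
auditd          0:off 1:off 2:off 3:off 4:off 5:off 6:off
iptables        0:off 1:off 2:off 3:off 4:off 5:off 6:off
ntpd            0:off 1:off 2:off 3:off 4:off 5:off 6:off
rsyslog         0:off 1:off 2:on  3:on  4:on  5:on  6:off
sshd            0:off 1:off 2:on  3:on  4:on  5:on  6:off
squid           0:off 1:off 2:off 3:on  4:on  5:on  6:off

xinetd based services:
        chargen-dgram:  off
        chargen-stream: off
EOF
}
```

On the sample, runlevel 3 starts rsyslog, sshd and squid, and the required-service check reports iptables and auditd as missing; note that Squid itself is started from rc.local in the post rather than through chkconfig, so it will not appear in real output unless an init script is installed.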

 
