代理服务器（一机多IP）配置

Posted 2020-09-08

环境：CentOS6.5 64位 8核8G内存 

主IP：183.211.57.240 （255.255.255.0 gw:183.211.57.1）

绑定IP：183.211.57.（151-161，163-181）

配置过程：

一、先配绑定IP

[[email protected] network-scripts]# ll

total 224

-rw-r--r--. 1 root root   276 Apr  6 08:09 ifcfg-eth0

-rw-r--r--. 1 root root   133 Apr  6 09:00 ifcfg-eth0-range0

-rw-r--r--. 1 root root   134 Apr  6 09:09 ifcfg-eth0-range1

#vim ifcfg-eth0

DEVICE=eth0

TYPE=Ethernet

UUID=3cb23812-d5e2-4ee6-be48-94358d54588d

ONBOOT=yes

NM_CONTROLLED=yes

BOOTPROTO=none

HWADDR=00:15:17:74:D8:E6

IPADDR=183.211.57.240

PREFIX=24

GATEWAY=183.211.57.1

DNS1=202.96.134.133

DEFROUTE=yes

IPV4_FAILURE_FATAL=yes

IPV6INIT=no

NAME="System eth0"

#vim ifcfg-eth0-range0

DEVICE=eth0

BOOTPROTO=static

IPADDR_START=183.211.57.151

IPADDR_END=183.211.57.161

CLONENUM_START=3    #表示eth0:3 开始，这个无所谓，但不要跟后面的重复就行，把IP数数出来。

NETMASK=255.255.255.0

ONBOOT=yes

#vim ifcfg-eth0-range1             

DEVICE=eth0

BOOTPROTO=static

IPADDR_START=183.211.57.163

IPADDR_END=183.211.57.181

CLONENUM_START=20  #我这里就是空出了10多个IP，跟上面的别重叠

NETMASK=255.255.255.0

ONBOOT=yes

然后 #service network restart 就可以了。

二、安装并配置squid

在服务器上执行：#yum -y install squid 

重点在配置文件：(下面我只是用4个IP举例，按实际全都列进去就行了)

#vim /etc/squid.conf

#

# Recommended minimum configuration:

#

acl manager proto cache_object

acl localhost src 183.61.251.150/32

#acl localhost src 216.18.158.203/32 ::1

#acl to_localhost dst 183.211.57.2/22 0.0.0.0/32 ::1

# Example rule allowing access from your local networks.

# Adapt to list your (internal) IP networks from where browsing

# should be allowed

acl localnet src 10.0.0.0/8     # RFC1918 possible internal network

acl localnet src 157.16.0.0/12  # RFC1918 possible internal network

acl localnet src 192.168.0.0/16 # RFC1918 possible internal network

acl localnet src fc00::/7       # RFC 4193 local private network range

acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443

acl Safe_ports port 80          # http

acl Safe_ports port 21          # ftp

acl Safe_ports port 443         # https

acl Safe_ports port 70          # gopher

acl Safe_ports port 210         # wais

acl Safe_ports port 1025-65535  # unregistered ports

acl Safe_ports port 280         # http-mgmt

acl Safe_ports port 488         # gss-http

acl Safe_ports port 591         # filemaker

acl Safe_ports port 777         # multiling http

acl CONNECT method CONNECT

#

# Recommended minimum Access Permission configuration:

#

# Only allow cachemgr access from localhost

http_access allow manager localhost

http_access deny manager

acl ip_allow src 183.211.57.0/24

acl     cloud_1         myip    183.211.57.151

acl     cloud_2         myip    183.211.57.152

acl     cloud_3         myip    183.211.57.153

acl     cloud_4         myip    183.211.57.154

.

.

.

http_access allow ip_allow

http_access allow all

http_access     allow   cloud_1

http_access     allow   cloud_2

http_access     allow   cloud_3

http_access     allow   cloud_4

.

.

.

tcp_outgoing_address    183.211.57.151  cloud_1

tcp_outgoing_address    183.211.57.152  cloud_2

tcp_outgoing_address    183.211.57.153  cloud_3

tcp_outgoing_address    183.211.57.154  cloud_4

.

.

.

icp_access allow all

forwarded_for off

request_header_access X-Forwarded-For deny all

request_header_access Via deny all

request_header_access All allow all

# Deny requests to certain unsafe ports

http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports

http_access deny CONNECT !SSL_ports

# We strongly recommend the following be uncommented to protect innocent

# web applications running on the proxy server who think the only

# one who can access services on "localhost" is a local user

#http_access deny to_localhost

#

# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS

#

# Example rule allowing access from your local networks.

# Adapt localnet in the ACL section to list your (internal) IP networks

# from where browsing should be allowed

http_access allow localnet

http_access allow localhost

# And finally deny all other access to this proxy

http_access deny all

# Squid normally listens to port 3128

http_port 25283

# We recommend you to use at least the following line.

hierarchy_stoplist cgi-bin ?

# Uncomment and adjust the following to add a disk cache directory.

#cache_dir ufs /var/spool/squid 100 16 256

# Leave coredumps in the first cache dir

coredump_dir /var/spool/squid

# Add any of your own refresh_pattern entries above these.

refresh_pattern ^ftp:           1440    20%     10080

refresh_pattern ^gopher:        1440    0%      1440

refresh_pattern -i (/cgi-bin/|\?) 0     0%      0

refresh_pattern .               0       20%     4320

acl OverConnLimit maxconn 8000

IPTABLES 防火墙配置：

[[email protected] network-scripts]# cat /etc/sysconfig/iptables

# Generated by iptables-save v1.4.7 on Thu Apr  6 09:46:04 2017

*filter

:INPUT ACCEPT [0:0]

:FORWARD ACCEPT [0:0]

:OUTPUT ACCEPT [75:8727]

-A INPUT -p tcp -m tcp --dport 2222 -j ACCEPT 

# -A INPUT -p tcp -m tcp --dport 25283 -j ACCEPT 

-A INPUT -s 122.129.32.0/24 -p tcp -m tcp --dport 25283 -j ACCEPT

-A INPUT -s 183.60.150.0/24 -p tcp -m tcp --dport 25283 -j ACCEPT

-A INPUT -s 211.17.158.203/32 -p tcp -m tcp --dport 25283 -j ACCEPT

-A INPUT -p tcp -m tcp --dport 5666 -j ACCEPT

-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 

-A INPUT -p icmp -j ACCEPT 

-A INPUT -i lo -j ACCEPT 

-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT 

-A INPUT -j REJECT --reject-with icmp-host-prohibited 

-A FORWARD -j REJECT --reject-with icmp-host-prohibited 

COMMIT

# Completed on Thu Apr  6 09:46:04 2017