apt-getinstallsquid
- vim /etc/squid/squid.conf
1. 將 http_access allow localhost 改成 http_access allow all
2. 將 http_access deny all 註解
- /etc/init.d/squid restart
如何驗證?
到Client端指定Proxy Server,
然後到Proxy Server端,打開Wireshark filter http,
你可以看到Client瀏覽任何網頁,一定會經過Proxy Server。
後來想要支援 HTTPS,可是最後把 Ubuntu環境搞壞了,不過Squid有支援Windows版
這邊記錄一下安裝設定。
主要參考重點就是這篇
https://docs.diladele.com/faq/squid/sslbump_squid_windows.html
1. 安裝Windows版的Squid
2. CA部分我這邊還是用Linux指令去產生,也可以用找Windows指令來產生
3. 大部分還是照步驟去設定
4. 說明Config
這塊是我遇到Squid無法接受unknown CA,我故意加這段bypass
# ignore errors with certain cites (very dangerous!)
acl TrustedName url_regex ^https://192.168.100.200/
sslproxy_cert_error allow TrustedName
sslproxy_cert_error deny all
(參考: https://wiki.squid-cache.org/Features/SslBump )
完成squid.conf如下:
#
# Recommended minimum configuration:
#
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
acl ssl_exclude_domains ssl::server_name "d:/squid/etc/squid/ssl_exclude_domains.conf"
acl ssl_exclude_ips dst "d:/squid/etc/squid/ssl_exclude_ips.conf"
ssl_bump splice localhost
ssl_bump peek step1 all
ssl_bump splice ssl_exclude_domains
ssl_bump splice ssl_exclude_ips
ssl_bump stare step2 all
ssl_bump bump all
# ignore errors with certain cites (very dangerous!)
acl TrustedName url_regex ^https://192.168.100.200/
sslproxy_cert_error allow TrustedName
sslproxy_cert_error deny all
#
# Recommended minimum Access Permission configuration:
#
# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager
# Deny requests to certain unsafe ports
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost
# And finally deny all other access to this proxy
http_access allow all
# Squid normally listens to port 3128
#http_port 3128
http_port 3128 generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=d:/squid/etc/squid/nginx.crt key=d:/squid/etc/squid/nginx.key
# Uncomment the line below to enable disk caching - path format is /cygdrive/<full path to cache folder>, i.e.
#cache_dir aufs /cygdrived:/squid/cache 3000 16 256
# Leave coredumps in the first cache dir
coredump_dir /var/cache/squid
# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
dns_nameservers 8.8.8.8 208.67.222.222
max_filedescriptors 3200
# certificate generation program
sslcrtd_program d:/squid/lib/squid/ssl_crtd -s d:/squid/var/cache/squid_ssldb -M 4MB
沒有留言:
張貼留言