发布于 2年前

Ubuntu搭建Squid代理服务器以及配置SSL

ubuntu的apt-get编译好的squid是没有包含ssl,需要手动编译。

编译安装

安装ssl相关的包

apt-get install openssl libssl-dev ssl-cert

下载squid源码

apt-get source squid
apt-get build-dep squid
apt-get install devscripts build-essential fakeroot

修改编译配置

cd squid3-3.5.12
vi debian/rules

在 DEB_CONFIGURE_EXTRA_FLAGS 下添加两项

  --with-openssl \
  --enable-ssl-crtd \

这两项是启动ssl

编译

./configure
debuild -us -uc -b

安装

编译成功后,会在源代码的父目录,生成一系列.deb包。安装amd64的squid:

cd ..
apt-get install squid-langpack
dpkg -i squid-common_3.5.12-1ubuntu7.3_all.deb
dpkg -i squid_3.5.12-1ubuntu7.3_amd64.deb

配置

配置文件为:/etc/squid/squid.conf。

SSL相关配置:

acl SSL_ports port 443
https_port 10251 cert=/cert/server.crt key=/cert/server.key

分别配置了ssl的端口,服务器证书和密钥。

完整配置可以修改如下:

acl SSL_ports port 443
acl Safe_ports port 1-65535     # unregistered ports
acl CONNECT method CONNECT
acl HEAD method HEAD
http_access deny !Safe_ports
#http_access deny CONNECT !SSL_ports
#http_access allow localhost manager
http_access deny manager
#http_access allow localhost
http_access allow all
http_port 10250
https_port 10251 cert=/cert/server.crt key=/cert/server.key
coredump_dir /var/spool/squid3
# based on http://code.google.com/p/ghebhes/downloads/detail?name=tunning.conf&can=2&q=
#All File
refresh_pattern -i \.(3gp|7z|ace|asx|avi|bin|cab|dat|deb|rpm|divx|dvr-ms)      1440 100% 129600 reload-into-ims
refresh_pattern -i \.(rar|jar|gz|tgz|tar|bz2|iso|m1v|m2(v|p)|mo(d|v)|(x-|)flv) 1440 100% 129600 reload-into-ims
refresh_pattern -i \.(jp(e?g|e|2)|gif|pn[pg]|bm?|tiff?|ico|swf|css|js)         1440 100% 129600 reload-into-ims
refresh_pattern -i \.(mp(e?g|a|e|1|2|3|4)|mk(a|v)|ms(i|u|p))                   1440 100% 129600 reload-into-ims
refresh_pattern -i \.(og(x|v|a|g)|rar|rm|r(a|p)m|snd|vob|wav)                  1440 100% 129600 reload-into-ims
refresh_pattern -i \.(pp(s|t)|wax|wm(a|v)|wmx|wpl|zip|cb(r|z|t))               1440 100% 129600 reload-into-ims
refresh_pattern -i \.(doc|pdf)$           1440   50% 43200 reload-into-ims
refresh_pattern -i \.(html|htm)$          1440   50% 40320 reload-into-ims
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern (Release|Packages(.gz)*)$      0       20%     2880
refresh_pattern .               0       20%     4320
# http options
via off
# memory cache options
cache_mem 512 MB
maximum_object_size_in_memory 256 KB
# disk cache
#cache_dir diskd /var/spool/squid3 10240 16 256
#maximum_object_size 20480 KB
# timeouts
# forward_timeout 10 seconds
# connect_timeout 10 seconds
# read_timeout 10 seconds
# write_timeout 10 seconds
# client_lifetime 59 minutes
# request_timeout 30 seconds
half_closed_clients off
#
forwarded_for delete
dns_v4_first on
ipcache_size 4096
dns_nameservers 223.5.5.5, 114.114.114.114
# error page
cache_mgr admin@example.com
visible_hostname example.com
email_err_data off
err_page_stylesheet none

启动测试

使用sytemctl启动squid服务

systemctl restart squid.service

使用curl,这里需要使用客户端证书

curl --proxy-cacert /cert/ca.crt -x https://example.com:10251 http://baidu.com

注意:在chrome需要把ca.crt导入到chrome的受信任根证书目录,否则会报ERR_PROXY_CERTIFICATE_INVALID错误。

©2020 edoou.com   京ICP备16001874号-3