Building a Squid proxy server on Ubuntu and configuring SSL
The squid package that Ubuntu ships through apt-get is built without OpenSSL support, so the https_port directive is unavailable; to get it you have to rebuild the package yourself with the configure flags shown below.
Build and install
Install the SSL-related packages
apt-get install openssl libssl-dev ssl-cert
Download the squid source (apt-get source needs deb-src entries in /etc/apt/sources.list; build-dep installs everything the package build needs):
apt-get source squid
apt-get build-dep squid
apt-get install devscripts build-essential fakeroot
Modify the build configuration
cd squid3-3.5.12
vi debian/rules
Under DEB_CONFIGURE_EXTRA_FLAGS add two entries, each ending in a backslash like the existing continuation lines:
--with-openssl \
--enable-ssl-crtd \
These two flags build squid against OpenSSL (--with-openssl, which is what https_port needs) and build the ssl_crtd helper (--enable-ssl-crtd, which is only used by SSL bump to generate certificates on the fly; it is harmless to include here).
Build
debuild -us -uc -b
debuild invokes configure itself through debian/rules, so the flags added above are applied; running ./configure by hand beforehand is unnecessary. -us and -uc skip signing the source and .changes files, and -b builds only the binary packages.
Install
After a successful build a set of .deb packages appears in the parent directory of the source tree. Install the amd64 squid packages (squid-langpack comes from the archive; the other two are the ones just built). dpkg -i does not resolve dependencies, so run apt-get install -f if it complains, and afterwards confirm with squid -v that --with-openssl appears among the configure options. Hold the packages (apt-mark hold squid squid-common) so a later apt-get upgrade cannot silently replace them with the archive's non-SSL build:
cd ..
apt-get install squid-langpack
dpkg -i squid-common_3.5.12-1ubuntu7.3_all.deb
dpkg -i squid_3.5.12-1ubuntu7.3_amd64.deb
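The whole rebuild as a script, added here as an example rather than taken from the original post: it patches debian/rules idempotently instead of editing it by hand, and checks afterwards that the installed binary was really built with OpenSSL. The source directory name squid3-3.5.12 and the .deb file-name globs are assumptions taken from the commands above and will differ on other Ubuntu releases; the sample debian/rules used in the self-test is constructed.

```shell
#!/bin/bash
# Added example: rebuild Ubuntu's squid package with OpenSSL support.
# Assumes the source unpacks into squid3-3.5.12 as in the post; adjust for other versions.
set -eu

# Insert --with-openssl and --enable-ssl-crtd directly after the line that opens
# DEB_CONFIGURE_EXTRA_FLAGS, preserving the backslash continuation chain.
# Safe to run twice: it does nothing when the flags are already present.
add_ssl_flags() {
    local rules="$1"
    if grep -q -- '--with-openssl' "$rules"; then
        return 0
    fi
    awk '
        /^DEB_CONFIGURE_EXTRA_FLAGS/ && !done {
            cont = ($0 ~ /\\[ \t]*$/)          # did the original line continue?
            line = $0
            sub(/[ \t]*\\[ \t]*$/, "", line)   # strip its trailing backslash
            print line " \\"
            print "\t\t--with-openssl \\"
            print "\t\t--enable-ssl-crtd" (cont ? " \\" : "")
            done = 1
            next
        }
        { print }
    ' "$rules" > "$rules.tmp" && mv "$rules.tmp" "$rules"
}

# True when the squid on PATH reports OpenSSL among its configure options.
squid_has_openssl() {
    squid -v 2>/dev/null | grep -q -- '--with-openssl'
}

# The full procedure from the post, driven by the two helpers above.
build_and_install() {
    local srcdir="${1:-squid3-3.5.12}"
    apt-get install -y openssl libssl-dev ssl-cert devscripts build-essential fakeroot
    apt-get source squid            # needs deb-src entries in sources.list
    apt-get build-dep -y squid
    add_ssl_flags "$srcdir/debian/rules"
    (cd "$srcdir" && debuild -us -uc -b)
    apt-get install -y squid-langpack
    dpkg -i squid-common_*_all.deb squid_*_amd64.deb || apt-get install -f -y
    apt-mark hold squid squid-common   # keep apt from replacing the rebuilt packages
    squid_has_openssl || { echo "installed squid lacks OpenSSL support" >&2; return 1; }
}

# Run the build only when asked, so sourcing this file just defines the helpers.
if [ "${1:-}" = build ]; then
    build_and_install "${2:-squid3-3.5.12}"
fi
```

Run it as `./rebuild-squid.sh build` from the directory where apt-get source should unpack; the final squid_has_openssl check is the one to keep even if you do the rest by hand.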
Configuration
The configuration file is /etc/squid/squid.conf.
The SSL-related directives:
acl SSL_ports port 443
https_port 10251 cert=/cert/server.crt key=/cert/server.key
These two lines do different things. https_port makes squid accept TLS-wrapped proxy connections on port 10251 using the given server certificate and private key, so the hop between client and proxy is encrypted; this is not SSL bump, squid still passes CONNECT tunnels through without decrypting them. acl SSL_ports, on the other hand, only names the destination ports that CONNECT requests may reach; it is consumed by the http_access rules and has nothing to do with the listening port. The server certificate needs a subjectAltName matching the host name clients use for the proxy, and the key file should be mode 0600.
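The post uses /cert/ca.crt, /cert/server.crt and /cert/server.key without showing how they were made. The following is an added example, not from the original post, that creates a private CA and a CA-signed server certificate with the subjectAltName that browsers require; the output directory and host name are parameters, with the post's /cert and example.com as assumed defaults. Extensions are given explicitly through -extfile so the result does not depend on the distribution's openssl.cnf.

```shell
#!/bin/bash
# Added example: private CA plus server certificate for squid's https_port.
set -eu

# make_proxy_certs DIR HOSTNAME
# Writes ca.key, ca.crt, server.key and server.crt into DIR. The leaf carries a
# subjectAltName for HOSTNAME, which Chrome matches instead of the CN.
make_proxy_certs() {
    local dir="$1" host="$2"
    mkdir -p "$dir"

    # CA key and self-signed CA certificate: this is what clients import as trusted.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$dir/ca.key"
    openssl req -new -sha256 -key "$dir/ca.key" -subj "/CN=Squid proxy CA" -out "$dir/ca.csr"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' > "$dir/ca.ext"
    openssl x509 -req -sha256 -days 3650 -in "$dir/ca.csr" -signkey "$dir/ca.key" \
        -extfile "$dir/ca.ext" -out "$dir/ca.crt"

    # Server key and CSR for the proxy host name, signed by the CA above.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$dir/server.key"
    openssl req -new -sha256 -key "$dir/server.key" -subj "/CN=$host" -out "$dir/server.csr"
    # Leaf extensions: not a CA, server authentication only, SAN = host name.
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid,issuer\nsubjectAltName=DNS:%s\n' "$host" > "$dir/server.ext"
    openssl x509 -req -sha256 -days 825 -in "$dir/server.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/server.ext" -out "$dir/server.crt"

    # Private keys readable by root only; certificates are public.
    chmod 600 "$dir/ca.key" "$dir/server.key"
    chmod 644 "$dir/ca.crt" "$dir/server.crt"
    rm -f "$dir/ca.csr" "$dir/ca.ext" "$dir/server.csr" "$dir/server.ext"

    # Fail loudly if the chain does not verify; squid would otherwise serve a broken cert.
    openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" >/dev/null
}

# True when the certificate's SAN list contains HOSTNAME (what curl and Chrome check).
cert_has_san() {
    openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

if [ "${1:-}" = make ]; then
    make_proxy_certs "${2:-/cert}" "${3:-example.com}"
fi
```

Keep ca.key off the proxy host once server.crt has been issued: anyone holding it can mint certificates that every client trusting ca.crt will accept, which matters even more if the CA is later reused for SSL bump.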
A complete configuration can be modified as follows. Read it with care before deploying it: acl Safe_ports port 1-65535 together with http_access allow all, and the commented-out deny CONNECT !SSL_ports line, make this an open proxy that relays HTTP requests and CONNECT tunnels to any port for any client on the Internet. Squid's defaults (Safe_ports limited to the well-known set, CONNECT restricted to SSL_ports, allow only localnet, then deny all) are the safer starting point.
acl SSL_ports port 443
acl Safe_ports port 1-65535 # every port; squid's default list is 80 443 21 70 210 280 488 591 777 1025-65535
acl CONNECT method CONNECT
acl HEAD method HEAD
http_access deny !Safe_ports
#http_access deny CONNECT !SSL_ports
#http_access allow localhost manager
http_access deny manager
#http_access allow localhost
http_access allow all
http_port 10250
https_port 10251 cert=/cert/server.crt key=/cert/server.key
coredump_dir /var/spool/squid3
# based on http://code.google.com/p/ghebhes/downloads/detail?name=tunning.conf&can=2&q=
# All files
refresh_pattern -i \.(3gp|7z|ace|asx|avi|bin|cab|dat|deb|rpm|divx|dvr-ms) 1440 100% 129600 reload-into-ims
refresh_pattern -i \.(rar|jar|gz|tgz|tar|bz2|iso|m1v|m2(v|p)|mo(d|v)|(x-|)flv) 1440 100% 129600 reload-into-ims
refresh_pattern -i \.(jp(e?g|e|2)|gif|pn[pg]|bm?|tiff?|ico|swf|css|js) 1440 100% 129600 reload-into-ims
refresh_pattern -i \.(mp(e?g|a|e|1|2|3|4)|mk(a|v)|ms(i|u|p)) 1440 100% 129600 reload-into-ims
refresh_pattern -i \.(og(x|v|a|g)|rar|rm|r(a|p)m|snd|vob|wav) 1440 100% 129600 reload-into-ims
refresh_pattern -i \.(pp(s|t)|wax|wm(a|v)|wmx|wpl|zip|cb(r|z|t)) 1440 100% 129600 reload-into-ims
refresh_pattern -i \.(doc|pdf)$ 1440 50% 43200 reload-into-ims
refresh_pattern -i \.(html|htm)$ 1440 50% 40320 reload-into-ims
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880
refresh_pattern . 0 20% 4320
# http options
via off
# memory cache options
cache_mem 512 MB
maximum_object_size_in_memory 256 KB
# disk cache
#cache_dir diskd /var/spool/squid3 10240 16 256
#maximum_object_size 20480 KB
# timeouts
# forward_timeout 10 seconds
# connect_timeout 10 seconds
# read_timeout 10 seconds
# write_timeout 10 seconds
# client_lifetime 59 minutes
# request_timeout 30 seconds
half_closed_clients off
#
forwarded_for delete
dns_v4_first on
ipcache_size 4096
# dns_nameservers takes a whitespace-separated list; use spaces, not commas, between addresses
dns_nameservers 223.5.5.5 114.114.114.114
# error page
cache_mgr admin@example.com
visible_hostname example.com
email_err_data off
err_page_stylesheet none
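As an added example (not the post's own configuration), here is the same setup with the access controls tightened: clients limited to one network, CONNECT limited to port 443, the plaintext port bound to loopback, and deny all as the final rule. The function writes the file so the rule order is reproducible, and the parse check uses squid's own -k parse. The LAN range 192.168.0.0/16, the cache_mgr address and the /cert paths are assumed defaults; the options= syntax on https_port is Squid 3.5's.

```shell
#!/bin/bash
# Added example: a hardened squid.conf for a TLS-fronted forward proxy.
set -eu

# write_hardened_conf PATH CERT_DIR LAN_CIDR HOSTNAME
write_hardened_conf() {
    local path="$1" certdir="$2" lan="$3" host="$4"
    cat > "$path" <<EOF
# Who may use the proxy: only this network (plus localhost, below).
acl localnet src $lan
# Destination ports: squid's default set rather than 1-65535.
acl SSL_ports port 443
acl Safe_ports port 80 443 21 70 210 280 488 591 777 1025-65535
acl CONNECT method CONNECT

# Order matters: the first matching http_access line wins.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports    # tunnels only to 443, not to SMTP, SSH, etc.
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost
http_access deny all                   # never 'allow all': that is an open proxy

# TLS-wrapped proxy port with legacy protocol versions disabled (Squid 3.5 syntax).
https_port 10251 cert=$certdir/server.crt key=$certdir/server.key options=NO_SSLv2,NO_SSLv3,NO_TLSv1
# Plain HTTP proxy port, if still needed, reachable from this host only.
http_port 127.0.0.1:10250

# Do not leak client addresses or the proxy chain to origin servers.
via off
forwarded_for delete

dns_v4_first on
dns_nameservers 223.5.5.5 114.114.114.114
visible_hostname $host
cache_mgr admin@$host
coredump_dir /var/spool/squid
EOF
}

# Syntax-check a config with the installed squid, if there is one.
check_conf() {
    if command -v squid >/dev/null 2>&1; then
        squid -k parse -f "$1"
    else
        echo "squid not installed; skipping parse check" >&2
    fi
}

# The final http_access line must be 'deny all'; anything else is a misconfiguration.
last_access_rule() {
    grep '^http_access' "$1" | tail -n 1 | awk '{print $2, $3}'
}

if [ "${1:-}" = write ]; then
    write_hardened_conf "${2:-/etc/squid/squid.conf}" "${3:-/cert}" "${4:-192.168.0.0/16}" "${5:-example.com}"
    check_conf "${2:-/etc/squid/squid.conf}"
fi
```

The cache tuning directives from the listing above (refresh_pattern, cache_mem and the timeouts) can be appended unchanged; they do not affect access control.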
Start and test
Start the squid service with systemctl:
systemctl restart squid.service
Test with curl. --proxy-cacert supplies the CA certificate that curl uses to verify the proxy's server certificate; it is not a client certificate (that would be --proxy-cert). Using an https:// URL with -x requires curl 7.52.0 or newer built with HTTPS-proxy support; check for "HTTPS-proxy" in the features line of curl --version.
curl --proxy-cacert /cert/ca.crt -x https://example.com:10251 http://baidu.com
Note: in Chrome, ca.crt must be imported into the trusted root certificate store, otherwise the browser reports ERR_PROXY_CERTIFICATE_INVALID. Chrome also requires the proxy's certificate to carry a subjectAltName matching the proxy host name; a certificate with only a CN is rejected.