
CentOS 7 Linux Squid transparent proxy: HTTP and HTTPS configuration

CentOS 7 yum squid transparent http https

# cat /etc/redhat-release
CentOS Linux release 7.5.1804 (Core)

Enable IP forwarding (routing):

echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
sysctl -p
sysctl -w net.ipv4.ip_forward=1

Install directly with yum:

# yum -y install squid

Check the version:

# squid -v
Squid Cache: Version 3.5.20
Service Name: squid
configure options: --build=x86_64-redhat-linux-gnu --host=x86_64-redhat-linux-gnu --program-prefix= --prefix=/usr --exec-prefix=/usr --bindir=/usr/bin --sbindir=/usr/sbin --sysconfdir=/etc --datadir=/usr/share --includedir=/usr/include --libdir=/usr/lib64 --libexecdir=/usr/libexec --sharedstatedir=/var/lib --mandir=/usr/share/man --infodir=/usr/share/info --disable-strict-error-checking --exec_prefix=/usr --libexecdir=/usr/lib64/squid --localstatedir=/var --datadir=/usr/share/squid --sysconfdir=/etc/squid --with-logdir=$(localstatedir)/log/squid --with-pidfile=$(localstatedir)/run/squid.pid --disable-dependency-tracking --enable-eui --enable-follow-x-forwarded-for --enable-auth --enable-auth-basic=DB,LDAP,MSNT-multi-domain,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB,SMB_LM,getpwnam --enable-auth-ntlm=smb_lm,fake --enable-auth-digest=file,LDAP,eDirectory --enable-auth-negotiate=kerberos --enable-external-acl-helpers=file_userip,LDAP_group,time_quota,session,unix_group,wbinfo_group,kerberos_ldap_group --enable-cache-digests --enable-cachemgr-hostname=localhost --enable-delay-pools --enable-epoll --enable-ident-lookups --enable-linux-netfilter --enable-removal-policies=heap,lru --enable-snmp --enable-ssl-crtd --enable-storeio=aufs,diskd,rock,ufs --enable-wccpv2 --enable-esi --enable-ecap --with-aio --with-default-user=squid --with-dl --with-openssl --with-pthreads --disable-arch-native build_alias=x86_64-redhat-linux-gnu host_alias=x86_64-redhat-linux-gnu CFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -fpie LDFLAGS=-Wl,-z,relro -pie -Wl,-z,relro -Wl,-z,now CXXFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -fpie PKG_CONFIG_PATH=:/usr/lib64/pkgconfig:/usr/share/pkgconfig

Back up the default squid.conf, stripping comments and blank lines:

cat squid.conf | sed '/^#/d' | sed '/^$/d' > squid.default.conf

The options from the help output that get used most are -f and -k:

# squid -help
Usage: squid [-cdhvzCFNRVYX] [-n name] [-s | -l facility] [-f config-file] [-[au] port] [-k signal]
       -a port   Specify HTTP port number (default: 3128).
       -d level  Write debugging to stderr also.
       -f file   Use given config-file instead of /etc/squid/squid.conf
       -h        Print help message.
       -k reconfigure|rotate|shutdown|restart|interrupt|kill|debug|check|parse
                 Parse configuration file, then send signal to running copy (except -k parse) and exit.

I'll just paste my final configuration; this thing took me a whole midday of repeated testing and fiddling to get right.

# cat /etc/squid/squid.conf
acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 443         # https
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl CONNECT method CONNECT
http_access allow localnet
http_access allow localhost
http_access allow all
http_port 3127
http_port 3128 transparent
https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=16MB cert=/etc/squid/1_www.snsyr.com_bundle.crt key=/etc/squid/2_www.snsyr.com.key
coredump_dir /var/spool/squid
refresh_pattern ^ftp:             1440    20%     10080
refresh_pattern ^gopher:          1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0       0%      0
refresh_pattern .                 0       20%     4320

A few key points. The ACLs can be changed to suit you; for convenience I simply used allow all.

http_port 3127

http_port 3128 transparent

https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=16MB cert=/etc/squid/1_www.snsyr.com_bundle.crt key=/etc/squid/2_www.snsyr.com.key

All three of these lines are required for transparent proxying to work.

The normal startup log actually shows why it has to be done this way:

3127, 3128 and 3129 each serve a different function:

# tail -f /var/log/squid/cache.log
2021/03/05 19:09:41 kid1| DNS Socket created at 0.0.0.0, FD 10
2021/03/05 19:09:41 kid1| Adding domain localdomain from /etc/resolv.conf
2021/03/05 19:09:41 kid1| Adding nameserver 10.211.55.1 from /etc/resolv.conf
2021/03/05 19:09:41 kid1| helperOpenServers: Starting 5/32 ssl_crtd processes
2021/03/05 19:09:41 kid1| WARNING: No ssl_bump configured. Disabling ssl-bump on https_port [::]:3129
2021/03/05 19:09:41 kid1| HTCP Disabled.
2021/03/05 19:09:41 kid1| Finished loading MIME types and icons.
2021/03/05 19:09:41 kid1| Accepting HTTP Socket connections at local=[::]:3127 remote=[::] FD 22 flags=9
2021/03/05 19:09:41 kid1| Accepting NAT intercepted HTTP Socket connections at local=[::]:3128 remote=[::] FD 23 flags=41
2021/03/05 19:09:41 kid1| Accepting NAT intercepted HTTPS Socket connections at local=[::]:3129 remote=[::] FD 24 flags=41

If 3127 is missing, the log reports this error:

kid1| ERROR: No forward-proxy ports configured.

There should also be a warning about ssl-bump here.

Look up the fix for that yourself. As for the key, I just grabbed a random one of my own so I wouldn't have to generate one with openssl.
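The line "WARNING: No ssl_bump configured. Disabling ssl-bump on https_port [::]:3129" in the startup log above means Squid 3.5 found no ssl_bump rules and therefore turned decryption off on the intercept port, so 3129 only passes TLS bytes through. As an added example that is not part of the original post, here is the minimal rule set the Squid 3.5 documentation gives for peek-then-bump, together with the certificate-helper directives that belong to the ssl_crtd database created later in the post. One caveat on the key: generate-host-certificates signs a fresh certificate for every visited host with the cert= and key= pair from https_port, so that pair must be a CA certificate the clients trust; a website's own server certificate, as used above, produces certificates the clients will reject (the curl -k used for testing below skips exactly that check). The ssl_crtd path and database location are the CentOS package defaults and match the post.

```conf
# Added example, not from the original post: ssl_bump rules for Squid 3.5.
# Without any ssl_bump line Squid logs "No ssl_bump configured" and
# disables bumping on the https_port, so 3129 just tunnels bytes through.
acl step1 at_step SslBump1
ssl_bump peek step1      # step 1: read the client's TLS hello (SNI) first
ssl_bump bump all        # then decrypt; "ssl_bump splice all" would pass through instead

# Helper that mints the per-host certificates, and its database. The
# database is the one created with "ssl_crtd -c -s /var/lib/ssl_db" later
# in the post and must be owned by the squid user, or the helpers crash.
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
sslcrtd_children 5
```

Run squid -k parse after adding these lines; the "No ssl_bump configured" warning should disappear from cache.log on the next start.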

Configure the firewall:

A simple iptables setup:

--flush  -F [chain]    Delete all rules in chain or all chains

iptables -F

iptables -F -t nat

Both commands above flush the corresponding rules (the filter table and the nat table).

Next, requests from the LAN (the subnet that needs to be proxied) must be redirected to ports 3128 and 3129.

Port 80 traffic from the LAN is mapped to port 3128 on the Squid server, and port 443 to 3129:

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-ports 3128
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-ports 3129

Note why eth0 is used above: my test host sits on that subnet as 10.211.55.3.

# ip a   (output trimmed to eth0)

2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000

inet 10.211.55.3/24 brd 10.211.55.255 scope global noprefixroute dynamic eth0

Check the nat table:

iptables -t nat --list-rules
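The two REDIRECT rules above capture every port 80/443 connection arriving on eth0, including connections aimed at the Squid host itself. The script below is an added example, not from the original post: it builds the same 80 to 3128 and 443 to 3129 mapping but scopes it to the client subnet, leaves traffic addressed to the proxy's own IP alone, and uses iptables -C so re-running it does not stack duplicate rules. The interface, subnet and proxy address are assumptions taken from the post's test network and can be overridden through the environment; DRY_RUN=1 (the default) prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example, not from the original post. Reproduces the post's two
# REDIRECT rules, scoped to the client subnet and excluding the proxy
# host's own address so services on the Squid box are not captured by
# its own interception. IFACE/LAN/PROXY_IP are assumptions from the
# post's test network; DRY_RUN=1 (default here) only prints commands.
IFACE="${IFACE:-eth0}"
LAN="${LAN:-10.211.55.0/24}"
PROXY_IP="${PROXY_IP:-10.211.55.3}"
DRY_RUN="${DRY_RUN:-1}"

# redirect_rule FROM_PORT TO_PORT: print one nat rule spec (chain, match, target)
redirect_rule() {
    printf 'PREROUTING -i %s -s %s ! -d %s -p tcp --dport %s -j REDIRECT --to-ports %s\n' \
        "$IFACE" "$LAN" "$PROXY_IP" "$1" "$2"
}

# add_nat_rule SPEC: append the rule unless -C says it is already present
add_nat_rule() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "iptables -t nat -A $1"
        return 0
    fi
    # shellcheck disable=SC2086  # splitting the spec into arguments is intended
    iptables -t nat -C $1 2>/dev/null || iptables -t nat -A $1
}

# apply_redirects: the post's mapping, 80 -> 3128 (http_port transparent)
# and 443 -> 3129 (https_port intercept)
apply_redirects() {
    add_nat_rule "$(redirect_rule 80 3128)"
    add_nat_rule "$(redirect_rule 443 3129)"
}

# rule_count: number of rules apply_redirects emits (dry-run, for checking)
rule_count() {
    (DRY_RUN=1; apply_redirects) | wc -l | tr -d ' '
}

apply_redirects
# with DRY_RUN=0, show what actually landed in the nat table
[ "$DRY_RUN" = 1 ] || iptables -t nat -S PREROUTING
```

Run it as DRY_RUN=0 sh redirect.sh on the Squid host to apply the rules; iptables -t nat -S PREROUTING prints the same view as the --list-rules command above.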

For testing, on my other host I deleted the default route and pointed the default route at this Squid host:

route del default gw 10.211.55.1
route add default gw 10.211.55.3

The relevant logs:

/var/log/squid/access.log

/var/log/squid/cache.log
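Because the configuration above ends with http_access allow all, anything that can reach the forward-proxy port 3127 may relay requests through this Squid, so access.log is worth watching for clients that are not on the LAN. The script below is an added example, not from the original post: it parses Squid's native access.log format, lists client addresses outside the localnet ranges the config defines, counts denied requests and summarizes requests per client. The log lines are constructed for the example; point the functions at /var/log/squid/access.log on a real host.

```shell
#!/bin/sh
# Added example, not from the original post: checks over Squid's native
# access.log. The sample lines are constructed; use the real log instead.
#
# Native format, one request per line:
#   time.ms  elapsed  client  action/status  bytes  method  URL  user  hierarchy/peer  type
SAMPLE="$(mktemp)"
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
1614942581.123    245 10.211.55.6 TCP_MISS/200 2381 GET http://www.baidu.com/ - HIER_DIRECT/220.181.38.148 text/html
1614942583.456    102 10.211.55.6 TCP_TUNNEL/200 5120 CONNECT www.baidu.com:443 - HIER_DIRECT/220.181.38.148 -
1614942590.001     15 203.0.113.77 TCP_MISS/200 512 GET http://example.net/ - HIER_DIRECT/93.184.216.34 text/html
1614942591.002     10 203.0.113.77 TCP_DENIED/403 3620 GET http://example.net/admin - HIER_NONE/- text/html
1614942595.300     33 192.168.1.20 TCP_HIT/200 1024 GET http://example.net/logo.png - HIER_NONE/- image/png
EOF

# external_clients LOG: unique client addresses (field 3) that fall outside
# the config's localnet ACL ranges (RFC1918, fc00::/7, fe80::/10) and loopback
external_clients() {
    awk '$3 !~ /^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.|::1$|fe80:|f[cd][0-9a-f][0-9a-f]:)/ { print $3 }' "$1" \
        | sort -u
}

# denied_count LOG: number of requests Squid refused (TCP_DENIED/...)
denied_count() {
    awk '$4 ~ /^TCP_DENIED/ { n++ } END { print n + 0 }' "$1"
}

# client_summary LOG: request count per client address, busiest first
client_summary() {
    awk '{ n[$3]++ } END { for (c in n) printf "%6d %s\n", n[c], c }' "$1" | sort -rn
}

echo "clients outside localnet:"; external_clients "$SAMPLE"
echo "denied requests: $(denied_count "$SAMPLE")"
echo "requests per client:"; client_summary "$SAMPLE"
```

With the allow-all policy in place, a non-empty external_clients list on a host whose port 3127 is reachable from outside is the signal that the forward-proxy port needs the http_access deny all that the default squid.conf ends with.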

For startup errors, reading the error output and the logs is enough:

# /usr/sbin/squid -f /etc/squid/squid.conf -k check

# /usr/sbin/squid -f /etc/squid/squid.conf -k reconfigure

Start it:

/usr/sbin/squid -f /etc/squid/squid.conf
# netstat -nltp | grep squid
tcp6       0      0 :::3129                 :::*                    LISTEN      5241/(squid-1)
tcp6       0      0 :::3127                 :::*                    LISTEN      5241/(squid-1)
tcp6       0      0 :::3128                 :::*                    LISTEN      5241/(squid-1)

You can also check the processes:

Errors I hit along the way and how they were fixed:

FATAL: The ssl_crtd helpers are crashing too rapidly, need help!

 1806  2021-03-05 15:52:29  /usr/lib64/squid/ssl_crtd
 1807  2021-03-05 15:52:48  /usr/lib64/squid/ssl_crtd -c -s /var/lib/ssl_db
 1808  2021-03-05 15:52:57  chown squid:squid /var/lib/ssl_db

For testing I just used curl:

curl -klv http://www.baidu.com

curl -klv

After configuring SSL in nginx it reported: nginx: [warn] the "ssl" directive is deprecated, use the "listen ... ssl"

This is because the latest version no longer supports ssl on; that directive is obsolete, so use listen 443 ssl; instead.

++++++++++++++++ An aside on configuring nginx, in case nginx is used to implement the proxy here ++++++++++++++++

Key point: ssl on has, for version reasons, been replaced by use the "listen ... ssl".

centos7 root@parallels:/usr/local/nginx/conf/vhosts# cat forward.conf
server {
    listen 3128 ssl;
    access_log /usr/local/nginx/logs/proxy-access.log main;
    error_log  /usr/local/nginx/logs/error.log;
    ssl_certificate     /usr/local/nginx/conf/sslkey/bppstore.com.pem;
    ssl_certificate_key /usr/local/nginx/conf/sslkey/bppstore.com.key;
    ssl_session_timeout 5m;
    #ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;   # keep either this line or the next one
    ssl_protocols TLSv1;
    ssl_ciphers RC4:HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    # dns resolver used by forward proxying
    resolver 119.29.29.29 valid=60s ipv6=off;
    # forward proxy for CONNECT request
    proxy_connect;
    proxy_connect_allow 443 563;   # add 80 here as well
    proxy_connect_connect_timeout 10s;
    proxy_connect_read_timeout 10s;
    proxy_connect_send_timeout 10s;
    # forward proxy for non-CONNECT request
    location / {
        proxy_pass ;
        proxy_set_header Host $host;
    }
}

Reload nginx:

/usr/local/nginx/sbin/nginx -s reload

With an SSL-enabled configuration in place:

centos7 root@parallels:/usr/local/nginx/conf/vhosts# tail -f /usr/local/nginx/logs/proxy-access.log

A request to https://www.baidu.com then works:

node2 root@node2:~# curl -klv

10.211.55.6 - - [05/Mar/2021:14:47:53 +0800] "GET / HTTP/1.1" 200 2381 "-" "curl/7.29.0" "-"