squid

Generate the SSL key and self-signed certificate

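# Generate a self-signed RSA key pair for Squid (valid 10 years). -nodes leaves
# the private key unencrypted so Squid can start unattended; restrict read
# access on squid.key to the user Squid runs as.
# Key size raised from 1024 to 2048 bits: 1024-bit RSA is below the minimum
# that current TLS clients and browsers accept, so certificates signed by a
# 1024-bit CA are rejected.
openssl req -new -newkey rsa:2048 -days 3650 -nodes -x509 -keyout /etc/squid/squid.key -out /etc/squid/squid.cert
# NOTE: squid.conf below references cert=/etc/squid/myCA.pem, not the two files
# written here; either point https_port at these files (cert=... key=...) or
# concatenate them into myCA.pem. If this certificate is the ssl-bump signing
# CA, it must carry basicConstraints CA:TRUE; whether `req -x509` adds that
# depends on the x509_extensions setting in openssl.cnf -- verify with
# `openssl x509 -text -in /etc/squid/squid.cert`.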

squid.conf

# Hostname Squid reports in error pages (and in Via, which is switched off below).
visible_hostname asplord

# Networks allowed to use the proxy. Only 192.168.1.0/24 plus the IPv6 ULA and
# link-local ranges are trusted; other RFC1918 ranges (10/8, 172.16/12) are not
# listed, so clients from them fall through to "deny all" in http_access.
acl localnet src 192.168.1.0/24    # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines

# Ports a CONNECT tunnel may be opened to; anything else is refused below
# ("deny CONNECT !SSL_ports"), which stops the proxy being used as a generic
# TCP relay.
acl SSL_ports port 443
# Destination ports allowed for plain requests. This is the stock Squid list;
# the 1025-65535 entry permits any unprivileged port, so only the well-known
# privileged ports not named here are actually blocked.
acl Safe_ports port 80        # http
acl Safe_ports port 21        # ftp
acl Safe_ports port 443        # https
acl Safe_ports port 70        # gopher
acl Safe_ports port 210        # wais
acl Safe_ports port 1025-65535    # unregistered ports
acl Safe_ports port 280        # http-mgmt
acl Safe_ports port 488        # gss-http
acl Safe_ports port 591        # filemaker
acl Safe_ports port 777        # multiling http
acl Safe_ports port 901        # SWAT
# Matches CONNECT requests so they can be restricted to SSL_ports.
acl CONNECT method CONNECT

# Access rules are evaluated top-down, first match wins; the order below matters.
# The cache manager interface is reachable only from the proxy host itself.
http_access allow localhost manager
http_access deny manager
# Refuse unsafe destination ports and CONNECT tunnels to non-TLS ports before
# any allow rule, so the allows further down cannot override them.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
# Only the LAN ranges defined in localnet, and the proxy host, may use the proxy.
http_access allow localnet
http_access allow localhost
# NOTE(review): there is no "http_access deny to_localhost" ahead of the allows,
# so LAN clients can ask the proxy to fetch from the proxy host's own loopback
# addresses. Consider adding it (to_localhost is predefined on 3.2+; on older
# versions define it first with "acl to_localhost dst 127.0.0.0/8").
http_access deny all

# On-disk cache: ufs store, 2000 MB, 16 first-level and 256 second-level dirs.
# Note that decrypted ssl-bump responses are stored here in clear text, so the
# directory deserves the same access protection as the proxy's private key.
cache_dir ufs /var/cache/squid 2000 16 256
# In-memory cache for hot objects (1 GB; must fit alongside Squid's other memory use).
cache_mem 1024 MB

# All listeners are bound to the LAN address only, which is what keeps the
# intercept ports off any other interface. Keep them that way: an intercept
# port reachable from an untrusted network accepts arbitrary redirected traffic.
# 3128: explicit (configured) forward proxy port.
http_port 192.168.1.254:3128
# 3127: target of the iptables port-80 DNAT rule below (plain HTTP interception).
http_port 192.168.1.254:3127 intercept
# 3129: TLS interception. generate-host-certificates=on makes Squid mint a
# per-origin certificate signed by myCA.pem for each bumped site, so clients
# must trust that CA; the CA's private key therefore lets its holder impersonate
# any site to those clients. NOTE(review): the openssl command above writes
# squid.key/squid.cert, not myCA.pem -- confirm which file is actually deployed.
https_port 192.168.1.254:3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/myCA.pem

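# Always connect to origin servers directly (no cache_peer); ssl-bump needs
# its own TLS connection to the origin.
always_direct allow all
# Removed from the original config:
#   sslproxy_cert_error allow all
#   sslproxy_flags DONT_VERIFY_PEER
# Together they made Squid accept ANY origin certificate (expired, self-signed,
# wrong host) and then present a freshly generated, CA-signed certificate to
# the client, so bumped clients could never see a bad origin certificate.
# Without them Squid verifies origins and fails the request on a certificate
# error, which is the behaviour clients would get without the proxy. If every
# TLS request now fails with a verification error, point Squid at the system
# CA bundle (e.g. `sslproxy_cafile <path-to-ca-bundle>` on 3.x) rather than
# restoring DONT_VERIFY_PEER.
# Bump every TLS session. "allow" is the pre-3.5 spelling; 3.5+ uses
# `ssl_bump bump all` (or peek/splice rules) -- confirm against the deployed version.
ssl_bump allow all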

# Hide proxy information: do not add a Via header, and strip X-Forwarded-For
# so origin servers do not learn client LAN addresses.
via off
forwarded_for delete

# Largest object that will be stored. At 5 MB most of the iso/avi/mp4/deb/exe
# objects the refresh_patterns below try to keep for days will never be cached.
maximum_object_size 5 MB

# Never cache dynamic content (CGI paths, query strings, php/asp/cgi scripts);
# such responses are often user-specific and must not be shared across clients.
acl QUERY urlpath_regex cgi-bin \? \.php \.asp \.cgi
# "no_cache" is the old directive name; current versions spell this
# "cache deny QUERY" -- confirm against the deployed Squid version.
no_cache deny QUERY

# Squid's own diagnostic log and the store (object add/remove) log. access_log is
# not set here, so request logging uses Squid's default. With ssl-bump enabled
# these logs record decrypted HTTPS URLs, so protect the log directory accordingly.
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log
# Keep 10 rotated generations.
logfile_rotate 10

#refresh patterns for caching static files
# Format: regex  min-minutes  percent  max-minutes  [options]. First match wins.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
# NOTE(review): ignore-private / ignore-no-store / ignore-no-cache on the three
# patterns below override the origin's own cache-control. On a shared proxy this
# means a response the origin marked private or no-store (e.g. a per-user file
# download) can be served from cache to a different LAN client, and with
# ssl-bump this applies to decrypted HTTPS responses as well. Drop ignore-private
# and ignore-no-store unless that exposure is acceptable; override-expire alone
# gives most of the hit-rate benefit for truly static files.
refresh_pattern -i \.(gif|png|jpg|jpeg|ico)$ 10080 90% 43200 override-expire ignore-no-cache ignore-no-store ignore-private
refresh_pattern -i \.(iso|avi|wav|mp3|mp4|mpeg|swf|flv|x-flv)$ 43200 90% 432000 override-expire ignore-no-cache ignore-no-store ignore-private
refresh_pattern -i \.(deb|rpm|exe|zip|tar|tgz|ram|rar|bin|ppt|doc|tiff)$ 10080 90% 43200 override-expire ignore-no-cache ignore-no-store ignore-private
# Index pages: always revalidate (min 0). The dot after "index" is unescaped,
# so it matches any single character.
refresh_pattern -i \.index.(html|htm)$ 0 40% 10080
refresh_pattern -i \.(html|htm|css|js)$ 1440 40% 40320
# Catch-all for everything else.
refresh_pattern . 0 40% 40320

# Resolver Squid uses for origin lookups (overrides resolv.conf). A single
# external resolver is a single point of failure for the whole proxy.
dns_nameservers 168.95.1.1

Transparent Proxy Redirection via iptables

# Traffic addressed to the proxy host itself on port 80 is left alone, so the
# redirect below cannot loop Squid's own listener back into itself.
iptables -t nat -A PREROUTING -p tcp --dport 80 -d 192.168.1.254 -j ACCEPT
# Redirect all other port-80 traffic into the intercept listener (3127).
# NOTE(review): neither rule is limited by interface or source, so if this host
# forwards for more than one network the redirect applies to all of them;
# consider adding `-i <lan-interface> -s 192.168.1.0/24` to both rules.
# There is no matching rule for port 443, so the https_port 3129 intercept
# listener in squid.conf is never reached by this ruleset as shown.
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to 192.168.1.254:3127