## Make the SSL key and certificate

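openssl req -new -newkey rsa:2048 -days 3650 -nodes -x509 -keyout /etc/squid/squid.key -out /etc/squid/squid.cert # 2048-bit RSA (1024-bit is below current minimums); -nodes writes the key unencrypted, so make /etc/squid/squid.key readable only by the user Squid runs as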

## squid.conf
```
visible_hostname asplord

# Client networks allowed to use the proxy (see the http_access rules below)
acl localnet src 192.168.1.0/24 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 901 # SWAT
acl CONNECT method CONNECT

# http_access lines are evaluated in order (first match wins), so the deny
# rules must stay ahead of the localnet/localhost allows.
http_access allow localhost manager
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access allow localhost
http_access deny all

# On-disk cache: 2000 MB under /var/cache/squid; in-memory cache: 1024 MB
cache_dir ufs /var/cache/squid 2000 16 256
cache_mem 1024 MB

# 3128 is the explicit proxy port. 3127 receives the port-80 traffic that the
# iptables rules further down redirect to it. Nothing on this page redirects
# port 443 to 3129, so the https intercept port is unused unless a rule is added.
http_port 192.168.1.254:3128
http_port 192.168.1.254:3127 intercept
# NOTE(review): the openssl command above writes /etc/squid/squid.key and
# /etc/squid/squid.cert, not /etc/squid/myCA.pem — confirm which CA file is meant.
# With generate-host-certificates=on Squid re-signs sites using this CA, so every
# client behind the proxy must trust it or it will see certificate warnings.
https_port 192.168.1.254:3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/myCA.pem

always_direct allow all
# NOTE(review): the next two lines disable upstream certificate validation for
# bumped connections — Squid accepts any server certificate (expired, wrong name,
# untrusted issuer), so clients lose the protection TLS would otherwise give them
# against a forged upstream. Prefer removing both and adding narrowly scoped
# sslproxy_cert_error exceptions only for the specific sites that need them.
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
ssl_bump allow all

# Hide proxy information
via off
forwarded_for delete

# Responses larger than this are never stored, so the large-media refresh_pattern
# below only affects files that fit under 5 MB.
maximum_object_size 5 MB

# Don't cache dynamic content (query strings, script URLs)
acl QUERY urlpath_regex cgi-bin \? \.php \.asp \.cgi
no_cache deny QUERY

# NOTE(review): no access_log directive appears here — confirm where client
# requests are being recorded before relying on these logs for investigation.
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log
logfile_rotate 10

#refresh patterns for caching static files
# NOTE(review): ignore-private / ignore-no-store / ignore-no-cache override the
# origin's Cache-Control directives, so a per-user response whose URL matches one
# of these extensions could be served to a different client on the LAN. Keep the
# extension lists here limited to genuinely static, non-personalised content.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i \.(gif|png|jpg|jpeg|ico)$ 10080 90% 43200 override-expire ignore-no-cache ignore-no-store ignore-private
refresh_pattern -i \.(iso|avi|wav|mp3|mp4|mpeg|swf|flv|x-flv)$ 43200 90% 432000 override-expire ignore-no-cache ignore-no-store ignore-private
refresh_pattern -i \.(deb|rpm|exe|zip|tar|tgz|ram|rar|bin|ppt|doc|tiff)$ 10080 90% 43200 override-expire ignore-no-cache ignore-no-store ignore-private
refresh_pattern -i \.index.(html|htm)$ 0 40% 10080
refresh_pattern -i \.(html|htm|css|js)$ 1440 40% 40320
refresh_pattern . 0 40% 40320

# Resolver used by Squid itself for upstream name lookups
dns_nameservers 168.95.1.1
```

## Transparent Proxy Redirection via iptables
```
# Traffic addressed to the proxy host itself is exempted so it is not looped back into Squid
iptables -t nat -A PREROUTING -p tcp --dport 80 -d 192.168.1.254 -j ACCEPT
# All other port-80 traffic is sent to the intercept port (http_port 3127 in squid.conf).
# NOTE(review): only port 80 is redirected; https_port 3129 intercept in squid.conf has
# no matching rule here. There is also no -s/-i restriction, so port-80 traffic from any
# interface or source passing through this host is redirected — consider matching
# -s 192.168.1.0/24 so the NAT scope agrees with the localnet ACL. Presumably these
# rules run on the Squid host itself (intercept mode looks the original destination
# up in the local NAT table); verify if the NAT is done on a separate router.
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to 192.168.1.254:3127
```