带认证的 Squid 代理配置
在 Debian 上安装
# Install the distribution build instead of compiling (package name as given by the author).
# NOTE(review): recent Debian releases may ship the TLS-capable Squid under a different package
# name — confirm "squid-ssl" resolves on your release before relying on this line.
apt-get install squid-ssl
编译 Squid
# Build dependency: libxml2 headers — presumably needed for --enable-esi below; verify against configure output.
host / # apt-get install libxml2 libxml2-dev
# These are the distribution's own configure flags for squid 4.6 (see the -fdebug-prefix-map path in BUILDCXXFLAGS).
# Security-relevant pieces: --enable-auth-basic lists NCSA (the helper used by squid.conf below),
# --enable-ssl/--enable-ssl-crtd provide https_port, and BUILDCXXFLAGS carries the hardening flags
# (-fstack-protector-strong, -D_FORTIFY_SOURCE=2, -Wl,-z,relro -Wl,-z,now) — keep them when rebuilding.
# NOTE(review): a self-built binary receives no distribution security updates; track upstream advisories yourself.
host / # ./configure '--build=aarch64-linux-gnu' '--prefix=/usr' '--includedir=/include' '--mandir=/share/man' '--infodir=/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--libexecdir=/lib/squid' '--srcdir=.' '--disable-maintainer-mode' '--disable-dependency-tracking' '--disable-silent-rules' '--with-build-environment=default' '--enable-build-info=Debian linux' '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid' '--libexecdir=/usr/lib/squid' '--mandir=/usr/share/man' '--enable-inline' '--disable-arch-native' '--enable-async-io=8' '--enable-storeio=ufs,aufs,diskd,rock' '--enable-removal-policies=lru,heap' '--enable-delay-pools' '--enable-icap-client' '--enable-follow-x-forwarded-for' '--enable-auth-basic=DB,fake,getpwnam,LDAP,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB' '--enable-auth-digest=file,LDAP' '--enable-auth-negotiate=kerberos,wrapper' '--enable-auth-ntlm=fake,SMB_LM' '--enable-external-acl-helpers=file_userip,kerberos_ldap_group,LDAP_group,session,SQL_session,time_quota,unix_group,wbinfo_group' '--enable-security-cert-validators=fake' '--enable-storeid-rewrite-helpers=file' '--enable-url-rewrite-helpers=fake' '--enable-eui' '--enable-esi' '--enable-zph-qos' '--enable-ecap' '--disable-translation' '--with-swapdir=/var/spool/squid' '--with-logdir=/var/log/squid' '--with-pidfile=/var/run/squid.pid' '--with-filedescriptors=65536' '--with-large-files' '--with-default-user=proxy' '--with-gnutls' '--enable-linux-netfilter' '--enable-ssl' '--enable-ssl-crtd' '--with-openssl=/etc/ssl' 'build_alias=aarch64-linux-gnu' 'BUILDCXXFLAGS=-g -O2 -fdebug-prefix-map=/build/squid-v3o4nw/squid-4.6=. -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -Wl,-z,relro -Wl,-z,now -Wl,--as-needed -latomic'
生成账号密码
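# Append one user to the htpasswd file read by basic_ncsa_auth (see auth_param in squid.conf).
# Straight ASCII quotes are required: the curly quotes in the original line are not shell
# quoting and would be passed to openssl/printf literally.
# -apr1 (the MD5-based scheme htpasswd uses) replaces -crypt: classic crypt silently truncates
# the password to 8 characters, and newer OpenSSL releases no longer offer -crypt at all.
# The hash is passed as a printf argument, not as the format string, so "$" or "%" in it are safe.
# The password is visible in shell history and process listings while this runs; prefer an
# interactive prompt (e.g. `read -s`) over a literal on the command line.
printf '%s:%s\n' 'user_name' "$(openssl passwd -apr1 'password')" | sudo tee -a /etc/squid/htpasswd
# The file holds credential hashes: make it readable only by root and the proxy user
# ("proxy" is the --with-default-user of the build above).
sudo chown root:proxy /etc/squid/htpasswd && sudo chmod 640 /etc/squid/htpasswd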
squid.conf
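# ---- Port ACLs -------------------------------------------------------------
acl SSL_ports port 443
# Safe_ports is the allow-list of destination ports. The original "1-65535" made the
# "deny !Safe_ports" rule below a no-op, and with the CONNECT rule commented out any
# authenticated client could tunnel to an arbitrary host:port (SMTP, SSH, ...).
# This is Squid's stock list; add further ports explicitly instead of widening it.
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
acl HEAD method HEAD
http_access deny !Safe_ports
# CONNECT tunnels are opaque to the proxy, so only allow them towards the TLS port.
http_access deny CONNECT !SSL_ports
#http_access allow localhost manager
http_access deny manager
#http_access allow localhost
# http_access allow all
# ---- Authentication --------------------------------------------------------
# basic_ncsa_auth validates users against the htpasswd file generated above.
# Basic credentials are only base64-encoded, so they stay confidential only on the TLS port.
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/htpasswd
auth_param basic realm proxy
acl authenticated proxy_auth REQUIRED
# http_access allow localnet
http_access allow localhost
http_access allow authenticated
# And finally deny all other access to this proxy
http_access deny all
# ---- Listeners -------------------------------------------------------------
# Plain listener on all interfaces: Basic credentials cross the wire in cleartext here.
# If clients only use the TLS port (as the PAC file below does), bind this to 127.0.0.1 or drop it.
http_port 0.0.0.0:3128
# TLS listener; the key file must be readable by the proxy user only.
https_port 0.0.0.0:3129 cert=/etc/squid/ssl_cert/doopp_com.pem key=/etc/squid/ssl_cert/doopp_com.key
# NOTE(review): the build above used --with-swapdir=/var/spool/squid; confirm /var/spool/squid3
# exists on this host — it looks like a leftover from the older "squid3" package layout.
coredump_dir /var/spool/squid3
# ---- Caching ---------------------------------------------------------------
# based on http://code.google.com/p/ghebhes/downloads/detail?name=tunning.conf&can=2&q=
# refresh_pattern is first-match: the extension rules below carry no "$" anchor, so a URL
# such as /app.js?v=2 is cached by the ".js" rule rather than reaching the cgi-bin/"?" rule.
#All File
refresh_pattern -i \.(3gp|7z|ace|asx|avi|bin|cab|dat|deb|rpm|divx|dvr-ms) 1440 100% 129600 reload-into-ims
refresh_pattern -i \.(rar|jar|gz|tgz|tar|bz2|iso|m1v|m2(v|p)|mo(d|v)|(x-|)flv) 1440 100% 129600 reload-into-ims
refresh_pattern -i \.(jp(e?g|e|2)|gif|pn[pg]|bm?|tiff?|ico|swf|css|js) 1440 100% 129600 reload-into-ims
refresh_pattern -i \.(mp(e?g|a|e|1|2|3|4)|mk(a|v)|ms(i|u|p)) 1440 100% 129600 reload-into-ims
refresh_pattern -i \.(og(x|v|a|g)|rar|rm|r(a|p)m|snd|vob|wav) 1440 100% 129600 reload-into-ims
refresh_pattern -i \.(pp(s|t)|wax|wm(a|v)|wmx|wpl|zip|cb(r|z|t)) 1440 100% 129600 reload-into-ims
refresh_pattern -i \.(doc|pdf)$ 1440 50% 43200 reload-into-ims
refresh_pattern -i \.(html|htm)$ 1440 50% 40320 reload-into-ims
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880
refresh_pattern . 0 20% 4320
# http options
# Do not announce this proxy in Via headers sent to origin servers.
via off
# memory cache options
cache_mem 512 MB
maximum_object_size_in_memory 256 KB
# disk cache
#cache_dir diskd /var/spool/squid3 10240 16 256
#maximum_object_size 20480 KB
# timeouts
# forward_timeout 10 seconds
# connect_timeout 10 seconds
# read_timeout 10 seconds
# write_timeout 10 seconds
# client_lifetime 59 minutes
# request_timeout 30 seconds
half_closed_clients off
#
# Remove X-Forwarded-For entirely so the client address is not passed upstream.
forwarded_for delete
dns_v4_first on
ipcache_size 4096
# Resolvers used by the proxy itself for outbound lookups.
dns_nameservers 223.5.5.5, 114.114.114.114
# error page
cache_mgr admin@example.com
visible_hostname example.com
email_err_data off
err_page_stylesheet none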
使用 SwitchyOmega 的话，可以配置如下
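// Hosts (and their subdomains) that bypass the proxy; every other host goes through it.
// The original listing had a bare "... more domain" placeholder inside the array, which is
// not valid JavaScript; it is now a comment. ES5 syntax (var) is kept on purpose — not
// every PAC engine supports newer JavaScript.
var outDomains = [
  "example.com",
  // ... add more domains here, one per line
];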
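// Returns true when host equals an entry of outDomains or is a subdomain of it.
// dnsDomainIs() in the common PAC implementations is a plain suffix test, so
// dnsDomainIs("notexample.com", "example.com") is true and such a look-alike host
// would be sent DIRECT, bypassing the proxy. Prefixing a dot restores the label
// boundary; entries written with a leading dot are accepted as well.
function isOutDomain(host) {
  for (var i = 0; i < outDomains.length; i++) {
    var entry = outDomains[i];
    var bare = entry.charAt(0) === "." ? entry.slice(1) : entry;
    if (host === bare || dnsDomainIs(host, "." + bare)) {
      return true;
    }
  }
  return false;
}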
// PAC entry point: hosts matched by isOutDomain go DIRECT, everything else via the TLS proxy.
// The proxy is named by a placeholder address here; browsers typically validate the
// https_port certificate against the name in this string, so use the hostname the
// certificate was issued for unless the certificate also covers the IP address.
function FindProxyForURL(url, host) {
  var viaProxy = "HTTPS xxx.xxx.xxx.xxx:3129";
  return isOutDomain(host) ? "DIRECT" : viaProxy;
}