Install Squid:
```sh
opkg update
opkg install squid
cd /etc/squid
mv squid.conf squid.conf.back
vim squid.conf
```
Squid-related commands:
```sh
squid -k reconfigure   # reload the configuration without restarting
squid -k parse         # check the configuration file for errors
squid -k shutdown      # stop squid
squid -k rotate        # rotate the log files
```
iptables
```sh
# Rules for transparent proxying
iptables -N NO_PROXY -t nat
iptables -A NO_PROXY -t nat -d 0.0.0.0/8 -j ACCEPT
iptables -A NO_PROXY -t nat -d 10.0.0.0/8 -j ACCEPT
iptables -A NO_PROXY -t nat -d 127.0.0.0/8 -j ACCEPT
iptables -A NO_PROXY -t nat -d 169.254.0.0/16 -j ACCEPT
iptables -A NO_PROXY -t nat -d 172.16.0.0/12 -j ACCEPT
iptables -A NO_PROXY -t nat -d 192.168.0.0/16 -j ACCEPT
iptables -A NO_PROXY -t nat -d 224.0.0.0/4 -j ACCEPT
iptables -A NO_PROXY -t nat -d 240.0.0.0/4 -j ACCEPT
iptables -A NO_PROXY -t nat -j RETURN
iptables -A PREROUTING -t nat -p tcp --dport 80 -j NO_PROXY
iptables -A PREROUTING -t nat -p tcp --dport 80 -j REDIRECT --to-ports 3129
iptables -A PREROUTING -t nat -p tcp --dport 443 -j NO_PROXY
iptables -A PREROUTING -t nat -p tcp --dport 443 -j REDIRECT --to-ports 3130
```
The NO_PROXY chain lets traffic to private, loopback, link-local, multicast and reserved destinations pass untouched; everything else on ports 80 and 443 that is forwarded through the box (PREROUTING only sees forwarded traffic, not the router's own connections) is redirected to Squid's intercept ports.
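The rule set above is easy to get subtly wrong (a typo in one CIDR silently sends internal traffic through the proxy, or leaves a public range unproxied). The script below is an added example, not part of the original post: it keeps the bypass list in one place, generates the same nat rules from it, and lets you check from the shell how a given destination would be classified before applying anything. It assumes IPv4 only and the same port numbers as the post; set IPT=echo for a dry run.

```sh
#!/bin/sh
# Added example (not from the original post). Assumptions: IPv4 only,
# Squid intercept ports 3129 (HTTP) and 3130 (HTTPS) as in the post.

# Destinations that must never be redirected into the proxy (same list as the post).
NO_PROXY_NETS="0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 172.16.0.0/12 192.168.0.0/16 224.0.0.0/4 240.0.0.0/4"

# Set IPT=echo to print the rules instead of applying them (dry run).
IPT="${IPT:-iptables}"

# ip4_to_int 192.168.1.1 -> 3232235777 (runs in a subshell so IFS is not clobbered)
ip4_to_int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# in_cidr ADDR NET/PREFIX -> exit 0 if ADDR lies inside the block
in_cidr() {
    addr=$(ip4_to_int "$1")
    net=$(ip4_to_int "${2%/*}")
    prefix=${2#*/}
    if [ "$prefix" -eq 0 ]; then
        mask=0
    else
        mask=$(( (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF ))
    fi
    [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# should_bypass ADDR -> exit 0 if the destination matches a NO_PROXY entry
should_bypass() {
    for n in $NO_PROXY_NETS; do
        if in_cidr "$1" "$n"; then
            return 0
        fi
    done
    return 1
}

# classify ADDR PORT -> prints "bypass" or "redirect:<squid port>", i.e. what the
# nat rules would do with a forwarded packet to ADDR:PORT
classify() {
    if should_bypass "$1"; then
        echo bypass
    elif [ "$2" = 443 ]; then
        echo redirect:3130
    else
        echo redirect:3129
    fi
}

# Emit (or apply) the nat rules, mirroring the post but driven by NO_PROXY_NETS.
apply_rules() {
    $IPT -t nat -N NO_PROXY
    for n in $NO_PROXY_NETS; do
        $IPT -t nat -A NO_PROXY -d "$n" -j ACCEPT
    done
    $IPT -t nat -A NO_PROXY -j RETURN
    for port in 80:3129 443:3130; do
        $IPT -t nat -A PREROUTING -p tcp --dport "${port%:*}" -j NO_PROXY
        $IPT -t nat -A PREROUTING -p tcp --dport "${port%:*}" -j REDIRECT --to-ports "${port#*:}"
    done
}

# Usage: sh proxy-rules.sh apply   (or IPT=echo sh proxy-rules.sh apply to preview)
case "${1:-}" in
    apply) apply_rules ;;
esac
```

Run `classify 172.20.5.5 443` and `classify 172.32.0.1 443` to see the /12 boundary of 172.16.0.0/12 handled correctly (the first bypasses, the second is redirected to 3130).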
squid.conf
```
# Pass all TLS through without decrypting it (splice). Change to "bump" to decrypt;
# the CA configured below is only used when bumping.
ssl_bump splice all
# WARNING: the next two lines disable upstream certificate validation when bumping.
# Squid will then accept any server certificate, including a forged one, and the
# client never sees the error. Remove them unless you really need that.
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
# Squid normally listens to port 3128
http_port 3128
http_port 3129 intercept
https_port 3130 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl/ca.crt key=/etc/squid/ssl/ca.key
# Helper that mints the per-host certificates (path differs by distribution; Squid 4+ ships it as security_file_certgen)
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
sslcrtd_children 8 startup=1 idle=1
# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid
# Send every request to the parent proxy. The parent's host and port are missing
# from the page; the directive syntax is:
#   cache_peer <parent-host> parent <parent-port> 0 no-query no-digest default
never_direct allow all
cache_peer <parent-host> parent <parent-port> 0 no-query no-digest default
```
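Because `sslproxy_cert_error allow all` and `sslproxy_flags DONT_VERIFY_PEER` turn the proxy into a point where any forged upstream certificate is accepted, it is worth having a check that refuses such a configuration before `squid -k reconfigure`. The script below is an added example, not from the original post: it writes the post's configuration and a hardened variant (upstream verification left on; peek at step 1, then splice) into a scratch directory as constructed sample input, and provides a small lint that reports the offending directives. It assumes Squid 3.5 directive names as used on the page and treats all paths as placeholders.

```sh
#!/bin/sh
# Added example (not from the original post). Assumptions: Squid 3.5 directive
# names as on the page; the cache_peer host/port are not shown on the page and are
# left as a comment; all file paths are placeholders.

WORK=$(mktemp -d)

# The post's configuration, as constructed sample input.
cat > "$WORK/squid.conf.weak" <<'EOF'
ssl_bump splice all
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
http_port 3128
http_port 3129 intercept
https_port 3130 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl/ca.crt key=/etc/squid/ssl/ca.key
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
sslcrtd_children 8 startup=1 idle=1
coredump_dir /var/spool/squid
never_direct allow all
# cache_peer <parent-host> parent <parent-port> 0 no-query no-digest default
EOF

# Hardened variant: upstream certificates stay verified (no sslproxy_cert_error /
# DONT_VERIFY_PEER), and TLS is peeked at step 1 so the SNI is logged before splicing.
cat > "$WORK/squid.conf.hard" <<'EOF'
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump splice all
http_port 3128
http_port 3129 intercept
https_port 3130 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl/ca.crt key=/etc/squid/ssl/ca.key
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
sslcrtd_children 8 startup=1 idle=1
coredump_dir /var/spool/squid
never_direct allow all
# cache_peer <parent-host> parent <parent-port> 0 no-query no-digest default
EOF

# lint_squid_conf FILE: print each directive that turns off upstream TLS verification
# (Squid 3 sslproxy_flags or Squid 4 tls_outgoing_options) or waves through all
# certificate errors; exit 1 if any were found, 0 if the file is clean.
lint_squid_conf() {
    found=0
    while IFS= read -r line; do
        case "$line" in
            \#*|'') continue ;;
        esac
        case "$line" in
            sslproxy_cert_error*allow*all|sslproxy_flags*DONT_VERIFY_PEER*|tls_outgoing_options*DONT_VERIFY_PEER*)
                echo "UNSAFE: $line"; found=1 ;;
        esac
    done < "$1"
    return $found
}

# count_unsafe FILE: number of unsafe directives, for scripting
count_unsafe() {
    lint_squid_conf "$1" | grep -c '^UNSAFE:' || true
}

# Usage: lint_squid_conf /etc/squid/squid.conf && squid -k parse
```

With the weak file the lint prints two UNSAFE lines and exits 1; the hardened file passes. Note that when Squid only splices, it never validates the server certificate itself (the client does), so the two directives buy nothing there either; they only matter, and only hurt, once you switch to `bump`.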
Generating the certificate files
```
$ openssl genrsa -des3 -out squid-server.key 2048
Generating RSA private key, 2048 bit long modulus
............................++++++
...........................................................++++++
e is 65537 (0x10001)
Enter pass phrase for squid-server.key:
Verifying - Enter pass phrase for squid-server.key:
```
You must type a pass phrase here; it cannot be left empty. (The -des3 protection is stripped again two steps below, so the encrypted key is only an intermediate file.)
```
$ openssl req -new -key squid-server.key -out squid-server.csr
Enter pass phrase for squid-server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:TW
State or Province Name (full name) [Some-State]:Taiwan
Locality Name (eg, city) []:Hsichu
Organization Name (eg, company) [Internet Widgits Pty Ltd]:NTHU
Organizational Unit Name (eg, section) []:SSLab
Common Name (e.g. server FQDN or YOUR name) []:maple52046.twbbs.org.tw
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
```
For the 'extra' attributes at the end, just press Enter to skip each one.
Then there are two more commands:
```
$ openssl rsa -in squid-server.key -out squid-proxy.key
Enter pass phrase for squid-server.key:
writing RSA key
$ openssl x509 -req -days 365 -in squid-server.csr -signkey squid-proxy.key -out squid-proxy.crt
Signature ok
subject=/C=TW/ST=Taiwan/L=Hsichu/O=NTHU/OU=SSLab/CN=maple52046.twbbs.org.tw/[email protected]
Getting Private key
```
When they finish, four files are produced in the current directory:
```
$ ls
squid-proxy.crt  squid-proxy.key  squid-server.csr  squid-server.key
```
Put squid-proxy.crt and squid-proxy.key somewhere the container can read, for example /etc/squid3, and point the cert= and key= options of the https_port line in squid.conf at them (the configuration above refers to /etc/squid/ssl/ca.crt and /etc/squid/ssl/ca.key, so either rename the files or adjust those paths).
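The interactive four-step procedure above produces a plain self-signed end-entity certificate. That is enough for `ssl_bump splice`, but as soon as Squid has to mint per-host certificates (`bump`) the certificate it signs them with must carry `basicConstraints CA:TRUE`, or clients will reject every generated certificate. The script below is an added example, not from the original post: it performs the same steps non-interactively (subject passed with `-subj`, no pass phrase so Squid can load the key unattended), adds the CA extensions, and provides two checks you can run before copying the files into place. The output directory and subject are placeholders; it assumes OpenSSL 1.1 or later.

```sh
#!/bin/sh
# Added example (not from the original post). Assumptions: OpenSSL 1.1+; DIR and
# SUBJECT are placeholders supplied by the caller.

# make_squid_ca DIR SUBJECT [DAYS]: same artefact names as the post, minus the
# pass-phrase round trip, plus CA extensions for ssl_bump certificate generation.
make_squid_ca() {
    dir=$1; subj=$2; days=${3:-365}
    mkdir -p "$dir"
    # Unencrypted 2048-bit RSA key (the post's -des3 key is decrypted with 'openssl rsa' anyway).
    openssl genrsa -out "$dir/squid-proxy.key" 2048 2>/dev/null
    # CSR with the subject given on the command line instead of the interactive prompts.
    openssl req -new -key "$dir/squid-proxy.key" -subj "$subj" -out "$dir/squid-server.csr" 2>/dev/null
    # Extensions that make this a CA certificate; -extfile feeds them to x509 -req.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' > "$dir/ca.ext"
    openssl x509 -req -days "$days" -in "$dir/squid-server.csr" -signkey "$dir/squid-proxy.key" \
        -extfile "$dir/ca.ext" -out "$dir/squid-proxy.crt" 2>/dev/null
    # The key signs every certificate clients will trust; keep it owner-readable only.
    chmod 600 "$dir/squid-proxy.key"
}

# cert_is_ca FILE: exit 0 if the certificate carries basicConstraints CA:TRUE
cert_is_ca() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# key_matches_cert KEY CERT: exit 0 if the private key belongs to the certificate
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout -outform PEM 2>/dev/null)
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Usage:
#   make_squid_ca /etc/squid/ssl "/C=TW/O=Example/CN=squid-proxy.example" 365
#   cert_is_ca /etc/squid/ssl/squid-proxy.crt && key_matches_cert /etc/squid/ssl/squid-proxy.key /etc/squid/ssl/squid-proxy.crt
```

After copying the files into place, `openssl verify -CAfile squid-proxy.crt squid-proxy.crt` should print OK; a certificate without the CA extension fails that check, which is the quickest way to tell the two kinds apart. Only the .crt is distributed to clients; the .key stays on the proxy.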