Target system: Ubuntu 22.04/20.04 64-bit Server
User: root
The Squid package in the Ubuntu repositories is not built with SSL support and therefore cannot proxy HTTPS traffic, so we build Squid from source. Install the build dependencies first:
apt-get update && apt-get install -y build-essential libssl-dev openssl libxml2-dev libexpat1-dev libsasl2-dev libpam0g-dev libkrb5-dev pkg-config apache2-utils net-tools
Create a working directory:
mkdir squid && cd squid
Then build and install libecap:
wget http://www.e-cap.org/archive/libecap-1.0.1.tar.gz && tar zxvf libecap-1.0.1.tar.gz && cd libecap-1.0.1 && ./configure && make && make install
After that, install the libldap2-dev, libecap3-dev and krb5-user dependencies:
apt-get install -y libldap2-dev libecap3-dev krb5-user
The dependencies are tightly coupled to the configure options: if you add an option, you may need additional packages.
Then go back to the squid directory:
cd ..
With the dependencies installed, download the latest release from the official site and unpack it:
wget http://www.squid-cache.org/Versions/v6/squid-6.9.tar.gz && tar -xvzf squid-6.9.tar.gz && cd squid-6.9
The configure options I use are as follows:
./configure \
--enable-arp-acl \
--enable-linux-netfilter \
--enable-linux-tproxy \
--enable-async-io=100 \
--enable-err-language="Simplify_Chinese" \
--enable-poll \
--enable-gnuregex \
--build=x86_64-linux-gnu \
--disable-maintainer-mode \
--disable-dependency-tracking \
--disable-silent-rules \
--enable-build-info="Ubuntu linux" \
--disable-translation \
--with-filedescriptors=65536 \
--with-large-files \
--with-openssl \
--enable-ssl \
--enable-ssl-crtd \
--enable-inline \
--disable-arch-native \
--enable-storeio=ufs,aufs,diskd,rock \
--enable-removal-policies=lru,heap \
--enable-delay-pools \
--enable-cache-digests \
--enable-follow-x-forwarded-for \
--enable-auth-basic=DB,fake,getpwnam,LDAP,NCSA,PAM,POP3,RADIUS,SASL,SMB \
--enable-auth-digest=file,LDAP \
--enable-auth-negotiate=kerberos,wrapper \
--enable-auth-ntlm=fake,SMB_LM \
--enable-external-acl-helpers=file_userip,kerberos_ldap_group,LDAP_group,SQL_session,unix_group,wbinfo_group \
--enable-security-cert-validators=fake \
--enable-storeid-rewrite-helpers=file \
--enable-url-rewrite-helpers=fake \
--enable-eui \
--enable-esi \
--enable-icmp \
--enable-zph-qos \
--enable-ecap \
--enable-underscore
Then build and install:
make && make install
Watch the whitespace when copying the configure options.
The build takes a long time to complete.
Editing the configuration
Create the log files up front (if they were not created automatically):
touch /usr/local/squid/var/logs/access.log && chmod a+w /usr/local/squid/var/logs/access.log && touch /usr/local/squid/var/logs/cache.log && chmod a+w /usr/local/squid/var/logs/cache.log
Edit the configuration file:
nano /usr/local/squid/etc/squid.conf
The most basic configuration only needs to open an HTTP port and an HTTPS port; the SSL certificate has to be generated by you.
Certificate locations:
PEM /usr/local/squid/etc/ssl_cert/squid.pem
KEY /usr/local/squid/etc/ssl_cert/squid.key
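The post leaves the certificate generation to the reader. The following is an added example, not part of the original post, that creates the certificate and key at the paths used above with openssl. Because the https_port line below uses generate-host-certificates=on, Squid signs per-site certificates with this certificate, so it is generated as a CA certificate (basicConstraints CA:TRUE) and its private key is kept readable only by its owner: anyone holding that key can issue certificates that clients trusting squid.pem will accept. The function names make_squid_cert and describe_cert, the subject name squid-proxy.example.test, the key size and the validity period are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: generate the self-signed
# CA certificate and key that the https_port line expects.
# Paths follow the post; the subject CN and function names are assumptions.

make_squid_cert() {
  # $1 = output directory, $2 = subject CN of the certificate
  dir="$1"; cn="$2"
  mkdir -p "$dir"
  # generate-host-certificates=on makes Squid mint per-site certificates
  # signed by this one, so it must be a CA certificate (CA:TRUE) with
  # keyCertSign. Key size and validity are constructed values.
  openssl req -x509 -new -newkey rsa:2048 -sha256 -days 365 -nodes \
    -subj "/CN=$cn" \
    -addext "basicConstraints=critical,CA:TRUE" \
    -addext "keyUsage=critical,keyCertSign,cRLSign,digitalSignature" \
    -keyout "$dir/squid.key" -out "$dir/squid.pem" 2>/dev/null || return 1
  # Only the proxy process needs the key; anyone holding it can issue
  # certificates that clients trusting squid.pem will accept.
  chmod 600 "$dir/squid.key"
  # Succeed only if the key and the certificate belong together.
  key_mod=$(openssl rsa -noout -modulus -in "$dir/squid.key" 2>/dev/null) || return 1
  cert_mod=$(openssl x509 -noout -modulus -in "$dir/squid.pem") || return 1
  [ "$key_mod" = "$cert_mod" ]
}

# Print the certificate details (subject, basic constraints, key usage),
# the things to check before pointing tls-cert= at the file.
describe_cert() {
  openssl x509 -noout -text -in "$1/squid.pem"
}

# Usage (as root, after the squid user has been created):
#   make_squid_cert /usr/local/squid/etc/ssl_cert squid-proxy.example.test
#   chown -R squid:squid /usr/local/squid/etc/ssl_cert
```

Once the squid user exists (see the user creation step further down), hand the ssl_cert directory to it so the proxy can read the key while nobody else can.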
Basic authentication is configured in the configuration file:
#
# Recommended minimum configuration:
#
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 0.0.0.1-0.255.255.255 # RFC 1122 "this" network (LAN)
acl localnet src 10.0.0.0/8 # RFC 1918 local private network (LAN)
acl localnet src 100.64.0.0/10 # RFC 6598 shared address space (CGN)
acl localnet src 169.254.0.0/16 # RFC 3927 link-local (directly plugged) machines
acl localnet src 172.16.0.0/12 # RFC 1918 local private network (LAN)
acl localnet src 192.168.0.0/16 # RFC 1918 local private network (LAN)
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager
# This default configuration only allows localhost requests because a more
# permissive Squid installation could introduce new attack vectors into the
# network by proxying external TCP connections to unprotected services.
http_access allow localhost
# The two deny rules below are unnecessary in this default configuration
# because they are followed by a "deny all" rule. However, they may become
# critically important when you start allowing external requests below them.
# Protect web applications running on the same server as Squid. They often
# assume that only local users can access them at "localhost" ports.
http_access deny to_localhost
# Protect cloud servers that provide local users with sensitive info about
# their server via certain well-known link-local (a.k.a. APIPA) addresses.
http_access deny to_linklocal
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
# For example, to allow access from your local networks, you may uncomment the
# following rule (and/or add rules that match your definition of "local"):
# http_access allow localnet
# And finally deny all other access to this proxy
auth_param basic program /usr/local/squid/libexec/basic_ncsa_auth /usr/local/squid/etc/passwd
auth_param basic realm proxy
acl authenticated proxy_auth REQUIRED
http_access deny !authenticated
http_access allow authenticated
# Squid normally listens to port 3128
http_port [your HTTP port]
https_port [your HTTPS port] tls-cert=/usr/local/squid/etc/ssl_cert/squid.pem key=/usr/local/squid/etc/ssl_cert/squid.key generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /usr/local/squid/var/cache/squid 100 16 256
# Leave coredumps in the first cache dir
coredump_dir /usr/local/squid/var/cache/squid
#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
Basic authentication
htpasswd -c /usr/local/squid/etc/passwd [your username]
After pressing Enter you will be prompted for the password.
Notes:
1. Squid reads the configuration file sequentially from top to bottom, so a later directive can override an earlier one; keep this in mind when ordering rules.
2. If basic_ncsa_auth cannot be found, locate it with:
find / -name basic_ncsa_auth
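To make note 1 concrete for the http_access rules in the configuration above, here is an added example that is not part of the original post: it walks those rules in file order and reports the first one that matches a request, which is how Squid decides. The manager rules are left out, the source and destination classes and the request inputs are constructed for illustration, and the function name http_access_decision is an assumption.

```shell
#!/bin/sh
# Added example, not from the original post: walk the http_access rules of
# the squid.conf above in file order and report the first rule that matches.
# The manager rules are left out; the function name and the request inputs
# are constructed for illustration.
#
# Usage: http_access_decision SRC DST PORT METHOD AUTH
#   SRC     localhost | other                (where the request comes from)
#   DST     localhost | linklocal | other    (where it is going)
#   PORT    destination port number
#   METHOD  HTTP method, e.g. GET or CONNECT
#   AUTH    yes | no                         (did proxy_auth succeed)
# Prints the deciding rule and returns 0 for allow, 1 for deny.

is_safe_port() {
  # Mirrors the Safe_ports ACL: the listed ports plus 1025-65535.
  case "$1" in
    80|21|443|70|210|280|488|591|777) return 0 ;;
    *) [ "$1" -ge 1025 ] && [ "$1" -le 65535 ] ;;
  esac
}

http_access_decision() {
  src="$1"; dst="$2"; port="$3"; method="$4"; auth="$5"
  # Rules appear in the same order as in squid.conf. The first match ends
  # the evaluation; nothing below it is consulted.
  if ! is_safe_port "$port"; then
    echo "deny !Safe_ports"; return 1
  fi
  if [ "$method" = CONNECT ] && [ "$port" != 443 ]; then
    echo "deny CONNECT !SSL_ports"; return 1
  fi
  # "allow localhost" sits above the auth rules, so requests originating on
  # the proxy host are never asked for credentials (and, because it is also
  # above the to_localhost deny, they can reach services bound to 127.0.0.1).
  if [ "$src" = localhost ]; then
    echo "allow localhost"; return 0
  fi
  # These two protect services on 127.0.0.1 and on link-local addresses
  # (e.g. cloud metadata) from every remote client, authenticated or not.
  if [ "$dst" = localhost ]; then
    echo "deny to_localhost"; return 1
  fi
  if [ "$dst" = linklocal ]; then
    echo "deny to_linklocal"; return 1
  fi
  # With proxy_auth REQUIRED, a request without credentials is answered
  # with a 407 challenge at this rule rather than a plain denial.
  if [ "$auth" != yes ]; then
    echo "deny !authenticated"; return 1
  fi
  echo "allow authenticated"; return 0
}
```

Moving the `http_access allow localhost` line below the `deny !authenticated` line, for instance, would make the first case below answer "deny !authenticated" instead, which is exactly the ordering effect the note describes.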
Initializing the cache directory:
Create the user and the symlink:
useradd -M -s /sbin/nologin squid
chown -R squid:squid /usr/local/squid/var
ln -s /usr/local/squid/sbin/squid /usr/local/sbin/
Add the user and group that Squid should run as:
echo 'cache_effective_user squid' >> /usr/local/squid/etc/squid.conf
echo 'cache_effective_group squid' >> /usr/local/squid/etc/squid.conf
Initialize Squid's cache directories. This is normally done once, before the first start of Squid. In a terminal, run:
squid -z
Starting Squid:
Once the cache directories are ready, the Squid service can be started. Run the following in a terminal; Squid will run in the background:
squid
To run Squid in the foreground instead, add the -N option:
squid -N
Check what Squid is listening on:
netstat -ntap | grep squid
Check which user Squid is running as:
ps -ef | grep squid
Stopping Squid:
To stop the Squid service, use the following command:
squid -k shutdown
Automatic startup (optional):
- Create the Squid service file:
Open a terminal and use the text editor of your choice (such as nano or vi) to create a new systemd service file. The example below uses nano.
nano /etc/systemd/system/squid.service
- Edit the Squid service file:
Paste the following into the open editor. It is a basic service file template for running Squid.
[Unit]
Description=Squid Web Proxy Server
After=network.target
[Service]
Type=forking
ExecStart=/usr/local/squid/sbin/squid
ExecStartPre=/usr/local/squid/sbin/squid -z
ExecReload=/usr/local/squid/sbin/squid -k reconfigure
ExecStop=/usr/local/squid/sbin/squid -k shutdown
TimeoutSec=5min
Restart=always
[Install]
WantedBy=multi-user.target
- Reload the systemd daemon:
After saving and closing the editor, systemd must reload its configuration so that it recognizes the new service.
systemctl daemon-reload
- Enable the Squid service:
Now enable the Squid service so that it starts automatically at every boot.
systemctl enable squid.service
- Start the Squid service:
To start the Squid service immediately (without rebooting), run:
systemctl start squid.service
- Check the Squid service status:
To confirm that the Squid service is running, check its status.
systemctl status squid.service