Squid Quick Self-Compile Installation Guide: HTTPS & Basic Authentication

Target system: Ubuntu 22.04/20.04 64-bit Server

User: root

The Squid package in the Ubuntu repositories is built without SSL support and therefore cannot proxy HTTPS traffic, so we build it from source. Install the build dependencies first:

apt-get update && apt-get install -y build-essential libssl-dev openssl libxml2-dev libexpat1-dev libsasl2-dev libpam0g-dev libkrb5-dev pkg-config apache2-utils net-tools

Create a working directory:

mkdir squid && cd squid

Then build and install libecap:

wget http://www.e-cap.org/archive/libecap-1.0.1.tar.gz && tar zxvf libecap-1.0.1.tar.gz && cd libecap-1.0.1 && ./configure && make && make install

Once that is installed, add the libldap2-dev, libecap3-dev and krb5-user dependencies:

apt-get install -y libldap2-dev libecap3-dev krb5-user

The dependencies are tightly coupled to the configure options; if you add options, you may need additional dependencies.

Then return to the squid directory:

cd ..

With the dependencies in place, download the latest release from the official site and unpack it:

wget http://www.squid-cache.org/Versions/v6/squid-6.9.tar.gz && tar -xvzf squid-6.9.tar.gz && cd squid-6.9

Below is the configure command I used:

./configure \
--enable-arp-acl \
--enable-linux-netfilter \
--enable-linux-tproxy \
--enable-async-io=100 \
--enable-err-language="Simplify_Chinese" \
--enable-poll \
--enable-gnuregex \
--build=x86_64-linux-gnu \
--disable-maintainer-mode \
--disable-dependency-tracking \
--disable-silent-rules \
--enable-build-info="Ubuntu linux" \
--disable-translation \
--with-filedescriptors=65536 \
--with-large-files \
--with-openssl \
--enable-ssl \
--enable-ssl-crtd \
--enable-inline \
--disable-arch-native \
--enable-storeio=ufs,aufs,diskd,rock \
--enable-removal-policies=lru,heap \
--enable-delay-pools \
--enable-cache-digests \
--enable-follow-x-forwarded-for \
--enable-auth-basic=DB,fake,getpwnam,LDAP,NCSA,PAM,POP3,RADIUS,SASL,SMB \
--enable-auth-digest=file,LDAP \
--enable-auth-negotiate=kerberos,wrapper \
--enable-auth-ntlm=fake,SMB_LM \
--enable-external-acl-helpers=file_userip,kerberos_ldap_group,LDAP_group,SQL_session,unix_group,wbinfo_group \
--enable-security-cert-validators=fake \
--enable-storeid-rewrite-helpers=file \
--enable-url-rewrite-helpers=fake \
--enable-eui \
--enable-esi \
--enable-icmp \
--enable-zph-qos \
--enable-ecap \
--enable-underscore

Then compile and install:

make && make install

Watch for stray whitespace when copying the configure command above.

Then wait a long time for the build to finish.

Editing the configuration

Create the log files (if they were not created automatically):

touch /usr/local/squid/var/logs/access.log && chmod a+w /usr/local/squid/var/logs/access.log && touch /usr/local/squid/var/logs/cache.log && chmod a+w /usr/local/squid/var/logs/cache.log

Edit the file:

nano /usr/local/squid/etc/squid.conf

The most basic configuration only needs an HTTP port and an HTTPS port opened; you have to generate the SSL certificate yourself.

Certificate locations:

PEM /usr/local/squid/etc/ssl_cert/squid.pem
KEY /usr/local/squid/etc/ssl_cert/squid.key

Configure basic authentication in the configuration file:

#
# Recommended minimum configuration:
#

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed

acl localnet src 0.0.0.1-0.255.255.255	# RFC 1122 "this" network (LAN)
acl localnet src 10.0.0.0/8		# RFC 1918 local private network (LAN)
acl localnet src 100.64.0.0/10		# RFC 6598 shared address space (CGN)
acl localnet src 169.254.0.0/16 	# RFC 3927 link-local (directly plugged) machines
acl localnet src 172.16.0.0/12		# RFC 1918 local private network (LAN)
acl localnet src 192.168.0.0/16		# RFC 1918 local private network (LAN)
acl localnet src fc00::/7       	# RFC 4193 local private network range
acl localnet src fe80::/10      	# RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80		# http
acl Safe_ports port 21		# ftp
acl Safe_ports port 443		# https
acl Safe_ports port 70		# gopher
acl Safe_ports port 210		# wais
acl Safe_ports port 1025-65535	# unregistered ports
acl Safe_ports port 280		# http-mgmt
acl Safe_ports port 488		# gss-http
acl Safe_ports port 591		# filemaker
acl Safe_ports port 777		# multiling http

#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

# This default configuration only allows localhost requests because a more
# permissive Squid installation could introduce new attack vectors into the
# network by proxying external TCP connections to unprotected services.
http_access allow localhost

# The two deny rules below are unnecessary in this default configuration
# because they are followed by a "deny all" rule. However, they may become
# critically important when you start allowing external requests below them.

# Protect web applications running on the same server as Squid. They often
# assume that only local users can access them at "localhost" ports.
http_access deny to_localhost

# Protect cloud servers that provide local users with sensitive info about
# their server via certain well-known link-local (a.k.a. APIPA) addresses.
http_access deny to_linklocal

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# For example, to allow access from your local networks, you may uncomment the
# following rule (and/or add rules that match your definition of "local"):
# http_access allow localnet

# And finally require basic authentication for all other access to this proxy
auth_param basic program /usr/local/squid/libexec/basic_ncsa_auth /usr/local/squid/etc/passwd
auth_param basic realm proxy
acl authenticated proxy_auth REQUIRED

http_access deny !authenticated
http_access allow authenticated

# Squid normally listens to port 3128
http_port [your HTTP port]

https_port [your HTTPS port] tls-cert=/usr/local/squid/etc/ssl_cert/squid.pem key=/usr/local/squid/etc/ssl_cert/squid.key generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /usr/local/squid/var/cache/squid 100 16 256

# Leave coredumps in the first cache dir
coredump_dir /usr/local/squid/var/cache/squid

#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp:		1440	20%	10080
refresh_pattern -i (/cgi-bin/|\?) 0	0%	0
refresh_pattern .		0	20%	4320

Basic authentication

htpasswd -c /usr/local/squid/etc/passwd [your username]

After pressing Enter you will be prompted for a password.

Notes:

1. Squid reads the configuration file sequentially from top to bottom, so a later directive can override an earlier one.

2. If basic_ncsa_auth cannot be found, locate it with:

find / -name basic_ncsa_auth
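Because http_access rules are evaluated in order (note 1), a rule placed after "allow all" or "deny all" is never reached, and an allow placed before "deny !Safe_ports" skips the port filter. The following is an added example, not code from the original post: two small shell functions that audit a squid.conf for both problems, run against constructed sample configs.

```shell
# Added example (not from the original post): audit the http_access order in a
# squid.conf. Squid evaluates http_access top to bottom and stops at the first
# match, so rules after "allow all"/"deny all" are dead, and an "allow" placed
# before "deny !Safe_ports" bypasses the port filter entirely.

# Print "line:rule" for each http_access line that can never match because an
# earlier "http_access allow all" or "http_access deny all" ended evaluation.
shadowed_rules() {
    awk '$1 == "http_access" {
            if (terminal) { printf "%d:%s\n", NR, $0; next }
            if (($2 == "allow" || $2 == "deny") && $3 == "all") terminal = 1
         }' "$1"
}

# Exit 0 only if "http_access deny !Safe_ports" precedes every allow rule.
safe_ports_first() {
    awk '$1 == "http_access" && $2 == "deny"  && $3 == "!Safe_ports" { seen = 1 }
         $1 == "http_access" && $2 == "allow" && !seen            { bad = 1 }
         END { exit bad }' "$1"
}

# Constructed sample configs: good_conf follows the order used in the post,
# bad_conf allows authenticated users before the port filter and leaves two
# rules stranded behind "deny all".
good_conf=$(mktemp); bad_conf=$(mktemp)
trap 'rm -f "$good_conf" "$bad_conf"' EXIT
cat > "$good_conf" <<'EOF'
acl SSL_ports port 443
acl Safe_ports port 80 443
acl authenticated proxy_auth REQUIRED
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access deny !authenticated
http_access allow authenticated
EOF
cat > "$bad_conf" <<'EOF'
acl Safe_ports port 80 443
acl authenticated proxy_auth REQUIRED
http_access allow authenticated
http_access deny !Safe_ports
http_access deny all
http_access deny CONNECT !SSL_ports
http_access allow localnet
EOF

shadowed_rules "$bad_conf"   # prints the stranded rules on lines 6 and 7
safe_ports_first "$bad_conf" || echo "bad_conf: an allow rule precedes deny !Safe_ports"
```

Run it against /usr/local/squid/etc/squid.conf instead of the sample files to check your own rule order before `squid -k reconfigure`.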

Initializing the cache directory

Create the service user and a symlink to the binary:

useradd -M -s /sbin/nologin squid
chown -R squid:squid /usr/local/squid/var
ln -s /usr/local/squid/sbin/squid /usr/local/sbin/

Set the user and group Squid runs as:

echo 'cache_effective_user squid' >> /usr/local/squid/etc/squid.conf
echo 'cache_effective_group squid' >> /usr/local/squid/etc/squid.conf

Initialize Squid's cache directory. This is normally done once, before Squid is run for the first time. In a terminal, run:

squid -z

Starting Squid
Once the cache directory is ready, start the Squid service. The following command runs it in the background:

squid

To run Squid in the foreground instead, add the -N flag:

squid -N

Check what Squid is listening on:

netstat -ntap | grep squid

Check which user Squid is running as:

ps -ef | grep squid

Stopping Squid:
To stop the Squid service, run:

squid -k shutdown

Automatic startup (optional):

  1. Create the Squid service file
    Open a terminal and create a new systemd service file with your preferred text editor (such as nano or vi). The example below uses nano:

    nano /etc/systemd/system/squid.service
  2. Edit the Squid service file
    Paste the following into the editor. This is a basic service file template for running Squid.

    [Unit]
    Description=Squid Web Proxy Server
    After=network.target

    [Service]
    Type=forking
    ExecStart=/usr/local/squid/sbin/squid
    ExecStartPre=/usr/local/squid/sbin/squid -z
    ExecReload=/usr/local/squid/sbin/squid -k reconfigure
    ExecStop=/usr/local/squid/sbin/squid -k shutdown
    TimeoutSec=5min
    Restart=always

    [Install]
    WantedBy=multi-user.target
  3. Reload the systemd daemon
    After saving and closing the editor, make systemd reload its configuration so it picks up the new service:

    systemctl daemon-reload
  4. Enable the Squid service
    Now enable the Squid service so that it starts automatically on every boot:

    systemctl enable squid.service
  5. Start the Squid service
    To start the Squid service immediately (without rebooting), run:

    systemctl start squid.service
  6. Check the Squid service status
    To confirm that the Squid service is running, check its status:

    systemctl status squid.service

Hello! To compile and install the Squid service on CentOS 7, follow these steps:

1. First, make sure the necessary build tools and dependencies are installed on your system. You can install them by running:

```shell
sudo yum groupinstall "Development Tools"
sudo yum install wget
sudo yum install openssl-devel
sudo yum install zlib-devel
```

2. Download the Squid source code. You can get the latest stable release from the official Squid website. Run the following to download and extract it:

```shell
cd /usr/src
sudo wget http://www.squid-cache.org/Versions/vX/squid-X.tar.gz
sudo tar -zxvf squid-X.tar.gz
cd squid-X
```

Replace "X" with the actual version number.

3. Configure and compile Squid. Run:

```shell
sudo ./configure --prefix=/usr/local/squid --enable-ssl --with-openssl --enable-ssl-crtd
sudo make
sudo make install
```

These commands configure the build options and install Squid under `/usr/local/squid`.

4. Create Squid's cache directory and SSL certificate directory. Run:

```shell
sudo /usr/local/squid/sbin/squid -z
sudo mkdir /usr/local/squid/var/cache/squid
sudo chown -R nobody:nobody /usr/local/squid/var/cache/squid
sudo /usr/local/squid/libexec/security_file_certgen -c -s /usr/local/squid/var/lib/ssl_db -M 4MB
sudo chown -R nobody:nobody /usr/local/squid/var/lib/ssl_db
```

These commands create Squid's cache directory and SSL certificate directory and set the appropriate permissions.

5. Configure Squid. Open `/usr/local/squid/etc/squid.conf` in a text editor and adjust it to your needs, for example specifying which client IP addresses may connect or defining the cache size. Save the file after making your changes.

6. Start the Squid service. Run the following to start Squid:

```shell
sudo /usr/local/squid/sbin/squid
```

7. Register Squid as a system service so that it starts automatically at boot. Run:

```shell
sudo cp /usr/local/squid/sbin/squid /etc/init.d/
sudo chmod +x /etc/init.d/squid
sudo chkconfig --add squid
sudo chkconfig squid on
```

Squid is now compiled, installed and running. You can verify that it works by connecting to the Squid server's IP address and port. Remember to adjust the steps to your own configuration.

I hope this helps! If you have any questions, feel free to ask.