squid ssl

1. Configure with SSL enabled:

[root@vm1 squid-4.15]# cat install.sh
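#!/usr/bin/env bash
# install.sh — configure the Squid 4.15 source tree for an ssl-bump build
# (OpenSSL support plus the security_file_certgen helper referenced by
# sslcrtd_program in squid.conf). Run from the unpacked squid-4.15 directory,
# then follow with `make && make install`.
set -euo pipefail

# Arguments kept in an array so each one can be commented; a backslash-continued
# command line cannot carry comments between its arguments.
configure_args=(
  # Installation layout: everything under /usr/local/squid except the info pages
  '--prefix=/usr/local/squid'
  '--bindir=/usr/local/squid'
  '--sbindir=/usr/local/squid/sbin'
  '--datadir=/usr/local/squid/data'
  '--includedir=/usr/local/squid/include'
  '--libdir=/usr/local/squid/lib/'
  '--localstatedir=/usr/local/squid'
  '--sharedstatedir=/usr/local/squid'
  '--infodir=/usr/share/info'
  # --libexecdir was given twice in the original (…/squid and …/libexec); configure
  # keeps the last value, and squid.conf's sslcrtd_program path expects the helper
  # under …/libexec, so only that value is kept here.
  '--libexecdir=/usr/local/squid/libexec'
  '--sysconfdir=/usr/local/squid/etc'
  '--with-logdir=/usr/local/squid/log/'
  '--with-pidfile=/usr/local/squid/run/squid.pid'
  '--disable-dependency-tracking'
  '--enable-eui'
  # Only takes effect if squid.conf also grants follow_x_forwarded_for to trusted
  # upstream proxies; the config shown alongside this script does not set it.
  '--enable-follow-x-forwarded-for'
  '--enable-auth'
  '--enable-auth-ntlm=SMB_LM,fake'
  '--enable-auth-negotiate=kerberos'
  '--enable-storeid-rewrite-helpers=file'
  '--enable-cache-digests'
  '--enable-cachemgr-hostname=localhost'
  '--enable-delay-pools'
  '--enable-epoll'
  '--enable-icap-client'
  '--enable-ident-lookups'
  '--enable-linux-netfilter'
  '--enable-removal-policies=heap,lru'
  '--enable-snmp'
  # --enable-ssl is the legacy spelling; --with-openssl below is what provides TLS
  # in this Squid series (presumably harmless here — confirm configure does not warn).
  '--enable-ssl'
  # Builds security_file_certgen, the helper that mints per-site certificates for ssl-bump
  '--enable-ssl-crtd'
  '--enable-storeio=aufs,diskd,ufs,rock'
  '--enable-diskio'
  '--enable-wccpv2'
  '--enable-esi'
  '--enable-ecap'
  '--with-aio'
  '--with-default-user=squid'
  '--with-dl'
  '--with-openssl'
  '--with-pthreads'
  # Portable binary (no -march=native); needed if the build host differs from the target
  '--disable-arch-native'
  # NOTE(review): presumably drops the external certificate-validator helper interface,
  # leaving upstream certificate checks to Squid's built-in OpenSSL verification alone.
  # Keep this in mind when reviewing sslproxy_cert_error in squid.conf — confirm.
  '--disable-security-cert-validators'
  # Compiler warnings are not treated as errors (a build-time setting, not a runtime one)
  '--disable-strict-error-checking'
  '--with-swapdir=/var/spool/squid'
)

./configure "${configure_args[@]}"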

2. squid.conf:

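# Squid 4.15 ssl-bump configuration (/usr/local/squid/etc/squid.conf).
#
# http_access rules are evaluated top to bottom and the first match wins, so the
# deny rules for unsafe ports come before the allows and an explicit "deny all"
# closes the list. The original listing defined SSL_ports/Safe_ports but never
# used them, and ended on an allow line with no final deny.

acl localnet src 0.0.0.1-0.255.255.255  # RFC 1122 "this" network (LAN)
acl localnet src 10.0.0.0/8             # RFC 1918 local private network (LAN)
acl localnet src 100.64.0.0/10          # RFC 6598 shared address space (CGN)
acl localnet src 169.254.0.0/16         # RFC 3927 link-local (directly plugged) machines
acl localnet src 172.16.0.0/12          # RFC 1918 local private network (LAN)
acl localnet src 192.168.0.0/16         # RFC 1918 local private network (LAN)
acl localnet src fc00::/7               # RFC 4193 local private network range
acl localnet src fe80::/10              # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
# Requests Squid itself issues to fetch missing intermediate certificates while bumping
acl intermediate_fetching transaction_initiator certificate-fetching

# Helper that mints the per-site certificates signed by bump.crt (built with
# --enable-ssl-crtd). The ssl_db directory must be created/initialised beforehand:
#   /usr/local/squid/libexec/security_file_certgen -c -s /usr/local/squid/ssldb/ssl_db -M 20MB
# and must be writable by the Squid process user.
sslcrtd_program /usr/local/squid/libexec/security_file_certgen -s /usr/local/squid/ssldb/ssl_db -M 20MB

# NOTE(review): "allow all" suppresses every upstream certificate-validation error
# (untrusted issuer, name mismatch, expiry). Clients then receive a bumped certificate
# that looks valid even when the origin's does not, so the proxy itself becomes the
# weak point. Restrict this to a named ACL of known exceptions, or remove it, before
# exposing the proxy beyond a test network.
sslproxy_cert_error allow all

# "stare" decrypts every connection; the usual peek-at-SNI-then-bump/splice staging is
# not used here, so nothing is spliced through un-inspected and every site is bumped.
ssl_bump stare all

# Listener: in-memory cert cache sized like the helper's -M above; SSLv2/SSLv3/TLS 1.0
# disabled (TLS 1.1 remains enabled — consider NO_TLSv1_1 as well); MEDIUM-strength
# ciphers are still permitted by the cipher string. The tls-dh file must contain DH
# parameters (openssl dhparam output), with prime256v1 used for ECDH.
http_port 3128 tcpkeepalive=60,30,3 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=20MB cert=/usr/local/squid/ssl/bump.crt key=/usr/local/squid/ssl/bump.key cipher=HIGH:MEDIUM:!LOW:!RC4:!SEED:!IDEA:!3DES:!MD5:!EXP:!PSK:!DSS options=NO_TLSv1,NO_SSLv3,NO_SSLv2,SINGLE_DH_USE,SINGLE_ECDH_USE tls-dh=prime256v1:/usr/local/squid/ssl/bump_dhparam.pem

http_access allow intermediate_fetching
# Only registered-safe destination ports, and CONNECT only to TLS ports
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
# Cache manager reachable from the proxy host only
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost
# Anything not matched above (e.g. clients outside localnet) is refused
http_access deny all

coredump_dir /var/spool/squid
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320
# Redefines the built-in "squid" log format; access_log below selects "combined",
# so this definition is presently unused.
logformat squid %tl.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt
access_log /usr/local/squid/log/access.log combined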

3. SSL configuration:

[root@vm1 squid]# history | grep openssl
  329  openssl req -new -newkey rsa:2048 -days 36500 -nodes -x509 -keyout bump.key -out bump.crt
  331  openssl x509 -in bump.crt -outform DER -out bump.der
  337  openssl req -new -x509 -key bump.key > bump_dhparam.pem.pem
  340  openssl req -new -x509 -key bump.key > bump_dhparam.pem
  377  openssl s_client -connect localhost:3128 --proxy localhost:3128
  402  openssl x509 -in bump.crt -outform DER -out bump.der
  430  openssl x509 -in bump.crt -outform DER -out firefox.der

Usage:

Import firefox.der into Firefox.
