HTTPS proxy IP: Linux Squid transparent proxy configuration for HTTP and HTTPS

CentOS 7 Linux Squid transparent proxy configuration (CentOS 7, yum, squid, transparent)

# cat /etc/redhat-release
CentOS Linux release 7.5.1804 (Core)

Enable IP forwarding:

echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
sysctl -p
sysctl -w net.ipv4.ip_forward=1

Install directly with yum:

# yum -y install squid

Check the version:

# squid -v
Squid Cache: Version 3.5.20
Service Name: squid
configure options: '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--disable-strict-error-checking' '--exec_prefix=/usr' '--libexecdir=/usr/lib64/squid' '--localstatedir=/var' '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid' '--with-logdir=$(localstatedir)/log/squid' '--with-pidfile=$(localstatedir)/run/squid.pid' '--disable-dependency-tracking' '--enable-eui' '--enable-follow-x-forwarded-for' '--enable-auth' '--enable-auth-basic=DB,LDAP,MSNT-multi-domain,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB,SMB_LM,getpwnam' '--enable-auth-ntlm=smb_lm,fake' '--enable-auth-digest=file,LDAP,eDirectory' '--enable-auth-negotiate=kerberos' '--enable-external-acl-helpers=file_userip,LDAP_group,time_quota,session,unix_group,wbinfo_group,kerberos_ldap_group' '--enable-cache-digests' '--enable-cachemgr-hostname=localhost' '--enable-delay-pools' '--enable-epoll' '--enable-ident-lookups' '--enable-linux-netfilter' '--enable-removal-policies=heap,lru' '--enable-snmp' '--enable-ssl-crtd' '--enable-storeio=aufs,diskd,rock,ufs' '--enable-wccpv2' '--enable-esi' '--enable-ecap' '--with-aio' '--with-default-user=squid' '--with-dl' '--with-openssl' '--with-pthreads' '--disable-arch-native' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'CFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -fpie' 'LDFLAGS=-Wl,-z,relro -pie -Wl,-z,relro -Wl,-z,now' 'CXXFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -fpie' 'PKG_CONFIG_PATH=:/usr/lib64/pkgconfig:/usr/share/pkgconfig'

Back up the default squid.conf first (with comments and blank lines stripped):

cat squid.conf | sed '/^#/d' | sed '/^$/d' > squid.default.conf

The options from the help text that get used most are -f and -k:

# squid -help
Usage: squid [-cdhvzCFNRVYX] [-n name] [-s | -l facility] [-f config-file] [-[au] port] [-k signal]
       -a port   Specify number (default: 3128).
       -d level  Write debugging to stderr also.
       -f file   Use given config-file instead of /etc/squid/squid.conf
       -h        Print help message.
       -k reconfigure|rotate|shutdown|restart|interrupt|kill|debug|check|parse
                 Parse configuration file, then send signal to running copy (except -k parse) and exit.

Here is my final config, pasted directly; it is the result of a good part of a midday spent testing and fiddling.

# cat /etc/squid/squid.conf
acl localnet src 10.0.0.0/8       # RFC1918 possible internal network
acl localnet src 172.16.0.0/12    # RFC1918 possible internal network
acl localnet src 192.168.0.0/16   # RFC1918 possible internal network
acl localnet src fc00::/7         # RFC 4193 local private network range
acl localnet src fe80::/10        # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 443
acl Safe_ports port 21            # ftp
acl Safe_ports port 443
acl CONNECT method CONNECT
http_access allow localnet
http_access allow localhost
http_access allow all
http_port 3127
http_port 3128 transparent
https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=16MB cert=/etc/squid/1_ key=/etc/squid/2_
coredump_dir /var/spool/squid
refresh_pattern ^ftp:             1440    20%     10080
refresh_pattern ^gopher:          1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0       0%      0
refresh_pattern .                 0       20%     4320

A few key points:

The ACLs can be adjusted to suit your own network; for convenience I simply used allow all.

These three lines are all required for transparent proxying:

http_port 3127
http_port 3128 transparent
https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=16MB cert=/etc/squid/1_ key=/etc/squid/2_

The normal startup log shows why they are handled this way: 3127, 3128 and 3129 each serve a different role.

# tail -f /var/log/squid/cache.log
2021/03/05 19:09:41 kid1| DNS Socket created at 0.0.0.0, FD 10
2021/03/05 19:09:41 kid1| Adding domain localdomain from /etc/resolv.conf
2021/03/05 19:09:41 kid1| Adding nameserver 10.211.55.1 from /etc/resolv.conf
2021/03/05 19:09:41 kid1| helperOpenServers: Starting 5/32 'ssl_crtd' processes
2021/03/05 19:09:41 kid1| WARNING: No ssl_bump configured. Disabling ssl-bump on [::]:3129
2021/03/05 19:09:41 kid1| HTCP Disabled.
2021/03/05 19:09:41 kid1| Finished loading MIME types and icons.
2021/03/05 19:09:41 kid1| Accepting connections at local=[::]:3127 remote=[::] FD 22 flags=9
2021/03/05 19:09:41 kid1| Accepting NAT intercepted connections at local=[::]:3128 remote=[::] FD 23 flags=41
2021/03/05 19:09:41 kid1| Accepting NAT intercepted Socket connections at local=[::]:3129 remote=[::] FD 24 flags=41

Without 3127 the log reports an error instead:

kid1| ERROR: No forward-proxy ports configured.

There should also be an ssl-bump warning here; look it up and resolve it yourself.

For the certificate and key I just grabbed one of my own, to save generating one with openssl.

Configure the firewall. A simple iptables setup:

--flush  -F [chain]   Delete all rules in chain or all chains

iptables -F
iptables -F -t nat

Both of the above flush the corresponding rules. Next we need to redirect requests from the LAN (the subnet that is to be proxied) to ports 3128 and 3129: port 80 traffic from the LAN is mapped to port 3128 on the Squid server, and port 443 to 3129.

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-ports 3128
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-ports 3129

Note why it is eth0 above: my test host is on that subnet, at 10.211.55.3.

# ip a   (simplified to eth0 only)
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    inet 10.211.55.3/24 brd 10.211.55.255 scope global noprefixroute dynamic eth0

Check the nat table:

iptables -t nat --list-rules

For testing, on my other host I deleted the default route and pointed it at this Squid host:

route del default gw 10.211.55.1
route add default gw 10.211.55.3

Logs:

/var/log/squid/access.log
/var/log/squid/cache.log

For startup errors, reading the error output and the logs is enough.

# /usr/sbin/squid -f /etc/squid/squid.conf -k check
# /usr/sbin/squid -f /etc/squid/squid.conf -k reconfigure

Start:

/usr/sbin/squid -f /etc/squid/squid.conf

# netstat -nltp | grep squid
tcp6       0      0 :::3129                 :::*                    LISTEN      5241/(squid-1)
tcp6       0      0 :::3127                 :::*                    LISTEN      5241/(squid-1)
tcp6       0      0 :::3128                 :::*                    LISTEN      5241/(squid-1)

You can also check the process list.

Errors encountered along the way and their fixes:

FATAL: The ssl_crtd helpers are crashing too rapidly, need help!

Fix (from my shell history): create the ssl_crtd certificate database and hand it to the squid user.

1806  2021-03-05 15:52:29:::/usr/lib64/squid/ssl_crtd
1807  2021-03-05 15:52:48:::/usr/lib64/squid/ssl_crtd -c -s /var/lib/ssl_db
1808  2021-03-05 15:52:57:::chown squid:squid /var/lib/ssl_db

For testing I just used curl:

curl -klv
curl -klv ://

After enabling SSL in nginx there was an error:

nginx: [warn] the "ssl" directive is deprecated, use the "listen ... ssl"

That is because recent versions no longer support ssl on; that directive is obsolete and listen 443 ssl; is used instead.

A short aside on the nginx side, in case nginx is used to implement the proxy instead. The key point is that, because of the version change, ssl on has become use the "listen ... ssl".

centos7 root@parallels:/usr/local/nginx/conf/vhosts# cat forward.conf
server {
    listen 3128 ssl;
    access_log /usr/local/nginx/logs/proxy-access.log main;
    error_log /usr/local/nginx/logs/error.log;
    ssl_certificate /usr/local/nginx/conf/sslkey/bppstore.com.pem;
    ssl_certificate_key /usr/local/nginx/conf/sslkey/bppstore.com.key;
    ssl_session_timeout 5m;
    #ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;   # keep only one of this line and the next
    ssl_protocols TLSv1;
    ssl_ciphers RC4:HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    # dns resolver used by forward proxying
    resolver 119.29.29.29 valid=60s ipv6=off;
    # forward proxy for CONNECT request
    proxy_connect;
    proxy_connect_allow 443 563;   # add 80 here as well
    proxy_connect_connect_timeout 10s;
    proxy_connect_read_timeout 10s;
    proxy_connect_send_timeout 10s;
    # forward proxy for non-CONNECT request
    location / {
        proxy_pass ;
        proxy_set_header Host $host;
    }
}

Reload nginx:

/usr/local/nginx/sbin/nginx -s reload

That gives a configuration with SSL support. Watch the proxy access log:

centos7 root@parallels:/usr/local/nginx/conf/vhosts# tail -f /usr/local/nginx/logs/proxy-access.log

The request from the other node then succeeds:

node2 root@node2:~# curl -klv ://
10.211.55.6 - - [05/Mar/2021:14:47:53 +0800] "GET / " 200 2381 "-" "curl/7.29.0" "-"
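As an added example (not code from the original post), here is a small POSIX sh audit of the cache.log startup lines shown above: it checks that 3127 came up as a plain forward-proxy listener, that 3128 and 3129 are NAT-intercepted, and flags the "No ssl_bump configured" warning the post leaves unresolved, since with that warning HTTPS is intercepted on 3129 but never actually bumped. The two log excerpts are constructed from the post's lines and the function names are mine.

```sh
# Added example, not part of the original post: audit a Squid 3.5 cache.log
# startup excerpt for the three listeners the post relies on. The port roles
# (3127 plain forward proxy, 3128 NAT-intercepted HTTP, 3129 NAT-intercepted
# HTTPS with ssl-bump) are the post's; both log excerpts are constructed input.
# Constructed excerpt modelled on the post's cache.log: 3129 came up, but Squid
# disabled ssl-bump on it because squid.conf has no ssl_bump rule.
POST_LOG="2021/03/05 19:09:41 kid1| WARNING: No ssl_bump configured. Disabling ssl-bump on [::]:3129
2021/03/05 19:09:41 kid1| Accepting connections at local=[::]:3127 remote=[::] FD 22 flags=9
2021/03/05 19:09:41 kid1| Accepting NAT intercepted connections at local=[::]:3128 remote=[::] FD 23 flags=41
2021/03/05 19:09:41 kid1| Accepting NAT intercepted Socket connections at local=[::]:3129 remote=[::] FD 24 flags=41"
# Constructed excerpt of a healthy start: same listeners, no ssl-bump warning.
GOOD_LOG=$(printf '%s\n' "$POST_LOG" | grep -v 'No ssl_bump configured')

# listener_mode LOG PORT -> prints forward, intercept or missing
listener_mode() {
    line=$(printf '%s\n' "$1" | grep "Accepting .*connections at local=\[::\]:$2 " | head -n 1)
    if [ -z "$line" ]; then
        echo missing
    elif printf '%s\n' "$line" | grep -q 'NAT intercepted'; then
        echo intercept
    else
        echo forward
    fi
}

# sslbump_disabled LOG PORT -> exit 0 if Squid logged that ssl-bump was disabled on PORT
sslbump_disabled() {
    printf '%s\n' "$1" | grep -q "Disabling ssl-bump on \[::\]:$2\$"
}

# audit_squid_log LOG -> exit 0 when every listener is up in its expected mode and
# ssl-bump is really active on 3129; otherwise prints the findings and exits 1
audit_squid_log() {
    log=$1; rc=0
    if printf '%s\n' "$log" | grep -q 'ERROR: No forward-proxy ports configured'; then
        echo "FAIL: no forward-proxy port; a plain http_port (3127 in the post) is required"; rc=1
    fi
    for spec in 3127:forward 3128:intercept 3129:intercept; do
        port=${spec%%:*}; want=${spec##*:}
        got=$(listener_mode "$log" "$port")
        [ "$got" = "$want" ] || { echo "FAIL: port $port is $got, expected $want"; rc=1; }
    done
    if sslbump_disabled "$log" 3129; then
        echo "FAIL: ssl-bump disabled on 3129, HTTPS is intercepted but not bumped; add an ssl_bump rule"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: 3127 forward, 3128 intercept, 3129 intercept with ssl-bump"
    return "$rc"
}

audit_squid_log "$POST_LOG" || true   # the post's own log fails on the ssl-bump warning
audit_squid_log "$GOOD_LOG"
```

On a live host, run it against the most recent startup with audit_squid_log "$(tail -n 50 /var/log/squid/cache.log)".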

This article is from 快速备案 (kuaisubeian); when reposting, please credit the source and include the link.

Permanent link: https://kuaisubeian.cc/27223.html
