「Squid」:修訂間差異

出自Gea-Suan Lin's Wiki
跳至導覽 跳至搜尋
 
(未顯示同一使用者於中間所作的 38 次修訂)
行 6: 行 6:


<syntaxhighlight lang="bash">
<syntaxhighlight lang="bash">
sudo apt install -y squid
sudo apt install -y squid; sudo apt clean
</syntaxhighlight>
</syntaxhighlight>


 如果是要 [[OpenSSL]]版本 的Squid ,在Ubuntu 20.04下 可以 樣編
  如果 需要讓Squid吃SSL Certificate提供HTTPS介面(像 需要密碼認證),可能會需 [[OpenSSL]] 版本 (<code>squid</code>套件內使用的GnuTLS無法吃intermediate certificate<ref>{{Cite web |url=http://lists.squid-cache.org/pipermail/squid-users/2020-May/022180.html |title=[squid-users] HTTPS_PORT AND SSL CERT |language=en |accessdate=2023-06-09 |date=2020-05-26}}</ref>,對於現今大多數的憑證來說都是必要功能,像是[[Let's Encrypt]])。
 
=== Ubuntu 22.04 ===
 
而因為OpenSSL軟體授權的關係 ,在Ubuntu 22.04以後包成另外的套件:
 
<syntaxhighlight lang="bash">
sudo apt install -y squid-openssl; sudo apt clean
</syntaxhighlight>
 
=== Ubuntu 20.04 ===
 
如果是Ubuntu 20.04下 ,需要自己編[[OpenSSL]]版本的Squid。通常是己拉下來改好後再打包成deb安裝。
 
邊要注意要處理<code>debian/changelog</code>的版本資訊與<code>debian/control</code>的相依性資訊


<syntaxhighlight lang="bash">
<syntaxhighlight lang="bash">
sudo apt install -y ed libltdl-dev pkg-config build-essential cdbs debhelper dpkg-dev lsb-release dh-apparmor libcppunit-dev libcap2-dev libdb-dev libecap3-dev libexpat1-dev libgnutls28-dev libkrb5-dev comerr-dev libldap2-dev libnetfilter-conntrack-dev libpam0g-dev libsasl2-dev libxml2-dev nettle-dev libssl-dev
sudo apt install -y ed libltdl-dev pkg-config build-essential cdbs debhelper dpkg-dev lsb-release dh-apparmor libcppunit-dev libcap2-dev libdb-dev libecap3-dev libexpat1-dev libgnutls28-dev libkrb5-dev comerr-dev libldap2-dev libnetfilter-conntrack-dev libpam0g-dev libsasl2-dev libxml2-dev nettle-dev libssl-dev
mkdir squid
cd squid
apt-get source squid
apt-get source squid
cd squid/squid-4.10
cd squid-4.10
sed -i -e 's/--with-gnutls/--with-openssl/' debian/rules
sed -i -e 's/--with-gnutls/--with-openssl/' debian/rules
vim debian/changelog # add a new entry for "+1openssl1" version.
vim debian/control # add libssl1.1 & libssl-dev to dependency sections.
dpkg-buildpackage -rfakeroot -uc -b
dpkg-buildpackage -rfakeroot -uc -b
</syntaxhighlight>
編完以後再依序安裝<code>.deb</code>檔(<code>squid-common</code>與<code>squid</code>),這邊的檔名可能會因為上游更新改變,僅供參考:
<syntaxhighlight lang="bash">
sudo dpkg -i squid-common_4.10-1ubuntu1.7+1openssl1_all.deb
sudo dpkg -i squid_4.10-1ubuntu1.7+1openssl1_amd64.deb
</syntaxhighlight>
後續可以考慮用apt-mark避免自動升級:
<syntaxhighlight lang="bash">
sudo apt-mark manual squid squid-common
</syntaxhighlight>
</syntaxhighlight>


行 22: 行 53:


=== Forward Proxy ===
=== Forward Proxy ===
Forward Proxy指的是瀏覽器端會以Proxy Protocol跟Squid連線,告訴Squid要跳連到的目的位置。


 在<code>/etc/squid/squid.conf</code>裡:
 在<code>/etc/squid/squid.conf</code>裡:
行 38: 行 71:
forwarded_for off
forwarded_for off
http_port 3128
http_port 3128
#https_port 4128 tls-cert=/etc/dehydrated/certs/proxy.example.com/fullchain.pem tls-key=/etc/dehydrated/certs/proxy.example.com/privkey.pem
httpd_suppress_version_string on
request_header_access X-Forwarded-For deny all
</syntaxhighlight>
</syntaxhighlight>


 其中有些欄位可以調整:
 其中有些欄位可以調整 ,像是把<code>acl whitelist</code>從目的的位置,改成用source IP address判斷


<syntaxhighlight lang="squid">
<syntaxhighlight lang="squid">
acl whitelist src 1.2.3.4/32
acl whitelist src 1.2.3.4/32
</syntaxhighlight>
以及留下access記錄:
<syntaxhighlight lang="squid">
access_log daemon:/var/log/squid/access.log logformat=squid rotate=7
access_log daemon:/var/log/squid/access.log logformat=squid rotate=7
</syntaxhighlight>
</syntaxhighlight>


 在<code>/etc/squid/whitelist.txt</code>裡:
 在<code>/etc/squid/whitelist.txt</code>裡 是使用regex(從設定裡的<code>dstdom_regex</code>)應該可以看出來


<syntaxhighlight lang="text">
<syntaxhighlight lang="text">
行 53: 行 94:
</syntaxhighlight>
</syntaxhighlight>


 如果有設定log的話,記得放一個<code>/etc/cron.d/squid-log</code>並且設定為<code>0755</code>:
 如果有設定log的話,記得放一個<code>/etc/cron.daily/squid-log</code>並且設定為<code>0755</code>:


<syntaxhighlight lang="bash">
<syntaxhighlight lang="bash">
行 61: 行 102:


=== Reverse Proxy ===
=== Reverse Proxy ===
Reverse Proxy指的是瀏覽器端以HTTP/HTTPS Protocol連到Squid偽裝的Web Server(所以瀏覽器端不會以Proxy Protocol溝通,而是以HTTP/HTTPS Protocol溝通),Squid會將流量導至設定的後端主機。
這個架構常見在load balancer或是cache server用途上,但因為[[nginx]]的興起且設定彈性,取代了Squid在load balancer上的功能;目前Squid在Reverse Proxy架構上主要會拿來當作cache server使用。


 在<code>/etc/squid/squid.conf</code>裡:
 在<code>/etc/squid/squid.conf</code>裡:
行 97: 行 142:
half_closed_clients off
half_closed_clients off
http_port 80 accel defaultsite=default.domain.tld # FIXME
http_port 80 accel defaultsite=default.domain.tld # FIXME
httpd_suppress_version_string on
logfile_daemon /usr/local/squid/libexec/logfile-daemon
logfile_daemon /usr/local/squid/libexec/logfile-daemon
logfile_rotate 3
logfile_rotate 3
行 105: 行 151:
minimum_object_size 1 KB # FIXME
minimum_object_size 1 KB # FIXME
refresh_pattern . 60 90% 604800 override-expire ignore-reload ignore-no-cache ignore-no-store
refresh_pattern . 60 90% 604800 override-expire ignore-reload ignore-no-cache ignore-no-store
request_header_access X-Forwarded-For deny all
store_avg_object_size 10 MB # FIXME
store_avg_object_size 10 MB # FIXME
</syntaxhighlight>
</syntaxhighlight>
== 參考資料 ==
{{Reflist|2}}


== 外部連結 ==
== 外部連結 ==

於 2024年2月17日 (六) 03:19 的最新修訂

Squid是一套Proxy軟體。

安裝

Ubuntu上可以直接透過系統的套件裝Squid: 

sudo apt install -y squid; sudo apt clean

但如果需要讓Squid吃SSL Certificate提供HTTPS介面(像是需要密碼認證),可能會需要裝OpenSSL的版本(squid套件內使用的GnuTLS無法吃intermediate certificate[1],對於現今大多數的憑證來說都是必要功能,像是Let's Encrypt)。

Ubuntu 22.04

而因為OpenSSL軟體授權的關係,在Ubuntu 22.04以後包成另外的套件: 

sudo apt install -y squid-openssl; sudo apt clean

Ubuntu 20.04

如果是Ubuntu 20.04下,需要自己編OpenSSL版本的Squid。通常是己拉下來改好後再打包成deb安裝。

這邊要注意要處理debian/changelog的版本資訊與debian/control的相依性資訊: 

sudo apt install -y ed libltdl-dev pkg-config build-essential cdbs debhelper dpkg-dev lsb-release dh-apparmor libcppunit-dev libcap2-dev libdb-dev libecap3-dev libexpat1-dev libgnutls28-dev libkrb5-dev comerr-dev libldap2-dev libnetfilter-conntrack-dev libpam0g-dev libsasl2-dev libxml2-dev nettle-dev libssl-dev
mkdir squid
cd squid
apt-get source squid
cd squid-4.10
sed -i -e 's/--with-gnutls/--with-openssl/' debian/rules
vim debian/changelog # add a new entry for "+1openssl1" version.
vim debian/control # add libssl1.1 & libssl-dev to dependency sections.
dpkg-buildpackage -rfakeroot -uc -b

編完以後再依序安裝.deb檔(squid-commonsquid),這邊的檔名可能會因為上游更新改變,僅供參考: 

sudo dpkg -i squid-common_4.10-1ubuntu1.7+1openssl1_all.deb
sudo dpkg -i squid_4.10-1ubuntu1.7+1openssl1_amd64.deb

後續可以考慮用apt-mark避免自動升級: 

sudo apt-mark manual squid squid-common

範例

Forward Proxy

Forward Proxy指的是瀏覽器端會以Proxy Protocol跟Squid連線,告訴Squid要跳連到的目的位置。

/etc/squid/squid.conf裡: 

#
acl whitelist dstdom_regex "/etc/squid/whitelist.txt"
http_access allow whitelist
http_access deny all
#
access_log none
cache deny all
cache_dir null /tmp
cache_log /dev/null
cache_mem 8 MB
forwarded_for off
http_port 3128
#https_port 4128 tls-cert=/etc/dehydrated/certs/proxy.example.com/fullchain.pem tls-key=/etc/dehydrated/certs/proxy.example.com/privkey.pem
httpd_suppress_version_string on
request_header_access X-Forwarded-For deny all

其中有些欄位可以調整,像是把acl whitelist從目的的位置,改成用source IP address判斷: 

acl whitelist src 1.2.3.4/32

以及留下access記錄: 

access_log daemon:/var/log/squid/access.log logformat=squid rotate=7

/etc/squid/whitelist.txt裡是使用regex(從設定裡的dstdom_regex)應該可以看出來: 

(^|.)archive\.ubuntu\.com$

如果有設定log的話,記得放一個/etc/cron.daily/squid-log並且設定為0755

#!/bin/bash
/usr/sbin/squid -k rotate

Reverse Proxy

Reverse Proxy指的是瀏覽器端以HTTP/HTTPS Protocol連到Squid偽裝的Web Server(所以瀏覽器端不會以Proxy Protocol溝通,而是以HTTP/HTTPS Protocol溝通),Squid會將流量導至設定的後端主機。

這個架構常見在load balancer或是cache server用途上,但因為nginx的興起且設定彈性,取代了Squid在load balancer上的功能;目前Squid在Reverse Proxy架構上主要會拿來當作cache server使用。

/etc/squid/squid.conf裡: 

#
acl all src 0.0.0.0/0
acl PURGE method PURGE
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl localnet src 10.0.0.0/255.0.0.0
#
http_access allow manager localhost
http_access deny manager
http_access allow PURGE localhost
http_access allow PURGE localnet
http_access deny PURGE
http_access deny all
#
access_log daemon:/home/logs/squid/access.log squid
cache_dir aufs /big/cache 358400 32 256 # FIXME
cache_effective_group nogroup
cache_effective_user nobody
cache_log /home/logs/squid/cache.log
cache_mem 1024 MB
cache_peer 10.1.2.3 parent 80 0 no-query round-robin originserver monitorurl=http://host/robots.txt # FIXME
cache_peer 10.1.2.4 parent 80 0 no-query round-robin originserver monitorurl=http://host/robots.txt # FIXME
cache_replacement_policy heap LFUDA # FIXME
cache_store_log daemon:/home/logs/squid/store.log
cache_swap_high 95
cache_swap_low 80
client_db off
coredump_dir /home/logs
follow_x_forwarded_for allow localnet
forwarded_for on
half_closed_clients off
http_port 80 accel defaultsite=default.domain.tld # FIXME
httpd_suppress_version_string on
logfile_daemon /usr/local/squid/libexec/logfile-daemon
logfile_rotate 3
maximum_object_size 307200 KB # FIXME
maximum_object_size_in_memory 102400 KB # FIXME
memory_pools_limit 1331 MB # FIXME
minimum_expiry_time 604800 seconds
minimum_object_size 1 KB # FIXME
refresh_pattern . 60 90% 604800 override-expire ignore-reload ignore-no-cache ignore-no-store
request_header_access X-Forwarded-For deny all
store_avg_object_size 10 MB # FIXME

參考資料

  1. [squid-users] HTTPS_PORT AND SSL CERT. 2020-05-26 [2023-06-09] (English). 

外部連結

取自「https://wiki.gslin.org/index.php?title=Squid&oldid=5275