Squid: Revision differences
Latest revision as of 03:19, 17 February 2024 (Sat)
Squid is a proxy server.
Installation
On Ubuntu, Squid can be installed directly from the system package:
```bash
sudo apt install -y squid; sudo apt clean
```
But if you need Squid to load an SSL certificate and serve an HTTPS interface (for example when password authentication is required), you may need to install the OpenSSL build: the GnuTLS used by the `squid` package cannot load intermediate certificates[1], which is a necessary feature for most of today's certificates, such as Let's Encrypt.
Ubuntu 22.04
Because of the OpenSSL software license, from Ubuntu 22.04 onward it is shipped as a separate package:
```bash
sudo apt install -y squid-openssl; sudo apt clean
```
Ubuntu 20.04
On Ubuntu 20.04 you have to build the OpenSSL version of Squid yourself. Usually this means pulling down the source, modifying it, and packaging it as a deb to install.
Note that you need to update the version information in `debian/changelog` and the dependency information in `debian/control`:
```bash
sudo apt install -y ed libltdl-dev pkg-config build-essential cdbs debhelper dpkg-dev lsb-release dh-apparmor libcppunit-dev libcap2-dev libdb-dev libecap3-dev libexpat1-dev libgnutls28-dev libkrb5-dev comerr-dev libldap2-dev libnetfilter-conntrack-dev libpam0g-dev libsasl2-dev libxml2-dev nettle-dev libssl-dev
mkdir squid
cd squid
apt-get source squid
cd squid-4.10
sed -i -e 's/--with-gnutls/--with-openssl/' debian/rules
vim debian/changelog # add a new entry for "+1openssl1" version.
vim debian/control # add libssl1.1 & libssl-dev to dependency sections.
dpkg-buildpackage -rfakeroot -uc -b
```
After building, install the .deb files in order (`squid-common`, then `squid`); the file names may change with upstream updates and are for reference only:
```bash
sudo dpkg -i squid-common_4.10-1ubuntu1.7+1openssl1_all.deb
sudo dpkg -i squid_4.10-1ubuntu1.7+1openssl1_amd64.deb
```
Afterwards, consider using apt-mark to keep the packages from being upgraded automatically:
```bash
sudo apt-mark manual squid squid-common
```
Examples
Forward Proxy
A forward proxy means the browser connects to Squid using the proxy protocol and tells Squid the destination it wants to reach.
In `/etc/squid/squid.conf`:
```squid
#
acl whitelist dstdom_regex "/etc/squid/whitelist.txt"
http_access allow whitelist
http_access deny all
#
access_log none
cache deny all
cache_dir null /tmp
cache_log /dev/null
cache_mem 8 MB
forwarded_for off
http_port 3128
#https_port 4128 tls-cert=/etc/dehydrated/certs/proxy.example.com/fullchain.pem tls-key=/etc/dehydrated/certs/proxy.example.com/privkey.pem
httpd_suppress_version_string on
request_header_access X-Forwarded-For deny all
```
Some of these fields can be adjusted, for example changing `acl whitelist` from matching the destination to matching the source IP address:
```squid
acl whitelist src 1.2.3.4/32
```
And to keep an access log:
```squid
access_log daemon:/var/log/squid/access.log logformat=squid rotate=7
```
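As an added example (not part of the original page), a small Python parser for the native `squid` log format that the `access_log ... logformat=squid` line above produces; it pulls out the TCP_DENIED entries so you can see which clients the whitelist is turning away and which destinations they asked for. The log lines are constructed samples, not real traffic.

```python
import re
from collections import Counter

# One native-format line: time elapsed client code/status bytes method URL ident hierarchy/peer content-type
SQUID_LINE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<ident>\S+)\s+(?P<hier>\S+)\s+(?P<ctype>\S+)$"
)

# Constructed sample lines in the shape Squid writes with logformat=squid (not real traffic).
SAMPLE_LOG = """\
1708138000.123     45 10.0.0.5 TCP_TUNNEL/200 5123 CONNECT archive.ubuntu.com:443 - HIER_DIRECT/203.0.113.10 -
1708138001.456      0 10.0.0.7 TCP_DENIED/403 3925 CONNECT updates.example.net:443 - HIER_NONE/- text/html
1708138002.789      0 10.0.0.7 TCP_DENIED/403 3901 GET http://updates.example.net/ - HIER_NONE/- text/html
1708138003.000     12 10.0.0.5 TCP_MISS/200 812 GET http://archive.ubuntu.com/ubuntu/dists/jammy/InRelease - HIER_DIRECT/203.0.113.10 text/plain
"""

def dest_host(url):
    """Destination host of a logged request: CONNECT logs host:port, other methods log a full URL."""
    if "://" in url:
        url = url.split("://", 1)[1].split("/", 1)[0]
    return url.rsplit(":", 1)[0] if ":" in url else url

def parse_line(line):
    """Return the fields of one access.log line as a dict, or None if it is not native format."""
    m = SQUID_LINE.match(line.strip())
    return m.groupdict() if m else None

def denied_destinations(log_text):
    """Count TCP_DENIED requests per (client, destination host)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["code"] != "TCP_DENIED":
            continue
        counts[(rec["client"], dest_host(rec["url"]))] += 1
    return counts

if __name__ == "__main__":
    for (client, host), n in denied_destinations(SAMPLE_LOG).items():
        print(f"{client} -> {host}: denied {n} time(s)")
```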
The `/etc/squid/whitelist.txt` file uses regular expressions (as the `dstdom_regex` in the configuration suggests):
```text
(^|.)archive\.ubuntu\.com$
```
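As an added example (not from the original page), a Python check of how `dstdom_regex` evaluates the whitelist pattern above against a few constructed hostnames. Note that the `.` inside `(^|.)` is unescaped, so the page's pattern also accepts a host such as `notarchive.ubuntu.com`; the tightened pattern with `\.` is my suggestion and matches only the intended domain and its subdomains.

```python
import re

# Pattern as written in the page's whitelist.txt, and a tightened variant that escapes the dot
# (the tightened pattern is my suggestion, not taken from the page).
PAGE_PATTERN = r"(^|.)archive\.ubuntu\.com$"
TIGHT_PATTERN = r"(^|\.)archive\.ubuntu\.com$"

# Constructed destination hostnames a client might ask the proxy for.
HOSTS = [
    "archive.ubuntu.com",          # the intended host
    "tw.archive.ubuntu.com",       # an intended subdomain
    "notarchive.ubuntu.com",       # unintended: the unescaped '.' matches the 't'
    "archive.ubuntu.com.example",  # rejected by the trailing $
    "security.ubuntu.com",         # not listed at all
]

def dstdom_match(pattern, host):
    """Mimic dstdom_regex: an unanchored (regexec-style) search against the destination host."""
    return re.search(pattern, host) is not None

def allowed_hosts(pattern, hosts=HOSTS):
    """Hosts from the list that the given whitelist pattern would let through."""
    return [h for h in hosts if dstdom_match(pattern, h)]

if __name__ == "__main__":
    for h in HOSTS:
        print(f"{h:28} page={dstdom_match(PAGE_PATTERN, h)!s:5} tight={dstdom_match(TIGHT_PATTERN, h)}")
```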
If logging is configured, remember to add `/etc/cron.daily/squid-log` with mode `0755`:
```bash
#!/bin/bash
/usr/sbin/squid -k rotate
```
Reverse Proxy
A reverse proxy means the browser connects over HTTP/HTTPS to a web server that Squid is standing in for (so the browser does not speak the proxy protocol, only HTTP/HTTPS), and Squid forwards the traffic to the configured backend hosts.
This architecture is common for load balancers and cache servers, but with the rise of nginx and its flexible configuration, nginx has taken over Squid's load-balancer role; today Squid as a reverse proxy is mainly used as a cache server.
In `/etc/squid/squid.conf`:
```squid
#
acl all src 0.0.0.0/0
acl PURGE method PURGE
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl localnet src 10.0.0.0/255.0.0.0
#
http_access allow manager localhost
http_access deny manager
http_access allow PURGE localhost
http_access allow PURGE localnet
http_access deny PURGE
http_access deny all
#
access_log daemon:/home/logs/squid/access.log squid
cache_dir aufs /big/cache 358400 32 256 # FIXME
cache_effective_group nogroup
cache_effective_user nobody
cache_log /home/logs/squid/cache.log
cache_mem 1024 MB
cache_peer 10.1.2.3 parent 80 0 no-query round-robin originserver monitorurl=http://host/robots.txt # FIXME
cache_peer 10.1.2.4 parent 80 0 no-query round-robin originserver monitorurl=http://host/robots.txt # FIXME
cache_replacement_policy heap LFUDA # FIXME
cache_store_log daemon:/home/logs/squid/store.log
cache_swap_high 95
cache_swap_low 80
client_db off
coredump_dir /home/logs
follow_x_forwarded_for allow localnet
forwarded_for on
half_closed_clients off
http_port 80 accel defaultsite=default.domain.tld # FIXME
httpd_suppress_version_string on
logfile_daemon /usr/local/squid/libexec/logfile-daemon
logfile_rotate 3
maximum_object_size 307200 KB # FIXME
maximum_object_size_in_memory 102400 KB # FIXME
memory_pools_limit 1331 MB # FIXME
minimum_expiry_time 604800 seconds
minimum_object_size 1 KB # FIXME
refresh_pattern . 60 90% 604800 override-expire ignore-reload ignore-no-cache ignore-no-store
request_header_access X-Forwarded-For deny all
store_avg_object_size 10 MB # FIXME
```
References
- [1] "[squid-users] HTTPS_PORT AND SSL CERT", squid-users mailing list, 2020-05-26, retrieved 2023-06-09 (in English). http://lists.squid-cache.org/pipermail/squid-users/2020-May/022180.html
External links
- Official website (in English)