Squid

From Gea-Suan Lin's Wiki

Squid is a proxy server.

Installation

On Ubuntu, Squid can be installed directly from the system packages:

sudo apt install -y squid; sudo apt clean

But if Squid needs to load an SSL certificate to serve an HTTPS interface (for example, when password authentication is required), you may need an OpenSSL build: the GnuTLS build in the squid package cannot load intermediate certificates[1], which nearly all certificates issued today (Let's Encrypt, for example) require.

Ubuntu 22.04

Because of OpenSSL's software license, from Ubuntu 22.04 on the OpenSSL build is shipped as a separate package:

sudo apt install -y squid-openssl; sudo apt clean

Ubuntu 20.04

On Ubuntu 20.04 you have to build the OpenSSL version of Squid yourself. The usual approach is to pull the source, patch it, and repackage it as a deb.

Note that the version information in debian/changelog and the dependency information in debian/control both need to be updated:

sudo apt install -y ed libltdl-dev pkg-config build-essential cdbs debhelper dpkg-dev lsb-release dh-apparmor libcppunit-dev libcap2-dev libdb-dev libecap3-dev libexpat1-dev libgnutls28-dev libkrb5-dev comerr-dev libldap2-dev libnetfilter-conntrack-dev libpam0g-dev libsasl2-dev libxml2-dev nettle-dev libssl-dev
mkdir squid
cd squid
apt-get source squid
cd squid-4.10
sed -i -e 's/--with-gnutls/--with-openssl/' debian/rules
vim debian/changelog # add a new entry for "+1openssl1" version.
vim debian/control # add libssl1.1 & libssl-dev to dependency sections.
dpkg-buildpackage -rfakeroot -uc -b

After the build, install the .deb files in order (squid-common, then squid). The file names may change as upstream updates, so these are for reference only:

sudo dpkg -i squid-common_4.10-1ubuntu1.7+1openssl1_all.deb
sudo dpkg -i squid_4.10-1ubuntu1.7+1openssl1_amd64.deb

Afterwards, consider using apt-mark to avoid automatic upgrades:

sudo apt-mark manual squid squid-common

Examples

Forward Proxy

A forward proxy is one where the browser connects to Squid using the proxy protocol and tells Squid the destination it wants to reach.

In /etc/squid/squid.conf:

#
acl whitelist dstdom_regex "/etc/squid/whitelist.txt"
http_access allow whitelist
http_access deny all
#
access_log none
cache deny all
cache_dir null /tmp
cache_log /dev/null
cache_mem 8 MB
forwarded_for off
http_port 3128
#https_port 4128 tls-cert=/etc/dehydrated/certs/proxy.example.com/fullchain.pem tls-key=/etc/dehydrated/certs/proxy.example.com/privkey.pem
httpd_suppress_version_string on
request_header_access X-Forwarded-For deny all

Some of these fields can be adjusted, for example changing the acl whitelist from matching the destination to matching the source IP address:

acl whitelist src 1.2.3.4/32

and keeping an access log:

access_log daemon:/var/log/squid/access.log logformat=squid rotate=7

/etc/squid/whitelist.txt contains regular expressions (as the dstdom_regex in the configuration suggests):

(^|.)archive\.ubuntu\.com$
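A dstdom_regex ACL is only as tight as its patterns, so it helps to check the whitelist against sample hostnames before deploying it. The script below is an added example, not part of the wiki page: it emulates the ACL match with grep -E (POSIX extended regexes, case-sensitive like dstdom_regex without -i) over a constructed whitelist. The first entry is the page's own; the second is the stricter escaped form, which only matches at a label boundary, whereas the unescaped `.` in `(^|.)` matches any single character. The `$` anchor in both is what keeps a host such as `archive.ubuntu.com.example.net` from passing.

```shell
#!/bin/sh
# Added example, not from the wiki page: emulate how a dstdom_regex ACL applies
# /etc/squid/whitelist.txt to a request's destination host, so entries can be
# checked before deployment. The whitelist below is constructed for the demo;
# the first entry is the page's, the second shows the stricter escaped form.
WHITELIST="$(mktemp)"
cat > "$WHITELIST" <<'EOF'
(^|.)archive\.ubuntu\.com$
(^|\.)security\.ubuntu\.com$
EOF

# check_host HOST: returns 0 when some whitelist regex matches the host (Squid
# would take the "http_access allow whitelist" branch), 1 otherwise.
# dstdom_regex uses POSIX extended regexes and is case-sensitive unless given
# -i, which is also how grep -E behaves here.
check_host() {
  printf '%s\n' "$1" | grep -E -q -f "$WHITELIST"
}

# verdict HOST: prints "allow HOST" or "deny HOST", mirroring the ACL outcome.
verdict() {
  if check_host "$1"; then echo "allow $1"; else echo "deny $1"; fi
}

# xarchive.ubuntu.com is allowed by the unescaped "." in the first entry;
# xsecurity.ubuntu.com is denied by the escaped "\." in the second.
for h in archive.ubuntu.com tw.archive.ubuntu.com xarchive.ubuntu.com \
         archive.ubuntu.com.example.net xsecurity.ubuntu.com; do
  verdict "$h"
done
```

Run it after editing the whitelist; any unexpected "allow" line means a pattern is looser than intended.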

If logging is configured, remember to add /etc/cron.daily/squid-log with mode 0755:

#!/bin/bash
/usr/sbin/squid -k rotate

Reverse Proxy

A reverse proxy is one where the browser connects over HTTP/HTTPS to Squid, which poses as the web server (so the browser does not speak the proxy protocol, only HTTP/HTTPS), and Squid forwards the traffic to the configured backend hosts.

This architecture is commonly used for load balancers and cache servers, but the rise of nginx and its configuration flexibility has displaced Squid as a load balancer; today Squid in a reverse-proxy role is used mainly as a cache server.

In /etc/squid/squid.conf:

#
acl all src 0.0.0.0/0
acl PURGE method PURGE
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl localnet src 10.0.0.0/255.0.0.0
#
http_access allow manager localhost
http_access deny manager
http_access allow PURGE localhost
http_access allow PURGE localnet
http_access deny PURGE
http_access deny all
#
access_log daemon:/home/logs/squid/access.log squid
cache_dir aufs /big/cache 358400 32 256 # FIXME
cache_effective_group nogroup
cache_effective_user nobody
cache_log /home/logs/squid/cache.log
cache_mem 1024 MB
cache_peer 10.1.2.3 parent 80 0 no-query round-robin originserver monitorurl=http://host/robots.txt # FIXME
cache_peer 10.1.2.4 parent 80 0 no-query round-robin originserver monitorurl=http://host/robots.txt # FIXME
cache_replacement_policy heap LFUDA # FIXME
cache_store_log daemon:/home/logs/squid/store.log
cache_swap_high 95
cache_swap_low 80
client_db off
coredump_dir /home/logs
follow_x_forwarded_for allow localnet
forwarded_for on
half_closed_clients off
http_port 80 accel defaultsite=default.domain.tld # FIXME
httpd_suppress_version_string on
logfile_daemon /usr/local/squid/libexec/logfile-daemon
logfile_rotate 3
maximum_object_size 307200 KB # FIXME
maximum_object_size_in_memory 102400 KB # FIXME
memory_pools_limit 1331 MB # FIXME
minimum_expiry_time 604800 seconds
minimum_object_size 1 KB # FIXME
refresh_pattern . 60 90% 604800 override-expire ignore-reload ignore-no-cache ignore-no-store
request_header_access X-Forwarded-For deny all
store_avg_object_size 10 MB # FIXME
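Two things worth checking once this configuration is live are whether the cache is actually serving hits and whether anyone outside localhost/localnet is trying to PURGE objects (the ACLs above answer those with TCP_DENIED/403). The script below is an added example, not from the wiki page, that derives both from an access.log written with the `squid` logformat used above. The log lines are constructed for the demo and follow the native field order: timestamp, elapsed ms, client, action/status, size, method, URL, user, hierarchy/peer, MIME type.

```shell
#!/bin/sh
# Added example, not from the wiki page: summarise a Squid native-format
# ("squid" logformat) access.log for the reverse-proxy cache above.
# The log lines are constructed for this demo. Field layout:
# time elapsed client action/code size method url user hierarchy/peer type
LOG="$(mktemp)"
cat > "$LOG" <<'EOF'
1686300000.123     45 10.1.2.50 TCP_MISS/200 5123 GET http://default.domain.tld/index.html - ROUNDROBIN_PARENT/10.1.2.3 text/html
1686300001.456      2 10.1.2.51 TCP_MEM_HIT/200 5123 GET http://default.domain.tld/index.html - HIER_NONE/- text/html
1686300002.789      1 10.1.2.52 TCP_HIT/200 20480 GET http://default.domain.tld/logo.png - HIER_NONE/- image/png
1686300003.012     30 10.1.2.53 TCP_REFRESH_UNMODIFIED/200 5123 GET http://default.domain.tld/index.html - ROUNDROBIN_PARENT/10.1.2.4 text/html
1686300004.345      0 10.0.5.6 TCP_MISS/200 0 PURGE http://default.domain.tld/index.html - HIER_NONE/- -
1686300005.678      0 198.51.100.7 TCP_DENIED/403 3650 PURGE http://default.domain.tld/index.html - HIER_NONE/- text/html
EOF

# hit_ratio LOG: percentage of GET requests answered from cache, counting any
# action containing HIT (TCP_HIT, TCP_MEM_HIT, ...). Revalidations such as
# TCP_REFRESH_UNMODIFIED still went to the origin and are not counted as hits.
hit_ratio() {
  awk '$6 == "GET" { n++; if ($4 ~ /HIT/) h++ }
       END { printf "%d\n", (n ? 100 * h / n : 0) }' "$1"
}

# denied_purges LOG: client addresses whose PURGE was refused by the
# "http_access deny PURGE" rule, i.e. purge attempts from outside
# localhost/localnet. These are worth alerting on.
denied_purges() {
  awk '$6 == "PURGE" && $4 ~ /^TCP_DENIED/ { print $3 }' "$1" | sort -u
}

echo "cache hit ratio: $(hit_ratio "$LOG")%"
echo "denied PURGE sources:"
denied_purges "$LOG"
```

Point both functions at /home/logs/squid/access.log (the path from the configuration above) to run them against real traffic; a hit ratio that stays near zero usually means the refresh_pattern or object-size limits are excluding what you expected to cache.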

References

  1. [squid-users] HTTPS_PORT AND SSL CERT. 2020-05-26 [2023-06-09] (English). 

External links