In this guide, we will learn how to install and configure Squid proxy on Rocky Linux 8.
Install and Configure Squid Proxy on Rocky Linux 8
Run system update
Update your system package cache:
dnf update
Install Squid Proxy on Rocky Linux 8
Squid proxy is available in the default Rocky Linux 8 repositories and can be installed by running the command;
dnf install squid
Dependencies resolved.
============================================================================================================================================================================
Package Architecture Version Repository Size
============================================================================================================================================================================
Installing:
squid x86_64 7:4.11-4.module+el8.4.0+404+316a0dc5.2 appstream 3.6 M
Installing dependencies:
libecap x86_64 1.0.1-2.module+el8.4.0+404+316a0dc5 appstream 28 k
perl-DBI x86_64 1.641-3.module+el8.4.0+509+59a8d9b3 appstream 739 k
perl-Digest-SHA x86_64 1:6.02-1.el8 appstream 65 k
perl-Math-BigInt noarch 1:1.9998.11-7.el8 baseos 194 k
perl-Math-Complex noarch 1.59-419.el8_4.1 baseos 108 k
Enabling module streams:
perl-DBI 1.641
squid 4
Transaction Summary
============================================================================================================================================================================
Install 6 Packages
Total download size: 4.7 M
Installed size: 14 M
Is this ok [y/N]: y
Run Squid on Rocky Linux 8
Once the installation is complete, start Squid and enable it to run on system boot.
systemctl enable --now squid
Configure Squid Proxy on Rocky Linux 8
/etc/squid/squid.conf is the default Squid proxy configuration file. It ships with the recommended minimum configuration settings. Below are the contents of the file with the comment lines removed;
grep -vE "^#|^$" /etc/squid/squid.conf
acl localnet src 0.0.0.1-0.255.255.255 # RFC 1122 "this" network (LAN)
acl localnet src 10.0.0.0/8 # RFC 1918 local private network (LAN)
acl localnet src 100.64.0.0/10 # RFC 6598 shared address space (CGN)
acl localnet src 169.254.0.0/16 # RFC 3927 link-local (directly plugged) machines
acl localnet src 172.16.0.0/12 # RFC 1918 local private network (LAN)
acl localnet src 192.168.0.0/16 # RFC 1918 local private network (LAN)
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost
http_access deny all
http_port 3128
coredump_dir /var/spool/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
Before you start customizing the Squid configuration to suit your needs, make a backup of the configuration file.
cp /etc/squid/squid.conf{,.bak}
Configure Squid access policies
Create an access control list that defines the local network that should use Squid as a proxy. Each ACL consists of a name, a type and a value, and is defined with the acl option.
For example, to configure hosts in the network 192.168.60.0/24 to use Squid as their proxy server, you would use an ACL like this;
acl mylocalnet src 192.168.60.0/24
Replace the network accordingly.
This creates an ACL named mylocalnet that identifies the hosts on the given network.
Once the ACL is defined, you need to add a line that references it to allow or deny access to the cache features. For example, http_access is used to allow or deny web browsers access to the web cache;
http_access allow mylocalnet
Squid reads the configuration from top to bottom, so the order of the configuration options matters.
You can comment out the existing network ACLs by adding a hash (#) at the beginning of those lines, and then add your custom ACL;
...
### Adding Custom ACL #######
acl mylocalnet src 192.168.60.0/24
http_access allow mylocalnet
#
#acl localnet src 0.0.0.1-0.255.255.255 # RFC 1122 "this" network (LAN)
#acl localnet src 10.0.0.0/8 # RFC 1918 local private network (LAN)
#acl localnet src 100.64.0.0/10 # RFC 6598 shared address space (CGN)
#acl localnet src 169.254.0.0/16 # RFC 3927 link-local (directly plugged) machines
#acl localnet src 172.16.0.0/12 # RFC 1918 local private network (LAN)
#acl localnet src 192.168.0.0/16 # RFC 1918 local private network (LAN)
#acl localnet src fc00::/7 # RFC 4193 local private network range
#acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
...
Block specific websites
Squid proxy can be used to restrict access to specific websites. For example, to block access to youtube, facebook and netflix, create a file that lists the domains of these sites, as shown below;
vim /etc/squid/restricted-sites.squid
.youtube.com
.facebook.com
.netflix.com
After that, create an ACL for the restricted sites above in the squid configuration file and set a deny rule for the defined ACL.
...
### Adding Custom ACL #######
acl mylocalnet src 192.168.60.0/24
## Adding Sites to Block access to ###
acl blockedsites dstdomain "/etc/squid/restricted-sites.squid"
http_access deny blockedsites
http_access allow mylocalnet
...
Instead of using a file to define the sites to block, you can list the domains, separated by spaces, directly on the ACL statement in the squid.conf file.
acl blockedsites dstdomain youtube.com facebook.com netflix.com
Block websites based on specific keywords
You can also restrict access to websites by using keywords. Create a file containing the specific keywords, as shown below;
vim /etc/squid/banned-keywords.squid
porn
ads
movie
gamble
Make the necessary changes to the proxy configuration file.
...
### Adding Custom ACL #######
acl mylocalnet src 192.168.100.0/24
## Adding Sites to Block access to ###
acl blockedsites dstdomain "/etc/squid/restricted-sites.squid"
acl keyword-ban url_regex "/etc/squid/banned-keywords.squid"
http_access deny blockedsites
http_access deny keyword-ban
http_access allow mylocalnet
...
Since we have already commented out the local network ACLs, also comment out the access rule that references localnet, shown below.
#http_access allow localnet
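The access-policy and blocking sections above all rely on the same rule: Squid walks the http_access lines from top to bottom and the first line whose ACLs all match decides. The following model, an added example that is not code from this tutorial or from the Squid project, re-implements that first-match evaluation for the ACL types the tutorial uses (src, dstdomain, url_regex, port, method) plus the built-in all, localhost and manager ACLs. The Policy class, the FILES dict (a constructed stand-in for the two list files created under /etc/squid/) and the TUTORIAL_ORDER/SAFE_ORDER names are this example's own. It goes slightly beyond the page by also handling CONNECT requests, whose target is written as host:port rather than a URL.

```python
"""Model of Squid's first-match http_access evaluation (added example; not
code from the tutorial or from Squid). Only the ACL types the tutorial uses
are implemented; quoted "/path" values are read from FILES, a constructed
stand-in for the list files the tutorial creates under /etc/squid/."""
import ipaddress
import re
from urllib.parse import urlsplit

FILES = {  # constructed contents of the tutorial's two list files
    "/etc/squid/restricted-sites.squid": ".youtube.com\n.facebook.com\n.netflix.com\n",
    "/etc/squid/banned-keywords.squid": "porn\nads\nmovie\ngamble\n",
}
LOCALHOST = [ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("::1/128")]


class Policy:
    def __init__(self, config_text, files=FILES):
        self.acls = {}   # name -> (type, [values])
        self.rules = []  # [(action, [terms])] in file order
        for line in config_text.splitlines():
            parts = line.split("#", 1)[0].split()   # drop comments and blank lines
            if not parts:
                continue
            if parts[0] == "acl":
                name, atype, values = parts[1], parts[2], parts[3:]
                vals = self.acls.setdefault(name, (atype, []))[1]
                for v in values:  # a quoted "/path" contributes one value per line
                    vals.extend(files[v.strip('"')].split() if v.startswith('"') else [v])
            elif parts[0] == "http_access":
                self.rules.append((parts[1], parts[2:]))

    def _matches(self, name, src, url, method):
        ip = ipaddress.ip_address(src)
        if method == "CONNECT":          # CONNECT targets are host:port, not URLs
            host, _, port = url.rpartition(":")
            port, path, scheme = int(port), "", ""
        else:
            u = urlsplit(url)
            host, path, scheme = u.hostname or "", u.path, u.scheme
            port = u.port or (443 if scheme == "https" else 80)
        if name == "all":
            return True
        if name == "localhost":
            return any(ip in net for net in LOCALHOST)
        if name == "manager":
            return scheme == "cache_object" or path.startswith("/squid-internal-mgr/")
        atype, values = self.acls[name]
        if atype == "src":          # CIDR values only; Squid also accepts a-b ranges
            return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
        if atype == "dstdomain":    # ".x.com" matches x.com and subdomains; "x.com" only x.com
            return any(host == v.lstrip(".") or (v.startswith(".") and host.endswith(v))
                       for v in values)
        if atype == "url_regex":    # case-sensitive regex search over the whole URL
            return any(re.search(v, url) for v in values)
        if atype == "port":         # single ports or lo-hi ranges
            return any(int(v.partition("-")[0]) <= port <= int(v.partition("-")[2] or v)
                       for v in values)
        if atype == "method":
            return method in values
        raise ValueError(f"unsupported acl type {atype}")

    def decide(self, src, url, method="GET"):
        """'allow' or 'deny': the first http_access line whose terms all match wins;
        if no line matches, the opposite of the last line's action applies."""
        for action, terms in self.rules:
            if all(self._matches(t.lstrip("!"), src, url, method) != t.startswith("!")
                   for t in terms):
                return action
        if not self.rules:
            return "deny"
        return "deny" if self.rules[-1][0] == "allow" else "allow"


ACLS = """
acl mylocalnet src 192.168.60.0/24
acl blockedsites dstdomain "/etc/squid/restricted-sites.squid"
acl keyword-ban url_regex "/etc/squid/banned-keywords.squid"
acl SSL_ports port 443
acl Safe_ports port 80 21 443 1025-65535
acl CONNECT method CONNECT
"""
CUSTOM = "http_access deny blockedsites\nhttp_access deny keyword-ban\nhttp_access allow mylocalnet\n"
PORT_CHECKS = "http_access deny !Safe_ports\nhttp_access deny CONNECT !SSL_ports\n"
TAIL = ("http_access allow localhost manager\nhttp_access deny manager\n"
        "http_access allow localhost\nhttp_access deny all\n")
# Rule order as in the tutorial (custom rules above the port checks) versus port checks first.
TUTORIAL_ORDER = Policy(ACLS + CUSTOM + PORT_CHECKS + TAIL)
SAFE_ORDER = Policy(ACLS + PORT_CHECKS + CUSTOM + TAIL)

if __name__ == "__main__":
    for src, url, method in [("192.168.60.50", "http://www.youtube.com/", "GET"),
                             ("192.168.60.50", "http://downloads.example.com/", "GET"),
                             ("192.168.60.50", "http://mail.example.com:25/", "GET")]:
        print(url, "tutorial order:", TUTORIAL_ORDER.decide(src, url, method),
              "port checks first:", SAFE_ORDER.decide(src, url, method))
```

Three things the model makes visible. A dstdomain entry with a leading dot (.youtube.com, as in the file) also covers www.youtube.com, whereas the space-separated form without the dot matches only the bare domain. A bare keyword such as ads in url_regex is matched anywhere in the URL, so a host like downloads.example.com is denied too; anchor or tighten the expressions before deploying them. And because the tutorial places http_access allow mylocalnet above the stock deny !Safe_ports and deny CONNECT !SSL_ports lines, LAN clients are allowed through to ports the Safe_ports list was meant to exclude; keeping the port checks above the custom rules, as SAFE_ORDER does, restores that protection.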
Anonymize outgoing traffic
To prevent the proxy server from exposing your IP address in outgoing HTTP requests, include the following directives at the end of your squid configuration file.
...
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
# Anonymize Traffic
via off
forwarded_for off
request_header_access From deny all
request_header_access Server deny all
request_header_access WWW-Authenticate deny all
request_header_access Link deny all
request_header_access Cache-Control deny all
request_header_access Proxy-Connection deny all
request_header_access X-Cache deny all
request_header_access X-Cache-Lookup deny all
request_header_access Via deny all
request_header_access X-Forwarded-For deny all
request_header_access Pragma deny all
request_header_access Keep-Alive deny all
Change the proxy default port
Squid proxy listens on TCP port 3128 by default. To change this port, open the /etc/squid/squid.conf configuration file and replace the value of http_port with the desired port number.
For example, to change the default port to 8888 (provided no other application is listening on the same port);
...
# Squid normally listens to port 3128
# http_port 3128 << Comment the line by adding #
http_port 8888
...
You can also make it listen on a specific IP address (replace the IP address accordingly)
http_port 192.168.60.19:8888
Overall, our configuration now looks like this;
grep -vE "^#|^$" /etc/squid/squid.conf
acl mylocalnet src 192.168.60.0/24
acl blockedsites dstdomain "/etc/squid/restricted-sites.squid"
http_access deny blockedsites
http_access allow mylocalnet
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localhost
http_access deny all
http_port 8888
coredump_dir /var/spool/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
via off
forwarded_for off
request_header_access From deny all
request_header_access Server deny all
request_header_access WWW-Authenticate deny all
request_header_access Link deny all
request_header_access Cache-Control deny all
request_header_access Proxy-Connection deny all
request_header_access X-Cache deny all
request_header_access X-Cache-Lookup deny all
request_header_access Via deny all
request_header_access X-Forwarded-For deny all
request_header_access Pragma deny all
request_header_access Keep-Alive deny all
Verify the Squid configuration for any errors;
squid -k parse
2021/10/20 13:42:46| Startup: Initializing Authentication Schemes ...
2021/10/20 13:42:46| Startup: Initialized Authentication Scheme 'basic'
2021/10/20 13:42:46| Startup: Initialized Authentication Scheme 'digest'
2021/10/20 13:42:46| Startup: Initialized Authentication Scheme 'negotiate'
2021/10/20 13:42:46| Startup: Initialized Authentication Scheme 'ntlm'
2021/10/20 13:42:46| Startup: Initialized Authentication.
2021/10/20 13:42:46| Processing Configuration File: /etc/squid/squid.conf (depth 0)
2021/10/20 13:42:46| Processing: acl mylocalnet src 192.168.58.0/24
2021/10/20 13:42:46| Processing: acl blockedsites dstdomain "/etc/squid/restricted-sites.squid"
2021/10/20 13:42:46| Processing: http_access deny blockedsites
2021/10/20 13:42:46| Processing: http_access allow mylocalnet
2021/10/20 13:42:46| Processing: acl SSL_ports port 443
2021/10/20 13:42:46| Processing: acl Safe_ports port 80 # http
2021/10/20 13:42:46| Processing: acl Safe_ports port 21 # ftp
2021/10/20 13:42:46| Processing: acl Safe_ports port 443 # https
2021/10/20 13:42:46| Processing: acl Safe_ports port 70 # gopher
2021/10/20 13:42:46| Processing: acl Safe_ports port 210 # wais
2021/10/20 13:42:46| Processing: acl Safe_ports port 1025-65535 # unregistered ports
2021/10/20 13:42:46| Processing: acl Safe_ports port 280 # http-mgmt
2021/10/20 13:42:46| Processing: acl Safe_ports port 488 # gss-http
2021/10/20 13:42:46| Processing: acl Safe_ports port 591 # filemaker
2021/10/20 13:42:46| Processing: acl Safe_ports port 777 # multiling http
2021/10/20 13:42:46| Processing: acl CONNECT method CONNECT
2021/10/20 13:42:46| Processing: http_access deny !Safe_ports
2021/10/20 13:42:46| Processing: http_access deny CONNECT !SSL_ports
2021/10/20 13:42:46| Processing: http_access allow localhost manager
2021/10/20 13:42:46| Processing: http_access deny manager
2021/10/20 13:42:46| Processing: http_access allow localhost
2021/10/20 13:42:46| Processing: http_access deny all
2021/10/20 13:42:46| Processing: http_port 8888
2021/10/20 13:42:46| Processing: coredump_dir /var/spool/squid
2021/10/20 13:42:46| Processing: refresh_pattern ^ftp: 1440 20% 10080
2021/10/20 13:42:46| Processing: refresh_pattern ^gopher: 1440 0% 1440
2021/10/20 13:42:46| Processing: refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
2021/10/20 13:42:46| Processing: refresh_pattern . 0 20% 4320
2021/10/20 13:42:46| Processing: via off
2021/10/20 13:42:46| Processing: forwarded_for off
2021/10/20 13:42:46| Processing: request_header_access From deny all
2021/10/20 13:42:46| Processing: request_header_access Server deny all
2021/10/20 13:42:46| Processing: request_header_access WWW-Authenticate deny all
2021/10/20 13:42:46| Processing: request_header_access Link deny all
2021/10/20 13:42:46| Processing: request_header_access Cache-Control deny all
2021/10/20 13:42:46| Processing: request_header_access Proxy-Connection deny all
2021/10/20 13:42:46| Processing: request_header_access X-Cache deny all
2021/10/20 13:42:46| Processing: request_header_access X-Cache-Lookup deny all
2021/10/20 13:42:46| Processing: request_header_access Via deny all
2021/10/20 13:42:46| Processing: request_header_access X-Forwarded-For deny all
2021/10/20 13:42:46| Processing: request_header_access Pragma deny all
2021/10/20 13:42:46| Processing: request_header_access Keep-Alive deny all
2021/10/20 13:42:46| WARNING: HTTP requires the use of Via
2021/10/20 13:42:46| Initializing https:// proxy context
Restart the proxy
Reconfigure Squid by running the command;
squid -k reconfigure
or by restarting its service:
systemctl restart squid
Check whether Squid is listening on the new port;
ss -altnp | grep 8888
LISTEN 0 1024 *:8888 *:* users:(("squid",pid=37669,fd=13))
Allow the Squid port on the firewall
If the firewall is enabled, allow the Squid port through it. Replace the port if you changed the default.
firewall-cmd --add-port=8888/tcp --permanent
firewall-cmd --reload
Configure proxy clients to connect to the proxy server
To configure clients to connect to the Squid proxy server, you can set a system-wide proxy configuration, configure the clients to use the Squid proxy as their gateway, or set the proxy settings in the browser.
System-wide proxy configuration
To set a system-wide proxy configuration, create a configuration file under /etc/profile.d that defines environment variables with the Squid proxy server details, as shown below;
vim /etc/profile.d/squid.sh
Replace the IP address of the Squid server accordingly.
PROXY_URL="192.168.60.19:8888"
HTTP_PROXY=$PROXY_URL
HTTPS_PROXY=$PROXY_URL
FTP_PROXY=$PROXY_URL
http_proxy=$PROXY_URL
https_proxy=$PROXY_URL
ftp_proxy=$PROXY_URL
export HTTP_PROXY HTTPS_PROXY FTP_PROXY http_proxy https_proxy ftp_proxy
After that, source the new profile.
source /etc/profile.d/squid.sh
To test this, try downloading anything from the client while tailing the access log on the Squid proxy server.
On the client's terminal, run;
wget google.com
--2021-10-20 13:47:46-- http://google.com/
Connecting to 192.168.60.19:8888... connected.
Proxy request sent, awaiting response... 301 Moved Permanently
Location: http://www.google.com/ [following]
--2021-10-20 13:47:47-- http://www.google.com/
Reusing existing connection to 192.168.60.19:8888.
Proxy request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: ‘index.html’
index.html [ <=> ] 14.58K --.-KB/s in 0s
2021-10-20 13:47:47 (45.7 MB/s) - ‘index.html’ saved [14933]
On the Squid proxy server;
tail -f /var/log/squid/access.log
...
1634726867.006 626 192.168.60.19 TCP_MISS/301 618 GET http://google.com/ - HIER_DIRECT/172.217.170.206 text/html
1634726867.537 530 192.168.60.19 TCP_MISS/200 15804 GET http://www.google.com/ - HIER_DIRECT/216.58.223.68 text/html
Try accessing a blocked site;
wget youtube.com
--2021-10-20 13:48:50-- http://youtube.com/
Connecting to 192.168.60.19:8888... connected.
Proxy request sent, awaiting response... 403 Forbidden
2021-10-20 13:48:50 ERROR 403: Forbidden.
tail -f /var/log/squid/access.log
1634726930.663 0 192.168.60.19 TCP_DENIED/403 3903 GET http://youtube.com/ - HIER_NONE/- text/html
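The access.log lines shown above are in Squid's native log format: epoch time, elapsed milliseconds, client address, result code/HTTP status, bytes sent, method, URL, ident, hierarchy status/peer, and content type. The following parser, an added example that is not part of the tutorial, splits lines in that format into records and summarises which clients had requests denied by the http_access rules and how many bytes each client received. SAMPLE_LOG holds constructed copies of the three lines the tutorial's tail output shows; the function names are this example's own.

```python
"""Parse Squid's native access.log format and summarise allowed and denied
requests (added example, not part of the tutorial). SAMPLE_LOG contains
constructed copies of the lines shown in the tutorial's tail output."""
from collections import Counter, defaultdict
from datetime import datetime, timezone
from urllib.parse import urlsplit

SAMPLE_LOG = """\
1634726867.006    626 192.168.60.19 TCP_MISS/301 618 GET http://google.com/ - HIER_DIRECT/172.217.170.206 text/html
1634726867.537    530 192.168.60.19 TCP_MISS/200 15804 GET http://www.google.com/ - HIER_DIRECT/216.58.223.68 text/html
1634726930.663      0 192.168.60.19 TCP_DENIED/403 3903 GET http://youtube.com/ - HIER_NONE/- text/html
"""

# Native format: time elapsed client result/status bytes method url ident peerstatus/peer type
FIELDS = ("time", "elapsed_ms", "client", "result", "bytes",
          "method", "url", "ident", "hierarchy", "content_type")


def parse_line(line):
    """Return one record as a dict, or None if the line is not a 10-field native log line."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    secs = int(rec["time"].partition(".")[0])        # epoch seconds (UTC); milliseconds dropped
    rec["time"] = datetime.fromtimestamp(secs, tz=timezone.utc)
    rec["elapsed_ms"], rec["bytes"] = int(rec["elapsed_ms"]), int(rec["bytes"])
    rec["code"], _, status = rec["result"].partition("/")      # e.g. TCP_DENIED and 403
    rec["status"] = int(status)
    rec["peer_status"], _, rec["peer"] = rec["hierarchy"].partition("/")
    # CONNECT requests log "host:port" rather than a URL, so fall back to splitting on ':'
    rec["host"] = urlsplit(rec["url"]).hostname or rec["url"].split(":")[0]
    return rec


def parse_log(text):
    """Parse every well-formed line of a native-format log, skipping the rest."""
    return [r for r in map(parse_line, text.splitlines()) if r]


def denied_summary(records):
    """{client: {destination host: count}} for requests the http_access rules rejected."""
    out = defaultdict(Counter)
    for r in records:
        if r["code"].startswith("TCP_DENIED"):
            out[r["client"]][r["host"]] += 1
    return {client: dict(hosts) for client, hosts in out.items()}


def bytes_per_client(records):
    """Bytes delivered to each client, including the bytes of Squid's error pages."""
    totals = Counter()
    for r in records:
        totals[r["client"]] += r["bytes"]
    return dict(totals)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for r in recs:
        print(r["time"].isoformat(), r["client"], r["result"], r["host"])
    print("denied:", denied_summary(recs))
    print("bytes:", bytes_per_client(recs))
```

The first field is seconds since the epoch, so it converts to UTC; the 13:47 shown by wget in the tutorial is the client's local clock, while the same event in the log converts to 10:47 UTC. Feeding the script `tail -f` output, or the whole file, gives a quick view of which internal hosts keep hitting the blocked lists.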
You can also set the Squid server as the default gateway.
In Firefox, configure it to reach external networks through your Squid server: Preferences > General > Network Settings > Manual proxy configuration. Check "Use this proxy server for all protocols".
This marks the end of our tutorial on how to install and configure Squid proxy on Rocky Linux 8.
Read more
Read more on the Squid wiki.