In this tutorial, we will learn how to install and set up Squid proxy on Debian 11/Debian 10.
Squid is a full-featured web proxy cache. It proxies and caches HTTP and FTP traffic, relays HTTPS (SSL/TLS) requests through the CONNECT method, and caches DNS lookups. It can also run as a transparent cache, reducing bandwidth and improving response times by caching and reusing frequently requested web pages.
Installing and setting up Squid proxy on Debian 11/Debian 10
Run a system update
First, make sure your system package index is up to date.
apt update
Install Squid proxy on Debian 11/Debian 10
Squid proxy is available in the default Debian 11/Debian 10 repositories.
apt-cache policy squid
Sample output on Debian 11
squid:
  Installed: (none)
  Candidate: 4.13-10
  Version table:
     4.13-10 500
        500 http://deb.debian.org/debian bullseye/main amd64 Packages
It can therefore be installed simply by running;
apt install squid -y
Running Squid on Debian 11/Debian 10
After installation, Squid is started and enabled to run on system boot;
systemctl status squid
● squid.service - Squid Web Proxy Server
Loaded: loaded (/lib/systemd/system/squid.service; enabled; vendor preset: enabled)
Active: active (running) since Wed 2021-10-20 09:01:18 EAT; 38s ago
Docs: man:squid(8)
Process: 1718 ExecStartPre=/usr/sbin/squid --foreground -z (code=exited, status=0/SUCCESS)
Main PID: 1721 (squid)
Tasks: 4 (limit: 1133)
Memory: 15.6M
CPU: 156ms
CGroup: /system.slice/squid.service
├─1721 /usr/sbin/squid --foreground -sYC
├─1723 (squid-1) --kid squid-1 --foreground -sYC
├─1724 (logfile-daemon) /var/log/squid/access.log
└─1725 (pinger)
Oct 20 09:01:18 bullseye.kifarunix-demo.com squid[1723]: Using Least Load store dir selection
Oct 20 09:01:18 bullseye.kifarunix-demo.com squid[1723]: Set Current Directory to /var/spool/squid
Oct 20 09:01:18 bullseye.kifarunix-demo.com squid[1723]: Finished loading MIME types and icons.
Oct 20 09:01:18 bullseye.kifarunix-demo.com squid[1723]: HTCP Disabled.
Oct 20 09:01:18 bullseye.kifarunix-demo.com squid[1723]: Pinger socket opened on FD 14
Oct 20 09:01:18 bullseye.kifarunix-demo.com systemd[1]: Started Squid Web Proxy Server.
Oct 20 09:01:18 bullseye.kifarunix-demo.com squid[1723]: Squid plugin modules loaded: 0
Oct 20 09:01:18 bullseye.kifarunix-demo.com squid[1723]: Adaptation support is off.
Oct 20 09:01:18 bullseye.kifarunix-demo.com squid[1723]: Accepting HTTP Socket connections at local=[::]:3128 remote=[::] FD 12 flags=9
Oct 20 09:01:19 bullseye.kifarunix-demo.com squid[1723]: storeLateRelease: released 0 objects
Check whether it is enabled to run on system boot;
systemctl is-enabled squid
If the output of the command is not enabled, enable it by running;
systemctl enable squid
Configure Squid proxy server on Debian 11/Debian 10
/etc/squid/squid.conf is the default Squid proxy configuration file.
It ships with the recommended minimum settings. We will modify this configuration to make a few changes.
You can also place additional configuration in the /etc/squid/conf.d/ directory, which squid.conf pulls in through an include line.
Before proceeding, create a backup of the default configuration file.
cp /etc/squid/squid.conf{,.old}
By default, the Squid configuration file looks like this (comment lines removed);
grep -vE "^#|^$" /etc/squid/squid.conf
acl localnet src 0.0.0.1-0.255.255.255 # RFC 1122 "this" network (LAN)
acl localnet src 10.0.0.0/8 # RFC 1918 local private network (LAN)
acl localnet src 100.64.0.0/10 # RFC 6598 shared address space (CGN)
acl localnet src 169.254.0.0/16 # RFC 3927 link-local (directly plugged) machines
acl localnet src 172.16.0.0/12 # RFC 1918 local private network (LAN)
acl localnet src 192.168.0.0/16 # RFC 1918 local private network (LAN)
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
include /etc/squid/conf.d/*
http_access allow localhost
http_access deny all
http_port 3128
coredump_dir /var/spool/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
Configure Squid access control policies
As you may have noticed, the configuration above defines ACLs for specific networks and for safe ports. You can adjust them to include your own safe ports and the local networks that your Squid should proxy for. Note that the default http_access rules only allow localhost; the localnet ACLs are defined but nothing allows them, so the proxy is closed to the LAN until you add an allow rule.
When defining ACLs, each one must begin with the acl keyword, followed by an ACL name and an ACL type, and then either the type-specific arguments or a quoted filename to read them from;
acl aclname acltype argument ...
acl aclname acltype "file" ...
When a "file" is used, it should contain one entry per line.
vim /etc/squid/squid.conf
In this tutorial, we will create an ACL for our LAN network, 192.168.58.0/24.
We append this line just above the SSL ports ACL.
Replace the ACL name and the source network as appropriate.
...
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl kifarunix-demo-net src 192.168.58.0/24 # My LAN network ACL
acl SSL_ports port 443
...
Read more about ACL configuration directives on the Squid wiki page.
You can comment out (add # at the start of the line) the default localnet ACLs, since no http_access rule in this setup refers to them.
#acl localnet src 0.0.0.1-0.255.255.255 # RFC 1122 "this" network (LAN)
#acl localnet src 10.0.0.0/8 # RFC 1918 local private network (LAN)
#acl localnet src 100.64.0.0/10 # RFC 6598 shared address space (CGN)
#acl localnet src 169.254.0.0/16 # RFC 3927 link-local (directly plugged) machines
#acl localnet src 172.16.0.0/12 # RFC 1918 local private network (LAN)
#acl localnet src 192.168.0.0/16 # RFC 1918 local private network (LAN)
#acl localnet src fc00::/7 # RFC 4193 local private network range
#acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl kifarunix-demo-net src 192.168.58.0/24 # My LAN network ACL
...
Allow or deny access based on the defined ACLs
Once the ACLs are in place, use the http_access directive to define which ACLs are allowed or denied access to external networks through the proxy.
So, to allow the network defined by our ACL kifarunix-demo-net external access, add the following line;
...
#http_access allow localnet
http_access allow localhost
http_access allow kifarunix-demo-net # Allow kifarunix-demo-net
# And finally deny all other access to this proxy
http_access deny all
The last entry should always be http_access deny all, so that anything not explicitly allowed is refused.
Deny access to specific sites
Squid proxy can be used to restrict access to specific websites, for example to block access to youtube, facebook and netflix;
- You must create a file that lists the domains of these sites, as shown below. Exit squid.conf and create the file.
vim /etc/squid/denied-sites.squid
.youtube.com
.facebook.com
.netflix.com
Next, create an ACL in the squid configuration file for the restricted sites above, and set a deny rule for that ACL.
acl deniedsites dstdomain "/etc/squid/denied-sites.squid"
- Or you can list the domains directly in the ACL statement, separated by spaces. A bare name such as youtube.com matches only that exact host; the leading dot used in the file (.youtube.com) is what makes the entry also match www.youtube.com and other subdomains, so keep the dots in the inline form too.
acl deniedsites dstdomain .youtube.com .facebook.com .netflix.com
Update the proxy configuration file. The deny rule goes before the rule that allows the LAN so that it is evaluated for LAN clients; and because the destination host name is visible in the CONNECT request, dstdomain blocking also covers HTTPS sites.
...
#acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl kifarunix-demo-net src 192.168.58.0/24 # My LAN network ACL
acl deniedsites dstdomain "/etc/squid/denied-sites.squid" ## Sites to Block access to ###
...
http_access allow localhost
http_access deny deniedsites # Deny access to facebook, youtube, netflix
http_access allow kifarunix-demo-net # Allow kifarunix-demo-net
# And finally deny all other access to this proxy
http_access deny all
...
Block sites based on specific keywords
You can also restrict access to websites by keywords in the URL. Create a file containing the keywords, as shown below. Squid matches each line as a case-insensitive regular expression against the whole request URL, so a short keyword also matches unrelated URLs that merely contain it (ads matches downloads), and for HTTPS the proxy only sees host:port from the CONNECT request, never the path;
vim /etc/squid/keyword-ban.squid
porn
ads
movie
gamble
Make the necessary changes to the squid configuration file by adding an ACL for the keywords above;
acl keyword-ban url_regex -i "/etc/squid/keyword-ban.squid"
...
acl kifarunix-demo-net src 192.168.58.0/24 # My LAN network ACL
acl deniedsites dstdomain "/etc/squid/denied-sites.squid" ## Sites to Block access to ###
acl keyword-ban url_regex -i "/etc/squid/keyword-ban.squid" ## Banned Keywords
...
http_access allow localhost
http_access deny deniedsites # Deny access to facebook, youtube, netflix
http_access deny keyword-ban # Deny access based on keywords
http_access allow kifarunix-demo-net # Allow kifarunix-demo-net
http_access deny all
...
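Before putting a keyword list into production it is worth seeing what the regexes actually match. The script below is an added example, not code from the tutorial or from the Squid project; it approximates url_regex -i with grep -E -i -f over a handful of constructed URLs, first with the bare keywords above and then with anchored versions that only match a keyword as a whole host or path component. The sample URLs are invented for the demonstration.

```sh
#!/bin/sh
# Dry-run a Squid url_regex keyword file against sample URLs (added
# example; not part of Squid). Squid compiles url_regex entries as
# case-insensitive POSIX extended regexes and matches them against the
# whole request URL, which grep -E -i -f approximates closely enough to
# spot over-broad keywords before they hit real users.

# Return 0 if URL ($1) would be blocked by the keyword file ($2).
would_block() {
    printf '%s\n' "$1" | grep -E -i -q -f "$2"
}

# Print "BLOCK" or "allow" for each URL in file $2 against keyword file $1.
dry_run() {
    while IFS= read -r url; do
        if would_block "$url" "$1"; then
            printf 'BLOCK %s\n' "$url"
        else
            printf 'allow %s\n' "$url"
        fi
    done < "$2"
}

WORK=$(mktemp -d)

# The bare keywords used in the tutorial.
cat > "$WORK/naive.squid" <<'EOF'
porn
ads
movie
gamble
EOF

# Anchored alternatives: the keyword must be a whole component,
# delimited by start/end of URL or by one of . / : _ -
cat > "$WORK/anchored.squid" <<'EOF'
(^|[./:_-])porn([./:_-]|$)
(^|[./:_-])ads([./:_-]|$)
(^|[./:_-])movie([./:_-]|$)
(^|[./:_-])gamble([./:_-]|$)
EOF

# Constructed URLs: two that should be blocked, two legitimate ones that
# the bare keyword "ads" catches by accident, and a CONNECT target, which
# is all Squid sees of an HTTPS request (host:port, no path).
cat > "$WORK/urls.txt" <<'EOF'
http://ads.example.net/banner.gif
http://example.org/movie/trailer.mp4
http://example.com/downloads/tool.tgz
http://forum.example.com/threads/42
example.org:443
EOF

echo "--- bare keywords"
dry_run "$WORK/naive.squid" "$WORK/urls.txt"
echo "--- anchored keywords"
dry_run "$WORK/anchored.squid" "$WORK/urls.txt"
```

With the bare list, four of the five URLs are blocked, including the downloads and threads URLs; the anchored list blocks only the two intended ones. Whichever list you choose, the CONNECT target is never matched on path, so keyword blocking of HTTPS sites has to work on the host name.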
Note: http_access entries are processed from top to bottom, and the first rule that matches decides whether the request is allowed or denied; rules after the match are not evaluated. A deny rule placed after the rule that allows your LAN therefore never fires for LAN clients.
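As an added example (not from the tutorial or from the Squid project), the script below performs an offline check for the two ordering mistakes the first-match rule makes easy: a policy whose last http_access is not deny all, and a content-blocking rule (dstdomain or url_regex ACL) placed after the rule that allows a source network, which then never fires for those clients. It only reads the directives in the file given to it and does not follow include lines; the two sample configurations are constructed inline for the demonstration.

```sh
#!/bin/sh
# Offline lint for http_access ordering in a squid.conf (added example;
# not part of Squid). Exit 0 when the ordering is sound, 1 otherwise,
# with the reason printed on stdout. Lines pulled in via "include" are
# not followed; run it on each file separately.

strip_comments() {
    # Remove "# ..." trailers and blank lines, keeping directive order.
    sed -e 's/#.*$//' -e '/^[[:space:]]*$/d' "$1"
}

lint_http_access() {
    strip_comments "$1" | awk '
        BEGIN { bad = 0; n = 0; first_allow = 0 }
        # ACLs that filter on destination content (domain or URL).
        $1 == "acl" && ($3 == "dstdomain" || $3 == "url_regex") { content[$2] = 1 }
        # ACLs that identify client networks.
        $1 == "acl" && $3 == "src" { source[$2] = 1 }
        $1 == "http_access" { n++; action[n] = $2; target[n] = $3 }
        END {
            if (n == 0) { print "no http_access rules found"; exit 1 }
            if (!(action[n] == "deny" && target[n] == "all")) {
                print "last rule is not \"http_access deny all\""; bad = 1
            }
            for (i = 1; i <= n; i++) {
                # First rule that opens the proxy to a client network.
                if (action[i] == "allow" && (target[i] in source) && first_allow == 0)
                    first_allow = i
                # A content deny after that allow is dead for those clients.
                if (action[i] == "deny" && (target[i] in content) && first_allow > 0) {
                    printf "rule %d \"deny %s\" comes after \"allow %s\" (rule %d) and never matches for that network\n",
                        i, target[i], target[first_allow], first_allow
                    bad = 1
                }
            }
            exit bad
        }'
}

# Constructed sample configurations for the demonstration.
WORK=$(mktemp -d)
cat > "$WORK/good.conf" <<'EOF'
acl lan src 192.168.58.0/24
acl deniedsites dstdomain "/etc/squid/denied-sites.squid"
acl keyword-ban url_regex -i "/etc/squid/keyword-ban.squid"
http_access deny !Safe_ports
http_access allow localhost
http_access deny deniedsites      # content rules first ...
http_access deny keyword-ban
http_access allow lan             # ... then the network allow
http_access deny all
EOF
cat > "$WORK/bad.conf" <<'EOF'
acl lan src 192.168.58.0/24
acl deniedsites dstdomain "/etc/squid/denied-sites.squid"
http_access allow localhost
http_access allow lan             # LAN allowed here ...
http_access deny deniedsites      # ... so this is never reached for the LAN
http_access deny all
EOF

lint_http_access "$WORK/good.conf" && echo "good.conf: ordering OK"
lint_http_access "$WORK/bad.conf" || echo "bad.conf: rejected"
```

Run it against /etc/squid/squid.conf after squid -k parse: parse only proves the syntax is valid, not that the rules are reachable in the order you intended.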
Hide client and proxy details in outgoing traffic
Although a proxy anonymises your clients' IP addresses by presenting its own address to web servers, by default Squid reveals both the client's address (in an X-Forwarded-For header) and its own presence (in a Via header) in the HTTP requests it forwards. You can disable this by adding the following directives at the end of the squid configuration file.
Disable the Via header in requests and replies with the via directive. After this, squid -k parse prints WARNING: HTTP requires the use of Via; that warning is expected.
via off
Configure Squid not to append your clients' IP addresses to the X-Forwarded-For header in the requests it forwards. With off, Squid sends X-Forwarded-For: unknown; use forwarded_for delete if you want the header removed altogether;
forwarded_for off
Strip further request headers that could reveal the proxy or its cache. Of these, Server, WWW-Authenticate, X-Cache and X-Cache-Lookup are response headers and will not normally appear in requests, so denying them is harmless; Cache-Control and Pragma are legitimate end-to-end request headers, and stripping them means an origin server never sees a client's no-cache request.
request_header_access From deny all
request_header_access Server deny all
request_header_access WWW-Authenticate deny all
request_header_access Link deny all
request_header_access Cache-Control deny all
request_header_access Proxy-Connection deny all
request_header_access X-Cache deny all
request_header_access X-Cache-Lookup deny all
request_header_access Via deny all
request_header_access X-Forwarded-For deny all
request_header_access Pragma deny all
request_header_access Keep-Alive deny all
Change the default proxy port
Squid proxy listens on TCP port 3128 by default.
To change this, open the /etc/squid/squid.conf configuration file and replace the value of http_port with the desired port number.
For example, to change the default port to 8888, provided no other application is listening on that port;
...
# Squid normally listens to port 3128
# http_port 3128 << Comment the line by adding #
http_port 8888
...
You can also make it listen on a specific IP address only (replace the IP address accordingly). Binding to the LAN-facing address rather than to all interfaces keeps the proxy unreachable from any other network the host is attached to;
http_port 192.168.58.26:3128
Once you are done with the configuration, save and exit the file.
Our final squid.conf now looks like this (we kept port 3128 but bound it to the LAN address);
cat /etc/squid/squid.conf
#acl localnet src 0.0.0.1-0.255.255.255 # RFC 1122 "this" network (LAN)
#acl localnet src 10.0.0.0/8 # RFC 1918 local private network (LAN)
#acl localnet src 100.64.0.0/10 # RFC 6598 shared address space (CGN)
#acl localnet src 169.254.0.0/16 # RFC 3927 link-local (directly plugged) machines
#acl localnet src 172.16.0.0/12 # RFC 1918 local private network (LAN)
#acl localnet src 192.168.0.0/16 # RFC 1918 local private network (LAN)
#acl localnet src fc00::/7 # RFC 4193 local private network range
#acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl kifarunix-demo-net src 192.168.58.0/24 # My LAN network ACL
acl deniedsites dstdomain "/etc/squid/denied-sites.squid" ## Sites to Block access to ###
acl keyword-ban url_regex -i "/etc/squid/keyword-ban.squid" ## Banned Keywords
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
include /etc/squid/conf.d/*
http_access allow localhost
http_access deny deniedsites # Deny access to facebook, youtube, netflix
http_access deny keyword-ban # Deny access based on keywords
http_access allow kifarunix-demo-net # Allow kifarunix-demo-net
http_access deny all
#http_port 3128
http_port 192.168.58.26:3128
coredump_dir /var/spool/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
via off
forwarded_for off
request_header_access From deny all
request_header_access Server deny all
request_header_access WWW-Authenticate deny all
request_header_access Link deny all
request_header_access Cache-Control deny all
request_header_access Proxy-Connection deny all
request_header_access X-Cache deny all
request_header_access X-Cache-Lookup deny all
request_header_access Via deny all
request_header_access X-Forwarded-For deny all
request_header_access Pragma deny all
request_header_access Keep-Alive deny all
Check the Squid configuration file for errors
squid -k parse
If there are any syntax errors, the offending line is reported. Always run this command after modifying the configuration.
Sample configuration check output;
2021/10/20 09:40:17| Startup: Initializing Authentication Schemes ...
2021/10/20 09:40:17| Startup: Initialized Authentication Scheme 'basic'
2021/10/20 09:40:17| Startup: Initialized Authentication Scheme 'digest'
2021/10/20 09:40:17| Startup: Initialized Authentication Scheme 'negotiate'
2021/10/20 09:40:17| Startup: Initialized Authentication Scheme 'ntlm'
2021/10/20 09:40:17| Startup: Initialized Authentication.
2021/10/20 09:40:17| Processing Configuration File: /etc/squid/squid.conf (depth 0)
2021/10/20 09:40:17| Processing: acl kifarunix-demo-net src 192.168.58.0/24 # My LAN network ACL
2021/10/20 09:40:17| Processing: acl deniedsites dstdomain "/etc/squid/denied-sites.squid" ## Sites to Block access to ###
2021/10/20 09:40:17| Processing: acl keyword-ban url_regex -i "/etc/squid/keyword-ban.squid" ## Banned Keywords
2021/10/20 09:40:17| Processing: acl SSL_ports port 443
2021/10/20 09:40:17| Processing: acl Safe_ports port 80 # http
2021/10/20 09:40:17| Processing: acl Safe_ports port 21 # ftp
2021/10/20 09:40:17| Processing: acl Safe_ports port 443 # https
2021/10/20 09:40:17| Processing: acl Safe_ports port 70 # gopher
2021/10/20 09:40:17| Processing: acl Safe_ports port 210 # wais
2021/10/20 09:40:17| Processing: acl Safe_ports port 1025-65535 # unregistered ports
2021/10/20 09:40:17| Processing: acl Safe_ports port 280 # http-mgmt
2021/10/20 09:40:17| Processing: acl Safe_ports port 488 # gss-http
2021/10/20 09:40:17| Processing: acl Safe_ports port 591 # filemaker
2021/10/20 09:40:17| Processing: acl Safe_ports port 777 # multiling http
2021/10/20 09:40:17| Processing: acl CONNECT method CONNECT
2021/10/20 09:40:17| Processing: http_access deny !Safe_ports
2021/10/20 09:40:17| Processing: http_access deny CONNECT !SSL_ports
2021/10/20 09:40:17| Processing: http_access allow localhost manager
2021/10/20 09:40:17| Processing: http_access deny manager
2021/10/20 09:40:17| Processing: include /etc/squid/conf.d/*
2021/10/20 09:40:17| Processing Configuration File: /etc/squid/conf.d/debian.conf (depth 1)
2021/10/20 09:40:17| Processing: logfile_rotate 0
2021/10/20 09:40:17| Processing: http_access allow localhost
2021/10/20 09:40:17| Processing: http_access deny deniedsites # Deny access to facebook, youtube, netflix
2021/10/20 09:40:17| Processing: http_access deny keyword-ban # Deny access based on keywords
2021/10/20 09:40:17| Processing: http_access allow kifarunix-demo-net # Allow kifarunix-demo-net
2021/10/20 09:40:17| Processing: http_access deny all
2021/10/20 09:40:17| Processing: http_port 192.168.58.26:3128
2021/10/20 09:40:17| Processing: coredump_dir /var/spool/squid
2021/10/20 09:40:17| Processing: refresh_pattern ^ftp: 1440 20% 10080
2021/10/20 09:40:17| Processing: refresh_pattern ^gopher: 1440 0% 1440
2021/10/20 09:40:17| Processing: refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
2021/10/20 09:40:17| Processing: refresh_pattern . 0 20% 4320
2021/10/20 09:40:17| Processing: via off
2021/10/20 09:40:17| Processing: forwarded_for off
2021/10/20 09:40:17| Processing: request_header_access From deny all
2021/10/20 09:40:17| Processing: request_header_access Server deny all
2021/10/20 09:40:17| Processing: request_header_access WWW-Authenticate deny all
2021/10/20 09:40:17| Processing: request_header_access Link deny all
2021/10/20 09:40:17| Processing: request_header_access Cache-Control deny all
2021/10/20 09:40:17| Processing: request_header_access Proxy-Connection deny all
2021/10/20 09:40:17| Processing: request_header_access X-Cache deny all
2021/10/20 09:40:17| Processing: request_header_access X-Cache-Lookup deny all
2021/10/20 09:40:17| Processing: request_header_access Via deny all
2021/10/20 09:40:17| Processing: request_header_access X-Forwarded-For deny all
2021/10/20 09:40:17| Processing: request_header_access Pragma deny all
2021/10/20 09:40:17| Processing: request_header_access Keep-Alive deny all
2021/10/20 09:40:17| WARNING: HTTP requires the use of Via
2021/10/20 09:40:17| Initializing https:// proxy context
Restart the proxy
Once done with the configuration, save the file and restart squid.
You can reload the Squid configuration without actually restarting it with;
squid -k reconfigure
If you want to restart the service instead;
systemctl restart squid
Check that Squid is listening on the configured address and port. In this case we kept the default port but bound it to the LAN address;
ss -altnp | grep 3128
LISTEN 0 256 192.168.58.26:3128 0.0.0.0:* users:(("squid",pid=1948,fd=12))
Allow the Squid port through the firewall
If UFW is running, open the squid proxy port. If the proxy should only serve your LAN, scope the rule to that source network instead (for example, ufw allow from 192.168.58.0/24 to any port 3128 proto tcp) rather than opening the port to everyone;
ufw allow 3128/tcp
Configure clients to connect through the proxy server
To configure endpoints to reach the Internet through the Squid proxy server, you can set a system-wide proxy configuration, configure the client to use the Squid host as its gateway, or set the proxy in the browser.
System-wide proxy configuration on Debian 11/Debian 10
To set a system-wide proxy configuration, create a file under /etc/profile.d that defines environment variables with the Squid proxy server details, as shown below;
vim /etc/profile.d/squid.sh
Replace the Squid server IP address accordingly. Include the http:// scheme, which most tools expect in these variables.
PROXY_URL="http://192.168.58.26:3128"
HTTP_PROXY=$PROXY_URL
HTTPS_PROXY=$PROXY_URL
FTP_PROXY=$PROXY_URL
http_proxy=$PROXY_URL
https_proxy=$PROXY_URL
ftp_proxy=$PROXY_URL
export HTTP_PROXY HTTPS_PROXY FTP_PROXY http_proxy https_proxy ftp_proxy
Then source the new profile.
source /etc/profile.d/squid.sh
To test this, try downloading anything from the client while tailing the access log on the squid proxy server.
On the client's terminal, run;
wget google.com
--2021-10-20 02:46:02-- http://google.com/
Connecting to 192.168.58.26:3128... connected.
Proxy request sent, awaiting response... 301 Moved Permanently
Location: http://www.google.com/ [following]
--2021-10-20 02:46:02-- http://www.google.com/
Reusing existing connection to 192.168.58.26:3128.
Proxy request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: ‘index.html’
index.html [ <=> ] 14.54K --.-KB/s in 0s
2021-10-20 02:46:03 (29.4 MB/s) - ‘index.html’ saved [14894]
On the Squid proxy server;
tail -f /var/log/squid/access.log
1634712362.509 467 192.168.58.1 TCP_MISS/301 656 GET http://google.com/ - HIER_DIRECT/216.58.223.110 text/html
1634712363.038 526 192.168.58.1 TCP_MISS/200 15816 GET http://www.google.com/ - HIER_DIRECT/216.58.223.68 text/html
Configure proxy settings in Firefox.
In Firefox, configure it to reach external networks through your Squid server: Preferences > General > Network Settings > Manual proxy configuration. Tick Use this proxy server for all protocols. With the deny rules in place, a browser request for youtube over HTTPS shows up in the access log as a denied CONNECT;
tail -f /var/log/squid/access.log
1634717782.953 0 192.168.58.12 TCP_DENIED/403 4007 CONNECT youtube.com:443 - HIER_NONE/- text/html
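Once the proxy is in use, the access log is also your detection source: every request refused by an http_access rule is recorded as TCP_DENIED/403. The script below is an added example, not from the tutorial or from the Squid project, that summarises denials from the native access.log format shown above. The sample log is constructed for the demonstration from the lines above plus a few invented denials, including one from an address outside the LAN ACL, which is the kind of entry worth alerting on.

```sh
#!/bin/sh
# Summarise http_access denials from Squid's native access.log format
# (added example; not part of Squid). Field layout of the native format:
#   1 timestamp  2 duration(ms)  3 client IP  4 result/status  5 bytes
#   6 method     7 URL           8 user       9 hierarchy/peer 10 MIME type

# Constructed sample log: the lines shown above plus invented denials.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
1634712362.509    467 192.168.58.1 TCP_MISS/301 656 GET http://google.com/ - HIER_DIRECT/216.58.223.110 text/html
1634712363.038    526 192.168.58.1 TCP_MISS/200 15816 GET http://www.google.com/ - HIER_DIRECT/216.58.223.68 text/html
1634717782.953      0 192.168.58.12 TCP_DENIED/403 4007 CONNECT youtube.com:443 - HIER_NONE/- text/html
1634717790.101      0 192.168.58.12 TCP_DENIED/403 4007 CONNECT www.facebook.com:443 - HIER_NONE/- text/html
1634717795.222      0 192.168.58.7 TCP_DENIED/403 3990 GET http://example.org/movie/trailer.mp4 - HIER_NONE/- text/html
1634717800.333      0 10.9.9.9 TCP_DENIED/403 3950 CONNECT youtube.com:443 - HIER_NONE/- text/html
EOF

# "count client" for every client that hit a deny rule, busiest first.
denied_by_client() {
    awk '$4 ~ /^TCP_DENIED\// { c[$3]++ } END { for (k in c) print c[k], k }' "$1" | sort -rn
}

# "count host" of denied destinations; scheme, port and path are stripped
# so CONNECT targets (host:443) and plain URLs aggregate on the host name.
denied_destinations() {
    awk '$4 ~ /^TCP_DENIED\// {
             u = $7
             sub(/^[a-z]+:\/\//, "", u)   # drop "http://"
             sub(/[:\/].*$/, "", u)       # drop ":port" or "/path..."
             c[u]++
         }
         END { for (k in c) print c[k], k }' "$1" | sort -rn
}

# Clients outside the allowed network that were refused: with the policy
# above they can only have hit "http_access deny all", i.e. something that
# should not be talking to the proxy at all. $2 is the dotted LAN prefix
# including its trailing dot (e.g. "192.168.58."); a real CIDR test needs
# more than a string prefix, which is good enough for a /24 like this one.
denied_outside_lan() {
    awk -v lan="$2" '$4 ~ /^TCP_DENIED\// && index($3, lan) != 1 { print $3 }' "$1" | sort -u
}

echo "--- denials per client";     denied_by_client "$SAMPLE_LOG"
echo "--- denied destinations";    denied_destinations "$SAMPLE_LOG"
echo "--- denied clients off-LAN"; denied_outside_lan "$SAMPLE_LOG" "192.168.58."
```

Point the functions at /var/log/squid/access.log instead of the sample to use them on a live proxy; since logfile_rotate is 0 in Debian's conf.d/debian.conf, rotation is left to logrotate, so the current file is always the one to read.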
That is how to install Squid and configure basic access controls that block or deny access to external resources. This marks the end of our tutorial on how to install and configure Squid proxy on Debian 11/Debian 10.