How do I configure an Ubuntu server running Squid as a gateway?
I'm trying to set up a transparent proxy for content filtering using Squid 3.3.8 running on Ubuntu 14.04.5.
I want to run it as a transparent proxy alongside the clients, i.e. the Squid server currently runs on 192.168.2.212 and the clients are also in the 192.168.2.0 range.
Other network addresses: Gateway: 192.168.2.254, Primary DNS: 192.168.2.12, Secondary DNS: 192.168.2.6, DHCP server: 192.168.2.10
Ideally I'd like to change the DHCP server settings to hand out 192.168.2.212 as the gateway, letting Squid filter the requests and then pass them on to the router as normal.
I did manage to get it partly working on a test server through an iptables configuration, although it only allowed http traffic because I didn't have a version of Squid configured for https.
Here is my Squid config:
```
## Access Control Lists
acl localnet src 192.168.2.0/24 # RFC1918 possible internal network
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl ads dstdomain "/etc/squid3/ads"
acl adsurl url_regex "/etc/squid3/adsurl"
acl aggressive dstdomain "/etc/squid3/aggressive"
acl aggressiveurl url_regex "/etc/squid3/aggressiveurl"
acl alcohol dstdomain "/etc/squid3/alcohol"
acl alcoholurl url_regex "/etc/squid3/alcoholurls"
acl anonvpn dstdomain "/etc/squid3/anonvpn"
acl anonvpnurl url_regex "/etc/squid3/anonvpnurl"
acl automobiles dstdomain "/etc/squid3/automobiles"
acl automobilesurl url_regex "/etc/squid3/automobilesurl"
acl chat dstdomain "/etc/squid3/chat"
acl chaturl url_regex "/etc/squid3/chaturl"
acl costtrap dstdomain "/etc/squid3/costtrap"
acl costtrapurl url_regex "/etc/squid3/costtrapurl"
acl dating dstdomain "/etc/squid3/dating"
acl datingurl url_regex "/etc/squid3/datingurl"
acl downloads dstdomain "/etc/squid3/downloads"
acl downloadsurl url_regex "/etc/squid3/downloadsurl"
acl drugs dstdomain "/etc/squid3/drugs"
acl drugsurl url_regex "/etc/squid3/drugsurl"
acl dynamicdns dstdomain "/etc/squid3/dynamicdns"
acl fortunetelling dstdomain "/etc/squid3/fortunetelling"
acl fortunetellingurl url_regex "/etc/squid3/fortunetellingurl"
acl forum dstdomain "/etc/squid3/forum"
acl forumurl url_regex "/etc/squid3/forumurl"
acl gambling dstdomain "/etc/squid3/gambling"
acl gamblingurl url_regex "/etc/squid3/gamblingurl"
acl hacking dstdomain "/etc/squid3/hacking"
acl hackingurl url_regex "/etc/squid3/hackingurl"
acl hobby_online_games dstdomain "/etc/squid3/hobby_online_games"
acl hobby_online_gamesurl url_regex "/etc/squid3/hobby_online_gamesurl"
acl games_misc dstdomain "/etc/squid3/games_misc"
acl games_miscurl url_regex "/etc/squid3/games_miscurl"
acl imagehosting dstdomain "/etc/squid3/imagehosting"
acl imagehostingurl url_regex "/etc/squid3/imagehostingurl"
acl models dstdomain "/etc/squid3/models"
acl modelsurl url_regex "/etc/squid3/modelsurl"
acl movies dstdomain "/etc/squid3/movies"
acl moviesurl url_regex "/etc/squid3/moviesurl"
acl music dstdomain "/etc/squid3/music"
acl musicurl url_regex "/etc/squid3/musicurl"
acl podcasts dstdomain "/etc/squid3/podca"
acl podcastsurl url_regex "/etc/squid3/podcastsurl"
acl radiotv dstdomain "/etc/squid3/radiotv"
acl radiotvurl url_regex "/etc/squid3/radiotvurl"
acl redirector dstdomain "/etc/squid3/redirector"
acl redirectorurl url_regex "/etc/squid3/redirectorurl"
acl ringtones dstdomain "/etc/squid3/ringtones"
acl ringtonesurl url_regex "/etc/squid3/ringtonesurl"
acl sex_lingerie dstdomain "/etc/squid3/sex_lingerie"
acl sex_lingerieurl url_regex "/etc/squid3/sex_lingerieurl"
acl shopping dstdomain "/etc/squid3/shopping"
acl shoppingurl url_regex "/etc/squid3/shoppingurl"
acl socialnet dstdomain "/etc/squid3/socialnet"
acl socialneturl url_regex "/etc/squid3/socialneturl"
acl spyware dstdomain "/etc/squid3/spyware"
acl spywareurl url_regex "/etc/squid3/spywareurl"
acl tracker dstdomain "/etc/squid3/tracker"
acl trackerurl url_regex "/etc/squid3/trackerurl"
acl violence dstdomain "/etc/squid3/violence"
acl violenceurl url_regex "/etc/squid3/violenceurl"
acl warez dstdomain "/etc/squid3/warez"
acl warezurl url_regex "/etc/squid3/warezurl"
acl weapons dstdomain "/etc/squid3/weapons"
acl weaponsurl url_regex "/etc/squid3/weaponsurl"
acl webmail dstdomain "/etc/squid3/webmail"
acl webmailurl url_regex "/etc/squid3/webmailurl"
acl webphone dstdomain "/etc/squid3/webphone"
acl webphoneurl url_regex "/etc/squid3/webphoneurl"
acl webradio dstdomain "/etc/squid3/webradio"
acl webradiourl url_regex "/etc/squid3/webradiourl"
acl webtv dstdomain "/etc/squid3/webtv"
acl webtvurl url_regex "/etc/squid3/webtvurl"
acl smluk src 192.168.0.0/24
acl humour dstdomain "/etc/squid3/humour"
acl humoururl url_regex "/etc/squid3/humoururl"
acl Proxy port "/etc/squid3/proxallow"
acl Allow url_regex "/etc/squid3/allow"

## Allow and Deny Lists
http_access allow Allow
http_access deny ads
http_access deny adsurl
http_access deny aggressive
http_access deny aggressiveurl
http_access deny alcohol
http_access deny alcoholurl
http_access deny anonvpn
http_access deny anonvpnurl
http_access deny automobiles
http_access deny automobilesurl
http_access deny chat
http_access deny chaturl
http_access deny costtrap
http_access deny costtrapurl
http_access deny dating
http_access deny datingurl
http_access deny downloads
http_access deny downloadsurl
http_access deny drugs
http_access deny drugsurl
http_access deny dynamicdns
http_access deny fortunetelling
http_access deny fortunetellingurl
http_access deny forum
http_access deny forumurl
http_access deny gambling
http_access deny gamblingurl
http_access deny hacking
http_access deny hackingurl
http_access deny hobby_online_games
http_access deny hobby_online_gamesurl
http_access deny games_misc
http_access deny games_miscurl
http_access deny imagehosting
http_access deny imagehostingurl
http_access deny models
http_access deny modelsurl
http_access deny warezurl
http_access deny weapons
http_access deny weaponsurl
http_access deny webmail
http_access deny webmailurl
http_access deny webphone
http_access deny movies
http_access deny moviesurl
http_access deny warezurl
http_access deny weapons
http_access deny weaponsurl
http_access deny webmail
http_access deny webmailurl
http_access deny webphone
http_access deny music
http_access deny musicurl
http_access deny podcasts
http_access deny podcastsurl
http_access deny radiotv
http_access deny radiotvurl
http_access deny redirector
http_access deny redirectorurl
http_access deny ringtones
http_access deny ringtonesurl
http_access deny sex_lingerie
http_access deny sex_lingerieurl
http_access deny shopping
http_access deny shoppingurl
http_access deny socialnet
http_access deny socialneturl
http_access deny warezurl
http_access deny weapons
http_access deny weaponsurl
http_access deny webmail
http_access deny webmailurl
http_access deny webphone
http_access deny spyware
http_access deny spywareurl
http_access deny tracker
http_access deny trackerurl
http_access deny violence
http_access deny violenceurl
http_access deny warez
http_access deny warezurl
http_access deny weapons
http_access deny weaponsurl
http_access deny webmail
http_access deny webmailurl
http_access deny webphone
http_access deny webphoneurl
http_access deny webradio
http_access deny webradiourl
http_access deny webtv
http_access deny webtvurl
http_access deny humour
http_access deny humoururl
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny manager
http_access allow Proxy
http_access allow localhost manager
http_access allow localhost
http_access allow localnet
http_access allow smluk
http_access deny all
acl ident_aware_hosts src 198.168.0.0/24
ident_lookup_access allow ident_aware_hosts
ident_lookup_access deny all
#http_port 3129
#http_port 3128 intercept
http_port 3129
http_port 0.0.0.0:3128 intercept
https_port 0.0.0.0:3130 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=16MB cert=/etc/squid3/ssl_certs/myCA.pem
cache_dir ufs /var/spool/squid3 100 16 256
coredump_dir /var/spool/squid3
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880
refresh_pattern . 0 20% 4320
cache_effective_user proxy
cache_effective_group proxy

## Cache Stuff
cache_dir ufs /var/spool/squid3 100 16 256
coredump_dir /var/spool/squid3
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880
refresh_pattern . 0 20% 4320
cache_effective_user proxy
cache_effective_group proxy
access_log daemon:/var/log/squid3/access.log squid
log_fqdn on
memory_pools on
memory_pools_limit none

## DNS Options
dns_timeout 10 seconds
dns_nameservers 192.168.2.12 192.168.2.6 192.168.2.3 # DNS Server
```
I have cleared any iptables rules for now.
Looking at netstat I can see the server is listening on 3128. I tried to open 3130 but I think I'm not using the correct format or something.
```
tcp 0 0 0.0.0.0:3128 0.0.0.0:* LISTEN
```
I tried prerouting in iptables to intercept port 80 to port 3128 and port 443 to port 3130, and it doesn't seem to work properly.
Here is what I tried:
```
-A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
-A PREROUTING -t nat -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 3130
```
And:
```
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.2.212:3128
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A POSTROUTING -s 192.168.2.0/24 -o eth0 -j MASQUERADE
-A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.2.212:3130
-A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3130
-A POSTROUTING -s 192.168.2.0/24 -o eth0 -j MASQUERADE
```
Any help would be appreciated.
Also, my overall experience with Ubuntu/Linux is limited to modifying this server for my workplace.
Update 1
I now have http working.
I added
```
-A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
```
Why it worked this time and not the other times, I don't know.
I tried using the same method to redirect 443 to 3130, but I still can't connect to any https sites.
The iptables setup you tried first is correct. Just add a REDIRECT line for port 443 next to the one for port 80. You won't easily see it working until the Squid part is working as well.
Without any ssl_bump lines in squid.conf telling Squid how to bump the traffic, SSL-Bumping will be disabled.
Also, because TLS changes so often, the Squid SSL-Bump feature has had many updates since 3.3.8 just to keep working with current browsers and servers. At the time of writing, Squid-3.5.19 or later is needed. You can get a copy of that version from the Debian Sid repository as the "squid" package, but you will still need to rebuild it yourself with OpenSSL support.
http://wiki.squid-cache.org/Features/SslPeekAndSplice explains how Squid-3.5 SSL-Bump works and how to set up its ssl_bump rules.
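An added example that is not code from the question or the answer: it emits the two REDIRECT rules the answer says are correct (kept to LAN clients and to destinations outside the LAN, so nothing is looped back into the proxy), and it checks a squid.conf for the condition the answer describes, an https_port with ssl-bump but no ssl_bump rule. It assumes the addresses and ports from the question and the path /etc/squid3/squid.conf; APPLY and SQUID_CONF are hypothetical environment variables.

```shell
#!/bin/sh
# Added example, not code from the question or the answer. Assumes the layout in
# the question: Squid on eth0 in 192.168.2.0/24, listening on 3128 (http
# intercept) and 3130 (https intercept). REDIRECT sends to the incoming
# interface's own address, so the proxy IP itself is not needed here.
LAN="${LAN:-192.168.2.0/24}"
IFACE="${IFACE:-eth0}"

# Emit the nat rules as text so they can be reviewed (or diffed against
# `iptables-save -t nat`) before anything is applied.
gateway_nat_rules() {
    # Only LAN clients are redirected, and only for destinations outside the
    # LAN, so connections to the proxy itself are never looped back into Squid.
    for pair in "80 3128" "443 3130"; do
        set -- $pair   # $1 = client port, $2 = Squid intercept port
        echo "-A PREROUTING -i $IFACE -s $LAN ! -d $LAN -p tcp --dport $1 -j REDIRECT --to-ports $2"
    done
    # Everything else the clients send via this gateway is masqueraded so the
    # replies come back through the proxy rather than straight from the router.
    echo "-A POSTROUTING -s $LAN -o $IFACE -j MASQUERADE"
}

# Checks the prerequisite the answer points out: an https_port with ssl-bump
# is only half of it; without at least one ssl_bump rule bumping stays off.
# Returns 0 = ok, 1 = ssl-bump port but no ssl_bump rule, 2 = no ssl-bump port.
check_sslbump_conf() {
    conf="$1"
    grep -Eq '^[[:space:]]*https_port[[:space:]].*ssl-bump' "$conf" || return 2
    grep -Eq '^[[:space:]]*ssl_bump[[:space:]]' "$conf" || return 1
    return 0
}

# Default is a dry run that only prints; set APPLY=yes to load the rules.
if [ "${APPLY:-no}" = "yes" ]; then
    sysctl -w net.ipv4.ip_forward=1
    gateway_nat_rules | while read -r rule; do
        # shellcheck disable=SC2086   (word splitting of $rule is intended)
        iptables -t nat $rule
    done
else
    gateway_nat_rules
    SQUID_CONF="${SQUID_CONF:-/etc/squid3/squid.conf}"
    if [ -f "$SQUID_CONF" ]; then
        rc=0; check_sslbump_conf "$SQUID_CONF" || rc=$?
        echo "ssl-bump check on $SQUID_CONF: $rc (0=ok 1=no ssl_bump rule 2=no ssl-bump port)"
    fi
fi
```

The dry run prints exactly what `iptables -t nat` would be given, which is also the form you can compare against `iptables-save -t nat` on the running box.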