Ubuntu

How do I configure an Ubuntu server running Squid as a gateway?

  • September 27, 2016

I am trying to set up a transparent proxy server for content filtering using Squid 3.3.8 running on Ubuntu 14.04.5.

I want to run it as a transparent proxy alongside the clients. I.e. the Squid server is currently running on 192.168.2.212, and the clients are also in the 192.168.2.0 range.

Other network addresses:
Gateway: 192.168.2.254
Primary DNS: 192.168.2.12
Secondary DNS: 192.168.2.6
DHCP server: 192.168.2.10

Ideally I would like to change the DHCP server settings to hand out 192.168.2.212 as the gateway, allowing Squid to filter the requests and then let them pass on to the router as normal.

I did manage to get it partially working on a test server via an iptables configuration, although it only allowed http traffic because I did not have a version of Squid configured for https.

Here is my Squid config:

   ## Access Control Lists 

   acl localnet src 192.168.2.0/24 # RFC1918 possible internal network
   acl SSL_ports port 443
   acl Safe_ports port 80 # http
   acl Safe_ports port 21 # ftp
   acl Safe_ports port 443 # https
   acl Safe_ports port 70 # gopher
   acl Safe_ports port 210 # wais
   acl Safe_ports port 1025-65535 # unregistered ports
   acl Safe_ports port 280 # http-mgmt
   acl Safe_ports port 488 # gss-http
   acl Safe_ports port 591 # filemaker
   acl Safe_ports port 777 # multiling http
   acl CONNECT method CONNECT
   acl ads dstdomain "/etc/squid3/ads"
   acl adsurl url_regex "/etc/squid3/adsurl"
   acl aggressive dstdomain "/etc/squid3/aggressive"
   acl aggressiveurl url_regex "/etc/squid3/aggressiveurl"
   acl alcohol dstdomain "/etc/squid3/alcohol"
   acl alcoholurl url_regex "/etc/squid3/alcoholurls"
   acl anonvpn dstdomain "/etc/squid3/anonvpn"
   acl anonvpnurl url_regex "/etc/squid3/anonvpnurl"
   acl automobiles dstdomain "/etc/squid3/automobiles"
   acl automobilesurl url_regex "/etc/squid3/automobilesurl"
   acl chat dstdomain "/etc/squid3/chat"
   acl chaturl url_regex "/etc/squid3/chaturl"
   acl costtrap dstdomain "/etc/squid3/costtrap"
   acl costtrapurl url_regex "/etc/squid3/costtrapurl"
   acl dating dstdomain "/etc/squid3/dating"
   acl datingurl url_regex "/etc/squid3/datingurl"
   acl downloads dstdomain "/etc/squid3/downloads"
   acl downloadsurl url_regex "/etc/squid3/downloadsurl"
   acl drugs dstdomain "/etc/squid3/drugs"
   acl drugsurl url_regex "/etc/squid3/drugsurl"
   acl dynamicdns dstdomain "/etc/squid3/dynamicdns"
   acl fortunetelling dstdomain "/etc/squid3/fortunetelling"
   acl fortunetellingurl url_regex "/etc/squid3/fortunetellingurl"
   acl forum dstdomain "/etc/squid3/forum"
   acl forumurl url_regex "/etc/squid3/forumurl"
   acl gambling dstdomain "/etc/squid3/gambling"
   acl gamblingurl url_regex "/etc/squid3/gamblingurl"
   acl hacking dstdomain "/etc/squid3/hacking"
   acl hackingurl url_regex "/etc/squid3/hackingurl"
   acl hobby_online_games dstdomain "/etc/squid3/hobby_online_games"
   acl hobby_online_gamesurl url_regex "/etc/squid3/hobby_online_gamesurl"
   acl games_misc dstdomain "/etc/squid3/games_misc"
   acl games_miscurl url_regex "/etc/squid3/games_miscurl"
   acl imagehosting dstdomain "/etc/squid3/imagehosting"
   acl imagehostingurl url_regex "/etc/squid3/imagehostingurl"
   acl models dstdomain "/etc/squid3/models"
   acl modelsurl url_regex "/etc/squid3/modelsurl"
   acl movies dstdomain "/etc/squid3/movies"
   acl moviesurl url_regex "/etc/squid3/moviesurl"
   acl music dstdomain "/etc/squid3/music"
   acl musicurl url_regex "/etc/squid3/musicurl"
   acl podcasts dstdomain "/etc/squid3/podca"
   acl podcastsurl url_regex "/etc/squid3/podcastsurl"
   acl radiotv dstdomain "/etc/squid3/radiotv"
   acl radiotvurl url_regex "/etc/squid3/radiotvurl"
   acl redirector dstdomain "/etc/squid3/redirector"
   acl redirectorurl url_regex "/etc/squid3/redirectorurl"
   acl ringtones dstdomain "/etc/squid3/ringtones"
   acl ringtonesurl url_regex "/etc/squid3/ringtonesurl"
   acl sex_lingerie dstdomain "/etc/squid3/sex_lingerie"
   acl sex_lingerieurl url_regex "/etc/squid3/sex_lingerieurl"
   acl shopping dstdomain "/etc/squid3/shopping"
   acl shoppingurl url_regex "/etc/squid3/shoppingurl"
   acl socialnet dstdomain "/etc/squid3/socialnet"
   acl socialneturl url_regex "/etc/squid3/socialneturl"
   acl spyware dstdomain "/etc/squid3/spyware"
   acl spywareurl url_regex "/etc/squid3/spywareurl"
   acl tracker dstdomain "/etc/squid3/tracker"
   acl trackerurl url_regex "/etc/squid3/trackerurl"
   acl violence dstdomain "/etc/squid3/violence"
   acl violenceurl url_regex "/etc/squid3/violenceurl"
   acl warez dstdomain "/etc/squid3/warez"
   acl warezurl url_regex "/etc/squid3/warezurl"
   acl weapons dstdomain "/etc/squid3/weapons"
   acl weaponsurl url_regex "/etc/squid3/weaponsurl"
   acl webmail dstdomain "/etc/squid3/webmail"
   acl webmailurl url_regex "/etc/squid3/webmailurl"
   acl webphone dstdomain "/etc/squid3/webphone"
   acl webphoneurl url_regex "/etc/squid3/webphoneurl"
   acl webradio dstdomain "/etc/squid3/webradio"
   acl webradiourl url_regex "/etc/squid3/webradiourl"
   acl webtv dstdomain "/etc/squid3/webtv"
   acl webtvurl url_regex "/etc/squid3/webtvurl"
   acl smluk src 192.168.0.0/24
   acl humour dstdomain "/etc/squid3/humour"
   acl humoururl url_regex "/etc/squid3/humoururl"
   acl Proxy port "/etc/squid3/proxallow"
   acl Allow url_regex "/etc/squid3/allow"

   ## Allow and Deny Lists

   http_access allow Allow
   http_access deny ads
   http_access deny adsurl
   http_access deny aggressive
   http_access deny aggressiveurl
   http_access deny alcohol
   http_access deny alcoholurl
   http_access deny anonvpn
   http_access deny anonvpnurl
   http_access deny automobiles
   http_access deny automobilesurl
   http_access deny chat
   http_access deny chaturl
   http_access deny costtrap
   http_access deny costtrapurl
   http_access deny dating
   http_access deny datingurl
   http_access deny downloads
   http_access deny downloadsurl
   http_access deny drugs
   http_access deny drugsurl
   http_access deny dynamicdns
   http_access deny fortunetelling
   http_access deny fortunetellingurl
   http_access deny forum
   http_access deny forumurl
   http_access deny gambling
   http_access deny gamblingurl
   http_access deny hacking
   http_access deny hackingurl
   http_access deny hobby_online_games
   http_access deny hobby_online_gamesurl
   http_access deny games_misc
   http_access deny games_miscurl
   http_access deny imagehosting
   http_access deny imagehostingurl
   http_access deny models
   http_access deny modelsurl
   http_access deny warezurl
   http_access deny weapons
   http_access deny weaponsurl
   http_access deny webmail
   http_access deny webmailurl
   http_access deny webphone
   http_access deny movies
   http_access deny moviesurl
   http_access deny warezurl
   http_access deny weapons
   http_access deny weaponsurl
   http_access deny webmail
   http_access deny webmailurl
   http_access deny webphone
   http_access deny music
   http_access deny musicurl
   http_access deny podcasts
   http_access deny podcastsurl
   http_access deny radiotv
   http_access deny radiotvurl
   http_access deny redirector
   http_access deny redirectorurl
   http_access deny ringtones
   http_access deny ringtonesurl
   http_access deny sex_lingerie
   http_access deny sex_lingerieurl
   http_access deny shopping
   http_access deny shoppingurl
   http_access deny socialnet
   http_access deny socialneturl
   http_access deny warezurl
   http_access deny weapons
   http_access deny weaponsurl
   http_access deny webmail
   http_access deny webmailurl
   http_access deny webphone
   http_access deny spyware
   http_access deny spywareurl
   http_access deny tracker
   http_access deny trackerurl
   http_access deny violence
   http_access deny violenceurl
   http_access deny warez
   http_access deny warezurl
   http_access deny weapons
   http_access deny weaponsurl
   http_access deny webmail
   http_access deny webmailurl
   http_access deny webphone
   http_access deny webphoneurl
   http_access deny webradio
   http_access deny webradiourl
   http_access deny webtv
   http_access deny webtvurl
   http_access deny humour
   http_access deny humoururl
   http_access deny !Safe_ports
   http_access deny CONNECT !SSL_ports
   http_access deny manager
   http_access allow Proxy
   http_access allow localhost manager
   http_access allow localhost
   http_access allow localnet
   http_access allow smluk
   http_access deny all
   acl ident_aware_hosts src 198.168.0.0/24
   ident_lookup_access allow ident_aware_hosts
   ident_lookup_access deny all
   #http_port 3129
   #http_port 3128 intercept

   http_port 3129
   http_port 0.0.0.0:3128 intercept
   https_port 0.0.0.0:3130 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=16MB cert=/etc/squid3/ssl_certs/myCA.pem

   ## Cache Stuff
   cache_dir ufs /var/spool/squid3 100 16 256
   coredump_dir /var/spool/squid3
   refresh_pattern ^ftp:       1440    20% 10080
   refresh_pattern ^gopher:    1440    0%  1440
   refresh_pattern -i (/cgi-bin/|\?) 0 0%  0
   refresh_pattern (Release|Packages(.gz)*)$      0       20%     2880
   refresh_pattern .       0   20% 4320
   cache_effective_user proxy
   cache_effective_group proxy

   access_log daemon:/var/log/squid3/access.log squid
   log_fqdn on


   memory_pools on
   memory_pools_limit none

   ## DNS Options

   dns_timeout 10 seconds
   dns_nameservers 192.168.2.12 192.168.2.6 192.168.2.3 # DNS Server

I have temporarily cleared out any kind of iptables rules.

Looking at netstat I can see the server is listening on 3128. I tried opening 3130 but I think I am not using the correct format or something.

   tcp        0      0 0.0.0.0:3128            0.0.0.0:*               LISTEN  

I tried a PREROUTING rule in iptables to intercept port 80 to port 3128 and port 443 to 3130, and it does not seem to work properly.

Here is what I tried:

   -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
   -A PREROUTING -t nat -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 3130

and:

   -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.2.212:3128
   -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
   -A POSTROUTING -s 192.168.2.0/24 -o eth0 -j MASQUERADE
   -A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.2.212:3130
   -A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3130
   -A POSTROUTING -s 192.168.2.0/24 -o eth0 -j MASQUERADE

Any help would be greatly appreciated.

Also, my overall experience with Ubuntu/Linux is limited to modifying this server for my workplace.

Update 1

I now have http working.

I added

   -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

Why it worked this time and not the other times, I don't know.

I tried using the same method to redirect 443 to 3130, but I still cannot connect to any https sites.

The iptables setup you tried first is correct. Just add a REDIRECT line for port 443 next to the one for port 80. You will not easily see it working until the Squid part works as well.

Without any ssl_bump lines in squid.conf telling Squid how to bump the traffic, SSL-Bumping will be disabled.

Also, since TLS changes so frequently, the Squid SSL-Bump feature has undergone many updates since 3.3.8 just to keep working with current browsers and servers. At the time of writing, Squid-3.5.19 or later is required. You can get a copy of that version as the "squid" package from the Debian Sid repository, but you will still need to rebuild it yourself with OpenSSL support.

http://wiki.squid-cache.org/Features/SslPeekAndSplice explains how Squid-3.5 SSL-Bump works and how to set up its ssl_bump rules.
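As an added illustration that is not part of the question or the answer, the following Python checker applies the answer's two points to the poster's setup: it confirms that each nat REDIRECT lands on a Squid `intercept` listener (and that the 443 target is an ssl-bump `https_port`), reports an ssl-bump listener with no `ssl_bump` rule, and flags duplicated `cache_dir` lines. The squid.conf excerpt and nat rules below are constructed from the lines quoted in the question; the regexes only cover the directive forms that appear on this page.

```python
import re

# Constructed excerpt of the poster's squid.conf (listener and cache lines only).
SQUID_CONF = """\
http_port 3129
http_port 0.0.0.0:3128 intercept
https_port 0.0.0.0:3130 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=16MB cert=/etc/squid3/ssl_certs/myCA.pem
cache_dir ufs /var/spool/squid3 100 16 256
cache_dir ufs /var/spool/squid3 100 16 256
"""

# Constructed nat rules: the first iptables attempt from the question, both ports.
IPTABLES_RULES = """\
-A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
-A PREROUTING -t nat -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 3130
"""

def intercept_ports(conf):
    """Map each 'intercept' listener port -> True if it is an ssl-bump https_port."""
    ports = {}
    for line in conf.splitlines():
        m = re.match(r'\s*https?_port\s+(?:[\d.]+:)?(\d+)\s+(.*)', line)
        if m and 'intercept' in m.group(2).split():
            ports[int(m.group(1))] = 'ssl-bump' in m.group(2).split()
    return ports

def redirect_targets(rules):
    """Map original destination port -> REDIRECT target port from nat PREROUTING rules."""
    targets = {}
    for line in rules.splitlines():
        m = re.search(r'--dport (\d+) .*-j REDIRECT --to-ports? (\d+)', line)
        if m:
            targets[int(m.group(1))] = int(m.group(2))
    return targets

def check(conf, rules):
    """Return a list of human-readable findings; an empty list means the two halves agree."""
    findings = []
    listeners = intercept_ports(conf)
    for dport, target in redirect_targets(rules).items():
        if target not in listeners:
            findings.append(f"port {dport} is redirected to {target}, but no intercept listener is on {target}")
        elif dport == 443 and not listeners[target]:
            findings.append(f"port 443 is redirected to {target}, which is not an ssl-bump https_port")
    # The answer's core point: an ssl-bump listener does nothing without ssl_bump rules.
    if any(listeners.values()) and not re.search(r'^\s*ssl_bump\s', conf, re.M):
        findings.append("https_port has ssl-bump but squid.conf has no ssl_bump rules: bumping stays disabled")
    seen = set()
    for line in (l.strip() for l in conf.splitlines()):
        if line.startswith('cache_dir'):
            if line in seen:
                findings.append("duplicate cache_dir line: " + line)
            seen.add(line)
    return findings
```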

Source: https://serverfault.com/questions/804429