我正在尝试使用在 Ubuntu 14.04.5 上运行的 Squid 3.3.8 设置用于内容过滤的透明代理服务器。
我想将它作为透明代理与客户端一起运行。即 Squid 服务器当前在 192.168.2.212 上运行,客户端也在 192.168.2.0 范围内。
其他网络地址:网关:192.168.2.254 主 DNS:192.168.2.12 辅助 DNS:192.168.2.6 DHCP 服务器:192.168.2.10
理想情况下,我想更改 DHCP 服务器设置,将 192.168.2.212 作为网关,允许 Squid 过滤请求,然后允许它们正常传递到路由器。
我确实设法通过 iptables 配置在测试服务器上部分实现了此功能。尽管它仅允许 http 流量,因为我使用的 Squid 版本没有配置 https。
这是我的 Squid 配置:
## Access Control Lists
acl localnet src 192.168.2.0/24 # RFC1918 possible internal network
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl ads dstdomain "/etc/squid3/ads"
acl adsurl url_regex "/etc/squid3/adsurl"
acl aggressive dstdomain "/etc/squid3/aggressive"
acl aggressiveurl url_regex "/etc/squid3/aggressiveurl"
acl alcohol dstdomain "/etc/squid3/alcohol"
acl alcoholurl url_regex "/etc/squid3/alcoholurls"
acl anonvpn dstdomain "/etc/squid3/anonvpn"
acl anonvpnurl url_regex "/etc/squid3/anonvpnurl"
acl automobiles dstdomain "/etc/squid3/automobiles"
acl automobilesurl url_regex "/etc/squid3/automobilesurl"
acl chat dstdomain "/etc/squid3/chat"
acl chaturl url_regex "/etc/squid3/chaturl"
acl costtrap dstdomain "/etc/squid3/costtrap"
acl costtrapurl url_regex "/etc/squid3/costtrapurl"
acl dating dstdomain "/etc/squid3/dating"
acl datingurl url_regex "/etc/squid3/datingurl"
acl downloads dstdomain "/etc/squid3/downloads"
acl downloadsurl url_regex "/etc/squid3/downloadsurl"
acl drugs dstdomain "/etc/squid3/drugs"
acl drugsurl url_regex "/etc/squid3/drugsurl"
acl dynamicdns dstdomain "/etc/squid3/dynamicdns"
acl fortunetelling dstdomain "/etc/squid3/fortunetelling"
acl fortunetellingurl url_regex "/etc/squid3/fortunetellingurl"
acl forum dstdomain "/etc/squid3/forum"
acl forumurl url_regex "/etc/squid3/forumurl"
acl gambling dstdomain "/etc/squid3/gambling"
acl gamblingurl url_regex "/etc/squid3/gamblingurl"
acl hacking dstdomain "/etc/squid3/hacking"
acl hackingurl url_regex "/etc/squid3/hackingurl"
acl hobby_online_games dstdomain "/etc/squid3/hobby_online_games"
acl hobby_online_gamesurl url_regex "/etc/squid3/hobby_online_gamesurl"
acl games_misc dstdomain "/etc/squid3/games_misc"
acl games_miscurl url_regex "/etc/squid3/games_miscurl"
acl imagehosting dstdomain "/etc/squid3/imagehosting"
acl imagehostingurl url_regex "/etc/squid3/imagehostingurl"
acl models dstdomain "/etc/squid3/models"
acl modelsurl url_regex "/etc/squid3/modelsurl"
acl movies dstdomain "/etc/squid3/movies"
acl moviesurl url_regex "/etc/squid3/moviesurl"
acl music dstdomain "/etc/squid3/music"
acl musicurl url_regex "/etc/squid3/musicurl"
acl podcasts dstdomain "/etc/squid3/podca"
acl podcastsurl url_regex "/etc/squid3/podcastsurl"
acl radiotv dstdomain "/etc/squid3/radiotv"
acl radiotvurl url_regex "/etc/squid3/radiotvurl"
acl redirector dstdomain "/etc/squid3/redirector"
acl redirectorurl url_regex "/etc/squid3/redirectorurl"
acl ringtones dstdomain "/etc/squid3/ringtones"
acl ringtonesurl url_regex "/etc/squid3/ringtonesurl"
acl sex_lingerie dstdomain "/etc/squid3/sex_lingerie"
acl sex_lingerieurl url_regex "/etc/squid3/sex_lingerieurl"
acl shopping dstdomain "/etc/squid3/shopping"
acl shoppingurl url_regex "/etc/squid3/shoppingurl"
acl socialnet dstdomain "/etc/squid3/socialnet"
acl socialneturl url_regex "/etc/squid3/socialneturl"
acl spyware dstdomain "/etc/squid3/spyware"
acl spywareurl url_regex "/etc/squid3/spywareurl"
acl tracker dstdomain "/etc/squid3/tracker"
acl trackerurl url_regex "/etc/squid3/trackerurl"
acl violence dstdomain "/etc/squid3/violence"
acl violenceurl url_regex "/etc/squid3/violenceurl"
acl warez dstdomain "/etc/squid3/warez"
acl warezurl url_regex "/etc/squid3/warezurl"
acl weapons dstdomain "/etc/squid3/weapons"
acl weaponsurl url_regex "/etc/squid3/weaponsurl"
acl webmail dstdomain "/etc/squid3/webmail"
acl webmailurl url_regex "/etc/squid3/webmailurl"
acl webphone dstdomain "/etc/squid3/webphone"
acl webphoneurl url_regex "/etc/squid3/webphoneurl"
acl webradio dstdomain "/etc/squid3/webradio"
acl webradiourl url_regex "/etc/squid3/webradiourl"
acl webtv dstdomain "/etc/squid3/webtv"
acl webtvurl url_regex "/etc/squid3/webtvurl"
acl smluk src 192.168.0.0/24
acl humour dstdomain "/etc/squid3/humour"
acl humoururl url_regex "/etc/squid3/humoururl"
acl Proxy port "/etc/squid3/proxallow"
acl Allow url_regex "/etc/squid3/allow"
## Allow and Deny Lists
http_access allow Allow
http_access deny ads
http_access deny adsurl
http_access deny aggressive
http_access deny aggressiveurl
http_access deny alcohol
http_access deny alcoholurl
http_access deny anonvpn
http_access deny anonvpnurl
http_access deny automobiles
http_access deny automobilesurl
http_access deny chat
http_access deny chaturl
http_access deny costtrap
http_access deny costtrapurl
http_access deny dating
http_access deny datingurl
http_access deny downloads
http_access deny downloadsurl
http_access deny drugs
http_access deny drugsurl
http_access deny dynamicdns
http_access deny fortunetelling
http_access deny fortunetellingurl
http_access deny forum
http_access deny forumurl
http_access deny gambling
http_access deny gamblingurl
http_access deny hacking
http_access deny hackingurl
http_access deny hobby_online_games
http_access deny hobby_online_gamesurl
http_access deny games_misc
http_access deny games_miscurl
http_access deny imagehosting
http_access deny imagehostingurl
http_access deny models
http_access deny modelsurl
http_access deny warezurl
http_access deny weapons
http_access deny weaponsurl
http_access deny webmail
http_access deny webmailurl
http_access deny webphone
http_access deny movies
http_access deny moviesurl
http_access deny warezurl
http_access deny weapons
http_access deny weaponsurl
http_access deny webmail
http_access deny webmailurl
http_access deny webphone
http_access deny music
http_access deny musicurl
http_access deny podcasts
http_access deny podcastsurl
http_access deny radiotv
http_access deny radiotvurl
http_access deny redirector
http_access deny redirectorurl
http_access deny ringtones
http_access deny ringtonesurl
http_access deny sex_lingerie
http_access deny sex_lingerieurl
http_access deny shopping
http_access deny shoppingurl
http_access deny socialnet
http_access deny socialneturl
http_access deny warezurl
http_access deny weapons
http_access deny weaponsurl
http_access deny webmail
http_access deny webmailurl
http_access deny webphone
http_access deny spyware
http_access deny spywareurl
http_access deny tracker
http_access deny trackerurl
http_access deny violence
http_access deny violenceurl
http_access deny warez
http_access deny warezurl
http_access deny weapons
http_access deny weaponsurl
http_access deny webmail
http_access deny webmailurl
http_access deny webphone
http_access deny webphoneurl
http_access deny webradio
http_access deny webradiourl
http_access deny webtv
http_access deny webtvurl
http_access deny humour
http_access deny humoururl
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny manager
http_access allow Proxy
http_access allow localhost manager
http_access allow localhost
http_access allow localnet
http_access allow smluk
http_access deny all
acl ident_aware_hosts src 198.168.0.0/24
ident_lookup_access allow ident_aware_hosts
ident_lookup_access deny all
#http_port 3129
#http_port 3128 intercept
http_port 3129
http_port 0.0.0.0:3128 intercept
https_port 0.0.0.0:3130 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=16MB cert=/etc/squid3/ssl_certs/myCA.pem
cache_dir ufs /var/spool/squid3 100 16 256
coredump_dir /var/spool/squid3
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880
refresh_pattern . 0 20% 4320
cache_effective_user proxy
cache_effective_group proxy
## Cache Stuff
cache_dir ufs /var/spool/squid3 100 16 256
coredump_dir /var/spool/squid3
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880
refresh_pattern . 0 20% 4320
cache_effective_user proxy
cache_effective_group proxy
access_log daemon:/var/log/squid3/access.log squid
log_fqdn on
memory_pools on
memory_pools_limit none
## DNS Options
dns_timeout 10 seconds
dns_nameservers 192.168.2.12 192.168.2.6 192.168.2.3 # DNS Server
我暂时清除了任何类型的 iptables 规则。
查看 Netstat 我可以看到服务器正在监听 3128。我尝试打开 3130 但我想我没有使用正确的格式或其他什么。
tcp 0 0 0.0.0.0:3128 0.0.0.0:* LISTEN
我尝试在 iptables 中进行预路由,以拦截从端口 80 到端口 3128 以及从端口 443 到 3130 的流量,但似乎无法正常工作。
这是我尝试过的:
-A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
-A PREROUTING -t nat -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 3130
和:
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.2.212:3128
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A POSTROUTING -s 192.168.2.0/24 -o eth0 -j MASQUERADE
-A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.2.212:3130
-A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3130
-A POSTROUTING -s 192.168.2.0/24 -o eth0 -j MASQUERADE
任何帮助都感激不尽。
另外,我对 Ubuntu/Linux 的经验总体上仅限于对我工作场所的服务器进行修改。
更新 1
我现在可以让 http 工作了。
我补充道
-A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
为什么这次成功了,而其他时候却不行,我不知道。
我尝试使用相同的方法将 443 重定向到 3130,但仍然无法连接到任何 https 网站。
答案1
您首先尝试的 iptables 设置是正确的。只需在端口 80 旁边添加端口 443 的 REDIRECT 行即可。不过,在 Squid 部分也正常工作之前,您很难看到它正常工作。
如果 squid.conf 中没有任何 ssl_bump 行来告知 Squid 如何增加流量 - SSL-Bumping 将被禁用。
此外,由于 TLS 变化如此频繁,Squid SSL-Bump 功能自 3.3.8 以来经历了多次更新,以便与当前的浏览器和服务器兼容。截至撰写本文时,需要 Squid-3.5.19 或更高版本。您可以从 Debian Sid 存储库中获取该版本的“squid”包副本,但您仍必须自行重建它以支持 OpenSSL。
这http://wiki.squid-cache.org/Features/SslPeekAndSplice解释 Squid-3.5 SSL-Bump 的工作原理以及如何设置其 ssl_bump 规则。