发表于 2019-6-12 21:53
本帖最后由 loveqianool 于 2019-6-12 22:16 编辑
闲着没事还是照网上教程搭了个,使用体验就是经常无缘无故的卡一会儿,这里发一下过程吧。
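# Install Squid and the LuCI app, plus the TLS library and CA bundle.
# ca-bundle / ca-certificates populate /etc/ssl/certs/, the directory the
# squid.conf below points at via capath= / sslproxy_capath.
# (The Squid version installed when this was written was 3.5.27.)
opkg update && opkg install libustream-openssl ca-bundle ca-certificates luci-app-squid
# Next steps: create the cache directory, set its permissions, initialise it.
# NOTE(review): the commands for these three steps are missing from the post;
# the paths the configuration below expects are /mnt/squid/cache and
# /mnt/squid/ssldb — fill in the commands for your setup before continuing.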
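# Self-signed CA for ssl-bump. Clients must import z.der (certificate only)
# so that the proxy can terminate https on their behalf.
# -keyout and -out name the same file, so z.pem ends up holding BOTH the
# unencrypted (-nodes) private key and the certificate. It stays on the router
# only (squid.conf references it as cert=/etc/squid/z.pem) and is never copied
# to clients. -days 365: the CA, and every certificate it mimics, stops being
# accepted by clients after one year unless it is regenerated and re-imported.
openssl req -new -newkey rsa:2048 -sha256 -days 365 -nodes -x509 -extensions v3_ca -keyout z.pem -out z.pem
# Key + certificate in one file: make sure only root can read it.
chmod 600 z.pem
# DER copy of the certificate alone — this is the file the clients import.
openssl x509 -in z.pem -outform DER -out z.der
# DH parameters referenced by tls-dh=prime256v1:/etc/squid/z.dh in squid.conf.
openssl dhparam -dsaparam -out z.dh 2048
# NOTE(review): squid.conf expects z.pem and z.dh under /etc/squid/; the post
# does not show the copy step.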
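# Edit /etc/config/squid and uncomment every option below (presumably the
# fields luci-app-squid manages; confirm against the installed package).
config squid 'squid'
	option config_file '/etc/squid/squid.conf'
	option http_port '3128'
	option coredump_dir '/tmp/squid'
	option visible_hostname 'OpenWrt'
	option mime_table '/etc/squid/mime.conf'
	# Intercept mode. The http_port/https_port lines in squid.conf also define
	# listeners (3129/3130 intercept, 3131 explicit), so keep both files in step.
	option http_port_options 'intercept'
	# Store for the per-host certificates generated by ssl-bump. /mnt/squid is
	# also where cache_dir lives in squid.conf — presumably external storage
	# mounted at /mnt; verify it is present before Squid starts.
	option ssldb '/mnt/squid/ssldb'
	option ssldb_options '-M 32MB'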
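# Edit /etc/squid/squid.conf, or paste the following into
# LuCI -> Services -> Squid -> Advanced Settings.
# Router IP, listening ports and the self-signed CA from the previous step.
# 3131 is the explicit proxy port; the two 127.0.0.1 intercept listeners only
# see traffic if firewall redirect rules send it there — those rules are not
# part of this post. The cipher list ends with !RC4, so the EECDH+aRSA+RC4
# entry is inert; options= disables only SSLv2/SSLv3, TLS 1.0/1.1 stay enabled.
http_port 192.168.1.233:3131 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=10MB cert=/etc/squid/z.pem capath=/etc/ssl/certs/ cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS tls-dh=prime256v1:/etc/squid/z.dh options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE
http_port 127.0.0.1:3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=10MB cert=/etc/squid/z.pem capath=/etc/ssl/certs/ cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS tls-dh=prime256v1:/etc/squid/z.dh options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE
https_port 127.0.0.1:3130 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=10MB cert=/etc/squid/z.pem capath=/etc/ssl/certs/ cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS tls-dh=prime256v1:/etc/squid/z.dh options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE
icp_port 0
digest_generation off
dns_v4_first on
pid_filename /var/run/squid.pid
# Left commented in the post, so Squid falls back to its compiled-in default
# user/group — NOTE(review): check cache.log for the uid the OpenWrt init
# script actually runs it as.
#cache_effective_user squid
#cache_effective_group proxy
#error_default_language zh-cn
icon_directory /usr/share/squid/icons
#visible_hostname z_Squid
# Contact address shown on error pages (the forum had wrapped it in an HTML link).
cache_mgr z@qq.com
logfile_daemon /dev/null
# access.log records every URL requested by every client on the LAN — treat
# it as sensitive data; it is only rotated, never scrubbed (logfile_rotate 2).
access_log /var/squid/access.log
cache_log /var/squid/cache.log
cache_store_log none
netdb_filename /var/squid/netdb.state
# Presumably generated by the OpenWrt init script from the UCI ssldb options
# — confirm before uncommenting, the path here differs from the UCI one.
#sslcrtd_program /usr/lib/squid/ssl_crtd -s /mnt/squid/squid_ssldb -M 10MB -b 2048
sslcrtd_children 5
sslproxy_capath /etc/ssl/certs/
sslproxy_options NO_SSLv2,NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE
sslproxy_cipher EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
# SECURITY: the next two lines make Squid accept ANY upstream server
# certificate (expired, wrong hostname, unknown CA) and still hand the client
# a certificate signed by z.pem, so browsers behind this proxy never see a
# certificate-error warning again. They also make sslproxy_capath above
# pointless. Removing both lines restores upstream verification.
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
# The mimicked certificate takes the CA's validity period, so an expired or
# not-yet-valid server certificate also looks valid to the client.
sslproxy_cert_adapt setValidAfter all
sslproxy_cert_adapt setValidBefore all
logfile_rotate 2
debug_options rotate=2
shutdown_lifetime 3 seconds
# Allow local network(s) on interface(s)
# Client address range allowed to use the proxy. 192.168.0.0/16 is wider
# than the 192.168.1.x addresses used above; narrow it to the real LAN.
acl localnet src 192.168.0.0/16
forwarded_for delete
#via off
uri_whitespace strip
# DNS server Squid uses (the router itself here).
dns_nameservers 192.168.1.233
# Memory cache size, 1 GB.
cache_mem 1024 MB
maximum_object_size_in_memory 4096 KB
#memory_replacement_policy heap GDSF
#cache_replacement_policy heap LFUDA
minimum_object_size 0 KB
maximum_object_size 16 MB
# Disk cache size, 10 GB, under /mnt/squid/cache (the directory must exist
# and be initialised before the first start — see the install step).
cache_dir aufs /mnt/squid/cache 10240 16 256
offline_mode off
cache_swap_low 90
cache_swap_high 95
# SECURITY: 'cache allow all' together with the ignore-private / ignore-auth /
# ignore-no-store options in the refresh_pattern lines below stores responses
# the origin marked private or per-user. On a proxy shared by several LAN
# clients such content can be served to a different client. Keep those
# options only for genuinely public static files.
cache allow all
refresh_pattern -i (\.|-)(ico(.*)?|pn[pg]|(g|t)iff?|jpe?g(2|3|4)?|psd|c(d|b)r|cad|bmp|img)(\?.*)?$ 21600 100% 43200 override-expire override-lastmod reload-into-ims ignore-reload ignore-no-cache ignore-no-store ignore-private ignore-auth
refresh_pattern -i (\.|-)(webm|(x-)?swf|mp(eg)?(3|4)|mpe?g(av)?|(x-)?f(l|4)v|divx?|rmvb?|mov|trp|ts|avi|m38u|wmv|wmp|m4v|mkv|asf|dv|vob|3gp?2?)(\?.*)?$ 21600 100% 43200 override-expire override-lastmod reload-into-ims ignore-reload ignore-no-cache ignore-no-store ignore-private ignore-auth
refresh_pattern -i (\.|-)(xml|js|jsp|txt|css)(\?.*)?$ 360 40% 1440 override-expire override-lastmod reload-into-ims ignore-reload ignore-no-cache ignore-no-store ignore-private ignore-auth
refresh_pattern -i .index.(html|htm)$ 0 40% 1440
# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
#Remote proxies
# Setup some default acls
# ACLs all, manager, localhost, and to_localhost are predefined.
acl allsrc src all
acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901 3128 3129 1025-65535
acl sslports port 443 563
acl purge method PURGE
acl connect method CONNECT
# Define protocols used for redirects
acl HTTP proto HTTP
acl HTTPS proto HTTPS
# SslBump Peek and Splice
# http://wiki.squid-cache.org/Features/SslPeekAndSplice
# http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit
# Match against the current step during ssl_bump evaluation [fast]
# Never matches and should not be used outside the ssl_bump context.
#
# At each SslBump step, Squid evaluates ssl_bump directives to find
# the next bumping action (e.g., peek or splice). Valid SslBump step
# values and the corresponding ssl_bump evaluation moments are:
# SslBump1: After getting TCP-level and HTTP CONNECT info.
# SslBump2: After getting TLS Client Hello info.
# SslBump3: After getting TLS Server Hello info.
# These ACLs exist even when 'SSL/MITM Mode' is set to 'Custom' so that
# they can be used there for custom configuration.
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
# Cache-manager and PURGE are reachable from the router itself only.
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !safeports
http_access deny CONNECT !sslports
# Always allow localhost connections
http_access allow localhost
quick_abort_min -1 KB
quick_abort_max 0 KB
request_body_max_size 0 KB
delay_pools 1
delay_class 1 2
delay_parameters 1 -1/-1 -1/-1
delay_initial_bucket_level 100
delay_access 1 allow allsrc
# Reverse Proxy settings
# Custom options before auth
# Every TLS connection is decrypted and re-encrypted with a z.pem-signed
# certificate. To leave particular sites end-to-end encrypted (banking, sites
# that pin their certificate) add an `ssl_bump splice <acl>` rule for them
# before 'ssl_bump bump all'.
ssl_bump peek step1
ssl_bump bump all
# Setup allowed ACLs
# Allow local network(s) on interface(s)
http_access allow localnet
# Default block all to be sure
http_access deny allsrc
# Everything commented as site-specific above (router IP and ports, DNS
# server, client network range, cache sizes, contact address) must be
# adapted to your own network.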
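# Parse the configuration first; only restart Squid when no error is reported
# (the original post only restarted, so a broken config surfaced at start-up).
squid -k parse -f /etc/squid/squid.conf && /etc/init.d/squid restart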
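# After pointing a client at the proxy, follow the connections passing
# through Squid. access.log lists every URL requested by every LAN client,
# so read it on the router only and do not copy or share it.
tail -f /var/squid/access.log
# Same stream filtered to requests answered from the cache
# (entries tagged TCP_HIT, TCP_MEM_HIT, ...).
tail -f /var/squid/access.log | grep HIT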
使用这个代理访问 https 网站有安全风险：ssl-bump 模式下代理会用自签证书把所有 https 流量解密后再重新加密（所以不是“不加密”，而是代理能看到明文），而且上面的 sslproxy_cert_error allow all 和 sslproxy_flags DONT_VERIFY_PEER 这两行让代理不再校验网站证书，网站证书有问题时客户端也不会收到警告。反正不要使用这个代理访问银行网站之类的。