Squid is a high-performance proxy cache server. It supports the FTP, Gopher, HTTP and HTTPS protocols; it does not support SOCKS4/5.

acl SSL_ports port 443 
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

Squid is software that caches Internet data: acting as a proxy server, it receives users' download requests, processes the downloaded data automatically and returns it to the client.


When a user wants to download a page (for example mimvp: https://mimvp.com), the user can send the request to Squid and let Squid fetch it instead. Squid connects to the requested site, fetches the page, hands it to the user and keeps a copy; when another user requests the same page, Squid serves the saved copy immediately, so the response feels very fast. Squid can proxy HTTP, FTP, Gopher, SSL, WAIS and other protocols and handles them automatically, and it can be configured as needed to filter out unwanted content.


Squid is a cross-platform service that runs on most Unix and OS/2 variants. Known working systems include:

Windows, AIX, Digital Unix, FreeBSD, HP-UX, Irix, Linux, NetBSD, Nextstep, SCO, Solaris

Squid website: http://www.squid-cache.org

 

 

1. Install squid

# rpm -qa | grep squid
squid-3.3.8-26.el7_2.4.x86_64            # output like this means squid is already installed

yum -y install squid                     # install

 

2. Enable squid at boot

systemctl enable squid.service 

 

3. Configuration file squid.conf

vim  /etc/squid/squid.conf

Find the line

http_access deny all 

and add the following lines before it (check that the path to basic_ncsa_auth is correct):

auth_param basic program /usr/lib64/squid/basic_ncsa_auth /etc/squid/passwd
auth_param basic children 5
auth_param basic realm hello-mimvp
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
acl myproxy proxy_auth REQUIRED
http_access deny !myproxy
http_access allow myproxy

Add two more lines to hide the real client IP and make this an anonymous proxy; otherwise it is a transparent proxy and the client's real IP is exposed to the destination:

via off 
forwarded_for delete 

After the additions, the configuration looks like this:

############# mimvp start ############
auth_param basic program /usr/lib64/squid/basic_ncsa_auth /etc/squid/passwd 
auth_param basic children 5 
auth_param basic realm hello-mimvp 
auth_param basic credentialsttl 2 hours 
auth_param basic casesensitive off
acl myproxy proxy_auth REQUIRED 
http_access deny !myproxy
http_access allow myproxy 

via off 
forwarded_for delete 
############# mimvp end ##############

# And finally deny all other access to this proxy
http_access deny all
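A small audit of the access-control block above, added here as an example (not code from the original post or from the Squid project). It parses the directives and checks the properties the configuration relies on: every allow rule goes through the proxy_auth ACL, "deny all" is the last http_access rule, and the two anonymity directives are present. The sample configuration text is constructed from the block above.

```python
"""Audit the access-control part of a squid.conf (added example)."""

# Constructed sample: the mimvp block from the post plus the final deny.
SAMPLE_CONF = """
auth_param basic program /usr/lib64/squid/basic_ncsa_auth /etc/squid/passwd
auth_param basic children 5
acl myproxy proxy_auth REQUIRED
http_access deny !myproxy
http_access allow myproxy
via off
forwarded_for delete
# And finally deny all other access to this proxy
http_access deny all
"""

def parse(conf):
    """Return (acls, http_access rules, other directives), comments stripped."""
    acls, rules, other = {}, [], {}
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl" and len(parts) >= 3:
            acls.setdefault(parts[1], []).append(parts[2])   # name -> [acl types]
        elif parts[0] == "http_access" and len(parts) >= 3:
            rules.append((parts[1], parts[2:]))               # (allow|deny, [terms])
        else:
            other[parts[0]] = parts[1:]
    return acls, rules, other

def audit(conf):
    """Return a list of findings; an empty list means all checks pass."""
    acls, rules, other = parse(conf)
    findings = []
    auth_acls = {name for name, types in acls.items() if "proxy_auth" in types}
    if not auth_acls:
        findings.append("no proxy_auth acl: proxy is open to anyone who can reach it")
    # Every allow rule must reference an authenticated acl (unnegated).
    for action, terms in rules:
        if action == "allow" and not any(t in auth_acls for t in terms):
            findings.append("allow without auth: http_access allow " + " ".join(terms))
    if not rules or rules[-1] != ("deny", ["all"]):
        findings.append("last http_access rule is not 'deny all'")
    if other.get("via") != ["off"]:
        findings.append("via off missing: Via header reveals the proxy")
    if other.get("forwarded_for") != ["delete"]:
        findings.append("forwarded_for delete missing: client IP leaks in X-Forwarded-For")
    return findings
```

Run audit() over the real file contents after every edit; the default config's unauthenticated "allow localhost" rules will show up as findings, which is exactly what to review.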

 

4. Username/password authentication for squid

Use htpasswd, the tool shipped with Apache, to generate the password file.

htpasswd comes with Apache httpd, so install httpd first; expect is installed as well so that the interactive password entry can be automated.

yum -y install httpd httpd-devel expect

Then add the user:

/usr/bin/htpasswd -c /etc/squid/passwd  mimvp-guest

Enter the password at the prompt: Mimvp-COM-2016

On success, the following is written to /etc/squid/passwd:

# cat /etc/squid/passwd
mimvp-guest:$apr1$MsJeP9bZ$BLCJYnpQyFR.dV5SBDxMg0

The first column is the username, the second the password hash.

 

5. Check the configuration and set up the cache

5.1 Check the configuration

squid -k parse 

5.2 Set up the cache

vim /etc/squid/squid.conf

Remove the leading # from the following line, otherwise squid -z cannot run:

#cache_dir ufs /var/spool/squid 100 16 256 

After uncommenting it, initialise the cache:

# squid -z
2017/09/29 18:35:26 kid1| Set Current Directory to /var/spool/squid
2017/09/29 18:35:26 kid1| Creating missing swap directories
2017/09/29 18:35:26 kid1| No cache_dir stores are configured.

 

6. Start the squid service

systemctl start squid.service

Check that the service is now listening on port 3128:

# netstat -ntpl | grep 3128
tcp6       0      0 :::3128                 :::*                    LISTEN      29764/(squid-1)

 

If iptables firewall rules are enabled, also add the following line to /etc/sysconfig/iptables to allow access to port 3128:

-A INPUT -s 192.168.1.0/24 -p tcp -m state --state NEW -m tcp --dport 3128 -j ACCEPT

If Squid is built on a cloud server (Alibaba Cloud, Tencent Cloud, AWS, etc.), port 3128 must also be allowed in the security policy.

 

7. View the squid logs

tail -f  /var/log/squid/access.log

tail -f /var/log/squid/cache.log

 

Steps 1 to 7 configure an HTTP proxy. The following explains in detail how to configure an HTTPS proxy.

 

8. Configure an HTTPS proxy

8.1 Issue an SSL certificate

An HTTPS proxy requires a certificate. You can buy one, apply for a free one, or, simplest of all, self-sign one.

cd /etc/squid/

Method 1:

openssl req -new -keyout server.key -nodes -x509 -days 3650 -out server.crt

This prompts for the country, province and other fields, which must be entered by hand.

Method 2:

# cd /etc/squid/
# openssl req -new > server.csr
Generating a 2048 bit RSA private key
...........................................................................++++++
writing new private key to 'privkey.pem'
Enter PEM pass phrase:                   # enter a pass phrase, needed again below, e.g. 123456
Verifying - Enter PEM pass phrase:       # confirm the pass phrase, 123456
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:mimvp.com
Organizational Unit Name (eg, section) []:R&D
Common Name (eg, your name or your server's hostname) []:mimvp
Email Address []:love@mimvp.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:12345678          # challenge password of the request; the CA asks for it when reading the CSR
An optional company name []:mimvp.com     # company name; the CA asks for it when reading the CSR

# openssl rsa -in privkey.pem -out server.key
Enter pass phrase for privkey.pem:         # the pass phrase set above, 123456
writing RSA key
# openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 3650
Signature ok
subject=/C=CN/ST=beijing/L=beijing/O=mimvp.com/OU=R&D/CN=mimvp/emailAddress=love@mimvp.com
Getting Private key

The interactive input can also be automated with expect; the expect script is given directly below:

vim mimvp_squid.sh

#!/usr/bin/expect
#
# mimvp.com
# 2016.10.12

set timeout 30

# pass phrase for the generated private key (privkey.pem)
set pem_pwd "123456"

# Distinguished Name fields
set country_name "CN"
set province_name "beijing"
set locality_name "beijing"
set organization_name "mimvp.com"
set organizational_unit_name "research-development"
set common_name "mimvp"
set email_address "love@mimvp.com"

# 'extra' attributes of the request
set challenge_password "12345678"
set company_name "mimvp.com"

# cd is a Tcl builtin; spawning it as an external process would fail
cd /etc/squid/

## server.csr (openssl req -new also writes the new key to privkey.pem)
spawn openssl req -new -out server.csr

expect "*Enter PEM*"
send "$pem_pwd\r"

expect "*Verifying - Enter PEM*"
send "$pem_pwd\r"

expect "*Country Name*"
send "$country_name\r"

expect "*State or Province Name*"
send "$province_name\r"

expect "*Locality Name*"
send "$locality_name\r"

expect "*Organization Name*"
send "$organization_name\r"

expect "*Organizational Unit Name*"
send "$organizational_unit_name\r"

expect "*Common Name*"
send "$common_name\r"

expect "*Email Address*"
send "$email_address\r"

expect "*challenge password*"
send "$challenge_password\r"

expect "*company name*"
send "$company_name\r"
expect eof

## server.key: strip the pass phrase so squid can load the key unattended
spawn openssl rsa -in privkey.pem -out server.key

expect "*Enter pass phrase for privkey.pem*"
send "$pem_pwd\r"
expect eof

## server.crt: self-sign the request, valid for 10 years
spawn openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 3650
expect eof

puts ""
puts "thanks, i  love  mimvp.com"

To learn expect scripting, see the mimvp blog post on automating password entry in Linux shell scripts with expect.

 

8.2 Modify the configuration file squid.conf

vim /etc/squid/squid.conf

SSL port and certificate: change the previously listened http_port 3128 to https_port 443 and configure the certificate generated above (in /etc/squid/), as follows:

#http_port 3128
https_port 443 cert=/etc/squid/server.crt key=/etc/squid/server.key

Note: if http_port 3128 is left uncommented, the same server supports both HTTP and HTTPS proxying at once; mimvp proxy has verified this works.

 

8.3 Open port 443

If iptables firewall rules are enabled, also add the following line to /etc/sysconfig/iptables to allow access to port 443:

-A INPUT -s 192.168.1.0/24 -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT

If Squid is built on a cloud server (Alibaba Cloud, Tencent Cloud, AWS, etc.), port 443 must also be allowed in the security policy.

 

8.4 Restart the squid service

squid -k parse
squid -z
squid -k reconfigure
systemctl restart squid.service

 

8.5 Client side: configure stunnel

1) Download stunnel

stunnel website: http://www.stunnel.org/downloads.html

stunnel download: stunnel-5.42.tar.gz

 

2) Unpack and install

wget http://www.stunnel.org/downloads/stunnel-5.42.tar.gz
tar zxvf stunnel-5.42.tar.gz
cd stunnel-5.42/
./configure && make && make install

 

3) Modify the configuration file

cd /usr/local/etc/stunnel/
cp stunnel.conf-sample stunnel.conf

Clear the contents of stunnel.conf and write only the following (local port 8088 is forwarded over TLS to the Squid https_port on the server):

client = yes
[https]
accept = 127.0.0.1:8088
connect = 58.87.90.149:443

 

4) Start stunnel

# /usr/local/bin/stunnel /usr/local/etc/stunnel/stunnel.conf
#
# ps -ef | grep stunnel
mimvp      2137     1  0 18:31 ?        00:00:00 /usr/local/bin/stunnel /usr/local/etc/stunnel/stunnel.conf
mimvp      2141 15922  0 18:31 pts/0    00:00:00 grep --color=auto stunnel
#
# lsof -i:8088
COMMAND  PID USER   FD   TYPE   DEVICE SIZE/OFF NODE NAME
stunnel 2137 root    7u  IPv4 12055049      0t0  TCP localhost:radan-http (LISTEN)

 

5) Configure system environment variables

vim /etc/profile

Add the following two lines:

export http_proxy=http://58.87.90.149:3128    # go online through squid on port 3128 of server A (HTTP proxy)
export https_proxy=http://127.0.0.1:8088      # go online through the local stunnel to squid on port 443 of server B (HTTPS proxy)

# source /etc/profile        # apply the settings

 

6) Test that the proxy works

# curl http://proxy.mimvp.com
# curl https://proxy.mimvp.com

Or configure an HTTP proxy in the Chrome browser and visit an HTTPS site.

Or set an HTTP proxy directly in curl and visit an HTTPS site:

curl -m 30 --retry 3 -x http://127.0.0.1:8088 -k https://proxy.mimvp.com/exist.php

More commands:

# HTTP proxy format    http_proxy=http://IP:Port
# HTTPS proxy format   https_proxy=http://IP:Port

{'http': 'http://120.77.176.179:8888'}
curl -m 30 --retry 3 -x http://120.77.176.179:8888 http://proxy.mimvp.com/exist.php                                    # http_proxy
wget -T 30 --tries 3 -e "http_proxy=http://120.77.176.179:8888" http://proxy.mimvp.com/exist.php                       # http_proxy

{'https': 'http://46.105.214.133:3128'}
curl -m 30 --retry 3 --proxy-insecure -x http://46.105.214.133:3128 -k https://proxy.mimvp.com/exist.php               # https_proxy
wget -T 30 --tries 3 --no-check-certificate -e "https_proxy=http://46.105.214.133:3128" https://proxy.mimvp.com/exist.php   # https_proxy

# curl supports SOCKS
{'socks4': '101.255.17.145:1080'}
curl -m 30 --retry 3 --socks4 101.255.17.145:1080 http://proxy.mimvp.com/exist.php

{'socks5': '82.164.233.227:45454'}
curl -m 30 --retry 3 --socks5 82.164.233.227:45454 http://proxy.mimvp.com/exist.php

# wget does not support SOCKS

 

For using proxies directly from the curl and wget command lines, see the mimvp proxy usage examples:

https://proxy.mimvp.com/demo2.php

 

mimvp proxy is built by senior engineers who came from Baidu, Alibaba and Xiaomi; it is high quality and worth studying, using and exploring.

https://proxy.mimvp.com

 

 

9. Set up the proxy and verify it

Operating system: Mac OS X

Proxy server: 58.87.90.149:3128

Proxy username/password: mimvp-guest / mimvp.com

Browser: Chrome Version 61.0.3163.100 (Official Build) (64-bit)

Steps to set the proxy:

1) Set a system-level proxy from the browser

Chrome -> top-right menu -> Settings -> Advanced -> Open proxy settings


 

2) Open the mimvp proxy-check page

Proxy check: https://proxy.mimvp.com/exist.php

As the screenshot showed, the detected IP is 58.87.90.149, located in Beijing on a Tencent cloud server.

 

The above sets a system-level proxy from the browser: once set, every network connection on the computer goes through this proxy.

Often we don't want a system-level proxy; we only want the browser to use the proxy while other connections stay as they are. How is that set up?

The answer is a browser extension. Chrome and Firefox extensions are recommended later in this post; first, the result:

1) Chrome Proxy SwitchySharp extension: set the proxy


 

2) Firefox Proxy Switcher extension: set the proxy

Enter the proxy username and password.

Open the mimvp proxy-check page:

Proxy check: https://proxy.mimvp.com/check.php

 

That covers installing and configuring the squid proxy, setting the proxy in the browser and via extensions, and verifying the proxy.

The proxy verification above used mimvp proxy, a product built by engineers from Baidu, Alibaba, Xiaomi and others; it works very well.

 

10. Recommended: mimvp proxy

If you don't want to build your own proxy server, you can use mimvp proxy directly, a very reliable proxy company.

mimvp proxy: https://proxy.mimvp.com   (the first proxy provider in China to run an HTTPS-encrypted website)

mimvp proxy pricing is also inexpensive: https://proxy.mimvp.com/price.php


 

 
