海运的博客

Openwrt下使用Stunnel加密Squid取代SSH转发

发布时间:September 3, 2012 // 分类:Squid,OpenWrt // No Comments

Stunnel真是个好东西,可以使用SSL加密任意两点间的TCP连接,本文记录使用Stunnel加密Squid代理服务器来代替SSH数据转发
服务器端配置Squid正向代理:

#https://www.haiyun.me
http_port 127.0.0.1:8080
icp_port 0
visible_hostname proxy.www.haiyun.me
cache_mgr  admin@www.haiyun.me
cache_effective_user squid
cache_effective_group  squid 
via off     
forwarded_for off
acl localnet src 127.0.0.0/24
http_access allow localnet

生成OpenSSL证书:

openssl req -new -x509 -days 365 -nodes -out stunnel.pem -keyout stunnel.pem
chmod 400 stunnel.pem

服务器端Stunnel安装配置:

yum install stunnel
compression=zlib
syslog=no
debug=7
output=/var/log/stunnel.log
setuid=nobody
setgid=nobody
pid=/var/run/stunnel.pid
cert=/etc/stunnel/stunnel.pem
key=/etc/stunnel/stunnel.pem
client=no
[squid]
accept=8000
connect=127.0.0.1:8080

Openwrt下安装配置Stunnel客户端:

opkg update
opkg install stunnel
compression=zlib
syslog=no
debug=7
output=/var/log/stunnel.log
pid=/var/run/stunnel.pid
client=yes
[squid]
accept=8080
connect=www.haiyun.me:8000

客户端服务器端启动Stunnel:

stunnel

此时客户端和Squid代理服务器之间的数据是使用SSL加密的,其它HTTP代理服务器也同样适用此方法,如Kingate代理服务器

Squid安全设置隐藏版本及Header信息

发布时间:August 4, 2012 // 分类:Squid // No Comments

配置文件ACL后添加:

header_access X-Cache deny all
header_access X-Squid-Error deny all
header_access Via deny all
header_access Server deny all
header_access X-Cache deny all
header_access X-Cache-Lookup deny all

其它Header也可隐藏:

Accept         HTTP_ACCEPT
Accept-Charset         HTTP_ACCEPT-CHARSET
Accept-Encoding         HTTP_ACCEPT-ENCODING
Accept-Language         HTTP_ACCEPT-LANGUAGE
Accept-Ranges         HTTP_ACCEPT-RANGES
Age         HTTP_AGE
Allow         HTTP_ALLOW
Authorization         HTTP_AUTHORIZATION
Cache-Control         HTTP_CACHE-CONTROL
Connection         HTTP_CONNECTION
Content-Base         HTTP_CONTENT-BASE
Content-Disposition         HTTP_CONTENT-DISPOSITION
Content-Encoding         HTTP_CONTENT-ENCODING
Content-Language         HTTP_CONTENT-LANGUAGE
Content-Length         HTTP_CONTENT-LENGTH
Content-Location         HTTP_CONTENT-LOCATION
Content-MD5         HTTP_CONTENT-MD5
Content-Range         HTTP_CONTENT-RANGE
Content-Type         HTTP_CONTENT-TYPE
Cookie         HTTP_COOKIE
Date         HTTP_DATE
ETag         HTTP_ETAG
Expires         HTTP_EXPIRES
From         HTTP_FROM
Host         HTTP_HOST
If-Match         HTTP_IF-MATCH
If-Modified-Since         HTTP_IF-MODIFIED-SINCE
If-None-Match         HTTP_IF-NONE-MATCH
If-Range         HTTP_IF-RANGE
Last-Modified         HTTP_LAST-MODIFIED
Link         HTTP_LINK
Location         HTTP_LOCATION
Max-Forwards         HTTP_MAX-FORWARDS
Mime-Version         HTTP_MIME-VERSION
Pragma         HTTP_PRAGMA
Proxy-Authenticate         HTTP_PROXY-AUTHENTICATE
Proxy-Authentication-Info         HTTP_PROXY-AUTHENTICATION-INFO
Proxy-Authorization         HTTP_PROXY-AUTHORIZATION
Proxy-Connection         HTTP_PROXY-CONNECTION
Public         HTTP_PUBLIC
Range         HTTP_RANGE
Referer         HTTP_REFERER
Request-Range         HTTP_REQUEST-RANGE
Retry-After         HTTP_RETRY-AFTER
Server         HTTP_SERVER
Set-Cookie         HTTP_SET-COOKIE
Title         HTTP_TITLE
Transfer-Encoding         HTTP_TRANSFER-ENCODING
Upgrade         HTTP_UPGRADE
User-Agent         HTTP_USER-AGENT
Vary         HTTP_VARY
Via         HTTP_VIA
Warning         HTTP_WARNING
WWW-Authenticate         HTTP_WWW-AUTHENTICATE
Authentication-Info         HTTP_AUTHENTICATION-INFO
X-Cache         HTTP_X-CACHE
X-Cache-Lookup         HTTP_X-CACHE-LOOKUP
X-Forwarded-For         HTTP_X-FORWARDED-FOR
X-Request-URI         HTTP_X-REQUEST-URI
X-Squid-Error         HTTP_X-SQUID-ERROR
Negotiate         HTTP_NEGOTIATE
X-Accelerator-Vary         HTTP_X-ACCELERATOR-VARY
Other:         HTTP_OTHER:

Squid3.0版本使用参数:

reply_header_access Server deny all
reply_header_access X-Cache deny all
reply_header_access Warning deny all
reply_header_access Expires deny all
reply_header_access Cache-Control deny all
reply_header_access age deny all

参考:http://bbs.linuxtone.org/thread-131-1-1.html

Squid关闭磁盘缓存

发布时间:August 4, 2012 // 分类:Squid // No Comments

在Openwrt下使用USB外挂存储磁盘IO会成为瓶颈,如果带宽足够纯粹做为透明代理可以关闭磁盘缓存功能。
1.修改缓存策略为null

cache_dir null /tmp

2.或者定义禁止缓存GET请求:

acl NCACHE method GET
no_cache deny NCACHE

3.缓存到/dev/shm目录,相当于ramdisk,openwrt无此设备。

cache_dir ufs /mnt/cache 256 16 256

Squid代理添加用户、密码认证

发布时间:June 27, 2012 // 分类:Squid // No Comments

架设Squid代理服务器为防止别人扫描到后滥用,可配置Squid基于用户认证方式代理上网。
1.创建密钥认证文件:

htpasswd -c /etc/squid/passwd user

2.使用ncsa_auth认证,编辑squid配置文件添加:

auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd
acl auth_user proxy_auth REQUIRED
http_access allow ncsa_users
http_access deny all

重新加载配置文件生效:

squid -k reconfig

squid用户认证.png

Openwrt/Linux安装squid做透明代理缓存服务器

发布时间:April 21, 2012 // 分类:Squid,OpenWrt,Linux服务 // 3 Comments

安装Squid:

opkg update
opkg install squid
cd /etc/squid
mv squid.conf squid.conf.back
vim squid.conf

配置文件:

visible_hostname proxy.www.haiyun.me #主机名
cache_mgr onovps@www.haiyun.me #管理员邮箱
http_port 3128 transparent #监听端口3128,透明代理
icp_port 0 #单机模式
dns_nameservers 192.168.1.1 #DNS
#cache_effective_user squid #运行用户
#cache_effective_group squid #运行用户组
pid_filename /tmp/squid.pid #pid文件
error_directory /usr/share/squid/errors/Simplify_Chinese #错误提示文件
emulate_httpd_log on #开启httpd日记格式
#logformat log %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh #自定义日记模式
cache_access_log /mnt/log/access.log #日记路径
cache_log none #无cache日记
cache_store_log none #无store日记
cache_dir ufs /mnt/cache/ 2048 16 256 #硬盘缓存2G,一级目录16,二级目录256
cache_mem 16 MB #内存缓存16M
cache_swap_low 90
cache_swap_high 95
minimum_object_size 0 KB #最小缓存不限制
maximum_object_size 4096 KB #最大缓存4M
cache_vary on #开启vary缓存
connect_timeout 1 minute #连接超时1分
request_timeout 1 minutes #请求超时1分

acl QUERY urlpath_regex -i cgi-bin \?
cache deny QUERY #不缓存cgin-bin

acl bt url_regex -i ^http://.*\.torrent$
http_access deny bt    #禁止下载torrent
acl files urlpath_regex -i "/etc/squid/files.txt" #过滤下载文件后缀
acl sites dstdom_regex "/etc/squid/sites.txt"   #过滤特定网址
acl keys url_regex -i "/etc/squid/keys.txt"  #过滤特定关键词
acl nocache_sites dstdom_regex "/etc/squid/nocache_sites.txt" #指定不缓存网址
acl nocache_files urlpath_regex -i "/etc/squid/nocache_files.txt" #指定不缓存文件后缀
http_access deny files             
http_access deny sites
http_access deny keys   
cache deny nocache_sites
cache deny nocache_files

acl all src 0.0.0.0/0.0.0.0 
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl localnet src 192.168.1.0/255.255.255.0
acl SSL_ports port 443 563 10000
acl Safe_ports port 80 21 443 56370 210 1025-65535 280 488 591

http_access allow manager localhost
http_access deny manager
http_access allow localnet
http_access deny all

#acl apache rep_header Server ^Apache
broken_vary_encoding allow all #开启压缩
header_access X-Forwarded-For deny all #禁止 X-Forwarded头
header_access HTTP_VIA deny all   #禁止HTTP_VIA
header_access Via deny all #禁止Via头
refresh_pattern -i \.css$ 1440 50% 129600 reload-into-ims 
refresh_pattern -i \.xml$ 1440 50% 129600 reload-into-ims
refresh_pattern -i \.htm$ 1440 90% 129600 reload-into-ims
refresh_pattern -i \.html$ 1440 90% 129600 reload-into-ims
refresh_pattern -i \.shtml$ 1440 90% 129600 reload-into-ims
refresh_pattern -i \.png$ 1440 90% 129600 reload-into-ims
refresh_pattern -i \.jpg$ 1440 90% 129600 reload-into-ims
refresh_pattern -i \.jpeg$ 1440 90% 129600 reload-into-ims
refresh_pattern -i \.gif$ 1440 90% 129600 reload-into-ims
refresh_pattern -i \.bmp$ 1440 90% 129600 reload-into-ims
refresh_pattern -i \.js$ 1440 90% 129600 reload-into-ims

refresh_pattern -i \.mp3$ 1440 50% 2880 ignore-reload
refresh_pattern -i \.wmv$ 1440 50% 2880 ignore-reload
refresh_pattern -i \.rm$ 1440 50% 2880 ignore-reload
refresh_pattern -i \.swf$ 1440 50% 2880 ignore-reload
refresh_pattern -i \.mpeg$ 1440 50% 2880 ignore-reload
refresh_pattern -i \.wma$ 1440 50% 2880 ignore-reload

refresh_pattern -i \.exe$ 1440 50% 2880 ignore-reload
refresh_pattern -i \.rar$ 1440 50% 2880 ignore-reload
refresh_pattern -i \.zip$ 1440 50% 2880 ignore-reload
refresh_pattern -i \.gz$ 1440 50% 2880 ignore-reload
refresh_pattern -i \.bz2$ 1440 50% 2880 ignore-reload
refresh_pattern -i \.7z$ 1440 50% 2880 ignore-reload

squid相关指令:

squid -k reconfigure #重置
squid -k parse  #检测配置文件
squid -k shutdown #关闭
squid -k rotate  #分割日记

Openwrt下安装squid后无init脚本,管理不方便,自己简单写了个。

#/bin/bash
#Create by www.haiyun.me
case $1 in
stop)
  squid -k shutdown
  ;;
start)
  squid
  ;;
restart)
  squid -k reconfigure
  ;;
check)
  squid -k parse
  ;;
*)
  echo "Please use restart|start|stop|check"
  ;;
esac

iptables配置:

opkg install iptables-utils iptables-mod-nat-extra
iptables -t nat -A PREROUTING -i br-lan -p tcp  --dport 80 -j REDIRECT --to-ports 3128
分类
最新文章
最近回复
  • opnfense: 谢谢博主!!!解决问题了!!!我之前一直以为内置的odhcp6就是唯一管理ipv6的方式
  • liyk: 这个方法获取的IPv6大概20分钟之后就会失效,默认路由先消失,然后Global IPV6再消失
  • 海运: 不好意思,没有。
  • zongboa: 您好,請問一下有immortalwrt設定guest Wi-Fi的GUI教學嗎?感謝您。
  • 海运: 恩山有很多。
  • swsend: 大佬可以分享一下固件吗,谢谢。
  • Jimmy: 方法一 nghtp3步骤需要改成如下才能编译成功: git clone https://git...
  • 海运: 地址格式和udpxy一样,udpxy和msd_lite能用这个就能用。
  • 1: 怎么用 编译后的程序在家里路由器内任意一台设备上运行就可以吗?比如笔记本电脑 m参数是笔记本的...
  • 孤狼: ups_status_set: seems that UPS [BK650M2-CH] is ...