====== Squid Proxy Server Installation and Configuration ======
* Because an OpenVAS vulnerability scan of the host reports **Squid Multiple 0-Day Vulnerabilities (Oct 2023)**
* Squid has now been replaced with [[tech/tinyproxy]]
===== Using docker compose =====
* Uses the [[https://hub.docker.com/r/ubuntu/squid|ubuntu/squid image]]
<code bash>
vi docker-compose.yml
</code>
<code yaml>
services:
  squid:
    image: ubuntu/squid:latest
    hostname: squid
    container_name: squid
    environment:
      - TZ=Asia/Taipei
    ports:
      - 3128:3128
#    volumes:
#      - './conf/squid.conf:/etc/squid/squid.conf:ro'
#      - './conf/passwords:/etc/squid/passwords:ro'
    restart: always
</code>
<code bash>
docker compose up -d
</code>
  - Copy squid.conf out of the container so it can be mounted back in and edited
<code bash>
mkdir -p conf
docker cp squid:/etc/squid/squid.conf ./conf/
</code>
  - Edit docker-compose.yml
<code yaml>
services:
  squid:
    image: ubuntu/squid:latest
    hostname: squid
    container_name: squid
    environment:
      - TZ=Asia/Taipei
    ports:
      - 3128:3128
    volumes:
      - './conf/squid.conf:/etc/squid/squid.conf:ro'
#      - './conf/passwords:/etc/squid/passwords:ro'
    restart: always
</code>
  - Edit squid.conf
<code bash>
vi ./conf/squid.conf
</code>
<code>
:
acl localnet src fe80::/10          # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443 8006
acl Safe_ports port 8006            # PVE manager
acl Safe_ports port 80              # http
acl Safe_ports port 21              # ftp
acl Safe_ports port 443             # https
:
# For example, to allow access from your local networks, you may uncomment the
# following rule (and/or add rules that match your definition of "local"):
http_access allow localnet
:
</code>
* Restart the docker compose service
<code bash>
docker compose restart
</code>
==== Q1: Modifying /etc/hosts inside the container ====
* Reference - https://stackoverflow.com/questions/74014600/custom-etc-hosts-file-in-dockerfile
  - Add an extra_hosts: section to docker-compose.yml
  - Add the hostname and IP entries you need, e.g. "www.ichiayi.com:192.168.11.133" "web.ichiayi.com:192.168.11.134"
  - Example:
<code yaml>
services:
  squid:
    image: ubuntu/squid:latest
    hostname: squid
    container_name: squid
    environment:
      - TZ=Asia/Taipei
    extra_hosts:
      - "www.ichiayi.com:192.168.11.133"
      - "web.ichiayi.com:192.168.11.134"
    ports:
      - 3128:3128
    volumes:
      - './conf/squid.conf:/etc/squid/squid.conf:ro'
#      - './conf/passwords:/etc/squid/passwords:ro'
    restart: always
</code>
  - Restart the docker compose service
<code bash>
docker compose up -d
</code>
====== Standard Installation Procedure ======
The following covers installing and configuring Squid Proxy Server on CentOS 7 and Ubuntu 20.04.
==== Ubuntu 20.04 ====
<code bash>
sudo -i
apt install squid
apt list -a squid
</code>
<code>
root@iiidevops1:~# apt list -a squid
Listing... Done
squid/focal-updates,focal-security,now 4.10-1ubuntu1.2 amd64 [installed]
squid/focal 4.10-1ubuntu1 amd64
</code>
==== CentOS 7 ====
<code bash>
su - root
yum install -y squid httpd-tools
</code>
<code>
[root@ct-squid ~]# rpm -q squid
squid-3.5.20-12.el7.x86_64
</code>
===== Configuration File =====
* Allow proxying of ftp
* Allow SSL proxying (CONNECT) for https on port 7443
* Allow http proxying for Google Talk on port 5222
* Assume that only clients from the IP ranges 61.67.71.0/24 and 220.130.131.238 may use the proxy
* Accept the SVN extension methods REPORT MERGE MKACTIVITY CHECKOUT
<code>
:
ftp_user wwwuser@ichiayi.com
:
acl SSL_ports port 443 7443
:
acl Safe_ports port 443             # https
acl Safe_ports port 7443            # https-g2b2c
acl Safe_ports port 5222            # GoogleTalk
:
acl our_networks src 61.67.71.0/24 220.130.131.238/32
http_access allow our_networks
:
</code>
* To let every IP use the proxy (an open proxy), add the following
<code>
:
# all networks
acl all_networks src all
:
# allow all
http_access allow all_networks
# And finally deny all other access to this proxy
:
</code>
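A small audit of the ACL rules above, both the Safe_ports/SSL_ports/our_networks rules of this section and the open-proxy variant, added here as an example (it is not part of this page or of Squid). It writes a constructed squid.conf fragment, then checks whether any reachable `http_access allow` rule matches every client (what `allow all_networks` does), whether the final rule is the `deny all` fallback, and whether every SSL_ports entry is also listed in Safe_ports; the function names are my own.

```shell
#!/bin/sh
# Write a constructed squid.conf fragment (not copied from any real host):
# the ACLs from this page, plus "allow all_networks" when $2 is "open".
write_sample_conf() {  # $1 = output path, $2 = open|closed
  {
    echo 'acl SSL_ports port 443 7443'
    echo 'acl Safe_ports port 80          # http'
    echo 'acl Safe_ports port 443         # https'
    echo 'acl Safe_ports port 5222        # GoogleTalk'
    echo 'acl our_networks src 61.67.71.0/24 220.130.131.238/32'
    echo 'acl all_networks src all'
    echo 'http_access deny !Safe_ports'
    echo 'http_access deny CONNECT !SSL_ports'
    echo 'http_access allow our_networks'
    if [ "$2" = open ]; then echo 'http_access allow all_networks'; fi
    echo 'http_access deny all'
  } > "$1"
}

# Exit 0 when a reachable "http_access allow" rule matches every client,
# i.e. the built-in "all" ACL or any ACL defined as "src all".  Rules after
# "http_access deny all" are never reached, so they are ignored.
is_open_proxy() {  # $1 = squid.conf path
  awk '
    $1 == "acl" && $3 == "src" && $4 == "all" { catchall[$2] = 1 }
    $1 == "http_access" && $2 == "deny" && $3 == "all" { blocked = 1 }
    $1 == "http_access" && $2 == "allow" && !blocked {
      for (i = 3; i <= NF && $i != "#"; i++)
        if ($i == "all" || ($i in catchall)) found = 1
    }
    END { exit found ? 0 : 1 }' "$1"
}

# Exit 0 when the last http_access rule is the "deny all" fallback.
has_final_deny_all() {  # $1 = squid.conf path
  awk '$1 == "http_access" { last = $2 " " $3 }
       END { exit (last == "deny all") ? 0 : 1 }' "$1"
}

# Print SSL_ports entries absent from Safe_ports: CONNECT to such a port is
# rejected by "deny !Safe_ports" before the SSL_ports rule is consulted.
ssl_ports_missing_from_safe() {  # $1 = squid.conf path
  awk '
    $1 == "acl" && $2 == "SSL_ports"  { for (i = 4; i <= NF && $i != "#"; i++) ssl[$i] = 1 }
    $1 == "acl" && $2 == "Safe_ports" { for (i = 4; i <= NF && $i != "#"; i++) safe[$i] = 1 }
    END { for (p in ssl) if (!(p in safe)) print p }' "$1"
}
```

Run the checks against the mounted ./conf/squid.conf as well; the sample deliberately leaves 7443 out of Safe_ports to show why this page adds the `acl Safe_ports port 7443` line.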
* If proxy users need a username and password, apply the following
<code bash>
vi /etc/squid/squid.conf
</code>
<code>
:
auth_param basic program /usr/lib64/squid/basic_ncsa_auth /etc/squid/passwd
:
acl password proxy_auth REQUIRED
http_access allow password
:
</code>
* Creating the first account
<code bash>
htpasswd -c /etc/squid/passwd jonathan
</code>
* Creating further accounts or changing a password
<code bash>
htpasswd /etc/squid/passwd tryweb
</code>
===== First Start and Enabling Autostart =====
<code bash>
systemctl restart squid.service
systemctl enable squid.service
</code>
* To see how the proxy is being accessed, look at the records in /var/log/squid/access.log
* When Squid fails to start, the output of systemctl status squid.service usually shows the problem and the fix
===== References =====
* http://spyker729.blogspot.com/2011/01/ubuntusquid-proxy-server.html
* https://hub.docker.com/r/ubuntu/squid
* https://www.gushiciku.cn/pl/pXRg/zh-tw
{{tag>squid proxy 安裝}}