====== Squid Proxy Server Installation and Configuration ======

<WRAP center round important 60%>
  * An OpenVAS host vulnerability scan reports **Squid Multiple 0-Day Vulnerabilities (Oct 2023)**
  * [[tech/tinyproxy]] is currently used in place of Squid
</WRAP>

====== Using docker compose ======

  * Uses the [[https://hub.docker.com/r/ubuntu/squid|ubuntu/squid image]]

<cli>
vi docker-compose.yml
</cli><file>
services:
  squid:
    image: ubuntu/squid:latest
    hostname: squid
    container_name: squid
    environment:
      - TZ=Asia/Taipei
    ports:
      - 3128:3128
#    volumes:
#      - './conf/squid.conf:/etc/squid/squid.conf:ro'
#      - './conf/passwords:/etc/squid/passwords:ro'
    restart: always
</file><cli>
docker compose up -d
</cli>

  - Copy squid.conf out of the container so it can be edited and mounted afterwards <cli>
mkdir -p conf
docker cp squid:/etc/squid/squid.conf ./conf/
</cli>
  - Edit docker-compose.yml so the copied squid.conf is mounted read-only <file>
services:
  squid:
    image: ubuntu/squid:latest
    hostname: squid
    container_name: squid
    environment:
      - TZ=Asia/Taipei
    ports:
      - 3128:3128
    volumes:
      - './conf/squid.conf:/etc/squid/squid.conf:ro'
#      - './conf/passwords:/etc/squid/passwords:ro'
    restart: always
</file>
  - Edit squid.conf <cli>
vi ./conf/squid.conf</cli><file>
:
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443 8006
acl Safe_ports port 8006 # PVE manager
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
:
# For example, to allow access from your local networks, you may uncomment the
# following rule (and/or add rules that match your definition of "local"):
http_access allow localnet
:
</file>

  * Restart docker compose <cli>
docker compose restart
</cli>

==== Q1: Changing /etc/hosts inside the container ====

  * Reference - https://stackoverflow.com/questions/74014600/custom-etc-hosts-file-in-dockerfile

  - Add extra_hosts: to docker-compose.yml
  - List the hostname and IP pairs to map, e.g. "www.ichiayi.com:192.168.11.133" "web.ichiayi.com:192.168.11.134"
  - Example: <file>
services:
  squid:
    image: ubuntu/squid:latest
    hostname: squid
    container_name: squid
    environment:
      - TZ=Asia/Taipei
    extra_hosts:
      - "www.ichiayi.com:192.168.11.133"
      - "web.ichiayi.com:192.168.11.134"
    ports:
      - 3128:3128
    volumes:
      - './conf/squid.conf:/etc/squid/squid.conf:ro'
#      - './conf/passwords:/etc/squid/passwords:ro'
    restart: always
</file>
  - Recreate the container with docker compose <cli>
docker compose up -d
</cli>

====== Standard Installation Procedure ======

The following covers installing and configuring Squid Proxy Server on CentOS 7 and Ubuntu 20.04.

==== Ubuntu 20.04 ====

<cli>
sudo -i
apt install squid
apt list -a squid
</cli>

<cli>
root@iiidevops1:~# apt list -a squid
Listing... Done
squid/focal-updates,focal-security,now 4.10-1ubuntu1.2 amd64 [installed]
squid/focal 4.10-1ubuntu1 amd64
</cli>

==== CentOS 7 ====

<cli>
su - root
yum install -y squid httpd-tools
</cli>

<cli>
[root@ct-squid ~]# rpm -q squid
squid-3.5.20-12.el7.x86_64
</cli>

===== Configuration File Settings =====

  * Allow FTP proxying
  * Allow HTTPS (SSL proxying) on port 7443
  * Allow Google Talk to use HTTP proxying on port 5222
  * Assume only clients from 61.67.71.0/24 and 220.130.131.238 are allowed to use the proxy
  * Allow the SVN extension methods REPORT MERGE MKACTIVITY CHECKOUT

<code |h vi /etc/squid/squid.conf>
:
ftp_user wwwuser@ichiayi.com
:
acl SSL_ports port 443 7443
:
acl Safe_ports port 443 # https
acl Safe_ports port 7443 # https-g2b2c
acl Safe_ports port 5222 # GoogleTalk
:
acl our_networks src 61.67.71.0/24 220.130.131.238/32
http_access allow our_networks
:
</code>

  * To let every IP address use the proxy (a public, open proxy), add the following settings <file>
:
# all networks
acl all_networks src all
:
# allow all
http_access allow all_networks
# And finally deny all other access to this proxy
:
</file>
  * To require a username and password for proxy users, apply this part <cli>
vi /etc/squid/squid.conf
</cli><file>
:
auth_param basic program /usr/lib64/squid/basic_ncsa_auth /etc/squid/passwd
:
acl password proxy_auth REQUIRED
http_access allow password
:
</file>
  * Create the first account (-c creates the password file) <cli>
htpasswd -c /etc/squid/passwd jonathan
</cli>
  * Add further accounts or change a password afterwards <cli>
htpasswd /etc/squid/passwd tryweb
</cli>

===== First Start and Enabling Start at Boot =====

<cli>
systemctl restart squid.service
systemctl enable squid.service
</cli>

<WRAP center round tip 60%>
  * To see how the proxy is being accessed, check the records in /var/log/squid/access.log
  * If the service fails to start, the output of systemctl status squid.service usually shows the problem and how to resolve it
</WRAP>

===== References =====

  * http://spyker729.blogspot.com/2011/01/ubuntusquid-proxy-server.html
  * https://hub.docker.com/r/ubuntu/squid
  * https://www.gushiciku.cn/pl/pXRg/zh-tw

{{tag>squid proxy 安裝}}

tech/squid.txt Last modified: 2024/09/26 17:57 by jonathan
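
Added example (not part of the original page and not Squid's own tooling): a Python check for the http_access rules configured above, reporting every reachable allow rule that admits clients from any source address without proxy_auth. The function names and the two sample configurations are constructed for illustration, and only src and proxy_auth ACLs are treated as restricting a client.

```python
import ipaddress

def _any_source(acls, name):
    """True if `name` is a src ACL that matches every client address."""
    kind, values = acls.get(name, ("", []))
    for v in values if kind == "src" else []:
        try:
            if v == "all" or ipaddress.ip_network(v, strict=False).prefixlen == 0:
                return True
        except ValueError:
            pass  # address ranges and file includes are treated as restrictive
    return False

def find_open_allow_rules(conf_text):
    """Return [(line_no, rule)] for each reachable 'http_access allow' that admits
    clients from any source address without requiring proxy_auth."""
    lines = [l.split("#", 1)[0].split() for l in conf_text.splitlines()]
    acls = {"all": ("src", ["all"])}  # 'all' is built in to Squid
    for tok in lines:  # pass 1: acl lines sharing a name are ORed together
        if len(tok) >= 3 and tok[0] == "acl":
            kind, values = acls.get(tok[1], (tok[2], []))
            acls[tok[1]] = (kind, values + tok[3:])
    findings = []
    for no, tok in enumerate(lines, 1):  # pass 2: first matching rule wins
        if len(tok) < 3 or tok[0] != "http_access":
            continue
        names = [n for n in tok[2:] if not n.startswith("!")]  # negated: non-restricting
        limited = any(acls.get(n, ("", []))[0] == "proxy_auth"
                      or (acls.get(n, ("", []))[0] == "src" and not _any_source(acls, n))
                      for n in names)
        if tok[1] == "allow" and not limited:
            findings.append((no, " ".join(tok)))
        if tok[1] == "deny" and all(_any_source(acls, n) for n in tok[2:]):
            break  # an unconditional deny makes later rules unreachable
    return findings

# Constructed samples modelled on the rules shown on this page.
RESTRICTED = """\
acl Safe_ports port 443 7443 5222
acl our_networks src 61.67.71.0/24 220.130.131.238/32
acl password proxy_auth REQUIRED
http_access deny !Safe_ports
http_access allow our_networks
http_access allow password
http_access deny all
"""
OPEN = "acl all_networks src all\nhttp_access allow all_networks\n" + RESTRICTED
if __name__ == "__main__":
    print(find_open_allow_rules(RESTRICTED), find_open_allow_rules(OPEN))
```

Run it against ./conf/squid.conf before restarting the container or service; an empty result means no reachable allow rule is open to arbitrary unauthenticated clients.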