使用squid搭建https透明代理

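#
# Recommended minimum configuration:
#

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed.
#
# Every range named "localnet" is granted proxy access further down by
# "http_access allow localnet". The iptables rules on this page only
# redirect 192.168.0.0/24, so the other ranges look like stock defaults;
# NOTE(review): drop the ones that do not exist behind this gateway.
acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/24 # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines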


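# Port ACLs. The syntax is "acl NAME port VALUE": the type keyword and the
# port number are separate tokens.
#
# SSL_ports is the only set of ports that CONNECT may reach (enforced by
# "http_access deny CONNECT !SSL_ports"); keep it as narrow as possible.
acl SSL_ports port 443

# Safe_ports lists the destination ports the proxy will talk to at all.
# The 1025-65535 range is the stock default and is broad.
# NOTE(review): tighten it if clients only need ordinary web ports.
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http

acl CONNECT method CONNECT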


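#
# Recommended minimum Access Permission configuration:
#
# http_access rules are evaluated top to bottom and the first match wins,
# so the deny rules must stay ahead of the allow rules below.

# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost
# NOTE(review): this is still commented out. If the gateway runs any
# service bound to localhost, enable it so clients cannot reach that
# service through the proxy.

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost

# And finally deny all other access to this proxy.
# The action and the ACL name are two tokens ("deny all"); this final rule
# is what keeps the proxy from being usable by arbitrary sources.
http_access deny all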


# Squid normally listens to port 3128
# (forward-proxy port for clients that are explicitly configured to use the proxy).

http_port 3128


# Interception listeners. The nat PREROUTING rules shown later on this page
# redirect client traffic for ports 80 and 443 to 3129 and 3130.

http_port 3129 intercept

# TLS interception (ssl-bump). With generate-host-certificates=on the
# certificate and key given here act as a signing CA: Squid mints a
# certificate for each host a client visits and signs it with this key.
#  - Clients only accept those certificates after this CA has been installed
#    as trusted on them; do that only on devices you administer, with the
#    users' knowledge.
#  - Anyone who obtains server.key can impersonate any site to those clients.
#    Keep the file readable only by the account Squid runs as, and use a CA
#    created just for this proxy.
#  - NOTE(review): in Squid 3.x version=1 is documented as automatic protocol
#    selection; check that legacy SSL versions are disabled via the options=
#    parameter. Confirm against the installed release.

https_port 3130 intercept cert=/usr/local/squid/etc/cert/server.crt key=/usr/local/squid/etc/cert/server.key version=1 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

# Earlier variant kept for reference (not active).

#https_port 3130 transparent cert=/usr/local/squid/etc/cert/selfca.der key=/usr/local/squid/etc/cert/selfca.pem

ftp_port 3131 intercept


# Bump every intercepted TLS connection: Squid contacts the origin server
# first, then presents a generated certificate to the client. All traffic,
# including credentials, is then visible in clear text on the proxy.
# NOTE(review): "all" leaves no exemptions. Consider an ACL of destinations
# that must not be decrypted (banking, health, certificate-pinned apps) placed
# in an ssl_bump rule ahead of this one. server-first is the Squid 3.3/3.4
# style; newer releases use peek/splice/bump steps instead.

ssl_bump server-first all

# Helper that generates and caches the per-host certificates.
# -s is the certificate database directory, -M its maximum size.
# NOTE(review): the database has to be initialised before first start and be
# owned by the account Squid runs as; it is not created by this file.

sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s /var/lib/ssl_db -M 4MB

sslcrtd_children 8 startup=1 idle=1


# Uncomment and adjust the following to add a disk cache directory.
# NOTE(review): with ssl-bump active, decrypted HTTPS responses pass through
# the same caching logic; if a disk cache is enabled, restrict access to its
# directory accordingly.

#cache_dir ufs /usr/local/squid/var/cache/squid 100 16 256


# Leave coredumps in the first cache dir
# (core files can contain decrypted traffic and key material; keep this
# directory private to the Squid account).

coredump_dir /usr/local/squid/var/cache/squid


#
# Add any of your own refresh_pattern entries above these.
# Fields: regex, minimum age (minutes), percent of object age, maximum age (minutes).
#

refresh_pattern ^ftp:           1440    20%     10080

refresh_pattern ^gopher:        1440    0%      1440

refresh_pattern -i (/cgi-bin/|\?) 0     0%      0

refresh_pattern .               0       20%     4320


# Host name Squid reports about itself. test.com looks like a placeholder;
# replace it with the gateway's real name.

visible_hostname test.com



[root@dev etc]# iptables-save

# Generated by iptables-save v1.4.7 on Fri Oct 28 14:58:10 2016

# filter table.
# INPUT policy is ACCEPT: nothing here limits who can reach the gateway's own
# ports (including Squid's 3128), so access control rests on Squid's ACLs.
# NOTE(review): consider restricting INPUT to the client interface/subnet.
# FORWARD policy is DROP and only UDP port 53 is let through, so routed
# client traffic other than DNS-over-UDP is discarded. Redirected HTTP and
# HTTPS are delivered locally to Squid and therefore do not traverse FORWARD.

*filter

:INPUT ACCEPT [11287:1837455]

:FORWARD DROP [627:37845]

:OUTPUT ACCEPT [12229:3244822]

-A FORWARD -p udp -m udp --dport 53 -j ACCEPT 

-A FORWARD -p udp -m udp --sport 53 -j ACCEPT 

COMMIT

# Completed on Fri Oct 28 14:58:10 2016

# Generated by iptables-save v1.4.7 on Fri Oct 28 14:58:10 2016

# nat table.
# TCP 80 and 443 from 192.168.0.0/24 arriving on wlan0 are redirected to
# Squid's intercept ports 3129 and 3130. Everything leaving via eth0 is
# masqueraded behind the gateway's address.
# NOTE(review): only IPv4 is covered here; no ip6tables rules are shown, so
# check whether clients have an IPv6 path that bypasses the proxy.

*nat

:PREROUTING ACCEPT [832:59702]

:POSTROUTING ACCEPT [3:144]

:OUTPUT ACCEPT [2469:119333]

-A PREROUTING -s 192.168.0.0/24 -i wlan0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3129 

-A PREROUTING -s 192.168.0.0/24 -i wlan0 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3130 

-A POSTROUTING -o eth0 -j MASQUERADE 

COMMIT

# Completed on Fri Oct 28 14:58:10 2016

# Generated by iptables-save v1.4.7 on Fri Oct 28 14:58:10 2016

# mangle table.
# mangle PREROUTING is traversed before nat PREROUTING, so these two rules
# drop packets addressed directly to 3129/3130, while redirected traffic
# (still destined to 80/443 at this point) passes. This keeps clients from
# connecting straight to the interception ports.

*mangle

:PREROUTING ACCEPT [95433:29957319]

:INPUT ACCEPT [88691:28329249]

:FORWARD ACCEPT [6644:1618880]

:OUTPUT ACCEPT [81571:24890703]

:POSTROUTING ACCEPT [86820:26418963]

-A PREROUTING -p tcp -m tcp --dport 3129 -j DROP 

-A PREROUTING -p tcp -m tcp --dport 3130 -j DROP 

COMMIT

# Completed on Fri Oct 28 14:58:10 2016


[root@dev etc]# sysctl -w net.ipv4.ip_forward=1

net.ipv4.ip_forward = 1


参考链接:

http://wiki.squid-cache.org/Features/HTTPS

https://www.tectut.com/2015/08/configure-squid-as-http-and-https-transparent-proxy/
