CentOS 7 Linux Squid transparent proxy HTTP/HTTPS configuration
# cat /etc/redhat-release
CentOS Linux release 7.5.1804 (Core)
Enable IP forwarding (persist it in sysctl.conf and apply it immediately):
echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
sysctl -p
sysctl -w net.ipv4.ip_forward=1
Install directly with yum:
# yum -y install squid
Check the version:
# squid -v
Squid Cache: Version 3.5.20
Service Name: squid
configure options: '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--disable-strict-error-checking' '--exec_prefix=/usr' '--libexecdir=/usr/lib64/squid' '--localstatedir=/var' '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid' '--with-logdir=$(localstatedir)/log/squid' '--with-pidfile=$(localstatedir)/run/squid.pid' '--disable-dependency-tracking' '--enable-eui' '--enable-follow-x-forwarded-for' '--enable-auth' '--enable-auth-basic=DB,LDAP,MSNT-multi-domain,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB,SMB_LM,getpwnam' '--enable-auth-ntlm=smb_lm,fake' '--enable-auth-digest=file,LDAP,eDirectory' '--enable-auth-negotiate=kerberos' '--enable-external-acl-helpers=file_userip,LDAP_group,time_quota,session,unix_group,wbinfo_group,kerberos_ldap_group' '--enable-cache-digests' '--enable-cachemgr-hostname=localhost' '--enable-delay-pools' '--enable-epoll' '--enable-ident-lookups' '--enable-linux-netfilter' '--enable-removal-policies=heap,lru' '--enable-snmp' '--enable-ssl-crtd' '--enable-storeio=aufs,diskd,rock,ufs' '--enable-wccpv2' '--enable-esi' '--enable-ecap' '--with-aio' '--with-default-user=squid' '--with-dl' '--with-openssl' '--with-pthreads' '--disable-arch-native' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'CFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -fpie' 'LDFLAGS=-Wl,-z,relro -pie -Wl,-z,relro -Wl,-z,now' 'CXXFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -fpie' 'PKG_CONFIG_PATH=:/usr/lib64/pkgconfig:/usr/share/pkgconfig'
Back up the default squid.conf (with comments and blank lines stripped):
cat squid.conf|sed '/^#/d'|sed '/^$/d' > squid.default.conf
The options from the help text that get used most are -f and -k:
# squid -help
Usage: squid [-cdhvzCFNRVYX] [-n name] [-s | -l facility] [-f config-file] [-[au] port] [-k signal]
       -a port   Specify HTTP port number (default: 3128).
       -d level  Write debugging to stderr also.
       -f file   Use given config-file instead of /etc/squid/squid.conf
       -h        Print help message.
       -k reconfigure|rotate|shutdown|restart|interrupt|kill|debug|check|parse
                 Parse configuration file, then send signal to running copy (except -k parse) and exit.
Here is my final configuration as-is; it took me a whole midday of repeated testing and fiddling to get there:
# cat /etc/squid/squid.conf
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 443 # https
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl CONNECT method CONNECT
http_access allow localnet
http_access allow localhost
http_access allow all
http_port 3127
http_port 3128 transparent
https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=16MB cert=/etc/squid/1_ key=/etc/squid/2_
/var/spool/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
A few key points. The ACLs can be adjusted to your own needs; for convenience I simply gave allow all.
http_port 3127
http_port 3128 transparent
https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=16MB cert=/etc/squid/1_ key=/etc/squid/2_
All three of these lines are needed for transparent proxying.
The normal startup log actually shows why it has to be done this way:
ports 3127, 3128 and 3129 each play a different role.
# tail -f /var/log/squid/cache.log
2021/03/05 19:09:41 kid1| DNS Socket created at 0.0.0.0, FD 10
2021/03/05 19:09:41 kid1| Adding domain localdomain from /etc/resolv.conf
2021/03/05 19:09:41 kid1| Adding nameserver 10.211.55.1 from /etc/resolv.conf
2021/03/05 19:09:41 kid1| helperOpenServers: Starting 5/32 'ssl_crtd' processes
2021/03/05 19:09:41 kid1| WARNING: No ssl_bump configured. Disabling ssl-bump on https_port [::]:3129
2021/03/05 19:09:41 kid1| HTCP Disabled.
2021/03/05 19:09:41 kid1| Finished loading MIME types and icons.
2021/03/05 19:09:41 kid1| Accepting HTTP Socket connections at local=[::]:3127 remote=[::] FD 22 flags=9
2021/03/05 19:09:41 kid1| Accepting NAT intercepted HTTP Socket connections at local=[::]:3128 remote=[::] FD 23 flags=41
2021/03/05 19:09:41 kid1| Accepting NAT intercepted HTTPS Socket connections at local=[::]:3129 remote=[::] FD 24 flags=41
Without 3127 the log warns:
kid1| ERROR: No forward-proxy ports configured.
There should also be a warning about ssl-bump here;
look it up and sort it out yourself. For the key I just grabbed one of my own, to save generating one with openssl.
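To make the three-port requirement and the cache.log messages above checkable before Squid is started, here is an added example (my own code, not part of the original post or of Squid) that lints a squid.conf for a plain forward-proxy http_port, an intercept http_port, an intercept https_port, ssl_bump rules behind any ssl-bump port, and an http_access allow all. The sample config is the post's squid.conf trimmed to the relevant lines; the finding strings mirror the ERROR and WARNING lines shown in the log.

```python
"""Lint a Squid 3.5 squid.conf for the transparent-proxy requirements:
one forward-proxy port, one intercept http_port, one intercept https_port,
ssl_bump rules behind any ssl-bump port, and no http_access allow all.
Added example; not the post's own tooling."""
from typing import Iterator, List, Tuple

# Constructed sample: the post's final squid.conf, reduced to the lines
# that matter for these checks (cert/key paths as shown on the page).
SAMPLE_CONF = """\
acl localnet src 10.0.0.0/8      # RFC1918 possible internal network
acl localnet src 192.168.0.0/16  # RFC1918 possible internal network
acl SSL_ports port 443
acl Safe_ports port 443          # https
acl Safe_ports port 21           # ftp
acl CONNECT method CONNECT
http_access allow localnet
http_access allow localhost
http_access allow all
http_port 3127
http_port 3128 transparent
https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=16MB cert=/etc/squid/1_ key=/etc/squid/2_
refresh_pattern . 0 20% 4320
"""


def directives(conf: str) -> Iterator[Tuple[str, List[str]]]:
    """Yield (directive, arguments) for every non-comment, non-blank line."""
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if line:
            name, *args = line.split()
            yield name, args


def lint(conf: str) -> List[str]:
    """Return human-readable findings; an empty list means every check passed."""
    forward, icpt_http, icpt_https, bump_ports = [], [], [], []
    ssl_bump_rules = 0
    allow_all = False
    for name, args in directives(conf):
        if name in ("http_port", "https_port"):
            port, opts = args[0], args[1:]
            # "transparent" is the older spelling of "intercept" in Squid 3.x
            intercept = any(o in ("intercept", "transparent") for o in opts)
            if not intercept:
                forward.append(port)
            elif name == "http_port":
                icpt_http.append(port)
            else:
                icpt_https.append(port)
            if "ssl-bump" in opts:
                bump_ports.append(port)
        elif name == "ssl_bump":
            ssl_bump_rules += 1
        elif name == "http_access" and args[:2] == ["allow", "all"]:
            allow_all = True

    findings = []
    if not forward:   # the kid1 ERROR the post sees when 3127 is missing
        findings.append("ERROR: No forward-proxy ports configured; add a plain http_port such as 3127")
    if not icpt_http:
        findings.append("no intercept http_port: the port-80 REDIRECT has nowhere to land")
    if not icpt_https:
        findings.append("no intercept https_port: the port-443 REDIRECT has nowhere to land")
    if bump_ports and ssl_bump_rules == 0:   # the WARNING seen in cache.log
        findings.append("WARNING: No ssl_bump configured; ssl-bump is disabled on port(s) " + ", ".join(bump_ports))
    if allow_all:
        findings.append("http_access allow all: anyone who can reach the proxy can use it; keep only the localnet/localhost allows")
    return findings


if __name__ == "__main__":
    for line in lint(SAMPLE_CONF) or ["OK: no findings"]:
        print(line)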
Configure the firewall:
A quick iptables setup:
--flush -F [chain] Delete all rules in chain or all chains
iptables -F
iptables -F -t nat
Both of the above flush the corresponding rules.
Next we need to redirect requests from the LAN, that is, from the segment to be proxied, to ports 3128 and 3129.
Port 80 traffic from the internal network is mapped to port 3128 on the squid server, and 443 to 3129:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-ports 3128
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-ports 3129
Note why it is eth0 above: my test host sits on that segment, at 10.211.55.3.
# ip a   (eth0 only, trimmed)
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
inet 10.211.55.3/24 brd 10.211.55.255 scope global noprefixroute dynamic eth0
Check the nat table:
iptables -t nat --list-rules
For testing, on my other host I deleted the default route and pointed it at this squid host:
route del default gw 10.211.55.1
route add default gw 10.211.55.3
Relevant logs:
/var/log/squid/access.log
/var/log/squid/cache.log
For startup errors, reading the error message and the log is enough:
# /usr/sbin/squid -f /etc/squid/squid.conf -k check
# /usr/sbin/squid -f /etc/squid/squid.conf -k reconfigure
Start:
/usr/sbin/squid -f /etc/squid/squid.conf
# netstat -nltp|grep squid
tcp6 0 0 :::3129 :::* LISTEN 5241/(squid-1)
tcp6 0 0 :::3127 :::* LISTEN 5241/(squid-1)
tcp6 0 0 :::3128 :::* LISTEN 5241/(squid-1)
You can also check the process.
Errors hit along the way, and their fixes:
FATAL: The ssl_crtd helpers are crashing too rapidly, need help!
1806 2021-03-05 15:52:29:::/usr/lib64/squid/ssl_crtd
1807 2021-03-05 15:52:48:::/usr/lib64/squid/ssl_crtd -c -s /var/lib/ssl_db
1808 2021-03-05 15:52:57:::chown squid:squid /var/lib/ssl_db
For testing I just use curl:
curl -klv
curl -klv
After configuring SSL in nginx, an error: nginx: [warn] the "ssl" directive is deprecated, use the "listen ... ssl"
This is because the latest version no longer supports ssl on; that directive is obsolete, so use listen 443 ssl; instead.
++++++++++ Aside: some nginx configuration, in case nginx is to be used to implement the proxy ++++++++++
Key point: ssl on has, because of the version, become use the "listen ... ssl"
centos7 root@parallels:/usr/local/nginx/conf/vhosts# cat forward.conf
server {
    listen 3128 ssl;
    access_log /usr/local/nginx/logs/proxy-access.log main;
    error_log /usr/local/nginx/logs/error.log;
    ssl_certificate /usr/local/nginx/conf/sslkey/bppstore.com.pem;
    ssl_certificate_key /usr/local/nginx/conf/sslkey/bppstore.com.key;
    ssl_session_timeout 5m;
    #ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;   # keep either this line or the next one
    ssl_protocols TLSv1;
    ssl_ciphers RC4:HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    # dns resolver used by forward proxying
    resolver 119.29.29.29 valid=60s ipv6=off;
    # forward proxy for CONNECT request
    proxy_connect;
    proxy_connect_allow 443 563;   # add 80 here as well
    proxy_connect_connect_timeout 10s;
    proxy_connect_read_timeout 10s;
    proxy_connect_send_timeout 10s;
    # forward proxy for non-CONNECT request
    location / {
        proxy_pass ;
        proxy_set_header Host $host;
    }
}
Reload nginx:
/usr/local/nginx/sbin/nginx -s reload
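The forward.conf above enables only TLSv1 and puts RC4 first in ssl_ciphers, and the post also ran into the deprecated ssl on directive. As an added example (my own code, not the post's or nginx's), the following script audits a server block for those three settings and shows the same block corrected. Both configs are constructed from the TLS lines of the post's forward.conf; the certificate paths are the ones on the page, and the TLSv1.3 entry in the corrected block assumes an nginx built against OpenSSL 1.1.1 or later.

```python
"""Audit an nginx server block for the deprecated ``ssl on`` directive and
for weak TLS settings, with the same block shown corrected.
Added example; not part of the original post."""
import re
from typing import Dict, List

# Constructed sample: the TLS-related lines of the post's forward.conf.
WEAK_CONF = """\
server {
    listen 3128 ssl;
    ssl_certificate /usr/local/nginx/conf/sslkey/bppstore.com.pem;
    ssl_certificate_key /usr/local/nginx/conf/sslkey/bppstore.com.key;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1;
    ssl_ciphers RC4:HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
}
"""

# The same block corrected (constructed): TLS 1.2+ only and RC4 excluded.
# TLSv1.3 needs nginx built against OpenSSL 1.1.1+; on a stock CentOS 7
# OpenSSL 1.0.2 build keep "ssl_protocols TLSv1.2;" alone.
FIXED_CONF = """\
server {
    listen 3128 ssl;
    ssl_certificate /usr/local/nginx/conf/sslkey/bppstore.com.pem;
    ssl_certificate_key /usr/local/nginx/conf/sslkey/bppstore.com.key;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5:!RC4;
    ssl_prefer_server_ciphers on;
}
"""

OBSOLETE_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# One simple "name value...;" directive per line; blocks and comments are skipped.
DIRECTIVE_RE = re.compile(r"^\s*([A-Za-z_]+)\s+(.*?)\s*;\s*$")


def directives(conf: str) -> Dict[str, List[str]]:
    """Map each simple directive to its argument list (comments dropped)."""
    found: Dict[str, List[str]] = {}
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0]
        m = DIRECTIVE_RE.match(line)
        if m:
            found[m.group(1)] = m.group(2).split()
    return found


def audit(conf: str) -> List[str]:
    """Return findings for the block; an empty list means nothing to fix."""
    d = directives(conf)
    findings = []
    if d.get("ssl") == ["on"]:   # deprecated since nginx 1.15.0 (the warning the post hit)
        findings.append('"ssl on" is deprecated: use "listen ... ssl" instead')
    bad = [p for p in d.get("ssl_protocols", []) if p in OBSOLETE_PROTOCOLS]
    if bad:
        findings.append("obsolete protocol(s) enabled: " + " ".join(bad) + "; allow TLSv1.2 and TLSv1.3 only")
    # OpenSSL cipher-list syntax: colon-separated, "!" prefix removes a group.
    ciphers = d.get("ssl_ciphers", [""])[0].split(":")
    if any(c.startswith("RC4") for c in ciphers):
        findings.append("RC4 cipher suites enabled; RC4 is prohibited for TLS (RFC 7465)")
    return findings


if __name__ == "__main__":
    print("weak block:", audit(WEAK_CONF))
    print("fixed block:", audit(FIXED_CONF))
```

Run it as a file to see the two findings for the post's block and none for the corrected one; the same audit can be pointed at any other vhost file by reading it into a string.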
Configure an SSL-enabled setup:
centos7 root@parallels:/usr/local/nginx/conf/vhosts# tail -f /usr/local/nginx/logs/proxy-access.log
The request from node2 then goes through fine:
node2 root@node2:~# curl -klv
10.211.55.6 - - [05/Mar/2021:14:47:53 +0800] "GET / HTTP/1.1" 200 2381 "-" "curl/7.29.0" "-"