在centos下很容易就可以搭建好一个HTTP代理服务器,搭建一个socks5代理更是简单的不用说

不管是测试用途还是自己使用,Squid都是一个很不错的代理工具!他支持正向代理,反向代理,还有透明代理!老高最近搭建了一个简单的squid的正向代理,随便记记笔记!

如果只是想使用代理而不需要认证功能,tinyproxy也是不错的选择!

安装

安装狠简单!

yum install squid -y
yum install httpd-tools -y

生成密码文件

mkdir /etc/squid3/
# laogao 是用户名
htpasswd -cd /etc/squid3/passwords laogao
# 提示输入密码,在此老高设密码为 phpgao
# 注意密码不要超过8位

测试密码文件

/usr/lib64/squid/basic_ncsa_auth /etc/squid3/passwords
# 输入 用户名 密码
laogao phpgao
# 提示OK说明成功,ERR是有问题,请检查一下之前步骤
OK

# 测试完成,crtl + c 打断

配置

vim /etc/squid/squid.conf

# 在最后添加

auth_param basic program /usr/lib64/squid/basic_ncsa_auth /etc/squid3/passwords
auth_param basic realm proxy
acl authenticated proxy_auth REQUIRED
http_access allow authenticated

# 这里是端口号,可以按需修改
# http_port 3128 这样写会同时监听ipv6和ipv4的端口,推荐适应下面的配置方法。
http_port 0.0.0.0:3128

权限控制

squid的权限控制很灵活,具体配置方法可以参考官方文档,或者Squid中文权威指南,具体工作原理有点像iptables,用规则去卡控流量。默认的配置只能允许内网用户访问,如果有更多需求,你还可以指定很多规则!

acl Foo src 8.8.8.88
# 以下例子来自Squid中文权威指南
acl Foo src 172.16.44.21/255.255.255.255 
acl Foo src 172.16.44.21/32
acl Foo src 172.16.44.21
acl Xyz src 172.16.55.32/255.255.255.248   
acl Xyz src 172.16.55.32/28
acl Bar src 172.16.66.0/255.255.255.0
acl Bar src 172.16.66.0/24
acl Bar src 172.16.66.0

如果看不懂,并且只是想用暂时试试squid的功能,老高有一个万金油方法:

# 这个IP地址池匹配所有可能的IP地址,但是这样做是有风险的,因为所有人都可以使用你的代理了,不要怪老高没有提醒啊!
acl localnet src 0.0.0.1-255.255.255.255

日志

squid的日志默认是打开的,位于目录/var/log/squid/,当然这个地址还有日志的格式都是可以完全自定义的!具体还是看文档吧。

liguangping ll /var/log/squid/
total 52K
-rw-r----- 1 squid squid  14K May 25 11:50 access.log
-rw-r----- 1 squid squid 6.0K May 20 17:14 access.log-20160522.gz
-rw-r----- 1 squid squid  23K May 25 11:50 cache.log
-rw-r----- 1 squid squid 1.2K May 20 11:22 cache.log-20160522.gz

启动服务

# 启动
systemctl start squid.service
# 停止
systemctl stop squid.service
# 重启
systemctl restart squid.service

标签: proxy, squid

已有 8 条评论

  1. Jony Jony

    您好,问一下
    我可以正常启动,但是实际测试是无法联网的

    这是我的 squid.conf

    #
    # Recommended minimum configuration:
    #

    # Example rule allowing access from your local networks.
    # Adapt to list your (internal) IP networks from where browsing
    # should be allowed
    acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
    acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
    acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
    acl localnet src fc00::/7 # RFC 4193 local private network range
    acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines

    acl SSL_ports port 443
    acl Safe_ports port 80 # http
    acl Safe_ports port 21 # ftp
    acl Safe_ports port 443 # https
    acl Safe_ports port 70 # gopher
    acl Safe_ports port 210 # wais
    acl Safe_ports port 1025-65535 # unregistered ports
    acl Safe_ports port 280 # http-mgmt
    acl Safe_ports port 488 # gss-http
    acl Safe_ports port 591 # filemaker
    acl Safe_ports port 777 # multiling http
    acl CONNECT method CONNECT

    acl Foo src 8.8.8.88
    # 以下例子来自Squid中文权威指南
    acl Foo src 172.16.44.21/255.255.255.255
    acl Foo src 172.16.44.21/32
    acl Foo src 172.16.44.21
    acl Xyz src 172.16.55.32/255.255.255.248
    acl Xyz src 172.16.55.32/28
    acl Bar src 172.16.66.0/255.255.255.0
    acl Bar src 172.16.66.0/24
    acl Bar src 172.16.66.0
    #
    # Recommended minimum Access Permission configuration:
    #
    # Deny requests to certain unsafe ports
    http_access deny !Safe_ports

    # Deny CONNECT to other than secure SSL ports
    http_access deny CONNECT !SSL_ports

    # Only allow cachemgr access from localhost
    http_access allow localhost manager
    http_access deny manager

    # We strongly recommend the following be uncommented to protect innocent
    # web applications running on the proxy server who think the only
    # one who can access services on "localhost" is a local user
    #http_access deny to_localhost

    #
    # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
    #

    # Example rule allowing access from your local networks.
    # Adapt localnet in the ACL section to list your (internal) IP networks
    # from where browsing should be allowed
    http_access allow localnet
    http_access allow localhost

    # And finally deny all other access to this proxy
    http_access deny all

    # Squid normally listens to port 3128
    http_port 3128

    # Uncomment and adjust the following to add a disk cache directory.
    #cache_dir ufs /var/spool/squid 100 16 256

    # Leave coredumps in the first cache dir
    coredump_dir /var/spool/squid

    #
    # Add any of your own refresh_pattern entries above these.
    #
    refresh_pattern ^ftp: 1440 20% 10080
    refresh_pattern ^gopher: 1440 0% 1440
    refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
    refresh_pattern . 0 20% 4320

    # 在最后添加

    auth_param basic program /usr/lib64/squid/basic_ncsa_auth /etc/squid3/passwords
    auth_param basic realm proxy
    acl authenticated proxy_auth REQUIRED
    http_access allow authenticated

    回复
  2. 一个 一个

    问一下,您的squid 用的哪个版本? ncsa模块不需要编译吗?

    回复
    1. 老高 老高

      默认仓库里的

      回复
  3. 小李 小李

    squid服务启动不了啊

    回复
    1. 老高 老高

      看看错误日志

      回复
  4. axios axios

    内网代理是没问题的,但是外网好像就不行了额

    回复
    1. 老高 老高

      看你绑定的网卡和防火墙的设置了

      回复

添加新评论