Status: the https proxy works, but I could not confirm that caching works as well (HIT just refuses to show up!!!)



Step 1. Install the squid, openssl and bind packages

# yum install bind squid openssl 


Step 2. Generate the SSL key and certificate (a server copy and a client copy), valid for 1 year

# mkdir /etc/squid/ssl_cert

# chown -R squid.squid /etc/squid/ssl_cert

# cd /etc/squid/ssl_cert

# openssl req -new -newkey rsa:2048 -sha256 -days 365 -nodes -x509 -extensions v3_ca -keyout proxyCA.pem  -out proxyCA.pem

# openssl x509 -in proxyCA.pem -outform DER -out proxyCA.der  


Step 3. Create the SSL_DB (the certificate database for ssl_crtd)

# /usr/lib64/squid/ssl_crtd -c -s /var/lib/ssl_db

# chown -R squid.squid /var/lib/ssl_db


Step 4. Configure bind

# vim /etc/named.conf

//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

acl mynet {
    192.168.201.0/24; # test network
    127.0.0.1;        # localhost
};

options {
    listen-on {
        mynet;
    };
    listen-on-v6 port 53 { ::1; };
    directory          "/var/named";
    dump-file          "/var/named/data/cache_dump.db";
    statistics-file    "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    allow-query        { mynet; };
    recursion yes;

    forward only;
    forwarders {
        8.8.8.8;
    };

    dnssec-enable yes;
    dnssec-validation yes;
    dnssec-lookaside auto;

    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.iscdlv.key";

    managed-keys-directory "/var/named/dynamic";
};

logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};

zone "." IN {
    type hint;
    file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

#############################################
#    home.lan
#############################################

zone "home.lan" IN {
    type master;
    file "/var/named/home.lan/db.home";
    allow-query {
        mynet;
    };
};


# mkdir /var/named/home.lan

# touch /var/named/home.lan/db.home

# chown -R named.named /var/named/home.lan


# vi /var/named/home.lan/db.home

$ORIGIN home.lan.
$TTL 86400
@    IN    SOA    proxy.home.lan.    proxy.home.lan. (
    2014032801 ; Serial
    28800      ; Refresh
    7200       ; Retry
    604800     ; Expire
    86400      ; Negative Cache TTL
)
@        IN    NS    proxy.home.lan.
proxy    IN    A     192.168.201.250

# vi /etc/resolv.conf

search localdomain home.lan

nameserver 127.0.0.1 


Step 5. Configure squid

The x.x.x.x parts must be filled in with the proxy server's own IP address. If they are left out, an error like the one below occurs.

Bungled /etc/squid/squid.conf line 70: generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

# vim /etc/squid/squid.conf

#
# Recommended minimum configuration:
#

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
acl localnet src 127.0.0.1

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

sslproxy_cert_error allow all
#disable this in production, it is dangerous but useful for testing
#sslproxy_flags DONT_VERIFY_PEER

#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost

# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128
http_port 3128

# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/cache/squid 100 16 256

# Leave coredumps in the first cache dir
coredump_dir /var/cache/squid

# x.x.x.x = this proxy server's own IP (see the note above).
# cert= must point at the CA file created in Step 2 (proxyCA.pem);
# the guide this was copied from named it myCA.pem.
http_port x.x.x.x:3129 ssl-bump \
  cert=/etc/squid/ssl_cert/proxyCA.pem \
  generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

#this is what generates certs on the fly. Point to the CA you generated above.
https_port x.x.x.x:3130 ssl-bump intercept \
  cert=/etc/squid/ssl_cert/proxyCA.pem \
  generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

acl step1 at_step SslBump1

ssl_bump peek step1
ssl_bump stare all
ssl_bump bump all
always_direct allow all

#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp:             1440    20%     10080
refresh_pattern ^gopher:          1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0       0%      0
refresh_pattern .                 0       20%     4320
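As an added example (not part of the original post), the following Python script walks Squid's first-match http_access evaluation over a constructed excerpt of the rules above, and flags the sslproxy_cert_error allow all line that the config's own comment warns about; parse_conf, acl_matches and decide are names chosen here, not Squid's.

```python
import ipaddress

# Constructed excerpt of the access rules from the squid.conf above, not the whole file.
SQUID_CONF = """
acl localnet src 192.168.0.0/16  # RFC1918 possible internal network
acl SSL_ports port 443
acl Safe_ports port 443
acl Safe_ports port 1025-65535
acl CONNECT method CONNECT
sslproxy_cert_error allow all
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access deny all
"""

def parse_conf(text):
    # Collect acl definitions, http_access rules (order matters) and risky directives.
    acls, rules, risky = {}, [], []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()  # drop trailing comments
        if parts[:1] == ["acl"]:
            acls.setdefault(parts[1], []).extend((parts[2], v) for v in parts[3:])
        elif parts[:1] == ["http_access"]:
            rules.append((parts[1], parts[2:]))
        elif parts[:3] == ["sslproxy_cert_error", "allow", "all"]:
            risky.append("sslproxy_cert_error allow all: upstream TLS errors are hidden from clients")
    return acls, rules, risky

def acl_matches(acls, name, req):
    # req = {"src": "ip", "port": int, "method": "CONNECT"}; "all" is Squid's built-in catch-all ACL
    if name == "all":
        return True
    for kind, value in acls.get(name, []):
        if kind == "src" and ipaddress.ip_address(req["src"]) in ipaddress.ip_network(value, strict=False):
            return True
        if kind == "port":
            lo, _, hi = value.partition("-")
            if int(lo) <= req["port"] <= int(hi or lo):
                return True
        if kind == "method" and req["method"] == value:
            return True
    return False

def decide(acls, rules, req):
    # First http_access line whose terms all match wins ("!" negates a term);
    # if nothing matches, Squid applies the opposite of the last rule's action.
    for action, terms in rules:
        if all(acl_matches(acls, t.lstrip("!"), req) != t.startswith("!") for t in terms):
            return action
    return "deny" if rules and rules[-1][0] == "allow" else "allow"
```

Run decide() on a CONNECT to port 8443 from the test network and it is refused by the CONNECT !SSL_ports line before allow localnet is ever reached, which is the ordering the comments in the config describe.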


Step 6. Register the certificate on the client side







The documentation says to register it under "Root Trusted Certificates", but even after I registered it there manually it showed up somewhere else..

[Link: http://roberts.bplaced.net/.../centos-6-guides/proxy-server/squid-transparent-proxy-http-https]


Step 7. Client-side proxy settings

Since HTTP and HTTPS were configured separately, their ports must be set differently as well.

  


Step 8. Verification

You can see that Naver's certificate has been swapped out for the root certificate we issued ourselves.


--------------




+

2019.02.12

[Link: https://www.tekyhost.com/squid-proxy-squid-caching-and-filtering-proxy/]

Posted by 구차니
