구차니의 잡동사니 모음

refresh_pattern ^ftp:           1440    20%     10080

refresh_pattern ^gopher:        1440    0%      1440

refresh_pattern -i (/cgi-bin/|\?) 0     0%      0

refresh_pattern .               0       20%     4320 

usage: refresh_pattern [-i] regex min percent max [options]

By default, regular expressions are CASE-SENSITIVE.  To make

them case-insensitive, use the -i option.

'Min' is the time (in minutes) an object without an explicit

expiry time should be considered fresh. The recommended

value is 0, any higher values may cause dynamic applications

to be erroneously cached unless the application designer

has taken the appropriate actions.

'Percent' is a percentage of the objects age (time since last

modification age) an object without explicit expiry time

will be considered fresh.

'Max' is an upper limit on how long objects without an explicit

expiry time will be considered fresh. The value is also used

to form Cache-Control: max-age header for a request sent from

Squid to origin/parent.

options: override-expire

override-lastmod

reload-into-ims

ignore-reload

ignore-no-store

ignore-private

max-stale=NN

refresh-ims

store-stale

#refresh_pattern .              0       20%     4320

refresh_pattern .               60      20%     4320 

# Only allow cachemgr access from localhost

http_access allow localhost manager

#http_access deny manager 

http://localhost.localdomain:3128/squid-internal-mgr/info 

# yum install bind squid openssl 

# mkdir /etc/squid/ssl_cert

# chown -R squid.squid /etc/squid/ssl_cert

# cd /etc/squid/ssl_cert

# openssl req -new -newkey rsa:2048 -sha256 -days 365 -nodes -x509 -extensions v3_ca -keyout proxyCA.pem  -out proxyCA.pem

# openssl x509 -in proxyCA.pem -outform DER -out proxyCA.der  

# /usr/lib64/squid/ssl_crtd -c -s /var/lib/ssl_db

# chown -R squid.squid /var/lib/ssl_db

# vim /etc/named.conf

//

// named.conf

//

// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS

// server as a caching only nameserver (as a localhost DNS resolver only).

//

// See /usr/share/doc/bind*/sample/ for example named configuration files.

//

acl mynet {

    192.168.201.0/24; # test network

    127.0.0.1; # localhost

    };

options {

    listen-on { 

        mynet;

        };

    listen-on-v6 port 53 { ::1; };

    directory     "/var/named";

    dump-file     "/var/named/data/cache_dump.db";

        statistics-file "/var/named/data/named_stats.txt";

        memstatistics-file "/var/named/data/named_mem_stats.txt";

    allow-query     { mynet; };

    recursion yes;

    forward only;

    forwarders {

        8.8.8.8;

        };

    dnssec-enable yes;

    dnssec-validation yes;

    dnssec-lookaside auto;

    /* Path to ISC DLV key */

    bindkeys-file "/etc/named.iscdlv.key";

    managed-keys-directory "/var/named/dynamic";

};

logging {

        channel default_debug {

                file "data/named.run";

                severity dynamic;

        };

};

zone "." IN {

    type hint;

    file "named.ca";

};

include "/etc/named.rfc1912.zones";

include "/etc/named.root.key";

#############################################

#    home.lan

#############################################

zone "home.lan" IN {

    type master;

    file "/var/named/home.lan/db.home";

    allow-query {

    mynet;

    };

    };

# mkdir /var/named/home.lan

# touch /var/named/home.lan/db.home

# chown -R named.named /var/named/home.lan

# vi /var/named/home.lan/db.home

$ORIGIN home.lan.

$TTL 86400

@    IN    SOA    proxy.home.lan.    proxy.home.lan. (

    2014032801 ; Serial

    28800 ; Refresh

    7200 ; Retry

    604800 ; Expire

    86400 ; Negative Cache TTL

    )

@    IN    NS    proxy.home.lan.

proxy    IN    A    192.168.201.250

# vi /etc/resolv.conf

search localdomain home.lan

nameserver 127.0.0.1 

# vim /etc/squid/squid.conf

#

# Recommended minimum configuration:

#

# Example rule allowing access from your local networks.

# Adapt to list your (internal) IP networks from where browsing

# should be allowed

acl localnet src 10.0.0.0/8 # RFC1918 possible internal network

acl localnet src 172.16.0.0/12  # RFC1918 possible internal network

acl localnet src 192.168.0.0/16 # RFC1918 possible internal network

acl localnet src fc00::/7       # RFC 4193 local private network range

acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines

acl localnet src 127.0.0.1

acl SSL_ports port 443

acl Safe_ports port 80      # http

acl Safe_ports port 21      # ftp

acl Safe_ports port 443     # https

acl Safe_ports port 70      # gopher

acl Safe_ports port 210     # wais

acl Safe_ports port 1025-65535  # unregistered ports

acl Safe_ports port 280     # http-mgmt

acl Safe_ports port 488     # gss-http

acl Safe_ports port 591     # filemaker

acl Safe_ports port 777     # multiling http

acl CONNECT method CONNECT

sslproxy_cert_error allow all

#disable this in production, it is dangerous but useful for testing

#sslproxy_flags DONT_VERIFY_PEER

#

# Recommended minimum Access Permission configuration:

#

# Deny requests to certain unsafe ports

http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports

http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost

http_access allow localhost manager

http_access deny manager

# We strongly recommend the following be uncommented to protect innocent

# web applications running on the proxy server who think the only

# one who can access services on "localhost" is a local user

#http_access deny to_localhost

#

# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS

#

# Example rule allowing access from your local networks.

# Adapt localnet in the ACL section to list your (internal) IP networks

# from where browsing should be allowed

http_access allow localnet

http_access allow localhost

# And finally deny all other access to this proxy

http_access deny all

# Squid normally listens to port 3128

http_port 3128

# Uncomment and adjust the following to add a disk cache directory.

#cache_dir ufs /var/cache/squid 100 16 256

# Leave coredumps in the first cache dir

coredump_dir /var/cache/squid

http_port x.x.x.x:3129 ssl-bump  \

  cert=/etc/squid/ssl_cert/myCA.pem \

  generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

#this is what generates certs on the fly. Point to the CA you generated above.

https_port x.x.x.x:3130 ssl-bump intercept \

  cert=/etc/squid/ssl_cert/myCA.pem \

  generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

acl step1 at_step SslBump1

ssl_bump peek step1

ssl_bump stare all

ssl_bump bump all

always_direct allow all

#

# Add any of your own refresh_pattern entries above these.

#

refresh_pattern ^ftp:       1440    20% 10080

refresh_pattern ^gopher:    1440    0%  1440

refresh_pattern -i (/cgi-bin/|\?) 0 0%  0

refresh_pattern .       0   20% 4320 

문서 상으로는 "Root Trusted Certificates" 에 등록하라는데 막상 수동으로 등록해 주어도 다른데서 나오네..

[링크 : http://roberts.bplaced.net/.../centos-6-guides/proxy-server/squid-transparent-proxy-http-https]

HTTP와 HTTPS를 다르게 설정했으니 포트도 서로 다르게 설정해야 한다.

$ ll /usr/lib64/squid

합계 872

-rwxr-xr-x 1 root root  5399  1월 30 02:50 basic_db_auth

-rwxr-xr-x 1 root root 11440  1월 30 02:51 basic_getpwnam_auth

-rwxr-xr-x 1 root root 23856  1월 30 02:51 basic_ldap_auth

-rwxr-xr-x 1 root root  5502  1월 30 02:50 basic_msnt_multi_domain_auth

-rwxr-xr-x 1 root root 24112  1월 30 02:51 basic_ncsa_auth

-rwxr-xr-x 1 root root 15568  1월 30 02:51 basic_nis_auth

-rwxr-xr-x 1 root root 19752  1월 30 02:51 basic_pam_auth

-rwxr-xr-x 1 root root  2975  1월 30 02:50 basic_pop3_auth

-rwxr-xr-x 1 root root 20136  1월 30 02:51 basic_radius_auth

-rwxr-xr-x 1 root root 15544  1월 30 02:51 basic_sasl_auth

-rwxr-xr-x 1 root root 15624  1월 30 02:51 basic_smb_auth

-rwxr-xr-x 1 root root  2657  1월 30 02:50 basic_smb_auth.sh

-rwxr-xr-x 1 root root 41584  1월 30 02:51 basic_smb_lm_auth

-rwxr-xr-x 1 root root 71424  1월 30 02:51 cachemgr.cgi

-rwxr-xr-x 1 root root  2515  1월 30 02:50 cert_tool

-rwxr-xr-x 1 root root 32272  1월 30 02:51 digest_edirectory_auth

-rwxr-xr-x 1 root root 24184  1월 30 02:51 digest_file_auth

-rwxr-xr-x 1 root root 28096  1월 30 02:51 digest_ldap_auth

-rwxr-xr-x 1 root root 20088  1월 30 02:51 diskd

-rwxr-xr-x 1 root root 15664  1월 30 02:51 ext_file_userip_acl

-rwxr-xr-x 1 root root 81984  1월 30 02:51 ext_kerberos_ldap_group_acl

-rwxr-xr-x 1 root root 23848  1월 30 02:51 ext_ldap_group_acl

-rwxr-xr-x 1 root root 11392  1월 30 02:51 ext_session_acl

-rwxr-xr-x 1 root root 15624  1월 30 02:51 ext_time_quota_acl

-rwxr-xr-x 1 root root 15608  1월 30 02:51 ext_unix_group_acl

-rwxr-xr-x 1 root root  5063  1월 30 02:50 ext_wbinfo_group_acl

-rwxr-xr-x 1 root root  5393  1월 30 02:50 helper-mux.pl

-rwxr-xr-x 1 root root 12449  1월 30 02:50 log_db_daemon

-rwxr-xr-x 1 root root 11400  1월 30 02:51 log_file_daemon

-rwxr-xr-x 1 root root 44760  1월 30 02:51 negotiate_kerberos_auth

-rwxr-xr-x 1 root root 15736  1월 30 02:51 negotiate_kerberos_auth_test

-rwxr-xr-x 1 root root 19832  1월 30 02:51 ntlm_fake_auth

-rwxr-xr-x 1 root root 63176  1월 30 02:51 ntlm_smb_lm_auth

-rwxr-xr-x 1 root root 87320  1월 30 02:51 ssl_crtd

-rwxr-xr-x 1 root root  3908  1월 30 02:50 storeid_file_rewrite

-rwxr-xr-x 1 root root 11312  1월 30 02:51 unlinkd

-rwxr-xr-x 1 root root 11368  1월 30 02:51 url_fake_rewrite

-rwxr-xr-x 1 root root  2526  1월 30 02:50 url_fake_rewrite.sh 

# ./ssl_crtd -c -s /var/lib/ssl_db

Initialization SSL db...

Done

# ll /var/lib/ssl_db/

합계 4

drwxr-xr-x 2 root root 6  2월 11 15:38 certs

-rw-r--r-- 1 root root 0  2월 11 15:38 index.txt

-rw-r--r-- 1 root root 1  2월 11 15:38 size 

cache_dir ufs /var/spool/squid 100 16 256 

This line specifies the default settings for the cache_dir directive to be used in this example; it consists of the Squid storage format (ufs), the directory on the system where the cache resides (/var/spool/squid), the amount of disk space in megabytes to be used for the cache (100), and finally the number of first-level and second-level cache directories to be created (16 and 256 respectively). 

# tree /var/spool/squid

/var/spool/squid

├── 00

│   ├── 00

│   │   ├── 00000000

│   │   ├── 00000001

│   │   ├── 00000002

│   │   ├── 00000003

...

│   │   ├── 0000005D

│   │   └── 0000005E

│   ├── 01

│   ├── 02

│   ├── 03

│   ├── 04

│   ├── 05

│   ├── 06

│   ├── 07

│   ├── 08

...

   └── FF

├── 01

│   ├── 00

│   ├── 01

...

│   └── FF

└── swap.state

# file /var/spool/squid/00/00/*

/var/spool/squid/00/00/00000000: DBase 3 data file (1049344 records)

/var/spool/squid/00/00/00000001: DBase 3 data file (1049344 records)

/var/spool/squid/00/00/00000002: DBase 3 data file (1049344 records)

/var/spool/squid/00/00/00000003: DBase 3 data file (1049344 records)

/var/spool/squid/00/00/00000004: DBase 3 data file (1049344 records)

/var/spool/squid/00/00/00000005: DBase 3 data file (1049344 records)

/var/spool/squid/00/00/00000006: little endian ispell hash file (?), 8-bit, no capitalization, 26 flags and 768 string characters

... 

# cat /etc/squid/squid.conf

#

# Recommended minimum configuration:

#

# Example rule allowing access from your local networks.

# Adapt to list your (internal) IP networks from where browsing

# should be allowed

acl localnet src 192.168.0.0/16 # RFC1918 possible internal network

acl SSL_ports port 443

acl Safe_ports port 80          # http

acl Safe_ports port 21          # ftp

acl Safe_ports port 443         # https

acl Safe_ports port 70          # gopher

acl Safe_ports port 210         # wais

acl Safe_ports port 1025-65535  # unregistered ports

acl Safe_ports port 280         # http-mgmt

acl Safe_ports port 488         # gss-http

acl Safe_ports port 591         # filemaker

acl Safe_ports port 777         # multiling http

acl CONNECT method CONNECT

#

# Recommended minimum Access Permission configuration:

#

# Deny requests to certain unsafe ports

http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports

http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost

http_access allow localhost manager

http_access deny manager

# We strongly recommend the following be uncommented to protect innocent

# web applications running on the proxy server who think the only

# one who can access services on "localhost" is a local user

#http_access deny to_localhost

#

# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS

#

# Example rule allowing access from your local networks.

# Adapt localnet in the ACL section to list your (internal) IP networks

# from where browsing should be allowed

http_access allow localnet

http_access allow localhost

# And finally deny all other access to this proxy

http_access deny all

# Squid normally listens to port 3128

http_port 3128

# Uncomment and adjust the following to add a disk cache directory.

cache_dir ufs /var/spool/squid 100 16 256

# Leave coredumps in the first cache dir

coredump_dir /var/spool/squid

#

# Add any of your own refresh_pattern entries above these.

#

refresh_pattern ^ftp:           1440    20%     10080

refresh_pattern ^gopher:        1440    0%      1440

refresh_pattern -i (/cgi-bin/|\?) 0     0%      0

refresh_pattern .               0       20%     4320 

$ cat /var/log/squid/access.log | grep HIT

1549848287.564      0 10.0.0.4 TCP_INM_HIT/304 334 GET http://auction.co.kr/ - HIER_NONE/- text/html

1549848307.300      0 10.0.0.4 TCP_IMS_HIT/304 315 GET http://image.iacstatic.co.kr/allkill/item/2019/02/20190208084157581r.jpg - HIER_NONE/- image/jpeg

1549848307.301      0 10.0.0.4 TCP_IMS_HIT/304 315 GET http://image.iacstatic.co.kr/allkill/item/2019/02/20190208104540991r.jpg - HIER_NONE/- image/jpeg

1549848307.303      0 10.0.0.4 TCP_IMS_HIT/304 315 GET http://image.iacstatic.co.kr/allkill/item/2019/02/20190208120658951r.jpg - HIER_NONE/- image/jpeg

1549848308.566      0 10.0.0.4 TCP_INM_HIT/304 333 GET http://www.auction.co.kr/ - HIER_NONE/- text/html

1549848310.806      0 10.0.0.4 TCP_INM_HIT/304 333 GET http://www.auction.co.kr/ - HIER_NONE/- text/html

1549848311.449      0 10.0.0.4 TCP_IMS_HIT/304 315 GET http://image.iacstatic.co.kr/allkill/item/2019/02/20190208110027731r.jpg - HIER_NONE/- image/jpeg

1549848311.453      0 10.0.0.4 TCP_IMS_HIT/304 315 GET http://image.iacstatic.co.kr/allkill/item/2019/02/20190208105748851r.jpg - HIER_NONE/- image/jpeg

1549848311.453      0 10.0.0.4 TCP_IMS_HIT/304 315 GET http://image.iacstatic.co.kr/allkill/item/2019/02/20190208095050481r.jpg - HIER_NONE/- image/jpeg

1549848521.823      0 10.0.0.4 TCP_MEM_HIT/200 1013 GET http://ocsp.trust-provider.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBR8sWZUnKvbRO5iJhat9GV793rVlAQUrb2YejS0Jvf6xCZU7wO94CTLVBoCEENSAj%2F6qJAfE5%2Fj9OXBRE4%3D - HIER_NONE/- application/ocsp-response

1549848521.832      0 10.0.0.4 TCP_MEM_HIT/200 852 GET http://ocsp.comodoca4.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrJdiQ%2Ficg9B19asFe73bPYs%2BreAQUdXGnGUgZvJ2d6kFH35TESHeZ03kCEFslzmkHxCZVZtM5DJmpVK0%3D - HIER_NONE/- application/ocsp-response

1549848559.829      0 10.0.0.4 TCP_MEM_HIT/200 961 GET http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAi4elAbvpzaLRZNPjlRv1U%3D - HIER_NONE/- application/ocsp-response

1549848559.835      0 10.0.0.4 TCP_MEM_HIT/200 961 GET http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAiIzVJfGSRETRSlgpHeuVI%3D - HIER_NONE/- application/ocsp-response

1549848559.840      0 10.0.0.4 TCP_MEM_HIT/200 961 GET http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAtqs7A%2Bsan2xGCSaqjN%2FrM%3D - HIER_NONE/- application/ocsp-response

1549848559.846      0 10.0.0.4 TCP_MEM_HIT/200 961 GET http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D - HIER_NONE/- application/ocsp-response 

Such as when an allstaff email goes out saying "check this site out..."

• TCP_MISS/200 means that the requested document was not in the cache but it could fetch it OK from the web server. The direct at the end says that the file was fetched from the webserver.
• TCP_IMS_HIT/304 means that the client asked if the file has changed, and squid checked its date/time on the webserver and found it had not changed, so it gave a copy of the file to the client out of its local cache.