구차니의 잡동사니 모음

# Only allow cachemgr access from localhost

http_access allow localhost manager

#http_access deny manager 

http://localhost.localdomain:3128/squid-internal-mgr/info 

# yum install bind squid openssl 

# mkdir /etc/squid/ssl_cert

# chown -R squid.squid /etc/squid/ssl_cert

# cd /etc/squid/ssl_cert

# openssl req -new -newkey rsa:2048 -sha256 -days 365 -nodes -x509 -extensions v3_ca -keyout proxyCA.pem  -out proxyCA.pem

# openssl x509 -in proxyCA.pem -outform DER -out proxyCA.der  

# /usr/lib64/squid/ssl_crtd -c -s /var/lib/ssl_db

# chown -R squid.squid /var/lib/ssl_db

# vim /etc/named.conf

//

// named.conf

//

// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS

// server as a caching only nameserver (as a localhost DNS resolver only).

//

// See /usr/share/doc/bind*/sample/ for example named configuration files.

//

acl mynet {

    192.168.201.0/24; # test network

    127.0.0.1; # localhost

    };

options {

    listen-on { 

        mynet;

        };

    listen-on-v6 port 53 { ::1; };

    directory     "/var/named";

    dump-file     "/var/named/data/cache_dump.db";

        statistics-file "/var/named/data/named_stats.txt";

        memstatistics-file "/var/named/data/named_mem_stats.txt";

    allow-query     { mynet; };

    recursion yes;

    forward only;

    forwarders {

        8.8.8.8;

        };

    dnssec-enable yes;

    dnssec-validation yes;

    dnssec-lookaside auto;

    /* Path to ISC DLV key */

    bindkeys-file "/etc/named.iscdlv.key";

    managed-keys-directory "/var/named/dynamic";

};

logging {

        channel default_debug {

                file "data/named.run";

                severity dynamic;

        };

};

zone "." IN {

    type hint;

    file "named.ca";

};

include "/etc/named.rfc1912.zones";

include "/etc/named.root.key";

#############################################

#    home.lan

#############################################

zone "home.lan" IN {

    type master;

    file "/var/named/home.lan/db.home";

    allow-query {

    mynet;

    };

    };

# mkdir /var/named/home.lan

# touch /var/named/home.lan/db.home

# chown -R named.named /var/named/home.lan

# vi /var/named/home.lan/db.home

$ORIGIN home.lan.

$TTL 86400

@    IN    SOA    proxy.home.lan.    proxy.home.lan. (

    2014032801 ; Serial

    28800 ; Refresh

    7200 ; Retry

    604800 ; Expire

    86400 ; Negative Cache TTL

    )

@    IN    NS    proxy.home.lan.

proxy    IN    A    192.168.201.250

# vi /etc/resolv.conf

search localdomain home.lan

nameserver 127.0.0.1 

# vim /etc/squid/squid.conf

#

# Recommended minimum configuration:

#

# Example rule allowing access from your local networks.

# Adapt to list your (internal) IP networks from where browsing

# should be allowed

acl localnet src 10.0.0.0/8 # RFC1918 possible internal network

acl localnet src 172.16.0.0/12  # RFC1918 possible internal network

acl localnet src 192.168.0.0/16 # RFC1918 possible internal network

acl localnet src fc00::/7       # RFC 4193 local private network range

acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines

acl localnet src 127.0.0.1

acl SSL_ports port 443

acl Safe_ports port 80      # http

acl Safe_ports port 21      # ftp

acl Safe_ports port 443     # https

acl Safe_ports port 70      # gopher

acl Safe_ports port 210     # wais

acl Safe_ports port 1025-65535  # unregistered ports

acl Safe_ports port 280     # http-mgmt

acl Safe_ports port 488     # gss-http

acl Safe_ports port 591     # filemaker

acl Safe_ports port 777     # multiling http

acl CONNECT method CONNECT

sslproxy_cert_error allow all

#disable this in production, it is dangerous but useful for testing

#sslproxy_flags DONT_VERIFY_PEER

#

# Recommended minimum Access Permission configuration:

#

# Deny requests to certain unsafe ports

http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports

http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost

http_access allow localhost manager

http_access deny manager

# We strongly recommend the following be uncommented to protect innocent

# web applications running on the proxy server who think the only

# one who can access services on "localhost" is a local user

#http_access deny to_localhost

#

# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS

#

# Example rule allowing access from your local networks.

# Adapt localnet in the ACL section to list your (internal) IP networks

# from where browsing should be allowed

http_access allow localnet

http_access allow localhost

# And finally deny all other access to this proxy

http_access deny all

# Squid normally listens to port 3128

http_port 3128

# Uncomment and adjust the following to add a disk cache directory.

#cache_dir ufs /var/cache/squid 100 16 256

# Leave coredumps in the first cache dir

coredump_dir /var/cache/squid

http_port x.x.x.x:3129 ssl-bump  \

  cert=/etc/squid/ssl_cert/myCA.pem \

  generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

#this is what generates certs on the fly. Point to the CA you generated above.

https_port x.x.x.x:3130 ssl-bump intercept \

  cert=/etc/squid/ssl_cert/myCA.pem \

  generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

acl step1 at_step SslBump1

ssl_bump peek step1

ssl_bump stare all

ssl_bump bump all

always_direct allow all

#

# Add any of your own refresh_pattern entries above these.

#

refresh_pattern ^ftp:       1440    20% 10080

refresh_pattern ^gopher:    1440    0%  1440

refresh_pattern -i (/cgi-bin/|\?) 0 0%  0

refresh_pattern .       0   20% 4320 

문서 상으로는 "Root Trusted Certificates" 에 등록하라는데 막상 수동으로 등록해 주어도 다른데서 나오네..

[링크 : http://roberts.bplaced.net/.../centos-6-guides/proxy-server/squid-transparent-proxy-http-https]

HTTP와 HTTPS를 다르게 설정했으니 포트도 서로 다르게 설정해야 한다.

$ ll /usr/lib64/squid

합계 872

-rwxr-xr-x 1 root root  5399  1월 30 02:50 basic_db_auth

-rwxr-xr-x 1 root root 11440  1월 30 02:51 basic_getpwnam_auth

-rwxr-xr-x 1 root root 23856  1월 30 02:51 basic_ldap_auth

-rwxr-xr-x 1 root root  5502  1월 30 02:50 basic_msnt_multi_domain_auth

-rwxr-xr-x 1 root root 24112  1월 30 02:51 basic_ncsa_auth

-rwxr-xr-x 1 root root 15568  1월 30 02:51 basic_nis_auth

-rwxr-xr-x 1 root root 19752  1월 30 02:51 basic_pam_auth

-rwxr-xr-x 1 root root  2975  1월 30 02:50 basic_pop3_auth

-rwxr-xr-x 1 root root 20136  1월 30 02:51 basic_radius_auth

-rwxr-xr-x 1 root root 15544  1월 30 02:51 basic_sasl_auth

-rwxr-xr-x 1 root root 15624  1월 30 02:51 basic_smb_auth

-rwxr-xr-x 1 root root  2657  1월 30 02:50 basic_smb_auth.sh

-rwxr-xr-x 1 root root 41584  1월 30 02:51 basic_smb_lm_auth

-rwxr-xr-x 1 root root 71424  1월 30 02:51 cachemgr.cgi

-rwxr-xr-x 1 root root  2515  1월 30 02:50 cert_tool

-rwxr-xr-x 1 root root 32272  1월 30 02:51 digest_edirectory_auth

-rwxr-xr-x 1 root root 24184  1월 30 02:51 digest_file_auth

-rwxr-xr-x 1 root root 28096  1월 30 02:51 digest_ldap_auth

-rwxr-xr-x 1 root root 20088  1월 30 02:51 diskd

-rwxr-xr-x 1 root root 15664  1월 30 02:51 ext_file_userip_acl

-rwxr-xr-x 1 root root 81984  1월 30 02:51 ext_kerberos_ldap_group_acl

-rwxr-xr-x 1 root root 23848  1월 30 02:51 ext_ldap_group_acl

-rwxr-xr-x 1 root root 11392  1월 30 02:51 ext_session_acl

-rwxr-xr-x 1 root root 15624  1월 30 02:51 ext_time_quota_acl

-rwxr-xr-x 1 root root 15608  1월 30 02:51 ext_unix_group_acl

-rwxr-xr-x 1 root root  5063  1월 30 02:50 ext_wbinfo_group_acl

-rwxr-xr-x 1 root root  5393  1월 30 02:50 helper-mux.pl

-rwxr-xr-x 1 root root 12449  1월 30 02:50 log_db_daemon

-rwxr-xr-x 1 root root 11400  1월 30 02:51 log_file_daemon

-rwxr-xr-x 1 root root 44760  1월 30 02:51 negotiate_kerberos_auth

-rwxr-xr-x 1 root root 15736  1월 30 02:51 negotiate_kerberos_auth_test

-rwxr-xr-x 1 root root 19832  1월 30 02:51 ntlm_fake_auth

-rwxr-xr-x 1 root root 63176  1월 30 02:51 ntlm_smb_lm_auth

-rwxr-xr-x 1 root root 87320  1월 30 02:51 ssl_crtd

-rwxr-xr-x 1 root root  3908  1월 30 02:50 storeid_file_rewrite

-rwxr-xr-x 1 root root 11312  1월 30 02:51 unlinkd

-rwxr-xr-x 1 root root 11368  1월 30 02:51 url_fake_rewrite

-rwxr-xr-x 1 root root  2526  1월 30 02:50 url_fake_rewrite.sh 

# ./ssl_crtd -c -s /var/lib/ssl_db

Initialization SSL db...

Done

# ll /var/lib/ssl_db/

합계 4

drwxr-xr-x 2 root root 6  2월 11 15:38 certs

-rw-r--r-- 1 root root 0  2월 11 15:38 index.txt

-rw-r--r-- 1 root root 1  2월 11 15:38 size 

cache_dir ufs /var/spool/squid 100 16 256 

This line specifies the default settings for the cache_dir directive to be used in this example; it consists of the Squid storage format (ufs), the directory on the system where the cache resides (/var/spool/squid), the amount of disk space in megabytes to be used for the cache (100), and finally the number of first-level and second-level cache directories to be created (16 and 256 respectively). 

# tree /var/spool/squid

/var/spool/squid

├── 00

│   ├── 00

│   │   ├── 00000000

│   │   ├── 00000001

│   │   ├── 00000002

│   │   ├── 00000003

...

│   │   ├── 0000005D

│   │   └── 0000005E

│   ├── 01

│   ├── 02

│   ├── 03

│   ├── 04

│   ├── 05

│   ├── 06

│   ├── 07

│   ├── 08

...

   └── FF

├── 01

│   ├── 00

│   ├── 01

...

│   └── FF

└── swap.state

# file /var/spool/squid/00/00/*

/var/spool/squid/00/00/00000000: DBase 3 data file (1049344 records)

/var/spool/squid/00/00/00000001: DBase 3 data file (1049344 records)

/var/spool/squid/00/00/00000002: DBase 3 data file (1049344 records)

/var/spool/squid/00/00/00000003: DBase 3 data file (1049344 records)

/var/spool/squid/00/00/00000004: DBase 3 data file (1049344 records)

/var/spool/squid/00/00/00000005: DBase 3 data file (1049344 records)

/var/spool/squid/00/00/00000006: little endian ispell hash file (?), 8-bit, no capitalization, 26 flags and 768 string characters

... 

# cat /etc/squid/squid.conf

#

# Recommended minimum configuration:

#

# Example rule allowing access from your local networks.

# Adapt to list your (internal) IP networks from where browsing

# should be allowed

acl localnet src 192.168.0.0/16 # RFC1918 possible internal network

acl SSL_ports port 443

acl Safe_ports port 80          # http

acl Safe_ports port 21          # ftp

acl Safe_ports port 443         # https

acl Safe_ports port 70          # gopher

acl Safe_ports port 210         # wais

acl Safe_ports port 1025-65535  # unregistered ports

acl Safe_ports port 280         # http-mgmt

acl Safe_ports port 488         # gss-http

acl Safe_ports port 591         # filemaker

acl Safe_ports port 777         # multiling http

acl CONNECT method CONNECT

#

# Recommended minimum Access Permission configuration:

#

# Deny requests to certain unsafe ports

http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports

http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost

http_access allow localhost manager

http_access deny manager

# We strongly recommend the following be uncommented to protect innocent

# web applications running on the proxy server who think the only

# one who can access services on "localhost" is a local user

#http_access deny to_localhost

#

# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS

#

# Example rule allowing access from your local networks.

# Adapt localnet in the ACL section to list your (internal) IP networks

# from where browsing should be allowed

http_access allow localnet

http_access allow localhost

# And finally deny all other access to this proxy

http_access deny all

# Squid normally listens to port 3128

http_port 3128

# Uncomment and adjust the following to add a disk cache directory.

cache_dir ufs /var/spool/squid 100 16 256

# Leave coredumps in the first cache dir

coredump_dir /var/spool/squid

#

# Add any of your own refresh_pattern entries above these.

#

refresh_pattern ^ftp:           1440    20%     10080

refresh_pattern ^gopher:        1440    0%      1440

refresh_pattern -i (/cgi-bin/|\?) 0     0%      0

refresh_pattern .               0       20%     4320 

$ cat /var/log/squid/access.log | grep HIT

1549848287.564      0 10.0.0.4 TCP_INM_HIT/304 334 GET http://auction.co.kr/ - HIER_NONE/- text/html

1549848307.300      0 10.0.0.4 TCP_IMS_HIT/304 315 GET http://image.iacstatic.co.kr/allkill/item/2019/02/20190208084157581r.jpg - HIER_NONE/- image/jpeg

1549848307.301      0 10.0.0.4 TCP_IMS_HIT/304 315 GET http://image.iacstatic.co.kr/allkill/item/2019/02/20190208104540991r.jpg - HIER_NONE/- image/jpeg

1549848307.303      0 10.0.0.4 TCP_IMS_HIT/304 315 GET http://image.iacstatic.co.kr/allkill/item/2019/02/20190208120658951r.jpg - HIER_NONE/- image/jpeg

1549848308.566      0 10.0.0.4 TCP_INM_HIT/304 333 GET http://www.auction.co.kr/ - HIER_NONE/- text/html

1549848310.806      0 10.0.0.4 TCP_INM_HIT/304 333 GET http://www.auction.co.kr/ - HIER_NONE/- text/html

1549848311.449      0 10.0.0.4 TCP_IMS_HIT/304 315 GET http://image.iacstatic.co.kr/allkill/item/2019/02/20190208110027731r.jpg - HIER_NONE/- image/jpeg

1549848311.453      0 10.0.0.4 TCP_IMS_HIT/304 315 GET http://image.iacstatic.co.kr/allkill/item/2019/02/20190208105748851r.jpg - HIER_NONE/- image/jpeg

1549848311.453      0 10.0.0.4 TCP_IMS_HIT/304 315 GET http://image.iacstatic.co.kr/allkill/item/2019/02/20190208095050481r.jpg - HIER_NONE/- image/jpeg

1549848521.823      0 10.0.0.4 TCP_MEM_HIT/200 1013 GET http://ocsp.trust-provider.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBR8sWZUnKvbRO5iJhat9GV793rVlAQUrb2YejS0Jvf6xCZU7wO94CTLVBoCEENSAj%2F6qJAfE5%2Fj9OXBRE4%3D - HIER_NONE/- application/ocsp-response

1549848521.832      0 10.0.0.4 TCP_MEM_HIT/200 852 GET http://ocsp.comodoca4.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrJdiQ%2Ficg9B19asFe73bPYs%2BreAQUdXGnGUgZvJ2d6kFH35TESHeZ03kCEFslzmkHxCZVZtM5DJmpVK0%3D - HIER_NONE/- application/ocsp-response

1549848559.829      0 10.0.0.4 TCP_MEM_HIT/200 961 GET http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAi4elAbvpzaLRZNPjlRv1U%3D - HIER_NONE/- application/ocsp-response

1549848559.835      0 10.0.0.4 TCP_MEM_HIT/200 961 GET http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAiIzVJfGSRETRSlgpHeuVI%3D - HIER_NONE/- application/ocsp-response

1549848559.840      0 10.0.0.4 TCP_MEM_HIT/200 961 GET http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAtqs7A%2Bsan2xGCSaqjN%2FrM%3D - HIER_NONE/- application/ocsp-response

1549848559.846      0 10.0.0.4 TCP_MEM_HIT/200 961 GET http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D - HIER_NONE/- application/ocsp-response 

Such as when an allstaff email goes out saying "check this site out..."

• TCP_MISS/200 means that the requested document was not in the cache but it could fetch it OK from the web server. The direct at the end says that the file was fetched from the webserver.
• TCP_IMS_HIT/304 means that the client asked if the file has changed, and squid checked its date/time on the webserver and found it had not changed, so it gave a copy of the file to the client out of its local cache. 

# squidclient -h localhost cache_object://localhost/ mgr:utilization 

# squidclient -h localhost cache_object://localhost/counters 

HTTP/1.1 200 OK

Server: squid/3.5.20

Mime-Version: 1.0

Date: Mon, 11 Feb 2019 08:04:04 GMT

Content-Type: text/plain;charset=utf-8

Expires: Mon, 11 Feb 2019 08:04:04 GMT

Last-Modified: Mon, 11 Feb 2019 08:04:04 GMT

X-Cache: MISS from localhost.localdomain

X-Cache-Lookup: MISS from localhost.localdomain:3128

Via: 1.1 localhost.localdomain (squid/3.5.20)

Connection: close

sample_time = 1549872194.638742 (Mon, 11 Feb 2019 08:03:14 GMT)

client_http.requests = 1074

client_http.hits = 0

client_http.errors = 5

client_http.kbytes_in = 977

client_http.kbytes_out = 4855

client_http.hit_kbytes_out = 0

server.all.requests = 707

server.all.errors = 0

server.all.kbytes_in = 4728

server.all.kbytes_out = 1001

server.http.requests = 707

server.http.errors = 0

server.http.kbytes_in = 4728

server.http.kbytes_out = 1001

server.ftp.requests = 0

server.ftp.errors = 0

server.ftp.kbytes_in = 0

server.ftp.kbytes_out = 0

server.other.requests = 0

server.other.errors = 0

server.other.kbytes_in = 0

server.other.kbytes_out = 0

icp.pkts_sent = 0

icp.pkts_recv = 0

icp.queries_sent = 0

icp.replies_sent = 0

icp.queries_recv = 0

icp.replies_recv = 0

icp.query_timeouts = 0

icp.replies_queued = 0

icp.kbytes_sent = 0

icp.kbytes_recv = 0

icp.q_kbytes_sent = 0

icp.r_kbytes_sent = 0

icp.q_kbytes_recv = 0

icp.r_kbytes_recv = 0

icp.times_used = 0

cd.times_used = 0

cd.msgs_sent = 0

cd.msgs_recv = 0

cd.memory = 0

cd.local_memory = 7

cd.kbytes_sent = 0

cd.kbytes_recv = 0

unlink.requests = 843

page_faults = 0

select_loops = 25783

cpu_time = 8.574439

wall_time = 49.492095

swap.outs = 216

swap.ins = 0

swap.files_cleaned = 0

aborted_requests = 4

# squidclient -h localhost mgr:info

HTTP/1.1 200 OK

Server: squid/3.5.20

Mime-Version: 1.0

Date: Mon, 11 Feb 2019 08:02:00 GMT

Content-Type: text/plain;charset=utf-8

Expires: Mon, 11 Feb 2019 08:02:00 GMT

Last-Modified: Mon, 11 Feb 2019 08:02:00 GMT

X-Cache: MISS from localhost.localdomain

X-Cache-Lookup: MISS from localhost.localdomain:3128

Via: 1.1 localhost.localdomain (squid/3.5.20)

Connection: close

Squid Object Cache: Version 3.5.20

Build Info:

Service Name: squid

Start Time:     Mon, 11 Feb 2019 07:51:14 GMT

Current Time:   Mon, 11 Feb 2019 08:02:00 GMT

Connection information for squid:

        Number of clients accessing cache:      2

        Number of HTTP requests received:       1018

        Number of ICP messages received:        0

        Number of ICP messages sent:    0

        Number of queued ICP replies:   0

        Number of HTCP messages received:       0

        Number of HTCP messages sent:   0

        Request failure ratio:   0.00

        Average HTTP requests per minute since start:   94.5

        Average ICP messages per minute since start:    0.0

        Select loop called: 23961 times, 26.970 ms avg

Cache information for squid:

        Hits as % of all requests:      5min: 0.0%, 60min: 0.0%

        Hits as % of bytes sent:        5min: 1.9%, 60min: 2.1%

        Memory hits as % of hit requests:       5min: 0.0%, 60min: 0.0%

        Disk hits as % of hit requests: 5min: 0.0%, 60min: 0.0%

        Storage Swap size:      91804 KB

        Storage Swap capacity:  89.7% used, 10.3% free

        Storage Mem size:       3860 KB

        Storage Mem capacity:    1.5% used, 98.5% free

        Mean Object Size:       135.20 KB

        Requests given to unlinkd:      843

Median Service Times (seconds)  5 min    60 min:

        HTTP Requests (All):   0.04277  0.05633

        Cache Misses:          0.03241  0.03829

        Cache Hits:            0.00000  0.00000

        Near Hits:             0.00000  0.00000

        Not-Modified Replies:  0.00000  0.00000

        DNS Lookups:           0.11405  0.11926

        ICP Queries:           0.00000  0.00000

Resource usage for squid:

        UP Time:        646.235 seconds

        CPU Time:       8.031 seconds

        CPU Usage:      1.24%

        CPU Usage, 5 minute avg:        1.71%

        CPU Usage, 60 minute avg:       1.32%

        Maximum Resident Size: 237808 KB

        Page faults with physical i/o: 0

Memory accounted for:

        Total accounted:         7691 KB

        memPoolAlloc calls:    224798

        memPoolFree calls:     231466

File descriptor usage for squid:

        Maximum number of file descriptors:   16384

        Largest file desc currently in use:     69

        Number of file desc currently in use:   31

        Files queued for open:                   0

        Available number of file descriptors: 16353

        Reserved number of file descriptors:   100

        Store Disk files open:                   0

Internal Data Structures:

           740 StoreEntries

           273 StoreEntries with MemObjects

           264 Hot Object Cache Items

           679 on-disk objects