wiki:TipAndDoc/network/proxy/squid

Version 7 (modified by mitty, 12 years ago)

--

no disk cache

forward proxy with SSL

  • http://wiki.squid-cache.org/Features/HTTPS#Encrypted_browser-Squid_connection

    Unfortunately, popular modern browsers do not permit configuration of TLS/SSL encrypted proxy connections.

    • Of IE 9, Firefox 17 and Chrome 23, only Chrome (23.0.1271.97) appears to support this
    • Secure Web Proxy - The Chromium Projects
    • Start Chrome with a PAC file, e.g. chrome --proxy-pac-url=D:\ssl.pac
      function FindProxyForURL(url, host) { return "HTTPS proxy.example.jp:8443"; }
      
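      • The PAC file can also be set as file://D:/ssl.pac under Internet Options > Connections > LAN settings > Automatic configuration script, but this is not recommended because it also affects IE (which does not support it, so all of its connections fail) and other clients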
  • /etc/squid3/squid.conf
    https_port 8443 cert=/etc/ssl/ssl.crt key=/etc/ssl/ssl.key options=NO_SSLv2 cipher=ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+SSLv3:+EXP
    
    • With an untrusted certificate (a self-signed one, for example), the following error is shown
      このウェブページにアクセスできません
      http://www.google.co.jp/ のウェブページは一時的に停止しているか、新しい http://www.google.co.jp/ に移動した可能性があります。
      エラー 136 (net::ERR_PROXY_CERTIFICATE_INVALID): 不明なエラーです。
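
The https_port line above sets only NO_SSLv2 and builds its cipher list from ALL, so SSLv3, RC4, export-grade and anonymous suites stay negotiable: +EXP only reorders, and !EXPORT56 and !ADH each remove only part of a class. The lint below is an added example, not part of the original page or of Squid; its function names, finding ids, rule set and the stricter sample line are assumptions of this example.

```python
# Added example: heuristic lint for the TLS settings of a Squid https_port line.
# The rules are this example's assumptions, not Squid's or OpenSSL's own checks;
# only the selector "ALL" and explicitly named classes count as "reachable".

# Weak cipher class -> the "!" tokens that remove the whole class permanently.
WEAK = {
    "export": {"EXP", "EXPORT"},  # "!EXPORT56" alone keeps 40-bit export suites
    "rc4": {"RC4"},
    "anon": {"aNULL"},            # "!ADH" alone keeps anonymous ECDH suites
}


def parse_port_line(line):
    """Return the key=value settings of an http(s)_port line as a dict."""
    fields = line.split()[2:]  # skip the directive name and the port
    return dict(f.split("=", 1) for f in fields if "=" in f)


def lint_https_port(line):
    """Return finding ids for one https_port line, in a fixed order."""
    conf = parse_port_line(line)
    # options= holds OpenSSL option names; accept "," or ":" as separator.
    opts = set(conf.get("options", "").replace(":", ",").split(","))
    findings = [p for p, opt in (("sslv2", "NO_SSLv2"), ("sslv3", "NO_SSLv3"))
                if opt not in opts]

    added, banned = set(), set()
    for tok in conf.get("cipher", "").split(":"):
        if tok.startswith("!"):
            banned.add(tok[1:])           # "!X" removes X for good
        elif tok and tok[0] not in "+-":  # "+X" only reorders, "-X" removes
            added.update(tok.split("+"))  # "RC4+RSA" selects RC4 suites
    for name, kill in WEAK.items():
        if added & (kill | {"ALL"}) and not banned & kill:
            findings.append(name)
    return findings


# The https_port line from this page, and a stricter line constructed here.
PAGE_LINE = ("https_port 8443 cert=/etc/ssl/ssl.crt key=/etc/ssl/ssl.key "
             "options=NO_SSLv2 cipher=ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+SSLv3:+EXP")
STRICT_LINE = ("https_port 8443 cert=/etc/ssl/ssl.crt key=/etc/ssl/ssl.key "
               "options=NO_SSLv2,NO_SSLv3 cipher=HIGH:!aNULL:!MD5")

if __name__ == "__main__":
    print("page line:  ", lint_https_port(PAGE_LINE))
    print("strict line:", lint_https_port(STRICT_LINE))
```

The lint does not expand cipher lists the way OpenSSL does; on the proxy host, openssl ciphers -v with the same string lists the suites that the local OpenSSL build actually selects.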
      

--enable-ssl

  • The squid3 package in Ubuntu 12.04 works as a proxy to https sites, but it is not built with configure --enable-ssl, so it has to be rebuilt
  • Required packages
    • mitty@test:~$ sudo aptitude build-dep squid3
      Unable to satisfy the build-depends: Build-Depends: libcap2-dev.
      
    • mitty@test:~$ sudo aptitude install -R devscripts
    • mitty@test:~$ sudo aptitude install -R libcap2-dev
      Note: selecting "libcap-dev" instead of the
            virtual package "libcap2-dev"
      The following NEW packages will be installed:
        libcap-dev
      
      • If it is missing, debuild -us -uc fails with the following error
        dpkg-checkbuilddeps: Unmet build dependencies: libcap2-dev
        
    • mitty@test:~$ sudo aptitude install -R libssl-dev
      • If it is missing, debuild -us -uc fails with the following errors
        ../../src/ssl/gadgets.h:39:1: error: variable or field 'X509_free_cpp' declared void
        ../../src/ssl/gadgets.h:39:1: error: 'X509' was not declared in this scope
        ../../src/ssl/gadgets.h:39:1: error: 'a' was not declared in this scope
        ../../src/ssl/gadgets.h:40:21: error: 'X509' was not declared in this scope
        
      • i'm having a problem while compiling squid 3.2.0.12 (since 3.2.0.6) on ubuntu server
  • mitty@test:~$ apt-get source squid3
    Get:1 http://ftp.tsukuba.wide.ad.jp/Linux/ubuntu/ precise-updates/main squid3 3.1.19-1ubuntu3.12.04.1 (dsc) [1,912 B]
    Get:2 http://ftp.tsukuba.wide.ad.jp/Linux/ubuntu/ precise-updates/main squid3 3.1.19-1ubuntu3.12.04.1 (tar) [3,403 kB]
    Get:3 http://ftp.tsukuba.wide.ad.jp/Linux/ubuntu/ precise-updates/main squid3 3.1.19-1ubuntu3.12.04.1 (diff) [22.1 kB]
    
    squid3-3.1.19/
    squid3_3.1.19-1ubuntu3.12.04.1.debian.tar.gz
    squid3_3.1.19-1ubuntu3.12.04.1.dsc
    squid3_3.1.19.orig.tar.gz
    
  • mitty@test:~$ vim squid3-3.1.19/debian/rules
    • rules

      old new  
      3535        --enable-esi \ 
      3636        --enable-zph-qos \ 
      3737        --enable-wccpv2 \ 
       38        --enable-ssl \ 
      3839        --disable-translation \ 
      3940        --with-logdir=/var/log/squid3 \ 
      4041        --with-pidfile=/var/run/squid3.pid \ 
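      Review bot: the new --enable-ssl line (new line 38) makes the build depend on the OpenSSL headers, but only debian/rules is changed. Add libssl-dev to Build-Depends in debian/control as part of the same change, so that dpkg-checkbuilddeps reports the missing package up front, as it does for libcap2-dev, instead of the build stopping later with the 'X509' was not declared errors in src/ssl/gadgets.h shown above.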
  • mitty@test:~/squid3-3.1.19$ debuild -us -uc
    squid_3.1.19-1ubuntu3.12.04.1_amd64.deb
    squid3_3.1.19-1ubuntu3.12.04.1_amd64.deb
    squid3-common_3.1.19-1ubuntu3.12.04.1_all.deb
    squid3-dbg_3.1.19-1ubuntu3.12.04.1_amd64.deb
    squid-cgi_3.1.19-1ubuntu3.12.04.1_amd64.deb
    squidclient_3.1.19-1ubuntu3.12.04.1_amd64.deb
    squid-common_3.1.19-1ubuntu3.12.04.1_all.deb
    

install debs

  • Dependency packages
    • mitty@squid:~$ sudo aptitude install -R libcap2 libldap-2.4-2 libltdl7 libsasl2-2 ssl-cert squid-langpack
  • mitty@squid:~$ sudo dpkg -i squid3_3.1.19-1ubuntu3.12.04.1_amd64.deb squid3-common_3.1.19-1ubuntu3.12.04.1_all.deb
  • mitty@squid:~$ squid3 -v
    Squid Cache: Version 3.1.19
    configure options:  '--build=x86_64-linux-gnu' '--prefix=/usr' '--includedir=${prefix}/include' '--mandir=${prefix}/share/man' '--infodir=${prefix}/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--libexecdir=${prefix}/lib/squid3' '--srcdir=.' '--disable-maintainer-mode' '--disable-dependency-tracking' '--disable-silent-rules' '--datadir=/usr/share/squid3' '--sysconfdir=/etc/squid3' '--mandir=/usr/share/man' '--with-cppunit-basedir=/usr' '--enable-inline' '--enable-async-io=8' '--enable-storeio=ufs,aufs,diskd' '--enable-removal-policies=lru,heap' '--enable-delay-pools' '--enable-cache-digests' '--enable-underscores' '--enable-icap-client' '--enable-follow-x-forwarded-for' '--enable-auth=basic,digest,ntlm,negotiate' '--enable-basic-auth-helpers=LDAP,MSNT,NCSA,PAM,SASL,SMB,YP,DB,POP3,getpwnam,squid_radius_auth,multi-domain-NTLM' '--enable-ntlm-auth-helpers=smb_lm,' '--enable-digest-auth-helpers=ldap,password' '--enable-negotiate-auth-helpers=squid_kerb_auth' '--enable-external-acl-helpers=ip_user,ldap_group,session,unix_group,wbinfo_group' '--enable-arp-acl' '--enable-esi' '--enable-zph-qos' '--enable-wccpv2' '--enable-ssl' '--disable-translation' '--with-logdir=/var/log/squid3' '--with-pidfile=/var/run/squid3.pid' '--with-filedescriptors=65536' '--with-large-files' '--with-default-user=proxy' '--enable-linux-netfilter' 'build_alias=x86_64-linux-gnu' 'CFLAGS=-g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security' 'LDFLAGS=-Wl,-Bsymbolic-functions -fPIE -pie -Wl,-z,relro -Wl,-z,now' 'CPPFLAGS=-D_FORTIFY_SOURCE=2' 'CXXFLAGS=-g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security' --with-squid=/home/mitty/squid3-3.1.19
    
    • Original configure options
    • mitty@test:~$ squid3 -v
      Squid Cache: Version 3.1.19
      configure options:  '--build=x86_64-linux-gnu' '--prefix=/usr' '--includedir=${prefix}/include' '--mandir=${prefix}/share/man' '--infodir=${prefix}/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--libexecdir=${prefix}/lib/squid3' '--srcdir=.' '--disable-maintainer-mode' '--disable-dependency-tracking' '--disable-silent-rules' '--datadir=/usr/share/squid3' '--sysconfdir=/etc/squid3' '--mandir=/usr/share/man' '--with-cppunit-basedir=/usr' '--enable-inline' '--enable-async-io=8' '--enable-storeio=ufs,aufs,diskd' '--enable-removal-policies=lru,heap' '--enable-delay-pools' '--enable-cache-digests' '--enable-underscores' '--enable-icap-client' '--enable-follow-x-forwarded-for' '--enable-auth=basic,digest,ntlm,negotiate' '--enable-basic-auth-helpers=LDAP,MSNT,NCSA,PAM,SASL,SMB,YP,DB,POP3,getpwnam,squid_radius_auth,multi-domain-NTLM' '--enable-ntlm-auth-helpers=smb_lm,' '--enable-digest-auth-helpers=ldap,password' '--enable-negotiate-auth-helpers=squid_kerb_auth' '--enable-external-acl-helpers=ip_user,ldap_group,session,unix_group,wbinfo_group' '--enable-arp-acl' '--enable-esi' '--enable-zph-qos' '--enable-wccpv2' '--disable-translation' '--with-logdir=/var/log/squid3' '--with-pidfile=/var/run/squid3.pid' '--with-filedescriptors=65536' '--with-large-files' '--with-default-user=proxy' '--enable-linux-netfilter' 'build_alias=x86_64-linux-gnu' 'CFLAGS=-g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security' 'LDFLAGS=-Wl,-Bsymbolic-functions -fPIE -pie -Wl,-z,relro -Wl,-z,now' 'CPPFLAGS=-D_FORTIFY_SOURCE=2' 'CXXFLAGS=-g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security' --with-squid=/build/buildd/squid3-3.1.19
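
The two squid3 -v outputs above are long enough that the one-option difference is hard to see by eye. The following check is an added example, not part of the original page: it extracts the quoted configure options from both outputs, reports what the rebuild added or removed, and confirms that the hardening flags of the packaged build survived. The function names and the shortened sample inputs are assumptions of this example.

```python
import re

# Added example: compare the configure options of two "squid3 -v" outputs.
# Hardening flags seen in the packaged build's output on this page.
HARDENING = ["-fPIE", "-fstack-protector", "-D_FORTIFY_SOURCE=2",
             "-Wl,-z,relro", "-Wl,-z,now"]


def configure_options(version_output):
    """Return the quoted configure options from `squid3 -v` output."""
    for line in version_output.splitlines():
        if line.strip().startswith("configure options:"):
            # The trailing --with-squid=<build dir> is unquoted and is skipped.
            return re.findall(r"'([^']*)'", line)
    raise ValueError("no 'configure options:' line found")


def compare_builds(packaged, rebuilt):
    """Report options added/removed by the rebuild and hardening flags lost."""
    old, new = configure_options(packaged), configure_options(rebuilt)
    has = lambda flag, opts: any(flag in o for o in opts)
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "hardening_lost": [f for f in HARDENING
                           if has(f, old) and not has(f, new)],
    }


# Constructed sample input: both outputs shortened to a few of the options
# shown above; paste the full `squid3 -v` output of each host in practice.
COMMON = ("'--enable-wccpv2' {extra}'--disable-translation' "
          "'CFLAGS=-g -O2 -fPIE -fstack-protector' "
          "'LDFLAGS=-Wl,-Bsymbolic-functions -fPIE -pie -Wl,-z,relro -Wl,-z,now' "
          "'CPPFLAGS=-D_FORTIFY_SOURCE=2' --with-squid={path}")
PACKAGED = "Squid Cache: Version 3.1.19\nconfigure options:  " + COMMON.format(
    extra="", path="/build/buildd/squid3-3.1.19")
REBUILT = "Squid Cache: Version 3.1.19\nconfigure options:  " + COMMON.format(
    extra="'--enable-ssl' ", path="/home/mitty/squid3-3.1.19")

if __name__ == "__main__":
    print(compare_builds(PACKAGED, REBUILT))
```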