宜蘭縣教育支援平台 會員登入 會員註冊 我的i教書

« 上一篇 | 下一篇 »

參考網站:
SQUID Transparent Proxy (HTTP+HTTPs)
設定SQUID 成為 HTTP/HTTPS 代理伺服器及啟動 ICAP client功能
Jedi Linuxer: 利用 Squid 代理伺服器(Proxy)分析 HTTPS 連線內容
Configure Squid as HTTP and HTTPS Transparent Proxy
Configure squid-3.3 in transparent mode on CentOS 7 with SSL bum - Notes Wiki

CentOS 7.x x64
NAT Client:192.168.1.0/24
NAT Server:192.168.1.254
1. 安裝 perl-Crypt-OpenSSL-X509 套件
# yum install perl-Crypt-OpenSSL-X509 --enablerepo=epel

2. 初始化 Squid SSL DB
# /usr/lib64/squid/ssl_crtd -c -s /var/lib/ssl_db
Initialization SSL db...
Done


3. 改變擁有者及群組
# chown -R squid.squid /var/lib/ssl_db

4. 如果有開啟 SELinux
# chcon -R -u system_u -t squid_conf_t /var/lib/ssl_db

5. 修改 /etc/squid/squid.conf
    僅列出特別修改的地方
# vim /etc/squid/squid.conf
http_port 3130
http_port 3128 intercept
http_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/myca.pem key=/etc/squid/ssl_cert/myca.pem

#always_direct allow all
ssl_bump server-first all
#sslproxy_cert_error deny all
#sslproxy_flags DONT_VERIFY_PEER

sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
sslcrtd_children 8 startup=1 idle=1

coredump_dir /var/spool/squid
shutdown_lifetime 1 second

6. 使用 OpenSSL 來建立 Squid 憑證
# cp /etc/pki/tls/openssl.cnf /etc/pki/tls/openssl.cnf.$(date +%F)
# vim /etc/pki/tls/openssl.cnf
default_days    = 1365                  # how long to certify for

[ req_distinguished_name ]
countryName                     = Country Name (2 letter code)
countryName_default             = TW
countryName_min                 = 2
countryName_max                 = 2

stateOrProvinceName             = State or Province Name (full name)
stateOrProvinceName_default     = Yilan

localityName                    = Locality Name (eg, city)
localityName_default            = TouCheng

0.organizationName              = Organization Name (eg, company)
0.organizationName_default      = Elementary School

# we can do this but it is not needed normally :-)
#1.organizationName             = Second Organization Name (eg, company)
#1.organizationName_default     = World Wide Web Pty Ltd

organizationalUnitName          = Organizational Unit Name (eg, section)
organizationalUnitName_default  = Proxy Server

commonName                      = Common Name (eg, your name or your server\'s hostname)
commonName_default              = proxy.test.ilc.edu.tw
commonName_max                  = 64

emailAddress                    = test@gmail.com
emailAddress_max                = 64

7. 建立目錄
# mkdir /etc/squid/ssl_cert

8. 改變目錄擁有者及群組
# chown -R squid.squid /etc/squid/ssl_cert

9. 切換目錄
# cd /etc/squid/ssl_cert

10. 建立 Server Key,按 Enter 鍵即可
# openssl req -new -newkey rsa:1024 -days 1365 -nodes -x509 -keyout myca.pem -out myca.pem
Generating a 1024 bit RSA private key
...............................................++++++
.........++++++
writing new private key to 'myca.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [TW]:
State or Province Name (full name) [Yilan]:
Locality Name (eg, city) [TouCheng]:
Organization Name (eg, company) [Elementary School]:
Organizational Unit Name (eg, section) [Proxy Server]:
Common Name (eg, your name or your server's hostname) [proxy.test.ilc.edu.tw]:
test@gmail.com []:

11. 建立 Windows Client Key
# openssl x509 -in myca.pem -outform DER -out myca.der

12. 修改防火牆設定
# iptables -t nat -A PREROUTING -p tcp -s 192.168.1.0/24 --dport 80 -j DNAT --to 192.168.1.254:3128
# iptables -t nat -A PREROUTING -p tcp -s 192.168.1.0/24 --dport 443 -j DNAT --to 192.168.1.254:3129




 
 
 
用LINE傳送

  1. Re: Squid Proxy Server SSL

    剛巧在找這個題目,發現這篇比較簡單:http://www.sbarjatiya.com/notes_wiki/index.php/Configure_squid-3.3_in_transparent_mode_on_CentOS_7_with_SSL_bump

    [回覆] netman 迴響於 22 八月, 2017 00:34

      Re: Squid Proxy Server SSL

      您好:
      感謝您提供的補充資訊。

      [回覆] 《未設定暱稱》 迴響於 22 八月, 2017 08:13

發表迴響

 暱稱 (必填)

 悄悄話

 標題

 個人網頁

 電子郵件

authimage 
 認證碼 (必填)