#
# Recommended minimum Configuration:
#
# Example rule allowing access to your local networks.
# ADAPT to list your (internal) IP networks from where browsing
# should be allowed
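# Source networks treated as "inside" clients. Only 192.168.0.0/24 on wlan0 is
# redirected to the proxy by the NAT rules on this page; remove any range that
# does not exist on your network so "http_access allow localnet" is no wider
# than it has to be.
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/24 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
# ACL names are referenced verbatim by the http_access rules below, so the
# spelling here (SSL_ports, Safe_ports, CONNECT) must match those rules exactly.
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
#
# Recommended minimum Access Permission configuration:
#
# http_access rules are evaluated top to bottom and the first match decides,
# so the deny rules must stay above the allow rules.
# NOTE(review): localhost, manager and to_localhost are not defined on this
# page; Squid 3.2 and later predefine them.
#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
# NOTE(review): left commented out as the author had it. On a box that also
# runs other local services, enabling it stops clients from reaching those
# services through the proxy.
#http_access deny to_localhost
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost
# And finally deny all other access to this proxy
http_access deny all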
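# Squid normally listens to port 3128 (explicit forward-proxy port).
http_port 3128
# Interception listener for plain HTTP. It is fed by the NAT REDIRECT rule for
# port 80 on this page; the mangle rules on this page drop packets addressed
# directly to 3129 and 3130.
http_port 3129 intercept
# Interception listener for TLS. With generate-host-certificates=on, Squid
# signs a certificate per destination host using cert=/key=, so server.crt has
# to be a signing (CA) certificate that the clients trust, and server.key is
# that CA's private key. Keep the key file readable only by the account Squid
# runs as: anyone holding it can issue certificates those clients will accept.
https_port 3130 intercept cert=/usr/local/squid/etc/cert/server.crt key=/usr/local/squid/etc/cert/server.key version=1 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
#https_port 3130 transparent cert=/usr/local/squid/etc/cert/selfca.der key=/usr/local/squid/etc/cert/selfca.pem
# NOTE(review): no NAT rule on this page redirects FTP traffic to 3131, and
# the mangle DROP rules cover only 3129 and 3130.
ftp_port 3131 intercept
# Decrypts every intercepted TLS connection. Clients that pin certificates
# will fail; destinations that must not be decrypted need an exclusion rule
# placed ahead of this line.
# NOTE(review): server-first is the Squid 3.3/3.4 bumping mode; 3.5 and later
# replace it with peek/splice/bump steps - confirm against the installed version.
ssl_bump server-first all
# Certificate generation helper: -s is the on-disk certificate database,
# -M its maximum size. The database directory must be initialised and owned by
# the Squid account before the first start.
sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s /var/lib/ssl_db -M 4MB
sslcrtd_children 8 startup=1 idle=1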
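# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /usr/local/squid/var/cache/squid 100 16 256
# Leave coredumps in the first cache dir
# NOTE(review): with SSL bumping enabled a core dump can contain decrypted
# traffic and key material; keep this directory readable only by the Squid
# account.
coredump_dir /usr/local/squid/var/cache/squid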
#
# Add any of your own refresh_pattern entries above these.
#
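# Format: refresh_pattern [-i] regex min-minutes percent max-minutes.
# Patterns are tried in order and the first match applies, so the catch-all
# "." entry must stay last.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
# Never treat dynamic content (cgi-bin paths, URLs with a query string) as
# fresh. The page text showed "\." here; the stock Squid default is "\?", and
# "\." would match almost every URL.
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
# Host name Squid reports about itself (for example in error pages);
# test.com is the author's sample value.
visible_hostname test.com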
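[root@dev etc]# iptables-save
# Generated by iptables-save v1.4.7 on Fri Oct 28 14:58:10 2016
# NOTE(review): INPUT policy is ACCEPT with no rules, so every local listener
# (including Squid's http_port 3128 and ftp_port 3131) is reachable on all
# interfaces; only Squid's own http_access rules limit who can use it.
# NOTE(review): FORWARD policy is DROP and only DNS over UDP is forwarded, so
# client web traffic has to go through the proxy. The "--sport 53" rule
# accepts any forwarded UDP packet whose source port is 53; a stateful
# "-m state --state ESTABLISHED,RELATED" rule would admit replies only.
*filter
:INPUT ACCEPT [11287:1837455]
:FORWARD DROP [627:37845]
:OUTPUT ACCEPT [12229:3244822]
-A FORWARD -p udp -m udp --dport 53 -j ACCEPT
-A FORWARD -p udp -m udp --sport 53 -j ACCEPT
COMMIT
# Completed on Fri Oct 28 14:58:10 2016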
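# Generated by iptables-save v1.4.7 on Fri Oct 28 14:58:10 2016
# Redirects web traffic arriving on wlan0 from 192.168.0.0/24 to Squid's
# intercept listeners (80 -> 3129, 443 -> 3130) and masquerades everything
# leaving through eth0. The -s and -i matches keep the redirect limited to the
# intended client network.
*nat
:PREROUTING ACCEPT [832:59702]
:POSTROUTING ACCEPT [3:144]
:OUTPUT ACCEPT [2469:119333]
-A PREROUTING -s 192.168.0.0/24 -i wlan0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3129
-A PREROUTING -s 192.168.0.0/24 -i wlan0 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3130
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Fri Oct 28 14:58:10 2016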
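# Generated by iptables-save v1.4.7 on Fri Oct 28 14:58:10 2016
# mangle PREROUTING is traversed before nat PREROUTING, so these two rules
# drop packets addressed directly to the intercept ports, while redirected
# traffic (still addressed to 80/443 at this point) passes through.
# NOTE(review): there is no matching rule for the ftp_port 3131 intercept
# listener in the Squid configuration on this page.
*mangle
:PREROUTING ACCEPT [95433:29957319]
:INPUT ACCEPT [88691:28329249]
:FORWARD ACCEPT [6644:1618880]
:OUTPUT ACCEPT [81571:24890703]
:POSTROUTING ACCEPT [86820:26418963]
-A PREROUTING -p tcp -m tcp --dport 3129 -j DROP
-A PREROUTING -p tcp -m tcp --dport 3130 -j DROP
COMMIT
# Completed on Fri Oct 28 14:58:10 2016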
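# Enables IPv4 forwarding for the running kernel only; add
# "net.ipv4.ip_forward = 1" to /etc/sysctl.conf to keep it across reboots.
[root@dev etc]# sysctl -w net.ipv4.ip_forward=1
net.ipv4.ip_forward = 1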
Reference Links:
http://wiki.squid-cache.org/Features/HTTPS
https://www.tectut.com/2015/08/configure-squid-as-http-and-https-transparent-proxy/