安裝依賴

# Build prerequisites in a single transaction: the OpenSSL runtime and
# headers, the ssl-cert helper package, and the Debian build toolchain.
apt-get install \
    openssl libssl-dev ssl-cert \
    devscripts build-essential fakeroot

抓取最新squid原始碼

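# Work in /root: the later steps (cd squid-3.5.27 after cd /root, and the
# cp from /root/squid-3.5.27/...) expect the source tree to live there.
cd /root

# Fetch over HTTPS rather than plain HTTP so the tarball cannot be swapped
# in transit.
wget https://www.squid-cache.org/Versions/v3/3.5/squid-3.5.27.tar.gz

# Print the digest and compare it with the value published by the Squid
# project before unpacking. Where a detached signature is published next to
# the tarball, also check it:
#   gpg --verify <SIGNATURE_FILE> squid-3.5.27.tar.gz
sha256sum squid-3.5.27.tar.gz

# NOTE(review): the 3.5 series is no longer maintained upstream; prefer a
# currently supported Squid release when following these steps today.
tar -zxvf squid-3.5.27.tar.gz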

下載openssl,放置的位置跟編譯條件有關,所以要注意

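# The OpenSSL tree must end up at /root/openssl-1.0.2o because build.sh
# passes that exact path to --with-openssl.
cd /root
wget https://www.openssl.org/source/openssl-1.0.2o.tar.gz

# Print the digest and compare it with the value published by the OpenSSL
# project (or verify the detached signature) before unpacking:
#   gpg --verify <SIGNATURE_FILE> openssl-1.0.2o.tar.gz
sha256sum openssl-1.0.2o.tar.gz

# NOTE(review): the OpenSSL 1.0.2 branch no longer receives public security
# fixes from upstream; prefer a supported release when following this today.
tar -zxvf openssl-1.0.2o.tar.gz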

切換至該目錄

cd squid-3.5.27

配置編譯條件

vim build.sh

填入以下腳本
該腳本要放在squid-3.5.27目錄底下

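#!/bin/bash
# Configure the Squid 3.5.27 source tree for a /usr-prefixed install with
# OpenSSL support. Run from inside the squid-3.5.27 directory.
#
# '${prefix}' is single-quoted on purpose: configure and make expand it
# themselves. Unquoted, the shell substitutes an unset variable and the
# helper and data directories become /lib/squid and /share/squid.
#
# Every continued line needs whitespace before the trailing backslash;
# without it the next option is glued onto the previous value (the pidfile
# path would swallow --with-openssl and OpenSSL support would be dropped).
#
# NOTE(review): --with-openssl points at the unpacked source tree, which this
# page never builds or installs -- check config.log to confirm which OpenSSL
# headers and libraries are actually used.
# NOTE(review): several switches below look like pre-3.5 names; review any
# "unrecognized options" warning from configure against ./configure --help.
./configure \
  --prefix=/usr \
  --localstatedir=/var \
  --libexecdir='${prefix}/lib/squid' \
  --datadir='${prefix}/share/squid' \
  --sysconfdir=/etc/squid \
  --with-default-user=proxy \
  --with-logdir=/var/log/squid \
  --with-pidfile=/var/run/squid.pid \
  --with-openssl=/root/openssl-1.0.2o \
  --enable-dlmalloc \
  --enable-gnuregex \
  --enable-carp \
  --enable-async-io \
  --enable-storeio=aufs,diskd,ufs \
  --enable-icmp \
  --enable-delay-pools \
  --enable-removal-policies=heap,lru \
  --enable-useragent-log \
  --enable-referer-log \
  --enable-snmp \
  --enable-arp-acl \
  --enable-htcp \
  --enable-ssl \
  --enable-cache-digests \
  --with-coss-membuf-size=2097152 \
  --enable-poll \
  --enable-linux-netfilter \
  --enable-x-accelerator-vary \
  --enable-stacktrace \
  --enable-truncate \
  --enable-underscores \
  --enable-auth \
  --enable-basic-auth-helpers="NCSA" \
  --enable-icap-client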

開始配置條件

sh build.sh

沒出錯的話就開始編譯

make

編譯完,安裝

make install

安裝完後,將squid-3.5.27/helpers/basic_auth/NCSA底下的basic_ncsa_auth複製到/usr/bin底下

basic_ncsa_auth是能進行驗證的工具

cp /root/squid-3.5.27/helpers/basic_auth/NCSA/basic_ncsa_auth /usr/bin

配置squid啟動服務
將以下腳本儲存為squid並放置在/etc/init.d

#! /bin/sh
#
# squid        Startup script for the SQUID HTTP proxy-cache.
#
# Version:    @(#)squid.rc  1.0  07-Jul-2006  luigi@debian.org
#
### BEGIN INIT INFO
# Provides:          squid
# Required-Start:    $network $remote_fs $syslog
# Required-Stop:     $network $remote_fs $syslog
# Should-Start:      $named
# Should-Stop:       $named
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Squid HTTP Proxy version 3.x
### END INIT INFO

# Service identity and the paths this script manages.
NAME=squid
DESC="Squid HTTP Proxy"
DAEMON=/usr/sbin/squid
PIDFILE="/var/run/${NAME}.pid"
CONFIG=/etc/squid/squid.conf
SQUID_ARGS="-YC -f ${CONFIG}"

# Optional local overrides. The file is sourced, so whatever it contains is
# executed with this script's privileges -- keep it owned by root and not
# writable by anyone else.
if [ -f /etc/default/squid ]; then
    . /etc/default/squid
fi

# LSB logging helpers (log_daemon_msg, log_end_msg, status_of_proc, ...).
. /lib/lsb/init-functions

# Fixed search path so the tools below are not resolved through an inherited PATH.
PATH=/bin:/usr/bin:/sbin:/usr/sbin

# Nothing to manage when the daemon binary is not installed.
if [ ! -x $DAEMON ]; then
    exit 0
fi

# Raise the open-file limit for this script and the processes it starts.
ulimit -n 65535

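# Print the third field after directive $1 (for "cache_dir <type> <path> ..."
# that is the path) from the first matching line of "squid -k parse" output.
# Globals:   DAEMON, CONFIG (read); w, res (written)
# Arguments: $1 - directive name, used inside a sed regex
#            $2 - fallback printed when no line matches (may be omitted)
# Outputs:   the extracted value, or the fallback, on stdout
find_cache_dir () {
    # Whitespace class for the sed bracket expressions: one space and one
    # tab. Built with printf so the tab cannot be lost to copy/paste or
    # editor tab expansion, which would stop tab-separated lines matching.
    w=$(printf ' \t')
    res=$("$DAEMON" -k parse -f "$CONFIG" 2>&1 |
        grep "Processing:" |
        sed 's/.*Processing: //' |
        sed -ne '
            s/^['"$w"']*'"$1"'['"$w"']\+[^'"$w"']\+['"$w"']\+\([^'"$w"']\+\).*$/\1/p;
            t end;
            d;
            :end q')
    # The sed script quits after the first hit, so at most one value is read.
    [ -n "$res" ] || res=$2
    echo "$res"
}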

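# Print the first value of directive $1 from the first matching line of
# "squid -k parse" output.
# Globals:   DAEMON, CONFIG (read); w, res (written)
# Arguments: $1 - directive name, used inside a sed regex
#            $2 - fallback printed when no line matches (may be omitted)
# Outputs:   the extracted value, or the fallback, on stdout
grepconf () {
    # Whitespace class for the sed bracket expressions: one space and one
    # tab. Built with printf so the tab cannot be lost to copy/paste or
    # editor tab expansion, which would stop tab-separated lines matching.
    w=$(printf ' \t')
    res=$("$DAEMON" -k parse -f "$CONFIG" 2>&1 |
        grep "Processing:" |
        sed 's/.*Processing: //' |
        sed -ne '
            s/^['"$w"']*'"$1"'['"$w"']\+\([^'"$w"']\+\).*$/\1/p;
            t end;
            d;
            :end q')
    # The sed script quits after the first hit, so at most one value is read.
    [ -n "$res" ] || res=$2
    echo "$res"
}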

# Create /var/run/squid, owned by the configured effective user and group
# (both default to "proxy"), unless the path already exists or
# dpkg-statoverride lists an override for it.
# Globals: run_dir, usr, grp (written)
create_run_dir () {
    run_dir=/var/run/squid
    usr=$(grepconf cache_effective_user proxy)
    grp=$(grepconf cache_effective_group proxy)

    # Leave the directory alone when the administrator registered an override.
    [ -z "$(dpkg-statoverride --list $run_dir)" ] || return 0
    # Never touch ownership of a path that is already there.
    [ ! -e $run_dir ] || return 0

    mkdir -p $run_dir
    chown $usr:$grp $run_dir
    # Restore the SELinux label where the tool is installed.
    [ -x /sbin/restorecon ] && restorecon $run_dir
}

# Prepare the run and cache directories, then launch squid through
# start-stop-daemon. Returns start-stop-daemon's exit status.
# Globals: DAEMON, CONFIG, PIDFILE, SQUID_ARGS, DESC (read);
#          cache_dir, cache_type, run_dir (written)
start () {
    cache_dir=$(find_cache_dir cache_dir)
    # cache_type is assigned here but not read anywhere in the visible script.
    cache_type=$(grepconf cache_dir)
    run_dir=/var/run/squid

    # The run directory is needed when several SMP workers are used.
    create_run_dir

    # Initialise the spool structure when the cache directory exists but
    # does not contain its first-level "00" directory yet.
    if [ -d "$cache_dir" ] && [ ! -d "$cache_dir/00" ]; then
        log_warning_msg "Creating $DESC cache structure"
        $DAEMON -z -f $CONFIG
        [ -x /sbin/restorecon ] && restorecon -R $cache_dir
    fi

    # Files created by the daemon: no access for "other", no group write.
    umask 027
    ulimit -n 65535
    cd $run_dir
    # The function's status is that of this last command.
    start-stop-daemon --quiet --start \
        --pidfile $PIDFILE \
        --exec $DAEMON -- $SQUID_ARGS < /dev/null
}

# Ask squid to stop and wait until the process recorded in the pid file has
# gone. Gives up with status 1 after 25 checks spaced five seconds apart;
# returns 0 otherwise.
# Globals: PIDFILE, DAEMON (read); PID, cnt (written)
stop () {
    # Read the pid before signalling; a missing pid file leaves PID empty.
    PID=$(cat $PIDFILE 2>/dev/null)
    start-stop-daemon --stop --quiet --pidfile $PIDFILE --exec $DAEMON

    # Give squid a moment, then check whether it has really stopped.
    sleep 2
    if [ -z "$PID" ] || ! kill -0 $PID 2>/dev/null; then
        return 0
    fi

    log_action_begin_msg " Waiting"
    cnt=0
    # kill -0 only probes for the process; no signal is delivered.
    while kill -0 $PID 2>/dev/null; do
        cnt=$((cnt + 1))
        if [ $cnt -gt 24 ]; then
            log_action_end_msg 1
            return 1
        fi
        sleep 5
        log_action_cont_msg ""
    done
    log_action_end_msg 0
    return 0
}

# A pid_filename set in squid.conf (anything but "none") takes precedence
# over the PIDFILE default chosen at the top of this script.
cfg_pidfile=$(grepconf pid_filename)
if [ "${cfg_pidfile:-none}" != "none" ] && [ "$cfg_pidfile" != "$PIDFILE" ]; then
    log_warning_msg "squid.conf pid_filename overrides init script"
    PIDFILE="$cfg_pidfile"
fi

# Exit with status 3 when "squid -k parse" reports a FATAL configuration
# error, so a broken squid.conf never replaces a running service.
# Globals: DAEMON, CONFIG (read); res (written)
abort_if_config_fatal () {
    res=$($DAEMON -k parse -f $CONFIG 2>&1 | grep -o "FATAL .*")
    if [ -n "$res" ]; then
        log_failure_msg "$res"
        exit 3
    fi
}

# Dispatch on the requested action.
case "$1" in
    start)
        abort_if_config_fatal
        log_daemon_msg "Starting $DESC" "$NAME"
        rc=0
        start || rc=$?
        log_end_msg $rc
        ;;
    stop)
        log_daemon_msg "Stopping $DESC" "$NAME"
        rc=0
        stop || rc=$?
        log_end_msg $rc
        ;;
    reload|force-reload)
        abort_if_config_fatal
        log_action_msg "Reloading $DESC configuration files"
        # Signal 1 (HUP) is sent to the running daemon.
        start-stop-daemon --stop --signal 1 \
            --pidfile $PIDFILE --quiet --exec $DAEMON
        log_action_end_msg 0
        ;;
    restart)
        abort_if_config_fatal
        log_daemon_msg "Restarting $DESC" "$NAME"
        # The result of stop is not checked before starting again.
        stop
        rc=0
        start || rc=$?
        log_end_msg $rc
        ;;
    status)
        if status_of_proc -p $PIDFILE $DAEMON $NAME; then
            exit 0
        else
            exit 3
        fi
        ;;
    *)
        echo "Usage: /etc/init.d/$NAME {start|stop|reload|force-reload|restart|status}"
        exit 3
        ;;
esac

# Every branch that falls through reports success, including a failed start.
exit 0

更改權限

chmod 754  /etc/init.d/squid

在啟動前要先創建 access.log、cache.log、netdb.state 這三個檔案,要不然會出錯

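# Create the three files inside /var/log/squid. With a space instead of a
# slash, touch would act on /var/log/squid itself and on a file in the
# current directory.
mkdir -p /var/log/squid
touch /var/log/squid/access.log \
      /var/log/squid/cache.log \
      /var/log/squid/netdb.state

# Squid runs as "proxy" (--with-default-user=proxy), so give that account
# ownership instead of making the logs world-writable: access.log records
# every requested URL and must not be readable or editable by other users.
chown -R proxy:proxy /var/log/squid
chmod 750 /var/log/squid
chmod 640 /var/log/squid/*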

啟動squid

/etc/init.d/squid start
/etc/init.d/squid stop
/etc/init.d/squid restart

沒意外的話會生成systemctl 相關配置,沒有的話就用上面的方式

啟動squid : systemctl start squid.service
停止squid : systemctl stop squid.service
重啟squid : systemctl restart  squid.service

開始配置squid

先將預設的設定檔備份起來

mv /etc/squid/squid.conf /etc/squid/squid.conf.bk
vim /etc/squid/squid.conf

添加以下內容後,儲存離開

# --- ACL definitions ---
acl SSL_ports port 443
# NOTE(review): Safe_ports covers every port, so "http_access deny !Safe_ports"
# below can never match. Narrow the range if the proxy should only reach
# ordinary web ports.
acl Safe_ports port 1-65535     # unregistered ports
acl CONNECT method CONNECT
acl HEAD method HEAD

# --- access rules: evaluated top to bottom, first match decides ---
http_access deny !Safe_ports
# NOTE(review): with the next rule commented out, any authenticated client can
# open CONNECT tunnels to ports other than 443. Re-enable it unless tunnelling
# to arbitrary ports is intended.
#http_access deny CONNECT !SSL_ports
#http_access allow localhost manager
http_access deny manager
#http_access allow localhost
# Basic authentication checked by basic_ncsa_auth against an htpasswd-style
# file. The password file must be created at exactly this path.
auth_param basic program /usr/bin/basic_ncsa_auth /etc/squid/passwd
# NOTE(review): auth_user is defined but no http_access rule on this page
# refers to it; ncsa_users below is the ACL that is actually used.
acl auth_user proxy_auth REQUIRED
auth_param basic children 5
auth_param basic credentialsttl 2 hours
auth_param basic realm Web proxy server
auth_param basic casesensitive off
acl ncsa_users proxy_auth REQUIRED
# Authenticated users are allowed; everything else is refused.
http_access allow ncsa_users
http_access deny all


# NOTE(review): plain-HTTP proxy port. Basic credentials sent to this port are
# only base64-encoded, so anyone on the network path can read them. Prefer the
# TLS port below for authenticated clients, or restrict this port by source
# address.
http_port 10250
# TLS-protected proxy port. The private key file should be readable only by
# root and the account squid runs as.
https_port 10251 cert=/etc/pki/ssl/certfile/wijtb.nctu.me/fullchain.cer key=/etc/pki/ssl/certfile/wijtb.nctu.me/wijtb.nctu.me.key
# NOTE(review): neither port line above carries the ssl-bump option, so these
# two rules presumably have no effect -- confirm. If bumping were enabled,
# squid would decrypt clients' TLS traffic and would need its own signing CA
# that clients trust, not the site certificate.
ssl_bump stare all  
ssl_bump bump all 
coredump_dir /var/spool/squid3

# based on http://code.google.com/p/ghebhes/downloads/detail?name=tunning.conf&can=2&q=

# refresh_pattern fields: regex, min (minutes), percent, max (minutes), options.
# NOTE(review): the six patterns below have no trailing "$", so they match the
# extension anywhere in the URL (".js" also matches ".json", or a query
# string). With min 1440 / 100% / max 129600 and reload-into-ims, clients can
# be served old copies for a long time even after a forced reload; check that
# this is acceptable for scripts and package files.
#All File
refresh_pattern -i \.(3gp|7z|ace|asx|avi|bin|cab|dat|deb|rpm|divx|dvr-ms)      1440 100% 129600 reload-into-ims
refresh_pattern -i \.(rar|jar|gz|tgz|tar|bz2|iso|m1v|m2(v|p)|mo(d|v)|(x-|)flv) 1440 100% 129600 reload-into-ims
refresh_pattern -i \.(jp(e?g|e|2)|gif|pn[pg]|bm?|tiff?|ico|swf|css|js)         1440 100% 129600 reload-into-ims
refresh_pattern -i \.(mp(e?g|a|e|1|2|3|4)|mk(a|v)|ms(i|u|p))                   1440 100% 129600 reload-into-ims
refresh_pattern -i \.(og(x|v|a|g)|rar|rm|r(a|p)m|snd|vob|wav)                  1440 100% 129600 reload-into-ims
refresh_pattern -i \.(pp(s|t)|wax|wm(a|v)|wmx|wpl|zip|cb(r|z|t))               1440 100% 129600 reload-into-ims

# Documents and HTML pages: anchored at the end of the URL, shorter maximum age.
refresh_pattern -i \.(doc|pdf)$           1440   50% 43200 reload-into-ims
refresh_pattern -i \.(html|htm)$          1440   50% 40320 reload-into-ims

# Protocol defaults; dynamic content (cgi-bin or a query string) is never
# considered fresh.
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern (Release|Packages(.gz)*)$      0       20%     2880
# Catch-all for every URL not matched above.
refresh_pattern .               0       20%     4320

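# http options
# Do not add a Via header naming this proxy to forwarded requests.
via off

# memory cache options
cache_mem 512 MB
maximum_object_size_in_memory 256 KB

# disk cache
#cache_dir diskd /var/spool/squid3 10240 16 256
#maximum_object_size 20480 KB

# timeouts
# forward_timeout 10 seconds
# connect_timeout 10 seconds
# read_timeout 10 seconds
# write_timeout 10 seconds
# client_lifetime 59 minutes
# request_timeout 30 seconds
half_closed_clients off

# privacy and DNS
# Strip X-Forwarded-For so origin servers do not learn the client address.
forwarded_for delete
dns_v4_first on
ipcache_size 4096
# Resolver addresses are separated by whitespace. A comma after the first
# address becomes part of that token, so it is not parsed as an IP address.
# These resolvers are site-specific; replace them with your own.
dns_nameservers 120.108.101.101 120.108.101.102

# error page
# Placeholder contact and host name: replace with real values.
cache_mgr admin@example.com
visible_hostname example.com
email_err_data off
err_page_stylesheet none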

生成網站證書
使用Let's Encrypt
為proxy建立帳號密碼

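# htpasswd is shipped in the apache2-utils package on Debian/Ubuntu.
# Write to the file that "auth_param basic program" in squid.conf reads
# (/etc/squid/passwd); a file anywhere else is never consulted.
# -c creates the file and overwrites an existing one: use it for the first
# user only and drop it when adding further users.
htpasswd -c /etc/squid/passwd 使用者名稱

# The file holds password hashes: readable by the squid helper (group proxy),
# not by other local users.
chown root:proxy /etc/squid/passwd
chmod 640 /etc/squid/passwd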

Last modification:April 16, 2018