Author  Topic: [config] setup squid 3 transparent for SSL/HTTPS on CentOS 6  (Read 2593 times)


netman
Administrator, http://www.study-area.org
ref:
http://roberts.bplaced.net/index.php/linux-guides/centos-6-guides/proxy-server/squid-transparent-proxy-http-https
(but that guide is for x86 32-bit only; some changes are needed for x86_64)

steps:

# third-party build of squid 3.3 (not from the CentOS base repos); verify the package before installing it
wget http://www1.ngtech.co.il/rpm/centos/6/x86_64/squid-3.3.8-1.el6.x86_64.rpm
yum install ksh
rpm -ivh squid-3.3.8-1.el6.x86_64.rpm
# create the on-disk cache for generated host certificates and hand it to the squid user
/usr/lib64/squid/ssl_crtd -c -s /var/lib/ssl_db
chown -R squid:squid /var/lib/ssl_db
vi /etc/squid/squid.conf
Code:
...
# Squid normally listens to port 3128
#http_port 3128
# explicit (non-transparent) proxy port for clients that are configured by hand
http_port 3130

# intercept ports: the iptables rules below REDIRECT port 80 to 3128 and port 443 to 3129
http_port 3128 intercept
https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/myca.pem key=/etc/squid/ssl_cert/myca.pem

#always_direct allow all
# connect to the real server first, then mint a certificate mimicking its cert for the client
ssl_bump server-first all
#sslproxy_cert_error deny all
# leave DONT_VERIFY_PEER off: it makes squid accept any upstream certificate,
# so every client behind the proxy would lose server verification
#sslproxy_flags DONT_VERIFY_PEER

# helper that signs the per-host certificates with the CA above, using the db created by ssl_crtd -c
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
sslcrtd_children 8 startup=1 idle=1

...
# CA that signs the generated host certificates (SHA-256, 2048-bit key; the original used rsa:1024, which is too weak today)
mkdir /etc/squid/ssl_cert
cd /etc/squid/ssl_cert
openssl req -new -newkey rsa:2048 -sha256 -days 1365 -nodes -x509 -keyout myca.pem -out myca.pem
# myca.pem now holds the private key AND the certificate; export the certificate alone for clients
openssl x509 -in myca.pem -outform DER -out myca.der   # for Windows
openssl x509 -in myca.pem -out myca.crt                 # for Linux
# chown after the files exist so they belong to squid, and keep the key readable by squid only
chown -R squid:squid /etc/squid/ssl_cert
chmod 600 myca.pem
chkconfig squid on
service squid start
# redirect LAN (eth1, 10.1.0.0/24) web traffic to the intercept ports, except traffic to the proxy itself
iptables -t nat -A PREROUTING -s 10.1.0.0/24 ! -d 10.1.0.1/32 -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
iptables -t nat -A PREROUTING -s 10.1.0.0/24 ! -d 10.1.0.1/32 -i eth1 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3129

# client settings:
Import the CA certificate into the browser's CA store: myca.der on Windows, or a certificate-only PEM on Linux (extract it with: openssl x509 -in myca.pem -out myca.crt). Do not hand out myca.pem itself: it was created with -keyout and -out pointing at the same file, so it also contains the CA private key, and anyone holding that key can issue certificates every client on the LAN will trust.
« Last edited: 2015-06-12 19:09 by netman »
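A small check script for the setup above, added here as an example; it is not part of netman's post. It assumes the same paths and addresses as the post (myca.pem under /etc/squid/ssl_cert, LAN 10.1.0.0/24 on eth1, gateway 10.1.0.1, intercept ports 3128 and 3129); the function names and the exemption network 203.0.113.0/24 used in the comments are my own. cert_only tells a file that is safe to copy to clients (certificate only) from one that would leak the CA key, ca_key_bits reports the CA key size, nat_rules prints the redirect rules for any LAN and can exempt destinations that must not be bumped, and bump_active, run from a LAN client, confirms that the certificate it receives for a site was issued by the private CA, i.e. that the proxy really is bumping.

```shell
#!/bin/sh
# Added example (not from the original post): checks for the transparent
# ssl-bump setup above. Defaults mirror the post; adjust CA_PEM for your site.
# Source this file and call the functions, e.g.
#   . ./bumpcheck.sh; nat_rules 10.1.0.0/24 eth1 10.1.0.1 203.0.113.0/24

CA_PEM=${CA_PEM:-/etc/squid/ssl_cert/myca.pem}

# cert_only FILE
# Succeeds only if FILE is a PEM holding certificates and no private key, i.e.
# it is safe to copy to clients. myca.pem as created above contains the CA
# private key as well, so it must FAIL here; myca.crt (certificate only) passes.
# (myca.der is binary and is not covered by this text check.)
cert_only() {
    f=$1
    [ -r "$f" ] || return 1
    if grep -q 'PRIVATE KEY' "$f"; then
        return 1
    fi
    grep -q 'BEGIN CERTIFICATE' "$f"
}

# ca_key_bits PEMFILE
# Prints the RSA modulus size of the CA key (the post's rsa:1024 is too small).
ca_key_bits() {
    openssl rsa -in "$1" -noout -text 2>/dev/null |
        sed -n 's/^Private-Key: (\([0-9]*\) bit.*/\1/p'
}

# nat_rules LAN IFACE GW [NOBUMP_CIDR ...]
# Prints the iptables commands from the post for any LAN/interface/gateway.
# Each extra CIDR gets a RETURN rule ahead of the HTTPS redirect so traffic to
# it is not bumped (e.g. destinations whose clients pin their certificate and
# would break behind the proxy).
nat_rules() {
    lan=$1 iface=$2 gw=$3
    shift 3
    for cidr in "$@"; do
        echo "iptables -t nat -A PREROUTING -s $lan -d $cidr -i $iface -p tcp -m tcp --dport 443 -j RETURN"
    done
    echo "iptables -t nat -A PREROUTING -s $lan ! -d $gw/32 -i $iface -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128"
    echo "iptables -t nat -A PREROUTING -s $lan ! -d $gw/32 -i $iface -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3129"
}

# bump_active HOST [CAFILE]
# Run on a LAN client. Fetches the certificate served for HOST and succeeds
# when its issuer equals the subject of our CA, which is only the case when
# squid bumped the connection and minted the certificate itself. -servername
# sends SNI so the real server (reached by squid) picks the right certificate;
# the "subject="/"issuer=" prefixes are stripped before comparing so the check
# works across openssl output formats.
bump_active() {
    host=$1 cafile=${2:-$CA_PEM}
    ca_subject=$(openssl x509 -in "$cafile" -noout -subject) || return 1
    leaf_issuer=$(printf '' | openssl s_client -connect "$host:443" -servername "$host" 2>/dev/null |
                  openssl x509 -noout -issuer) || return 1
    [ "${ca_subject#subject=}" = "${leaf_issuer#issuer=}" ]
}
```

Run cert_only against whatever you are about to copy to the clients before distributing it, and bump_active from a client for a couple of external sites once the iptables rules are in place; if bump_active fails while browsing works, the client is reaching the server directly (rule not matching) rather than through the bump.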