Squid Transparent Proxy
Version: 3.3.8
OS: Ubuntu Server 14.04
Server IP: 192.168.1.3
(comments excluded using grep)
root@ubuntu:~# grep -v '^$\|^\s*\#' /etc/squid3/squid.conf
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl mylocalnetwork src 192.168.1.0/24
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access allow mylocalnetwork
http_access deny manager
http_access allow localhost
http_access deny all
http_port 3128 transparent
cache_mem 8 MB
maximum_object_size_in_memory 32 KB
memory_replacement_policy heap GDSF
cache_replacement_policy heap LFUDA
cache_dir aufs /opt/squid/cache 10000 14 256
maximum_object_size 128000 KB
cache_swap_low 95
cache_swap_high 99
coredump_dir /var/spool/squid3
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880
refresh_pattern -i \.(gif|png|jp?g|ico|bmp|tiff?)$ 10080 95% 43200
refresh_pattern -i \.(rpm|cab|deb|exe|msi|msu|zip|tar|xz|bz|bz2|lzma|gz|tgz|rar|bin|7z|doc?|xls?|ppt?|pdf|nth|psd|sis)$ 10080 90% 43200
refresh_pattern -i \.(avi|iso|wav|mid|mp?|mpeg|mov|3gp|wm?|swf|flv|x-flv|axd)$ 43200 95% 432000
refresh_pattern -i \.(html|htm|css|js)$ 1440 75% 40320
refresh_pattern -i \.index.(html|htm)$ 0 75% 10080
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 1440 90% 10080
quick_abort_min 0 KB
quick_abort_max 0 KB
quick_abort_pct 100
store_avg_object_size 13 KB
visible_hostname localhost
2014/07/03 22:11:57| ERROR: No forward-proxy ports configured.
2014/07/03 22:11:57| ERROR: No forward-proxy ports configured.
2014/07/03 22:11:57| ERROR: No forward-proxy ports configured.
2014/07/03 22:11:57| ERROR: No forward-proxy ports configured.
2014/07/03 22:11:57| ERROR: No forward-proxy ports configured.
2014/07/03 22:11:57| ERROR: No forward-proxy ports configured.
2014/07/03 22:11:57| ERROR: No forward-proxy ports configured.
2014/07/03 22:11:57| ERROR: No forward-proxy ports configured.
2014/07/03 22:11:57| ERROR: No forward-proxy ports configured.
2014/07/03 22:11:57| ERROR: No forward-proxy ports configured.
2014/07/03 22:11:57| ERROR: No forward-proxy ports configured.
2014/07/03 22:11:57| ERROR: No forward-proxy ports configured.
2014/07/03 22:11:57| Loaded Icons.
2014/07/03 22:11:57| HTCP Disabled.
2014/07/03 22:11:57| Pinger socket opened on FD 13
2014/07/03 22:11:57| Squid plugin modules loaded: 0
2014/07/03 22:11:57| Adaptation support is off.
2014/07/03 22:11:57| Accepting NAT intercepted HTTP Socket connections at local=0.0.0.0:3128 remote=[::] FD 11 flags=41
2014/07/03 22:11:57| Done reading /opt/squid/cache swaplog (2 entries)
2014/07/03 22:11:57| Finished rebuilding storage from disk.
2014/07/03 22:11:57| 2 Entries scanned
2014/07/03 22:11:57| 0 Invalid entries.
2014/07/03 22:11:57| 0 With invalid flags.
2014/07/03 22:11:57| 2 Objects loaded.
2014/07/03 22:11:57| 0 Objects expired.
2014/07/03 22:11:57| 0 Objects cancelled.
2014/07/03 22:11:57| 0 Duplicate URLs purged.
2014/07/03 22:11:57| 0 Swapfile clashes avoided.
2014/07/03 22:11:57| Took 0.08 seconds ( 24.94 objects/sec).
2014/07/03 22:11:57| Beginning Validation Procedure
2014/07/03 22:11:57| Completed Validation Procedure
2014/07/03 22:11:57| Validated 2 Entries
2014/07/03 22:11:57| store_swap_size = 12.00 KB
2014/07/03 22:11:57| ERROR: No forward-proxy ports configured.
2014/07/03 22:11:57| pinger: Initialising ICMP pinger ...
2014/07/03 22:11:57| pinger: ICMP socket opened.
2014/07/03 22:11:57| pinger: ICMPv6 socket opened
2014/07/03 22:11:57| Pinger exiting.
2014/07/03 22:11:58| storeLateRelease: released 0 objects
(Using a single interface "eth0" for now)
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.3:3128
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE
The problem is that I cannot access the Internet on my client machine when I use the Squid server's IP as the gateway and primary DNS, as shown below.
auto eth0
iface eth0 inet static
address 192.168.1.10
netmask 255.255.255.0
gateway 192.168.1.3
dns-nameservers 192.168.1.3

When I change dns-nameservers 192.168.1.1 on the Ubuntu client to dns-nameservers 192.168.1.1, and on the Windows client to the same IP of the router, 192.168.1.1, instead of the Squid IP (192.168.1.3), then I can access the Internet. This is probably not the way to do it, because the pages are probably served directly through the router and perhaps not from the Squid server that does the caching (although I can see logs being generated in /var/log/squid3/cache.log). I also noticed that my router's lights blink for the pages being accessed, which probably means it is sending the requests out over the Internet rather than fetching them from the Squid cache.
I haven't settled for that yet. I would be satisfied if I could still open the pages I have visited on my client machines and have them served from the cache with the Internet disconnected.
What is the client-side configuration for a Squid transparent proxy? Can someone guide me?
root@ubuntu:~# iptables -t nat -L -n -v
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:192.168.1.3:3128
    0     0 REDIRECT   tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 redir ports 3128

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE all  --  *      eth0    192.168.1.0/24       0.0.0.0/0
It worked on the previous Ubuntu version, 10.04 (lucid), with Squid Cache: Version 2.7.STABLE7. Below is the working Squid configuration file; I could access the Internet from the client machines with their gateway and DNS set to lucid's IP:
root@lucid:~# grep -v '^$\|^\s*\#' /etc/squid/squid.conf
acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl mynet src 192.168.1.0/24 # RFC1918 possible internal network
acl SSL_ports port 443 # https
acl SSL_ports port 563 # snews
acl SSL_ports port 873 # rsync
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT
acl purge method PURGE
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access allow mynet
http_access deny all
icp_access allow localnet
icp_access deny all
http_port 3128 transparent
hierarchy_stoplist cgi-bin ?
cache_mem 8 MB
maximum_object_size_in_memory 32 KB
cache_dir ufs /var/spool/squid 2000 16 256
access_log /var/log/squid/access.log squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern (Release|Package(.gz)*)$ 0 20% 2880
refresh_pattern . 0 20% 4320
acl shoutcast rep_header X-HTTP09-First-Line ^ICY.[0-9]
upgrade_http0.9 deny shoutcast
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
extension_methods REPORT MERGE MKACTIVITY CHECKOUT
hosts_file /etc/hosts
offline_mode on
coredump_dir /var/spool/squid
I don't know why it doesn't work on Ubuntu 14.04 with Squid Cache: Version 3.3.8. I must be missing some setting in the new Squid version or the new distro!
I'm not sure, but take a look at this checklist:
Edit the squid.conf file and change the following line to enable transparent proxy mode:
http_port 3128
to
http_port 3128 intercept
service squid restart
service squid reload
Add an entry to the iptables NAT table that forwards inbound traffic on port 80 from the internal interface (LAN side) to the Squid server on port 3128 (assuming eth0 is the internal interface with IP address 192.168.1.3):
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.3:3128
Now you can view your iptables, the default filter table and the nat table, with the following commands:
iptables -L -t filter
iptables -L -t nat
Now you can append the following rule to the iptables filter table so that input for Squid on port 3128 is accepted:
iptables -t filter -A INPUT -p tcp --dport 3128 -j ACCEPT
Also try this:
Even if you don't use a forward proxy, you need both an "intercept" port and a "forward-proxy" port in your configuration:
http_port 3129
http_port 3128 intercept
Note: since 2010 the "transparent" option has been deprecated in favour of the "intercept" option.
According to the Squid wiki you have the wrong setting in the http_port option: with Squid 3.1+ and DNAT it should be intercept rather than transparent.
http_port 3128 intercept
Although the output of your Squid log seems to indicate that the intercept socket was activated.
The second thing is that the Linux server needs to have TCP/IP forwarding enabled with sysctl net.ipv4.ip_forward=1
ERROR: No forward-proxy ports configured (in /var/log/squid3/cache.log)
Read the Wiki.
In my experience the transparent proxy needs the NAT port in squid.conf (both of them):
http_port 3128
http_port 8080 intercept
After adding "intercept" to the http_port option I still ran into problems in combination with the iptables redirect mode when a client is configured to use the proxy:
"ERROR: No forward-proxy ports configured." and "WARNING: Forwarding loop detected:"
After going through the statements above, I am using this as the best result for now:
a) Use a dual-port entry in squid.conf like this:
http_port 8080
http_port 3128 intercept
This presents port 8080 as the normal forward-proxy port for client configuration and gives the second port the redirected traffic.
b) Use an iptables rule like this:
iptables -A PREROUTING -t nat -i $LAN_IF -p tcp --dport 80 -j REDIRECT --to-ports 3128
This way you have a classic proxy port (8080) to configure on your clients, plus a forced port for unencrypted traffic.
Why should you do this? Well, if you don't want HTTPS traffic to bypass the proxy (which requires configuring normal clients anyway), and you want to support less intelligent devices or programs that you don't want to (or cannot) configure.
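An added check, written for this thread and not taken from any of the answers or from Squid itself: it reads the http_port lines of a squid.conf, reports the forward-plus-intercept mix the answers converge on (or the missing half that produces the cache.log error quoted above), and derives the REDIRECT rule from the intercept port it finds. The sample config, the verdict strings and the eth0 interface are assumptions.

```shell
# Added example, not code from this thread: check a squid.conf for the
# http_port mix Squid 3.x needs before port 80 is NAT-redirected to it,
# then derive the matching iptables REDIRECT rule from the config itself.
# Assumes POSIX sh and awk; the sample config below is constructed here.
# squid_port_modes FILE -> one "<port> <mode>" line per http_port directive;
# mode is forward, intercept, or transparent (the pre-3.1 spelling).
squid_port_modes() {
    awk '
        /^[[:space:]]*#/ { next }
        $1 == "http_port" {
            port = $2; sub(/^.*:/, "", port)      # strip an [addr]: prefix
            mode = "forward"
            for (i = 3; i <= NF; i++) {
                if ($i == "intercept")        mode = "intercept"
                else if ($i == "transparent") mode = "transparent"
            }
            print port, mode
        }' "$1"
}
# check_squid_ports FILE -> prints "ok" or the first problem found.
# A config whose every http_port is intercept is what makes cache.log say
# "No forward-proxy ports configured", so both kinds must be present.
check_squid_ports() {
    squid_port_modes "$1" | awk '
        $2 == "forward"     { fwd++ }
        $2 == "intercept"   { icp++ }
        $2 == "transparent" { trn++ }
        END {
            if (trn > 0)       print "deprecated-transparent-keyword"
            else if (fwd == 0) print "no-forward-proxy-port"
            else if (icp == 0) print "no-intercept-port"
            else               print "ok"
        }'
}
# redirect_rule FILE IFACE -> the PREROUTING rule sending port-80 traffic
# that arrives on IFACE to the config's intercept port, keeping the
# client-configured forward port out of the NAT path as the answers do.
redirect_rule() {
    port=$(squid_port_modes "$1" | awk '$2 == "intercept" { print $1; exit }')
    [ -n "$port" ] || return 1
    printf 'iptables -t nat -A PREROUTING -i %s -p tcp --dport 80 -j REDIRECT --to-ports %s\n' "$2" "$port"
}
# Constructed sample mirroring the working answer: forward port plus intercept port.
SAMPLE_CONF=$(mktemp)
printf 'http_port 8080\nhttp_port 3128 intercept\ncache_mem 8 MB\n' > "$SAMPLE_CONF"
check_squid_ports "$SAMPLE_CONF"    # prints: ok
redirect_rule "$SAMPLE_CONF" eth0
```

Run it against the real /etc/squid3/squid.conf instead of the sample to see which of the three verdicts the questioner's all-transparent config gets.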
On Ubuntu 14.04 with Squid transparent proxy version 3.3.8 you have to remove transparent from http_port 3128 in the configuration; I mean leave
http_port 3128
not
http_port 3128 transparent
For some reason that doesn't work now.
With:
http_port 3128
http_port 8080 intercept
it works.
(ERROR: No forward-proxy ports configured, in /var/log/squid3/cache.log)