# Setting up a Proxy Server (on SLES 15)

* The squid package lives in the `sle-module-server-applications` module

```
$ sudo zypper in squid
```

* Configure DNS resolution (as the file header itself explains, netconfig regenerates this file; the persistent way is `NETCONFIG_DNS_STATIC_SERVERS` in `/etc/sysconfig/network/config`)

```
$ vim /var/run/netconfig/resolv.conf
### /etc/resolv.conf is a symlink to /var/run/netconfig/resolv.conf
### autogenerated by netconfig!
#
# Before you change this file manually, consider to define the
# static DNS configuration using the following variables in the
# /etc/sysconfig/network/config file:
#     NETCONFIG_DNS_STATIC_SEARCHLIST
#     NETCONFIG_DNS_STATIC_SERVERS
#     NETCONFIG_DNS_FORWARDER
# or disable DNS configuration updates via netconfig by setting:
#     NETCONFIG_DNS_POLICY=''
#
# See also the netconfig(8) manual page and other documentation.
#
### Call "netconfig update -f" to force adjusting of /etc/resolv.conf.
nameserver 8.8.8.8
```

* Allow everyone to connect (this replaces the default `deny all`; the Docker section below restricts access to a client subnet instead)

```
$ sudo vim /etc/squid/squid.conf
......
# And finally deny all other access to this proxy
http_access allow all
......
```

* Start the proxy server

```
$ sudo systemctl enable --now squid
Created symlink /etc/systemd/system/multi-user.target.wants/squid.service → /usr/lib/systemd/system/squid.service.
```

```
$ sudo systemctl status squid
● squid.service - Squid caching proxy
   Loaded: loaded (/usr/lib/systemd/system/squid.service; enabled; vendor preset: disabled)
   Active: active (running) since Mon 2023-11-06 14:40:24 CST; 23s ago
     Docs: man:squid(8)
  Process: 5040 ExecStartPre=/usr/lib/squid/initialize_cache_if_needed.sh (code=exited, status=0/SUCCESS)
  Process: 5044 ExecStart=/usr/sbin/squid -FC (code=exited, status=0/SUCCESS)
 Main PID: 5045 (squid)
    Tasks: 4
   CGroup: /system.slice/squid.service
           ├─5045 /usr/sbin/squid -FC
           ├─5047 "(squid-1)" --kid squid-1 -FC
           ├─5048 "(logfile-daemon)" /var/log/squid/access.log
           └─5049 "(pinger)"

Nov 06 14:40:23 localhost systemd[1]: Starting Squid caching proxy...
Nov 06 14:40:24 localhost squid[5045]: Squid Parent: will start 1 kids
Nov 06 14:40:24 localhost systemd[1]: Started Squid caching proxy.
Nov 06 14:40:24 localhost squid[5045]: Squid Parent: (squid-1) process 5047 started
```

* Check that the service configuration is valid (`echo $?` has to run after the check, not in a pipeline with it, or it reports the status of the previous command)

```
$ sudo squid -k check; echo $?
0
```

* Test locally that name resolution works through the proxy

```
$ squidclient http://www.google.com
HTTP/1.1 200 OK
Date: Mon, 06 Nov 2023 06:42:33 GMT
Expires: -1
Cache-Control: private, max-age=0
Content-Type: text/html; charset=ISO-8859-1
Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-Jlkg-sBLx6zrlLoV7R7gyA' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
Server: gws
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
Set-Cookie: 1P_JAR=2023-11-06-06; expires=Wed, 06-Dec-2023 06:42:33 GMT; path=/; domain=.google.com; Secure
Set-Cookie: AEC=Ackid1Qhk1eCjN15pFZRT4lpFGMfQ4iM5a0Ofgk7StCGcyDWppw2fywaxA; expires=Sat, 04-May-2024 06:42:33 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
Set-Cookie: NID=511=jK5vkyMApAYl6VhD-UUfU849sHyKDXzn2y1VGiJpSdQeMFRYqB9Nc1_qY8hM2YIZO5TRTS7kUcP1Ssnd-y03nnWM8aK7fmMdYzdzv8YfKoBCsILheGSwCYIfXMpliRhl2BGP7hG3qibwBg8HghQ6Otp9N19IvNL-80euEr2MTKA; expires=Tue, 07-May-2024 06:42:33 GMT; path=/; domain=.google.com; HttpOnly
Accept-Ranges: none
Vary: Accept-Encoding
X-Cache: MISS from localhost
X-Cache-Lookup: MISS from localhost:3128
Via: 1.1 localhost (squid/5.4.1)
Connection: close
```

* View the access log (fields: unix timestamp, elapsed ms, client address, result code/HTTP status, bytes, method, URL, user, hierarchy/peer, content type)

```
# less /var/log/squid/access.log
......
1746422519.023 52 ::1 TCP_MISS/200 18745 GET http://www.google.com/ - HIER_DIRECT/142.250.77.4 text/html
1746422529.917 99 192.168.11.104 TCP_TUNNEL/200 23587 CONNECT www.google.com:443 - HIER_DIRECT/142.250.77.4 -
1746422546.444 77 192.168.11.104 TCP_TUNNEL/200 23584 CONNECT www.google.com:443 - HIER_DIRECT/142.250.77.4 -
```

## Client settings

* The client itself has no direct internet access; it can only reach the internet through the proxy server

```
$ sudo yast proxy
```

* Set the proxy IP address and port
* Configure `localhost` and `127.0.0.1` so that they are resolved directly and bypass the proxy server
* Test that google is reachable

```
$ curl www.google.com
<!doctype html><html itemscope="" itemtype="http://schema.org/WebPage" lang="zh-TW"><head><meta content="text/html; charset=UTF-8" http-equiv="Content-Type"><meta ......
```

## Installing with Docker

```
$ sudo mkdir -p /var/spool/squid /etc/squid/
$ chmod -R 777 /var/log/squid/
```

* Change the `client_sources` setting to the client subnet that is allowed to use the proxy

```
$ sudo nano /etc/squid/config
# =============================================================================
# ACL (Access Control Lists)
# =============================================================================
# Define an ACL named 'client_sources' for the allowed source IPs
# !!! Be sure to replace 10.10.7.0/24 with the actual IP range of your source hosts !!!
acl client_sources src 10.10.7.0/24

# Squid's standard safety settings: refuse connections to non-standard ports
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 443         # https
acl CONNECT method CONNECT

# =============================================================================
# http_access - access rules
# =============================================================================
# Deny unsafe requests
# Only allow CONNECT (SSL/TLS tunnels) to port 443
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# Core rules:
# 1. First, deny every request that does not come from a client_sources host.
#    This prevents your proxy from being abused.
http_access deny !client_sources

# 2. Allow all requests from client_sources hosts.
#    This rule must come after the deny rule.
http_access allow client_sources

# 3. Finally, deny all other unmatched requests by default (security consideration)
http_access deny all

# =============================================================================
# Port and Network Settings
# =============================================================================
# Port Squid listens on, default 3128
http_port 3128

# =============================================================================
# Cache Settings (optional, but recommended)
# =============================================================================
# Cache storage path
# 'ufs' is the standard storage format
# '/var/spool/squid' is the cache directory
# '10000' is the cache size in MB, here 10 GB
# '16' is the number of first-level subdirectories
# '256' is the number of second-level subdirectories
#cache_dir ufs /var/spool/squid 10000 16 256
coredump_dir /var/spool/squid

# To cache nothing at all, uncomment the line below (not recommended)
# cache deny all

# =============================================================================
# Miscellaneous Settings
# =============================================================================
# Turn off the Via header so the use of a proxy is not advertised
via off

# Strip the forwarded-for header so internal client IPs are not leaked
forwarded_for delete

# When Squid shuts down, wait 2 seconds for active connections to finish
shutdown_lifetime 2 seconds

# Give the Squid process a visible hostname
visible_hostname squid-proxy.yourdomain.local

logfile_rotate 0
```

```
$ sudo docker run -d --name squid-container \
    --restart=always \
    -e TZ=UTC \
    -p 3128:3128 \
    -v /var/log/squid:/var/log/squid \
    -v /var/spool/squid:/var/spool/squid \
    -v /etc/squid/config:/etc/squid/squid.conf \
    --cap-add=NET_RAW \
    docker.io/ubuntu/squid:latest
```
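The access-log section and the `http_access` rules above are two views of the same question: which requests does the proxy actually serve, and which ones should it serve? As an added example (not code from the original page or from the Squid project), the following Python script replays Squid's first-match `http_access` evaluation over access.log entries, using the ACL definitions from the container config above (including its placeholder `client_sources` range 10.10.7.0/24), and flags entries that the running proxy served but the intended policy would have refused, which is what you would see after running with `http_access allow all` for a while. The log lines are constructed to mirror the format shown in the access-log section, and the names `parse_access_log`, `decide` and `audit` are my own.

```python
"""Audit a Squid access.log against an intended http_access policy.

Squid evaluates http_access lines top to bottom; the first line whose ACL
terms all match decides (allow/deny), and if no line matches the default
is the opposite of the last line's action.
"""
import ipaddress
import urllib.parse
from dataclasses import dataclass

# Constructed sample entries in Squid's native access.log format, modelled on
# the entries shown above: unix time, elapsed ms, client, result/status,
# bytes, method, URL, user, hierarchy/peer, content type.
SAMPLE_LOG = """\
1746422519.023     52 ::1 TCP_MISS/200 18745 GET http://www.google.com/ - HIER_DIRECT/142.250.77.4 text/html
1746422529.917     99 192.168.11.104 TCP_TUNNEL/200 23587 CONNECT www.google.com:443 - HIER_DIRECT/142.250.77.4 -
1746422546.444     77 10.10.7.25 TCP_TUNNEL/200 23584 CONNECT www.google.com:443 - HIER_DIRECT/142.250.77.4 -
1746422550.101     12 10.10.7.25 TCP_DENIED/403 3977 CONNECT example.net:22 - HIER_NONE/- text/html
"""


@dataclass
class Entry:
    client: "ipaddress.IPv4Address | ipaddress.IPv6Address"
    result: str   # Squid result code, e.g. TCP_TUNNEL or TCP_DENIED
    status: int   # HTTP status Squid returned to the client
    method: str
    url: str
    port: int     # destination port derived from method and URL


def dest_port(method: str, url: str) -> int:
    """CONNECT carries host:port; other methods carry a full URL."""
    if method == "CONNECT":
        return int(url.rpartition(":")[2])
    parts = urllib.parse.urlsplit(url)
    if parts.port is not None:
        return parts.port
    return {"http": 80, "https": 443, "ftp": 21}.get(parts.scheme, 0)


def parse_access_log(text: str) -> list:
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 10:
            continue  # skip blank or truncated lines
        result, status = fields[3].split("/")
        method, url = fields[5], fields[6]
        entries.append(Entry(ipaddress.ip_address(fields[2]), result,
                             int(status), method, url, dest_port(method, url)))
    return entries


# ACL definitions from the container squid.conf above; "all" is Squid's built-in.
ACLS = {
    "all": ("src", [ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")]),
    "client_sources": ("src", [ipaddress.ip_network("10.10.7.0/24")]),
    "SSL_ports": ("port", {443}),
    "Safe_ports": ("port", {80, 443}),
    "CONNECT": ("method", {"CONNECT"}),
}
# http_access lines in file order; each term is (negated, acl_name).
RULES = [
    ("deny", [(True, "Safe_ports")]),                      # deny !Safe_ports
    ("deny", [(False, "CONNECT"), (True, "SSL_ports")]),   # deny CONNECT !SSL_ports
    ("deny", [(True, "client_sources")]),                  # deny !client_sources
    ("allow", [(False, "client_sources")]),                # allow client_sources
    ("deny", [(False, "all")]),                            # deny all
]


def acl_matches(name: str, entry: Entry, acls: dict) -> bool:
    kind, values = acls[name]
    if kind == "src":
        # An IPv6 client never falls inside an IPv4 network (and vice versa).
        return any(entry.client in net for net in values)
    if kind == "port":
        return entry.port in values
    if kind == "method":
        return entry.method in values
    raise ValueError(f"unsupported acl type {kind}")


def decide(entry: Entry, acls: dict = ACLS, rules: list = RULES) -> str:
    for action, terms in rules:
        if all(acl_matches(name, entry, acls) != negated for negated, name in terms):
            return action
    # Squid's default when nothing matched: the opposite of the last line.
    return "allow" if rules[-1][0] == "deny" else "deny"


def audit(text: str, acls: dict = ACLS, rules: list = RULES):
    """Return (verdicts, flagged): verdicts is [(entry, decision)] and flagged
    lists entries the proxy served (not TCP_DENIED) that the policy would deny."""
    verdicts = [(e, decide(e, acls, rules)) for e in parse_access_log(text)]
    flagged = [e for e, d in verdicts if d == "deny" and e.result != "TCP_DENIED"]
    return verdicts, flagged


if __name__ == "__main__":
    verdicts, flagged = audit(SAMPLE_LOG)
    for e, d in verdicts:
        print(f"{d:5} {str(e.client):16} {e.method} {e.url} (port {e.port}) served as {e.result}")
    print(f"{len(flagged)} served request(s) would be denied by the intended policy")
```

Run against the sample, the localhost `GET` and the `CONNECT` from 192.168.11.104 are flagged: both were served, but neither source is in `client_sources`, so rule 3 denies them before the `allow` line is reached. The `CONNECT example.net:22` entry is denied by the `!Safe_ports` line regardless of source, which is why it already shows `TCP_DENIED`. Note also that because the `deny !client_sources` and `allow client_sources` pair covers every possible source, the final `deny all` line is never reached; keeping it as `deny` rather than `allow` still matters, since it is the fallback the moment someone edits the pair above it.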