RHEL6上のsquid3.1を使用した透過プロキシ
Windows XPのシステムが50近くあり、サーバー用にLinux(RHEL6)があります。
また、ローカルで使用するためのsquid 3.1、Samba、Apacheもあります。
プロキシでは、VPNとOutlookExpressは接続されていません。透過プロキシでこの問題が解決すると聞きました。私はインターネットとスタック交換からのステップを試しました。しかし、私はこの問題を完全に修正することはできません。明確な構成ファイルとIpTablesの構成を提供してください。
ここに私のsquidconfファイルがあります。
#
# Recommended minimum configuration:
#
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
#
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localinternet src 10.1.1.0/24
##acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
##acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
##acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
##acl localnet src fc00::/7 # RFC 4193 local private network range
##acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
#
# Special IP List
acl special src "/etc/squid/special.txt" # All Access IPs
# Allowed IP List
acl d_unlimited src "/etc/squid/d_unlimited.txt" # Full Download access
acl u_unlimited src "/etc/squid/u_unlimited.txt" # Full Upload access
acl allow_proxy src "/etc/squid/allow_proxy.txt" # Allow Proxy
acl allow_social src "/etc/squid/allow_social.txt" # Allow Social networking
acl allow_tutorial src "/etc/squid/allow_tutorial.txt" # Allow Tutorial
acl allow_movie src "/etc/squid/allow_movie.txt" # Allow Jobs
acl allow_jobs src "/etc/squid/allow_jobs.txt" # Allow Movie
acl allow_sex src "/etc/squid/allow_sex.txt" # Allow Sex
#
# Blocked Keys
#
acl goodkey url_regex "/etc/squid/goodkey.txt"
acl proxy url_regex "/etc/squid/proxy.txt"
acl social url_regex "/etc/squid/social.txt"
acl tutorial url_regex "/etc/squid/tutorial.txt"
acl movie url_regex "/etc/squid/movie.txt"
acl jobs url_regex "/etc/squid/jobs.txt"
acl sex url_regex "/etc/squid/sex.txt"
#
# Upload/Download Limit
#
request_body_max_size 2000 KB localinternet !u_unlimited
reply_body_max_size 6000 KB localinternet !d_unlimited
#
#
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # Gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
#
# Recommended minimum Access Permission configuration:
#
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
# Deny requests to certain unsafe ports
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
#http_access allow localnet
#
# Allow all / Allow Good keys
http_access allow special
http_access allow goodkey
#
# Allow Proxy Sites
#
http_access allow allow_proxy proxy
#
# Allow Social Networking
#
http_access allow allow_social social
#
# Allow Tutorials
http_access allow allow_tutorial tutorial
#
# Allow Movie
http_access allow allow_movie movie
#
# Allow Jobs
http_access allow allow_jobs jobs
#
# Allow Sex
http_access allow allow_sex sex
#
# Allow List
http_access allow localinternet !proxy !social !tutorial !movie !jobs !sex
#
# Local Host
http_access allow localhost
# And finally deny all other access to this proxy
http_access deny all
# Squid normally listens to port 3128
http_port 3128
# We recommend you to use at least the following line.
hierarchy_stoplist cgi-bin ?
# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/spool/squid 100 16 256
# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid
# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^Gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
dns_nameservers 182.190.0.21 182.176.39.17 192.168.1.100
#broken_vary_encoding allow Apache
#extension_methods REPORT MERGE MKACTIVITY CHECKOUT
#acl M1 arp 00:18:8B:28:DD:7F
#acl M2 arp 00:21:9b:d3:d8:de
#http_access allow M1
#http_access allow M2
#http_access deny all
#http_port 80
#httpd_accel_Host 127.0.0.1
#http_accel_port 80
http_port 80 accel defaultsite=proxy.shancomputers.com vhost
forwarded_for on
#httpd_accel_single_Host on
#httpd_accel_with_proxy on
#httpd_accel_uses_Host_header off
icp_access allow all
#cache_peer 127.0.0.1 parent 3128 0 no-query default
acl web_ports port 80
http_access allow web_ports
acl purge method PURGE
#http_access allow purge localhost
http_access deny purge
hierarchy_stoplist cgi-bin ?
memory_replacement_policy lru
cache_replacement_policy heap LFUDA
#upgrade_http0.9 deny shoutcast
#acl all src all
unique_hostname proxy.shancomputers.com
visible_hostname proxy.shancomputers.com
cache_mgr [email protected]
acl dp url_regex -i \.mp3$ \.wmv$ \.avi$ \.wma$ \.mpe?g$
acl dp1 rep_mime_type video/flv
acl youtube dstdomain .youtube.com
acl YIM_ports port 5050
acl YIM_domains dstdomain .yahoo.com .yahoo.co.jp
acl YIM_hosts dstdomain scs.msg.yahoo.com cs.yahoo.co.jp
acl YIM_methods method CONNECT
acl MSN_ports port 1863 443 1503
acl MSN_domains dstdomain .Microsoft.com .hotmail.com .live.com .msft.net .msn.com .passport.com
acl MSN_hosts dstdomain messenger.hotmail.com
acl MSN_nets dst 192.168.1.0/24
acl MSN_methods method CONNECT
acl numconn maxconn 6
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.1.0/24 # RFC1918 possible internal network
acl SSL_ports port 443 # https
acl SSL_ports port 563 # snews
acl SSL_ports port 873 # rsync
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # Gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT
acl POST method POST
acl CONNECT method CONNECT
acl GET method GET
acl shoutcast rep_header X-HTTP09-First-Line ^ICY.[0-9]
acl Apache rep_header Server ^Apache
acl QUERY urlpath_regex cgi-bin \?
#---------------------------------------------------------------------
http_access allow YIM_methods YIM_ports YIM_hosts
http_access allow YIM_methods YIM_ports YIM_domains
http_access allow MSN_methods MSN_ports MSN_hosts
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access allow localhost
http_access deny all
http_port 192.168.1.1:3128 transparent
#http_port 192.168.1.1:8080 transparent
#---------------------------------------------------------------------
#memory_cache_mode always
acl FTP proto FTP
always_direct allow FTP
miss_access allow all
#--------------------------------------------------------------------
cache_store_log /var/log/squid/store.log
no_cache deny QUERY
no_cache deny POST
#---------------------------------------------------------------------
request_header_max_size 100 MB
maximum_object_size 96 MB
refresh_pattern ^Gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880
refresh_pattern . 9999 99% 99990 override-expire reload-into-ims override-lastmod
refresh_pattern cgi-bin 1 20% 2
refresh_pattern \.asp$ 1 20% 2
refresh_pattern \.acgi$ 1 20% 2
refresh_pattern \.cgi$ 1 20% 2
refresh_pattern \.pl$ 1 20% 2
refresh_pattern \.shtml$ 1 20% 2
refresh_pattern \.php3$ 1 20% 2
refresh_pattern \? 1 20% 2
refresh_pattern \.gif$ 10080 90% 43200
refresh_pattern \.jpg$ 10080 90% 43200
refresh_pattern \.bom\.gov\.au 30 20% 120
refresh_pattern \.html$ 480 50% 22160
refresh_pattern \.htm$ 480 50% 22160
refresh_pattern \.class$ 10080 90% 43200
refresh_pattern \.Zip$ 10080 90% 43200
refresh_pattern \.jpeg$ 10080 90% 43200
refresh_pattern \.mid$ 10080 90% 43200
refresh_pattern \.shtml$ 480 50% 22160
refresh_pattern \.exe$ 10080 90% 43200
refresh_pattern \.thm$ 10080 90% 43200
refresh_pattern \.wav$ 10080 90% 43200
refresh_pattern \.txt$ 10080 90% 43200
refresh_pattern \.cab$ 10080 90% 43200
refresh_pattern \.au$ 10080 90% 43200
refresh_pattern \.mov$ 10080 90% 43200
refresh_pattern \.xbm$ 10080 90% 43200
refresh_pattern \.ram$ 10080 90% 43200
refresh_pattern \.avi$ 10080 90% 43200
refresh_pattern \.chtml$ 480 50% 22160
refresh_pattern \.thb$ 10080 90% 43200
refresh_pattern \.dcr$ 10080 90% 43200
refresh_pattern \.bmp$ 10080 90% 43200
refresh_pattern \.phtml$ 480 50% 22160
refresh_pattern \.mpg$ 10080 90% 43200
refresh_pattern \.pdf$ 10080 90% 43200
refresh_pattern \.swf$ 10080 90% 43200
refresh_pattern \.mp3$ 10080 90% 43200
refresh_pattern \.ra$ 10080 90% 43200
refresh_pattern \.spl$ 10080 90% 43200
refresh_pattern \.viv$ 10080 90% 43200
refresh_pattern \.doc$ 10080 90% 43200
refresh_pattern \.gz$ 10080 90% 43200
refresh_pattern \.Z$ 10080 90% 43200
refresh_pattern \.tgz$ 10080 90% 43200
refresh_pattern \.tar$ 10080 90% 43200
refresh_pattern \.vrm$ 10080 90% 43200
refresh_pattern \.vrml$ 10080 90% 43200
refresh_pattern \.aif$ 10080 90% 43200
refresh_pattern \.aifc$ 10080 90% 43200
refresh_pattern \.aiff$ 10080 90% 43200
refresh_pattern \.arj$ 10080 90% 43200
refresh_pattern \.c$ 10080 90% 43200
refresh_pattern \.cpt$ 10080 90% 43200
refresh_pattern \.dir$ 10080 90% 43200
refresh_pattern \.dxr$ 10080 90% 43200
refresh_pattern \.hqx$ 10080 90% 43200
refresh_pattern \.jpe$ 10080 90% 43200
refresh_pattern \.lha$ 10080 90% 43200
refresh_pattern \.lzh$ 10080 90% 43200
refresh_pattern \.midi$ 10080 90% 43200
refresh_pattern \.movie$ 10080 90% 43200
refresh_pattern \.mp2$ 10080 90% 43200
refresh_pattern \.mpe$ 10080 90% 43200
refresh_pattern \.mpeg$ 10080 90% 43200
refresh_pattern \.mpga$ 10080 90% 43200
refresh_pattern \.pl$ 10080 90% 43200
refresh_pattern \.ppt$ 10080 90% 43200
refresh_pattern \.ps$ 10080 90% 43200
refresh_pattern \.qt$ 10080 90% 43200
refresh_pattern \.qtm$ 10080 90% 43200
refresh_pattern \.ras$ 10080 90% 43200
refresh_pattern \.sea$ 10080 90% 43200
refresh_pattern \.sit$ 10080 90% 43200
refresh_pattern \.tif$ 10080 90% 43200
refresh_pattern \.tiff$ 10080 90% 43200
refresh_pattern \.snd$ 10080 90% 43200
refresh_pattern \.wrl$ 10080 90% 43200
refresh_pattern ^ftp:// 480 60% 22160
refresh_pattern ^Gopher:// 30 20% 120
refresh_pattern . 480 50% 22160
refresh_pattern \.iso$ 10080 90% 43200
#------------------------------------------------------------------------
range_offset_limit 0 KB
#---------------------------------------------------------------------------
hosts_file /etc/hosts
coredump_dir /var/spool/squid
#----------------------------------------------------------------------------
quick_abort_min 1024 KB
quick_abort_max 2048 KB
quick_abort_pct 90
cache_effective_user squid
cache_effective_group squid
cache_dir ufs /var/spool/squid 20000 16 256
cache_mem 1024 MB
fqdncache_size 1024
request_body_max_size 100 KB
これをsquid.confに入れてください
httpd_accel_Host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_Host_header on
# acl lan src 192.168.1.1 192.168.2.0/24 # configure this for your lan settings
http_access allow localhost
http_access allow lan
squidサーバーにiptablesがセットアップされていることを確認してください。
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
詳細については、HOWTOを http://tldp.org/HOWTO/TransparentProxy.html で確認してください。
Squidは通常ポート3128をリッスンします
http_port 3128 intercept
Squid.confファイルでこの変更を行います