Squid4 PDF

http://www.silviogarbes.com.br/sistemas/linux/instalar-squid-4-com-https...
Sistemas > Linux >
Instalar/Configurar Squid 4 com HTTPs transparente no

CentOS 7
Autor: Silvio Garbes
# ---------------- #
# INSTALAR O SQUID #
# ---------------- #
# vi /etc/selinux/config
SELINUX=disabled
# setenforce 0
# rpm -Uvh http://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
# rpm -Uvh http://mirror.symnds.com/distributions/gf/el/7/gf/x86_64/gf-release-7-10.gf.el7.noarch.rpm
# vi /etc/yum.repos.d/gf.repo
[gf-plus]
name=Ghettoforge packages that will overwrite core distro packages.
mirrorlist=http://mirrorlist.ghettoforge.org/el/7/plus/$basearch/mirrorlist
# Please read http://ghettoforge.org/index.php/Usage *before* enabling this repository!
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-gf.el7
failovermethod=priority
# vi /etc/yum.repos.d/ngtech.repo
[squid]
name=Squid repo for CentOS Linux - $basearch
#IL mirror
baseurl=http://www1.ngtech.co.il/repo/centos/$releasever/beta/$basearch/
failovermethod=priority
enabled=1
gpgcheck=0
# yum update
# yum install open-vm-tools libxml2 expat-devel openssl-devel libcap libecap ccache libtool-ltdl-devel
cppunit cppunit-devel bzr autoconf automake libtool gcc-c++ perl-Pod-MinimumVersion bzip2 ed make
openldap-devel pam-devel db4-devel libxml2-devel libcap-devel screen vim nettle-devel redhat-lsb-core
autoconf-archive perl wget firewalld
# yum install squid squid-helpers
# squid -v
# systemctl enable squid.service
# systemctl enable firewalld.service
# ----------------- #
# CONFIGURAR SQUID #
# ----------------- #
# cd /etc/squid
# mkdir ssl_cert
# chmod 700 ssl_cert
# cd ssl_cert
# openssl req -new -newkey rsa:2048 -sha256 -days 36500 -nodes -x509 -keyout myca.pem -out
1 of 4 28/05/2019 18:27
myca.pem
Country Name (2 letter code) [XX]:BR
State or Province Name (full name) []:MEU ESTADO
Locality Name (eg, city) [Default City]:MINHA CIDADE
Organization Name (eg, company) [Default Company Ltd]:MINHA EMPRESA
Organizational Unit Name (eg, section) []:MEU SETOR
Common Name (eg, your name or your server's hostname) []:SQUID PROXY
Email Address []:MEU EMAIL
# openssl x509 -in myca.pem -outform DER -out myca.der

# /usr/lib64/squid/security_file_certgen -c -s /var/spool/squid_ssldb
# chown squid:squid -R /var/spool/squid_ssldb
# chown squid:squid -R /etc/squid/ssl_cert
# squid -k parse
# vi /etc/squid/squid.conf
acl ssl_exclude_domains dstdomain "/etc/squid/acl/ssl_exclude_domains.conf"
acl ssl_exclude_ip dst "/etc/squid/acl/ssl_exclude_ip.conf"
acl ssl_skip_bump req_header X-SSL-Bump -i skip
acl ssl_force_bump req_header X-SSL-Bump -i force
http_port 3126 intercept
https_port 3127 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
cert=/etc/squid/ssl_cert/myca.pem
http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc
/squid/ssl_cert/myca.pem
sslcrtd_program /usr/lib64/squid/security_file_certgen -s /var/spool/squid_ssldb -M 4MB
sslproxy_cert_error allow all
tls_outgoing_options flags=DONT_VERIFY_PEER,DONT_VERIFY_DOMAIN
ssl_bump splice localhost
ssl_bump splice ssl_exclude_domains
ssl_bump none ssl_exclude_ip
ssl_bump splice ssl_skip_bump
ssl_bump server-first ssl_force_bump
ssl_bump server-first all
forwarded_for off
request_header_access Allow allow all
request_header_access Authorization allow all
request_header_access WWW-Authenticate allow all
request_header_access Proxy-Authorization allow all
request_header_access Proxy-Authenticate allow all
request_header_access Cache-Control allow all
request_header_access Content-Encoding allow all
request_header_access Content-Length allow all
request_header_access Content-Type allow all
request_header_access Date allow all
request_header_access Expires allow all
request_header_access Host allow all
request_header_access If-Modified-Since allow all
request_header_access Last-Modified allow all
request_header_access Location allow all
request_header_access Pragma allow all
request_header_access Accept allow all
request_header_access Accept-Charset allow all
request_header_access Accept-Encoding allow all
request_header_access Accept-Language allow all
request_header_access Content-Language allow all
2 of 4 28/05/2019 18:27
request_header_access Mime-Version allow all

request_header_access Retry-After allow all
request_header_access Title allow all
request_header_access Connection allow all
request_header_access Proxy-Connection allow all
request_header_access User-Agent allow all
request_header_access Cookie allow all
request_header_access All deny all
# mkdir /etc/squid/acl
# vi /etc/squid/acl/ssl_exclude_domains.conf
.apple.com
.itunes.com
.icloud.com
.dropbox.com
.mzstatic.com
# vi /etc/squid/acl/ssl_exclude_ip.conf
104.16.0.0/12
# chown squid:squid -R /etc/squid/acl

# squid -k parse
# systemctl restart squid.service
# vi /etc/sysctl.conf
net.ipv4.ip_forward = 1
# sysctl -p
# systemctl start firewalld.service

# firewall-cmd --set-default-zone=internal
# firewall-cmd --zone=internal --add-interface=ens160
# firewall-cmd --zone=internal --add-service=ssh --permanent
# firewall-cmd --zone=internal --add-service=http --permanent
# firewall-cmd --zone=internal --add-service=https --permanent
# firewall-cmd --zone=internal --add-port=3126/tcp --permanent
# firewall-cmd --permanent --direct --add-rule ipv4 nat PREROUTING 0 -i ens160 -p tcp --dport 80 -j
REDIRECT --to-port 3126
# firewall-cmd --permanent --direct --add-rule ipv4 nat PREROUTING 0 -i ens160 -p tcp --dport 443 -j
REDIRECT --to-port 3127
# firewall-cmd --permanent --direct --add-rule ipv4 nat POSTROUTING 0 -o ens160 -j MASQUERADE
# firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 -j ACCEPT
# firewall-cmd --complete-reload
# firewall-cmd --get-active-zones
# firewall-cmd --zone=internal --list-all
# firewall-cmd --direct --get-all-rules
# ---------------------------------------------- #
# INSTALAR CERTIFICADO NO NAVEGADOR DE INTERNET #
# ---------------------------------------------- #
# cd /etc/squid/ssl_cert
Copiar o certificado myca.der para instalar no navegador de internet
[Firefox]
Abra o Firefox -> Opções -> Avançado -> Certificados -> Ver certificados -> Autoridades -> Selecione o
certificado (myca.der) -> Marque todas as caixas -> OK -> OK
[Google Chrome]
3 of 4 28/05/2019 18:27
Abra o Chrome -> Configurações -> Avançadas -> Gerenciar certificados -> Autoridade de certificação raiz
confiáveis -> Importar -> Selecione o certificado (myca.der) -> OK -> Fechar
4 of 4 28/05/2019 18:27

Squid4 PDF

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Squid4 PDF

Uploaded by

Copyright:

Available Formats

http://www.silviogarbes.com.br/sistemas/linux/instalar-squid-4-com-https...

Sistemas > Linux >

Instalar/Configurar Squid 4 com HTTPs transparente no

# openssl x509 -in myca.pem -outform DER -out myca.der

request_header_access Mime-Version allow all

# chown squid:squid -R /etc/squid/acl

# systemctl start firewalld.service

You might also like