# ------------- #
# INSTALL SQUID #
# ------------- #
# vi /etc/selinux/config
SELINUX=disabled
# setenforce 0
# rpm -Uvh http://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
# rpm -Uvh http://mirror.symnds.com/distributions/gf/el/7/gf/x86_64/gf-release-7-10.gf.el7.noarch.rpm
# vi /etc/yum.repos.d/gf.repo
[gf-plus]
name=Ghettoforge packages that will overwrite core distro packages.
mirrorlist=http://mirrorlist.ghettoforge.org/el/7/plus/$basearch/mirrorlist
# Please read http://ghettoforge.org/index.php/Usage *before* enabling this repository!
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-gf.el7
failovermethod=priority
# vi /etc/yum.repos.d/ngtech.repo
[squid]
name=Squid repo for CentOS Linux - $basearch
#IL mirror
baseurl=http://www1.ngtech.co.il/repo/centos/$releasever/beta/$basearch/
failovermethod=priority
enabled=1
gpgcheck=0
# yum update
# yum install open-vm-tools libxml2 expat-devel openssl-devel libcap libecap ccache libtool-ltdl-devel \
    cppunit cppunit-devel bzr autoconf automake libtool gcc-c++ perl-Pod-MinimumVersion bzip2 ed make \
    openldap-devel pam-devel db4-devel libxml2-devel libcap-devel screen vim nettle-devel redhat-lsb-core \
    autoconf-archive perl wget firewalld
# yum install squid squid-helpers
# squid -v
# systemctl enable squid.service
# systemctl enable firewalld.service
# --------------- #
# CONFIGURE SQUID #
# --------------- #
# cd /etc/squid
# mkdir ssl_cert
# chmod 700 ssl_cert
# cd ssl_cert
1 of 4 28/05/2019 18:27
http://www.silviogarbes.com.br/sistemas/linux/instalar-squid-4-com-https...
# openssl req -new -newkey rsa:2048 -sha256 -days 36500 -nodes -x509 -keyout myca.pem -out myca.pem
Country Name (2 letter code) [XX]:BR
State or Province Name (full name) []:MEU ESTADO
Locality Name (eg, city) [Default City]:MINHA CIDADE
Organization Name (eg, company) [Default Company Ltd]:MINHA EMPRESA
Organizational Unit Name (eg, section) []:MEU SETOR
Common Name (eg, your name or your server's hostname) []:SQUID PROXY
Email Address []:MEU EMAIL
# vi /etc/squid/squid.conf
acl ssl_exclude_domains dstdomain "/etc/squid/acl/ssl_exclude_domains.conf"
acl ssl_exclude_ip dst "/etc/squid/acl/ssl_exclude_ip.conf"
acl ssl_skip_bump req_header X-SSL-Bump -i skip
acl ssl_force_bump req_header X-SSL-Bump -i force
http_port 3126 intercept
https_port 3127 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/myca.pem
http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/myca.pem
sslcrtd_program /usr/lib64/squid/security_file_certgen -s /var/spool/squid_ssldb -M 4MB
sslproxy_cert_error allow all
tls_outgoing_options flags=DONT_VERIFY_PEER,DONT_VERIFY_DOMAIN
ssl_bump splice localhost
ssl_bump splice ssl_exclude_domains
ssl_bump none ssl_exclude_ip
ssl_bump splice ssl_skip_bump
ssl_bump server-first ssl_force_bump
ssl_bump server-first all
forwarded_for off
request_header_access Allow allow all
request_header_access Authorization allow all
request_header_access WWW-Authenticate allow all
request_header_access Proxy-Authorization allow all
request_header_access Proxy-Authenticate allow all
request_header_access Cache-Control allow all
request_header_access Content-Encoding allow all
request_header_access Content-Length allow all
request_header_access Content-Type allow all
request_header_access Date allow all
request_header_access Expires allow all
request_header_access Host allow all
request_header_access If-Modified-Since allow all
request_header_access Last-Modified allow all
request_header_access Location allow all
request_header_access Pragma allow all
request_header_access Accept allow all
request_header_access Accept-Charset allow all
request_header_access Accept-Encoding allow all
request_header_access Accept-Language allow all
request_header_access Content-Language allow all
# mkdir /etc/squid/acl
# vi /etc/squid/acl/ssl_exclude_domains.conf
.apple.com
.itunes.com
.icloud.com
.dropbox.com
.mzstatic.com
# vi /etc/squid/acl/ssl_exclude_ip.conf
104.16.0.0/12
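Added example, not part of the original page: on a bumped connection the browser only sees the certificate Squid mints, so `sslproxy_cert_error allow all` and the `DONT_VERIFY_*` flags in the squid.conf above mean nobody validates the origin server's certificate. The script below flags those directives and the legacy `ssl_bump` actions; the function names, finding labels and both sample configs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): flag squid.conf lines that stop
# Squid from validating the origin server certificate on bumped connections.

# Reads a squid.conf on stdin; prints "<line>:<finding>:<directive>" per hit.
audit_squid_tls() {
    awk '
    NF == 0 || $1 ~ /^#/ { next }            # skip blank lines and comments
    # Blanket bypass of every certificate validation error.
    $1 == "sslproxy_cert_error" && $2 == "allow" && $3 == "all" {
        print NR ":CERT_ERRORS_IGNORED:" $0; next }
    # Flags that switch off chain and host name checks toward the server.
    $1 == "tls_outgoing_options" || $1 == "sslproxy_flags" {
        if ($0 ~ /DONT_VERIFY_PEER/)   print NR ":NO_PEER_VERIFY:" $0
        if ($0 ~ /DONT_VERIFY_DOMAIN/) print NR ":NO_DOMAIN_VERIFY:" $0
        next }
    # Actions Squid documents as kept for backward compatibility.
    $1 == "ssl_bump" && $2 ~ /^(none|client-first|server-first)$/ {
        print NR ":LEGACY_BUMP_ACTION:" $0 }
    '
}

# Constructed sample: abridged TLS-related directives from the squid.conf above.
sample_conf() {
    cat <<'EOF'
http_port 3128 ssl-bump generate-host-certificates=on cert=/etc/squid/ssl_cert/myca.pem
sslproxy_cert_error allow all
tls_outgoing_options flags=DONT_VERIFY_PEER,DONT_VERIFY_DOMAIN
ssl_bump splice localhost
ssl_bump none ssl_exclude_ip
ssl_bump server-first all
EOF
}

# Constructed variant that leaves upstream verification on (an assumption
# about what a stricter deployment would use, not the page author's config).
hardened_conf() {
    cat <<'EOF'
http_port 3128 ssl-bump generate-host-certificates=on cert=/etc/squid/ssl_cert/myca.pem
sslproxy_cert_error deny all
tls_outgoing_options min-version=1.2
ssl_bump splice localhost
ssl_bump bump all
EOF
}

echo "== page config ==";      sample_conf   | audit_squid_tls
echo "== stricter variant =="; hardened_conf | audit_squid_tls
```

To check a live proxy, feed the real file to the function: `audit_squid_tls < /etc/squid/squid.conf`.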
# ------------------------------------------ #
# INSTALL THE CERTIFICATE IN THE WEB BROWSER #
# ------------------------------------------ #
# cd /etc/squid/ssl_cert
Copy the myca.der certificate so it can be installed in the web browser
[Firefox]
Open Firefox -> Options -> Advanced -> Certificates -> View Certificates -> Authorities -> Select the
certificate (myca.der) -> Check all the boxes -> OK -> OK
[Google Chrome]
Open Chrome -> Settings -> Advanced -> Manage certificates -> Trusted Root Certification
Authorities -> Import -> Select the certificate (myca.der) -> OK -> Close