Pages

Wednesday, 26 August 2015

利用SQUID的https proxy功能翻墙

Squid是一个大名鼎鼎老牌软件,用于做HTTP缓存代理。它非常完善的支持HTTP/1.1 proxy协议,所以我的方法就是:让squid以https的方式提供forward proxy service,然后在客户端机器使用chrome访问被封的网站.

首先,我有一个国外的LINUX VPS主机(内存最好为1 gb以上,且为xen或kvm平台。openvz平台不太好)。我要在它上面安装squid:
从源代码编译:(编译的squid必须是3.3或以上的版本。2.x版好像没有加密代理功能.注:建议vps的内存要达到1 gb,否则编译容易出错
yum install gcc gcc-c++ bzip2
yum install openssl openssl-devel 

 (如果你的系统是DEBIAN/UBUNTU,则需运行命令:
apt-get install gcc g++ bzip2
apt-get install openssl libssl-dev

否则编译时,会遇到错误:configure: error: library 'crypto' is required for OpenSSL。参见
http://superuser.com/questions/371901/openssl-missing-during-configure-how-to-fix)


wget http://www.squid-cache.org/Versions/v3/3.5/squid-3.5.7.tar.bz2
tar jxvf squid-3.5.7.tar.bz2 
cd squid-3.5.7 
./configure --sysconfdir=/etc/squid --libdir=/usr/lib
--with-openssl --enable-auth-basic='DB,NCSA,NIS,POP3,RADIUS,SMB,getpwnam'
--with-swapdir=/var/spool/squid --libexecdir=/usr/lib/squid --enable-ssl
make && make install  (此步骤耗时15-30分钟)


注意:gcc的版本需为4.8.5;我是在centos7上,安装的。

root@umh:~/squid-3.5.7# which squid
root@umh:~/squid-3.5.7# find / -name squid
/var/spool/squid
/usr/local/squid
/usr/local/squid/var/run/squid
/usr/local/squid/sbin/squid
/usr/lib/squid
/etc/squid
/root/squid-3.5.7/src/squid
root@umh:~/squid-3.5.7# echo 'export PATH=$PATH:/usr/local/squid/sbin' >> /etc/profile && . /etc/profile

配置squid.
nano /etc/squid/squid.conf
把http_port变成https_port ,修改监听的端口号为
30289
https_port 30289 cert=/root/public.crt key=/root/private.key
其中cert和key分别是证书和私钥。在/root目录中,运行
openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout private.key -out public.crt即可生成public.crt和private.key.


现在,因为letsencrypt.org推出了免费证书,所以建议使用其免费证书,而不要再使用自签的证书。这样,就把https_port 30289 cert=/root/public.crt key=/root/private.key改为:
https_port 30289 cert=/path/to/certificate-file key=/path/to/key-file

把http_access deny all 改为http_access allow all

把cache_dir ufs /var/spool/squid 100 16 256前面的#号去掉。

运行squid,会提示:
root@AR:/etc/squid# /usr/local/squid/sbin/squid
WARNING: Cannot write log file: /usr/local/squid/var/logs/cache.log
/usr/local/squid/var/logs/cache.log: Permission denied.
         messages will be sent to 'stderr'.
root@AR:/etc/squid#

解决办法:
root@AR:/etc/squid# chmod 777 /usr/local/squid/var/logs/

另外,设置以下的目录权限为777,否则squid可能启动不起来:chmod -R 777 /var/spool/squid/

还要开放squid的
30289端口:
iptables -I INPUT -p tcp -m tcp --dport 30289 -j ACCEPT
然后运行squid -z (千万不要忘记此步骤,否则可能无法启动squid)
如果运行squid -z,遇错:
FATAL: Ipc::Mem::Segment::create failed to shm_open(/squid-cf__metadata.shm): (13) Permission denied
解决办法:chmod -R 777 /dev/shm/ ,再运行squid -z就不会遇错了:
root@umh:/var# chmod -R 777 /dev/shm/
root@umh:/var# squid -z 

会显示:
 2018/07/22 18:56:45 kid1| Set Current Directory to /var/spool/squid
2018/07/22 18:56:45 kid1| Creating missing swap directories
2018/07/22 18:56:45 kid1| /var/spool/squid exists
2018/07/22 18:56:45 kid1| Making directories in /var/spool/squid/00
2018/07/22 18:56:45 kid1| Making directories in /var/spool/squid/01
2018/07/22 18:56:45 kid1| Making directories in /var/spool/squid/02
2018/07/22 18:56:45 kid1| Making directories in /var/spool/squid/03
2018/07/22 18:56:45 kid1| Making directories in /var/spool/squid/04
2018/07/22 18:56:45 kid1| Making directories in /var/spool/squid/05
2018/07/22 18:56:45 kid1| Making directories in /var/spool/squid/06
2018/07/22 18:56:45 kid1| Making directories in /var/spool/squid/07
2018/07/22 18:56:45 kid1| Making directories in /var/spool/squid/08
2018/07/22 18:56:45 kid1| Making directories in /var/spool/squid/09
2018/07/22 18:56:45 kid1| Making directories in /var/spool/squid/0A
2018/07/22 18:56:45 kid1| Making directories in /var/spool/squid/0B
2018/07/22 18:56:45 kid1| Making directories in /var/spool/squid/0C
2018/07/22 18:56:45 kid1| Making directories in /var/spool/squid/0D
2018/07/22 18:56:45 kid1| Making directories in /var/spool/squid/0E
2018/07/22 18:56:45 kid1| Making directories in /var/spool/squid/0F
root@umh:/var#
(参考http://squid-web-proxy-cache.1019090.n4.nabble.com/FATAL-Ipc-Mem-Segment-create-failed-to-shm-open-squid-cf-metadata-shm-13-Permission-denied-td4665373.html)

即可正常启动squid:
root@AR:/etc/squid# squid -f /etc/squid/squid.conf
root@AR:/etc/squid# ps aux|grep squid
root     14206  0.0  1.0  43576  2612 ?        Ss   09:23   0:00 squid -f /etc/squid/squid.conf
nobody   14208  0.0  4.5  48512 11628 ?        S    09:23   0:00 (squid-1) -f /etc/squid/squid.conf
root     14259  0.0  0.3   8828   776 pts/3    S+   09:24   0:00 grep --color=auto squid
root@AR:/etc/squid#
(最好重复运行三次ps aux|grep squid检测一下squid是否在运行,因为有时你输入squid,回车后,没有任何出错提示,导致你以为squid在运行中,但实际上并未在运行,此时你还得输入squid -f /etc/squid/squid.conf,回车,这次squid应该在运行中了,你可运行ps aux|grep squid验证一下,以确保squid在运行中。)
如果你哪一天用此术翻墙失败,估计是squid退出了,再次运行squid -f /etc/squid/squid.conf即可。

另外,如果你的vps的系统为centos7,则还需:
systemctl stop firewalld
systemctl disable firewalld
yum erase firewalld
systemctl enable iptables
systemctl start iptables
这段内容的意思是停止firewalld而启用iptables.我之前没有停止firewalld,弄得我在客户端机器上的chrome里,一直连不上squid服务器,从而翻墙失败。


还要开放squid的
30289端口:
iptables -I INPUT -p tcp -m tcp --dport 30289 -j ACCEPT,意思是开放tcp端口30289,否则客户端机器上的chrome也是连不上squid服务器的。
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
service iptables save
service iptables restart

chrome支持https类型的代理,需安装switchyomega插件。(启动chrome的时候在末尾加上--proxy-server=https://vps-ip:
30289 --ignore-certificate-errors即可。)

在switchyomega里面,新建情景模式,代理协议选择https, '代理服务器'地址栏填写你的域名,代理端口填写30289,点击“应用选项”。选择该情景模式,即可在chrome里面翻墙。
访问http://httpbin.org/get 看一下。看看IP是否对。

配置squid的用户认证(修改SQUID的配置文件):
squid默认是按照IP进行权限控制,但是这个对我不适用,因为我是要从公网访问它,client没有一个固定的IP。所以最简单的办法就是通过http basic身份认证。方式是用basic_ncsa_auth,搭配apache的htpasswd程序使用。具体方法如下:
yum install httpd (debian/ubuntu系统下,则apt-get install apache2)
这样你的系统上就会出现htpasswd命令。然后在/etc/squid/目录里,运行
htpasswd -cb /etc/squid/users jones fx5rm31s
上述命令将生成密码文件users.(jones和fx5rm31s分别为你指定的用户名和密码)
然后,编辑/etc/squid/squid.conf文件,把http_access allow all改回http_access deny all,然后在http_access deny all那一段的上方,插入:
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/users
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 24 hours
acl normal proxy_auth REQUIRED
http_access allow normal
auth_param basic casesensitive off

然后重启squid,即可启用squid的认证机制。
如果想添加用户,方法如下:
htpasswd -cb /etc/squid/users2  doe rfrev36
此命令会生成users2文件。然后:
cat /etc/squid/users2 >> /etc/squid/users即可。

同样,如果还想添加用户,则
htpasswd -cb /etc/squid/users3 john 47dcjrQH
此命令会生成users3文件。然后:
cat /etc/squid/users3 >> /etc/squid/users即可。
这样,除了 用户名:jones,密码:fx5rm31s外,你创建了另外2个账号:
用户名:doe,密码:rfrev36
用户名:john,密码:47dcjrQH

关于squid的digest认证,可参看http://briteming.blogspot.com/2012/02/squid.html一文的最后部分-squid digest authentication。
 

Anonymizing Traffic(使流量匿名化)

In order to mask your IP address from websites you visit, you will need to add the following lines to the Squid configuration file and restart the squid service:

request_header_access Via deny all
request_header_access X-Forwarded-For deny all

(把上述2行加在http_access deny all那段的上方
这样,访问http://ip-check.info页面的START TEST链接,就不会再显示你的linux vps的主机名和你本地的ip。从而保护了你的隐私。

建议在kvm vps或xen vps上,搭建本程序,这样翻墙的速度才快。我也试过搭建在openvz vps上,翻墙速度不理想,影响使用体验而且vps的内存最好在1 gb以上.
另外,如果你在使用chrome访问被封的网站时,遇到“域名无法解析”的提示,带参数--proxy-server=https://vps-ip:
30289 --ignore-certificate-errors重启chrome即可。

至此,你不必往下看了。

或者,在本地机器安装Stunnel,用stunnel做本地中转
假如浏览器(比如IE)不支持https proxy怎么办呢?这时可以请stunnel这个程序来帮忙

无需在服务器上安装stunnel)
mkdir local-stunnel-for-squid
cd local-stunnel-for-squid
进入local-stunnel-for-squid目录后,
把服务器上的public.crt和private.key文件下载到当前目录。
装完stunnel后,给它写一个简单的配置文件stunnel.conf,内容如下:
cert = ~/local-stunnel-for-squid/public.crt
key = ~/local-stunnel-for-squid/private.key
client=yes 
[https proxy]
accept = 127.0.0.1:50001
connect = vps-ip:
30289  
(上面的public.crt和private.key系从服务器下载下来的文件)
如果是Linux或Mac OS X,把上述内容以文本文件方式保存为stunnel.conf
然后启动 stunnel 程序,在命令行上执行:

stunnel ~/local-stunnel-for-squid/stunnel.conf 
测试一下:
curl -L -v  --proxy-digest -Usnnn:xxxxx -x http://localhost:50001 http://twitter.com
其中-U后面是proxy的用户名密码,以冒号分割。

然后设置本地机器的浏览器的http proxy为127.0.0.1,端口50001,浏览器即可翻墙。

配置其它第三方程序:
git
git config --global http.proxy http://snnn:xxxxxxx@localhost:50001
然后访问github就爽快多了!
maven
请参见 https://maven.apache.org/guides/mini/guide-proxies.html

related post: http://briteming.blogspot.com/2013/03/linux-vpssquidstunnel.html

-----------


Squid配置之使用帐号密码验证


1. 安装squid
使用root用户进行操作。
先使用rpm检测是否已经安装了sqlid,如>> rpm –q squid
如未安装,可使用>> yum –install squid进行安装


2. 配置squid
Squid安装后提供几个设置的地方:
/etc/squid/squid.conf:这个是主要的设置文件,所有squid所需要的设置都放在这里
/etc/squid/mime.conf:这是squid所支持的internet上的mime格式列表,一般来说不需修改
/usr/sbin/squid:squid 的主程序
/var/spool/squid:预设的squid放置缓存的地方
/usr/lib64/squid/:squid 提共的控制组件,如密码认证等


对/etc/squid/squid.conf进行配置:
只开通80端口的代理功能,把数据缓存关掉,通过密码认证方式进行使用代理,其它均不需要,设置如下:
  1. # 使用帐号密码认证方式使用代理  
  2. auth_param basic program /usr/lib64/squid/ncsa_auth /etc/squid/squid_user.txt  
  3. auth_param basic children 5   #认证程序进程数
  4. auth_param basic credentialsttl 2 hours   #认证有效时间
  5. auth_param basic realm Welcome to pycredit's proxy-only web server  
  6.   
  7. # 定义授权组  
  8. acl squid_user proxy_auth REQUIRED  
  9.   
  10. # 定义端口  
  11. acl Safe_ports port 80      # http  
  12.   
  13. # 拒绝所有非定义的端口  
  14. http_access deny !Safe_ports  
  15.   
  16. # 允许授权组  
  17. http_access allow squid_user  
  18.   
  19. # 拒绝其它所有未定义的  
  20. http_access deny all  
  21.   
  22. # Squid 端口  
  23. http_port 3128  
  24.   
  25. # 缓存设置  
  26. cache_dir ufs /var/spool/squid 100 16 256 read-only  
  27. cache_mem 0 MB  
  28. coredump_dir /var/spool/squid  

设置授权用户:
做好配置后,我们需要设置授权用户(即上面设置的密码文件):
>> htpasswd -c /etc/squid/squid_user.txt atco
此命令使用htpasswd进行密码设置生成用户atco,首次生成文件需要使用-c参数,如果无此命令则需使用指令>> yum install httpd,安装httpd。


3. 启动squid
>> /etc/init.d/squid start


4. 使用代理
Squid代理的使用方式与普通的代理使用方式一致,其端口为3128(可改),密码加密方式为base64位加密.
---------------

通过HTTPS代理翻墙


使用squid的ssl功能来对传输过程进行加密,以避免传输过程中被干扰.
##特点 1. 安全:客户端与服务器之间,通过SSL传递数据.客户端和服务器端都严格控制证书的有效性,防止中间人攻击 2. 简便:个人觉得这已经是一种很简单的,成本很低的配置方式了
##要求 1. 有个墙外的VPS 2. 有个懂得敲命令的linux玩家
##服务器配置 1. 安装squid, 一般来说直接用apt或者yum等包管理工具就能安装. 安装完成后,先看看有没有ssl(–enable-ssl)支持,如果没有ssl支持,可能需要手动编译.

[root@li384-23 ~]$ squid -v
Squid Cache: Version 3.2.5
configure options:  '--build=x86_64-unknown-linux-gnu' '--host=x86_64-unknown-linux-gnu'

'--target=x86_64-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr'

'--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' 

'--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' 

'--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib'

'--mandir=/usr/share/man' '--infodir=/usr/share/info' '--exec_prefix=/usr'

'--libexecdir=/usr/lib64/squid' '--localstatedir=/var'

'--datadir=/usr/share/squid' '--sysconfdir=/etc/squid'

'--with-logdir=$(localstatedir)/log/squid'

'--with-pidfile=$(localstatedir)/run/squid.pid'

'--disable-dependency-tracking' '--enable-arp-acl' 

'--enable-follow-x-forwarded-for' '--enable-auth' 

'--enable-basic-auth-helpers=LDAP,MSNT,NCSA,PAM,SMB,YP,getpwnam,multi-domain-NTLM,SASL,DB,POP3,squid_radius_auth'

'--enable-ntlm-auth-helpers=smb_lm,no_check,fakeauth' '--enable-digest-auth-helpers=password,ldap,eDirectory'

'--enable-negotiate-auth-helpers=squid_kerb_auth'

'--enable-external-acl-helpers=ip_user,ldap_group,session,unix_group,wbinfo_group' '--enable-cache-digests'

'--enable-cachemgr-hostname=localhost' '--enable-delay-pools' '--enable-epoll' '--enable-icap-client' 

'--enable-ident-lookups' '--enable-linux-netfilter' '--enable-referer-log' '--enable-removal-policies=heap,lru'

'--enable-snmp' '--enable-ssl' '--enable-storeio=aufs,diskd,ufs' '--enable-useragent-log' '--enable-wccpv2' 

'--enable-esi' '--with-aio' '--with-default-user=squid' '--with-filedescriptors=16384' '--with-dl' '--with-openssl'

'--with-pthreads' 'build_alias=x86_64-unknown-linux-gnu' 'host_alias=x86_64-unknown-linux-gnu' 

'target_alias=x86_64-redhat-linux-gnu'

'CFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -fpie'

'CXXFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -fpie'

'PKG_CONFIG_PATH=/usr/lib64/pkgconfig:/usr/share/pkgconfig'

    生成ca和证书,这个网上也有相关的文章,这里提供一种比较简便的方法. openvpn提供了一个easy-rsa的脚本,可以很方便地创建ssl证书,我这里就用它来创建证书:
$ yum install openvpn
$ cp /usr/share/openvpn/easy-rsa/2.0 ~/easy-rsa
$ cd ~/easy-rsa
$ source vars # 如果这一步提示缺少openssl.cnf,那么请查看下当前目录下有没有openssl-x.x.x.cnf的文件,将他重命名一下
$ ./clean-all
$ ./build-dh
$ ./build-ca
$ ./build-key-server example.com # 这里替换成你的域名,最好是用你服务器真实的域名
$ ./build-key user1 #这里替换成你的用户名,实际上问题不太大的.

    将easy-rsa/keys里面的ca.key ca.crt好好保存着,用于签发证书,将ca.crt example.com.crt example.com.key放到服务器的/etc/squid/里面,将ca.crt user1.crt user1.key放在客户端.
    修改squid的配置文件:
http_access allow all #加上这句.
#http_access deny all
# http_port 3128 #这行也注释掉,我们不需要http proxy.
https_port 5678 cert=/etc/squid/example.com.crt key=/etc/squid/example.com.key cafile=/etc/squid/ca.crt
修改完配置后,重启squid服务器

    客户端配置.
客户端可以继续使用squid,不过我觉得不用使用那么重量级的东西了,于是我选择了socat.
socat tcp-listen:1234,reuseaddr,fork openssl:example-vps.com:5678,cert=/path/to/user1.crt,key=/path/to/user1.key,cafile=/path/to/ca.crt

这样就可以运行一个127.0.0.1:1234的http代理了, 设置firefox的http代理为127.0.0.1 1234,就ok了,firefox即可翻墙。
每次启动一下,肯定很麻烦,于是我写了一个systemd的unit文件:
# /usr/lib/systemd/system/proxy.service
[Unit]
Description=OpenSSH Daemon
Wanted=network.target

[Service]
EnvironmentFile=/etc/proxy.conf
ExecStart=/usr/bin/socat tcp-listen:${listen-port},reuseaddr,fork openssl:${server},cafile=${cafile},cert=${cert},key=${key}
Restart=always

[Install]
WantedBy=multi-user.target

还有配置文件:
# /etc/proxy.conf
listen-port=1234
server=example-vps.com:5678
cafile=/path/to/ca.crt
cert=/path/to/user1.crt
key=/path/to/user1.key
------------------------------------------------------------------

 Squid3 proxy installer with username & password authentication

 
Mirrored from https://github.com/richardskumat/spi.
SPI - Squid Proxy Installer
Under testing.
Personally worked so far on:

Debian 6/7/8/9
Ubuntu 12.04/14.04/15.10/16.04 LTS
Centos 5/6/7
RHEL 7.2
Fedora 22/23

Debian 6 has been tested with Wheezy packages and squid3 worked after a reboot, but it's not recommended to use Debian 6.
Debian 6 LTS is EOL and should not be used anymore, even for personal use cases.
Debian 9 seems to install squid3 to /etc/squid instead of /etc/squid3, so it's not supported yet.
Fork of https://github.com/hidden-refuge/spi.
SPI3 has been tested on Ubuntu 14.04 via Ansible with AWS deployments and it worked fine.
##About
A Squid proxy installer with username and password authentication.
The Squid Proxy Installer (short: SPI) is a fully automated shell script to install an anonymous HTTP proxy based on Squid 3 with a username and password authentication through NCSA Auth and htpasswd. It requires no other input than your desired username and password. The default configuration listens on the default TCP port 3128 or the one you specify.
64 Bit versions of some operating systems require more than 256 MB RAM for Squid to work (this includes generally Debian and Ubuntu as a outcome of various tests in OpenVZ).
How to use:
If squid3 has issues with you, debug it with:

squid3 -k parse OR squid -k parse

You can test if the proxy works with curl(replace 123.123.123.123:3128 with your IP:PORT):

curl -4 -A "curl/7.26.3" -x username:password@123.123.123.123:3128 ifconfig.co

You can find installation and usage guides for all supported operating systems here: https://github.com/hidden-refuge/spi/wiki/Usage
How to add more users:
You can easily add more users which are allowed to access your proxy with the command below:
https://github.com/hidden-refuge/spi/wiki/User-management
Domain blacklist
You can easily block access to domains by adding them to the "blacklist.acl" file. Follow this guide: https://github.com/hidden-refuge/spi/wiki/Domain-blacklist
For help with Squid and in order to change the configuration according to your needs please consult the Squid FAQ at http://wiki.squid-cache.org/SquidFaq and the Squid wiki at http://wiki.squid-cache.org/.

from https://gitlab.com/richardskumat/spi
 ----------

Squid User management
Notes
Since htpasswd 2.2.18 passwords are stored as MD5 hashes by default in the username and password database. If you want even more secure hashing use the -B flag for htpasswd when creating users or updating their passwords. This flag will use bcrypt for hashing of the passwords. bcrypt is more secure than MD5 but only supported since htpasswd 2.4. So you will need new package sources with Apache 2.4 which includes version 2.4 of htpasswd because not all supported operating systems are shipped with Apache 2.4 by default.


Creating "passwd" file and the first user
By default SPI creates the username & password file and the first user during installation and asks you for the desired username and password. So this step is usually not necessary as it is done for you by SPI. However if you want to start over with a new and clean username and password database you need this step.
Below are the necessary commands to create a new username & password file and the first user corresponding to supported operating systems.
On CentOS 5, 6, 7 and Fedora please run the following command as root (or with sudo):
htpasswd -c /etc/squid/passwd <username>
On Debian 6, 7, 8 and Ubuntu please run the following command as root (or with sudo):
htpasswd -c /etc/squid3/passwd <username>
Replace <username> with the desired username of the first user. You will be asked to enter the password for the new user and enter it a second time to confirm it. A restart of the Squid proxy service is not necessary. New users are instantly recognized and can login straight away.
This will override all users and passwords that were created before! Do not use this if you only want to remove certain users. If you wish to delete certain users continue to "Delete authorized proxy users".

Add new authorized proxy users
Squid with username & password authentication through htpasswd and NCSA supports multiple proxy users and simultaneous login from various locations/connections.
Below are the necessary commands to add more authorized proxy users corresponding to supported operating systems.
To add new authorized proxy users on CentOS 5, 6, 7 and Fedora please run the following command as root (or with sudo):
htpasswd /etc/squid/passwd <username>
To add new authorized proxy users on Debian 6, 7, 8 and Ubuntu please run the following command as root (or with sudo):
htpasswd /etc/squid3/passwd <username>
Replace <username> with the desired username of the new authorized user. You will be asked to enter the password for the new user and enter it a second time to confirm it. A restart of the Squid proxy service is not necessary. New users are instantly recognized and can login straight away.

Change passwords of existing users
htpasswd allows not only creation of flat file username and password databases but also their update. Therefore also passwords of existing authorized proxy users can be changed/recovered by the Squid proxy administrator.
To change the password for an existing authorized proxy user simply run the commands from "Add new authorized proxy users". You will be asked to enter a new password for the username you've set in the command and to confirm it by entering the password a second time. After that the password for the selected user has been updated.
As always a restart of the Squid proxy service is not necessary. Changes are going live straight away. However current active sessions will be using the old password until they expire (usually 2 hours unless it was changed by you).

Delete authorized proxy users
If you no longer wish certain authorized users to access your proxy you can remove them from the username and password database and they won't be able to login and use your proxy ever again (unless you readd them).
Below are the commands to delete authorized proxy users from the username and password database corresponding to the supported operating systems.
To delete authorized proxy users on CentOS 5, 6, 7 and Fedora please run the following command as root (or with sudo):
htpasswd -D /etc/squid/passwd <username>
To delete authorized proxy users on Debian 6, 7, 8 and Ubuntu please run the following command as root (or with sudo):
htpasswd -D /etc/squid3/passwd <username>
Replace <username> with the username of the authorized proxy user you want to remove. A restart of the Squid proxy service is not necessary. Once the current active session (if the user is logged in during the removal) has expired (usually after 2 hours unless it was changed by you) the user will no longer be able to use the username and password to login into the proxy.

from  https://github.com/hidden-refuge/spi/wiki/User-management
---------

关于在VPS部署squid https通道的终极教程(已经彻底解决SSL编译的问题)

这里以squid4.0.4为例,平台是centos 7:

1. 编译:
wget http://www.squid-cache.org/Versions/v4/squid-4.10.tar.gz

tar xvzf squid-4.10.tar.gz
cd squid-4.10

编译之前做好基础准备,安装好openssl 和gcc等,这里就不废话了.

下面是编译的重中之重,直接决定了squid是否能真正支持SSL, 这也是我摸索了好久,今天终于摸索出来突破的成果:
./configure  '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--disable-strict-error-checking' '--exec_prefix=/usr' '--libexecdir=/usr/lib64/squid' '--localstatedir=/var' '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid' '--with-logdir=$(localstatedir)/log/squid' '--with-pidfile=$(localstatedir)/run/squid.pid' '--disable-dependency-tracking' '--enable-eui' '--enable-follow-x-forwarded-for' '--enable-auth' '--enable-auth-basic=DB,NCSA,NIS,POP3,RADIUS,SMB,getpwnam'  '--enable-auth-digest=file' '--enable-auth-negotiate=kerberos'  '--enable-cache-digests' '--enable-cachemgr-hostname=localhost' '--enable-delay-pools' '--enable-epoll' '--enable-icap-client' '--enable-ident-lookups' '--enable-linux-netfilter' '--enable-removal-policies=heap,lru' '--enable-snmp' '--enable-ssl' '--enable-ssl-crtd' '--enable-storeio=aufs,diskd,ufs' '--enable-wccpv2' '--enable-esi'   '--with-aio' '--with-default-user=squid' '--with-filedescriptors=16384' '--with-dl' '--with-openssl'

预配置完成以后,开始编译,
make
等待15-20分钟.
完成:
make install && cp src/auth/basic/NCSA/basic_ncsa_auth /usr/bin/
这里basic_ncsa_auth是实现用户认证的关键文件,后面再讲,先把squid的https通道跑通再说。

然后运行:
squid -v
Squid Cache: Version 4.0.4-20160205-r14526
Service Name: squid
configure options:  '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--disable-strict-error-checking' '--exec_prefix=/usr' '--libexecdir=/usr/lib64/squid' '--localstatedir=/var' '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid' '--with-logdir=$(localstatedir)/log/squid' '--with-pidfile=$(localstatedir)/run/squid.pid' '--disable-dependency-tracking' '--enable-eui' '--enable-follow-x-forwarded-for' '--enable-auth' '--enable-auth-basic=DB,NCSA,NIS,POP3,RADIUS,SMB,getpwnam' '--enable-auth-digest=file' '--enable-auth-negotiate=kerberos' '--enable-cache-digests' '--enable-cachemgr-hostname=localhost' '--enable-delay-pools' '--enable-epoll' '--enable-icap-client' '--enable-ident-lookups' '--enable-linux-netfilter' '--enable-removal-policies=heap,lru' '--enable-snmp' '--enable-ssl' '--enable-ssl-crtd' '--enable-storeio=aufs,diskd,ufs' '--enable-wccpv2' '--enable-esi' '--with-aio' '--with-default-user=squid' '--with-filedescriptors=16384' '--with-dl' '--with-openssl' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu'
你会发现squid确实是4.0.4了。

2. 制作证书:
cd /etc/squid/

openssl req -new -x509 -days 7777 -nodes -out vps.pem -keyout vps.pem

openssl gendh 2048 >> vps.pem

openssl x509 -subject -dates -fingerprint -in vps.pem

3. 配置 squid.conf

vi /etc/squid/squid.conf

主要做以下修改(暂时不开启用户认证):
#http_access deny all
http_access allow all

# Squid normally listens to port 3128
#http_port 127.0.0.1:3128
https_port 443 cert=/etc/squid/vps.pem key=/etc/squid/vps.pem
然后ESC :wq 存盘。

启动squid,
[root@vultr ~]# squid

查看后台进程:
[root@vultr ~]# ps -ef |grep squid
root     21537     1  0 12:02 ?        00:00:00 squid
squid    21539 21537  0 12:02 ?        00:00:01 (squid-1)
squid    21540 21539  0 12:02 ?        00:00:00 (logfile-daemon) /var/log/squid/access.log
root     22642 22621  0 12:40 pts/3    00:00:00 grep --color=auto squid

到此为止:服务端基本配置完毕。

4. 客户端配置:
客户端配置远远没有你们想象中那么简单,因为自签发的证书是通过不了chrome的CA认证的!

所以,简单的建立一个https: vpsip:443的代理,chrome是无法识别,拒绝连接的!

怎么办? 所以这里需要引入stunnel, 通过stunnel跟VPS的SSL证书握手,因为stunnel不检查CA证书,所以没有这个问题,然后把外部的https连接转换为普通的本地http代理,这样chrome就不会检查证书了,因为普通的http连接是不需要检查证书的。 下面是详细的步骤:
a. 通过winscp把上面的vps.pem证书传回本地:

b. 下载安装stunnle (https://www.stunnel.org/downloads.html)

安装以后,主要不要签发生成stunnel自带的证书:

然后把vps.pem放入stunnel的config目录,然后编辑stunnel.conf文件,把里面的内容统统删光,把下面的内容粘贴进去:
[https]
client = yes
accept  = 800
connect = VPS IP:443
cert = .\vps.pem

把你的VPS IP粘贴进去,800是本地代理监听端口,可以随便改。

启动stunnel ,
然后chrome通过swithyomega,新建一个http: 127.0.0.1:800的代理.
切换到此代理,OK! 搞定!现在已经可以用了! 至此squid的https通道已经完全搭建好了!

5. 实现squid用户认证:
因为你可能不希望什么人都可以随意的连接到你的VPS,需要更严格更安全的认证,这时候需要引入squid用户认证。

前面的编译的时候已经做了铺垫,编译生成了用户认证的关键文件: basic_ncsa_auth

下面还需要生成一个密码文件:

yum install httpd
htpasswd  /etc/squid/passwd user1
user1就是用户名
然后输入密码
New password:
Re-type new password:
记住此密码,密码文件存放在/etc/squid/passwd最后配置squid.conf文件

vi /etc/squid/squid.conf

主要做以下修改:
# And finally deny all other access to this proxy

auth_param basic program /usr/bin/basic_ncsa_auth /etc/squid/passwd
auth_param basic children 5
auth_param basic credentialsttl 2 hours
auth_param basic realm Example.com's Squid proxy-caching
acl auth_users proxy_auth REQUIRED
http_access allow auth_users

#http_access deny all
#http_access allow all

# Squid normally listens to port 3128
#http_port 127.0.0.1:3128
https_port 443 cert=/etc/squid/vps.pem key=/etc/squid/vps.pem

完成以后,
运行: ps -ef | grep squid

终止掉squid的进程:
 ps -ef |grep squid

root     21537     1  0 12:02 ?        00:00:00 squid
squid    21539 21537  0 12:02 ?        00:00:01 (squid-1)
squid    21540 21539  0 12:02 ?        00:00:00 (logfile-daemon) /var/log/squid/access.log
root     22642 22621  0 12:40 pts/3    00:00:00 grep --color=auto squid

这里运行两次kill 21539

然后重启squid
[root@vultr ~]# squid

看看后台进程:
ps -ef |grep squid

root     21537     1  0 12:02 ?        00:00:00 squid
squid    21539 21537  0 12:02 ?        00:00:02 (squid-1)
squid    21540 21539  0 12:02 ?        00:00:00 (logfile-daemon) /var/log/squid/access.log
squid    21555 21539  0 12:03 ?        00:00:00 (basic_ncsa_auth) /etc/squid/passwd
root     23148 23132  0 13:00 pts/0    00:00:00 grep --color=auto squid

这里已经多了basic_ncsa_auth的用户认证进程,说明squidd的用户认证功能已经成功实现!

至此教程全部完成! 这里面最难的其实还是自编译squid SSL支持的实现,这也是我今天的一大突破。

from https://groups.google.com/forum/#!topic/fqlt/NtG5EGZ70Ao

---------------------

架設http Proxy over TLS

HTTP Proxy 算是很好用的跳板手段,瀏覽器有很多套件可以依照各種條件自動切換到不同的 Proxy 上面。

但一般在使用 HTTP Proxy 是使用明文傳輸的,就不適合使用 Proxy-Authenticate 把帳號密碼帶進去 (出自 RFC 7235 的「Hypertext Transfer Protocol (HTTP/1.1): Authentication」),查了一些資料後發現,現在的瀏覽器基本上都支援 Proxy over TLS 了,也就是 Proxy Protocol 外面包一層 TLS,保護瀏覽器到 Proxy 中間的流量。

順便說一下,這邊講的 HTTPS Proxy 跟環境變數裡的 HTTPS_PROXY 與 https_proxy 不太一樣,這兩個環境變數是說「HTTPS 協定要走哪個 Proxy 設定」。

HTTPS Proxy 主要有幾份文件可以參考,第一份可以是 Squid 的「Feature: HTTPS (HTTP Secure or HTTP over TLS)」,裡面提到了伺服器上的設定 https_port,以及瀏覽器的支援度

第二份是認證的部份,也是 Squid 的文章「Proxy Authentication」這篇,走 ncsa 認證基本上就可以吃熟悉的 .htpasswd 格式了。

接下來就是安裝與設定了,在 Ubuntu 20.04 可以直接用 apt 裝 squid4,因為有包括了 --enable-gnutls;而在 Ubuntu 18.04 就不能這樣做了,因為 Ubuntu 裡面是 squid3,而且沒有加上 --enable-openssl 或是 --enable-gnutls,會比較麻煩...

其他基本上就是塞設定進去就可以了... 然後 Google Chrome 這邊可以裝Proxy SwitchyOmega套件,他可以設定 HTTPS Proxy 的 Profile,然後依照網域名稱來設定要用哪個 Profile。

這樣做的好處就是不需要連 VPN 改變 routing table (通常需要登入),就有類似 VPN 的效果,而且可以很細緻的調整流量要怎麼繞。

而且機器上也不需要 shell account 讓人跑 ssh -D1080 之類的指令開 Socks Proxy,要給朋友共用也比較簡單。

from https://blog.gslin.org/archives/2021/03/11/10057/%E6%9E%B6%E8%A8%AD-proxy-over-tls/

--------

Squid + GnuTLS 不支援 Intermediate Certificate 的問題

提到了我用 Squid 架 Proxy over TLS 的服務起來用,本來在家裡跑得好好的,但到了公司發現卻不能用,追蹤後發現是目前 Ubuntu 裡面包的 Squid + GnuTLS 沒有辦法支援 intermediate certificate 的問題,而且有人問過了:「[squid-users] HTTPS_PORT AND SSL CERT」。

這邊先講測試的方法,然後後面再講解法。

測試的方式可以用 openssl s_client -connect hostname:port 測,正常的情況會可以看到兩層。

在這邊的例子裡,R3 簽了 home.gslin.orgDST Root CA X3 簽了 R3,而 DST Root CA X3 則在 root certificate 名單中:

$ openssl s_client -connect home.gslin.org:443
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = home.gslin.org
verify return:1
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = home.gslin.org
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---

如果沒有送出 Intermediate Certificate 的話就會導致信任鏈無法建立,像是我故意設計的 nointermediate.gslin.com 這樣,R3 簽了 nointermediate.gslin.com,但 R3 並沒有在 root certificate 的名單中:

$ openssl s_client -connect nointermediate.gslin.com:443
CONNECTED(00000003)
depth=0 CN = nointermediate.gslin.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = nointermediate.gslin.com
verify error:num=21:unable to verify the first certificate
verify return:1
depth=0 CN = nointermediate.gslin.com
verify return:1
---
Certificate chain
 0 s:CN = nointermediate.gslin.com
   i:C = US, O = Let's Encrypt, CN = R3                                
---

而想到的解法就是重新包一份 Squid 出來用,把本來的 --with-gnutls 改成 --with-openssl

這邊會先裝 Build-Depends 裡面指定的東西,然後加裝 libssl-dev,接著換掉 --with-gnutls 後編譯,最後產生 .deb

sudo apt install -y ed libltdl-dev pkg-config build-essential cdbs debhelper dpkg-dev lsb-release dh-apparmor libcppunit-dev libcap2-dev libdb-dev libecap3-dev libexpat1-dev libgnutls28-dev libkrb5-dev comerr-dev libldap2-dev libnetfilter-conntrack-dev libpam0g-dev libsasl2-dev libxml2-dev nettle-dev libssl-dev
apt-get source squid
cd squid/squid-4.10
sed -i -e 's/--with-gnutls/--with-openssl/' debian/rules
cd ..
dpkg-buildpackage -rfakeroot -uc -b

編好的 .deb 就可以拿到其他機器上裝了,然後就可以吐出 intermediate certificate 了...