通过ubuntu的apt-get安装的squid没有启用ssl功能,需要手动编译。
编译squid步骤如下。
apt-get install openssl libssl-dev ssl-cert
apt-get source squid
apt-get build-dep squid
apt-get install devscripts build-essential fakeroot
以安装squid3-3.5.12为例
cd squid3-3.5.12
# 修改编译选项
vi debian/rules
# 在 DEB_CONFIGURE_EXTRA_FLAGS 下添加两项
--with-openssl \
--enable-ssl-crtd \
./configure
debuild -us -uc -b
编译成功后,会在源代码目录的上一层,生成一系列.deb包,可以按需使用。
下面以安装amd64系统为例。
cd ..
apt-get install squid-langpack
dpkg -i squid-common_3.5.12-1ubuntu7.3_all.deb
dpkg -i squid_3.5.12-1ubuntu7.3_amd64.deb
如果你的服务器已经有了ssl证书,可以直接使用。
也可以自己生成一个根证书机构,给自己颁发证书,如下面例子。
自己配置的证书,即使把根证书加到信任列表,chrome也不识别。 推荐使用 Let's Encrypt 的免费证书。
# >>>>>>>>>>>>>>>>>> 根证书 <<<<<<<<<<<<<<<<<<<<<<
# 生成根证书私钥: ca.key
openssl genrsa -out ca.key 2048
# 生成自签名根证书: ca.crt
openssl req -new -key ca.key -x509 -days 3650 -out ca.crt -subj /C=CN/ST=GuangDong/O="Localhost Ltd"/CN="Localhost Root"
# >>>>>>>>>>>>>>>>>> 服务器证书 <<<<<<<<<<<<<<<<<<<<<<
# 生成服务器证书私钥: ca.key
openssl genrsa -out server.key 2048
# 生成服务器证书请求: server.csr
# example.com 要替换为服务器域名
openssl req -new -nodes -key server.key -out server.csr -subj /C=CN/ST=GuangDong/L=Guangzhou/O="Localhost Server"/CN="example.com"
# 签名服务器证书: server.crt
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt
# 证书链
cat ca.crt >> server.crt
假设存放证书路径为/cert/
修改/etc/squid/squid.conf为如下内容:
acl SSL_ports port 443
acl Safe_ports port 1-65535 # unregistered ports
acl CONNECT method CONNECT
acl HEAD method HEAD
http_access deny !Safe_ports
#http_access deny CONNECT !SSL_ports
#http_access allow localhost manager
http_access deny manager
#http_access allow localhost
http_access allow all
http_port 10250
https_port 10251 cert=/cert/server.crt key=/cert/server.key
coredump_dir /var/spool/squid3
# based on http://code.google.com/p/ghebhes/downloads/detail?name=tunning.conf&can=2&q=
#All File
refresh_pattern -i \.(3gp|7z|ace|asx|avi|bin|cab|dat|deb|rpm|divx|dvr-ms) 1440 100% 129600 reload-into-ims
refresh_pattern -i \.(rar|jar|gz|tgz|tar|bz2|iso|m1v|m2(v|p)|mo(d|v)|(x-|)flv) 1440 100% 129600 reload-into-ims
refresh_pattern -i \.(jp(e?g|e|2)|gif|pn[pg]|bm?|tiff?|ico|swf|css|js) 1440 100% 129600 reload-into-ims
refresh_pattern -i \.(mp(e?g|a|e|1|2|3|4)|mk(a|v)|ms(i|u|p)) 1440 100% 129600 reload-into-ims
refresh_pattern -i \.(og(x|v|a|g)|rar|rm|r(a|p)m|snd|vob|wav) 1440 100% 129600 reload-into-ims
refresh_pattern -i \.(pp(s|t)|wax|wm(a|v)|wmx|wpl|zip|cb(r|z|t)) 1440 100% 129600 reload-into-ims
refresh_pattern -i \.(doc|pdf)$ 1440 50% 43200 reload-into-ims
refresh_pattern -i \.(html|htm)$ 1440 50% 40320 reload-into-ims
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880
refresh_pattern . 0 20% 4320
# http options
via off
# memory cache options
cache_mem 512 MB
maximum_object_size_in_memory 256 KB
# disk cache
#cache_dir diskd /var/spool/squid3 10240 16 256
#maximum_object_size 20480 KB
# timeouts
# forward_timeout 10 seconds
# connect_timeout 10 seconds
# read_timeout 10 seconds
# write_timeout 10 seconds
# client_lifetime 59 minutes
# request_timeout 30 seconds
half_closed_clients off
#
forwarded_for delete
dns_v4_first on
ipcache_size 4096
dns_nameservers 223.5.5.5, 114.114.114.114
# error page
cache_mgr admin@example.com
visible_hostname example.com
email_err_data off
err_page_stylesheet none
systemctl restart squid.service
# example.com 替换为实际域名
curl --proxy-cacert /cert/ca.crt -x https://example.com:10251 http://baidu.com
直接设置该https代理到chrome中,会报ERR_PROXY_CERTIFICATE_INVALID错误。
需要手工把ca.crt导入到chrome的受信任根证书目录。