Setting up an ordinary HTTP proxy server
Someone was saying something silly like "just use an open proxy for the tests", so I warned them ("and what do you do when a man-in-the-middle siphons off all sorts of stuff?") and decided to stand up something we can actually use.
It has been a long time since I last set up an HTTP proxy. Have the conventions changed?
I suppose nginx is the usual way to do it these days.
This one is not a reverse proxy, so Pound does not seem like the right fit.
For now, let's try the traditional squid on Ubuntu on Sakura Cloud.
Installation
There are two packages, squid and squid3, but the latter is a dummy (transitional) package.
$ sudo apt-get install squid
(snip)
The following NEW packages will be installed:
  libecap3 libltdl7 squid squid-common squid-langpack ssl-cert
(snip)
It is already running right after installation.
$ sudo systemctl status squid.service
● squid.service - LSB: Squid HTTP Proxy version 3.x
   Loaded: loaded (/etc/init.d/squid; bad; vendor preset: enabled)
   Active: active (running) since Mon 2016-12-26 09:31:43 JST; 30min ago
     Docs: man:systemd-sysv-generator(8)
   CGroup: /system.slice/squid.service
           ├─5023 /usr/sbin/squid -YC -f /etc/squid/squid.conf
           ├─5027 (squid-1) -YC -f /etc/squid/squid.conf
           ├─5033 (logfile-daemon) /var/log/squid/access.log
           └─5048 (pinger)

Dec 26 09:31:43 DNSP systemd[1]: Starting LSB: Squid HTTP Proxy version 3.x...
Dec 26 09:31:43 DNSP squid[4981]:  * Starting Squid HTTP Proxy squid
Dec 26 09:31:43 DNSP squid[4981]:    ...done.
Dec 26 09:31:43 DNSP systemd[1]: Started LSB: Squid HTTP Proxy version 3.x.
Dec 26 09:31:43 DNSP squid[5023]: Squid Parent: will start 1 kids
Dec 26 09:31:43 DNSP squid[5023]: Squid Parent: (squid-1) process 5027 started
Default configuration
This is what is enabled by default.
$ sudo cat /etc/squid/squid.conf | grep -v "^#" | grep -v "^$"
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localhost
http_access deny all
http_port 3128
coredump_dir /var/spool/squid
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern (Release|Packages(.gz)*)$      0       20%     2880
refresh_pattern .               0       20%     4320
It looks like there is more ACL support than there used to be?
This is probably the place to look.
http://wiki.squid-cache.org/SquidFaq/SquidAcl
http_port is set to 3128; the default will do.
Connection test with the default configuration
Testing.
Let's test from my local terminal.
Plain access, without the proxy.
$ curl http://google.com
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>302 Moved</TITLE></HEAD><BODY>
<H1>302 Moved</H1>
The document has moved
<A HREF="http://www.google.co.jp/?gfe_rd=cr&ei=7GxgWLiCNfD98we2xbOABQ">here</A>.
</BODY></HTML>
Access through the proxy.
$ curl --proxy http://XXX.XXX.XXX.XXX:3128 http://google.com
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html><head>
<meta type="copyright" content="Copyright (C) 1996-2015 The Squid Software Foundation and contributors">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>ERROR: The requested URL could not be retrieved</title>
<style type="text/css"><!--
 /*
  * Copyright (C) 1996-2015 The Squid Software Foundation and contributors
  *
  * Squid software is distributed under GPLv2+ license and includes
  * contributions from numerous individuals and organizations.
  * Please see the COPYING and CONTRIBUTORS files for details.
  */
/*
 Stylesheet for Squid Error pages
 Adapted from design by Free CSS Templates
 http://www.freecsstemplates.org
 Released for free under a Creative Commons Attribution 2.5 License
*/
/* Page basics */
* { font-family: verdana, sans-serif; }
html body { margin: 0; padding: 0; background: #efefef; font-size: 12px; color: #1e1e1e; }
/* Page displayed title area */
#titles { margin-left: 15px; padding: 10px; padding-left: 100px; background: url('/squid-internal-static/icons/SN.png') no-repeat left; }
/* initial title */
#titles h1 { color: #000000; }
#titles h2 { color: #000000; }
/* special event: FTP success page titles */
#titles ftpsuccess { background-color:#00ff00; width:100%; }
/* Page displayed body content area */
#content { padding: 10px; background: #ffffff; }
/* General text */
p { }
/* error brief description */
#error p { }
/* some data which may have caused the problem */
#data { }
/* the error message received from the system or other software */
#sysmsg { }
pre { font-family:sans-serif; }
/* special event: FTP / Gopher directory listing */
#dirmsg { font-family: courier; color: black; font-size: 10pt; }
#dirlisting { margin-left: 2%; margin-right: 2%; }
#dirlisting tr.entry td.icon,td.filename,td.size,td.date { border-bottom: groove; }
#dirlisting td.size { width: 50px; text-align: right; padding-right: 5px; }
/* horizontal lines */
hr { margin: 0; }
/* page displayed footer area */
#footer { font-size: 9px; padding-left: 10px; }
body :lang(fa) { direction: rtl; font-size: 100%; font-family: Tahoma, Roya, sans-serif; float: right; }
:lang(he) { direction: rtl; }
--></style>
</head><body id=ERR_ACCESS_DENIED>
<div id="titles">
<h1>ERROR</h1>
<h2>The requested URL could not be retrieved</h2>
</div>
<hr>
<div id="content">
<p>The following error was encountered while trying to retrieve the URL: <a href="http://google.com/">http://google.com/</a></p>
<blockquote id="error">
<p><b>Access Denied.</b></p>
</blockquote>
<p>Access control configuration prevents your request from being allowed at this time. Please contact your service provider if you feel this is incorrect.</p>
<p>Your cache administrator is <a href="mailto:webmaster?subject=CacheErrorInfo%20-%20ERR_ACCESS_DENIED&body=CacheHost%3A%20DNSP%0D%0AErrPage%3A%20ERR_ACCESS_DENIED%0D%0AErr%3A%20%5Bnone%5D%0D%0ATimeStamp%3A%20Mon,%2026%20Dec%202016%2001%3A06%3A21%20GMT%0D%0A%0D%0AClientIP%3A%20XXX.XXX.XXX.XXX%0D%0A%0D%0AHTTP%20Request%3A%0D%0AGET%20%2F%20HTTP%2F1.1%0AUser-Agent%3A%20curl%2F7.24.0%20(x86_64-apple-darwin12.0)%20libcurl%2F7.24.0%20OpenSSL%2F0.9.8%7D%20zlib%2F1.2.5%0D%0AAccept%3A%20*%2F*%0D%0AProxy-Connection%3A%20Keep-Alive%0D%0AHost%3A%20google.com%0D%0A%0D%0A%0D%0A">webmaster</a>.</p>
<br>
</div>
<hr>
<div id="footer">
<p>Generated Mon, 26 Dec 2016 01:06:21 GMT by DNSP (squid/3.5.12)</p>
<!-- ERR_ACCESS_DENIED -->
</div>
</body></html>
Using it from outside gives an error.
So the default configuration is written so that squid does not become an open proxy.
Changing the configuration
Authentication is clunky, but the client addresses cannot be pinned down in this environment, so password authentication it is.
Authentication is handled by an external helper program.
It is installed together with squid.
Since only basic authentication is needed, basic_ncsa_auth is used.
$ sudo vi /etc/squid/squid.conf
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/.passwd
auth_param basic children 5 startup=5 idle=1
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
acl password proxy_auth REQUIRED
http_access allow password
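Squid evaluates http_access lines top to bottom and the first line whose ACLs all match decides, so the new "http_access allow password" line only takes effect if it sits above the stock "http_access deny all". To make that concrete, here is an added example (written for this page, not Squid's code and not from the original post): a toy model of that first-match evaluation run over the default rules listed earlier, with and without the authentication rule, and with the rule appended in the wrong place. The request builder, the 203.0.113.x client address and the simplified "manager" match are constructed for the example; real Squid additionally turns a denial that hinges on an unauthenticated proxy_auth ACL into a 407 challenge, which is the "Cache Access Denied" page shown further down.

```python
"""Toy model of Squid's http_access evaluation (first matching line wins).

Constructed example, not Squid source: it reproduces only enough of the ACL
semantics to show why the stock squid.conf refuses remote clients and where
the 'http_access allow password' line has to go.
"""

# Port sets from the 'acl Safe_ports' / 'acl SSL_ports' lines in the default file.
SAFE_PORTS = {80, 21, 443, 70, 210, 280, 488, 591, 777} | set(range(1025, 65536))
SSL_PORTS = {443}

# The http_access lines from the default Ubuntu squid.conf, in file order.
DEFAULT_RULES = [
    ("deny",  ["!Safe_ports"]),
    ("deny",  ["CONNECT", "!SSL_ports"]),
    ("allow", ["localhost", "manager"]),
    ("deny",  ["manager"]),
    ("allow", ["localhost"]),
    ("deny",  ["all"]),
]

# Same list with the proxy_auth rule inserted before the final 'deny all'.
AUTH_RULES = DEFAULT_RULES[:-1] + [("allow", ["password"])] + DEFAULT_RULES[-1:]

# A common mistake: appending the auth rule after 'deny all', where it is never reached.
MISORDERED_RULES = DEFAULT_RULES + [("allow", ["password"])]


def acl_matches(name, req):
    """Evaluate one named ACL (a leading '!' negates it) against a request dict."""
    negate = name.startswith("!")
    name = name.lstrip("!")
    if name == "all":
        hit = True
    elif name == "Safe_ports":
        hit = req["port"] in SAFE_PORTS
    elif name == "SSL_ports":
        hit = req["port"] in SSL_PORTS
    elif name == "CONNECT":
        hit = req["method"] == "CONNECT"
    elif name == "localhost":
        hit = req["client_ip"].startswith("127.") or req["client_ip"] == "::1"
    elif name == "manager":  # simplified: Squid matches its cache-manager URL space
        hit = req["path"].startswith("/squid-internal-mgr/")
    elif name == "password":  # 'acl password proxy_auth REQUIRED'
        hit = req.get("authenticated", False)
    else:
        raise ValueError("unknown acl " + name)
    return hit != negate


def http_access(rules, req):
    """Return 'allow' or 'deny': the first line whose ACLs all match wins.

    If no line matches, Squid applies the opposite of the last line's action.
    """
    for action, acls in rules:
        if all(acl_matches(a, req) for a in acls):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"


def request(method="GET", port=80, client_ip="203.0.113.10", path="/", authenticated=False):
    """Build a constructed request; 203.0.113.0/24 is documentation address space."""
    return {"method": method, "port": port, "client_ip": client_ip,
            "path": path, "authenticated": authenticated}


if __name__ == "__main__":
    cases = [
        ("default rules, remote client",            DEFAULT_RULES,    request()),
        ("default rules, localhost",                DEFAULT_RULES,    request(client_ip="127.0.0.1")),
        ("auth rules, remote, no credentials",      AUTH_RULES,       request()),
        ("auth rules, remote, authenticated",       AUTH_RULES,       request(authenticated=True)),
        ("auth rules, CONNECT to 443",              AUTH_RULES,       request("CONNECT", 443, authenticated=True)),
        ("auth rules, CONNECT to 80",               AUTH_RULES,       request("CONNECT", 80, authenticated=True)),
        ("auth rule appended after 'deny all'",     MISORDERED_RULES, request(authenticated=True)),
    ]
    for label, rules, req in cases:
        print(f"{label:40s} -> {http_access(rules, req)}")
```

The last case is the one worth remembering when editing squid.conf with vi: appending the two auth lines at the very end of the file leaves "deny all" in front of them, and every remote client is still refused even with valid credentials.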
htpasswd is needed to create the password file used for authentication.
$ sudo apt-get install apache2-utils
Create the password file with the user myproxy and the password mypass.
$ sudo htpasswd -c /etc/squid/.passwd myproxy
New password:
Re-type new password:
Adding password for user myproxy
$ sudo cat /etc/squid/.passwd
myproxy:$apr1$1h7QyKbH$CWtkYCcDikL/oXbm0FxVz.
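The line htpasswd wrote is Apache's APR1 MD5-crypt format: the $apr1$ prefix, an eight-character salt, a second $, then 22 characters of hash. That is what basic_ncsa_auth compares the username and password from the client's Proxy-Authorization header against. As an added example (not from the original post and not the Apache or Squid implementation), here is a pure-Python port of the apr_md5_encode() algorithm that verifies the file line shown above against the myproxy / mypass pair from the text. The htpasswd content is embedded as constructed input copied from the output above; only hashlib and hmac from the standard library are used.

```python
"""Verify an htpasswd line in Apache's $apr1$ (APR1 MD5-crypt) format.

Added example: a Python port of the apr_md5_encode() algorithm that
basic_ncsa_auth relies on, used here to check the password file line from
the post against user myproxy and password mypass.
"""
import hashlib
import hmac

# The line that 'htpasswd -c' wrote above (copied from the post's output).
HTPASSWD = "myproxy:$apr1$1h7QyKbH$CWtkYCcDikL/oXbm0FxVz.\n"

MAGIC = b"$apr1$"
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value, count):
    """Encode 'count' six-bit groups of value, least significant group first."""
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def apr1_crypt(password, salt):
    """Return the $apr1$<salt>$<hash> string for password and an (up to 8 char) salt."""
    pw = password.encode("utf-8")
    salt_b = salt[:8].encode("utf-8")

    ctx = hashlib.md5(pw + MAGIC + salt_b)
    alt = hashlib.md5(pw + salt_b + pw).digest()
    # Mix in the alternate digest, one chunk per 16 bytes of password length.
    remaining = len(pw)
    while remaining > 0:
        ctx.update(alt[:min(16, remaining)])
        remaining -= 16
    # Then one byte per bit of the password length: NUL or the first password byte.
    bits = len(pw)
    while bits:
        ctx.update(b"\0" if bits & 1 else pw[:1])
        bits >>= 1
    final = ctx.digest()

    # 1000 stretching rounds that alternate the order of the inputs.
    for i in range(1000):
        rnd = hashlib.md5()
        rnd.update(pw if i & 1 else final)
        if i % 3:
            rnd.update(salt_b)
        if i % 7:
            rnd.update(pw)
        rnd.update(final if i & 1 else pw)
        final = rnd.digest()

    # Output bytes are interleaved in the fixed order the C implementation uses.
    encoded = "".join(
        _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
        for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    ) + _to64(final[11], 2)
    return "$apr1$" + salt_b.decode("utf-8") + "$" + encoded


def verify_htpasswd(contents, user, password):
    """Check user/password against htpasswd text; only $apr1$ entries are understood."""
    for line in contents.splitlines():
        if ":" not in line:
            continue
        name, stored = line.split(":", 1)
        if name != user:
            continue
        if not stored.startswith("$apr1$"):
            return False  # other htpasswd schemes (crypt, SHA1, bcrypt) are not handled here
        salt = stored.split("$")[2]
        candidate = apr1_crypt(password, salt)
        # Constant-time comparison so a mismatch does not leak where the strings differ.
        return hmac.compare_digest(candidate, stored)
    return False


if __name__ == "__main__":
    print("myproxy/mypass:", verify_htpasswd(HTPASSWD, "myproxy", "mypass"))
    print("myproxy/wrong: ", verify_htpasswd(HTPASSWD, "myproxy", "wrong"))
```

The same function is handy for confirming that an entry in a password file really corresponds to the credential you think you deployed, without having to point a client at the proxy. Note that the scheme is salted and iterated MD5, not a modern password hash, so the file itself still needs tight permissions on the proxy host.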
Restart the service.
$ sudo systemctl restart squid.service
Connection test.
$ curl --proxy http://myproxy:mypass@XXX.XXX.XXX.XXX:3128 http://google.com
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>302 Moved</TITLE></HEAD><BODY>
<H1>302 Moved</H1>
The document has moved
<A HREF="http://www.google.co.jp/?gfe_rd=cr&ei=CnNgWMTeAe398we21bH4DA">here</A>.
</BODY></HTML>
It goes through now.
Without authentication it is rejected.
$ curl --proxy http://XXX.XXX.XXX.XXX:3128 http://google.com
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html><head>
<meta type="copyright" content="Copyright (C) 1996-2015 The Squid Software Foundation and contributors">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>ERROR: Cache Access Denied</title>
<style type="text/css"><!--
 /*
  * Copyright (C) 1996-2015 The Squid Software Foundation and contributors
  *
  * Squid software is distributed under GPLv2+ license and includes
  * contributions from numerous individuals and organizations.
  * Please see the COPYING and CONTRIBUTORS files for details.
  */
/*
 Stylesheet for Squid Error pages
 Adapted from design by Free CSS Templates
 http://www.freecsstemplates.org
 Released for free under a Creative Commons Attribution 2.5 License
*/
/* Page basics */
* { font-family: verdana, sans-serif; }
html body { margin: 0; padding: 0; background: #efefef; font-size: 12px; color: #1e1e1e; }
/* Page displayed title area */
#titles { margin-left: 15px; padding: 10px; padding-left: 100px; background: url('/squid-internal-static/icons/SN.png') no-repeat left; }
/* initial title */
#titles h1 { color: #000000; }
#titles h2 { color: #000000; }
/* special event: FTP success page titles */
#titles ftpsuccess { background-color:#00ff00; width:100%; }
/* Page displayed body content area */
#content { padding: 10px; background: #ffffff; }
/* General text */
p { }
/* error brief description */
#error p { }
/* some data which may have caused the problem */
#data { }
/* the error message received from the system or other software */
#sysmsg { }
pre { font-family:sans-serif; }
/* special event: FTP / Gopher directory listing */
#dirmsg { font-family: courier; color: black; font-size: 10pt; }
#dirlisting { margin-left: 2%; margin-right: 2%; }
#dirlisting tr.entry td.icon,td.filename,td.size,td.date { border-bottom: groove; }
#dirlisting td.size { width: 50px; text-align: right; padding-right: 5px; }
/* horizontal lines */
hr { margin: 0; }
/* page displayed footer area */
#footer { font-size: 9px; padding-left: 10px; }
body :lang(fa) { direction: rtl; font-size: 100%; font-family: Tahoma, Roya, sans-serif; float: right; }
:lang(he) { direction: rtl; }
--></style>
</head><body id=ERR_CACHE_ACCESS_DENIED>
<div id="titles">
<h1>ERROR</h1>
<h2>Cache Access Denied.</h2>
</div>
<hr>
<div id="content">
<p>The following error was encountered while trying to retrieve the URL: <a href="http://google.com/">http://google.com/</a></p>
<blockquote id="error">
<p><b>Cache Access Denied.</b></p>
</blockquote>
<p>Sorry, you are not currently allowed to request http://google.com/ from this cache until you have authenticated yourself.</p>
<p>Please contact the <a href="mailto:webmaster?subject=CacheErrorInfo%20-%20ERR_CACHE_ACCESS_DENIED&body=CacheHost%3A%20DNSP%0D%0AErrPage%3A%20ERR_CACHE_ACCESS_DENIED%0D%0AErr%3A%20%5Bnone%5D%0D%0ATimeStamp%3A%20Mon,%2026%20Dec%202016%2001%3A32%3A40%20GMT%0D%0A%0D%0AClientIP%3A%20XXX.XXX.XXX.XXX%0D%0A%0D%0AHTTP%20Request%3A%0D%0AGET%20%2F%20HTTP%2F1.1%0AUser-Agent%3A%20curl%2F7.24.0%20(x86_64-apple-darwin12.0)%20libcurl%2F7.24.0%20OpenSSL%2F0.9.8%7D%20zlib%2F1.2.5%0D%0AAccept%3A%20*%2F*%0D%0AProxy-Connection%3A%20Keep-Alive%0D%0AHost%3A%20google.com%0D%0A%0D%0A%0D%0A">cache administrator</a> if you have difficulties authenticating yourself.</p>
<br>
</div>
<hr>
<div id="footer">
<p>Generated Mon, 26 Dec 2016 01:32:40 GMT by DNSP (squid/3.5.12)</p>
<!-- ERR_CACHE_ACCESS_DENIED -->
</div>
</body></html>
It also works as a gateway to HTTPS servers.
$ curl --proxy http://myproxy:mypass@XXX.XXX.XXX.XXX:3128 https://google.com
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>302 Moved</TITLE></HEAD><BODY>
<H1>302 Moved</H1>
The document has moved
<A HREF="https://www.google.co.jp/?gfe_rd=cr&ei=K4pgWN7ZEafU8AeApYigCg">here</A>.
</BODY></HTML>
Other configuration notes (untested)
Suppress the headers that reveal information about the proxy. Not really relevant this time, so skipped.
request_header_access X-Forwarded-For deny all
request_header_access Via deny all
request_header_access Cache-Control deny all
reply_header_access X-Forwarded-For deny all
reply_header_access Via deny all
reply_header_access Cache-Control deny all
Limits on how much is kept in the cache.
By default the cache lives in memory only.
At a minimum, something like this.
maximum_object_size 4096 KB
maximum_object_size_in_memory 8 KB
cache_mem 8 MB