Setting up a plain HTTP proxy server

Someone was talking nonsense about using an open proxy for testing, so I pointed out "and what do you do when a man-in-the-middle siphons all sorts of things off through it?", and we ended up deciding to stand up one we can actually use.
I haven't set up an HTTP proxy in a very long time. Have the conventions changed?
These days nginx is probably the usual choice.
This one isn't a reverse proxy, so Pound doesn't fit.
For now, let's try the traditional squid, on an Ubuntu box on Sakura Cloud.

Installation

There are two package names, squid and squid3, but squid3 is only a transitional dummy package.

$ sudo apt-get install squid
(snip)
The following NEW packages will be installed:
  libecap3 libltdl7 squid squid-common squid-langpack ssl-cert
(snip)

It is already running right after installation.

$ sudo systemctl status squid.service
● squid.service - LSB: Squid HTTP Proxy version 3.x
   Loaded: loaded (/etc/init.d/squid; bad; vendor preset: enabled)
   Active: active (running) since Mon 2016-12-26 09:31:43 JST; 30min ago
     Docs: man:systemd-sysv-generator(8)
   CGroup: /system.slice/squid.service
           ├─5023 /usr/sbin/squid -YC -f /etc/squid/squid.conf
           ├─5027 (squid-1) -YC -f /etc/squid/squid.conf
           ├─5033 (logfile-daemon) /var/log/squid/access.log
           └─5048 (pinger)

Dec 26 09:31:43 DNSP systemd[1]: Starting LSB: Squid HTTP Proxy version 3.x...
Dec 26 09:31:43 DNSP squid[4981]:  * Starting Squid HTTP Proxy squid
Dec 26 09:31:43 DNSP squid[4981]:    ...done.
Dec 26 09:31:43 DNSP systemd[1]: Started LSB: Squid HTTP Proxy version 3.x.
Dec 26 09:31:43 DNSP squid[5023]: Squid Parent: will start 1 kids
Dec 26 09:31:43 DNSP squid[5023]: Squid Parent: (squid-1) process 5027 started

Default configuration

This is what is enabled by default, with comments and blank lines stripped.

$ sudo cat /etc/squid/squid.conf | grep -v "^#" | grep -v "^$"
acl SSL_ports port 443
acl Safe_ports port 80		# http
acl Safe_ports port 21		# ftp
acl Safe_ports port 443		# https
acl Safe_ports port 70		# gopher
acl Safe_ports port 210		# wais
acl Safe_ports port 1025-65535	# unregistered ports
acl Safe_ports port 280		# http-mgmt
acl Safe_ports port 488		# gss-http
acl Safe_ports port 591		# filemaker
acl Safe_ports port 777		# multiling http
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localhost
http_access deny all
http_port 3128
coredump_dir /var/spool/squid
refresh_pattern ^ftp:		1440	20%	10080
refresh_pattern ^gopher:	1440	0%	1440
refresh_pattern -i (/cgi-bin/|\?) 0	0%	0
refresh_pattern (Release|Packages(.gz)*)$      0       20%     2880
refresh_pattern .		0	20%	4320

Looks like there's more ACL-related stuff than I remember?
This is probably the place to look.
http://wiki.squid-cache.org/SquidFaq/SquidAcl
http_port is 3128; the default is fine. Note that with no address given it listens on every interface, so the box answers on 3128 from the internet and, apart from whatever firewall sits in front of it, the http_access lines above are all that keeps it from being an open proxy.

Connection test with the default configuration

Test.
Trying it from the terminal on my local machine.
First a plain request, without the proxy.

$ curl http://google.com
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>302 Moved</TITLE></HEAD><BODY>
<H1>302 Moved</H1>
The document has moved
<A HREF="http://www.google.co.jp/?gfe_rd=cr&amp;ei=7GxgWLiCNfD98we2xbOABQ">here</A>.
</BODY></HTML>

Through the proxy (XXX.XXX.XXX.XXX is the server's address).

$ curl --proxy http://XXX.XXX.XXX.XXX:3128 http://google.com
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html><head>
<meta type="copyright" content="Copyright (C) 1996-2015 The Squid Software Foundation and contributors">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>ERROR: The requested URL could not be retrieved</title>
(snip)
</head><body id=ERR_ACCESS_DENIED>
<div id="titles">
<h1>ERROR</h1>
<h2>The requested URL could not be retrieved</h2>
</div>
<hr>

<div id="content">
<p>The following error was encountered while trying to retrieve the URL: <a href="http://google.com/">http://google.com/</a></p>

<blockquote id="error">
<p><b>Access Denied.</b></p>
</blockquote>

<p>Access control configuration prevents your request from being allowed at this time. Please contact your service provider if you feel this is incorrect.</p>

<p>Your cache administrator is <a href="mailto:webmaster?subject=CacheErrorInfo%20-%20ERR_ACCESS_DENIED&amp;body=CacheHost%3A%20DNSP%0D%0AErrPage%3A%20ERR_ACCESS_DENIED%0D%0AErr%3A%20%5Bnone%5D%0D%0ATimeStamp%3A%20Mon,%2026%20Dec%202016%2001%3A06%3A21%20GMT%0D%0A%0D%0AClientIP%3A%20XXX.XXX.XXX.XXX%0D%0A%0D%0AHTTP%20Request%3A%0D%0AGET%20%2F%20HTTP%2F1.1%0AUser-Agent%3A%20curl%2F7.24.0%20(x86_64-apple-darwin12.0)%20libcurl%2F7.24.0%20OpenSSL%2F0.9.8%7D%20zlib%2F1.2.5%0D%0AAccept%3A%20*%2F*%0D%0AProxy-Connection%3A%20Keep-Alive%0D%0AHost%3A%20google.com%0D%0A%0D%0A%0D%0A">webmaster</a>.</p>
<br>
</div>

<hr>
<div id="footer">
<p>Generated Mon, 26 Dec 2016 01:06:21 GMT by DNSP (squid/3.5.12)</p>
<!-- ERR_ACCESS_DENIED -->
</div>
</body></html>

Used from outside it gives an error: the request matches none of the allow lines (only localhost is allowed) and falls through to http_access deny all, so squid returns its ERR_ACCESS_DENIED page with HTTP 403. In other words the default configuration is deliberately set up not to be an open proxy. When only the status code matters, curl's -o /dev/null -w '%{http_code}' is a lot easier to read than the error page.

Changing the configuration

Authentication is a bit lame, but since the source addresses can't be pinned down in this environment, password authentication it is.
Squid hands authentication to an external helper program, which is installed together with the package. Only Basic is needed, so basic_ncsa_auth is used. Basic sends the credentials base64-encoded, not encrypted, with every request to the proxy, so it keeps strangers out, but anyone able to sniff the path to the proxy can read the password.
The lines below go before the existing http_access deny all: squid evaluates http_access lines in order and stops at the first match, so an allow placed after deny all would never be reached.

$ sudo vi /etc/squid/squid.conf
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/.passwd
auth_param basic children 5 startup=5 idle=1
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
acl password proxy_auth REQUIRED
http_access allow password
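To see why the placement of these two lines matters, here is an added example (my code, not from the original post and not Squid's): a small evaluator of squid's http_access first-match semantics, run over the stripped config above with the auth lines inserted either before or after http_access deny all. It models only the ACL types this config uses (port, method, src for localhost, the built-in manager and all, and proxy_auth REQUIRED), and it assumes, as the unauthenticated curl test further down shows, that reaching a proxy_auth ACL without credentials makes squid stop and send a 407 challenge. The client address 203.0.113.7 is a made-up stand-in for the masked address.

```python
from dataclasses import dataclass

# Constructed input: the access-control part of the post's stripped squid.conf
# (refresh_pattern, http_port and coredump_dir play no part in http_access).
BASE_CONF = """
acl SSL_ports port 443
acl Safe_ports port 80 21 443 70 210        # same-name lines merge into one ACL
acl Safe_ports port 1025-65535 280 488 591 777
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localhost
http_access deny all
"""
# The two lines the post adds for password authentication.
AUTH_LINES = "acl password proxy_auth REQUIRED\nhttp_access allow password\n"

@dataclass
class Request:
    src: str                     # client address
    method: str                  # GET or CONNECT
    port: int                    # destination port
    manager: bool = False        # cache-manager request
    authenticated: bool = False  # carries a valid Proxy-Authorization

class NeedAuth(Exception):
    """A proxy_auth ACL was reached without credentials."""

# Squid's built-in ACLs that the post's config uses without defining them.
BUILTIN_ACLS = {"all": ("all", []), "localhost": ("src", ["127.0.0.1", "::1"]),
                "manager": ("manager", [])}

def parse(conf):
    """Collect acl definitions and http_access lines, keeping the latter in file order."""
    acls = {name: (kind, list(args)) for name, (kind, args) in BUILTIN_ACLS.items()}
    rules = []
    for raw in conf.splitlines():
        words = raw.split("#", 1)[0].split()
        if not words:
            continue
        if words[0] == "acl":
            acls.setdefault(words[1], (words[2], []))[1].extend(words[3:])
        elif words[0] == "http_access":
            rules.append((words[1], words[2:], " ".join(words)))
    return acls, rules

def port_in(args, port):
    for a in args:
        lo, _, hi = a.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def acl_matches(acls, name, req):
    kind, args = acls[name]
    if kind == "all":
        return True
    if kind == "src":          # exact match here; real squid takes CIDR ranges
        return req.src in args
    if kind == "port":
        return port_in(args, req.port)
    if kind == "method":
        return req.method in args
    if kind == "manager":
        return req.manager
    if kind == "proxy_auth":   # REQUIRED: any successfully authenticated user
        if not req.authenticated:
            raise NeedAuth()
        return True
    raise ValueError(f"acl type {kind} not modelled")

def evaluate(conf, req):
    """First http_access line whose every term matches decides: ('ALLOW'|'DENY'|'407', line)."""
    acls, rules = parse(conf)
    action = None
    for action, terms, text in rules:
        try:
            if all(acl_matches(acls, t.lstrip("!"), req) != t.startswith("!") for t in terms):
                return action.upper(), text
        except NeedAuth:
            # Assumption (matches the curl test in the post): squid stops here and answers
            # 407 with a Proxy-Authenticate challenge instead of reading further lines.
            return "407", text
    # Nothing matched: squid uses the opposite of the last line (deny if there are none).
    return ("ALLOW" if action == "deny" else "DENY"), "implicit default"

def scenarios():
    """The post's tests plus the ordering mistake, evaluated offline."""
    outside = "203.0.113.7"   # constructed stand-in for the masked client address
    auth_first = BASE_CONF.replace("http_access deny all", AUTH_LINES + "http_access deny all")
    auth_last = BASE_CONF + AUTH_LINES   # the mistake: appended after deny all
    return {
        "default, from localhost": evaluate(BASE_CONF, Request("127.0.0.1", "GET", 80)),
        "default, from outside": evaluate(BASE_CONF, Request(outside, "GET", 80)),
        "default, CONNECT to 8080": evaluate(BASE_CONF, Request(outside, "CONNECT", 8080)),
        "auth before deny all, no creds": evaluate(auth_first, Request(outside, "GET", 80)),
        "auth before deny all, creds": evaluate(auth_first, Request(outside, "GET", 80, authenticated=True)),
        "auth before deny all, CONNECT 443, creds": evaluate(auth_first, Request(outside, "CONNECT", 443, authenticated=True)),
        "auth after deny all, creds": evaluate(auth_last, Request(outside, "GET", 80, authenticated=True)),
    }

if __name__ == "__main__":
    for name, (verdict, line) in scenarios().items():
        print(f"{name:42} -> {verdict:5} by '{line}'")
```

The last scenario is the trap: with allow password appended after deny all, even a correctly authenticated client is refused by deny all, because squid never reads past the first matching line. The CONNECT-to-8080 case also shows that the stock deny CONNECT !SSL_ports line is what stops authenticated users from tunnelling to arbitrary ports.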

htpasswd is needed to create the password file for authentication; on Ubuntu it comes with apache2-utils.

$ sudo apt-get install apache2-utils

Create the password file with user myproxy and password mypass.

$ sudo htpasswd -c /etc/squid/.passwd myproxy
New password:
Re-type new password:
Adding password for user myproxy
$ sudo cat /etc/squid/.passwd
myproxy:$apr1$1h7QyKbH$CWtkYCcDikL/oXbm0FxVz.

Restart the service.

$ sudo systemctl restart squid.service

Connection test.

$ curl --proxy http://myproxy:mypass@XXX.XXX.XXX.XXX:3128 http://google.com
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>302 Moved</TITLE></HEAD><BODY>
<H1>302 Moved</H1>
The document has moved
<A HREF="http://www.google.co.jp/?gfe_rd=cr&amp;ei=CnNgWMTeAe398we21bH4DA">here</A>.
</BODY></HTML>

Now it goes through.


Without credentials it is refused. This time the page is ERR_CACHE_ACCESS_DENIED, which squid sends as HTTP 407 Proxy Authentication Required with a Proxy-Authenticate: Basic challenge; a browser or curl with credentials configured answers that challenge by resending the request with a Proxy-Authorization header.

$ curl --proxy http://XXX.XXX.XXX.XXX:3128 http://google.com
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html><head>
<meta type="copyright" content="Copyright (C) 1996-2015 The Squid Software Foundation and contributors">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>ERROR: Cache Access Denied</title>
(snip)
</head><body id=ERR_CACHE_ACCESS_DENIED>
<div id="titles">
<h1>ERROR</h1>
<h2>Cache Access Denied.</h2>
</div>
<hr>

<div id="content">
<p>The following error was encountered while trying to retrieve the URL: <a href="http://google.com/">http://google.com/</a></p>

<blockquote id="error">
<p><b>Cache Access Denied.</b></p>
</blockquote>

<p>Sorry, you are not currently allowed to request http://google.com/ from this cache until you have authenticated yourself.</p>

<p>Please contact the <a href="mailto:webmaster?subject=CacheErrorInfo%20-%20ERR_CACHE_ACCESS_DENIED&amp;body=CacheHost%3A%20DNSP%0D%0AErrPage%3A%20ERR_CACHE_ACCESS_DENIED%0D%0AErr%3A%20%5Bnone%5D%0D%0ATimeStamp%3A%20Mon,%2026%20Dec%202016%2001%3A32%3A40%20GMT%0D%0A%0D%0AClientIP%3A%20XXX.XXX.XXX.XXX%0D%0A%0D%0AHTTP%20Request%3A%0D%0AGET%20%2F%20HTTP%2F1.1%0AUser-Agent%3A%20curl%2F7.24.0%20(x86_64-apple-darwin12.0)%20libcurl%2F7.24.0%20OpenSSL%2F0.9.8%7D%20zlib%2F1.2.5%0D%0AAccept%3A%20*%2F*%0D%0AProxy-Connection%3A%20Keep-Alive%0D%0AHost%3A%20google.com%0D%0A%0D%0A%0D%0A">cache administrator</a> if you have difficulties authenticating yourself.</p>

<br>
</div>

<hr>
<div id="footer">
<p>Generated Mon, 26 Dec 2016 01:32:40 GMT by DNSP (squid/3.5.12)</p>
<!-- ERR_CACHE_ACCESS_DENIED -->
</div>
</body></html>


It also works as a gateway to HTTPS servers. For https:// the client sends CONNECT google.com:443 to the proxy, which the acl CONNECT method CONNECT and http_access deny CONNECT !SSL_ports lines above restrict to port 443; once squid replies 200 it just relays bytes, so it sees the hostname and port but not the TLS payload. The Proxy-Authorization header on the CONNECT itself still reaches the proxy in cleartext.

$ curl --proxy http://myproxy:mypass@XXX.XXX.XXX.XXX:3128 https://google.com
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>302 Moved</TITLE></HEAD><BODY>
<H1>302 Moved</H1>
The document has moved
<A HREF="https://www.google.co.jp/?gfe_rd=cr&amp;ei=K4pgWN7ZEafU8AeApYigCg">here</A>.
</BODY></HTML>
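What those curl commands actually put on the wire, as an added example (my code, not from the original post): the absolute-URI GET with Proxy-Authorization, the 407 challenge squid sends back before credentials are supplied, and the CONNECT that https:// turns into. The proxy's replies are constructed bytes modelled on the squid in this post (the realm is the one from auth_param above), so the walk-through runs offline; send_head at the bottom is the only part that talks to a real proxy. The point to take from it: Basic is base64, so the username and password are readable by anyone between the client and the proxy, on the CONNECT as well, even though the TLS payload inside the tunnel is not.

```python
import base64
import socket
import sys
from typing import Optional, Tuple

CRLF = "\r\n"

def basic_credentials(user: str, password: str) -> str:
    """RFC 7617 Basic: base64("user:password"). Encoding, not encryption."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def proxy_get_request(url: str, auth: Optional[str] = None) -> bytes:
    """What curl --proxy sends for http://: a GET with the absolute URI."""
    host = url.split("/", 3)[2]
    lines = [f"GET {url} HTTP/1.1", f"Host: {host}", "User-Agent: example/1.0"]
    if auth:
        lines.append(f"Proxy-Authorization: {auth}")
    lines.append("Proxy-Connection: Keep-Alive")
    return (CRLF.join(lines) + CRLF + CRLF).encode()

def connect_request(host: str, port: int, auth: Optional[str] = None) -> bytes:
    """What https:// through a proxy turns into; the proxy sees only host:port."""
    lines = [f"CONNECT {host}:{port} HTTP/1.1", f"Host: {host}:{port}"]
    if auth:
        lines.append(f"Proxy-Authorization: {auth}")
    return (CRLF.join(lines) + CRLF + CRLF).encode()

def parse_head(raw: bytes) -> Tuple[int, dict]:
    """Response head -> (status code, {lower-case header name: value})."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    status_line, *header_lines = head.split(CRLF)
    status = int(status_line.split(" ", 2)[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers

def challenge_realm(headers: dict) -> Optional[str]:
    """Realm from 'Proxy-Authenticate: Basic realm="..."' on a 407, else None."""
    value = headers.get("proxy-authenticate", "")
    if not value.lower().startswith("basic"):
        return None
    return value.partition("realm=")[2].strip().strip('"') or None

def credentials_on_the_wire(request: bytes) -> Optional[Tuple[str, str]]:
    """What a passive observer between client and proxy recovers from one request."""
    for line in request.decode("latin-1").split(CRLF):
        if line.lower().startswith("proxy-authorization: basic "):
            user, _, password = base64.b64decode(line.split(" ", 2)[2]).decode().partition(":")
            return user, password
    return None

# Constructed replies, modelled on the squid/3.5.12 in the post; the realm is
# the auth_param basic realm from its squid.conf.
SQUID_407 = (b"HTTP/1.1 407 Proxy Authentication Required\r\n"
             b"Server: squid/3.5.12\r\n"
             b'Proxy-Authenticate: Basic realm="Squid proxy-caching web server"\r\n'
             b"Content-Type: text/html;charset=utf-8\r\n\r\n<html>...</html>")
SQUID_TUNNEL_OK = b"HTTP/1.1 200 Connection established\r\n\r\n"
UPSTREAM_302 = b"HTTP/1.1 302 Moved\r\nLocation: http://www.google.co.jp/\r\n\r\n"

def walk_through(user: str = "myproxy", password: str = "mypass") -> dict:
    """Replay the post's three curl tests against the constructed replies."""
    # 1. no credentials: squid answers 407 (the Cache Access Denied page) with a challenge
    first = proxy_get_request("http://google.com")
    status, headers = parse_head(SQUID_407)
    # 2. retry with credentials, which anyone on the path can read straight back
    auth = basic_credentials(user, password)
    second = proxy_get_request("http://google.com", auth)
    # 3. https://: CONNECT carries the same header; TLS only starts after the 200
    tunnel = connect_request("google.com", 443, auth)
    return {
        "first_leaks": credentials_on_the_wire(first),
        "unauth_status": status,
        "realm": challenge_realm(headers),
        "second_leaks": credentials_on_the_wire(second),
        "retry_status": parse_head(UPSTREAM_302)[0],
        "connect_line": tunnel.split(b"\r\n", 1)[0].decode(),
        "connect_leaks": credentials_on_the_wire(tunnel),
        "tunnel_status": parse_head(SQUID_TUNNEL_OK)[0],
    }

def send_head(proxy_host: str, proxy_port: int, request: bytes, timeout: float = 5.0) -> bytes:
    """Live check: send a raw request to a real proxy and return its response head."""
    with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as sock:
        sock.sendall(request)
        buf = b""
        while b"\r\n\r\n" not in buf:
            chunk = sock.recv(4096)
            if not chunk:
                break
            buf += chunk
    return buf

if __name__ == "__main__":
    for key, value in walk_through().items():
        print(f"{key:14} {value}")
    if len(sys.argv) == 3:  # python3 proxy_wire.py PROXY_HOST 3128: expect 407 without creds
        head = send_head(sys.argv[1], int(sys.argv[2]), proxy_get_request("http://google.com"))
        print("live status:", parse_head(head)[0])
```

Against the proxy from this post, the live check without credentials should print 407, and the same request sent with basic_credentials() added should come back with the upstream 302. Note that curl's user:pass@host syntax also leaves the password in shell history and in the process list while curl runs.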

Other config notes (untested)

Suppress the headers that reveal the proxy. Not really relevant this time, so skipping it. (Squid 3.x also has dedicated directives for its own additions, via off and forwarded_for delete; the header_access lines below strip those headers from everything squid forwards, whoever added them.)

request_header_access X-Forwarded-For deny all
request_header_access Via deny all
request_header_access Cache-Control deny all
reply_header_access X-Forwarded-For deny all
reply_header_access Via deny all
reply_header_access Cache-Control deny all

Limits on how much is kept in cache.
With no cache_dir configured, as in the default config above, squid caches in memory only.
A bare minimum would look like this.

maximum_object_size 4096 KB
maximum_object_size_in_memory 8 KB
cache_mem 8 MB