Configuring SQUID

cd /usr/ports/www/squid
make config install clean

===> Pre-installation configuration for squid-3.5.10
o You can find the configuration files for this package in the
directory /usr/local/etc/squid.

o The default cache directory is /var/squid/cache/.
The default log directory is /var/log/squid/.

Note:
You must initialize new cache directories before you can start
squid. Do this by running "squid -z" as 'root' or 'squid'.
If your cache directories are already initialized (e.g. after an
upgrade of squid) you do not need to initialize them again.

o When using DiskD storage scheme remember to read documentation:
http://wiki.squid-cache.org/Features/DiskDaemon
and alter your kern.ipc defaults in /boot/loader.conf. DiskD will not
work reliably without this. Last recomendations were:

kern.ipc.msgmnb=8192
kern.ipc.msgssz=64
kern.ipc.msgtql=2048

o The default configuration will deny everyone but the local host and
local networks as defined in RFC 1918 for IPv4 and RFCs 4193 and
4291 for IPv6 access to the proxy service. Edit the "http_access
allow/deny" directives in /usr/local/etc/squid/squid.conf
to suit your needs.

To enable Squid, set squid_enable=yes in either
/etc/rc.conf, /etc/rc.conf.local or /etc/rc.conf.d/squid
Please see /usr/local/etc/rc.d/squid for further details.

Note:
If you just updated your Squid installation from an earlier version,
make sure to check your Squid configuration against the 3.4 default
configuration file /usr/local/etc/squid/squid.conf.sample.

/usr/local/etc/squid/squid.conf.documented is a fully annotated
configuration file you can consult for further reference.

Additionally, you should check your configuration by calling
'squid -f /path/to/squid.conf -k parse' before starting Squid.

===> SECURITY REPORT:
This port has installed the following binaries which execute with
increased privileges.
/usr/local/libexec/squid/pinger

This port has installed the following files which may act as network
servers and may therefore pose a remote security risk to the system.
/usr/local/libexec/squid/pinger
/usr/local/libexec/squid/basic_radius_auth
/usr/local/sbin/squid

This port has installed the following startup scripts which may cause
these network services to be started at boot time.
/usr/local/etc/rc.d/squid

If there are vulnerabilities in these programs there may be a security
risk to the system. FreeBSD makes no guarantee about the security of
ports included in the Ports Collection. Please type 'make deinstall'
to deinstall the port if this is a concern.

For more information, and contact details about the security
status of this software, see the following webpage:
http://www.squid-cache.org/

Add the lines to /boot/loader.conf, as the port's message suggests:

kern.ipc.msgmnb=8192
kern.ipc.msgssz=64
kern.ipc.msgtql=2048

# create the database that ssl_crtd uses for dynamically generated host certificates
# (libexec is not in PATH, so the helper is run with an explicit ./)
cd /usr/local/libexec/squid
./ssl_crtd -c -s /usr/local/etc/squid/ssl/ssl_db

# self-signed CA: the private key and the certificate are written together into squidCA.pem
# (1024-bit RSA is weak by today's standards; 2048 bits is the usual minimum)
openssl req -new -newkey rsa:1024 -days 365 -nodes -x509 -keyout squidCA.pem -out squidCA.pem

Because squidCA.pem contains the private key, make it readable only by root:
chmod 400 squidCA.pem

The post at https://habrahabr.ru/post/168515/ was a great help.

# pf.conf: redirect web traffic from the <net_users> table, except traffic to the gateway itself, to Squid's intercept ports
rdr pass on alc0 inet proto tcp from <net_users> to ! 192.168.22.1 port = http -> 127.0.0.1 port 3128
rdr pass on alc0 inet proto tcp from <net_users> to ! 192.168.22.1 port = https -> 127.0.0.1 port 3129

# squid.conf
http_port 192.168.22.1:8080
http_port 127.0.0.1:3128 intercept
# note: the openssl command above writes the key into squidCA.pem itself, not into a separate squidCA.key
https_port 127.0.0.1:3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/etc/squid/ssl/squidCA.pem key=/usr/local/etc/squid/ssl/squidCA.key version=4 cipher=TLSv1:!AES128:!CAMELLIA
always_direct allow all

#ssl_bump client-first all # - with this value the browser reports NET::ERR_CERT_COMMON_NAME_INVALID
# although even after that https://gmail.com/ still gives the same error (((  we use https://mail.google.com instead

ssl_bump server-first all
# the next two directives make Squid accept any origin certificate, including an invalid or forged one,
# so clients behind the proxy no longer get origin authentication from TLS
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
sslcrtd_program /usr/local/libexec/squid/ssl_crtd -s /usr/local/etc/squid/ssl/ssl_db -M 4MB
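The directives in this fragment that switch off origin-certificate checking are the ones a reviewer looks for first. As an added example (not from the page and not part of Squid's own tooling), the Python script below parses a squid.conf fragment like the one above, flags `sslproxy_cert_error allow all`, `sslproxy_flags DONT_VERIFY_PEER` and an unconditional `ssl_bump ... all`, and checks that the `cert=` and `key=` files named on the `https_port` line exist. The sample config is the page's fragment embedded as a constructed string; the `exists` parameter is this script's own assumption so the check can run on a host that has no Squid or certificate files at all.

```python
import os
from typing import Callable, Dict, List, Tuple

# Constructed sample: the squid.conf fragment from the page, with a comment
# line kept so the parser has something to skip.
SAMPLE_CONF = """\
http_port 192.168.22.1:8080
http_port 127.0.0.1:3128 intercept
https_port 127.0.0.1:3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/etc/squid/ssl/squidCA.pem key=/usr/local/etc/squid/ssl/squidCA.key version=4 cipher=TLSv1:!AES128:!CAMELLIA
always_direct allow all

#ssl_bump client-first all # gives NET::ERR_CERT_COMMON_NAME_INVALID
ssl_bump server-first all
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
sslcrtd_program /usr/local/libexec/squid/ssl_crtd -s /usr/local/etc/squid/ssl/ssl_db -M 4MB
"""


def parse_directives(text: str) -> List[Tuple[str, List[str]]]:
    """Split squid.conf text into (directive, arguments) pairs.

    Blank lines and '#' comments (whole-line or trailing) are dropped.
    """
    directives = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, *args = line.split()
        directives.append((name, args))
    return directives


def port_options(args: List[str]) -> Tuple[List[str], Dict[str, str]]:
    """Separate an http(s)_port argument list into bare flags and key=value options.

    args[0] is the listen address and is not an option.
    """
    flags, options = [], {}
    for arg in args[1:]:
        if "=" in arg:
            key, value = arg.split("=", 1)
            options[key] = value
        else:
            flags.append(arg)
    return flags, options


def audit(text: str, exists: Callable[[str], bool] = os.path.exists) -> List[str]:
    """Return findings for an SSL-bump squid.conf, in config order.

    `exists` is injectable (assumption of this script) so the check can run
    against a config whose certificate paths are not present on the auditing host.
    """
    findings = []
    for name, args in parse_directives(text):
        if name == "https_port" and "ssl-bump" in args:
            _, options = port_options(args)
            for opt in ("cert", "key"):
                path = options.get(opt)
                if path is not None and not exists(path):
                    findings.append(f"https_port {opt}={path}: file does not exist; squid will fail to start")
        elif name == "ssl_bump" and args and args[0] != "none" and args[-1] == "all":
            findings.append(f"ssl_bump {args[0]} all: every TLS connection is decrypted, no exclusions")
        elif name == "sslproxy_cert_error" and args[:2] == ["allow", "all"]:
            findings.append("sslproxy_cert_error allow all: certificate errors from origin servers are ignored")
        elif name == "sslproxy_flags" and any("DONT_VERIFY_PEER" in a.split(",") for a in args):
            # flags may be comma-separated, e.g. DONT_VERIFY_PEER,NO_DEFAULT_CA
            findings.append("sslproxy_flags DONT_VERIFY_PEER: origin server certificates are never verified")
    return findings


if __name__ == "__main__":
    # Constructed stand-in for the filesystem: only the .pem from the page exists.
    for finding in audit(SAMPLE_CONF, exists=lambda p: p.endswith("squidCA.pem")):
        print(finding)
```

The script does not evaluate ACLs, so an `ssl_bump` that uses a named ACL instead of `all` is left alone; the point is to surface the three settings that remove origin authentication for everything behind the proxy, plus the key/cert path mismatch that would keep Squid from starting.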