Setting Up a Proxy with Squid
1. Background
Our company's egress IP has been on Beijing Mobile for many years, but yesterday the web version of Douyin suddenly reported our IP as "Taiyuan". We asked the ISP and they could do nothing about it, so we decided to stand up a proxy server in the company's colocated IDC rack and route traffic through it.
2. Installation
2.1 Install Squid
- Ubuntu
sudo apt update
sudo apt install squid -y
- CentOS 7
sudo yum install epel-release -y
sudo yum install squid -y
2.2 Install htpasswd
- Install
# Install the password tool
sudo apt install apache2-utils -y # Ubuntu/Debian
sudo yum install httpd-tools -y # CentOS/RHEL
- Create a user
# Create the password file (-c creates the file, truncating it if it already exists, so use it only the first time)
# proxy_user is the username being created
sudo htpasswd -c /etc/squid/passwords proxy_user
New password:
- View users
# Command
cat /etc/squid/passwords
# Output
proxy_user:$apr1$knFfRHkL$9a/v6TrAzgDUYuDUyN7bv0
normal_user:$apr1$zJAf0dcm$z/UHf8O4hWQFSDYCZHl0G/
- Delete a user
sudo htpasswd -D /etc/squid/passwords normal_user
2.3 Configure Squid
- Back up
sudo cp /etc/squid/squid.conf /etc/squid/squid.conf.bak
- Configure
#
# Recommended minimum configuration:
#

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
#### Added configuration #########################################
#acl localnet src 0.0.0.0/0 # allow access from all IPs
acl localnet src 0.0.0.0/0 # allow access from all IPs
acl localnet src 161.178.31.23/32 # allow the XX office
acl localnet src 221.207.51.17/32 # allow the xx office
#######################################################

acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
#### Added configuration ###########################################
# 1. Authentication parameters
# Note: the basic_ncsa_auth path differs by distribution: /usr/lib64/squid/ on CentOS, /usr/lib/squid/ on Ubuntu
auth_param basic program /usr/lib64/squid/basic_ncsa_auth /etc/squid/passwords
auth_param basic realm "Proxy Authentication"
auth_param basic children 5 # number of authentication helper processes
auth_param basic credentialsttl 12 hours # how long verified credentials are cached

# 2. Define the authenticated-user group
acl authenticated_users proxy_auth REQUIRED

# 3. Allow authenticated users (must come before the deny rules)
http_access allow authenticated_users
###########################################################
http_access allow localhost manager
http_access deny manager

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost

# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128
#### Changed port #####
http_port 12345
##################

# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/spool/squid 100 16 256

# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid

#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

#### Added configuration ##################################
# Disable caching (optional)
cache deny all

# DNS resolvers
dns_nameservers 211.136.17.107 211.136.20.203 223.5.5.5

# Hide the client IP (optional)
forwarded_for delete

# Anonymise the Via header
via on
forwarded_for delete

# Custom Via identifier
header_replace Via "1.1 FireWallGateway"

# Selectively drop sensitive headers
request_header_access X-Forwarded-For deny all
request_header_access Cookie deny all

# Raise connection-handling capacity
max_filedescriptors 65536 # raise the file-descriptor limit (ulimit must also be raised at the system level)
workers 12 # start multiple worker processes (Squid 4+ supports multi-core)

# Connection reuse and timeout control
client_persistent_connections on # enable persistent client connections
server_persistent_connections on # enable persistent server connections
persistent_request_timeout 30 seconds # shorten the persistent-connection timeout
connect_timeout 15 seconds # fail connections faster

# Turn off non-essential logging
cache_access_log none # disable the access log (greatly reduces disk I/O)
cache_store_log none # disable the store log
debug_options ALL,0 # disable debug logging
#################################################
- Verify
# Run this; the output should contain no ERROR
squid -k parse
# Reload the configuration
squid -k reconfigure
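`squid -k parse` only checks syntax. The policy in the config above deserves a second check: with `0.0.0.0/0` in localnet, `http_access allow localnet` matches every client on the internet, and only the earlier `allow authenticated_users` line (which makes Squid answer 407 to unauthenticated requests) keeps the proxy from being open. The lint below is an added example, not code from the post or from Squid; SAMPLE_CONF is a constructed excerpt of the config above, and `parse`/`lint` are hypothetical helpers.

```python
# Constructed excerpt of the squid.conf above: same rule order, comments removed.
SAMPLE_CONF = """
acl localnet src 10.0.0.0/8
acl localnet src 0.0.0.0/0
acl authenticated_users proxy_auth REQUIRED
http_access allow authenticated_users
http_access allow localhost manager
http_access allow localnet
http_access allow localhost
http_access deny all
cache_access_log none
"""

ANY_SRC = {"0.0.0.0/0", "0/0", "all", "::/0"}  # src values that match every client

def parse(conf):
    """Return ({acl: (type, values)}, [(action, terms)], {directive: args})."""
    acls, rules, directives = {}, [], {}
    for raw in conf.splitlines():
        parts = raw.split("#", 1)[0].split()  # Squid treats '#' as a comment
        if not parts:
            continue
        if parts[0] == "acl" and len(parts) >= 4:
            acls.setdefault(parts[1], (parts[2], []))[1].extend(parts[3:])
        elif parts[0] == "http_access" and len(parts) >= 3:
            rules.append((parts[1], parts[2:]))
        else:
            directives[parts[0]] = parts[1:]
    return acls, rules, directives

def lint(conf):
    """Return policy findings that `squid -k parse` (a syntax check) cannot raise."""
    acls, rules, directives = parse(conf)
    findings = []
    any_src = {n for n, (kind, vals) in acls.items() if kind == "src" and ANY_SRC & set(vals)}
    auth_seen = False  # an earlier allow line consisting only of proxy_auth ACLs
    for action, terms in rules:
        kinds = [acls.get(t.lstrip("!"), ("?", []))[0] for t in terms]
        if action == "allow" and all(k == "proxy_auth" for k in kinds):
            auth_seen = True  # Squid answers 407 here, so later allows only see authenticated clients
        if action == "allow" and any_src & {t for t in terms if not t.startswith("!")}:
            level = "latent open proxy" if auth_seen else "OPEN PROXY"
            findings.append(f"{level}: 'http_access allow {' '.join(terms)}' matches every source IP")
    if not rules or rules[-1] != ("deny", ["all"]):
        findings.append("http_access list does not end with 'deny all'")
    for name in ("access_log", "cache_access_log"):  # access_log is the Squid 3+ spelling
        if directives.get(name) == ["none"]:
            findings.append(f"{name} none: no audit trail for abuse or incident investigation")
    return findings
```

Run it against the live file with `lint(open("/etc/squid/squid.conf").read())`; removing the `0.0.0.0/0` line and re-enabling the access log clears both findings for the sample.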
2.4 Start Squid
systemctl start squid && systemctl enable squid
systemctl status squid
● squid.service - Squid caching proxy
   Loaded: loaded (/usr/lib/systemd/system/squid.service; enabled; vendor preset: disabled)
   Active: active (running) since 五 2025-08-01 18:41:20 CST; 2h 10min ago
 Main PID: 1858 (squid)
   CGroup: /system.slice/squid.service
           ├─1858 /usr/sbin/squid -f /etc/squid/squid.conf
           ├─1860 (squid-coord-13) -f /etc/squid/squid.conf
           ├─1861 (squid-12) -f /etc/squid/squid.conf
           ├─1862 (squid-11) -f /etc/squid/squid.conf
           ├─1863 (squid-10) -f /etc/squid/squid.conf
           ├─1864 (squid-9) -f /etc/squid/squid.conf
           ├─1865 (squid-8) -f /etc/squid/squid.conf
           ├─1866 (squid-7) -f /etc/squid/squid.conf
           ├─1867 (squid-6) -f /etc/squid/squid.conf
           ├─1868 (squid-5) -f /etc/squid/squid.conf
           ├─1869 (squid-4) -f /etc/squid/squid.conf
           ├─1870 (squid-3) -f /etc/squid/squid.conf
           ├─1871 (squid-2) -f /etc/squid/squid.conf
           ├─1872 (squid-1) -f /etc/squid/squid.conf
           ├─2217 (basic_ncsa_auth) /etc/squid/passwords
           ├─2218 (basic_ncsa_auth) /etc/squid/passwords
           ├─2219 (basic_ncsa_auth) /etc/squid/passwords
           ├─2220 (basic_ncsa_auth) /etc/squid/passwords
           ├─2221 (basic_ncsa_auth) /etc/squid/passwords
           ├─2222 (basic_ncsa_auth) /etc/squid/passwords
           ├─2223 (basic_ncsa_auth) /etc/squid/passwords
           ├─2224 (basic_ncsa_auth) /etc/squid/passwords
           ├─2225 (basic_ncsa_auth) /etc/squid/passwords
           ├─2226 (basic_ncsa_auth) /etc/squid/passwords
           ├─2227 (basic_ncsa_auth) /etc/squid/passwords
           └─2236 (basic_ncsa_auth) /etc/squid/passwords
3. Testing
- Configure the proxy on the client
- Verify in the browser