Deploying Squid as a proxy server on AWS


    Proxy (Squid) server configuration

    $ sudo su -
    # yum -y install squid
    # vim /etc/squid/squid.conf
    # squid -z
    # service squid start
    # chkconfig squid on
    # vi /etc/sysconfig/iptables
    # iptables-restore < /etc/sysconfig/iptables
    # service iptables restart
    # iptables -L
    
    squid.conf
    # Deny requests to certain unsafe ports
    http_access deny !Safe_ports
    
    # Deny CONNECT to other than secure SSL ports
    http_access deny CONNECT !SSL_ports
    
    # We strongly recommend the following be uncommented to protect innocent
    # web applications running on the proxy server who think the only
    # one who can access services on "localhost" is a local user
    #http_access deny to_localhost
    
    #
    # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
    #
    
    # Example rule allowing access from your local networks.
    # Adapt localnet in the ACL section to list your (internal) IP networks
    # from where browsing should be allowed
    http_access allow localnet
    http_access allow localhost
    
    # And finally deny all other access to this proxy
    #http_access deny all
    
    # Squid normally listens to port 3128
    http_port 3128
    
    # Uncomment and adjust the following to add a disk cache directory.
    #cache_dir ufs /var/spool/squid 100 16 256
    
    # Leave coredumps in the first cache dir
    coredump_dir /var/spool/squid
    
    # Add any of your own refresh_pattern entries above these.
    refresh_pattern ^ftp:           1440    20%     10080
    refresh_pattern ^gopher:        1440    0%      1440
    refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
    refresh_pattern .               0       20%     4320
    
    visible_hostname hayashier.info
    
    # NOTE: "src all" matches every client address, so as far as Squid is
    # concerned this makes the proxy usable from any source; only the iptables
    # rules and the instance's security group then limit who can reach port 3128.
    acl myacl src all
    http_access allow myacl
    http_access deny all
    
    forwarded_for off
    
    request_header_access X-Forwarded-For deny all
    request_header_access Via deny all
    request_header_access Cache-Control deny all
    
    /etc/sysconfig/iptables
    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    :FWINPUT - [0:0]
    -A INPUT -j FWINPUT
    -A FORWARD -j FWINPUT
    -A FWINPUT -i lo -j ACCEPT
    -A FWINPUT -p icmp --icmp-type any -j ACCEPT
    -A FWINPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    -A FWINPUT -p tcp -m tcp --dport 22 -s 0.0.0.0/0 -j ACCEPT
    # "-s 0.0.0.0" without a mask means the single host 0.0.0.0; 0.0.0.0/0 (any source) is intended, as on the port 22 rule
    -A FWINPUT -p tcp -m tcp --dport 3128 -s 0.0.0.0/0 -j ACCEPT
    # FWINPUT ends without a DROP/REJECT, so unmatched packets fall through to the INPUT chain's ACCEPT policy
    COMMIT
    
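Squid evaluates the http_access lines above top to bottom and the first line whose ACLs all match decides, so `acl myacl src all` followed by `http_access allow myacl` admits every source address before `deny all` is ever reached. The script below is an added example, not code from the original post: it models that decision for src-type ACLs only (port and method ACLs are skipped) and compares the post's rule set with a variant in which myacl is limited to an assumed VPC CIDR of 10.0.0.0/16. The localnet and localhost definitions in the excerpt are constructed stand-ins for those in the stock squid.conf, and the 203.0.113.9 probe address is a documentation-range value chosen for the open-proxy check.

```python
"""Added example (not from the original post): simulate Squid's http_access
decision for a client address, modelling only `acl NAME src ...` ACLs.

Squid walks http_access lines top to bottom; the first line whose ACL terms
all match decides. If no line matches, the opposite of the last line's action
applies. Lines that use ACL types other than src (port, method, ...) cannot
be evaluated here and are skipped.
"""
import ipaddress

# Constructed excerpt that follows the post's squid.conf. The localnet and
# localhost definitions are stand-ins for the ones in the stock file (assumed).
PAGE_CONF = """\
acl localnet src 192.168.0.0/16
acl localhost src 127.0.0.1/32 ::1
acl SSL_ports port 443
acl Safe_ports port 80 443
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access allow localhost
# "src all" matches every client address
acl myacl src all
http_access allow myacl
http_access deny all
"""

# Hardened variant: myacl restricted to a hypothetical VPC CIDR (assumed).
HARDENED_CONF = PAGE_CONF.replace("acl myacl src all", "acl myacl src 10.0.0.0/16")


def parse_squid_conf(text):
    """Return (acls, rules). acls: name -> list of ip_network objects for src
    ACLs; rules: ordered (action, [(negated, acl_name), ...]) per http_access."""
    # `all` is a built-in ACL matching every address in current Squid releases.
    acls = {"all": [ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")]}
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl" and len(parts) >= 4 and parts[2] == "src":
            nets = acls.setdefault(parts[1], [])
            for value in parts[3:]:
                if value == "all":
                    nets.extend(acls["all"])
                else:
                    nets.append(ipaddress.ip_network(value, strict=False))
        elif parts[0] == "http_access" and len(parts) >= 3:
            terms = [(term.startswith("!"), term.lstrip("!")) for term in parts[2:]]
            rules.append((parts[1], terms))
    return acls, rules


def client_allowed(conf_text, client_ip):
    """Return (allowed, reason) for client_ip under conf_text."""
    acls, rules = parse_squid_conf(conf_text)
    ip = ipaddress.ip_address(client_ip)
    last_action = None
    for action, terms in rules:
        last_action = action
        # Skip lines that reference ACL types this model does not evaluate.
        if not all(name in acls for _, name in terms):
            continue
        # Every term on the line must match (respecting "!" negation).
        if all(any(ip in net for net in acls[name]) != negated for negated, name in terms):
            return action == "allow", f"{action} via {' '.join(n for _, n in terms)}"
    # No line matched: Squid applies the opposite of the last line's action.
    if last_action is None:
        return True, "no http_access lines (Squid default allows)"
    return last_action == "deny", f"default (opposite of last line '{last_action}')"


def open_proxy(conf_text, probe_ip="203.0.113.9"):
    """True if a documentation-range address (never a real client) would be
    allowed through: a quick open-proxy check for a config."""
    return client_allowed(conf_text, probe_ip)[0]


if __name__ == "__main__":
    for name, conf in (("page", PAGE_CONF), ("hardened", HARDENED_CONF)):
        for client in ("35.162.193.203", "10.0.3.7", "192.168.1.5"):
            print(name, client, client_allowed(conf, client))
        print(name, "open proxy:", open_proxy(conf))
```

With the post's rules the client 35.162.193.203 seen in the access.log is allowed via myacl; with myacl narrowed to the VPC range it falls through to `deny all`, while VPC and localnet clients are still admitted.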

    Confirm from another instance that access through the proxy works.

    $ curl hayashier.com -x 52.41.123.30:3128 -vvv > /dev/null
    * Rebuilt URL to: hayashier.com/
    *   Trying 52.41.123.30...
    * TCP_NODELAY set
      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                     Dload  Upload   Total   Spent    Left  Speed
      0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0* Connected to 52.41.123.30 (52.41.123.30) port 3128 (#0)
    > GET http://hayashier.com/ HTTP/1.1
    > Host: hayashier.com
    > User-Agent: curl/7.51.0
    > Accept: */*
    > Proxy-Connection: Keep-Alive
    >
    * HTTP 1.0, assume close after body
    < HTTP/1.0 200 OK
    < Date: Tue, 04 Jul 2017 14:32:03 GMT
    < Server: Apache
    < X-Powered-By: PHP/7.0.12
    < X-Pingback: http://hayashier.com/xmlrpc.php
    < Link: <http://hayashier.com/wp-json/>; rel="https://api.w.org/", <http://wp.me/P8lnQs-2>; rel=shortlink
    < X-Frame-Options: SAMEORIGIN
    < Vary: Cookie,Accept-Encoding
    < X-Mod-Pagespeed: 1.9.32.14-0
    < Cache-Control: max-age=0, no-cache
    < Content-Length: 17392
    < Content-Type: text/html; charset=UTF-8
    < X-Cache: MISS from hayashier.info
    < X-Cache-Lookup: MISS from hayashier.info:3128
    < Via: 1.0 hayashier.info (squid/3.1.23)
    * HTTP/1.0 connection set to keep alive!
    < Connection: keep-alive
    <
    { [11790 bytes data]
    * Curl_http_done: called premature == 0
    100 17392  100 17392    0     0  38520      0 --:--:-- --:--:-- --:--:-- 38563
    * Connection #0 to host 52.41.123.30 left intact
    
    $ sudo tail -f /var/log/squid/access.log
    

    The access is recorded in the log.

    access.log
    1499178222.199    403 35.162.193.203 TCP_MISS/200 17067 GET http://hayashier.com/ - DIRECT/54.89.215.227 text/html
    1499178556.929    379 35.162.193.203 TCP_MISS/200 17009 GET http://hayashier.com/ - DIRECT/54.89.215.227 text/html
    1499178768.861    448 35.162.193.203 TCP_MISS/200 17974 GET http://hayashier.com/ - DIRECT/54.89.215.227 text/html
    
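Each access.log line above is in Squid's native format: timestamp, elapsed milliseconds, client address, result/status, bytes, method, URL, user, hierarchy/peer, content type. The parser below is an added example, not from the post: it splits those lines into fields and flags requests from clients outside the ranges the proxy is meant to serve, which is the check that matters once `acl myacl src all` is in place. The first two sample lines mirror the post's log; the third line, the 203.0.113.45 client and the 35.162.0.0/16 expected range are constructed.

```python
"""Added example (not from the original post): parse Squid's native
access.log format and flag clients outside the expected address ranges."""
import ipaddress
from collections import Counter
from datetime import datetime, timezone

# Constructed sample: the first two lines mirror the post's access.log, the
# third is an invented denied CONNECT from a documentation-range address.
SAMPLE_LOG = """\
1499178222.199    403 35.162.193.203 TCP_MISS/200 17067 GET http://hayashier.com/ - DIRECT/54.89.215.227 text/html
1499178556.929    379 35.162.193.203 TCP_MISS/200 17009 GET http://hayashier.com/ - DIRECT/54.89.215.227 text/html
1499179000.001     12 203.0.113.45 TCP_DENIED/403 3900 CONNECT example.net:25 - HIER_NONE/- text/html
"""


def parse_line(line):
    """Parse one native-format line:
    ts.ms elapsed client result/status bytes method url user hier/peer type."""
    fields = line.split()
    if len(fields) < 10:
        raise ValueError(f"unexpected field count {len(fields)}: {line!r}")
    result, _, status = fields[3].partition("/")
    hierarchy, _, peer = fields[8].partition("/")
    return {
        "time": datetime.fromtimestamp(float(fields[0]), tz=timezone.utc),
        "elapsed_ms": int(fields[1]),
        "client": ipaddress.ip_address(fields[2]),
        "result": result,          # e.g. TCP_MISS, TCP_DENIED
        "status": int(status),     # HTTP status returned to the client
        "bytes": int(fields[4]),
        "method": fields[5],
        "url": fields[6],
        "user": fields[7],         # "-" when no proxy authentication is used
        "hierarchy": hierarchy,    # DIRECT, HIER_NONE, ...
        "peer": peer,              # origin or peer address, "-" if none
        "content_type": fields[9],
    }


def audit(log_text, expected_cidrs):
    """Return (per_client, unexpected, denied): request counts per client,
    entries whose client lies outside expected_cidrs, and entries Squid
    refused (TCP_DENIED)."""
    nets = [ipaddress.ip_network(cidr) for cidr in expected_cidrs]
    entries = [parse_line(line) for line in log_text.splitlines() if line.strip()]
    per_client = Counter(str(entry["client"]) for entry in entries)
    unexpected = [e for e in entries if not any(e["client"] in net for net in nets)]
    denied = [e for e in entries if e["result"] == "TCP_DENIED"]
    return per_client, unexpected, denied


if __name__ == "__main__":
    per_client, unexpected, denied = audit(SAMPLE_LOG, ["35.162.0.0/16"])
    print("requests per client:", dict(per_client))
    for entry in unexpected:
        print("unexpected client:", entry["client"], entry["method"], entry["url"])
    print("denied requests:", len(denied))
```

Run it against the real file with `audit(open("/var/log/squid/access.log").read(), ["<your VPC CIDR>"])`; any entry in the unexpected list is a client that the http_access rules admitted but the proxy was not intended for.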

    Settings for pointing clients at the proxy server. This looks like a useful reference:
    http://tech.farend.jp/blog/2015/01/13/proxy_for_vpc/