For reasons everyone knows, the international bandwidth of most ISPs is often far from ideal. It is said that kcp can be used to work around this; I do not currently have an international-bandwidth problem myself, so anyone interested can look into it. The method in this post uses Squid for split routing: domestic traffic goes direct, foreign traffic goes through a parent proxy, and combined with polipo and ChinaDNS the result is excellent.
Since Squid's parent-proxy support does not yet handle socks5, polipo is also needed to turn the socks5 proxy into an HTTP proxy. On Arch, `packer -S squid polipo` installs both; below I walk through my configuration files.
Since both polipo and Squid have caching, and Squid is stronger at user authentication and therefore the better choice as the HTTP front end, polipo's cache needs to be disabled.
socks5 to HTTP – polipo
The polipo configuration (/etc/polipo/config) is as follows:
```
# Sample configuration file for Polipo. -*-sh-*-
# /etc/polipo/config

# You should not need to use a configuration file; all configuration
# variables have reasonable defaults. If you want to use one, you
# can copy this to /etc/polipo/config or to ~/.polipo and modify.

# This file only contains some of the configuration variables; see the
# list given by "polipo -v" and the manual for more.

### Basic configuration
### *******************

# Uncomment one of these if you want to allow remote clients to
# connect:
proxyAddress = "::0"        # both IPv4 and IPv6
# proxyAddress = "0.0.0.0"  # IPv4 only

# If you do that, you'll want to restrict the set of hosts allowed to
# connect:
# allowedClients = 127.0.0.1, 134.157.168.57
# allowedClients = 127.0.0.1, 134.157.168.0/24
allowedClients = 127.0.0.1, ::1, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8

# Uncomment this if you want your Polipo to identify itself by
# something else than the host name:
# proxyName = "polipo.example.org"

# Uncomment this if there's only one user using this instance of Polipo:
# cacheIsShared = false

# Uncomment this if you want to use a parent proxy:
# parentProxy = "squid.example.org:3128"

# Uncomment this if you want to use a parent SOCKS proxy:
socksParentProxy = "localhost:8080"
socksProxyType = socks5

# Uncomment this if you want to scrub private information from the log:
# scrubLogs = true

### Memory
### ******

# Uncomment this if you want Polipo to use a ridiculously small amount
# of memory (a hundred C-64 worth or so):
# chunkHighMark = 819200
# objectHighMark = 128

# Uncomment this if you've got plenty of memory:
# chunkHighMark = 50331648
# objectHighMark = 16384

### On-disk data
### ************

# Uncomment this if you want to disable the on-disk cache:
diskCacheRoot = ""

# Uncomment this if you want to put the on-disk cache in a
# non-standard location:
# diskCacheRoot = "~/.polipo-cache/"

# Uncomment this if you want to disable the local web server:
# localDocumentRoot = ""

# Uncomment this if you want to enable the pages under /polipo/index?
# and /polipo/servers?. This is a serious privacy leak if your proxy
# is shared.
# disableIndexing = false
# disableServersList = false

### Domain Name System
### ******************

# Uncomment this if you want to contact IPv4 hosts only (and make DNS
# queries somewhat faster):
# dnsQueryIPv6 = no

# Uncomment this if you want Polipo to prefer IPv4 to IPv6 for
# double-stack hosts:
# dnsQueryIPv6 = reluctantly

# Uncomment this to disable Polipo's DNS resolver and use the system's
# default resolver instead. If you do that, Polipo will freeze during
# every DNS query:
# dnsUseGethostbyname = yes

### HTTP
### ****

# Uncomment this if you want to enable detection of proxy loops.
# This will cause your hostname (or whatever you put into proxyName
# above) to be included in every request:
# disableVia=false

# Uncomment this if you want to slightly reduce the amount of
# information that you leak about yourself:
# censoredHeaders = from, accept-language
# censorReferer = maybe

# Uncomment this if you're paranoid. This will break a lot of sites,
# though:
# censoredHeaders = set-cookie, cookie, cookie2, from, accept-language
# censorReferer = true

# Uncomment this if you want to use Poor Man's Multiplexing; increase
# the sizes if you're on a fast line. They should each amount to a few
# seconds' worth of transfer; if pmmSize is small, you'll want
# pmmFirstSize to be larger.
# Note that PMM is somewhat unreliable.
# pmmFirstSize = 16384
# pmmSize = 8192

# Uncomment this if your user-agent does something reasonable with
# Warning headers (most don't):
# relaxTransparency = maybe

# Uncomment this if you never want to revalidate instances for which
# data is available (this is not a good idea):
# relaxTransparency = yes

# Uncomment this if you have no network:
# proxyOffline = yes

# Uncomment this if you want to avoid revalidating instances with a
# Vary header (this is not a good idea):
# mindlesslyCacheVary = true

# Uncomment this if you want to add a no-transform directive to all
# outgoing requests.
# alwaysAddNoTransform = true
```
Here `socksParentProxy = "localhost:8080"` is the socks5 proxy, which you can provide with ss. `diskCacheRoot = ""` disables polipo's cache. polipo listens on port 8123 by default; if you need to change that, set `proxyPort`.
Squid
Since this Squid service may be reachable from the public internet, besides whitelisting LAN IPs it also needs to authenticate every other IP; the relatively safer HTTP digest auth is recommended. htdigest is part of apache-tools, installed with `packer -S apache-tools`; then just follow the steps documented for Squid. My configuration file is as follows:
```
#
# Recommended minimum configuration:
#

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# access chinaip or other
cache_peer localhost parent 8123 0 no-query default
prefer_direct off
nonhierarchical_direct off
acl chinaip dst "/etc/chnroute.txt"
always_direct allow chinaip
never_direct allow all

# not alter the X-Forwarded-For header in any way
forwarded_for transparent
follow_x_forwarded_for allow localhost

# prevent 504 proxy loop for polipo
via off

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost

# authentication
auth_param digest program /usr/lib/squid/digest_file_auth -c /etc/squid/squid_digest_user
auth_param digest children 5
auth_param digest realm MyRealm
auth_param digest credentialsttl 2 hours
acl users proxy_auth REQUIRED
http_access deny !users
http_access allow users

# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128
http_port 3128

cache_mem 128 MB
maximum_object_size 32 MB

# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/cache/squid 100 16 256
cache_dir diskd /datacenter/cache/squid 10000 16 256

# Leave coredumps in the first cache dir
#coredump_dir /var/cache/squid
coredump_dir /datacenter/cache/squid

#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320
```
- https://gist.github.com/billryan/718af2a3500bdf93a30e225d1e7dd725#file-squid-conf-L51 uses polipo as the parent proxy
- https://gist.github.com/billryan/718af2a3500bdf93a30e225d1e7dd725#file-squid-conf-L54 uses the mainland-China IPv4 list provided by ChinaDNS; this is the key to the split routing!
- https://gist.github.com/billryan/718af2a3500bdf93a30e225d1e7dd725#file-squid-conf-L60 can be combined with nghttpx so that Squid, when acting as a second-level proxy, still learns the real client IP and can authenticate on it
- https://gist.github.com/billryan/718af2a3500bdf93a30e225d1e7dd725#file-squid-conf-L63 disables Via to prevent the polipo 504 proxy loop
- https://gist.github.com/billryan/718af2a3500bdf93a30e225d1e7dd725#file-squid-conf-L72 is the information for users that must authenticate; change it to suit yourself
- https://gist.github.com/billryan/718af2a3500bdf93a30e225d1e7dd725#file-squid-conf-L92 handles the cache in a separate process to avoid blocking
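The split-routing decision referred to as "the key" above comes down to whether the destination IP falls inside one of the CIDR prefixes listed in /etc/chnroute.txt: `always_direct allow chinaip` matches first, and `never_direct allow all` sends everything else to the polipo `cache_peer`. The POSIX sh script below is an added example, not code from the original post, that reproduces that prefix match so you can check offline which path a given IPv4 destination will take. The CIDR list it writes is constructed sample data (RFC 5737 documentation prefixes), not real chnroute content, and the names `ip_to_int`, `in_cidr` and `route_for` are chosen for this example. Note that Squid's `dst` ACL resolves a hostname to addresses first; what is reproduced here is the matching step on an address.

```shell
#!/bin/sh
# Added example (not from the original post): mirrors the decision made by
#   always_direct allow chinaip
#   never_direct allow all
# for an IPv4 destination, given a chnroute-style list of CIDR prefixes.
set -e

# CONSTRUCTED sample list using RFC 5737 documentation prefixes; on a real
# host point CHNROUTE at /etc/chnroute.txt instead.
CHNROUTE="${CHNROUTE:-${TMPDIR:-/tmp}/chnroute.sample.$$}"
cat >"$CHNROUTE" <<'EOF'
# constructed sample, not real data
192.0.2.0/24
203.0.113.0/25
EOF

# ip_to_int A.B.C.D -> the address as an unsigned 32-bit integer
ip_to_int() {
  oldIFS=$IFS; IFS=.
  set -- $1
  IFS=$oldIFS
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP PREFIX[/LEN] -> exit status 0 if IP lies inside the prefix
# (a bare address without /LEN is treated as a /32 host route)
in_cidr() {
  case $2 in */*) ;; *) set -- "$1" "$2/32" ;; esac
  ip=$(ip_to_int "$1")
  net=$(ip_to_int "${2%/*}")
  len=${2#*/}
  # /0 matches everything; avoid shifting by 32 below
  if [ "$len" -eq 0 ]; then return 0; fi
  mask=$(( (4294967295 << (32 - len)) & 4294967295 ))
  [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# route_for IP -> prints "direct" if IP matches the list (always_direct),
# otherwise "peer" (never_direct -> cache_peer localhost 8123, i.e. polipo)
route_for() {
  while IFS= read -r cidr; do
    case $cidr in ''|'#'*) continue ;; esac   # skip blanks and comments
    if in_cidr "$1" "$cidr"; then echo direct; return 0; fi
  done <"$CHNROUTE"
  echo peer
}

# usage: sh split_check.sh 192.0.2.5
if [ $# -gt 0 ]; then route_for "$1"; fi
```

Run it with a destination address as the single argument; `direct` means Squid would connect itself, `peer` means the request would be handed to polipo on port 8123. Because the decision is made on the resolved address, a hostname whose DNS answer is poisoned or changes between lookups can land on the other path, which is why the post pairs this setup with ChinaDNS.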
Finally, enable both services at boot and you are done. Squid opens port 3128 by default; set the HTTP proxy on a LAN machine to it to test.
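Before a client outside the LAN can authenticate, the user file named in `auth_param digest program ... -c /etc/squid/squid_digest_user` has to exist, and the realm stored in each entry must equal `auth_param digest realm MyRealm`, otherwise the lookup fails. The POSIX sh script below is an added example and not the post's own code (htdigest from apache-tools produces the same lines): it writes entries in the `user:realm:HA1` format that `digest_file_auth -c` reads, where HA1 is MD5 of `user:realm:password` as HTTP Digest defines it. It refuses colons in user and realm because the file is colon-delimited, refuses duplicate user/realm pairs, and creates the file with mode 0600, since an HA1 value is enough to authenticate as that user. The function names `md5hex`, `digest_entry` and `add_user` are chosen for this example.

```shell
#!/bin/sh
# Added example (not from the original post): maintains the digest user file
# read by "digest_file_auth -c" in squid.conf. Line format: user:realm:HA1
set -e

REALM="MyRealm"   # must equal "auth_param digest realm" in squid.conf

# md5hex: MD5 of stdin as 32 lowercase hex characters
# (coreutils md5sum where available, openssl otherwise)
md5hex() {
  if command -v md5sum >/dev/null 2>&1; then
    md5sum | cut -d' ' -f1
  else
    openssl dgst -md5 | sed 's/^.* //'
  fi
}

# digest_entry USER PASSWORD [REALM] -> prints "user:realm:HA1"
# HA1 = MD5("user:realm:password"), the same value htdigest stores.
digest_entry() {
  user=$1; pass=$2; realm=${3:-$REALM}
  # a ':' in user or realm would be parsed as a field separator later
  case "$user$realm" in
    *:*) echo "digest_entry: ':' not allowed in user or realm" >&2; return 1 ;;
  esac
  ha1=$(printf '%s' "$user:$realm:$pass" | md5hex)
  printf '%s:%s:%s\n' "$user" "$realm" "$ha1"
}

# has_user FILE USER REALM -> exit status 0 if an entry already exists
has_user() {
  [ -f "$1" ] || return 1
  awk -F: -v u="$2" -v r="$3" '$1 == u && $2 == r { found = 1 } END { exit !found }' "$1"
}

# add_user FILE USER PASSWORD -> appends an entry; refuses duplicates
add_user() {
  file=$1
  entry=$(digest_entry "$2" "$3") || return 1
  if has_user "$file" "$2" "$REALM"; then
    echo "add_user: $2 already present in $file for realm $REALM" >&2
    return 1
  fi
  # HA1 is password-equivalent for this realm: keep the file private (0600)
  ( umask 077; printf '%s\n' "$entry" >>"$file" )
}

# usage: sh digest_user.sh /etc/squid/squid_digest_user alice
# (prompts for the password so it does not appear in the process list)
if [ $# -eq 2 ]; then
  printf 'Password for %s: ' "$2"; stty -echo; read -r pw; stty echo; echo
  add_user "$1" "$2" "$pw"
fi
```

After adding a user, run `squid -k reconfigure` (or restart the service) only if you changed squid.conf; the helper re-reads the user file itself, but a stale `credentialsttl` cache of 2 hours means a removed user can keep working until that expires.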
Original: https://blog.yuanbin.me/posts/2016/07/Squid-for-home-server.html?utm_source=tuicool&utm_medium=referral