Home Server: Split Routing with Squid

For reasons everyone knows, most ISPs' international bandwidth tends to be far from ideal. It is said this can be worked around with kcp; I have no trouble with international bandwidth at the moment, so those who are interested can look into it themselves. The method in this post uses Squid for split routing: domestic traffic goes direct, foreign traffic goes through a parent proxy, and combined with polipo and ChinaDNS the result is excellent.

Since Squid's parent proxy does not yet support SOCKS5, polipo is also needed to turn the SOCKS5 proxy into an HTTP proxy. On Arch, install both with packer -S squid polipo; below I walk through my configuration files.

Both polipo and Squid have caching. Since Squid is stronger at user authentication, it is the better choice as the HTTP front end, so polipo's caching has to be disabled.

SOCKS5 to HTTP – polipo

polipo's configuration (/etc/polipo/config) is as follows:

# Sample configuration file for Polipo. -*-sh-*-
# /etc/polipo/config
# You should not need to use a configuration file; all configuration
# variables have reasonable defaults. If you want to use one, you
# can copy this to /etc/polipo/config or to ~/.polipo and modify.
# This file only contains some of the configuration variables; see the
# list given by "polipo -v" and the manual for more.
### Basic configuration
### *******************
# Uncomment one of these if you want to allow remote clients to
# connect:
proxyAddress = "::0" # both IPv4 and IPv6
# proxyAddress = "0.0.0.0" # IPv4 only
# If you do that, you'll want to restrict the set of hosts allowed to
# connect:
# allowedClients = 127.0.0.1, 134.157.168.57
# allowedClients = 127.0.0.1, 134.157.168.0/24
allowedClients = 127.0.0.1, ::1, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8
# Uncomment this if you want your Polipo to identify itself by
# something else than the host name:
# proxyName = "polipo.example.org"
# Uncomment this if there's only one user using this instance of Polipo:
# cacheIsShared = false
# Uncomment this if you want to use a parent proxy:
# parentProxy = "squid.example.org:3128"
# Uncomment this if you want to use a parent SOCKS proxy:
socksParentProxy = "localhost:8080"
socksProxyType = socks5
# Uncomment this if you want to scrub private information from the log:
# scrubLogs = true
### Memory
### ******
# Uncomment this if you want Polipo to use a ridiculously small amount
# of memory (a hundred C-64 worth or so):
# chunkHighMark = 819200
# objectHighMark = 128
# Uncomment this if you've got plenty of memory:
# chunkHighMark = 50331648
# objectHighMark = 16384
### On-disk data
### ************
# Uncomment this if you want to disable the on-disk cache:
diskCacheRoot = ""
# Uncomment this if you want to put the on-disk cache in a
# non-standard location:
# diskCacheRoot = "~/.polipo-cache/"
# Uncomment this if you want to disable the local web server:
# localDocumentRoot = ""
# Uncomment this if you want to enable the pages under /polipo/index?
# and /polipo/servers?. This is a serious privacy leak if your proxy
# is shared.
# disableIndexing = false
# disableServersList = false
### Domain Name System
### ******************
# Uncomment this if you want to contact IPv4 hosts only (and make DNS
# queries somewhat faster):
# dnsQueryIPv6 = no
# Uncomment this if you want Polipo to prefer IPv4 to IPv6 for
# double-stack hosts:
# dnsQueryIPv6 = reluctantly
# Uncomment this to disable Polipo's DNS resolver and use the system's
# default resolver instead. If you do that, Polipo will freeze during
# every DNS query:
# dnsUseGethostbyname = yes
### HTTP
### ****
# Uncomment this if you want to enable detection of proxy loops.
# This will cause your hostname (or whatever you put into proxyName
# above) to be included in every request:
# disableVia=false
# Uncomment this if you want to slightly reduce the amount of
# information that you leak about yourself:
# censoredHeaders = from, accept-language
# censorReferer = maybe
# Uncomment this if you're paranoid. This will break a lot of sites,
# though:
# censoredHeaders = set-cookie, cookie, cookie2, from, accept-language
# censorReferer = true
# Uncomment this if you want to use Poor Man's Multiplexing; increase
# the sizes if you're on a fast line. They should each amount to a few
# seconds' worth of transfer; if pmmSize is small, you'll want
# pmmFirstSize to be larger.
# Note that PMM is somewhat unreliable.
# pmmFirstSize = 16384
# pmmSize = 8192
# Uncomment this if your user-agent does something reasonable with
# Warning headers (most don't):
# relaxTransparency = maybe
# Uncomment this if you never want to revalidate instances for which
# data is available (this is not a good idea):
# relaxTransparency = yes
# Uncomment this if you have no network:
# proxyOffline = yes
# Uncomment this if you want to avoid revalidating instances with a
# Vary header (this is not a good idea):
# mindlesslyCacheVary = true
# Uncomment this if you want to add a no-transform directive to all
# outgoing requests.
# alwaysAddNoTransform = true

Here socksParentProxy = "localhost:8080" is the SOCKS5 proxy, which you can provide with ss. diskCacheRoot = "" disables polipo's caching. polipo listens on port 8123 by default; to change that, set proxyPort.

Squid

Since this Squid service may be exposed to the public Internet, besides whitelisting LAN IP addresses, all other IPs must be authenticated; I recommend the relatively safer HTTP digest auth. htdigest is part of apache-tools, installed with packer -S apache-tools. Just follow the steps described in the Squid documentation. My configuration file is as follows:
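To make the digest setup concrete, here is an added example (not code from the original post or from Squid) in Python showing what the password file behind `digest_file_auth -c` contains and how a client's Digest response is checked against it. htdigest writes lines of the form user:realm:MD5(user:realm:password); the `-c` flag tells digest_file_auth that the file holds these HA1 hashes rather than plaintext passwords. The realm baked into HA1 must match `auth_param digest realm MyRealm`, which the example checks. The user, password, nonce and URI values are constructed for the demonstration; the response computation follows RFC 2617 with qop=auth.

```python
"""Added example, not from the original post: htdigest-style HA1 lines and
RFC 2617 Digest verification as a model of Squid's digest_file_auth -c."""
import hashlib
import secrets

REALM = "MyRealm"  # must match `auth_param digest realm MyRealm` in squid.conf


def md5_hex(s: str) -> str:
    # RFC 2617 Digest is defined over MD5; this is what Squid's digest scheme uses.
    return hashlib.md5(s.encode()).hexdigest()


def htdigest_line(user: str, realm: str, password: str) -> str:
    """Same line format htdigest writes: user:realm:MD5(user:realm:password)."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    return f"{user}:{realm}:{ha1}"


def load_ha1(lines, user: str, realm: str):
    """Look up the stored HA1 for (user, realm); None if absent."""
    for line in lines:
        u, r, ha1 = line.strip().split(":")
        if u == user and r == realm:
            return ha1
    return None


def digest_response(ha1: str, method: str, uri: str, nonce: str,
                    nc: str, cnonce: str, qop: str = "auth") -> str:
    """response = MD5(HA1:nonce:nc:cnonce:qop:HA2), HA2 = MD5(method:uri)."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def client_response(user, realm, password, method, uri, nonce, nc, cnonce) -> str:
    """What a browser computes from the plaintext password and the server's challenge."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    return digest_response(ha1, method, uri, nonce, nc, cnonce)


def verify(lines, user, realm, method, uri, nonce, nc, cnonce, response) -> bool:
    """Server side: only HA1 is stored, so the plaintext password is never needed."""
    ha1 = load_ha1(lines, user, realm)
    if ha1 is None:
        return False
    expected = digest_response(ha1, method, uri, nonce, nc, cnonce)
    return secrets.compare_digest(expected, response)


if __name__ == "__main__":
    # Constructed sample user; in practice: htdigest -c /etc/squid/squid_digest_user MyRealm alice
    db = [htdigest_line("alice", REALM, "correct-horse")]
    nonce, nc, cnonce, uri = "c0ffee1234", "00000001", "0a1b2c", "http://example.com/"
    resp = client_response("alice", REALM, "correct-horse", "GET", uri, nonce, nc, cnonce)
    print(db[0])
    print("valid:", verify(db, "alice", REALM, "GET", uri, nonce, nc, cnonce, resp))
```

Because the realm is hashed into HA1, renaming the realm in squid.conf silently invalidates every existing entry in the file; regenerate the entries with htdigest rather than editing the realm column.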

#
# Recommended minimum configuration:
#
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
http_access deny to_localhost
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
# access chinaip or other
cache_peer localhost parent 8123 0 no-query default
prefer_direct off
nonhierarchical_direct off
acl chinaip dst "/etc/chnroute.txt"
always_direct allow chinaip
never_direct allow all
# not alter the X-Forwarded-For header in any way
forwarded_for transparent
follow_x_forwarded_for allow localhost
# prevent 504 proxy loop for polipo
via off
# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost
# authentication
auth_param digest program /usr/lib/squid/digest_file_auth -c /etc/squid/squid_digest_user
auth_param digest children 5
auth_param digest realm MyRealm
auth_param digest credentialsttl 2 hours
acl users proxy_auth REQUIRED
http_access deny !users
http_access allow users
# And finally deny all other access to this proxy
http_access deny all
# Squid normally listens to port 3128
http_port 3128
cache_mem 128 MB
maximum_object_size 32 MB
# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/cache/squid 100 16 256
cache_dir diskd /datacenter/cache/squid 10000 16 256
# Leave coredumps in the first cache dir
#coredump_dir /var/cache/squid
coredump_dir /datacenter/cache/squid
#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

Finally, enable the services at boot and you are done. Squid listens on port 3128 by default; on the LAN you can point a client's HTTP proxy setting at it to test.
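Before exposing port 3128, it helps to be sure how the rules above combine. The following is an added example in Python (not the post's own code and not part of Squid) that models the squid.conf from this post: the http_access chain in the order it is written, then the always_direct/never_direct split. The CIDR list is a constructed stand-in for /etc/chnroute.txt in the same one-prefix-per-line format, the client and destination addresses are constructed test values, and the `authenticated` flag stands in for the digest check Squid performs.

```python
"""Added example, not from the original post: offline model of the squid.conf
access chain and the direct-vs-parent routing decision."""
import ipaddress

# Constructed sample standing in for /etc/chnroute.txt (not the real route list).
SAMPLE_CHNROUTE = """\
# constructed sample list, one CIDR per line
1.0.1.0/24
14.0.0.0/21
"""

LOCALNET = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7", "fe80::/10")]
LOCALHOST_SRC = [ipaddress.ip_network(n) for n in ("127.0.0.1/32", "::1/128")]
LOCALHOST_DST = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "::1/128")]
SAFE_PORTS = {80, 21, 443, 70, 210, 280, 488, 591, 777} | set(range(1025, 65536))
SSL_PORTS = {443}
PARENT = "localhost:8123"  # the cache_peer in squid.conf, i.e. polipo


def load_networks(text):
    """Parse a chnroute-style list: one prefix per line, '#' comments allowed."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def in_any(ip, nets):
    addr = ipaddress.ip_address(ip)
    # ip_network.__contains__ is False across IP versions, so v6 never matches v4 lists.
    return any(addr in n for n in nets)


def http_access(client_ip, dst_ip, dst_port, method="GET", authenticated=False):
    """Walk the http_access lines in the order squid.conf lists them; first match wins."""
    if dst_port not in SAFE_PORTS:                        # http_access deny !Safe_ports
        return "deny"
    if method == "CONNECT" and dst_port not in SSL_PORTS:  # deny CONNECT !SSL_ports
        return "deny"
    if in_any(dst_ip, LOCALHOST_DST):                     # deny to_localhost
        return "deny"
    if in_any(client_ip, LOCALNET):                       # allow localnet (no auth asked)
        return "allow"
    if in_any(client_ip, LOCALHOST_SRC):                  # allow localhost
        return "allow"
    if not authenticated:                                 # deny !users
        return "deny"
    return "allow"                                        # allow users; deny all never reached


def route(dst_ip, chinaroutes):
    """always_direct allow chinaip; never_direct allow all.
    always_direct is consulted first; when it matches, never_direct is not checked."""
    if in_any(dst_ip, chinaroutes):
        return "DIRECT"
    return f"PARENT {PARENT}"


def decide(client_ip, dst_ip, dst_port, chinaroutes, method="GET", authenticated=False):
    """Combined verdict: 'deny', 'DIRECT', or 'PARENT host:port'."""
    if http_access(client_ip, dst_ip, dst_port, method, authenticated) == "deny":
        return "deny"
    return route(dst_ip, chinaroutes)


if __name__ == "__main__":
    nets = load_networks(SAMPLE_CHNROUTE)
    for case in [("192.168.1.10", "1.0.1.5", 80, "GET", False),
                 ("192.168.1.10", "198.51.100.20", 443, "CONNECT", False),
                 ("203.0.113.7", "198.51.100.20", 80, "GET", False),
                 ("203.0.113.7", "198.51.100.20", 80, "GET", True)]:
        print(case, "->", decide(case[0], case[1], case[2], nets, case[3], case[4]))
```

Two things the model makes visible: LAN clients are allowed before `deny !users` is reached, so they are never challenged for credentials, while any other source must authenticate; and the split is decided purely on the destination address that the `dst` ACL resolves, so a wrong DNS answer produces a wrong route, which is why the post pairs this setup with ChinaDNS.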

Original post: https://blog.yuanbin.me/posts/2016/07/Squid-for-home-server.html?utm_source=tuicool&utm_medium=referral
