Home server: traffic splitting with Squid

    Technical tutorials · Dr.V

    For reasons everyone knows, most ISPs' international bandwidth is far from ideal. Reportedly this can be worked around with kcp; I am not troubled by international bandwidth at the moment, so those interested can look into it themselves. The method in this post uses Squid to split traffic: domestic destinations are reached directly, foreign ones go through a parent proxy. Combined with polipo and ChinaDNS the result is excellent.

    Since Squid's parent proxy does not yet support SOCKS5, polipo is also needed to turn the SOCKS5 proxy into an HTTP proxy. On Arch, install both with packer -S squid polipo; below I go through my configuration files.

    Both polipo and Squid can cache. Since Squid's user authentication is much stronger, it is the better choice as the HTTP front end, so polipo's cache must be disabled.

    SOCKS5 to HTTP – polipo

    The polipo configuration (/etc/polipo/config) is as follows:

    # Sample configuration file for Polipo. -*-sh-*-
    # /etc/polipo/config
    # You should not need to use a configuration file; all configuration
    # variables have reasonable defaults. If you want to use one, you
    # can copy this to /etc/polipo/config or to ~/.polipo and modify.
    # This file only contains some of the configuration variables; see the
    # list given by "polipo -v" and the manual for more.
    ### Basic configuration
    ### *******************
    # Uncomment one of these if you want to allow remote clients to
    # connect:
    proxyAddress = "::0" # both IPv4 and IPv6
    # proxyAddress = "0.0.0.0" # IPv4 only
    # If you do that, you'll want to restrict the set of hosts allowed to
    # connect:
    # allowedClients = 127.0.0.1, 134.157.168.57
    # allowedClients = 127.0.0.1, 134.157.168.0/24
    allowedClients = 127.0.0.1, ::1, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8
    # Uncomment this if you want your Polipo to identify itself by
    # something else than the host name:
    # proxyName = "polipo.example.org"
    # Uncomment this if there's only one user using this instance of Polipo:
    # cacheIsShared = false
    # Uncomment this if you want to use a parent proxy:
    # parentProxy = "squid.example.org:3128"
    # Uncomment this if you want to use a parent SOCKS proxy:
    socksParentProxy = "localhost:8080"
    socksProxyType = socks5
    # Uncomment this if you want to scrub private information from the log:
    # scrubLogs = true
    ### Memory
    ### ******
    # Uncomment this if you want Polipo to use a ridiculously small amount
    # of memory (a hundred C-64 worth or so):
    # chunkHighMark = 819200
    # objectHighMark = 128
    # Uncomment this if you've got plenty of memory:
    # chunkHighMark = 50331648
    # objectHighMark = 16384
    ### On-disk data
    ### ************
    # Uncomment this if you want to disable the on-disk cache:
    diskCacheRoot = ""
    # Uncomment this if you want to put the on-disk cache in a
    # non-standard location:
    # diskCacheRoot = "~/.polipo-cache/"
    # Uncomment this if you want to disable the local web server:
    # localDocumentRoot = ""
    # Uncomment this if you want to enable the pages under /polipo/index?
    # and /polipo/servers?. This is a serious privacy leak if your proxy
    # is shared.
    # disableIndexing = false
    # disableServersList = false
    ### Domain Name System
    ### ******************
    # Uncomment this if you want to contact IPv4 hosts only (and make DNS
    # queries somewhat faster):
    # dnsQueryIPv6 = no
    # Uncomment this if you want Polipo to prefer IPv4 to IPv6 for
    # double-stack hosts:
    # dnsQueryIPv6 = reluctantly
    # Uncomment this to disable Polipo's DNS resolver and use the system's
    # default resolver instead. If you do that, Polipo will freeze during
    # every DNS query:
    # dnsUseGethostbyname = yes
    ### HTTP
    ### ****
    # Uncomment this if you want to enable detection of proxy loops.
    # This will cause your hostname (or whatever you put into proxyName
    # above) to be included in every request:
    # disableVia=false
    # Uncomment this if you want to slightly reduce the amount of
    # information that you leak about yourself:
    # censoredHeaders = from, accept-language
    # censorReferer = maybe
    # Uncomment this if you're paranoid. This will break a lot of sites,
    # though:
    # censoredHeaders = set-cookie, cookie, cookie2, from, accept-language
    # censorReferer = true
    # Uncomment this if you want to use Poor Man's Multiplexing; increase
    # the sizes if you're on a fast line. They should each amount to a few
    # seconds' worth of transfer; if pmmSize is small, you'll want
    # pmmFirstSize to be larger.
    # Note that PMM is somewhat unreliable.
    # pmmFirstSize = 16384
    # pmmSize = 8192
    # Uncomment this if your user-agent does something reasonable with
    # Warning headers (most don't):
    # relaxTransparency = maybe
    # Uncomment this if you never want to revalidate instances for which
    # data is available (this is not a good idea):
    # relaxTransparency = yes
    # Uncomment this if you have no network:
    # proxyOffline = yes
    # Uncomment this if you want to avoid revalidating instances with a
    # Vary header (this is not a good idea):
    # mindlesslyCacheVary = true
    # Uncomment this if you want to add a no-transform directive to all
    # outgoing requests.
    # alwaysAddNoTransform = true

    Here socksParentProxy = "localhost:8080" is the SOCKS5 proxy, which you can provide with ss. diskCacheRoot = "" disables polipo's cache. polipo listens on port 8123 by default; to change that, set proxyPort.

    Squid

    Since this Squid instance may be reachable from the public Internet, besides whitelisting LAN IPs, all other IPs must be authenticated; the comparatively safer Digest HTTP auth is recommended. htdigest is in apache-tools, installed with packer -S apache-tools. Just follow the steps described on the Squid side. My configuration file is as follows:

    #
    # Recommended minimum configuration:
    #
    # Example rule allowing access from your local networks.
    # Adapt to list your (internal) IP networks from where browsing
    # should be allowed
    acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
    acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
    acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
    acl localnet src fc00::/7 # RFC 4193 local private network range
    acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
    acl SSL_ports port 443
    acl Safe_ports port 80 # http
    acl Safe_ports port 21 # ftp
    acl Safe_ports port 443 # https
    acl Safe_ports port 70 # gopher
    acl Safe_ports port 210 # wais
    acl Safe_ports port 1025-65535 # unregistered ports
    acl Safe_ports port 280 # http-mgmt
    acl Safe_ports port 488 # gss-http
    acl Safe_ports port 591 # filemaker
    acl Safe_ports port 777 # multiling http
    acl CONNECT method CONNECT
    #
    # Recommended minimum Access Permission configuration:
    #
    # Deny requests to certain unsafe ports
    http_access deny !Safe_ports
    # Deny CONNECT to other than secure SSL ports
    http_access deny CONNECT !SSL_ports
    # Only allow cachemgr access from localhost
    http_access allow localhost manager
    http_access deny manager
    # We strongly recommend the following be uncommented to protect innocent
    # web applications running on the proxy server who think the only
    # one who can access services on "localhost" is a local user
    http_access deny to_localhost
    #
    # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
    #
    # Route by destination: China IP ranges listed in /etc/chnroute.txt go direct,
    # everything else is forwarded to the polipo parent on port 8123
    cache_peer localhost parent 8123 0 no-query default
    prefer_direct off
    nonhierarchical_direct off
    acl chinaip dst "/etc/chnroute.txt"
    always_direct allow chinaip
    never_direct allow all
    # pass the X-Forwarded-For header through unaltered
    forwarded_for transparent
    follow_x_forwarded_for allow localhost
    # prevent the 504 proxy-loop error with polipo
    via off
    # Example rule allowing access from your local networks.
    # Adapt localnet in the ACL section to list your (internal) IP networks
    # from where browsing should be allowed
    http_access allow localnet
    http_access allow localhost
    # authentication
    auth_param digest program /usr/lib/squid/digest_file_auth -c /etc/squid/squid_digest_user
    auth_param digest children 5
    auth_param digest realm MyRealm
    auth_param digest credentialsttl 2 hours
    acl users proxy_auth REQUIRED
    http_access deny !users
    http_access allow users
    # And finally deny all other access to this proxy
    http_access deny all
    # Squid normally listens to port 3128
    http_port 3128
    cache_mem 128 MB
    maximum_object_size 32 MB
    # Uncomment and adjust the following to add a disk cache directory.
    #cache_dir ufs /var/cache/squid 100 16 256
    cache_dir diskd /datacenter/cache/squid 10000 16 256
    # Leave coredumps in the first cache dir
    #coredump_dir /var/cache/squid
    coredump_dir /datacenter/cache/squid
    #
    # Add any of your own refresh_pattern entries above these.
    #
    refresh_pattern ^ftp: 1440 20% 10080
    refresh_pattern ^gopher: 1440 0% 1440
    refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
    refresh_pattern . 0 20% 4320
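    Before opening port 3128 beyond the LAN it is worth checking what the rule order above actually does. The following is an added example, not part of the original post: it walks the http_access chain and the always_direct/never_direct decision in the same order as squid.conf. The CIDR list is a constructed stand-in for /etc/chnroute.txt, and the helper names are my own.

```python
import ipaddress

# ACL definitions transcribed from the squid.conf above.
LOCALNET = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7", "fe80::/10")]
LOCALHOST = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "::1/128")]
SAFE_PORTS = {80, 21, 443, 70, 210, 280, 488, 591, 777}   # plus 1025-65535, see below
SSL_PORTS = {443}
# Constructed stand-in for /etc/chnroute.txt (one CIDR per line); not real data.
CHNROUTE_SAMPLE = "1.0.1.0/24\n14.0.0.0/21\n# comments and blank lines are skipped\n\n36.0.0.0/10\n"


def load_chnroute(text):
    """Parse a chnroute-style list into ip_network objects; a malformed line raises early."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def in_any(addr, nets):
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets)   # an IPv4 address never matches an IPv6 network


def route(dst_ip, chnroute):
    """always_direct allow chinaip / never_direct allow all: DIRECT or the polipo parent.
    Squid's dst ACL resolves the request's hostname first; here we take the resolved IP."""
    return "DIRECT" if in_any(dst_ip, chnroute) else "parent localhost:8123"


def http_access(client_ip, method, port, dst_ip, authenticated):
    """Walk the http_access lines in config order and return the first rule that matches.
    The cachemgr rules are skipped: they only apply to /squid-internal-mgr/ URLs."""
    if not (port in SAFE_PORTS or 1025 <= port <= 65535):
        return "deny !Safe_ports"
    if method == "CONNECT" and port not in SSL_PORTS:
        return "deny CONNECT !SSL_ports"
    if in_any(dst_ip, LOCALHOST):
        return "deny to_localhost"
    if in_any(client_ip, LOCALNET):
        return "allow localnet"           # LAN clients never see an auth prompt
    if in_any(client_ip, LOCALHOST):
        return "allow localhost"
    if not authenticated:
        return "deny !users"              # the client gets 407 Proxy Authentication Required
    return "allow users"                  # "deny all" is never reached for these requests
```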

    Finally, enable the services at boot and you are done. Squid listens on port 3128 by default; on the LAN you can set it as the HTTP proxy to test.

    Original: https://blog.yuanbin.me/posts/2016/07/Squid-for-home-server.html?utm_source=tuicool&utm_medium=referral

    VPN信息网, all rights reserved. Unless otherwise noted, content is original and licensed under BY-NC-SA; when reposting, please credit: VPN信息网 - Home server: traffic splitting with Squid