翻墙被狗咬
Toggle Dark/Light/Auto mode Toggle Dark/Light/Auto mode Toggle Dark/Light/Auto mode Back to homepage

Squid+MySQL认证

前言:

最近准备做一个代理项目,所以需要用到 Squid 为了保证安全需要进行安全认证。但是问题来了·····

要是用本地文件做验证就太麻烦了····

91afec64e32d6bf957e441df2ab638bb

我需要借助第三方认证!然后选择了MySQL····

以下记录方便所有需要同学参考


安装Squid

# 服务器信息
[thsheep@proxy ~]$ hostnamectl
   Static hostname: proxy
         Icon name: computer-vm
           Chassis: vm
        Machine ID: 53ce105d2ff73e81b5f54777fbf6095f
           Boot ID: 0565112160324810b5fe55fa9e316593
    Virtualization: kvm
  Operating System: CentOS Linux 7 (Core)
       CPE OS Name: cpe:/o:centos:centos:7
            Kernel: Linux 3.10.0-862.14.4.el7.x86_64
      Architecture: x86-64
# 安装Squid
[thsheep@proxy ~]$ sudo yum install -y squid
# 安装MySQL认证依赖(官方带的MySQL认证插件需要这个依赖库 不然会报错)
[thsheep@proxy ~]$ sudo yum install perl-DBD-mysql

配置MySQL

创建Squid使用的数据库
mysql> create database squid;
设置权限
mysql> grant select on squid.* to 你的用户名@% identified by '你使用的密码';
建表
mysql> CREATE TABLE `passwd` (
  `user` varchar(32) NOT NULL default '',
  `password` varchar(35) NOT NULL default '',
  `enabled` tinyint(1) NOT NULL default '1',
  `fullname` varchar(60) default NULL,
  `comment` varchar(60) default NULL,
  PRIMARY KEY  (`user`)
);
插入测试数据
mysql> insert into passwd values('testuser','test',1,'Test User','for testing purpose');

测试Squid是否可以通过MySQL认证

# 注意这是在安装Squid的服务器上进行
# /usr/lib64/squid/basic_db_auth --dsn "DBI:mysql:刚刚建立的数据名字:你的服务器IP" --user proxyauth --password proxy2018 --plaintext --persist 

[thsheep@proxy ~]$ /usr/lib64/squid/basic_db_auth --dsn "DBI:mysql:squid:xx.xx.xx.xx" --user proxyauth --password proxy2018 --plaintext --persist
testuser test  # 这是刚刚建立的测试账号和密码
OK

Note: 如果输出OK 则表示正常工作

下面是Squid的完整配置文件

#
# Recommended minimum configuration:
#

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
#acl localnet src 10.0.0.0/8    # RFC1918 possible internal network
#acl localnet src 172.16.0.0/12    # RFC1918 possible internal network
#acl localnet src 192.168.0.0/16    # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80        # http
acl Safe_ports port 21        # ftp
acl Safe_ports port 443        # https
acl Safe_ports port 70        # gopher
acl Safe_ports port 210        # wais
acl Safe_ports port 1025-65535    # unregistered ports
acl Safe_ports port 280        # http-mgmt
acl Safe_ports port 488        # gss-http
acl Safe_ports port 591        # filemaker
acl Safe_ports port 777        # multiling http
acl CONNECT method CONNECT

#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
#http_access deny !Safe_ports
http_access allow !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
#http_access deny allow !SSL_ports

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager
#http_access deny !localnet
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost

# And finally deny all other access to this proxy
#http_access deny all

# Squid normally listens to port 3128
http_port 0.0.0.0:3128

# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/spool/squid 100 16 256

# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid

#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp:        1440    20%    10080
refresh_pattern ^gopher:    1440    0%    1440
refresh_pattern -i (/cgi-bin/|\?) 0    0%    0
refresh_pattern .        0    20%    4320

auth_param basic program /usr/lib64/squid/basic_db_auth --dsn "DBI:mysql:squid:替换IP" --user proxyauth --password proxy2018 --plaintext --persist
auth_param basic children 10
auth_param basic realm PleaseSignIn
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off

acl db-auth proxy_auth REQUIRED
http_access allow db-auth
http_access deny all


via off
cache deny all
forwarded_for off  /  forwarded_for delete
follow_x_forwarded_for deny all


request_header_access From deny all
request_header_access Server deny all
request_header_access WWW-Authenticate deny all
request_header_access Link deny all
request_header_access Cache-Control deny all
request_header_access Proxy-Connection deny all
request_header_access X-Cache deny all
request_header_access X-Cache-Lookup deny all
request_header_access Via deny all
request_header_access X-Forwarded-For deny all
request_header_access Pragma deny all
request_header_access Keep-Alive deny all

启动Squid

#检查配置文件 没有任何错误输出则配置文件正常
[thsheep@proxy ~]$ sudo squid -k parse
[thsheep@proxy ~]$ sudo systemctl start squid
# 是否监听在正常端口
[thsheep@proxy ~]$ netstat -nlt
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:3128            0.0.0.0:*               LISTEN

浏览器测试效果

1342129d04cd2924dd06cead4cf0a3ca

浏览器测试可以使用 SwitchyOmega 插件

代码测试效果

#!/usr/bin/python3
"""
-------------------------------------------------
   File Name:     main
   Description :
   Author :       thsheep
   date:          2018/11/27
-------------------------------------------------
   Change Activity:
                   2018/11/27:
-------------------------------------------------
"""
__author__ = 'thsheep'

import requests

if __name__ == '__main__':
    proxies = {
        "http": "http://testuser:test@xx.xxx.xxx.206:3128",
    }
    response = requests.get("http://www.net.cn/static/customercare/yourip.asp", proxies=proxies)
    response.encoding = 'gb2312'
    print(response.text)

输入出如下:

a8c0f2fe99d7e3c664c4a377b8ae43f4

以上完毕!