验证身份:
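# Source addresses treated as the local network (RFC 1918, CGNAT, link-local, ULA).
acl localnet src 0.0.0.1-0.255.255.255
acl localnet src 10.0.0.0/8
acl localnet src 100.64.0.0/10
acl localnet src 169.254.0.0/16
acl localnet src 172.16.0.0/12
acl localnet src 192.168.0.0/16
acl localnet src fc00::/7
acl localnet src fe80::/10
# Destination-port ACLs. SSL_ports bounds what a CONNECT tunnel may reach;
# Safe_ports bounds every other request.
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 21
acl Safe_ports port 443
acl Safe_ports port 70
acl Safe_ports port 210
acl Safe_ports port 1025-65535
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777
# Port restrictions come first. http_access is first-match, so the original
# "http_access allow CONNECT Safe_ports" placed after "deny all" was never
# evaluated, and the port ACLs above were defined but never consulted.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
# Cache manager: localhost only.
http_access allow localhost manager
http_access deny manager
# Site-specific fragments; any http_access rules inside them take effect at this position.
include /etc/squid/conf.d/*.conf
# Basic authentication against an htpasswd file. The file must be readable by
# Squid's effective user and should not be world-readable.
auth_param basic program /usr/lib/squid/basic_ncsa_auth /usr/local/nginx/conf/.htpasswd
acl authenticated_users proxy_auth REQUIRED
# Authenticated users are allowed first.
# NOTE(review): a request carrying no credentials is expected to be answered at
# this rule with a 407 challenge rather than fall through, so the unauthenticated
# "allow localnet" below may rarely be reached -- confirm on the deployed Squid version.
http_access allow authenticated_users
http_access allow localnet
http_access allow localhost
# Everything not matched above is refused.
http_access deny all
# Listening port for plain HTTP proxy traffic.
http_port 3128
# Core dump location.
coredump_dir /var/spool/squid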
测试:
# Smoke test through the plain-HTTP proxy port, authenticating with Basic proxy auth.
curl --proxy http://192.168.88.128:3128 --proxy-user tom:123456 https://www.baidu.com
/usr/local/nginx/conf/.htpasswd 文件要用htpasswd工具生成。
# Creates the htpasswd file with user "tom" (-c creates/overwrites the file; omit -c when adding further users).
htpasswd -c /usr/local/nginx/conf/.htpasswd tom
支持SSL/TLS通信:
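# Source addresses treated as the local network (RFC 1918, CGNAT, link-local, ULA).
acl localnet src 0.0.0.1-0.255.255.255
acl localnet src 10.0.0.0/8
acl localnet src 100.64.0.0/10
acl localnet src 169.254.0.0/16
acl localnet src 172.16.0.0/12
acl localnet src 192.168.0.0/16
acl localnet src fc00::/7
acl localnet src fe80::/10
# Destination-port ACLs. SSL_ports bounds what a CONNECT tunnel may reach;
# Safe_ports bounds every other request.
acl SSL_ports port 443
acl Safe_ports port 80 # HTTP
acl Safe_ports port 21 # FTP
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # FileMaker
acl Safe_ports port 70 # Gopher
acl Safe_ports port 210 # WAIS / Z39.50
acl Safe_ports port 1025-65535 # Unregistered ports
acl Safe_ports port 443 # HTTPS
# Port restrictions come first. http_access is first-match, so the original
# "http_access allow CONNECT Safe_ports" placed after "deny all" was never
# evaluated, and the port ACLs above were defined but never consulted.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
# Cache manager: localhost only.
http_access allow localhost manager
http_access deny manager
# Site-specific fragments; any http_access rules inside them take effect at this position.
include /etc/squid/conf.d/*.conf
# Basic authentication against an htpasswd file. The file must be readable by
# Squid's effective user and should not be world-readable.
auth_param basic program /usr/lib/squid/basic_ncsa_auth /usr/local/nginx/conf/.htpasswd
acl authenticated_users proxy_auth REQUIRED
# Authenticated users are allowed first.
# NOTE(review): a request carrying no credentials is expected to be answered at
# this rule with a 407 challenge rather than fall through, so the unauthenticated
# "allow localnet" below may rarely be reached -- confirm on the deployed Squid version.
http_access allow authenticated_users
http_access allow localnet
http_access allow localhost
# Everything not matched above is refused.
http_access deny all
# Listening port for plain HTTP proxy traffic.
http_port 3128
# TLS-wrapped proxy port. Squid 4 and later spell the options tls-cert=/tls-key=
# (older releases used cert=/key=).
# NOTE(review): the ssl_bump rules below only apply to a port that carries the
# ssl-bump option, and minting certificates for bumped sites needs a CA
# certificate the clients trust plus generate-host-certificates=on and an
# sslcrtd_program; the server certificate configured here does not provide
# that -- confirm the intended mode before relying on bumping.
https_port 3129 tls-cert=/usr/local/nginx/cert/server.crt tls-key=/usr/local/nginx/cert/server.key
# SslBump: peek at the TLS ClientHello first, then bump. ssl_bump is first-match
# per step, so the original "bump all" as the first rule made the splice/peek
# rules after it unreachable and selected client-first bumping, which commits
# to the client side before the origin certificate has been seen. The original
# "splice if !SSL::is_cached" rule used a form I could not match to a Squid acl
# and was unreachable anyway; it is dropped.
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all
# Never relay origin certificates that fail validation.
sslproxy_cert_error deny all
# Core dump location (the directive is coredump_dir; the older spelling coredumpdir is gone).
coredump_dir /var/spool/squid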
使用PHP测试:curl_setopt($ch, CURLOPT_PROXYTYPE, CURLPROXY_HTTPS);
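<?php
// Smoke test: fetch one page through the Squid HTTPS proxy port (3129) using
// Basic proxy authentication, then print the raw response and the timing.
// Target page.
$page_url = "https://www.baidu.com/";
// Proxy address: the Squid instance.
$proxy = "192.168.88.128:3129"; // squid
// Proxy credentials (the htpasswd user). Hard-coded for this test script only.
$proxy_userpwd = 'tom:123456';

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $page_url);
// Proxy settings.
// The proxy presents a self-signed certificate, so verification of the proxy
// certificate and of its hostname is switched off here. That also removes the
// protection the TLS hop gives the proxy credentials against an impersonated
// proxy; supplying the proxy's certificate via CURLOPT_PROXY_CAINFO and leaving
// both checks enabled is the safer alternative.
curl_setopt($ch, CURLOPT_PROXY_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_PROXY_SSL_VERIFYHOST, false);
curl_setopt($ch, CURLOPT_PROXYTYPE, CURLPROXY_HTTPS);
curl_setopt($ch, CURLOPT_PROXY, $proxy);
curl_setopt($ch, CURLOPT_PROXYUSERPWD, $proxy_userpwd);
// Custom request headers.
$headers = array();
$headers[] = 'User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0);';
curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 30);
curl_setopt($ch, CURLOPT_TIMEOUT, 30);
curl_setopt($ch, CURLOPT_HEADER, true);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);

$result = curl_exec($ch);
$info = curl_getinfo($ch);
// Read the error state before closing; the handle is unusable after curl_close().
$errno = curl_errno($ch);
$error = curl_error($ch);
curl_close($ch);

// The original printed an empty body and the timing line even when the
// transfer failed (curl_exec() returns false). Report the failure and stop.
if ($result === false || $errno !== 0) {
    echo "curl error ({$errno}): {$error}", PHP_EOL;
    exit(1);
}
echo $result;
echo "\n\nfetch " . $info['url'] . "\ntimeuse: " . $info['total_time'] . "s\n\n";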
# Smoke test through the TLS-wrapped proxy port with Basic proxy auth.
# The proxy presents a self-signed certificate, so --proxy-insecure skips
# verifying it; pointing --proxy-cacert at the proxy's certificate instead
# keeps verification on.
curl --proxy https://192.168.88.128:3129 --proxy-user tom:123456 --proxy-insecure https://www.baidu.com