Installing Squid on an EC2 instance (Amazon Linux AMI)

Note: Amazon Linux 2 is now recommended in place of the Amazon Linux AMI, so keep that in mind. The service and chkconfig commands below are for the SysV init of the original Amazon Linux AMI; on Amazon Linux 2 the equivalent is systemctl enable squid followed by systemctl start squid.

Proxy (Squid) server setup

$ sudo su -
# yum -y install squid
# vim /etc/squid/squid.conf          # edit the ACLs and header rules as shown below
# squid -z                           # create the cache/swap directories
# service squid start
# chkconfig squid on
# vi /etc/sysconfig/iptables         # add the rules shown below
# iptables-restore < /etc/sysconfig/iptables
# service iptables restart
# iptables -L

squid.conf

# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on localhost is a local user
#http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost

# And finally deny all other access to this proxy
#http_access deny all

# Squid normally listens to port 3128
http_port 3128

# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/spool/squid 100 16 256

# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid

# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320

visible_hostname hayashier.info

# "src all" matches every client address, and this allow comes before the
# final deny, so anyone who can reach TCP/3128 can use the proxy (an open
# proxy). Narrow it to the CIDR of the client instances (for example the
# VPC range) and keep the security group equally tight.
acl myacl src all
http_access allow myacl
http_access deny all

# Do not append the client address to X-Forwarded-For
forwarded_for off

# Strip request headers that would reveal the client or the proxy to the
# origin. These filter only the request: the response returned to the
# client still carries Via and X-Cache (see the curl output below), which
# "via off" and reply_header_access control.
request_header_access X-Forwarded-For deny all
request_header_access Via deny all
request_header_access Cache-Control deny all
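The rule set above admits any source address. As an added example (not from the original post), here is a small POSIX shell/awk audit that walks an http_access list the way Squid does and reports whether a client outside every src CIDR would get through. The reduced rule sets embedded in it are constructed for the demonstration; the localnet/localhost definitions are assumed to be the stock ones and 10.0.0.0/16 is an assumed VPC range.

```shell
#!/bin/sh
# Static audit of a squid.conf http_access rule set.
# Squid tries http_access lines top to bottom and applies the first one that
# matches; if none matches, the default is the opposite of the last line
# (deny when there are no lines at all). The model here is a plain GET to
# port 80 from a client outside every CIDR named in a "src" acl, so
# port/method acls (Safe_ports, CONNECT, ...) and lines that AND several
# acls are treated as not matching. It is a static check, not a live test.
squid_acl_audit() {
  awk '
    # remember src acls: "all" matches everyone, anything else is a CIDR list
    $1 == "acl" && $3 == "src" { src[$2] = ($4 == "all") ? "all" : "cidr"; next }
    $1 == "http_access" && NF == 3 {
      last = $2; name = $3; neg = 0
      if (substr(name, 1, 1) == "!") { neg = 1; name = substr(name, 2) }
      if (name == "all") kind = "all"        # Squid built-in acl
      else if (name in src) kind = src[name]
      else next                              # not a src acl: cannot evaluate here
      # an external client is matched by "all" and by negated CIDR acls only
      if (kind == "all") hit = !neg; else hit = neg
      if (hit) {
        done = 1
        verdict = ($2 == "allow") ? "open" : "closed"
        print verdict
        exit
      }
    }
    $1 == "http_access" { last = $2 }        # multi-acl line: only affects the default
    END {
      if (!done) {
        verdict = (last == "deny") ? "open" : "closed"   # implicit default rule
        print verdict
      }
    }
  '
}

# The rule set from this page, with the stock src acl definitions it relies
# on (constructed reduction of the default squid.conf, not the full file).
page_ruleset() {
  cat <<'EOF'
acl localnet src 10.0.0.0/8
acl localhost src 127.0.0.1/32
acl SSL_ports port 443
acl Safe_ports port 80
acl CONNECT method CONNECT
acl myacl src all
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access allow localhost
http_access allow myacl
http_access deny all
EOF
}

# The same rule set with the catch-all replaced by the clients' CIDR
# (10.0.0.0/16 is an assumed VPC range).
hardened_ruleset() {
  cat <<'EOF'
acl clients src 10.0.0.0/16
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow clients
http_access deny all
EOF
}

# usage on a live box: squid_acl_audit < /etc/squid/squid.conf
page_ruleset | squid_acl_audit        # open
hardened_ruleset | squid_acl_audit    # closed
```

The implicit default is the part people get wrong: a list that ends in a deny for a specific acl, with no closing "deny all", allows everyone else. The audit is a static model only; after editing, squid -k parse validates the syntax and a curl -x from an address that should be refused confirms the live behaviour.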

iptables

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:FWINPUT - [0:0]
-A INPUT -j FWINPUT
-A FORWARD -j FWINPUT
-A FWINPUT -i lo -j ACCEPT
-A FWINPUT -p icmp --icmp-type any -j ACCEPT
-A FWINPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FWINPUT -p tcp -m tcp --dport 22 -s 0.0.0.0/0 -j ACCEPT
# -s without a mask means a /32, so "-s 0.0.0.0" alone would match nothing;
# give the mask explicitly, and preferably the client instances' CIDR rather
# than 0.0.0.0/0 so the proxy is not reachable from the whole Internet.
-A FWINPUT -p tcp -m tcp --dport 3128 -s 0.0.0.0/0 -j ACCEPT
# Without a terminal rule the ACCEPT policy on INPUT lets everything through
# and the rules above filter nothing.
-A FWINPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT

Confirm from another instance that access through the proxy works.

$ curl hayashier.com -x 52.41.123.30:3128 -vvv > /dev/null
* Rebuilt URL to: hayashier.com/
*   Trying 52.41.123.30...
* TCP_NODELAY set
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
* Connected to 52.41.123.30 (52.41.123.30) port 3128 (#0)
> GET https://hayashier.com/ HTTP/1.1
> Host: hayashier.com
> User-Agent: curl/7.51.0
> Accept: */*
> Proxy-Connection: Keep-Alive
>
* HTTP 1.0, assume close after body
< HTTP/1.0 200 OK
< Date: Tue, 04 Jul 2017 14:32:03 GMT
< Server: Apache
< X-Powered-By: PHP/7.0.12
< X-Pingback: https://hayashier.com/xmlrpc.php
< Link: <https://hayashier.com/wp-json/>; rel=https://api.w.org/, <http://wp.me/P8lnQs-2>; rel=shortlink
< X-Frame-Options: SAMEORIGIN
< Vary: Cookie,Accept-Encoding
< X-Mod-Pagespeed: 1.9.32.14-0
< Cache-Control: max-age=0, no-cache
< Content-Length: 17392
< Content-Type: text/html; charset=UTF-8
< X-Cache: MISS from hayashier.info
< X-Cache-Lookup: MISS from hayashier.info:3128
< Via: 1.0 hayashier.info (squid/3.1.23)
* HTTP/1.0 connection set to keep alive!
< Connection: keep-alive
<
{ [11790 bytes data]
* Curl_http_done: called premature == 0
100 17392  100 17392    0     0  38520      0 --:--:-- --:--:-- --:--:-- 38563
* Connection #0 to host 52.41.123.30 left intact
$ sudo tail -f /var/log/squid/access.log

Each request is recorded in access.log (native format: timestamp, elapsed milliseconds, client address, result/status, bytes, method, URL, ident, hierarchy/origin, content type). Note also that in the curl output above the response still carries Via, X-Cache and X-Cache-Lookup headers naming the proxy host and the Squid version (squid/3.1.23): request_header_access filters only what goes toward the origin, so to hide the proxy from its own clients as well, set via off and use reply_header_access.

1499178222.199    403 35.162.193.203 TCP_MISS/200 17067 GET https://hayashier.com/ - DIRECT/54.89.215.227 text/html
1499178556.929    379 35.162.193.203 TCP_MISS/200 17009 GET https://hayashier.com/ - DIRECT/54.89.215.227 text/html
1499178768.861    448 35.162.193.203 TCP_MISS/200 17974 GET https://hayashier.com/ - DIRECT/54.89.215.227 text/html
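Because the rule set accepts any source, access.log is where abuse shows up first. As an added example (not part of the original post), the following shell/awk summary counts requests per client that fall outside an expected CIDR in native-format access.log lines. The expected range 35.162.192.0/20 and the three extra log lines (a denied CONNECT to port 25 and a GET from a third address) are constructed for the demonstration; the first three lines are the ones shown above.

```shell
#!/bin/sh
# Summarise Squid native-format access.log lines by client address and flag
# clients outside an expected CIDR. Native format fields:
#   time elapsed client action/code bytes method url ident hierarchy/peer type
# Usage: squid_foreign_clients CIDR < /var/log/squid/access.log
# Prints one "client count" line per unexpected client, highest count first.
squid_foreign_clients() {
  awk -v cidr="$1" '
    # dotted quad -> 32-bit number (awk doubles represent it exactly)
    function ip2int(ip,   o) {
      split(ip, o, ".")
      return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
    }
    BEGIN {
      split(cidr, c, "/")
      hostspace = 2 ^ (32 - c[2])                  # addresses per network
      netpart = int(ip2int(c[1]) / hostspace)      # network number of the CIDR
    }
    NF >= 7 && $3 ~ /^[0-9.]+$/ {
      if (int(ip2int($3) / hostspace) != netpart) count[$3]++
    }
    END { for (ip in count) print ip, count[ip] }
  ' | sort -k2,2nr -k1,1
}

# Constructed sample: the three lines from the page plus three invented ones,
# a denied CONNECT to port 25 (the SMTP-relay probe an open proxy attracts)
# and a GET from a third address. 198.51.100.0/24, 203.0.113.0/24 and
# 192.0.2.0/24 are documentation ranges.
sample_access_log() {
  cat <<'EOF'
1499178222.199    403 35.162.193.203 TCP_MISS/200 17067 GET https://hayashier.com/ - DIRECT/54.89.215.227 text/html
1499178556.929    379 35.162.193.203 TCP_MISS/200 17009 GET https://hayashier.com/ - DIRECT/54.89.215.227 text/html
1499178768.861    448 35.162.193.203 TCP_MISS/200 17974 GET https://hayashier.com/ - DIRECT/54.89.215.227 text/html
1499179001.113      0 198.51.100.7 TCP_DENIED/403 3629 CONNECT mail.example.net:25 - NONE/- text/html
1499179002.541      0 198.51.100.7 TCP_DENIED/403 3629 CONNECT mail.example.net:25 - NONE/- text/html
1499179003.009    301 203.0.113.9 TCP_MISS/200 4096 GET http://example.org/ - DIRECT/192.0.2.44 text/html
EOF
}

# The expected client range is an assumption for the demonstration.
sample_access_log | squid_foreign_clients 35.162.192.0/20
# 198.51.100.7 2
# 203.0.113.9 1
```

Run against the real log with the CIDR of the instances that are supposed to use the proxy; any address listed is either a client you forgot about or someone who found the open port. The TCP_DENIED lines are still worth counting: repeated CONNECT attempts to port 25 or 443 from unknown addresses are the usual sign that the proxy has been indexed by a scanner.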


2 thoughts on "Installing Squid on an EC2 instance (Amazon Linux AMI)"

  1. Hisashi Yamaguchi says:

    This is the non-SSL mode, isn't it?
    I installed Squid on Amazon Linux with yum, created a self-signed certificate and tried to start it in SSL mode, but could not get it to work...
    If you have experience building it in SSL mode, I would be glad if you could post about it.

    1. hayashier says:

      As you say, this is not configured for TLS.
      This article is a re-post of a much older one, and I no longer remember the details from that time, so I cannot give an immediate answer.
      Sorry I cannot be of more help.
