EC2 インスタンス (Amazon Linux AMI) に Squid 導入
hayashier今現在は、Amazon Linux AMIではなく、Amazon Linux 2の利用が推奨されていますのでご注意ください。
Proxy (Squid) サーバの設定
$ sudo su -
# yum -y install squid
# vim /etc/squid/squid.conf
# squid -z
# service squid start
# chkconfig squid on
# vi /etc/sysconfig/iptables
# vi iptables-restore < /etc/sysconfig/iptables
# service iptables restart
# iptables -L
squid.conf
# Deny requests to certain unsafe ports
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on localhost is a local user
#http_access deny to_localhost
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost
# And finally deny all other access to this proxy
#http_access deny all
# Squid normally listens to port 3128
http_port 3128
# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/spool/squid 100 16 256
# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid
# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
visible_hostname hayashier.info
acl myacl src all
http_access allow myacl
http_access deny all
forwarded_for off
request_header_access X-Forwarded-For deny all
request_header_access Via deny all
request_header_access Cache-Control deny all
iptables
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:FWINPUT - [0:0]
-A INPUT -j FWINPUT
-A FORWARD -j FWINPUT
-A FWINPUT -i lo -j ACCEPT
-A FWINPUT -p icmp --icmp-type any -j ACCEPT
-A FWINPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FWINPUT -p tcp -m tcp --dport 22 -s 0.0.0.0/0 -j ACCEPT
-A FWINPUT -p tcp -m tcp --dport 3128 -s 0.0.0.0 -j ACCEPT
COMMIT
別のインスタンスからプロキシ経由でのアクセス可能なことを確認。
$ curl hayashier.com -x 52.41.123.30:3128 -vvv > /dev/null
* Rebuilt URL to: hayashier.com/
* Trying 52.41.123.30...
* TCP_NODELAY set
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* Connected to 52.41.123.30 (52.41.123.30) port 3128 (#0)
> GET https://hayashier.com/ HTTP/1.1
> Host: hayashier.com
> User-Agent: curl/7.51.0
> Accept: */*
> Proxy-Connection: Keep-Alive
>
* HTTP 1.0, assume close after body
< HTTP/1.0 200 OK
< Date: Tue, 04 Jul 2017 14:32:03 GMT
< Server: Apache
< X-Powered-By: PHP/7.0.12
< X-Pingback: https://hayashier.com/xmlrpc.php
< Link: <https://hayashier.com/wp-json/>; rel=https://api.w.org/, <http://wp.me/P8lnQs-2>; rel=shortlink
< X-Frame-Options: SAMEORIGIN
< Vary: Cookie,Accept-Encoding
< X-Mod-Pagespeed: 1.9.32.14-0
< Cache-Control: max-age=0, no-cache
< Content-Length: 17392
< Content-Type: text/html; charset=UTF-8
< X-Cache: MISS from hayashier.info
< X-Cache-Lookup: MISS from hayashier.info:3128
< Via: 1.0 hayashier.info (squid/3.1.23)
* HTTP/1.0 connection set to keep alive!
< Connection: keep-alive
<
{ [11790 bytes data]
* Curl_http_done: called premature == 0
100 17392 100 17392 0 0 38520 0 --:--:-- --:--:-- --:--:-- 38563
* Connection #0 to host 52.41.123.30 left intact
$ sudo tail -f /var/log/squid/access.log
アクセスのログが記録される。 access.log
1499178222.199 403 35.162.193.203 TCP_MISS/200 17067 GET https://hayashier.com/ - DIRECT/54.89.215.227 text/html
1499178556.929 379 35.162.193.203 TCP_MISS/200 17009 GET https://hayashier.com/ - DIRECT/54.89.215.227 text/html
1499178768.861 448 35.162.193.203 TCP_MISS/200 17974 GET https://hayashier.com/ - DIRECT/54.89.215.227 text/html
こちらはNoneSSLモードですよね?
Amazon LinuxにyumでSquidをインストールして自己署名証明書を作成してSSLモードで起動しようとしているのですがうまくいかず。。。
もしSSLモードで構築したご経験がお有りであれば掲載頂けると嬉しいです。
おっしゃるとおり、TLSの設定にはなっていませんね。
こちらの記事、随分前のものを上げ直したものとなり、当時のことを覚えておらずでして、即答することができません。
ご期待に添えず、恐れ入ります。。