在RaspberryPi 3上自建Squid Proxy Server

6月時曾經簡略寫過如何在OrangePi上起OpenVPN Server,目的是方便remote control家中電腦及穿過公司內特定Access Control List (ACL). 今日就來玩玩自建Squid Proxy Server吧.

除了在家中自建VPN Server外,其實如果您好似我一樣有另一條broadband或無限4G, 那就可以在您的OrangePi或RasperryPi上建設Proxy Server方便逃離特定ACL外遊了. 當然proxy server主要功用不是用來出貓的, 而是控制user在web browsing的流量及作為caching用途.

先看看我的Hardware吧, 一台RaspberryPi 3再加上MSATA SSD board, 另外還有一塊舊256G SSD大概是當作 Proxy caching用.

選用RaspberryPi3的主要原因是Pi3的CPU比 Pi 及 Pi2快上不少,而且已經built-in WiFi(這也是主要原因).

建設Network

在RaspberryPi建設network時,LAN是接駁office network (i.e. 192.168.1.x)而WiFi則是接駁Broadband network (i.e. 172.16.x.x), 如下:

root@raspberrypi:/etc/squid# ifconfig


eth0      Link encap:Ethernet  HWaddr b8:27:eb:83:b8:bc
          inet addr:192.168.1.196  Bcast:192.168.1.255  Mask:255.255.255.0
         


wlan0     Link encap:Ethernet  HWaddr b8:27:eb:d6:ed:e9
          inet addr:172.16.62.94  Bcast:172.16.62.255  Mask:255.255.255.0

安裝Squid Proxy Server

在Linux上要做installation,第一個step當然係su做root啦

sudo -i

安裝Squid Proxy Server,其實很簡單, 只需要行下面呢幾個command就得架啦

apt-get update -y;apt-get upgrade -y
apt-get install squid

做完上面這兩句command, squid 基本安裝已經完成, 接下來的只是configuration.

因為我預備使用WiFi作外接internet口, 所以在設定上須要明確註明, 如果沒有清楚註明在configuration file, squid在一般情況下是會使用比較怏的LAN port. 如果您只是想架設基本proxy server, 可以跳過這個step.

註明out going port

作這個修改的話, 我會改動 /etc/squid/squid.conf及加入下面這一句註明outgoing port的IP是172.16.62.94
vi /etc/squid/squid.conf

acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
tcp_outgoing_address 172.16.62.94 localnet

提供Proxy服務

要提供Proxy service, 其實只需在/etc/squid/squid.conf 放寬下面這一句就可以了:

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost

起動Proxy服務

起動Proxy所需的command極為簡單, 只需打上

service squid restart
或
service squid start

而如果想知道proxy server是否正常運作, 可以打上

service squid status

root@raspberrypi:/etc/squid# service squid status
● squid.service - LSB: Squid HTTP Proxy
Loaded: loaded (/etc/init.d/squid)
Active: active (running) since Tue 2017-10-24 10:37:25 HKT; 1h 12min ago
Process: 2474 ExecStop=/etc/init.d/squid stop (code=exited, status=0/SUCCESS)
Process: 2482 ExecStart=/etc/init.d/squid start (code=exited, status=0/SUCCESS)
CGroup: /system.slice/squid.service
├─2491 /usr/sbin/squid -D -YC
├─2493 (squid) -D -YC
└─2494 (unlinkd)

Oct 24 10:37:25 raspberrypi squid[2482]: Starting Squid HTTP proxy: squid.
Oct 24 10:37:25 raspberrypi squid[2491]: Squid Parent: child process 2493 started
Oct 24 10:37:25 raspberrypi systemd[1]: Started LSB: Squid HTTP Proxy.
root@raspberrypi:/etc/squid#

Firefox設定

在proxy setting位置打入LAN port的IP, 再用port 3128提供proxy就可以了.

後話

建好了proxy server,公司同事在一般情況下出internet是會比直出較快的, 而且也可以在proxy server上再加上特定ruleset,也可以log user traffic當作auditing的support material.

如果在RaspberryPi上做proxy server, 記得用比較快的TF card (class 10或U1/U3), 因為我試過用舊的class 4 TF card…..我當時既反應係當proxy server無起過出來.

Author: Adrian

Just a fxxking moron who see bad money drives out good!

Discover more from 廢老移澳亂記

Subscribe now to keep reading and get access to the full archive.

Continue reading