squid-transparent

ayarlar/squid/transparent/squid.conf

@@ -0,0 +1,61 @@
+http_port 3128 intercept 
+
+https_port 3130 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/myca.pem key=/etc/squid/ssl_cert/ca-key.pem
+
+visible_hostname milis
+cache_mem 8 MB
+cache_dir aufs /var/squid 900 16 256
+
+http_port 3129
+
+# For squid 3.5.x
+#always_direct allow all
+ssl_bump server-first all
+#sslproxy_cert_error deny all
+#sslproxy_flags DONT_VERIFY_PEER
+
+sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
+sslcrtd_children 8 startup=1 idle=1
+
+
+
+acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
+acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
+acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
+acl localnet src fc00::/7       # RFC 4193 local private network range
+acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
+
+acl SSL_ports port 443
+
+acl Safe_ports port 80          # http
+acl Safe_ports port 21          # ftp
+acl Safe_ports port 443         # https
+acl Safe_ports port 70          # gopher
+acl Safe_ports port 210         # wais
+acl Safe_ports port 280         # http-mgmt
+acl Safe_ports port 488         # gss-http
+acl Safe_ports port 591         # filemaker
+acl Safe_ports port 777         # multiling http
+acl Safe_ports port 1025-65535  # unregistered ports
+
+acl CONNECT method CONNECT
+
+http_access deny !Safe_ports
+http_access deny CONNECT !SSL_ports
+http_access allow localhost manager
+http_access deny manager
+
+#
+# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
+#
+
+http_access allow localnet
+http_access allow localhost
+http_access deny all
+
+coredump_dir /var/squid
+
+refresh_pattern ^ftp:           1440    20%     10080
+refresh_pattern ^gopher:        1440    0%      1440
+refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
+refresh_pattern .               0       20%     4320

ayarlar/squid/transparent/squid_iptables_yapilandir.sh

@@ -0,0 +1,12 @@
+# bütün kurallar temizlenir
+servis iptables clear
+
+# değişkenler ayarlanır
+SUID=$(id -u squid)
+agarayuz=wlp3s0
+
+# 80 ve 443 çıkışları squid e tahsis edilir.80 ve 443 çıkışları squid in ilgili portlarına yönlendirilir.
+iptables -t nat -A OUTPUT -p tcp -m multiport --dports 80,443 -m owner --uid-owner 90 -j ACCEPT
+iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner ! --uid-owner 90 -j REDIRECT --to-port 3128
+iptables -t nat -A OUTPUT -p tcp --dport 443 -m owner ! --uid-owner 90 -j REDIRECT --to-port 3130
+iptables -A OUTPUT -o $agarayuz -p tcp -m multiport --dports 1024:65535 -m state --state NEW -j ACCEPT

ayarlar/squid/transparent/yapilacaklar

@@ -0,0 +1,52 @@
+# kendinden imzalı sertifika ayarlama
+
+cd /etc/squid
+
+mkdir ssl_cert
+
+chown squid:squid ssl_cert
+
+chmod 700 ssl_cert
+
+cd ssl_cert
+
+# sertifika oluştumak için alternatif
+
+#certtool --generate-privkey --outfile ca-key.pem
+
+#certtool --generate-self-signed --load-privkey ca-key.pem --outfile myca.pem
+
+
+
+# sertifikanın oluşturulması
+
+openssl req -new -newkey rsa:2048 -sha256 -days 365 -nodes -x509 -extensions v3_ca -keyout ca-key.pem  -out myca.pem
+
+
+
+# firefox a yüklenecek der dosyasının oluşturulması
+
+openssl x509 -in myca.pem -outform DER -out myca.der
+
+
+# squid sertifika veritabanı ayarlanması
+
+/usr/lib/squid/ssl_crtd -c -s /var/lib/ssl_db
+
+chown -R squid.squid /var/lib/ssl_db
+
+
+# yeni squid ayarlarının kopyalanması.(eskisi varsa yedekleyin.)
+
+cp -f /sources/milis.git/ayarlar/squid/transparent/squid.conf /etc/squid/ 
+
+
+# iptables kurallarının yüklenmesi-Not: squid_iptables_yapilandir.sh içinde ağ arayüzünü kendi arayüzünüze ayarlayın.
+
+./sources/milis.git/ayarlar/squid/transparent/squid_iptables_yapilandir.sh
+
+# squid başlatılması 
+
+servis squid start
+
+