Setting up a proxy server on GCE
Overview
Notes from setting up a Squid proxy server on a GCE instance.
I then put the proxy in front of an iPhone.
The OS is Ubuntu.
$ cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=14.04
DISTRIB_CODENAME=trusty
DISTRIB_DESCRIPTION="Ubuntu 14.04.5 LTS"
Installing Squid
The official site does not describe the install steps in detail; it says that Squid is available in most OS package systems.
$ apt-cache search squid
(snip)
squid3 - Full featured Web Proxy cache (HTTP proxy)
(snip)
squid - dependency package from squid to squid3
(snip)
squid4 seems to have been released, but it is not in apt-get yet, so I will use squid3.
$ sudo apt-get install squid3 -y
$ sudo cp /etc/squid3/squid.conf /etc/squid3/squid.conf.orig
Squid configuration
I enabled digest authentication.
It is better to change the port from the default 3128.
Picking out the parts that are not commented out:
##Recommended minimum configuration per scheme:
auth_param digest program /usr/lib/squid3/digest_file_auth /etc/squid3/passwd
auth_param digest children 20 startup=0 idle=1
auth_param digest realm Squid proxy-caching web server
auth_param digest nonce_garbage_interval 5 minutes
auth_param digest nonce_max_duration 30 minutes
auth_param digest nonce_max_count 50
acl digest_pwd proxy_auth REQUIRED
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
#acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
#acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
#acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
#acl localnet src fc00::/7       # RFC 4193 local private network range
#acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80           # http
#acl Safe_ports port 21          # ftp
acl Safe_ports port 443          # https
#acl Safe_ports port 70          # gopher
#acl Safe_ports port 210         # wais
#acl Safe_ports port 1025-65535  # unregistered ports
#acl Safe_ports port 280         # http-mgmt
#acl Safe_ports port 488         # gss-http
#acl Safe_ports port 591         # filemaker
#acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
#http_access allow localnet
#http_access allow localhost
# proxy with auth
http_access allow all digest_pwd
# And finally deny all other access to this proxy
http_access deny all
# Squid normally listens to port 3128
http_port 3128
# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid3
#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern (Release|Packages(.gz)*)$      0       20%     2880
# example lin deb packages
#refresh_pattern (\.deb|\.udeb)$   129600 100% 129600
refresh_pattern .               0       20%     4320
/etc/squid3/passwd
hogeuser:hogepassward
$ sudo service squid3 restart
Adding a GCP firewall rule
$ gcloud compute instances add-tags INSTANCE_NAME --tags squid-proxy --zone "asia-northeast1-a"
$ gcloud compute firewall-rules create allow-proxy --network default --allow tcp:3128 --target-tags=squid-proxy
Check
iPhone settings
I configured it by following this.
Checking the logs
Check the proxy access log
$ sudo tail -f /var/log/squid3/access.log
1533110314.371 0 124.33.169.42 TCP_DENIED_REPLY/407 3876 CONNECT ogs.google.com:443 - HIER_NONE/- text/html
1533110321.390 7014 124.33.169.42 TCP_MISS/200 4858 CONNECT ogs.google.com:443 developer HIER_DIRECT/172.217.27.78 -
It answers 407 to demand authentication and then returns 200, so it looks like it is working.
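Reading the log by eye works for one client, but the firewall rule above has no --source-ranges, so port 3128 is reachable from any address and only the digest challenge stands in the way. As an added example (not code from the original post), here is a small Python parser for the native access.log format shown above that counts 407 challenges and authenticated successes per client IP and lists clients that keep getting challenged without ever authenticating. Input is the two log lines from the post plus constructed lines for 198.51.100.7; the threshold of five unanswered challenges is an assumption.

```python
import re
from collections import defaultdict

# Squid native access.log fields, space separated:
# time elapsed client result/status bytes method url user hierarchy/peer type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hier>\S+)/(?P<peer>\S+)\s+(?P<ctype>\S+)\s*$"
)

# First two lines are from the post; the rest are constructed to show a
# client that is challenged repeatedly and never presents valid credentials.
SAMPLE_LOG = [
    "1533110314.371 0 124.33.169.42 TCP_DENIED_REPLY/407 3876 CONNECT ogs.google.com:443 - HIER_NONE/- text/html",
    "1533110321.390 7014 124.33.169.42 TCP_MISS/200 4858 CONNECT ogs.google.com:443 developer HIER_DIRECT/172.217.27.78 -",
] + [
    f"15331104{i:02d}.000 0 198.51.100.7 TCP_DENIED_REPLY/407 3876 CONNECT example.com:443 - HIER_NONE/- text/html"
    for i in range(5)
]

def parse_line(line):
    """Return a dict of fields, or None for a line that is not in native format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["user"] = None if rec["user"] == "-" else rec["user"]  # "-" means no user
    return rec

def summarize(lines):
    """Per client IP: number of 407 challenges, authenticated 2xx responses, users seen."""
    stats = defaultdict(lambda: {"challenges": 0, "auth_ok": 0, "users": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s = stats[rec["client"]]
        if rec["status"] == 407:
            s["challenges"] += 1
        elif rec["user"] and 200 <= rec["status"] < 300:
            s["auth_ok"] += 1
            s["users"].add(rec["user"])
    return dict(stats)

def suspicious_clients(lines, max_unanswered=5):
    """Clients with at least max_unanswered 407s and no authenticated success (assumed threshold)."""
    return sorted(ip for ip, s in summarize(lines).items()
                  if s["auth_ok"] == 0 and s["challenges"] >= max_unanswered)
```

Run it against the live file with `summarize(open("/var/log/squid3/access.log"))`; the normal iPhone pattern is one 407 followed by authenticated 200s from the same address.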