1. 背景
公司出口IP是北京移动,已经用了很多年,结果昨天登录网页版抖音时,IP归属地突然显示为"太原"了。咨询了服务商,对方也没办法。索性在公司托管的IDC机房搭一台代理服务器,跳转一下。
2. 安装
2.1 安装Squid
- Ubuntu
bash
sudo apt update
sudo apt install squid -y
- Centos7
bash
sudo yum install epel-release -y
sudo yum install squid -y
2.2 安装htpasswd
- 安装
bash
# 安装密码工具
sudo apt install apache2-utils -y # Ubuntu/Debian
sudo yum install httpd-tools -y # CentOS/RHEL
- 创建用户
bash
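# Create the password file for the proxy account "proxy_user".
# -c creates /etc/squid/passwords and overwrites it if it already exists,
# so use -c for the first user only and omit it when adding more users.
# The password is typed at the prompt rather than passed as an argument,
# which keeps it out of shell history and the process list.
sudo htpasswd -c /etc/squid/passwords proxy_user
# Keep the hash file readable only by root and the account Squid runs as.
# The group is "squid" on CentOS/RHEL; on Ubuntu/Debian Squid runs as "proxy",
# so use root:proxy there.
sudo chown root:squid /etc/squid/passwords
sudo chmod 640 /etc/squid/passwords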
New password:
3.查看用户
bash
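# List the configured accounts. Each line is "user:hash"; the hashes can be
# guessed offline by anyone who obtains them, so redact them before pasting
# this output anywhere. sudo is used so the command still works once the
# file is no longer world-readable.
sudo cat /etc/squid/passwords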
# 显示结果
proxy_user:$apr1$knFfRHkL$9a/v6TrAzgDUYuDUyN7bv0
normal_user:$apr1$zJAf0dcm$z/UHf8O4hWQFSDYCZHl0G/
4.删除用户
bash
sudo htpasswd -D /etc/squid/passwords normal_user
2.2 配置Squid
- 备份
bash
sudo cp /etc/squid/squid.conf /etc/squid/squid.conf.bak
- 配置
bash
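#
# Recommended minimum configuration:
#
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
#### Added configuration ################################
# Do NOT add 0.0.0.0/0 to localnet. It makes "http_access allow localnet"
# match every IPv4 client, so the proxy_auth rule further down becomes the
# only thing keeping this host from being an open proxy; removing or
# reordering that one rule would expose it. Clients outside the networks
# listed here are still served once they authenticate.
#acl localnet src 0.0.0.0/0 # allow every IP (left disabled on purpose)
acl localnet src 161.178.31.23/32 # office XX
acl localnet src 221.207.51.17/32 # office xx
#######################################################
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
# Only allow cachemgr access from localhost.
# These two rules stay ABOVE the authentication allow rule: http_access is
# first-match, so an "allow authenticated_users" placed before them would
# also let every proxy account reach the cache manager.
http_access allow localhost manager
http_access deny manager
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user.
# Enabled here because this proxy accepts clients from the internet.
# NOTE(review): to_localhost is a built-in ACL in Squid 3.2+; confirm with
# "squid -k parse" on the installed version.
http_access deny to_localhost
#### Added configuration: proxy authentication ###########
# 1. Authentication parameters
# The basic_ncsa_auth helper lives in a different directory on Ubuntu and
# CentOS (this is the CentOS path; Ubuntu uses /usr/lib/squid/basic_ncsa_auth).
# NOTE(review): Basic credentials are only base64-encoded and http_port below
# is plain HTTP, so usernames and passwords cross the network in clear text.
# Use strong unique passwords and consider a TLS listener or a VPN in front.
auth_param basic program /usr/lib64/squid/basic_ncsa_auth /etc/squid/passwords
auth_param basic realm "Proxy Authentication"
# Number of authentication helper processes
auth_param basic children 5
# How long a successful authentication is cached
auth_param basic credentialsttl 12 hours
# 2. ACL matching any successfully authenticated user
acl authenticated_users proxy_auth REQUIRED
# 3. Allow authenticated users (must stay above "http_access deny all")
http_access allow authenticated_users
###########################################################
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost
# And finally deny all other access to this proxy
http_access deny all
# Squid normally listens to port 3128
#### Changed listening port #####
# A non-default port only reduces scan noise; it is not an access control.
http_port 12345
#################
# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/spool/squid 100 16 256
# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid
#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
#### Added configuration ##################################
# Disable caching (optional)
cache deny all
# DNS resolvers used by Squid
dns_nameservers 211.136.17.107 211.136.20.203 223.5.5.5
# Hide the client IP (optional): drop X-Forwarded-For from relayed requests
forwarded_for delete
# Keep emitting a Via header
via on
# Custom Via value.
# NOTE(review): header_replace only rewrites headers that a
# request_header_access rule denies; Via is not denied in this file, so this
# line probably has no effect as written.
header_replace Via "1.1 FireWallGateway"
# Strip selected request headers
request_header_access X-Forwarded-For deny all
# NOTE(review): this removes Cookie from every plain-HTTP request relayed by
# the proxy, which breaks logins on HTTP sites; HTTPS traffic tunnelled with
# CONNECT is not visible to Squid and is unaffected.
request_header_access Cookie deny all
# Connection handling capacity
# Raise the file descriptor limit (the system ulimit must allow it too)
max_filedescriptors 65536
# Run several worker processes to use multiple cores
workers 12
# Connection reuse and timeouts
# Keep client-side connections persistent
client_persistent_connections on
# Keep server-side connections persistent
server_persistent_connections on
# Shorter idle timeout for persistent connections
persistent_request_timeout 30 seconds
# Fail unreachable upstream connections faster
connect_timeout 15 seconds
# Logging
# The access log is left at its default (enabled). On a password-protected
# proxy reachable from the internet it is the only record of failed logins,
# password guessing and abuse of a leaked account; rotate it rather than
# turning it off to save disk I/O.
#cache_access_log none
# Store log is not needed because caching is disabled
cache_store_log none
# Only critical messages go to cache.log
debug_options ALL,0
#################################################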
- 验证
bash
# 命令执行,输出没有ERROR
squid -k parse
bash
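# Reload the running Squid only when the syntax check succeeds, so a broken
# squid.conf is not pushed to the live proxy. Both steps need root.
sudo squid -k parse && sudo squid -k reconfigure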
2.3 启动Squid
bash
systemctl start squid && systemctl enable squid
bash
systemctl status squid
bash
● squid.service - Squid caching proxy
Loaded: loaded (/usr/lib/systemd/system/squid.service; enabled; vendor preset: disabled)
Active: active (running) since 五 2025-08-01 18:41:20 CST; 2h 10min ago
Main PID: 1858 (squid)
CGroup: /system.slice/squid.service
├─1858 /usr/sbin/squid -f /etc/squid/squid.conf
├─1860 (squid-coord-13) -f /etc/squid/squid.conf
├─1861 (squid-12) -f /etc/squid/squid.conf
├─1862 (squid-11) -f /etc/squid/squid.conf
├─1863 (squid-10) -f /etc/squid/squid.conf
├─1864 (squid-9) -f /etc/squid/squid.conf
├─1865 (squid-8) -f /etc/squid/squid.conf
├─1866 (squid-7) -f /etc/squid/squid.conf
├─1867 (squid-6) -f /etc/squid/squid.conf
├─1868 (squid-5) -f /etc/squid/squid.conf
├─1869 (squid-4) -f /etc/squid/squid.conf
├─1870 (squid-3) -f /etc/squid/squid.conf
├─1871 (squid-2) -f /etc/squid/squid.conf
├─1872 (squid-1) -f /etc/squid/squid.conf
├─2217 (basic_ncsa_auth) /etc/squid/passwords
├─2218 (basic_ncsa_auth) /etc/squid/passwords
├─2219 (basic_ncsa_auth) /etc/squid/passwords
├─2220 (basic_ncsa_auth) /etc/squid/passwords
├─2221 (basic_ncsa_auth) /etc/squid/passwords
├─2222 (basic_ncsa_auth) /etc/squid/passwords
├─2223 (basic_ncsa_auth) /etc/squid/passwords
├─2224 (basic_ncsa_auth) /etc/squid/passwords
├─2225 (basic_ncsa_auth) /etc/squid/passwords
├─2226 (basic_ncsa_auth) /etc/squid/passwords
├─2227 (basic_ncsa_auth) /etc/squid/passwords
└─2236 (basic_ncsa_auth) /etc/squid/passwords
3. 测试
- 配置代理

- 浏览器验证