Squid服务配置代理

1. 背景

公司出口IP是北京移动，一直用了很多年，结果昨天突然登录网页版抖音突然显示IP为"太原"了。咨询了服务商，也没办法。索性在公司托管IDC机房搭一个代理服务器，跳转一下。

2. 安装

2.1 安装Squid

1. Ubuntu

sudo apt update
sudo apt install squid -y

2. Centos7

sudo yum install epel-release -y
sudo yum install squid -y

2.2 安装htpasswd

1. 安装

# 安装密码工具
sudo apt install apache2-utils -y  # Ubuntu/Debian
sudo yum install httpd-tools -y    # CentOS/RHEL

2. 创建用户

# 创建密码文件（首次创建使用-c参数，创建/passwords文件）
# proxy_user 为创建的用户名
sudo htpasswd -c /etc/squid/passwords proxy_user
New password: 

3.查看用户

# 命令
cat /etc/squid/passwords 
# 显示结果
proxy_user:$apr1$knFfRHkL$9a/v6TrAzgDUYuDUyN7bv0
normal_user:$apr1$zJAf0dcm$z/UHf8O4hWQFSDYCZHl0G/

4.删除用户

sudo htpasswd -D /etc/squid/passwords normal_user

2.2 配置Squid

1. 备份

sudo cp /etc/squid/squid.conf /etc/squid/squid.conf.bak

2. 配置

#
# Recommended minimum configuration:
#

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
#### 新增配置 #########################################
#acl localnet src 0.0.0.0/0     # 允许所有IP访问
acl localnet src 0.0.0.0/0      # 允许所有IP访问
acl localnet src 161.178.31.23/32    # 允许XX职场访问
acl localnet src 221.207.51.17/32    # 允许xx职场访问

#######################################################

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
#### 新增配置 ###########################################
# 1. 认证参数
# 注意，basic_ncsa_auth 在ubuntu和centos中路径不一样
auth_param basic program /usr/lib64/squid/basic_ncsa_auth /etc/squid/passwords
auth_param basic realm "Proxy Authentication"
auth_param basic children 5      # 认证子进程数
auth_param basic credentialsttl 12 hours  # 认证缓存时间

# 2. 定义认证用户组
acl authenticated_users proxy_auth REQUIRED

# 3. 允许认证用户 (必须放在deny规则前)
http_access allow authenticated_users

###########################################################

http_access allow localhost manager
http_access deny manager

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost

# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128
#### 修改端口#####
http_port 12345
#################

# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/spool/squid 100 16 256

# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid

#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320


#### 新增配置 ##################################
# 禁用缓存（可选）
cache deny all

# 设置DNS解析器
dns_nameservers 211.136.17.107 211.136.20.203 223.5.5.5 

# 隐藏客户端IP（可选）
forwarded_for delete

# 匿名Via头部
via on
forwarded_for delete

# 自定义 Via 标识
header_replace Via "1.1 FireWallGateway"

# 选择性删除敏感头部
request_header_access X-Forwarded-For deny all
request_header_access Cookie deny all


# 提升连接处理能力
max_filedescriptors 65536    # 增加文件描述符上限（需系统级调整ulimit）
workers 12                   # 启动多进程（Squid 4+支持多核）

# 连接复用与超时控制
client_persistent_connections on   # 启用客户端持久连接
server_persistent_connections on   # 启用服务端持久连接
persistent_request_timeout 30 seconds  # 缩短持久连接超时
connect_timeout 15 seconds          # 加快连接失败判定

# 关闭非必要日志
cache_access_log none        # 关闭访问日志（大幅减少磁盘I/O）
cache_store_log none         # 关闭存储日志
debug_options ALL,0          # 禁用调试日志

#################################################

3. 验证

# 命令执行，输出没有ERROR
squid -k parse

# 重新加载配置
squid -k reconfigure

2.3 启动Squid

systemctl start squid && systemctl enable squid

systemctl status squid

● squid.service - Squid caching proxy
   Loaded: loaded (/usr/lib/systemd/system/squid.service; enabled; vendor preset: disabled)
   Active: active (running) since 五 2025-08-01 18:41:20 CST; 2h 10min ago
 Main PID: 1858 (squid)
   CGroup: /system.slice/squid.service
           ├─1858 /usr/sbin/squid -f /etc/squid/squid.conf
           ├─1860 (squid-coord-13) -f /etc/squid/squid.conf
           ├─1861 (squid-12) -f /etc/squid/squid.conf
           ├─1862 (squid-11) -f /etc/squid/squid.conf
           ├─1863 (squid-10) -f /etc/squid/squid.conf
           ├─1864 (squid-9) -f /etc/squid/squid.conf
           ├─1865 (squid-8) -f /etc/squid/squid.conf
           ├─1866 (squid-7) -f /etc/squid/squid.conf
           ├─1867 (squid-6) -f /etc/squid/squid.conf
           ├─1868 (squid-5) -f /etc/squid/squid.conf
           ├─1869 (squid-4) -f /etc/squid/squid.conf
           ├─1870 (squid-3) -f /etc/squid/squid.conf
           ├─1871 (squid-2) -f /etc/squid/squid.conf
           ├─1872 (squid-1) -f /etc/squid/squid.conf
           ├─2217 (basic_ncsa_auth) /etc/squid/passwords
           ├─2218 (basic_ncsa_auth) /etc/squid/passwords
           ├─2219 (basic_ncsa_auth) /etc/squid/passwords
           ├─2220 (basic_ncsa_auth) /etc/squid/passwords
           ├─2221 (basic_ncsa_auth) /etc/squid/passwords
           ├─2222 (basic_ncsa_auth) /etc/squid/passwords
           ├─2223 (basic_ncsa_auth) /etc/squid/passwords
           ├─2224 (basic_ncsa_auth) /etc/squid/passwords
           ├─2225 (basic_ncsa_auth) /etc/squid/passwords
           ├─2226 (basic_ncsa_auth) /etc/squid/passwords
           ├─2227 (basic_ncsa_auth) /etc/squid/passwords
           └─2236 (basic_ncsa_auth) /etc/squid/passwords

3. 测试

1. 配置代理
   
   

2. 浏览器验证