debian squid透明代理简单配置

实验环境

客户端配置

• 配置网关

   route add default gw 10.10.100.12
  

网关配置

• 1.开启转发

sysctl -w net.ipv4.ip_forward=1

• 2.配置squid代理
• nano /etc/squid/squid.conf

http_port 3128 
http_port 3129 intercept
http_access allow all #为了方便起见允许了全部规则（偷个懒~~）

• 3.配置iptable规则(重定向流量，允许端口)
  ip add
  以下环境非实验环境的图片 仅供参考~~🤭
  

iptables -t nat -I PREROUTING -i ens37 -s 10.10.100.0/24 -p tcp --dport 80 -j REDIRECT --to 3129
iptables -t nat -I PREROUTING -i eth37 -s 10.10.100.0/24 -p tcp --dport 443 -j REDIRECT --to 3129
iptables -I INPUT -p tcp --dport 3129 -j ACCEPT

网站配置

• 确保网站开启
• 指定网关

route add default gw 192.168.65.160 

测试

• 客户端是否能ping通网站（如果没做特殊配置的话）
• 网页测试

注意事项

• 保证三台主机时间相同

配置内帮助文档

#  TAG: http_port
#	Usage:	port [mode] [options]
#		hostname:port [mode] [options]
#		1.2.3.4:port [mode] [options]
#
#	The socket addresses where Squid will listen for HTTP client
#	requests.  You may specify multiple socket addresses.
#	There are three forms: port alone, hostname with port, and
#	IP address with port.  If you specify a hostname or IP
#	address, Squid binds the socket to that specific
#	address. Most likely, you do not need to bind to a specific
#	address, so you can use the port number alone.
#
#	If you are running Squid in accelerator mode, you
#	probably want to listen on port 80 also, or instead.
#
#	The -a command line option may be used to specify additional
#	port(s) where Squid listens for proxy request. Such ports will
#	be plain proxy ports with no options.
#
#	You may specify multiple socket addresses on multiple lines.
#
#	Modes:
#
#	   intercept	Support for IP-Layer NAT interception delivering
#			traffic to this Squid port.
#			NP: disables authentication on the port.
#
#	   tproxy	Support Linux TPROXY (or BSD divert-to) with spoofing
#			of outgoing connections using the client IP address.
#			NP: disables authentication on the port.
#
#	   accel	Accelerator / reverse proxy mode
#
#	   ssl-bump	For each CONNECT request allowed by ssl_bump ACLs,
#			establish secure connection with the client and with
#			the server, decrypt HTTPS messages as they pass through
#			Squid, and treat them as unencrypted HTTP messages,
#			becoming the man-in-the-middle.
#
#			The ssl_bump option is required to fully enable
#			bumping of CONNECT requests.
#
#	Omitting the mode flag causes default forward proxy mode to be used.
<-_
---
#标签:http_port
#使用:端口[模式][选项]
#主机名:port [mode] [options]
# 1.2.3.4:端口[模式][选项]
#
Squid监听HTTP客户端的套接字地址
#请求。
您可以指定多个套接字地址。
有三种形式:单独端口、带端口的主机名和
#带端口的ip地址。
如果您指定了主机名或IP
Squid将套接字绑定到特定的
#地址。
很可能，您不需要绑定到特定对象
# address，这样您就可以单独使用端口号。
#
#如果你在加速器模式下运行Squid，你会
#可能也想监听端口80，或者相反。
#
# -a命令行选项可以用来指定额外的
Squid监听代理请求的端口。
这样的港口
#使用没有选项的普通代理端口。
#
可以在多行中指定多个套接字地址。
#
#模式:
#
# intercept支持ip层NAT拦截交付
Squid港口的交通。
# np:在端口上禁用认证。
#
# TPROXY支持Linux TPROXY(或BSD转到)与欺骗
使用客户端IP地址的外出连接的编号。
# np:在端口上禁用认证。
#
#加速加速器/反向代理模式
#
# ssl-bump for每个连接请求允许的ssl_bump acl，
#与客户端建立安全连接
#服务器，解密通过的HTTPS消息
# squid，并将其视为未加密的HTTP消息，
#成为中间人。
#
# ssl_bump选项需要完全启用
#碰撞连接请求。
#
#省略mode标志将导致使用默认的转发代理模式。