Installing Squid with MacPorts
To get around sites that restrict access from overseas, I installed a proxy on my home server.
$ sudo port install squid
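Edit the configuration file (/opt/local/etc/squid/squid.conf).
The settings I added are as follows.
# Allow hosts that are not otherwise permitted to use the proxy server,
# provided they authenticate with a username and password.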
auth_param basic program /opt/local/libexec/ncsa_auth /opt/local/etc/passwd
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
acl password proxy_auth REQUIRED
http_access allow password
# Keep the destination from learning that the request came through a proxy
header_access X-Forwarded-For deny all
header_access Via deny all
header_access Cache-Control deny all
visible_hostname www.fraction.jp
# Hide the local IP address of the machine using the proxy server
forwarded_for off
This follows the configuration from Fedoraで自宅サーバー構築 ("Building a Home Server with Fedora") almost exactly.
Start it.
$ sudo launchctl load -w /Library/LaunchDaemons/org.macports.Squid.plist
It failed.
According to /var/log/messages, the error was that /opt/local/libexec/ncsa_auth does not exist.
Following "400 Bad Request-Devel :: ssm: Squid の認証ライブラリ" (Squid's authentication library), I installed /opt/local/libexec/ncsa_auth.
- Copy the squid tarball somewhere convenient.
- make
- make and install ncsa_auth
Like this.
[yuanying@Kohrin] ~
$ cp /opt/local/var/macports/distfiles/squid/squid-2.7.STABLE4.tar.bz2 ~/Documents/temp/squid/
[yuanying@Kohrin] ~
$ cd ~/Documents/temp/squid/
[yuanying@Kohrin] ~/Documents/temp/squid
$ bzip2 -dc squid-2.7.STABLE4.tar.bz2 | tar xvf -
[yuanying@Kohrin] ~/Documents/temp/squid
$ cd squid-2.7.STABLE4/
[yuanying@Kohrin] ~/Documents/temp/squid/squid-2.7.STABLE4
$ ./configure --prefix=/opt/local CPPFLAGS=-I/opt/local/include
[yuanying@Kohrin] ~/Documents/temp/squid/squid-2.7.STABLE4
$ make
[yuanying@Kohrin] ~/Documents/temp/squid/squid-2.7.STABLE4
$ cd helpers/basic_auth/NCSA/
[yuanying@Kohrin] ~/Documents/temp/squid/squid-2.7.STABLE4/helpers/basic_auth/NCSA
$ make
[yuanying@Kohrin] ~/Documents/temp/squid/squid-2.7.STABLE4/helpers/basic_auth/NCSA
$ sudo make install
Restart.
$ sudo launchctl unload -w /Library/LaunchDaemons/org.macports.Squid.plist
$ sudo launchctl load -w /Library/LaunchDaemons/org.macports.Squid.plist
That's all.
Environment
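The startup failure described above (the helper named in `auth_param basic program` was not installed) can be caught before loading the launchd job. The shell function below is an added example, not part of the original post; the name `check_auth_helper`, its return codes and the world-readable check on the password file are choices made for this example.

```shell
#!/bin/sh
# Added example: pre-flight check for the basic-auth helper named in squid.conf.
# Return codes (chosen for this example):
#   0 ok, 1 no active auth_param line, 2 helper missing or not executable,
#   3 password file missing, 4 password file readable by "other"

check_auth_helper() {
    conf=$1
    # Use the last active (uncommented) "auth_param basic program" line.
    line=$(grep -E '^[[:space:]]*auth_param[[:space:]]+basic[[:space:]]+program[[:space:]]' "$conf" | tail -n 1)
    if [ -z "$line" ]; then
        echo "no active 'auth_param basic program' line in $conf" >&2
        return 1
    fi
    # Fields: auth_param basic program <helper> <password file>
    helper=$(printf '%s\n' "$line" | awk '{print $4}')
    pwfile=$(printf '%s\n' "$line" | awk '{print $5}')

    # This is the failure from the post: the configured helper is not there.
    if [ ! -x "$helper" ]; then
        echo "helper not found or not executable: $helper" >&2
        return 2
    fi
    if [ ! -f "$pwfile" ]; then
        echo "password file not found: $pwfile" >&2
        return 3
    fi
    # Hardening check added for this example: hashes should not be world-readable.
    if [ -n "$(find "$pwfile" -perm -004 2>/dev/null)" ]; then
        echo "password file is world-readable: $pwfile" >&2
        return 4
    fi
    echo "ok: $helper with $pwfile"
    return 0
}

# Run against a config file when one is given on the command line.
if [ "$#" -ge 1 ]; then
    check_auth_helper "$1"
fi
```

Saved as a script, it takes the path to squid.conf as its only argument and exits with the codes listed in its header.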
- Mac OS X 10.5.5
- MacPorts 1.600
Sites I referred to
Diff of the configuration file
$ diff -u squid.conf.default squid.conf
--- squid.conf.default 2008-09-24 22:25:27.000000000 +0900
+++ squid.conf 2008-09-25 01:00:26.000000000 +0900
@@ -88,6 +88,8 @@
# Then, set this line to something like
#
# auth_param basic program /opt/local/libexec/ncsa_auth /opt/local/etc/passwd
+# ADDED Yuanying
+auth_param basic program /opt/local/libexec/ncsa_auth /opt/local/etc/passwd
#
# "children" numberofchildren
# The number of authenticator processes to spawn. If you start too few
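Review bot: the added `auth_param basic program` line hands /opt/local/etc/passwd to ncsa_auth, but neither the line nor its `# ADDED Yuanying` comment records how that file is created or who may read it. Since it holds the proxy's password hashes, note in the comment that it is an htpasswd-format file and keep it readable only by the account Squid runs its helpers as. It is also worth a comment that the `basic` scheme sends the password only base64-encoded on every request, so it is readable on the path between client and proxy unless that hop is protected some other way.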
@@ -95,7 +97,8 @@
# verifications, slowing it down. When credential verifications are
# done via a (slow) network you are likely to need lots of
# authenticator processes.
-# auth_param basic children 5
+# UNCOMMENTED Yuanying
+auth_param basic children 5
#
# "concurrency" numberofconcurrentrequests
# The number of concurrent requests/channels the helper supports.
@@ -108,7 +111,8 @@
# Specifies the realm name which is to be reported to the client for
# the basic proxy authentication scheme (part of the text the user
# will see when prompted their username and password).
-# auth_param basic realm Squid proxy-caching web server
+# UNCOMMENTED Yuanying
+auth_param basic realm Squid proxy-caching web server
#
# "credentialsttl" timetolive
# Specifies how long squid assumes an externally validated
@@ -119,7 +123,8 @@
# using an one-time password system (such as SecureID). If you are using
# such a system, you will be vulnerable to replay attacks unless you
# also use the max_user_ip ACL in an http_access rule.
-# auth_param basic credentialsttl 2 hours
+# UNCOMMENTED Yuanying
+auth_param basic credentialsttl 2 hours
#
# "casesensitive" on|off
# Specifies if usernames are case sensitive. Most user databases are
@@ -621,6 +626,9 @@
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
+# ADDED Yuanying
+acl password proxy_auth REQUIRED
+
# TAG: http_access
# Allowing or Denying access based on defined access lists
#
@@ -664,6 +672,9 @@
# from where browsing should be allowed
http_access allow localnet
+# ADDED Yuanying
+http_access allow password
+
# And finally deny all other access to this proxy
http_access deny all
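Review bot: `http_access allow password` carries no source restriction, so any address that presents valid credentials matches it and the password file becomes the only barrier for clients outside `localnet`. If the outside clients come from known addresses, put a src ACL on the same rule so both must match, for example `http_access allow trusted_src password` (trusted_src is a hypothetical ACL name, not defined in this file). The position after `allow localnet` and before `deny all` is right.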
@@ -1117,6 +1128,7 @@
# Squid normally listens to port 3128
http_port 3128
+
# TAG: https_port
# Note: This option is only available if Squid is rebuilt with the
# --enable-ssl option
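Review bot: the only change in this hunk is a blank line added after `http_port 3128`. Drop it so the diff against squid.conf.default shows only the settings that were actually changed.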
@@ -3081,6 +3093,11 @@
#
#Default:
# none
+# ADDED Yuanying
+header_access X-Forwarded-For deny all
+header_access Via deny all
+header_access Cache-Control deny all
+
# TAG: header_replace
# Usage: header_replace header_name message
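Review bot: of the three added `header_access` lines, `Cache-Control deny all` does not belong with the other two. X-Forwarded-For and Via are the headers that disclose a proxy and the client address; Cache-Control carries caching directives, and denying it discards those directives without hiding anything. Suggest removing that line, or extending the `# ADDED Yuanying` comment to say why it is needed.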
@@ -3373,6 +3390,8 @@
#
#Default:
# none
+# ADDED Yuanying
+visible_hostname www.fraction.jp
# TAG: unique_hostname
# If you want to have multiple machines with the same
@@ -4723,6 +4742,9 @@
#
#Default:
# forwarded_for on
+# ADDED Yuanying
+forwarded_for off
+
# TAG: cachemgr_passwd
# Specify passwords for cachemgr operations.