Firewall-circumvention example: Squid-Privoxy-SSH


Squid is configured so that blocked sites are routed through an SSH tunnel. Because the SSH tunnel only offers a SOCKS5 proxy while Squid needs an HTTP parent, a Privoxy relay is placed in between to convert SOCKS5 into HTTP, which Squid then serves out to clients.

Minimal squid proxy configuration

  acl all src 0.0.0.0/0.0.0.0
  acl manager proto cache_object
  acl localhost src 127.0.0.1/255.255.255.255
  acl to_localhost dst 127.0.0.0/8
  acl SSL_ports port 443
  acl CONNECT method CONNECT

  # note: "allow all" accepts any client that can reach port 80; restrict to the LAN with a src acl before exposing it
  http_access allow all
  icp_access allow all

  http_port 80 transparent
  cache_peer 10.18.2.209 parent 9999 0 round-robin no-query name=proxy9999

  hierarchy_stoplist cgi-bin ?
  acl QUERY urlpath_regex cgi-bin \?
  cache deny QUERY

  access_log /var/log/squid/access.log squid
  coredump_dir /var/spool/squid

Installing and configuring Privoxy

  cd privoxy-3.0.16-stable
  ./configure --prefix=/usr/local/privoxy; make
  make -s install USER=privoxy GROUP=privoxy
  vi config
  Add or modify the following lines:
  listen-address  10.18.2.209:9999
  forward-socks5  /  127.0.0.1:8888 .
  Start it:
    # cd /usr/local/privoxy/sbin
    # ./privoxy --user privoxy --pidfile ../var/run/privoxy.pid ../etc/config
  At this point every HTTP request arriving on port 9999 of 10.18.2.209 is converted into a SOCKS request and forwarded to port 8888 on the local machine.

Setting up SSH tunnels to an overseas IP

  • ssh -CfNg -D 10.18.2.209:8887 root@<overseas IP>
  • ssh -CfNg -D 10.18.2.209:8888 root@<overseas IP>
  Error seen while connecting:
  channel 11: open failed: connect failed: Connection refused
  Fix: "AllowTcpForwarding yes" and "GatewayPorts yes" had not been enabled in sshd_config on the server
Browser proxy settings for circumvention
  HTTP proxy 10.18.2.209:9999, or the SSH SOCKS proxy: 10.18.2.209 8887
  Squid proxy 10.18.2.209:80
Multiple overseas IPs: set up one SSH tunnel per IP, convert each through Privoxy, and serve them all through squid cache_peer
Example configuration
cat squid.conf
  visible_hostname huaying.vm
  acl all src 0.0.0.0/0.0.0.0

  # cap the number of concurrent connections from a single client IP
  acl OverConnLimit maxconn 64
  # acl matching the destination domain facebook.com
  acl domains_allow dstdomain .facebook.com
  acl domains_deny dstdomain .taobao.com

  http_access deny OverConnLimit
  http_access deny domains_deny
  http_access allow !domains_deny
  # always_direct: access list of requests that must be forwarded directly to the origin server
  always_direct deny !domains_deny
  always_direct allow domains_deny

  # never_direct: access list of requests that must never be sent directly to the origin server
  never_direct allow all
  http_access allow all
  icp_access allow all

  # hierarchy_stoplist: controls how squid forwards requests that cannot go through the hierarchy
  hierarchy_stoplist cgi-bin
  acl QUERY urlpath_regex cgi-bin
  cache deny QUERY

  logformat combined %>a %ui %un %Ss [%tl] %mt "%rm %ru HTTP/%rv" %Hs %h" "%{User-Agent}>h" %>A
  access_log /var/log/squid/localhost_access_log.txt combined
  cache_store_log none

  http_port 10.18.4.168:80 transparent
  # no-query: send no ICP queries to the parent, just fetch through it
  # round-robin: rotate requests across the parent peers
  cache_peer 10.18.4.168 parent 8710 0 round-robin no-query name=proxy8710
  ...
  cache_peer 10.18.4.168 parent 8769 0 round-robin no-query name=proxy8769

  cachemgr_passwd 123645 all
  tcp_recv_bufsize 65535 bytes
  cache_dir null /tmp
  # cache_mem: the ideal amount of memory squid may use
  cache_mem 4096 MB
  maximum_object_size 20 MB
  maximum_object_size_in_memory 5 MB
  negative_ttl 5 seconds
  memory_replacement_policy lru
  • Watchdog script for the multiple SSH tunnels
  # cat sshtun_mon.sh
  #!/bin/bash
  # Keeps one SSH SOCKS tunnel per (host, port) pair alive: tunnel (i, j) listens on
  # 127.0.0.1:17ij and logs in as cnproxy@host$i; any tunnel whose process is gone is restarted.
  hosts_total=6
  ports_per_host=10
  while true; do
    for ((i = 1; i <= hosts_total; i++)); do
      for ((j = 0; j <= ports_per_host - 1; j++)); do
        # count ssh processes for this tunnel; the second grep drops the grep process itself
        running=$(ps -ef | grep "ssh -CfNg -D 127.0.0.1:17$i$j " | grep -c host)
        if [ "$running" -lt 1 ]; then
          nohup ssh -CfNg -D "127.0.0.1:17$i$j" "cnproxy@host$i" >> /dev/null 2>&1 &
          echo "$(date) :: ssh_port 17$i$j not exists. We start it with this command: nohup ssh -CfNg -D 127.0.0.1:17$i$j cnproxy@host$i &" >> /tmp/sshport_mon.log
        else
          echo "ssh_port 17$i$j is online"
        fi
      done
    done
    sleep 2
  done
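The cache_peer list and the watchdog script above follow one numbering rule: tunnel (i, j) has its SSH SOCKS listener on 127.0.0.1:17ij and the Privoxy instance in front of it on 87ij. As an added example (not from the original page), this script generates the matching Privoxy fragment and Squid peer lines from that rule; PROXY_IP and ALLOW_NET are assumed values, and the permit-access line is an addition that limits each Privoxy to the assumed LAN instead of leaving it reachable by anyone.

```shell
#!/bin/sh
# Added example (not from the original page): emit the per-tunnel Privoxy and
# Squid settings for the page's numbering rule, where tunnel (i, j) has its SSH
# SOCKS listener on 127.0.0.1:17ij and its Privoxy HTTP listener on PROXY_IP:87ij.

PROXY_IP="${PROXY_IP:-10.18.4.168}"      # peer address used in the page's squid.conf
ALLOW_NET="${ALLOW_NET:-10.18.0.0/16}"   # assumed client LAN; without permit-access
                                         # Privoxy would accept anyone who can reach it

# Config fragment for the Privoxy instance that fronts tunnel (i, j).
gen_privoxy_config() {
  i=$1; j=$2
  printf 'listen-address  %s:87%s%s\n' "$PROXY_IP" "$i" "$j"
  printf 'permit-access   %s\n' "$ALLOW_NET"
  printf 'forward-socks5  /  127.0.0.1:17%s%s .\n' "$i" "$j"
}

# One cache_peer line per tunnel, all in the same round-robin pool, so squid
# spreads requests across every tunnel (hosts x per_host lines).
gen_squid_peers() {
  hosts=$1; per_host=$2
  # the two-digit suffix "ij" only works for i in 1..9 and j in 0..9
  if [ "$hosts" -gt 9 ] || [ "$per_host" -gt 10 ]; then
    echo "port scheme 17ij/87ij supports at most 9 hosts x 10 ports" >&2
    return 1
  fi
  i=1
  while [ "$i" -le "$hosts" ]; do
    j=0
    while [ "$j" -lt "$per_host" ]; do
      echo "cache_peer $PROXY_IP parent 87$i$j 0 round-robin no-query name=proxy87$i$j"
      j=$((j + 1))
    done
    i=$((i + 1))
  done
}

# Usage: `sh gen_tunnels.sh emit` prints the 60 peer lines for 6 hosts x 10 ports.
if [ "${1:-}" = "emit" ]; then
  gen_squid_peers 6 10
fi
```

Write `gen_privoxy_config 1 0 > /usr/local/privoxy/etc/config.8710` (path assumed) for each tunnel and start one privoxy process per file with its own --pidfile, as in the single-instance start command above.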