- chkconfig iptables off
- chkconfig ip6tables off
- vi /etc/selinux/config
- cd /home
- wget http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
- rpm -Uvh epel-release-6-8.noarch.rpm
- cd /etc/yum.repos.d
- vi SQUID.repo
- [Squid]
- name=SQUID repo for CentOS Linux 6 - $basearch
- #IL mirror
- baseurl=http://www1.ngtech.co.il/rpm/centos/6/i686
- failovermethod=priority
- enabled=1
- gpgcheck=0
- yum update
- yum install perl-Crypt-OpenSSL-X509
- yum install squid
- /usr/lib/squid/ssl_crtd -c -s /var/lib/ssl_db
- chown -R squid.squid /var/lib/ssl_db
- vi /etc/squid/squid.conf
- acl localnet src 192.168.201.0/24
- acl SSL_ports port 443
- acl Safe_ports port 80 # http
- acl Safe_ports port 21 # ftp
- acl Safe_ports port 443 # https
- acl Safe_ports port 70 # gopher
- acl Safe_ports port 210 # wais
- acl Safe_ports port 1025-65535 # unregistered ports
- acl Safe_ports port 280 # http-mgmt
- acl Safe_ports port 488 # gss-http
- acl Safe_ports port 591 # filemaker
- acl Safe_ports port 777 # multiling http
- acl CONNECT method CONNECT
- http_access deny !Safe_ports
- http_access deny CONNECT !SSL_ports
- http_access allow all
- http_port 3130
- http_port 3128 intercept
- https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/myca.pem key=/etc/squid/ssl_cert/myca.pem
- #always_direct allow all
- ssl_bump server-first all
- #sslproxy_cert_error deny all
- #sslproxy_flags DONT_VERIFY_PEER
- sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
- sslcrtd_children 8 startup=1 idle=1
- coredump_dir /var/spool/squid
- # Add any of your own refresh_pattern entries above these.
- refresh_pattern ^ftp: 1440 20% 10080
- refresh_pattern ^gopher: 1440 0% 1440
- refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
- refresh_pattern . 0 20% 4320
- shutdown_lifetime 1 second
- We will first edit our /etc/pki/tls/openssl.cnf file, and alter only the following:
- default_days = 1365 # How long to certify for
- ...
- [ req_distinguished_name ]
- countryName = Country Name (code)
- countryName_default = DE
- countryName_min = 2
- countryName_max = 2
- stateOrProvinceName = State or Province Name (full name)
- stateOrProvinceName_default = NRW
- localityName = Locality Name (eg, city)
- localityName_default = Paderborn
- 0.organizationName = Organization Name (eg, company)
- 0.organizationName_default = Home.LAN
- # we can do this but it is not needed normally :-)
- #1.organizationName = Second Organization Name (eg, company)
- #1.organizationName_default = World Wide Web Pty Ltd
- organizationalUnitName = Organizational Unit Name (eg, section)
- organizationalUnitName_default = Proxy Server
- commonName = Common Name (eg, your name or your server's hostname)
- # (Very Important, in order to keep mail clients and other user agents from complaining, this name must
- # match exactly the name that the user will be entering into their client settings. Whether that be
- # domain.extension or mail.domain.extension or what. It must be a valid DNS name pointing at your
- # server.
- commonName_default = proxy.home.lan # you need to add this line
- commonName_max = 64
- emailAddress = Email Address
- emailAddress_default = robert@proxy.home.lan # you need to add this line
- emailAddress_max = 64
- mkdir /etc/squid/ssl_cert
- chown -R squid.squid /etc/squid/ssl_cert
- cd /etc/squid/ssl_cert
- openssl req -new -newkey rsa:1024 -days 1365 -nodes -x509 -keyout myca.pem -out myca.pem
- openssl x509 -in myca.pem -outform DER -out myca.der
- mkdir /var/named/home.lan
- touch /var/named/home.lan/db.home
- chown -R named.named /var/named/home.lan