Installing a Squid proxy
Using caddy as a registry mirror is too much trouble: every proxied registry address has to be specified one by one. With Squid's HTTPS proxy it is done in a single step.
Certificate installation
# certbot renews the certificate automatically
sudo yum install epel-release -y
sudo yum install certbot -y
# Bind the challenge listener to another port. The HTTP-01 challenge still arrives on port 80; this only avoids a port conflict, so port 80 must be forwarded to 8080
certbot certonly --standalone --http-01-port 8443 -d docker.proxy.forseasioning.top
# Default, listening on port 80
# certbot certonly --standalone -d docker.proxy.xxxx.xxx
Squid installation and configuration
sudo yum install -y squid
sudo systemctl start squid
sudo systemctl enable squid
# Add the following to the configuration file
vi /etc/squid/squid.conf

auth_param basic program /usr/lib64/squid/basic_ncsa_auth /etc/squid/passwords
auth_param basic children 5
auth_param basic credentialsttl 1 minute
acl auth proxy_auth REQUIRED
http_access deny !auth
http_access allow auth
# Enable HTTPS on port 8443; change the certificate and key paths to the correct ones
https_port 8443 cert=/etc/letsencrypt/live/docker.proxy.xxxx.xxx/fullchain.pem key=/etc/letsencrypt/live/docker.proxy.xxxx.xxx/privkey.pem
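The order of the two http_access lines above is what keeps this from being an open proxy: if an allow were evaluated before the deny of unauthenticated clients, anyone on the Internet could tunnel through the listener. The following shell function is an added example (my own, not squid's tooling and not part of the original post) that lints a squid.conf for the three things this setup depends on: a proxy_auth ACL marked REQUIRED, the deny of unauthenticated clients appearing before any allow, and https_port cert/key files that actually exist. The function name and its messages are assumptions; the configuration keys are squid's own.

```shell
# Added example: lint a squid.conf fragment for the auth-before-allow pattern.
# Usage: check_squid_conf /etc/squid/squid.conf
check_squid_conf() {
  conf=$1

  # 1. A proxy_auth ACL marked REQUIRED must exist, otherwise "auth" matches nothing.
  grep -Eq '^acl[[:space:]]+[^[:space:]]+[[:space:]]+proxy_auth[[:space:]]+REQUIRED' "$conf" \
    || { echo "missing 'acl <name> proxy_auth REQUIRED'"; return 1; }

  # 2. "http_access deny !<acl>" must come before every "http_access allow":
  #    squid applies the first matching rule, so an earlier allow bypasses the auth check.
  awk '
    /^http_access[ \t]+deny[ \t]+!/ { if (!seen_allow) deny_first = 1 }
    /^http_access[ \t]+allow/       { seen_allow = 1 }
    END { exit deny_first ? 0 : 1 }
  ' "$conf" || { echo "'http_access deny !auth' must precede every 'http_access allow'"; return 1; }

  # 3. There must be an https_port, and each one must point at a readable cert and key
  #    (a wrong path is one way the TLS listener silently fails to come up).
  grep -q '^https_port' "$conf" || { echo "no https_port line"; return 1; }
  grep '^https_port' "$conf" | while read -r line; do
    cert=$(printf '%s\n' "$line" | sed -n 's/.*cert=\([^ ]*\).*/\1/p')
    key=$(printf '%s\n' "$line" | sed -n 's/.*key=\([^ ]*\).*/\1/p')
    [ -n "$cert" ] && [ -r "$cert" ] || { echo "cert not readable: '$cert'"; exit 1; }
    [ -n "$key" ] && [ -r "$key" ] || { echo "key not readable: '$key'"; exit 1; }
  done || return 1

  echo "OK: $conf"
}

# Stand-alone usage: pass the config path as the first argument.
if [ "$#" -gt 0 ]; then
  check_squid_conf "$1"
fi
```

Run it after every edit and before `systemctl reload squid`; it complements rather than replaces `squid -k parse`, which checks syntax but not the intent of the rule order.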
Username and password configuration
# Install the Apache tools package
yum install httpd-tools -y
# Create the file and add a username/password
htpasswd -c -bm /etc/squid/passwords username password
# Append another username/password
htpasswd -bm /etc/squid/passwords username password
# Delete a username
htpasswd -D /etc/squid/passwords username
Docker configuration
sudo mkdir -p /etc/systemd/system/docker.service.d
# tee runs under sudo, so the write into /etc succeeds (with "sudo cat << EOF > file" the redirect is done by the unprivileged shell)
sudo tee /etc/systemd/system/docker.service.d/http-proxy.conf > /dev/null << EOF
[Service]
Environment="HTTP_PROXY=https://username:passwd@docker.proxy.xxxx.xxx:8443"
Environment="HTTPS_PROXY=https://username:passwd@docker.proxy.xxxx.xxx:8443"
Environment="NO_PROXY=localhost,127.0.0.1,.example.com"
EOF
sudo systemctl daemon-reload
sudo systemctl restart docker
docker info | grep -i proxy
# Remove the proxy
sudo rm /etc/systemd/system/docker.service.d/http-proxy.conf
sudo systemctl daemon-reload
sudo systemctl restart docker
# After deleting the file you do not have to run the two lines above: docker info | grep -i proxy does not show the username and password in plain text, which keeps the proxy endpoint safe while the service keeps using the proxy until the next restart
# Remember to delete the shell history; n is the line number
history -d n
# Or clear all records of the current session
history -c
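The drop-in above embeds the credentials in a URL, so a password containing '@', ':', '/' or '#' breaks the proxy address, and the file itself holds the proxy password. The functions below are an added example (my own, not from the post or from Docker) that percent-encodes the user name and password before building the URL and writes the drop-in with mode 0600. The target directory is a parameter so the same code can be exercised outside /etc; the host name, port 8443 and file name come from the page, the sample credentials are constructed, and all function names are assumptions. Run it as root (for example via sudo sh) when the directory is the real /etc/systemd/system/docker.service.d.

```shell
# Added example: build the docker proxy drop-in with URL-safe credentials.

# Percent-encode every byte that is not unreserved per RFC 3986 so that
# special characters in the password cannot split the URL.
urlencode() {
  printf '%s' "$1" | od -An -tx1 -v | tr -s ' ' '\n' | while read -r hex; do
    [ -n "$hex" ] || continue
    ch=$(printf "\\$(printf '%03o' "0x$hex")")
    case "$ch" in
      [A-Za-z0-9._~-]) printf '%s' "$ch" ;;
      *) printf '%%%s' "$(printf '%s' "$hex" | tr 'a-f' 'A-F')" ;;
    esac
  done
}

# Print the systemd drop-in for the given proxy host, user and password.
# Usage: render_docker_proxy_dropin <host> <user> <password> [no_proxy] [port]
render_docker_proxy_dropin() {
  host=$1; user=$2; pass=$3
  no_proxy=${4:-localhost,127.0.0.1}
  port=${5:-8443}
  url="https://$(urlencode "$user"):$(urlencode "$pass")@${host}:${port}"
  printf '[Service]\nEnvironment="HTTP_PROXY=%s"\nEnvironment="HTTPS_PROXY=%s"\nEnvironment="NO_PROXY=%s"\n' \
    "$url" "$url" "$no_proxy"
}

# Write the drop-in into <dir>/http-proxy.conf, readable by root only,
# because it contains the proxy password in clear text.
# Usage: install_docker_proxy_dropin <dir> <host> <user> <password> [no_proxy] [port]
install_docker_proxy_dropin() {
  dir=$1; shift
  mkdir -p "$dir"
  render_docker_proxy_dropin "$@" > "$dir/http-proxy.conf"
  chmod 600 "$dir/http-proxy.conf"
}

# Stand-alone usage with constructed credentials (not real ones):
#   install_docker_proxy_dropin /etc/systemd/system/docker.service.d docker.proxy.xxxx.xxx username 'p@ss:w/rd#1'
#   systemctl daemon-reload && systemctl restart docker
```

After restarting docker, `docker info | grep -i proxy` should show the encoded URL with the password masked, as the post notes; the 0600 mode means the same secret is not readable by other local accounts either.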
Problems
Squid misbehaves after changing the domain
An interesting problem: the domain expired, I switched to a new domain, issued a certificate for it and configured it, but curl could not get through the proxy no matter what. Later I found that the HTTP proxy worked, and funniest of all, docker could pull images through the HTTPS proxy just fine; only curl failed with:
client:
curl: (56) Recv failure: Connection reset by peer
service:
1741101044.910 0 114.55.88.175 NONE_NONE/000 0 - error:transaction-end-before-headers - HIER_NONE/- -
---
HTTP proxy request to baidu:
1741101232.782 1184 114.55.88.175 TCP_MISS/200 2861 GET http://www.baidu.com/ zjl HIER_DIRECT/103.235.46.115 text/html
---
Log while docker pulls data:
1741101082.805 764 114.55.88.175 TCP_TUNNEL/200 4035 CONNECT dockerpull.org:443 zjl HIER_DIRECT/104.21.91.42 -
1741101086.149 1693 114.55.88.175 TCP_TUNNEL/200 4240 CONNECT dockerpull.pw:443 zjl HIER_DIRECT/172.67.177.194 -
1741101087.423 622 114.55.88.175 TCP_TUNNEL/200 3893 CONNECT dockerpull.org:443 zjl HIER_DIRECT/104.21.91.42 -
1741101089.150 977 114.55.88.175 TCP_TUNNEL/200 6203 CONNECT dockerpull.pw:443 zjl HIER_DIRECT/172.67.177.194 -
1741101092.066 2262 114.55.88.175 TCP_TUNNEL/200 4340 CONNECT dockerpull.pw:443 zjl HIER_DIRECT/172.67.177.194 -
Absurd. Before changing the domain, HTTPS curl seemed to work as well. This problem wasted quite a bit of my time. For now docker uses the HTTPS proxy and everything else uses HTTP.
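The log lines above are in Squid's native access-log format: timestamp, elapsed ms, client address, result/status, bytes, method, URL, authenticated user, hierarchy/peer, content type. The failing curl line is NONE_NONE/000 with error:transaction-end-before-headers, which means the client connection ended before Squid ever parsed a request header; on an https_port that is what a TLS handshake that never completes looks like (a client sending plain HTTP to the TLS port, or a client rejecting the certificate it was offered), while the docker lines show CONNECT tunnels that were authenticated as zjl and completed. As an added example (my own, not part of the original post), the functions below bucket such lines so the pattern is visible at a glance, and list clients accumulating 407 rejections, which on an Internet-facing proxy is the signal for credential guessing. The sample input embeds three lines from the page plus one constructed 407 line from a documentation address; function names are assumptions.

```shell
# Added example: triage Squid native access-log lines.

# Constructed sample: three lines taken from the page plus one made-up 407 rejection.
SAMPLE_LOG='1741101044.910 0 114.55.88.175 NONE_NONE/000 0 - error:transaction-end-before-headers - HIER_NONE/- -
1741101232.782 1184 114.55.88.175 TCP_MISS/200 2861 GET http://www.baidu.com/ zjl HIER_DIRECT/103.235.46.115 text/html
1741101082.805 764 114.55.88.175 TCP_TUNNEL/200 4035 CONNECT dockerpull.org:443 zjl HIER_DIRECT/104.21.91.42 -
1741101050.000 0 203.0.113.9 TCP_DENIED/407 3000 CONNECT registry-1.docker.io:443 - HIER_NONE/- text/html'

# Count lines per bucket. Reads the files given as arguments, or stdin.
# Fields: $3 client, $4 result/status, $6 method, $7 URL, $8 user.
triage_squid_log() {
  awk '
    {
      split($4, cs, "/"); code = cs[1]; status = cs[2]
      if (code == "NONE_NONE" && $7 == "error:transaction-end-before-headers")
        handshake++            # connection closed before any request header: TLS never completed
      else if (status == "407")
        denied++               # proxy authentication required and not supplied / wrong
      else if ($6 == "CONNECT" && code == "TCP_TUNNEL")
        tunnels++              # authenticated CONNECT tunnels (what a docker pull produces)
      else
        other++                # plain forwarded requests and everything else
    }
    END {
      printf "handshake_failures=%d auth_denied=%d tunnels=%d other=%d\n",
             handshake, denied, tunnels, other
    }
  ' "$@"
}

# List client addresses with their number of 407 rejections, most first.
auth_failures_by_client() {
  awk '
    { split($4, cs, "/"); if (cs[2] == "407") n[$3]++ }
    END { for (c in n) printf "%s %d\n", c, n[c] }
  ' "$@" | sort -k2,2nr
}

# Stand-alone usage on the embedded sample:
printf '%s\n' "$SAMPLE_LOG" | triage_squid_log
printf '%s\n' "$SAMPLE_LOG" | auth_failures_by_client
```

Point the functions at /var/log/squid/access.log to see the live picture. For the curl side of the symptom, `curl -v -x https://docker.proxy.xxxx.xxx:8443 -U user:pass https://example.com/` prints the TLS handshake to the proxy, so a certificate or host-name mismatch shows up on the client before looking at the proxy log.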