Background

When you are on an unfamiliar network and want to route traffic through your own network without installing any software, the usual approach is an HTTP or SOCKS proxy.

However, the external proxy that openwrt-passwall2 supports speaks plain HTTP. To use an HTTPS proxy instead, an extra forwarding hop is needed.

Forwarding over HTTPS with squid

Deploy a squid container on a suitable machine or server, then reach it either through a routing rule or by connecting to it directly as the proxy:

  1. docker-compose.yml

```yaml
version: '3.4'

services:
  squid:
    image: b4tman/squid
    container_name: squid
    network_mode: host # If the host has a public IPv6 address, host mode is enough; no extra Docker IPv6 setup (which is tedious) is needed. The listening ports are set in squid.conf.
    #ports:
    #  - "6666:3128"
    #  - "3333:3127"
    volumes:
      - ./cache:/var/spool/squid
      - ./squid.conf:/etc/squid/squid.conf
      - ./cert:/cert:ro  # mount the local certificate directory ./cert as /cert inside the container (fullchain.pem and privkey.pem live here)
      - ./htpasswd:/etc/squid/passwords # password file
```

  1. squid.conf:

```
# Basic configuration
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwords
auth_param basic children 50
auth_param basic realm xlqdys Proxy Server
auth_param basic credentialsttl 2 hours
acl authenticated proxy_auth REQUIRED
http_access allow authenticated
http_access deny all
visible_hostname xlqdys.proxy

http_port 3128
https_port 3127 \
cert=/cert/fullchain.pem \
key=/cert/privkey.pem

# ANONYMOUS PROXY: do not reveal the client or the proxy to the origin server
forwarded_for off
request_header_access Allow allow all
request_header_access Authorization allow all
request_header_access WWW-Authenticate allow all
request_header_access Proxy-Authorization allow all
request_header_access Proxy-Authenticate allow all
request_header_access Cache-Control allow all
request_header_access Content-Encoding allow all
request_header_access Content-Length allow all
request_header_access Content-Type allow all
request_header_access Date allow all
request_header_access Expires allow all
request_header_access Host allow all
request_header_access If-Modified-Since allow all
request_header_access Last-Modified allow all
request_header_access Location allow all
request_header_access Pragma allow all
request_header_access Accept allow all
request_header_access Accept-Charset allow all
request_header_access Accept-Encoding allow all
request_header_access Accept-Language allow all
request_header_access Content-Language allow all
request_header_access Mime-Version allow all
request_header_access Retry-After allow all
request_header_access Title allow all
request_header_access Connection allow all
request_header_access Proxy-Connection allow all
request_header_access User-Agent allow all
request_header_access Cookie allow all
request_header_access All deny all

request_header_access Via deny all
request_header_access Forwarded-For deny all
request_header_access X-Forwarded-For deny all
```

The original listed `auth_param basic realm` twice (`proxy` and `xlqdys Proxy Server`); only the last one takes effect, so the duplicate is dropped here.
  1. Generate the password file: `docker run --rm xmartlabs/htpasswd YOUR_USERNAME YOUR_PASSWORD > htpasswd`
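As an added sanity check (not part of the original post or of squid), this script parses a squid.conf in the format above and flags the settings that matter for this setup: access gated by a proxy_auth ACL and closed with `deny all`, an `https_port` that carries both `cert=` and `key=`, the Via / X-Forwarded-For headers suppressed, and a duplicated realm line. The embedded sample config is constructed to mirror the one above.

```python
import re
# Constructed sample mirroring the squid.conf above (abridged).
SAMPLE_CONF = """\
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwords
auth_param basic realm xlqdys Proxy Server
acl authenticated proxy_auth REQUIRED
http_access allow authenticated
http_access deny all
https_port 3127 \\
cert=/cert/fullchain.pem \\
key=/cert/privkey.pem
forwarded_for off
request_header_access Via deny all
request_header_access X-Forwarded-For deny all
"""

def parse(conf):
    """Join backslash continuations, drop comments and blanks, tokenise each directive."""
    directives = []
    for line in re.sub(r"\\\n", " ", conf).splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            directives.append(line.split())
    return directives

def check(conf):
    """Return a list of findings; an empty list means every check passed."""
    d, findings = parse(conf), []
    # 1. Auth: a proxy_auth ACL must be allowed and the ruleset must end in 'deny all'
    auth_acls = {t[1] for t in d if t[0] == "acl" and t[2:3] == ["proxy_auth"]}
    access = [t for t in d if t[0] == "http_access"]
    if not any(t[1] == "allow" and set(t[2:]) & auth_acls for t in access):
        findings.append("no http_access allow rule is gated by a proxy_auth ACL")
    if not access or access[-1][1:] != ["deny", "all"]:
        findings.append("http_access does not end with 'deny all'")
    # 2. TLS listener: https_port must carry both cert= and key=
    for t in [t for t in d if t[0] == "https_port"]:
        if not {"cert", "key"} <= {o.split("=", 1)[0] for o in t[2:]}:
            findings.append(f"https_port {t[1]} lacks cert= or key=")
    # 3. Anonymity: client address must not leak via X-Forwarded-For or Via
    if ["forwarded_for", "off"] not in d:
        findings.append("forwarded_for is not off")
    denied = {t[1] for t in d if t[0] == "request_header_access" and t[2:] == ["deny", "all"]}
    for h in ("Via", "X-Forwarded-For"):
        if h not in denied and "All" not in denied:
            findings.append(f"request_header_access {h} deny all missing")
    # 4. Duplicate realm lines: squid silently keeps the last one
    if sum(t[:3] == ["auth_param", "basic", "realm"] for t in d) > 1:
        findings.append("auth_param basic realm is set more than once")
    return findings
```

Run `check(open("squid.conf").read())` against the real file before restarting the container; an empty list means all four checks passed.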

IPv6 notes

If the host has IPv6 connectivity, clients going through the squid proxy can reach IPv6 addresses even when they have no IPv6 themselves.

HTTPS certificate notes

If the certificate files come from another server, see the article on distributing certificate files to other servers: trigger a restart of the Docker container right after each certificate renewal, and the certificates need no manual maintenance.