安裝Transparent Proxy - Squid + squidGuard

apt-get install squid

-updated at 080317
-針對dynamic content 之修改

之後修改 /etc/squid/squid.conf

http_port 3128 transparent
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
#no_cache deny QUERY
cache deny QUERY
hosts_file /etc/hosts
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 15 75% 4320
refresh_pattern /blog/ 0 15% 360
refresh_pattern /blog/images/ 15 75% 4320
refresh_pattern -i \.flv$ 10080 90% 999999 ignore-no-cache override-expire ignore-private
quick_abort_min -1 KB
maximum_object_size 4 GB
acl youtube dstdomain .youtube.com
cache allow youtube
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563 # https, snews
acl SSL_ports port 873 # rsync
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT
acl purge method PURGE
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl our_networks src 192.168.10.0/24
http_access allow our_networks
acl client_networks src 61.93.61.0/24 58.177.74.0/24
acl client_networks_name srcdomain home.ngwong.com
http_access allow client_networks
http_access allow client_networks_name
http_access deny all
http_reply_access allow all
icp_access allow all
cache_mgr jeff@jktn.com
visible_hostname jktn.com

cache_access_log /var/log/squid/access.log
emulate_httpd_log off

coredump_dir /var/spool/squid
extension_methods REPORT MERGE MKACTIVITY CHECKOUT UPDATE

而且因為我有用svn 去做文件處理，所以最後我都要加一句，

extension_methods REPORT MERGE MKACTIVITY CHECKOUT

apt-get install squidguard


建立 /etc/squid/squidguard.conf

#
# CONFIG FILE FOR SQUIDGUARD
#

dbhome /var/lib/squidguard/db
logdir /var/log/squid

#
# TIME RULES:
# abbrev for weekdays:
# s = sun, m = mon, t =tue, w = wed, h = thu, f = fri, a = sat

#time workhours {
# weekly mtwhf 08:00 - 16:30
# date *-*-01 08:00 - 16:30
#}

src privileged {
ip 192.168.10.1-192.168.10.20
}

destination porn {
domainlist porn/domains
urllist porn/urls
}

destination aggressive {
domainlist aggressive/domains
urllist aggressive/urls
}

#destination audio-video {
# domainlist audio-video/domains
# urllist audio-video/urls
#}

#destination drugs {
# domainlist drugs/domains
# urllist drugs/urls
#}

#destination gambling {
# domainlist gambling/domains
# urllist gambling/urls
#}

destination hacking {
domainlist hacking/domains
urllist hacking/urls
}

#destination mail {
# domainlist mail/domains
# urllist mail/urls
#}

#destination proxy {
# domainlist proxy/domains
# urllist proxy/urls
#}

#destination violence {
# domainlist violence/domains
# urllist violence/urls
#}

#destination warez {
# domainlist warez/domains
# urllist warez/urls
#}


acl {
privileged {
# pass !ads !aggressive !audio-video !drugs !gambling !hacking !mail !porn !proxy !violence !warez all
pass !porn !aggressive !hacking all
redirect http://192.168.10.1/stop.html
}

default {
pass none
redirect http://192.168.10.1/stop.html
#redirected http://
}
}

記得下載squidGuard Blacklist 或自訂一份

因為我想安裝的是transproxy，所以我的iptables 內要加上這句

$IPT (hyphen)t nat -A PREROUTING -i eth1 -p TCP -s $INNET --dport 80 -j REDIRECT --to-ports 3128

將所有LAN內對www 的要求，都轉到squid 的 3218 Port

Link:

Squid Optimization Guide