-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathREADME.md
119 lines (115 loc) · 3.39 KB
/
README.md
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
#! /bin/bash
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:~/bin
export PATH
SECRETS_PATH=/root/secrets
if [[ $EUID -ne 0 ]]; then
echo "Error:This script must be run as root!" 1>&2
exit 1
fi
mkdir -p ${SECRETS_PATH}
setenforce 0
ulimit -n 800000
echo "* soft nofile 800000" >> /etc/security/limits.conf
echo "* hard nofile 800000" >> /etc/security/limits.conf
echo "alias net-pf-10 off" >> /etc/modprobe.d/dist.conf
echo "alias ipv6 off" >> /etc/modprobe.d/dist.conf
killall sendmail
/etc/init.d/postfix stop
chkconfig --level 2345 postfix off
chkconfig --level 2345 sendmail off
yum -y install squid
cat > /etc/squid/squid.conf <<-EOF
auth_param basic program /usr/bin/python /etc/squid/auth.py
auth_param basic children 5
auth_param basic realm Welcome to wofanvpn.cn proxy web server
acl manager proto cache_object
acl localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl squid_user proxy_auth REQUIRED
http_access allow squid_user
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny all
http_port 25
coredump_dir /var/spool/squid
refresh_pattern -i ^ftp: 525600 95% 525600 reload-into-ims
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 reload-into-ims
refresh_pattern -i . 525600 95% 525600 reload-into-ims
strip_query_terms off
visible_hostname wofanvpn.cn
cache_mgr hi@charlesbao.com
cache_store_log none
cache_access_log none
cache_mem 512 MB
cache_dir aufs /var/cache/squid 5000 128 128
cache_swap_low 90
cache_swap_high 95
maximum_object_size 128 MB
maximum_object_size_in_memory 128 MB
dns_nameservers 8.8.8.8 8.8.4.4
client_lifetime 1 minutes
half_closed_clients off
fqdncache_size 65535
ipcache_size 65535
ipcache_low 90
ipcache_high 95
EOF
cat > /etc/squid/proxy-secrets <<-EOF
iwofan 123123 #
EOF
cat > /etc/squid/auth.py <<-EOF
#!/usr/bin/python
#coding:utf-8
import sys
fp = open('/etc/squid/proxy-secrets','r')
contents = fp.read()
fp.close()
line = sys.stdin.readline()
fields = line.replace('\n',' #')
if fields in contents:
sys.stdout.write('OK\n')
else:
sys.stdout.write('ERR\n')
EOF
mkdir -p /var/cache/squid
chmod -R 777 /var/cache/squid
squid -z
service squid restart
chkconfig --level 2345 squid on
iptables -t nat -F
iptables -t nat -X
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
iptables -t mangle -F
iptables -t mangle -X
iptables -t mangle -P PREROUTING ACCEPT
iptables -t mangle -P INPUT ACCEPT
iptables -t mangle -P FORWARD ACCEPT
iptables -t mangle -P OUTPUT ACCEPT
iptables -t mangle -P POSTROUTING ACCEPT
iptables -F
iptables -X
iptables -P FORWARD ACCEPT
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -t raw -F
iptables -t raw -X
iptables -t raw -P PREROUTING ACCEPT
iptables -t raw -P OUTPUT ACCEPT
service iptables save
service iptables restart
ln -s /etc/squid/proxy-secrets ${SECRETS_PATH}/proxy-secrets