问Squid SSL透明代理

EN

acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all
ssl_bump splice all

#!/bin/sh

## Bypass Squid

ipset -L no-proxy >/dev/null 2>&1
if [ $? -ne 0 ]; then
        echo "Creating ipset: no-proxy."
        ipset create no-proxy hash:ip
fi

ipset flush no-proxy

if [ -f "/etc/squid/no-proxy-iptables.txt" ]; then
        for domain in $(cat /etc/squid/no-proxy-iptables.txt); do
                for address in $( dig a $domain +short | grep -P -e '^(\d{1,3}\.){3}\d{1,3}$' ); do
                        echo $domain " -> " $address
                        ipset add no-proxy $address
                done
        done
else
        echo "File doess not exist: /etc/squid/no-proxy-iptables.txt"
fi

#!/bin/sh

iptables -t nat -F
iptables -t mangle -F
iptables -F # Does NOT flush everything! Hence the other three commands.
iptables -X

# Squid: exceptions
ipset -L no-proxy >/dev/null 2>&1
if [ $? -eq 0 ]; then
        echo "Using ipset: no-proxy."
        iptables -t nat -A PREROUTING -i br0 -m set --match-set no-proxy dst -j ACCEPT
fi

# Squid: HTTP
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 80 -j DNAT --to 192.168.1.31:3128
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 80 -j REDIRECT --to-port 3128

# Squid: HTTPS
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 443 -j DNAT --to 192.168.1.31:3129
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 443 -j REDIRECT --to-port 3129

# IP masquerade

iptables -A FORWARD -o wlan0 -i br0 -s 192.168.1.0/24 -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -F POSTROUTING
iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE
iptables -t nat -A POSTROUTING -o enp0s6f1u2 -j MASQUERADE

# echo 1 > /proc/sys/net/ipv4/ip_forward

iptables-save > /etc/iptables/rules.v4