This Day and Age

Chinese is probably one of the few languages on this planet whose number of speakers grows by the day while the language itself shrinks by the day. Social media gets ever noisier, yet the numbers and words that may be used grow ever fewer; the Chinese-speaking population keeps growing, yet what can be said plainly keeps shrinking; the self-censorship checklist grows ever longer, yet getting into trouble for one's words seems ever easier. It is as if "silencing" were the ultimate purpose of this language environment, and "being an eyesore" the whole root of the charge against you.

Looking back over this year, it feels as though the system's only mechanism is to hand everyone a hoe and have them spend a lifetime digging their own grave. Hard to muster any spirit for it.

Tired. Let it all collapse.

Windows Server 2019: configuring audit policy, events recorded

Event ID 4720 indicates a user account was created.
Event ID 4722 indicates a user account was enabled.
Event ID 4740 indicates a user account was locked out.
Event ID 4725 indicates a user account was disabled.
Event ID 4726 indicates a user account was deleted.
Event ID 4738 indicates a user account was changed.
Event ID 4781 indicates an account name was changed.
Event ID 4663 indicates a file object was changed.
Event ID 4724 indicates a user password was changed.
Event ID 4672 indicates special privileges were assigned to a user.
Event ID 4719 indicates the audit policy was modified.
Event ID 7002 indicates a user actually logged off.
Event ID 6272 indicates a user logged on via 802.1X.

A winning hand played into the ground

Today I realized that all of human history is a winning hand played into the ground.

So it was with the Tang dynasty, with the Song, and with the Ming as well.

Today it is the same with the company, the same with the country, and even the same with me.

Fine days and lovely scenes pass before the eyes; flowers bloom and wither, as is nature's way.

How to Install Squid 5.6 on Ubuntu 20.04

Step 1

sudo apt -y install libssl-dev devscripts build-essential fakeroot debhelper dh-autoreconf dh-apparmor cdbs libcppunit-dev libsasl2-dev libxml2-dev libkrb5-dev libdb-dev libnetfilter-conntrack-dev libexpat1-dev libcap-dev libldap2-dev libpam0g-dev libgnutls28-dev libssl-dev libdbi-perl libecap3 libecap3-dev libsystemd-dev libtdb-dev

Step 2, clone Squid from git and configure

git clone https://github.com/squid-cache/squid.git squid
cd squid
git branch -r
git checkout v5
./bootstrap.sh
./configure --with-openssl --enable-ssl-crtd  --with-default-user=squid '--prefix=/usr' '--includedir=${prefix}/include' '--mandir=${prefix}/share/man' '--infodir=${prefix}/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--disable-silent-rules' '--libdir=${prefix}/lib/x86_64-linux-gnu' '--runstatedir=/run' '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid' '--libexecdir=/usr/lib/squid' '--mandir=/usr/share/man' '--enable-inline' '--enable-async-io=8' '--enable-storeio=ufs,aufs,diskd,rock' '--enable-removal-policies=lru,heap' '--enable-delay-pools' '--enable-cache-digests' '--enable-icap-client' '--enable-follow-x-forwarded-for' '--with-swapdir=/var/spool/squid' '--with-logdir=/var/log/squid' '--with-pidfile=/run/squid.pid' '--with-large-files' '--with-default-user=proxy' '--enable-linux-netfilter' '--with-gnutls'
make
sudo make install

Step 3, edit the squid.service file

sudo vi /lib/systemd/system/squid.service

[Unit]
Description=Squid Web Proxy Server
Documentation=man:squid(8)
After=network.target network-online.target nss-lookup.target

[Service]
Type=notify
PIDFile=/var/run/squid.pid
ExecStartPre=/usr/sbin/squid --foreground -z
ExecStart=/usr/sbin/squid --foreground -sYC
ExecReload=/bin/kill -HUP $MAINPID
KillMode=mixed
NotifyAccess=all

[Install]
WantedBy=multi-user.target

sudo systemctl daemon-reload

Step 4, edit the squid.conf file

sudo vi /etc/squid/squid.conf

#
# Recommended minimum configuration:
#

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 0.0.0.1-0.255.255.255  # RFC 1122 "this" network (LAN)
acl localnet src 10.0.0.0/8             # RFC 1918 local private network (LAN)
acl localnet src 100.64.0.0/10          # RFC 6598 shared address space (CGN)
acl localnet src 169.254.0.0/16         # RFC 3927 link-local (directly plugged) machines
acl localnet src 172.16.0.0/12          # RFC 1918 local private network (LAN)
acl localnet src 192.168.0.0/16         # RFC 1918 local private network (LAN)
acl localnet src fc00::/7               # RFC 4193 local private network range
acl localnet src fe80::/10              # RFC 4291 link-local (directly plugged) machines

acl nobumpSites ssl::server_name "/etc/squid/nobumpSites.list"
acl intermediate_fetching transaction_initiator certificate-fetching
http_access allow intermediate_fetching

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost

# And finally deny all other access to this proxy
http_access deny all
# Squid normally listens to port 3128
http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=20MB cert=/etc/squid/certs/squid-ca-cert-key.pem cipher=HIGH:MEDIUM:!LOW:!RC4:!SEED:!IDEA:!3DES:!MD5:!EXP:!PSK:!DSS options=NO_TLSv1,NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE tls-dh=prime256v1:/etc/squid/bump_dhparam.pem

sslproxy_cert_error allow all
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
ssl_bump peek step1 all
ssl_bump peek step2 nobumpSites
ssl_bump splice step3 nobumpSites
ssl_bump stare step2
ssl_bump bump step3

# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/spool/squid 100 16 256
cache_dir ufs /opt/squid/cache 3000 16 256

# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid

#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320

Step 5, set up the certificates

openssl req -new -newkey rsa:2048 -sha256 -days 365 -nodes -x509 -extensions v3_ca -keyout squid-ca-key.pem -out squid-ca-cert.pem
cat squid-ca-cert.pem squid-ca-key.pem >> squid-ca-cert-key.pem
sudo mkdir -p /etc/squid/certs
sudo cp squid-ca-cert-key.pem /etc/squid/certs/squid-ca-cert-key.pem
sudo chown proxy -R /etc/squid/certs/squid-ca-cert-key.pem
sudo openssl dhparam -outform PEM -out /etc/squid/bump_dhparam.pem 2048
sudo chown proxy -R /etc/squid/bump_dhparam.pem
sudo /usr/lib/squid/security_file_certgen -c -s /var/spool/squid/ssl_db -M 4MB

Step 6, set up the cache and start

sudo mkdir -p /opt/squid/cache
sudo vi /etc/squid/nobumpSites.list
.apple.com
:wq
sudo chown proxy -R /etc/squid/nobumpSites.list
sudo chown proxy -R /opt/squid/cache
sudo chown proxy -R /var/log/squid
sudo squid -z
sudo systemctl start squid.service
sudo systemctl enable squid.service

Step 7, copy the certificate 'squid-ca-cert.pem' to a computer or system and trust the certificate there, then set the proxy port to 3128.

Squid 5.2/5.6 HTTPS proxy on Ubuntu 20: the complete guide to tinkering with a man-in-the-middle proxy

The system is ubuntu-20.04.4-live-server-amd64, and the OpenSSL version is OpenSSL 1.1.1f 31 Mar 2020. If it runs in a VM, remember to add disk.EnableUUID = "TRUE" to the VM configuration file.

1. Save the following code as an executable sh file and run it.

#!/bin/bash

# all packages are installed as root
if [[ $EUID -ne 0 ]]; then
   echo "This script must be run as root" 1>&2
   exit 1
fi

# add diladele apt key
wget -qO - https://packages.diladele.com/diladele_pub.asc | sudo apt-key add -

# add new repo
echo "deb https://squid52.diladele.com/ubuntu/ focal main" \
    > /etc/apt/sources.list.d/squid52.diladele.com.list

# and install
apt-get update && apt-get install -y \
    squid-common \
    squid-openssl \
    squidclient \
    libecap3 libecap3-dev
systemctl daemon-reload

Generate the certificate files yourself:

openssl req -new -newkey rsa:2048 -sha256 -days 365 -nodes -x509 -extensions v3_ca -keyout squid-ca-key.pem -out squid-ca-cert.pem
cat squid-ca-cert.pem squid-ca-key.pem >> squid-ca-cert-key.pem

2. Check that the build includes --enable-ssl-crtd by running squid -v.

3. Configure squid.conf

acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

http_access allow localhost manager
http_access deny manager

# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports


http_access allow localnet
http_access allow localhost
# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128
htcp_port 4827
http_port 3218 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=20MB cert=/squid/certs/squid-ca-cert-key.pem
sslproxy_cert_error allow all
ssl_bump stare all
ssl_bump bump all
ssl_bump splice all

# Uncomment the line below to enable disk caching - path format is /cygdrive/<full path to cache folder>, i.e.
#cache_dir aufs /cygdrive/d/squid/cache 3000 16 256
cache_dir aufs /squid/cache 3000 16 256

# Leave coredumps in the first cache dir
coredump_dir /squid/dump

# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320

dns_nameservers 8.8.8.8 8.8.4.4

4. Before starting, initialize the certificate database, otherwise Squid will not start.

sudo /usr/lib/squid/security_file_certgen -c -s /var/spool/squid/ssl_db -M 4MB

5. Now it can start properly. Test it yourself with the following command:

curl --proxy http://127.0.0.1:3218 --cacert squid-ca-cert.pem https://www.baidu.com

At this point, open squid-ca-cert.pem with vi, copy its contents to 查错网 to convert the certificate format to cer, and download it to Windows. Double-click it to install it into "Trusted Root Certification Authorities", then in Internet Options - Connections - LAN settings set the proxy address to this Ubuntu machine's IP address and the port to 3128. Now open Baidu, and you can see the log of your visit in /var/log/syslog.

6. Awkwardly, this 5.2 build crashes easily. See below for compiling 5.6.

# prepare the build environment
sudo apt -y install libssl-dev devscripts build-essential fakeroot debhelper dh-autoreconf dh-apparmor cdbs libcppunit-dev libsasl2-dev libxml2-dev libkrb5-dev libdb-dev libnetfilter-conntrack-dev libexpat1-dev libcap-dev libldap2-dev libpam0g-dev libgnutls28-dev libssl-dev libdbi-perl libecap3 libecap3-dev libsystemd-dev libtdb-dev
# clone the project
git clone https://github.com/squid-cache/squid.git squid
cd squid
git branch -r
git checkout v5
# start compiling
./bootstrap.sh
./configure --with-openssl --enable-ssl-crtd  --with-default-user=squid '--prefix=/usr' '--includedir=${prefix}/include' '--mandir=${prefix}/share/man' '--infodir=${prefix}/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--disable-silent-rules' '--libdir=${prefix}/lib/x86_64-linux-gnu' '--runstatedir=/run' '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid' '--libexecdir=/usr/lib/squid' '--mandir=/usr/share/man' '--enable-inline' '--enable-async-io=8' '--enable-storeio=ufs,aufs,diskd,rock' '--enable-removal-policies=lru,heap' '--enable-delay-pools' '--enable-cache-digests' '--enable-icap-client' '--enable-follow-x-forwarded-for' '--with-swapdir=/var/spool/squid' '--with-logdir=/var/log/squid' '--with-pidfile=/run/squid.pid' '--with-large-files' '--with-default-user=proxy' '--enable-linux-netfilter' '--with-gnutls'

make
sudo make install
# set up the Squid service
sudo vi /lib/systemd/system/squid.service
# paste the following
[Unit]
Description=Squid Web Proxy Server
Documentation=man:squid(8)
After=network.target network-online.target nss-lookup.target

[Service]
Type=notify
PIDFile=/var/run/squid.pid
ExecStartPre=/usr/sbin/squid --foreground -z
ExecStart=/usr/sbin/squid --foreground -sYC
ExecReload=/bin/kill -HUP $MAINPID
KillMode=mixed
NotifyAccess=all

[Install]
WantedBy=multi-user.target
# after saving
sudo systemctl start squid.service
sudo systemctl enable squid.service
# add the TLS proxy settings
acl intermediate_fetching transaction_initiator certificate-fetching
http_access allow intermediate_fetching
# generate the parameter file for the Diffie-Hellman algorithm
openssl dhparam -outform PEM -out /etc/squid/bump_dhparam.pem 2048
# append the following to the end of the http_port 3128 line
cipher=HIGH:MEDIUM:!LOW:!RC4:!SEED:!IDEA:!3DES:!MD5:!EXP:!PSK:!DSS options=NO_TLSv1,NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE tls-dh=prime256v1:/etc/squid/bump_dhparam.pem
# exclude sites that do not accept the man-in-the-middle certificate; one domain per line, in this format:  .dingtalk.com
acl nobumpSites ssl::server_name  "/etc/squid/donotbump.list"
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
# check whether the SNI matches the list
ssl_bump peek step1 all
# matched: inspect the certificate
ssl_bump peek step2 nobumpSites
# matched: splice the connection through
ssl_bump splice step3 nobumpSites
# not matched: give up (stare, then bump)
ssl_bump stare step2
ssl_bump bump step3
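The script below is an added example for both Squid guides on this page (the English 5.6 build and the Chinese 5.2/5.6 one); it is not code from either post or from the Squid project. It checks the text of squid -v for the build flags the guides rely on, extracts the port a squid.conf actually listens on so it can be compared with the port handed to clients, and flags three risky settings in a config: a final http_access that is not "deny all", the "sslproxy_cert_error allow all" line both guides use, and a bump port with no splice rule. The sample squid.conf it writes is constructed here, modelled on the second guide's config.

```shell
#!/bin/sh
# Added example, not code from the original posts or from the Squid project:
# offline sanity checks for an SSL-bump Squid build and its squid.conf.
# Return 0 when the text of `squid -v` (passed as $1) shows the flags SSL bump needs.
squid_build_ok() {
    case "$1" in *--enable-ssl-crtd*) ;; *) echo "missing --enable-ssl-crtd" >&2; return 1 ;; esac
    case "$1" in *--with-openssl*)   ;; *) echo "missing --with-openssl"   >&2; return 1 ;; esac
    return 0
}
# Print the port of the first http_port directive in config file $1 ("3128" or "[::]:3128" forms).
squid_listen_port() {
    p=$(sed 's/#.*//' "$1" | awk '$1 == "http_port" { print $2; exit }')
    printf '%s\n' "${p##*:}"
}

# Print one WARN line per risky setting in config file $1; return the number of warnings.
squid_conf_warnings() {
    live=$(sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1")   # live directives only
    n=0
    # 1. The last http_access must be "deny all": requests matching no rule get the opposite
    #    of the last rule, so anything else risks an open proxy.
    last=$(printf '%s\n' "$live" | grep '^http_access' | tail -n 1)
    [ "$last" = "http_access deny all" ] || { echo "WARN: last http_access is '$last'"; n=$((n+1)); }
    # 2. "sslproxy_cert_error allow all" accepts any broken upstream certificate and re-signs it
    #    with the bump CA, so clients can no longer notice a forged origin server.
    if printf '%s\n' "$live" | grep -q '^sslproxy_cert_error[[:space:]]*allow[[:space:]]*all'; then
        echo "WARN: sslproxy_cert_error allow all disables upstream certificate validation"; n=$((n+1))
    fi
    # 3. A bump port with no splice rule intercepts every site, including certificate-pinned ones.
    if printf '%s\n' "$live" | grep -q '^http_port.*ssl-bump' &&
       ! printf '%s\n' "$live" | grep -q '^ssl_bump[[:space:]]*splice'; then
        echo "WARN: ssl-bump port without any ssl_bump splice rule"; n=$((n+1))
    fi
    return "$n"
}

# Write a constructed squid.conf (modelled on the second post's config) to path $1.
write_sample_conf() {
    cat > "$1" <<'EOF'
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
http_access allow localnet
http_access deny all
http_port 3218 ssl-bump generate-host-certificates=on cert=/squid/certs/squid-ca-cert-key.pem
sslproxy_cert_error allow all
ssl_bump stare all
ssl_bump bump all
ssl_bump splice all
EOF
}
```

To run it against a real install: f=/etc/squid/squid.conf; squid_build_ok "$(squid -v)"; squid_listen_port "$f"; squid_conf_warnings "$f"; echo "warnings=$?".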

If anything is unclear, open the previous post and follow the screenshots.