Setting up a simple APN proxy

Based on this and this by @bao3

Prerequisites

  • A VPS inside China (it needs enough upstream bandwidth)
  • A VPS outside China
  • Recommended platforms: Ubuntu 12.04 / CentOS 6.3 / FreeBSD 9. This post uses the first one.

Steps

HTTP proxy

  • apt-get install squid3 privoxy # install squid and privoxy
    (on Ubuntu 12.04 the squid3 package is the one whose configuration lives at /etc/squid3/squid.conf, the path used below; the plain squid package is squid 2.7 and reads /etc/squid/squid.conf)
    Reference configs are in the next section
  • Optional: use an ssh built with the obfuscation patch (it has to be built on both machines; make install puts it under /usr/local, which is why every path below starts with /usr/local)
        git clone https://github.com/brl/obfuscated-openssh
        apt-get install build-essential zlib1g zlib1g-dev libssl-dev autossh
        cd obfuscated-openssh
        ./configure
        make
        make install
    • VPS outside China (server side)
      • vim /usr/local/etc/sshd_config
      • Add these (keep the comments on their own lines: sshd rejects anything after an option's value as "garbage at end of line")

        Protocol 2
        # your custom obfuscated port
        ObfuscatedPort 4096
        # your obfuscation keyword
        ObfuscateKeyword fdb713

      • Start the daemon
          /usr/local/sbin/sshd
    • VPS inside China (client side)
      • Edit the environment file: vim /etc/environment
      • So that autossh uses the patched ssh, add the following (the file is only read at login, so log in again or export the variable in your current shell)

        AUTOSSH_PATH="/usr/local/bin/ssh"

      • On the VPS outside China, create a dedicated account used only for ssh -D, give it /bin/false
        or /usr/sbin/nologin as its shell (the -N below never requests a shell, so this still works), and install your public key
      • autossh -M 9001 -- your_user@foreign_vps -fxND4444 -pYOUR_PORT -z -Z your_obfuscation_keyword
        The -- separates autossh's own options from ssh's. For example:
        autossh -M 9001 -- fdbssh@192.168.1.1 -fxND4444 -p4096 -z -Z fdb713
        (the keyword given to -Z is a shared secret and is visible in ps to every local user of this VPS)
      • ps aux | grep ssh
        If both ssh and autossh show up, it worked; if not, add -vv to get debug output.
      • A script to monitor autossh is left to you...
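The monitoring script the post leaves to the reader, as an added example (mine, not from the post or from the autossh project). It assumes the post's example values: the SOCKS port 4444 from -D, the autossh monitor port 9001, and the fdbssh@192.168.1.1 / -p4096 / -Z fdb713 command line; the AUTOSSH_PATH it sets mirrors /etc/environment, which cron does not read. Instead of only checking that a process exists, it performs the SOCKS5 method-selection handshake against the -D port, which is what actually proves the tunnel is usable.

```python
#!/usr/bin/env python3
"""Watchdog for the autossh SOCKS tunnel on the domestic VPS.

Added example, not part of the original post. A bare TCP connect is a weak
liveness check (autossh can be alive while the forwarded SOCKS listener is
gone), so this probes the local ssh -D port with a real SOCKS5
method-selection handshake and restarts autossh after two consecutive
failures.

Assumptions (edit to match your setup): the -D port is 4444, the autossh
monitor port is 9001, and user/host/port/keyword are the post's example
values.
"""
import os
import socket
import subprocess
import sys
import time

SOCKS_HOST = "127.0.0.1"
SOCKS_PORT = 4444  # the -D port on the autossh command line

# Assumption: the post's example command line; replace with your own.
AUTOSSH_CMD = [
    "autossh", "-M", "9001", "--",
    "fdbssh@192.168.1.1", "-fxND4444", "-p4096", "-z", "-Z", "fdb713",
]

# cron does not read /etc/environment, so pass AUTOSSH_PATH explicitly.
AUTOSSH_ENV = dict(os.environ, AUTOSSH_PATH="/usr/local/bin/ssh")

# SOCKS5 client greeting: version 5, one method offered, method 0x00 = no auth.
SOCKS5_GREETING = b"\x05\x01\x00"


def socks5_reply_ok(reply: bytes) -> bool:
    """True iff reply is a SOCKS5 method-selection answer choosing no-auth."""
    return len(reply) == 2 and reply[0] == 0x05 and reply[1] == 0x00


def probe_socks5(host: str = SOCKS_HOST, port: int = SOCKS_PORT,
                 timeout: float = 3.0) -> bool:
    """Connect, send the greeting, and check the server's method choice.

    Any failure (refused, timeout, wrong protocol) counts as "tunnel down".
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(SOCKS5_GREETING)
            return socks5_reply_ok(s.recv(2))
    except OSError:
        return False


def restart_tunnel(cmd=AUTOSSH_CMD, env=AUTOSSH_ENV) -> int:
    """Kill the autossh started with our monitor port and launch a fresh one.

    Matching on "autossh -M 9001" avoids killing other ssh sessions on the
    box. Returns the exit status of the autossh parent (it backgrounds
    itself because of -f, so this returns promptly).
    """
    subprocess.call(["pkill", "-f", "autossh -M 9001"])
    time.sleep(1)
    return subprocess.call(cmd, env=env)


def watch(interval: int = 60, max_failures: int = 2) -> None:
    """Poll forever; restart after max_failures consecutive failed probes."""
    failures = 0
    while True:
        if probe_socks5():
            failures = 0
        else:
            failures += 1
            if failures >= max_failures:
                restart_tunnel()
                failures = 0
        time.sleep(interval)


if __name__ == "__main__":
    watch(int(sys.argv[1]) if len(sys.argv) > 1 else 60)
```

Run it as `python3 tunnel_watch.py 60` (filename is my choice) from a screen session or a @reboot cron entry. Requiring two consecutive misses before a restart keeps one slow handshake from bouncing the tunnel; the probe itself also serves as a one-off check after you start autossh by hand.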

Reference configs

squid

vim /etc/squid3/squid.conf

#include /etc/squid3/list/gfw.squid
#
# Recommended minimum configuration:
#
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
# dig the lists out of APNIC yourself; if you can't be bothered, there is a link here
acl cernet dst "/etc/squid3/list/cernet"
acl mobile dst "/etc/squid3/list/mobile"
acl other dst "/etc/squid3/list/other"
acl telecom dst "/etc/squid3/list/telecom"
acl unicom dst "/etc/squid3/list/unicom"

#acl ConnLimt maxconn 3
#include /etc/squid3/list/gfw.squid

acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

#
# Recommended minimum Access Permission configuration:
#
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager

# Deny requests to certain unsafe ports
#http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
#http_access deny CONNECT !SSL_ports

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
# (nothing in this setup needs to reach the proxy's own localhost, so it is enabled)
http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
# privoxy's listen port
cache_peer 127.0.0.1 parent 8117 0 no-query

always_direct allow cernet
always_direct allow mobile
always_direct allow other
always_direct allow telecom
always_direct allow unicom

#never_direct allow gfw
never_direct allow all
# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost
#http_access deny ConnLimt
# And finally everything else: the phone arrives from the carrier's address
# space, not from localnet, so this is "allow all". That makes port 32768 an
# open proxy for anyone who can reach it; firewall it to the carrier's source
# ranges (or at least watch access.log) rather than relying on the odd port.
http_access allow all
logfile_rotate 10

visible_hostname unknown
forwarded_for off
request_header_access X-FORWARDED-FOR deny all
request_header_access Via deny all
request_header_access Cache-Control deny all
icp_query_timeout 50000

#logformat combined %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%S
#access_log /var/log/squid/access.log combined

# Squid normally listens to port 3128
http_port 32768

# We recommend you to use at least the following line.
hierarchy_stoplist cgi-bin ?

# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/spool/squid 100 16 256

# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid

# Add any of your own refresh_pattern entries above these.
#refresh_pattern ^ftp: 1440 20% 10080
#refresh_pattern ^gopher: 1440 0% 1440
#refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
#refresh_pattern . 0 20% 4320
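The "dig the lists out of APNIC yourself" step, as an added example (mine, not from the post): it turns APNIC's public delegated-apnic-latest file into the CIDR list format that squid reads for an acl ... dst "file", and then mirrors the always_direct / never_direct decision above so you can check where a given destination would go. The sample records embedded in it are constructed for the demo. APNIC's file carries no carrier or ASN data, so this produces one CN list rather than the cernet/mobile/telecom/unicom split; a single `acl cn dst "/etc/squid3/list/cn"` plus `always_direct allow cn` (names are mine) routes the same way.

```python
#!/usr/bin/env python3
"""Build a squid `dst` list file from APNIC's delegated-apnic-latest.

Added example, not part of the original post. Input is APNIC's public
delegated file, one record per line:
  registry|cc|type|start|value|date|status
For ipv4 records `value` is the number of addresses in the block (not
always a power of two); for ipv6 records it is the prefix length.
The records in SAMPLE_APNIC are constructed for the offline demo.
"""
import ipaddress
import sys
from typing import Iterable, List

SAMPLE_APNIC = """\
2|apnic|20130101|12345|19830613|20121231|+1000
apnic|*|ipv4|*|9999|summary
apnic|CN|ipv4|1.0.1.0|256|20110414|allocated
apnic|CN|ipv4|1.0.8.0|2048|20110412|allocated
apnic|JP|ipv4|1.0.16.0|4096|20110412|allocated
apnic|CN|ipv4|1.1.0.0|768|20110412|allocated
apnic|CN|ipv6|2001:250::|32|20000426|allocated
apnic|CN|asn|4134|1|19970601|allocated
"""


def cn_networks(lines: Iterable[str]) -> List:
    """Return the CN IPv4 and IPv6 networks in the file, merged and sorted."""
    v4, v6 = [], []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split("|")
        # the version header and summary lines are short or have no "CN"
        if len(fields) < 7 or fields[1] != "CN":
            continue
        kind, start, value = fields[2], fields[3], fields[4]
        if kind == "ipv4":
            first = ipaddress.IPv4Address(start)
            last = first + (int(value) - 1)
            # a 768-address block is not one CIDR; summarize splits it into /23 + /24
            v4.extend(ipaddress.summarize_address_range(first, last))
        elif kind == "ipv6":
            v6.append(ipaddress.IPv6Network(f"{start}/{value}"))
        # asn records are skipped: squid dst ACLs take addresses, not AS numbers
    # collapse_addresses merges adjacent blocks but refuses mixed families
    return list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))


def squid_dst_list(nets) -> str:
    """One CIDR per line, the format squid reads for acl ... dst "file"."""
    return "".join(f"{n}\n" for n in nets)


def route_for(ip: str, nets) -> str:
    """Mirror the squid config: always_direct if the destination is listed,
    otherwise never_direct hands it to the privoxy/ssh peer."""
    addr = ipaddress.ip_address(ip)
    return "direct" if any(addr in n for n in nets) else "tunnel"


def main(src_path: str, dst_path: str) -> int:
    """Convert a downloaded delegated-apnic-latest into a squid list file."""
    with open(src_path, encoding="ascii") as src:
        nets = cn_networks(src)
    with open(dst_path, "w", encoding="ascii") as dst:
        dst.write(squid_dst_list(nets))
    return len(nets)


if __name__ == "__main__":
    if len(sys.argv) == 3:
        print(f"wrote {main(sys.argv[1], sys.argv[2])} networks to {sys.argv[2]}")
    else:  # offline demo on the constructed sample
        nets = cn_networks(SAMPLE_APNIC.splitlines())
        print(squid_dst_list(nets), end="")
        for ip in ("1.0.9.77", "1.1.2.200", "1.0.16.1", "2001:250:1::1"):
            print(ip, "->", route_for(ip, nets))
```

Usage: download delegated-apnic-latest from APNIC, then `python3 apnic2squid.py delegated-apnic-latest /etc/squid3/list/cn` (script and list names are mine) and reload squid; with no arguments it prints the demo list and routing decisions. Keep in mind that squid evaluates dst on the address it resolves for the request, so a hostname with both domestic and foreign A records goes whichever way the resolver answers.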

privoxy

vim /etc/privoxy/config

user-manual /usr/share/doc/privoxy/user-manual
confdir /etc/privoxy
logdir /var/log/privoxy
actionsfile match-all.action
actionsfile default.action
#actionsfile block.action
filterfile default.filter
#filterfile user.filter
logfile logfile
forward-socks5 / 127.0.0.1:4444 . # the local ssh -D port that foreign traffic goes through
# squid on this host is privoxy's only client, so bind to loopback; *:8117 would expose privoxy to the internet
listen-address 127.0.0.1:8117
toggle 1
# proxy users can reach config.privoxy.org through squid, so keep remote toggling off
enable-remote-toggle 0
enable-remote-http-toggle 0
enable-edit-actions 0
enforce-blocks 0
buffer-limit 5120
#connection-sharing 0
forwarded-connect-retries 3
accept-intercepted-requests 0
allow-cgi-request-crunching 0
activity-animation 1
split-large-forms 0
keep-alive-timeout 0
socket-timeout 120
handle-as-empty-doc-returns-ok 1

That gives you an HTTP proxy that splits domestic and foreign traffic. With the configs above, the proxy address is
<domestic VPS IP>:32768 (the port set in squid.conf)

Generating the PAC file and the APN proxy profile (iOS)

  • For the PAC file I used https://github.com/Leask/Flora_Pac
    Edit the end of the generated PAC to return PROXY yourip:yourport (see the squid config)
  • Generate the mobileconfig with the iPhone Configuration Utility: fill in the proxy IP and port, and don't sign it on export.

Android settings

This post