Ad blocking with Squid


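_Introduction

I run squid on my local machine.

Originally, my network environment changes between the office, my room, mobile and so on, and I could not be bothered to change the proxy settings every time, so

that was the purpose I ran it for.

In addition to that,

and so it occurred to me that this could be used for ad blocking.

As for web ads, well, I think it is fine for there to be many opinions. Services do need to be monetized, and ads that do not get in the way are fine, but…

and so on; there are far too many of that kind.

_Installation and configuration

Installation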

% sudo apt-get install squid

Hooray for apt

The current configuration is as follows:

_Hosts file for ad blocking

Generated, more or less, by the following script

#! /bin/bash
URL=()
# adaway default
URL=("${URL[@]}" "https://adaway.org/hosts.txt")
URL=("${URL[@]}" "http://winhelp2002.mvps.org/hosts.txt")
URL=("${URL[@]}" "https://pgl.yoyo.org/adservers/serverlist.php?hostformat=hosts&showintro=0&mimetype=plaintext")
URL=("${URL[@]}" "https://hosts-file.net/ad_servers.txt")
URL=("${URL[@]}" "https://sites.google.com/site/hosts2ch/ja")
URL=("${URL[@]}" "https://raw.githubusercontent.com/multiverse2011/adawaylist-jp/master/hosts")
URL=("${URL[@]}" "https://warui.intaa.net/adhosts/hosts.txt")
URL=("${URL[@]}" "https://280blocker.net/files/280blocker_host.txt")
#
echo "download hosts list"
for (( i = 0; i < ${#URL[@]}; ++i )); do
    echo wget -q "${URL[$i]}" -O tmp-$i.txt
    wget -q "${URL[$i]}" -O tmp-$i.txt
    echo "create tmp-$i-list.txt"
    cat tmp-$i.txt | \
        grep -v localhost | \
        grep -v 255.255.255.255 | \
        grep -v ^# | \
        grep -v ^white | \
        sed '/^$/d' | \
        sed -e 's/\t/ /g' | \
        nkf -w -Lu -d > tmp-$i-list.txt
    rm -f tmp-$i.txt
done
#
echo "merge tmp list"
# glob instead of parsing ls output; "*" also matches indexes of 10 and above
for f in tmp-*-list.txt; do
    grep -v '^#' "$f" >> tmp-list.txt
    rm -f "$f"
done
cat tmp-list.txt | \
    sed '/^$/d' | \
    sed -e 's/#.*$//g' | \
    sed -e 's/^0\.0\.0\.0/127\.0\.0\.1/g' | \
    sort -u > adaway.txt
# wget -q https://warui.intaa.net/adhosts/whitelist.txt -O tmp-white.txt
# cat tmp-white.txt | while read line
# do
#     sed -i -e '/$line/d' adaway.txt
# done
# whitelist
sed -i -e '/apis.google.com/d' adaway.txt
sed -i -e '/google-analytics.l.google.com/d' adaway.txt
sed -i -e '/google-analytics.com/d' adaway.txt
sed -i -e 's/127.0.0.1 //g' adaway.txt
echo -n '' > adaway_hosts.txt
cat adaway.txt | while read line
do
    echo 0.0.0.0 $line >> adaway_hosts.txt
done
# nginx hosts
cat adaway_hosts.txt | sed -e 's/^0\.0\.0\.0/server_name/g' -e 's/$/;/g' > adaway_nginx_hosts.txt
## ipv6
# cat adaway.txt | sed -e 's/127.0.0.1/::1/g' > adaway_ipv6.txt
# cat adaway.txt >> adaway_ipv6.txt
# mv adaway_ipv6.txt adaway.txt
echo "cleanup"
rm -f tmp-list.txt
rm -f tmp-white.txt

Thanks to everyone who maintains these lists.
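
The script above passes whatever the remote lists return into the files Squid reads, so an HTML error page or an entry with a non-sinkhole address ends up in `adaway.txt`. The stricter filter below is an added example, not part of the original script; `sanitize_hosts`, `sample_list` and the allowlist-file argument are names made up here, and the sample input is constructed.

```shell
#!/bin/bash
# Added example: strict filter for downloaded hosts-format lists.
# sanitize_hosts / sample_list and the allowlist argument are made-up names.

# stdin: raw list; $1: optional allowlist file (one domain per line).
# stdout: unique, lower-cased domains whose line was "<sinkhole-ip> <fqdn>".
sanitize_hosts() {
    local allow="${1:-/dev/null}"
    tr -d '\r' | awk -v allow="$allow" '
        BEGIN { while ((getline d < allow) > 0) keep[tolower(d)] = 1 }
        { sub(/#.*/, "") }                    # strip comments, re-split fields
        NF == 0 { next }
        # Anything but "address name" with a sinkhole address is rejected,
        # so HTML error pages and entries pointing elsewhere never pass.
        NF != 2 || ($1 != "0.0.0.0" && $1 != "127.0.0.1") { bad++; next }
        {
            name = tolower($2)
            # LDH labels, at least one dot (drops localhost), max 253 chars.
            if (length(name) > 253 ||
                name !~ /^([a-z0-9]([a-z0-9-]*[a-z0-9])?\.)+[a-z]([a-z0-9-]*[a-z0-9])?$/) {
                bad++; next
            }
            if (!(name in keep)) print name
        }
        END { if (bad) print "rejected " bad " line(s)" > "/dev/stderr" }
    ' | LC_ALL=C sort -u
}

# Constructed sample input (not taken from any real list).
sample_list() {
    printf '%s\n' \
        '# comment line' \
        '0.0.0.0 ads.example.com' \
        '127.0.0.1  Tracker.Example.NET  # trailing comment' \
        '127.0.0.1 localhost' \
        '203.0.113.7 updates.example.org' \
        '<html><body>error page instead of a list</body></html>' \
        '0.0.0.0 bad_host!.example.com' \
        '0.0.0.0 apis.example.com'
    printf '0.0.0.0 ads.example.com\r\n'      # CRLF duplicate
}

sample_list | sanitize_hosts
```

The output is in the one-domain-per-line form that `adaway.txt` has after the script's final `sed`, so it can feed the `dstdomain` ACL directly and, prefixed with `0.0.0.0`, the `hosts_file`.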

_/etc/squid/common.conf

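As a leftover from the days when I used to switch proxies, the settings that are the same regardless of upstream are written in common.conf. At present it is

more or less that.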

_/etc/squid/squid.conf

At present this is all it contains

## Adblock
## DNS
# read hosts file -> 0.0.0.0
hosts_file /etc/squid/adaway_hosts.txt
acl ad_black dstdomain "/etc/squid/adaway.txt"
http_access deny ad_black
# Custom Error Page (force empty)
error_directory /etc/squid/error/
# dns_v4_first on
dns_nameservers 127.0.0.1

## ACL
acl local src 192.168.122.0/24 127.0.0.1 ::1 fe80::/10
http_access allow local
http_access deny all
## access port
#
# listen on port 20080
#
# http_port 20080
http_port 20080 ssl-bump \
 generate-host-certificates=on \
 dynamic_cert_mem_cache_size=4MB \
 cert=/usr/local/share/ca-certificates/junkhub.org/iris_cert.crt \
 key=/usr/local/share/ca-certificates/junkhub.org/iris_key.pem \
 tls-dh=prime256v1:/etc/squid/dhparam.pem
sslcrtd_program /usr/lib/squid/security_file_certgen \
  -s /var/spool/squid/ssl_db \
  -M 4MB
tls_outgoing_options \
  cafile=/etc/ssl/certs/ca-certificates.crt \
  options=NO_SSLv3,ALL
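# splice (tunnel without decrypting) the domains in ssl_white.txt,
# peek during step 1, then bump (decrypt) everything else
acl step1 at_step SslBump1
acl ssl_exclude_domains dstdomain "/etc/squid/ssl_white.txt"
ssl_bump splice ssl_exclude_domains
ssl_bump peek step1
ssl_bump bump all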

## ICAP
icap_enable off

## ICMP
#
# disable all ICMP request
#
pinger_enable off
query_icmp off

## Log Format
#
# Apache like
#
access_log stdio:/var/log/squid/access.log common
# logformat common %>a %ui %un [%tl] "%rm %ru HTTP/%rv" >Hs %<st %Ss:%Sh
# access_log stdio:/dev/null common

# Logs are managed by logrotate on Debian
# @see include /etc/squid/conf.d/debian.conf
logfile_rotate 0


## Cache
#
# don't use any cache
#
# no_cache deny all
cache_store_log none
cache_access_log none
cache_log /dev/null
logfile_rotate 0
coredump_dir /var/spool/squid
ipcache_size 0

## Anonymous
# forwarded_for transparent
forwarded_for off
visible_hostname unknown
request_header_access X-FORWARDED-FOR deny all
request_header_access VIA deny all
request_header_access CACHE-CONTROL deny all
request_header_access If-MODIFIED-SINCE deny all
# request_header_access CONNECTION deny all
request_header_access UPGRADE-INSECURE-REQUESTS deny all
request_header_access DNT deny all
reply_header_access X-FORWARDED-FOR deny all
reply_header_access VIA deny all
reply_header_access CACHE-CONTROL deny all
reply_header_access If-MODIFIED-SINCE deny all
reply_header_access UPGRADE-INSECURE-REQUESTS deny all
reply_header_access DNT deny all

pid_filename /run/squid.pid
## fast
pipeline_prefetch 0
shutdown_lifetime 0.01 seconds

#
always_direct allow local

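One could say there is no longer any point in splitting the files.

_Getting along with systemd: /etc/systemd/system/squid.service

I have no intention of running the cache, so no child processes are spawned. Accordingly, I cobbled together a service file for systemd as follows.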

## Copyright (C) 1996-2018 The Squid Software Foundation and contributors
##
## Squid software is distributed under GPLv2+ license and includes
## contributions from numerous individuals and organizations.
## Please see the COPYING and CONTRIBUTORS files for details.
##

[Unit]
Description=Squid Web Proxy Server
Documentation=man:squid(8)
After=network.target network-online.target nss-lookup.target

[Service]
Type=forking
PIDFile=/run/squid.pid
ExecStartPre=/usr/sbin/squid --foreground -z
ExecStart=/usr/sbin/squid -sYC
ExecReload=/bin/kill -HUP $MAINPID
KillMode=mixed

[Install]
WantedBy=multi-user.target

After that,

% sudo systemctl daemon-reload
% sudo systemctl enable squid
% sudo systemctl start squid

and all is well. Set HTTP_PROXY and the like as appropriate.