OpenWrt/Linux: installing Squid as a transparent caching proxy

Install Squid:

opkg update
opkg install squid
cd /etc/squid
mv squid.conf squid.conf.back
vim squid.conf

Squid-related commands:

squid -k reconfigure   # reload the configuration without restarting
squid -k parse         # check the configuration file for errors (run this before reconfigure)
squid -k shutdown      # stop Squid
squid -k rotate        # rotate the log files

iptables

# Rules for transparent proxying (nat table). The NO_PROXY chain ACCEPTs traffic to
# private, loopback, link-local, multicast and reserved destinations; in the nat table
# ACCEPT means "no NAT for this packet", so those connections are never redirected.
# Everything else RETURNs to PREROUTING and is redirected to Squid's intercept ports
# (3129 and 3130, which must match the http_port/https_port lines in squid.conf).
iptables -N NO_PROXY -t nat
iptables -A NO_PROXY -t nat -d 0.0.0.0/8 -j ACCEPT
iptables -A NO_PROXY -t nat -d 10.0.0.0/8 -j ACCEPT
iptables -A NO_PROXY -t nat -d 127.0.0.0/8 -j ACCEPT
iptables -A NO_PROXY -t nat -d 169.254.0.0/16 -j ACCEPT
iptables -A NO_PROXY -t nat -d 172.16.0.0/12 -j ACCEPT
iptables -A NO_PROXY -t nat -d 192.168.0.0/16 -j ACCEPT
iptables -A NO_PROXY -t nat -d 224.0.0.0/4 -j ACCEPT
iptables -A NO_PROXY -t nat -d 240.0.0.0/4 -j ACCEPT
iptables -A NO_PROXY -t nat -j RETURN
# The four rules below match on every interface, the WAN included. Add "-i br-lan"
# (OpenWrt's default LAN bridge) to each of them so that only LAN clients are intercepted.
iptables -A PREROUTING -t nat -p tcp --dport 80 -j NO_PROXY
iptables -A PREROUTING -t nat -p tcp --dport 80 -j REDIRECT --to-ports 3129
iptables -A PREROUTING -t nat -p tcp --dport 443 -j NO_PROXY
iptables -A PREROUTING -t nat -p tcp --dport 443 -j REDIRECT --to-ports 3130
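The decision those rules make for each incoming TCP SYN, as an added example in Python that is not part of the original post: it models the nat PREROUTING traversal (an ACCEPT inside NO_PROXY ends nat processing, RETURN falls through to the REDIRECT rule), shows that without an `-i` match the page's rules also catch packets arriving on the WAN interface, and renders the same rule set with that restriction added. The interface names `br-lan` and `eth0.2` and the 203.0.113.0/24 addresses are assumptions and constructed sample data, not from the page.

```python
"""Model of the page's nat/PREROUTING rules: which TCP SYNs reach Squid's intercept ports."""
import ipaddress
from typing import Optional

# Destinations the NO_PROXY chain ACCEPTs. In the nat table, ACCEPT ends traversal
# for that packet without NAT, so these destinations are never redirected.
NO_PROXY_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]

# Destination port -> Squid intercept port (the two REDIRECT rules on the page).
REDIRECT_PORTS = {80: 3129, 443: 3130}


def nat_prerouting_verdict(dst: str, dport: int, in_iface: str,
                           lan_iface: Optional[str] = None) -> Optional[int]:
    """Return the intercept port a TCP SYN is redirected to, or None if it is left alone.

    lan_iface=None reproduces the page's rules exactly: they carry no `-i` match, so they
    also apply to packets arriving on the WAN side. lan_iface="br-lan" (OpenWrt's default
    LAN bridge; an assumption, check `ip link` on your router) models the same rules with
    `-i br-lan` added to both PREROUTING jumps.
    """
    if dport not in REDIRECT_PORTS:
        return None                      # no PREROUTING rule matches; normal routing
    if lan_iface is not None and in_iface != lan_iface:
        return None                      # `-i <lan>` does not match a WAN-side packet
    if any(ipaddress.ip_address(dst) in net for net in NO_PROXY_NETS):
        return None                      # NO_PROXY -> ACCEPT: no NAT for this packet
    return REDIRECT_PORTS[dport]         # NO_PROXY -> RETURN, then REDIRECT --to-ports


def render_rules(lan_iface: str = "br-lan") -> list:
    """Emit the page's rule set with the `-i` restriction and a consistent `--to-ports`."""
    rules = ["iptables -t nat -N NO_PROXY"]
    rules += [f"iptables -t nat -A NO_PROXY -d {net} -j ACCEPT" for net in NO_PROXY_NETS]
    rules.append("iptables -t nat -A NO_PROXY -j RETURN")
    for dport, to in REDIRECT_PORTS.items():
        rules.append(f"iptables -t nat -A PREROUTING -i {lan_iface} -p tcp --dport {dport} -j NO_PROXY")
        rules.append(f"iptables -t nat -A PREROUTING -i {lan_iface} -p tcp --dport {dport} "
                     f"-j REDIRECT --to-ports {to}")
    return rules


if __name__ == "__main__":
    # Constructed packets: 203.0.113.10 is a TEST-NET-3 address standing in for a public server.
    for dst, dport, iface in [("203.0.113.10", 80, "br-lan"), ("203.0.113.10", 443, "eth0.2"),
                              ("192.168.1.1", 80, "br-lan"), ("203.0.113.10", 8080, "br-lan")]:
        print(dst, dport, iface, "page rules ->", nat_prerouting_verdict(dst, dport, iface),
              "| with -i br-lan ->", nat_prerouting_verdict(dst, dport, iface, "br-lan"))
    print("\n".join(render_rules()))
```

The second call in each printed line is the one you want on a router: a SYN for port 80 arriving on the WAN interface is redirected by the page's rules but not once `-i br-lan` is in place. The rendered rules use `--to-ports` throughout; iptables also accepts the abbreviation `--to-port`, but mixing the two, as the page does, invites typos.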

squid.conf

# "splice all" tunnels every HTTPS connection unchanged after reading the TLS
# ClientHello: nothing is decrypted or cached, and the CA certificate configured on
# https_port below is never presented to a client. Decrypting ("bump") would need
# bump rules, a CA trusted by every client, and verified upstream certificates.
ssl_bump splice all

# The next two directives make Squid accept any upstream certificate, forged or
# expired included. They do nothing while everything is spliced; with bumping,
# clients would see Squid's valid generated certificate while an attacker between
# the proxy and the origin impersonates the site. Remove them.
# (sslproxy_flags no longer exists in Squid 4; its replacement is tls_outgoing_options.)
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER

# Squid normally listens to port 3128 (explicit proxy). The two intercept ports must
# match the REDIRECT targets in the iptables rules above.
http_port 3128
http_port 3129 intercept
# cert= and key= must point at the files produced in the certificate section below
# (rename squid-proxy.crt/.key or adjust the paths); keep the key readable only by
# the user Squid runs as.
https_port 3130 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl/ca.crt key=/etc/squid/ssl/ca.key

# The helper path depends on the build (OpenWrt installs under /usr/lib/squid/, and
# Squid 4 renamed the helper to security_file_certgen). The certificate database must
# be created once before the first start, with the helper's -c option on the same -s
# directory, and be owned by the Squid user.
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
sslcrtd_children 8 startup=1 idle=1

# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid

# never_direct forces every request through a cache_peer parent, but the cache_peer
# line below is missing its hostname and HTTP port (syntax: cache_peer <host> parent
# <http-port> <icp-port> [options]) and Squid will reject it as written. Either fill
# in a real upstream proxy or delete both lines so Squid fetches from origin servers.
never_direct allow all
cache_peer  parent  0 no-query no-digest default
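An added example, not from the page, that audits a squid.conf fragment for the problems in the configuration above: it parses the page's fragment (embedded here as constructed text) and a corrected copy, and flags disabled upstream certificate verification, a splice-only ssl_bump policy, and a cache_peer line that Squid cannot use together with never_direct. The upstream name `upstream.example.net` and port 3128 in the corrected copy are placeholders.

```python
"""Audit a squid.conf fragment for settings that disable TLS verification and for a
cache_peer line Squid will not accept."""

# Constructed copy of the page's squid.conf fragment, used as the weak sample.
PAGE_CONF = """\
ssl_bump splice all
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
http_port 3128
http_port 3129 intercept
https_port 3130 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl/ca.crt key=/etc/squid/ssl/ca.key
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
sslcrtd_children 8 startup=1 idle=1
coredump_dir /var/spool/squid
never_direct allow all
cache_peer  parent  0 no-query no-digest default
"""

# Same fragment with the two verification-disabling directives dropped and a complete
# cache_peer line. "upstream.example.net" and port 3128 are placeholders, not from the page.
FIXED_CONF = (PAGE_CONF
              .replace("sslproxy_cert_error allow all\n", "")
              .replace("sslproxy_flags DONT_VERIFY_PEER\n", "")
              .replace("cache_peer  parent  0 no-query no-digest default",
                       "cache_peer upstream.example.net parent 3128 0 no-query no-digest default"))

PEER_TYPES = {"parent", "sibling", "multicast"}


def parse(conf: str):
    """Yield (directive, args) per non-comment line; squid.conf tokens are whitespace-separated."""
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            tokens = line.split()
            yield tokens[0], tokens[1:]


def audit(conf: str) -> set:
    """Return the set of finding codes for the configuration text."""
    findings = set()
    directives = list(parse(conf))
    bump_rules = [args for d, args in directives if d == "ssl_bump"]
    has_usable_peer = False
    never_direct_all = False
    for d, args in directives:
        if d == "sslproxy_cert_error" and args[:2] == ["allow", "all"]:
            findings.add("cert-error-ignored")      # upstream cert errors silently accepted
        elif d == "sslproxy_flags" and "DONT_VERIFY_PEER" in args:
            findings.add("peer-unverified")         # no upstream chain validation at all
        elif d == "cache_peer":
            # syntax: cache_peer <host> <parent|sibling|multicast> <http-port> <icp-port> [options]
            if len(args) >= 4 and args[1] in PEER_TYPES and args[2].isdigit() and args[3].isdigit():
                has_usable_peer = True
            else:
                findings.add("cache-peer-malformed")
        elif d == "never_direct" and args[:2] == ["allow", "all"]:
            never_direct_all = True
    if bump_rules and all(args[:1] == ["splice"] for args in bump_rules):
        findings.add("ssl-bump-splice-only")        # HTTPS tunnelled, never cached or inspected
    if never_direct_all and not has_usable_peer:
        findings.add("never-direct-without-usable-peer")  # every request would fail
    return findings


if __name__ == "__main__":
    for name, conf in (("page", PAGE_CONF), ("fixed", FIXED_CONF)):
        print(name, sorted(audit(conf)))
```

The corrected copy still reports `ssl-bump-splice-only`; that is informational rather than a defect, but it is the reason this setup caches only plain HTTP and never needs the generated certificates.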

Generating the certificate files

$ openssl genrsa -des3 -out squid-server.key 2048
Generating RSA private key, 2048 bit long modulus
............................++++++
...........................................................++++++
e is 65537 (0x10001)
Enter pass phrase for squid-server.key:
Verifying - Enter pass phrase for squid-server.key:

A pass phrase must be entered here; it cannot be left blank (it is removed again two steps later so that Squid can load the key unattended).
$ openssl req -new -key squid-server.key -out squid-server.csr
Enter pass phrase for squid-server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:TW
State or Province Name (full name) [Some-State]:Taiwan
Locality Name (eg, city) []:Hsichu
Organization Name (eg, company) [Internet Widgits Pty Ltd]:NTHU
Organizational Unit Name (eg, section) []:SSLab
Common Name (e.g. server FQDN or YOUR name) []:maple52046.twbbs.org.tw
Email Address []:maple52046@gmail.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Press Enter through all of the 'extra' attributes to leave them blank.
Two more commands follow:

$ openssl rsa -in squid-server.key -out squid-proxy.key
Enter pass phrase for squid-server.key:
writing RSA key

$ openssl x509 -req -days 365 -in squid-server.csr -signkey squid-proxy.key -out squid-proxy.crt
Signature ok
subject=/C=TW/ST=Taiwan/L=Hsichu/O=NTHU/OU=SSLab/CN=maple52046.twbbs.org.tw/emailAddress=maple52046@gmail.com
Getting Private key

When this is done, four files are present in the current directory:

$ ls
squid-proxy.crt  squid-proxy.key  squid-server.csr  squid-server.key

Copy squid-proxy.crt and squid-proxy.key to a directory Squid can read, e.g. /etc/squid/ssl, and make sure the cert= and key= paths on the https_port line refer to these files (rename them or change the paths). Make the key readable only by the user Squid runs as. Note that with ssl_bump splice all this certificate is never presented to clients; if you switch to bumping, Squid's own documentation generates the CA with the v3_ca extensions (basicConstraints CA:TRUE), which the plain self-signed certificate produced above lacks and without which clients may refuse it as an issuer, and the CA certificate must be imported into every client's trust store, after which anyone holding the private key can impersonate every HTTPS site to those clients.
