我用的这个 docker image,
docker run --name squid -d -p 8010:3128 Datadog/squid
在 chrome 里面,设置了 switchy omega 到该机器的地址端口,能够正常工作,打开油管啥的, etc.
如果我用 proxifier, protocol 设置 http 模式,check 都通过,但是设置成 https,就会报错。
[43:29] Testing Started. Proxy Server Address: 10.35.35.87:8010 Protocol: HTTPS Authentication: NO [43:29] Starting: Test 1: Connection to the Proxy Server [43:29] IP Address: 10.35.35.87 [43:29] Connection established [43:29] Test passed. [43:29] Starting: Test 2: Connection through the Proxy Server Error: the proxy server (Squid) is not configured to allow SSL tunnel to port 80. To fix the problem please find and comment the following line in the Squid configuration file (squid.conf): http_access deny CONNECT !SSL_ports The proxy server reply header is: HTTP/1.1 403 Forbidden Server: squid/3.5.12 Mime-Version: 1.0 Date: Mon, 27 Sep 2021 09:43:32 GMT Content-Type: text/html;charset=utf-8 Content-Length: 3441 X-Squid-Error: ERR_ACCESS_DENIED 0 Vary: Accept-Language Content-Language: en X-Cache: MISS from cf3b7970725b X-Cache-Lookup: NONE from cf3b7970725b:3128 Via: 1.1 cf3b7970725b (squid/3.5.12) Connection: keep-alive [43:29] Test failed. [43:29] Testing Finished. 提示我把这句配置注释掉
"http_access deny CONNECT !SSL_ports"
于是 ,我去 https://gist.github.com/sritchie/1357652 下载了一个样本,把“头”那部分删除掉了。 然后把这句给#注释掉了。
但是貌似没有啥用。不知道是不是这个.conf 太老了,或者有太多不需要的配置了,还是说,要走 https 的 protocol,得配置相关的 cert,等等?
不知道有没有 squid 专家,指点一下
谢谢!
]]># yum -y install squid
查看版本:
# squid -v
Squid Cache: Version 3.5.20
一个简化的配置
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
sslproxy_version 4
sslproxy_options ALL
http_port 3127
http_port 3128 transparent
https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=16MB cert=/etc/squid/1_www.snsyr.com_bundle.crt key=/etc/squid/2_www.snsyr.com.key
# SSL Bump Config
ssl_bump stare all
ssl_bump bump all
说明及要求:
这个主机不能开启 /proc/sys/net/ipv4/ip_forward
其实如果可以开启这个参数,且 iptables 配置 nat 的情况下。局域网其他主机将网关指到这个 squid 所在的服务,那么是可以代理局域网主机上网的。
现在的要求是:
局域网主机 10.211.55.7 比如:
# cat /etc/hosts|grep baidu
10.211.55.3 www.baidu.com
在这个主机:对 443 的请求转发到 3129
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-ports 3129
现在的问题客户端访问百度报 503
node2 root@node2:~# curl -klv https://www.baidu.com -svo /dev/null
* About to connect() to www.baidu.com port 443 (#0)
* Trying 10.211.55.3...
* Connected to www.baidu.com (10.211.55.3) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* skipping SSL peer certificate verification
* SSL connection using TLS_RSA_WITH_AES_256_GCM_SHA384
* Server certificate:
* subject: CN=www.baidu.com
* start date: Oct 23 00:00:00 2020 GMT
* expire date: Oct 22 23:59:59 2021 GMT
* common name: www.baidu.com
* issuer: CN=www.snsyr.com
> GET / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: www.baidu.com
> Accept: */*
>
< HTTP/1.1 503 Service Unavailable
< Server: squid/3.5.20
< Mime-Version: 1.0
< Date: Thu, 11 Mar 2021 06:31:53 GMT
< Content-Type: text/html;charset=utf-8
< Content-Length: 3486
< X-Squid-Error: ERR_CONNECT_FAIL 111
< Vary: Accept-Language
< Content-Language: en
< X-Cache: MISS from parallels
< X-Cache-Lookup: NONE from parallels:3127
< Via: 1.1 parallels (squid/3.5.20)
< Connection: close
<
{ [data not shown]
* Closing connection 0
说明我用 nginx 实现类似功能的时候:
当我用 nginx 实现的时候如下日志:
node2 root@node2:~# curl -lv https://www.baidu.com -svo /dev/null
* About to connect() to www.baidu.com port 443 (#0)
* Trying 10.211.55.3...
* Connected to www.baidu.com (10.211.55.3) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate:
* subject: CN=baidu.com,O="Beijing Baidu Netcom Science Technology Co., Ltd",OU=service operation department,L=beijing,ST=beijing,C=CN
* start date: Apr 02 07:04:58 2020 GMT
* expire date: Jul 26 05:31:02 2021 GMT
* common name: baidu.com
* issuer: CN=GlobalSign Organization Validation CA - SHA256 - G2,O=GlobalSign nv-sa,C=BE
> GET / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: www.baidu.com
> Accept: */*
>
< HTTP/1.1 200 OK
< Accept-Ranges: bytes
< Cache-Control: private, no-cache, no-store, proxy-revalidate, no-transform
< Connection: keep-alive
< Content-Length: 2443
< Content-Type: text/html
< Date: Thu, 11 Mar 2021 05:53:43 GMT
< Etag: "58860402-98b"
< Last-Modified: Mon, 23 Jan 2017 13:24:18 GMT
< Pragma: no-cache
< Server: bfe/1.0.8.18
< Set-Cookie: BDORZ=27315; max-age=86400; domain=.baidu.com; path=/
<
{ [data not shown]
* Connection #0 to host www.baidu.com left intact
现在就是想要 squid 能实现 nginx 的这种功能
关于 nginx 配置可以参考
https://www.alibabacloud.com/blog/how-to-use-nginx-as-an-https-forward-proxy-server_595799 ]]>
# Squid normally listens to port 3128 always_direct allow all ssl_bump bump all sslproxy_cert_error allow all http_port 3128 ssl-bump cert=/etc/squid/squid.pem key=/etc/squid/squid.pem generate-host-certificates=on optiOns=NO_SSLv2 #http_port 3128 cache_peer 127.0.0.1 parent 10809 0 no-query never_direct allow all 我测试了一下,它并没有通过 127.0.0.1:10809 上网?但是让我改成如下时,却生效了。
http_port 3128 cache_peer 127.0.0.1 parent 10809 0 no-query never_direct allow all 这是为什么?
完整配置
# # Recommended minimum configuration: # # Example rule allowing access from your local networks. # Adapt to list your (internal) IP networks from where browsing # should be allowed acl localnet src 10.0.0.0/8 # RFC1918 possible internal network acl localnet src 172.16.0.0/12 # RFC1918 possible internal network acl localnet src 192.168.0.0/16 # RFC1918 possible internal network acl localnet src fc00::/7 # RFC 4193 local private network range acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines acl SSL_ports port 443 acl Safe_ports port 80 # http acl Safe_ports port 21 # ftp acl Safe_ports port 443 # https acl Safe_ports port 70 # gopher acl Safe_ports port 210 # wais acl Safe_ports port 1025-65535 # unregistered ports acl Safe_ports port 280 # http-mgmt acl Safe_ports port 488 # gss-http acl Safe_ports port 591 # filemaker acl Safe_ports port 777 # multiling http acl CONNECT method CONNECT # # Recommended minimum Access Permission configuration: # # Deny requests to certain unsafe ports http_access deny !Safe_ports # Deny CONNECT to other than secure SSL ports http_access deny CONNECT !SSL_ports # Only allow cachemgr access from localhost http_access allow localhost manager http_access deny manager # We strongly recommend the following be uncommented to protect innocent # web applications running on the proxy server who think the only # one who can access services on "localhost" is a local user #http_access deny to_localhost # # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS # # Example rule allowing access from your local networks. # Adapt localnet in the ACL section to list your (internal) IP networks # from where browsing should be allowed http_access allow localnet http_access allow localhost # And finally deny all other access to this proxy http_access deny all # Squid normally listens to port 3128 always_direct allow all ssl_bump bump all sslproxy_cert_error allow all http_port 3128 ssl-bump cert=/etc/squid/squid.pem key=/etc/squid/squid.pem generate-host-certificates=on optiOns=NO_SSLv2 #http_port 3128 cache_peer 127.0.0.1 parent 10809 0 no-query never_direct allow all # Uncomment and adjust the following to add a disk cache directory. cache_dir ufs /var/cache/squid 100 16 256 # Leave coredumps in the first cache dir coredump_dir /var/cache/squid # # Add any of your own refresh_pattern entries above these. # refresh_pattern ^ftp: 1440 20% 10080 refresh_pattern ^gopher: 1440 0% 1440 refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 refresh_pattern . 0 20% 4320 dns_nameservers 8.8.8.8 
故障表现为能访问所有 https 的网站,比如现在可以访问 v2 , http 的网站全部无法访问。
报如下错误:
DNS设置的是本地电信DNS,nslookup可以正常解析。 ]]>
只允许指定 ip 客户端连接的正确方法是怎么设
置呢?
http_port 3128 http_port 80 # not display IP address forwarded_for off # header request_header_access Referer deny all request_header_access X-Forwarded-For deny all request_header_access Via deny all request_header_access Cache-Control deny all acl Safe_ports port 80 # http acl Safe_ports port 21 # ftp acl Safe_ports port 443 563 # https, snews acl Safe_ports port 70 # gopher acl Safe_ports port 210 # wais acl Safe_ports port 280 # http-mgmt acl Safe_ports port 488 # gss-http acl Safe_ports port 591 # filemaker acl Safe_ports port 777 # multiling http acl Safe_ports port 1025-65535 # unregistered ports acl SSL_ports port 443 563 acl CONNECT method CONNECT #acl unicomip dst "/etc/squid3/unicomip" #http_access deny !unicomip http_access deny !Safe_ports http_access deny CONNECT !SSL_ports cache_peer 127.0.0.1 parent 8123 0 no-query no-digest round-robin weight=1 name=shadowsocks # 默认走 shadowsocks, 国内 ip 走国内 acl chinaip dst "/etc/squid3/chinaip" always_direct allow chinaip never_direct allow !chinaip 前两天试着搭建成功过,但是因为机器原因,配置文件丢失,今天按照同样的步骤重新配置之后每次启动都会提示
helperOpenServers: Starting 0/5 'basic_ncsa_auth' processes
helperOpenServers: No 'basic_ncsa_auth' processes needed.
用的是 http://www.cyberciti.biz/tips/linux-unix-squid-proxy-server-authentication.html 的步骤,和之前一样的
配置文件:
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged ) machines
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost
http_access deny all
https_port 9000
auth_param basic program /usr/lib64/squid/basic_ncsa_auth /etc/squid/users
auth_param basic children 5
auth_param basic credentialsttl 2 hours
acl Admin proxy_auth REQUIRED
http_access allow Admin
http_access deny all
coredump_dir /var/spool/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
/etc/squid/users 这个文件是存在的,经过测试有效,内含 Admin 用户密码信息
除了开头提到的一句提示以外无任何错误信息,折腾一天,换了不同机器,不同版本,百思不得其解,到底哪里错了?...
]]>使用版本3.3.8,应该已经修复不能重新打包https请求的bug。--enable-ssl的编译选项已打开,而且客户端直连parent squid是可以翻墙的,这点已经测试。
本以为child squid在向parent squid的https_port转发请求时会重新使用ssl加密http请求,但是实际测试结果中,parent的cache_log中出现大量的
“SSL routines:SSL23_GET_CLIENT_HELLO:https proxy request”
换句话说,收到的仍然是http请求。这样翻墙计划就破产了…
现在child squid的cache_peer选项配置如下:
cache_peer proxy.xxx.org parent 443 0 no-query \
ssl sslflags=DONT_VERIFY_PEER
请教有经验的兄弟:是不是squid没有重新加密普通http请求的能力? ]]>