我想创建一个 HTTPS squid 代理(这种),任何人都可以使用它来访问任何网站。这不是反向代理,而是整个互联网的代理。出于安全原因,不应允许访问我子网上的 IP。我获得了 LetsEncrypt 证书,proxy.mydomain.com
我想知道如何为此正确配置 squid。这是我当前的配置文件:
########### squid.conf ###########
#
## interface, port and proxy type
#http_port 0.0.0.0:80 transparent
https_port 0.0.0.0:443 intercept tls-cert="/etc/letsencrypt/live/proxy.mydomain.com/fullchain.pem"
## timeouts
forward_timeout 30 seconds
connect_timeout 30 seconds
read_timeout 30 seconds
request_timeout 30 seconds
persistent_request_timeout 1 minute
client_lifetime 20 hours
## host definitions
acl all src 0.0.0.0/0
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl localnet src 0.0.0.1-0.255.255.255 # RFC 1122 "this" network (LAN)
acl localnet src 10.0.0.0/8 # RFC 1918 local private network (LAN)
acl localnet src 100.64.0.0/10 # RFC 6598 shared address space (CGN)
acl localnet src 169.254.0.0/16 # RFC 3927 link-local (directly plugged) machines
acl localnet src 172.16.0.0/12 # RFC 1918 local private network (LAN)
acl localnet src 192.168.0.0/16 # RFC 1918 local private network (LAN)
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
http_access deny localnet
## proxy server client access
acl mynetworks src 127.0.0.0/8 10.10.10.0/28
#http_access deny !mynetworks
## max connections per ip
acl maxuserconn src 127.0.0.0/8 10.0.10.0/28
acl limitusercon maxconn 500
http_access deny maxuserconn limitusercon
## disable caching
cache deny all
cache_dir null /tmp
## disable multicast icp
icp_port 0
icp_access deny all
## disable ident lookups
ident_lookup_access deny all
## no-trust for on-the-fly Content-Encoding
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
## logs
logformat combined [%tl] %>A %{Host}>h "%rm %ru HTTP/%rv" %Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
access_log /var/log/squid/access.log combined
cache_store_log /var/log/squid/store.log
cache_log /var/log/squid/cache.log
logfile_rotate 8
## support files
coredump_dir /tmp
pid_filename /var/log/squid/squid.pid
## ports allowed
acl Safe_ports port 80 443
http_access deny !Safe_ports
## ssl ports/method allowed
acl SSL_ports port 443
acl CONNECT method CONNECT
http_access deny CONNECT !SSL_ports
## protocols allowed
acl Safe_proto proto HTTP SSL
http_access deny !Safe_proto
## methods allowed
acl Safe_method method CONNECT GET HEAD POST OPTIONS PUT PATCH
http_access deny !Safe_method
## allow replies to client requests
http_reply_access allow all
########## END ###########
我进行了编辑/etc/init.d/squid
,以使用标志运行 squid --with-openssl
。
运行sudo service squid status
结果一切看上去都很好。
然而,当我尝试通过连接到该代理时curl -p https://localhost:443 api.ipify.org -v
,我得到了curl: (7) Failed to connect to localhost port 443: Connection refused
。
我究竟做错了什么?
答案1
我认为您不需要在 squid 中配置 SSL 证书才能运行 HTTPS 代理。
如果你看看接受的答案对于您链接的问题,您应该明白为什么。
对于 HTTPS 代理,从您的浏览器到代理的连接 ( proxy.mydomain.com
) 并不安全,但浏览器对代理执行的第一件事就是CONNECT
向代理发出命令以启动与 HTTPS 目标的连接。
因此,从您的浏览器到 superuser.com 都是 HTTPS,并且proxy.mydomain.com
只是混洗数据,无法读取任何数据。