我已经设置了一个鱿鱼服务器,它将用户重定向到http://testas.lt/,但它仅适用于 HTTP 站点,使用 HTTPS 时我收到错误。这是代码:
http_port 8080 intercept
http_port 3128
acl Safe_ports port 80 # http
http_access deny !Safe_ports
http_access allow localhost manager
http_access deny manager
acl users-net src 192.168.0.0/8
acl users src 192.168.88.0/13
acl unknown src 192.168.80.0/13
acl police-block src 192.168.95.0./16
acl whitelist dstdomain .googleapis.com
acl whitelist dstdomain www.omdbapi.com
acl skola-www dstdomain testas.lt
http_access deny unknown
http_access allow users skola-www
http_access deny users
deny_info http://testas.lt users
http_access allow users-net whitelist
http_access allow localhost
http_access deny all
cache_mem 1024 MB
maximum_object_size_in_memory 2048 KB
coredump_dir /var/spool/squid3
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
如果我尝试使用 HTTP 打开站点,它会按预期重定向,但如果我尝试使用 HTTPS 打开站点:
1594793109.611 0 192.168.123.8 TCP_DENIED/302 354 CONNECT google.com:443 - HIER_NONE/- text/html
和http://y8.com测试日志:
1594793421.805 0 192.168.123.8 TCP_DENIED/302 354 GET http://y8.com/ - HIER_NONE/- text/html
1594793422.155 26684 192.168.123.8 TCP_TUNNEL_ABORTED/200 4428 CONNECT testas.lt:443 - HIER_DIRECT/141.136.37.203 -
答案1
在最简单的级别上,您没有定义任何规则来允许 HTTPS 流量通过鱿鱼进行连接。 (在更复杂的级别,您需要创建受信任的证书,以便您可以使用 拦截和验证 HTTPS 流量ssl-bump
。我在这里不展示这一点。)
acl CONNECT method CONNECT
acl SSL_ports port 443
acl Safe_ports port 443 # https
http_access deny CONNECT !SSL_ports