Setting up a Squid transparent proxy with SSL bump on Debian 10

I have Debian 10 using Squid as a transparent proxy. Now I want to add SSL.

# apt-get install openssl
# mkdir -p /etc/squid/cert
# cd /etc/squid/cert
# openssl req -new -newkey rsa:4096 -sha256 -days 365 -nodes -x509 -keyout myCA.pem -out myCA.pem
# openssl x509 -in myCA.pem -outform DER -out myCA.der

# iptables -t nat -A PREROUTING -i br0 -p tcp --dport 443 -j DNAT --to 192.168.1.51:3129
# iptables -t nat -A PREROUTING -i br0 -p tcp --dport 443 -j REDIRECT --to-port 3129
# iptables-save > /etc/iptables/rules.v4

Question 1: What I have read so far indicates that next I need to run

/usr/lib/squid/security_file_certgen -c -s /var/cache/squid/ssl_db -M 4MB

but I cannot find security_file_certgen on my system.

Question 2: If I go ahead and add this to squid.conf

https_port 3129 intercept ssl-bump cert=/etc/squid/cert/myCA.pem generate-host-certificates=on

then Squid fails to start:

2020/10/07 14:09:27| FATAL: Unknown https_port option 'ssl-bump'.
2020/10/07 14:09:27| FATAL: Bungled /etc/squid/squid.conf line 5: https_port 3129 int
2020/10/07 14:09:27| Squid Cache (Version 4.6): Terminated abnormally.
CPU Usage: 0.017 seconds = 0.017 user + 0.000 sys
Maximum Resident Size: 57792 KB
Page faults with physical i/o: 0
FATAL: Bungled /etc/squid/squid.conf line 5: https_port 3129 intercept ssl-bump cert=
squid.service: Control process exited, code=exited, status=1/FAILURE
squid.service: Failed with result 'exit-code'.
Failed to start Squid Web Proxy Server.

I notice that squid -v contains neither --enable-ssl-crtd nor --with-openssl, but I don't understand what to do about it.

Update

At the time of writing, all the guides on the Internet are out of date, because ssl-bump (https://wiki.squid-cache.org/Features/SslBump) was replaced by server-first (https://wiki.squid-cache.org/Features/BumpSslServerFirst), and server-first was replaced by peek-n-splice (https://wiki.squid-cache.org/Features/SslPeekAndSplice).

I hoped this might work; I took it from https://serverfault.com/questions/743483/transparent-http-https-domain-filtering-proxy:

https_port 3129 intercept ssl-bump
ssl_bump peek all
ssl_bump splice all

But it does not:

2020/10/08 09:57:49| FATAL: Unknown https_port option 'ssl-bump'.
2020/10/08 09:57:49| FATAL: Bungled /etc/squid/squid.conf line 6: https_port 3129 int
2020/10/08 09:57:49| Squid Cache (Version 4.6): Terminated abnormally.
CPU Usage: 0.017 seconds = 0.008 user + 0.008 sys
Maximum Resident Size: 57152 KB
Page faults with physical i/o: 0
FATAL: Bungled /etc/squid/squid.conf line 6: https_port 3129 intercept ssl-bump
squid.service: Control process exited, code=exited, status=1/FAILURE
squid.service: Failed with result 'exit-code'.
Failed to start Squid Web Proxy Server.

Update: compiling Squid with SSL

# cd ~
# mkdir squid-build
# cd squid-build
# apt-get install openssh-server net-tools
# apt-get install openssl devscripts build-essential fakeroot libdbi-perl libssl-dev   # libssl1.0-dev
# apt-get install dpkg-dev
# apt-get source squid
# apt-get build-dep squid
# cd squid-4.6/
# vi debian/rules
# dpkg-source --commit

Add these flags to DEB_CONFIGURE_EXTRA_FLAGS in the debian/rules file:

--with-default-user=proxy \
--enable-ssl \
--enable-ssl-crtd \
--with-openssl \
--disable-ipv6

...and build...

# debuild -us -uc

...and install...

# cd ..
# pwd 
/root/squid-build
# mv squid3*.deb squid3.deb.NotIncluded
# dpkg -i *.deb

However, there is still no ssl_crtd.

Has it been renamed to security_file_certgen? (https://bugzilla.redhat.com/show_bug.cgi?id=1397644)

Update: compiling Squid

I have compiled Squid and have it running for HTTP, but I have no idea what to do about HTTPS, and apparently neither does anyone else. Is it just not possible? It seems to be related to the certificate in squid.conf.

Answer 1

This is not a direct answer to your question, since I only use Squid as a local caching proxy. I am posting it here anyway because your question is the closest to what I needed, and now that I have solved it I want to share.

On Debian 11/Bullseye, the package you want to install is squid-openssl (Squid v4.x compiled --with-openssl).

apt install -y squid-openssl

Then set up the (self-signed) trusted CA certificate:

CERT_D=/etc/squid/cert
CERT=$CERT_D/squid_proxyCA.pem
rm -rf $CERT
mkdir -p $CERT_D
# Generate local self-signed CA certificate/key (in the same file)
openssl req -new -newkey rsa:4096 -sha256 -days 365 -nodes -x509 -keyout $CERT -out $CERT
chown -R proxy:proxy $CERT_D
chmod 0400 $CERT

# add squid_proxyCA cert to system so it's trusted by default
CA_CERT_D=/usr/local/share/ca-certificates
rm -rf $CA_CERT_D/*
mkdir -p $CA_CERT_D
openssl x509 -inform PEM -in $CERT -out $CA_CERT_D/squid_proxyCA.crt
update-ca-certificates

Configure Squid to generate certificates dynamically:

/usr/lib/squid/security_file_certgen -c -s /var/spool/squid/ssl_db -M 4MB
chown -R proxy:proxy /var/spool/squid

Then here is my /etc/squid/squid.conf (note that it is very minimal, only accepts connections from localhost and only listens on IPv4):

acl SSL_ports port 443

acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 1025-65535  # unregistered ports

acl purge method PURGE
acl CONNECT method CONNECT

http_access allow manager localhost
http_access deny manager

http_access allow purge localhost
http_access deny purge

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

http_access allow localhost
http_access deny all

http_port 127.0.0.1:3128 ssl-bump cert=/etc/squid/cert/squid_proxyCA.pem generate-host-certificates=on options=NO_SSLv3,NO_TLSv1,NO_TLSv1_1,SINGLE_DH_USE,SINGLE_ECDH_USE
ssl_bump bump all

coredump_dir /var/spool/squid
logfile_rotate 0

refresh_pattern -i (/cgi-bin/|\?) 0 0%  0
refresh_pattern .       0   20% 4320

cache_dir ufs /var/spool/squid 200 16 256

Finally, restart Squid:

systemctl reload squid

Another thing worth mentioning is that the proxy URL http://127.0.0.1:3028 should be used for both http_proxy and https_proxy (note the http-, i.e. even when used as the https proxy). If/when used with https, Squid will upgrade the connection to use TLS/SSL.

Answer 2

# apt-get install openssl
# mkdir -p /etc/squid/cert
# cd /etc/squid/cert
# openssl req -new -newkey rsa:4096 -sha256 -days 365 -nodes -x509 -keyout myCA.pem -out myCA.pem
# openssl x509 -in myCA.pem -outform DER -out myCA.der
# chown -R proxy:proxy /etc/squid/cert
# chmod 700 /etc/squid/cert

# /usr/lib/squid/security_file_certgen -c -s /var/spool/squid/ssl_db -M 4MB
# chown -R proxy:proxy /var/spool/squid/ssl_db/

and in squid.conf:

https_port 3129 intercept ssl-bump cert=/etc/squid/cert/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
ssl_bump peek all
ssl_bump splice all

For interception:

iptables -t nat -A PREROUTING -i br0 -p tcp --dport 443 -j DNAT --to 192.168.1.51:3129
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 443 -j REDIRECT --to-port 3129

(br0 is my internal network.)

Here is a command to see the most-cached domains. SSL shows up blank.

awk 'BEGIN {FS="[ ]+"}; {print $7}' < /var/log/squid/access.log | awk 'BEGIN {FS="/"}; {print $3}' | sort | uniq -c |sort -k1,1nr -k2,2 | head
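The blank SSL entries come from the log format: with peek/splice, TLS connections are logged as CONNECT lines whose URL field is "host:443" with no scheme or path, so splitting on "/" yields nothing. The script below is an added example (not from the question or any of the answers) that normalises both URL forms and also reports how many bytes were spliced tunnels, which Squid relays opaquely and can never cache; the access.log sample is constructed.

```shell
#!/bin/sh
# Constructed sample of Squid native-format access.log lines (not real traffic):
# timestamp elapsed client action/code bytes method URL ident hierarchy/peer type
SAMPLE_LOG='1602070100.101    245 192.168.1.20 TCP_MISS/200 5123 GET http://example.com/index.html - HIER_DIRECT/192.0.2.10 text/html
1602070100.250     12 192.168.1.20 TCP_HIT/200 812 GET http://example.com/logo.png - HIER_NONE/- image/png
1602070101.003  30211 192.168.1.21 TCP_TUNNEL/200 48211 CONNECT example.com:443 - HIER_DIRECT/192.0.2.10 -
1602070102.777  15020 192.168.1.22 TCP_TUNNEL/200 9021 CONNECT wiki.squid-cache.org:443 - HIER_DIRECT/203.0.113.5 -
1602070103.500    300 192.168.1.20 TCP_MISS/200 2210 GET http://wiki.squid-cache.org:80/Features/SslBump - HIER_DIRECT/203.0.113.5 text/html
1602070104.120     50 192.168.1.23 TCP_DENIED/403 3500 GET error:invalid-request - HIER_NONE/- text/html'

# Count requests per destination host from access.log lines on stdin.
# Field 7 is the URL: "scheme://host[:port]/path" for plain HTTP,
# "host:port" for CONNECT (spliced TLS), and "error:..." for failed requests.
top_domains() {
    awk '{
        url = $7
        if (url == "-" || index(url, "error:") == 1) next          # no real destination
        p = index(url, "://"); if (p > 0) url = substr(url, p + 3)  # drop scheme
        q = index(url, "/");   if (q > 0) url = substr(url, 1, q - 1) # drop path
        sub(/:[0-9]+$/, "", url)                                     # drop port
        count[tolower(url)]++
    }
    END { for (h in count) printf "%d %s\n", count[h], h }' | sort -k1,1nr -k2,2
}

# Print "tunneled total" byte counts. TCP_TUNNEL entries are spliced TLS
# connections relayed without inspection, so they never yield cache hits.
tunneled_bytes() {
    awk '{ total += $5; if (index($4, "TCP_TUNNEL") == 1) tun += $5 }
         END { printf "%d %d\n", tun, total }'
}

printf '%s\n' "$SAMPLE_LOG" | top_domains
printf '%s\n' "$SAMPLE_LOG" | tunneled_bytes
```

Run it against the real file with `top_domains < /var/log/squid/access.log`; the "tunneled" share tells you how much of the traffic a splice-all setup can never cache.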

Answer 3

Don't bother; it is a waste of time:

  • strictly speaking it is a man-in-the-middle attack, and
  • the number of cache hits is negligible (I suspect browser caches already do a good job on things like the Google logo).
