Why does squid deny https requests but allow http requests to the same site?

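I want developers to be able to use only GitHub Copilot, and to deny all other requests.

According to GitHub's information: https://docs.github.com/en/copilot/troubleshooting-github-copilot/troubleshooting-firewall-settings-for-github-copilot

I added the URLs to the whitelist. Here is the whitelist: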

[root@web-ide-squid-cache squid]# cat whitelist.txt
.baidu.com
.github.com/login/*
.api.github.com/user
.api.github.com/copilot_internal/*
.copilot-telemetry.githubusercontent.com/telemetry
.default.exp-tas.com/
.copilot-proxy.githubusercontent.com/
.origin-tracker.githubusercontent.com
*.githubcopilot.com

Here is the conf file:

[root@web-ide-squid-cache squid]# cat squid.conf
#
# Recommended minimum configuration:
#
debug_options ALL,1 33,2 28,9
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 0.0.0.1-0.255.255.255  # RFC 1122 "this" network (LAN)
acl localnet src 10.0.0.0/8             # RFC 1918 local private network (LAN)
acl localnet src 100.64.0.0/10          # RFC 6598 shared address space (CGN)
acl localnet src 169.254.0.0/16         # RFC 3927 link-local (directly plugged) machines
acl localnet src 172.16.0.0/12          # RFC 1918 local private network (LAN)
acl localnet src 192.168.0.0/16         # RFC 1918 local private network (LAN)
acl localnet src fc00::/7               # RFC 4193 local private network range
acl localnet src fe80::/10              # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
acl whitelist dstdomain "/etc/squid/whitelist.txt"
http_access allow whitelist
http_access deny all

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost

# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128
http_port 8080
http_port 3128 transparent
https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=8MB cert=/etc/squid/ssl_cert/myCA.pem
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all
ssl_bump splice all
sslproxy_cert_error allow  all
tls_outgoing_options cipher=ALL

# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/spool/squid 100 16 256

# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid

#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320

curl without https succeeds:

coder@cloudide:~$ curl  -v www.baidu.com
*   Trying 182.61.200.7:80...
* Connected to www.baidu.com (182.61.200.7) port 80 (#0)
> GET / HTTP/1.1
> Host: www.baidu.com
> User-Agent: curl/7.74.0
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Accept-Ranges: bytes
< Cache-Control: private, no-cache, no-store, proxy-revalidate, no-transform
< Content-Length: 2381
< Content-Type: text/html
< Date: Thu, 25 Jan 2024 01:57:51 GMT
< ETag: "588604c1-94d"
< Last-Modified: Mon, 23 Jan 2017 13:27:29 GMT
< Pragma: no-cache
< Server: bfe/1.0.8.18
< Set-Cookie: BDORZ=27315; max-age=86400; domain=.baidu.com; path=/
< X-Cache: MISS from web-ide-squid-cache.novalocal
< X-Cache-Lookup: MISS from web-ide-squid-cache.novalocal:8080
< Via: 1.1 web-ide-squid-cache.novalocal (squid/4.9)
< Connection: keep-alive
< 
* Connection #0 to host www.baidu.com left intact

curl to the same site with https fails:

curl  -v https://www.baidu.com
*   Trying 182.61.200.6:443...
* Connected to www.baidu.com (182.61.200.6) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: CN=www.baidu.com
*  start date: Jan 11 12:21:14 2024 GMT
*  expire date: Jan  9 12:21:14 2029 GMT
*  subjectAltName: host "www.baidu.com" matched cert's "www.baidu.com"
*  issuer: C=CN; ST=Beijing; L=Beijing; O=ES; OU=IT Department; CN=easystack.cn; [email protected]
*  SSL certificate verify ok.
> GET / HTTP/1.1
> Host: www.baidu.com
> User-Agent: curl/7.74.0
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 403 Forbidden
< Server: squid/4.9
< Mime-Version: 1.0
< Date: Thu, 25 Jan 2024 01:56:08 GMT
< Content-Type: text/html;charset=utf-8
< Content-Length: 3455
< X-Squid-Error: ERR_ACCESS_DENIED 0
< Vary: Accept-Language
< Content-Language: en
< X-Cache: MISS from web-ide-squid-cache.novalocal
< X-Cache-Lookup: NONE from web-ide-squid-cache.novalocal:8080
< Via: 1.1 web-ide-squid-cache.novalocal (squid/4.9)
< Connection: close
< 
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html><head>
<meta type="copyright" content="Copyright (C) 1996-2019 The Squid Software Foundation and contributors">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>ERROR: The requested URL could not be retrieved</title>
</head><body id=ERR_ACCESS_DENIED>
<div id="titles">
<h1>ERROR</h1>
<h2>The requested URL could not be retrieved</h2>
</div>
<hr>

<div id="content">
<p>The following error was encountered while trying to retrieve the URL: <a href="https://182.61.200.6/*">https://182.61.200.6/*</a></p>

<blockquote id="error">
<p><b>Access Denied.</b></p>
</blockquote>

<p>Access control configuration prevents your request from being allowed at this time. Please contact your service provider if you feel this is incorrect.</p>

<p>Your cache administrator is <a href="mailto:webmaster?subject=CacheErrorInfo%20-%20ERR_ACCESS_DENIED&amp;body=CacheHost%3A%20web-ide-squid-cache.novalocal%0D%0AErrPage%3A%20ERR_ACCESS_DENIED%0D%0AErr%3A%20%5Bnone%5D%0D%0ATimeStamp%3A%20Thu,%2025%20Jan%202024%2001%3A56%3A08%20GMT%0D%0A%0D%0AClientIP%3A%2010.0.3.223%0D%0A%0D%0AHTTP%20Request%3A%0D%0ACONNECT%20%2F%20HTTP%2F1.1%0AHost%3A%20182.61.200.6%0D%0A%0D%0A%0D%0A">webmaster</a>.</p>
<br>
</div>

<hr>
<div id="footer">
<p>Generated Thu, 25 Jan 2024 01:56:08 GMT by web-ide-squid-cache.novalocal (squid/4.9)</p>
<!-- ERR_ACCESS_DENIED -->
</div>
</body></html>
* Closing connection 0
* TLSv1.2 (OUT), TLS alert, close notify (256):

Here is the cache log for the failure:

2024/01/24 19:52:38.494 kid1| 28,4| Eui48.cc(179) lookup: id=0x31f5fe4 query ARP table
2024/01/24 19:52:38.495 kid1| 28,4| Eui48.cc(224) lookup: id=0x31f5fe4 query ARP on each interface (120 found)
2024/01/24 19:52:38.495 kid1| 28,4| Eui48.cc(230) lookup: id=0x31f5fe4 found interface lo
2024/01/24 19:52:38.495 kid1| 28,4| Eui48.cc(230) lookup: id=0x31f5fe4 found interface eth0
2024/01/24 19:52:38.495 kid1| 28,4| Eui48.cc(239) lookup: id=0x31f5fe4 looking up ARP address for 10.0.3.223 on eth0
2024/01/24 19:52:38.495 kid1| 28,4| Eui48.cc(275) lookup: id=0x31f5fe4 got address fa:16:3e:09:f3:23 on eth0
2024/01/24 19:52:38.495 kid1| 28,3| Checklist.cc(70) preCheck: 0x3189708 checking slow rules
2024/01/24 19:52:38.495 kid1| 28,5| Acl.cc(124) matches: checking (ssl_bump rules)
2024/01/24 19:52:38.495 kid1| 28,5| Checklist.cc(397) bannedAction: Action 'ALLOWED/3' is not banned
2024/01/24 19:52:38.495 kid1| 28,5| Acl.cc(124) matches: checking (ssl_bump rule)
2024/01/24 19:52:38.495 kid1| 28,5| Acl.cc(124) matches: checking step1
2024/01/24 19:52:38.495 kid1| 28,3| Acl.cc(151) matches: checked: step1 = 1
2024/01/24 19:52:38.495 kid1| 28,3| Acl.cc(151) matches: checked: (ssl_bump rule) = 1
2024/01/24 19:52:38.495 kid1| 28,3| Acl.cc(151) matches: checked: (ssl_bump rules) = 1
2024/01/24 19:52:38.495 kid1| 28,3| Checklist.cc(63) markFinished: 0x3189708 answer ALLOWED for match
2024/01/24 19:52:38.495 kid1| 28,3| Checklist.cc(163) checkCallback: ACLChecklist::checkCallback: 0x3189708 answer=ALLOWED
2024/01/24 19:52:38.495 kid1| 33,2| client_side.cc(2748) httpsSslBumpAccessCheckDone: sslBump action peekneeded for local=182.61.200.6:443 remote=10.0.3.223:4002 FD 12 flags=33
2024/01/24 19:52:38.495 kid1| 33,2| client_side.cc(3424) fakeAConnectRequest: fake a CONNECT request to force connState to tunnel for ssl-bump
2024/01/24 19:52:38.496 kid1| 28,3| Checklist.cc(70) preCheck: 0x31a4428 checking slow rules
2024/01/24 19:52:38.496 kid1| 28,5| Acl.cc(124) matches: checking http_access
2024/01/24 19:52:38.496 kid1| 28,5| Checklist.cc(397) bannedAction: Action 'DENIED/0' is not banned
2024/01/24 19:52:38.496 kid1| 28,5| Acl.cc(124) matches: checking http_access#1
2024/01/24 19:52:38.496 kid1| 28,5| Acl.cc(124) matches: checking !Safe_ports
2024/01/24 19:52:38.496 kid1| 28,5| Acl.cc(124) matches: checking Safe_ports
2024/01/24 19:52:38.496 kid1| 28,3| Acl.cc(151) matches: checked: Safe_ports = 1
2024/01/24 19:52:38.496 kid1| 28,3| Acl.cc(151) matches: checked: !Safe_ports = 0
2024/01/24 19:52:38.496 kid1| 28,3| Acl.cc(151) matches: checked: http_access#1 = 0
2024/01/24 19:52:38.496 kid1| 28,5| Checklist.cc(397) bannedAction: Action 'DENIED/0' is not banned
2024/01/24 19:52:38.496 kid1| 28,5| Acl.cc(124) matches: checking http_access#2
2024/01/24 19:52:38.496 kid1| 28,5| Acl.cc(124) matches: checking CONNECT
2024/01/24 19:52:38.496 kid1| 28,3| Acl.cc(151) matches: checked: CONNECT = 1
2024/01/24 19:52:38.496 kid1| 28,5| Acl.cc(124) matches: checking !SSL_ports
2024/01/24 19:52:38.496 kid1| 28,5| Acl.cc(124) matches: checking SSL_ports
2024/01/24 19:52:38.496 kid1| 28,3| Acl.cc(151) matches: checked: SSL_ports = 1
2024/01/24 19:52:38.496 kid1| 28,3| Acl.cc(151) matches: checked: !SSL_ports = 0
2024/01/24 19:52:38.496 kid1| 28,3| Acl.cc(151) matches: checked: http_access#2 = 0
2024/01/24 19:52:38.496 kid1| 28,5| Checklist.cc(397) bannedAction: Action 'ALLOWED/0' is not banned
2024/01/24 19:52:38.496 kid1| 28,5| Acl.cc(124) matches: checking http_access#3
2024/01/24 19:52:38.496 kid1| 28,5| Acl.cc(124) matches: checking localhost
2024/01/24 19:52:38.496 kid1| 28,9| Ip.cc(96) aclIpAddrNetworkCompare: aclIpAddrNetworkCompare: compare: 10.0.3.223:4002/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff] (10.0.3.223:4002)  vs [::1]-[::]/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff]
2024/01/24 19:52:38.496 kid1| 28,9| Ip.cc(96) aclIpAddrNetworkCompare: aclIpAddrNetworkCompare: compare: 10.0.3.223:4002/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff] (10.0.3.223:4002)  vs 127.0.0.1-[::]/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff]
2024/01/24 19:52:38.496 kid1| 28,9| Ip.cc(96) aclIpAddrNetworkCompare: aclIpAddrNetworkCompare: compare: 10.0.3.223:4002/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff] (10.0.3.223:4002)  vs 127.0.0.1-[::]/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff]
2024/01/24 19:52:38.496 kid1| 28,3| Ip.cc(538) match: aclIpMatchIp: '10.0.3.223:4002' NOT found
2024/01/24 19:52:38.496 kid1| 28,3| Acl.cc(151) matches: checked: localhost = 0
2024/01/24 19:52:38.496 kid1| 28,3| Acl.cc(151) matches: checked: http_access#3 = 0
2024/01/24 19:52:38.496 kid1| 28,5| Checklist.cc(397) bannedAction: Action 'DENIED/0' is not banned
2024/01/24 19:52:38.496 kid1| 28,5| Acl.cc(124) matches: checking http_access#4
2024/01/24 19:52:38.496 kid1| 28,5| Acl.cc(124) matches: checking manager
2024/01/24 19:52:38.496 kid1| 28,3| RegexData.cc(43) match: checking '182.61.200.6:443'
2024/01/24 19:52:38.496 kid1| 28,3| Acl.cc(151) matches: checked: manager = 0
2024/01/24 19:52:38.496 kid1| 28,3| Acl.cc(151) matches: checked: http_access#4 = 0
2024/01/24 19:52:38.496 kid1| 28,5| Checklist.cc(397) bannedAction: Action 'ALLOWED/0' is not banned
2024/01/24 19:52:38.496 kid1| 28,5| Acl.cc(124) matches: checking http_access#5
2024/01/24 19:52:38.496 kid1| 28,5| Acl.cc(124) matches: checking whitelist
2024/01/24 19:52:38.496 kid1| 28,3| DomainData.cc(110) match: aclMatchDomainList: checking '182.61.200.6'
2024/01/24 19:52:38.496 kid1| 28,3| DomainData.cc(115) match: aclMatchDomainList: '182.61.200.6' NOT found
2024/01/24 19:52:38.496 kid1| 28,3| DestinationDomain.cc(96) match: Can't yet compare 'whitelist' ACL for 182.61.200.6
2024/01/24 19:52:38.496 kid1| 28,3| Acl.cc(151) matches: checked: whitelist = -1 async
2024/01/24 19:52:38.496 kid1| 28,3| Acl.cc(151) matches: checked: http_access#5 = -1 async
2024/01/24 19:52:38.496 kid1| 28,3| Acl.cc(151) matches: checked: http_access = -1 async
2024/01/24 19:52:38.496 kid1| 28,4| FilledChecklist.cc(67) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0x3189708
2024/01/24 19:52:38.496 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0x3189708
2024/01/24 19:52:38.500 kid1| 28,5| InnerNode.cc(94) resumeMatchingAt: checking http_access at 4
2024/01/24 19:52:38.500 kid1| 28,5| Checklist.cc(397) bannedAction: Action 'ALLOWED/0' is not banned
2024/01/24 19:52:38.500 kid1| 28,5| InnerNode.cc(94) resumeMatchingAt: checking http_access#5 at 0
2024/01/24 19:52:38.500 kid1| 28,5| Acl.cc(124) matches: checking whitelist
2024/01/24 19:52:38.500 kid1| 28,3| DomainData.cc(110) match: aclMatchDomainList: checking '182.61.200.6'
2024/01/24 19:52:38.500 kid1| 28,3| DomainData.cc(115) match: aclMatchDomainList: '182.61.200.6' NOT found
2024/01/24 19:52:38.500 kid1| 28,3| DomainData.cc(110) match: aclMatchDomainList: checking 'none'
2024/01/24 19:52:38.500 kid1| 28,3| DomainData.cc(115) match: aclMatchDomainList: 'none' NOT found
2024/01/24 19:52:38.500 kid1| 28,3| Acl.cc(151) matches: checked: whitelist = 0
2024/01/24 19:52:38.500 kid1| 28,3| InnerNode.cc(97) resumeMatchingAt: checked: http_access#5 = 0
2024/01/24 19:52:38.500 kid1| 28,5| Checklist.cc(397) bannedAction: Action 'DENIED/0' is not banned
2024/01/24 19:52:38.500 kid1| 28,5| Acl.cc(124) matches: checking http_access#6
2024/01/24 19:52:38.500 kid1| 28,5| Acl.cc(124) matches: checking all
2024/01/24 19:52:38.500 kid1| 28,9| Ip.cc(96) aclIpAddrNetworkCompare: aclIpAddrNetworkCompare: compare: 10.0.3.223:4002/[::] ([::]:4002)  vs [::]-[::]/[::]
2024/01/24 19:52:38.500 kid1| 28,3| Ip.cc(538) match: aclIpMatchIp: '10.0.3.223:4002' found
2024/01/24 19:52:38.500 kid1| 28,3| Acl.cc(151) matches: checked: all = 1
2024/01/24 19:52:38.500 kid1| 28,3| Acl.cc(151) matches: checked: http_access#6 = 1
2024/01/24 19:52:38.500 kid1| 28,3| InnerNode.cc(97) resumeMatchingAt: checked: http_access = 1
2024/01/24 19:52:38.500 kid1| 28,3| Checklist.cc(63) markFinished: 0x31a4428 answer DENIED for match
2024/01/24 19:52:38.500 kid1| 28,3| Checklist.cc(163) checkCallback: ACLChecklist::checkCallback: 0x31a4428 answer=DENIED
2024/01/24 19:52:38.500 kid1| 28,5| Gadgets.cc(81) aclIsProxyAuth: aclIsProxyAuth: called for all
2024/01/24 19:52:38.500 kid1| 28,9| Acl.cc(96) FindByName: ACL::FindByName 'all'
2024/01/24 19:52:38.500 kid1| 28,5| Gadgets.cc(86) aclIsProxyAuth: aclIsProxyAuth: returning 0
2024/01/24 19:52:38.500 kid1| 28,8| Gadgets.cc(49) aclGetDenyInfoPage: got called for all
2024/01/24 19:52:38.500 kid1| 28,8| Gadgets.cc(68) aclGetDenyInfoPage: aclGetDenyInfoPage: no match
2024/01/24 19:52:38.500 kid1| 28,4| FilledChecklist.cc(67) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0x7ffe2f431e20
2024/01/24 19:52:38.500 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0x7ffe2f431e20
2024/01/24 19:52:38.500 kid1| 28,4| FilledChecklist.cc(67) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0x7ffe2f431e20
2024/01/24 19:52:38.500 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0x7ffe2f431e20
2024/01/24 19:52:38.500 kid1| 28,4| FilledChecklist.cc(67) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0x31a4428
2024/01/24 19:52:38.500 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0x31a4428
2024/01/24 19:52:38.504 kid1| 28,3| Checklist.cc(70) preCheck: 0x7ffe2f431ba0 checking fast ACLs
2024/01/24 19:52:38.504 kid1| 28,5| Acl.cc(124) matches: checking access_log daemon:/var/log/squid/access.log
2024/01/24 19:52:38.504 kid1| 28,5| Acl.cc(124) matches: checking (access_log daemon:/var/log/squid/access.log line)
2024/01/24 19:52:38.504 kid1| 28,3| Acl.cc(151) matches: checked: (access_log daemon:/var/log/squid/access.log line) = 1
2024/01/24 19:52:38.504 kid1| 28,3| Acl.cc(151) matches: checked: access_log daemon:/var/log/squid/access.log = 1
2024/01/24 19:52:38.504 kid1| 28,3| Checklist.cc(63) markFinished: 0x7ffe2f431ba0 answer ALLOWED for match
2024/01/24 19:52:38.504 kid1| 28,4| FilledChecklist.cc(67) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0x7ffe2f431ba0
2024/01/24 19:52:38.504 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0x7ffe2f431ba0
2024/01/24 19:52:38.508 kid1| 33,2| client_side.cc(891) kick: local=182.61.200.6:443 remote=10.0.3.223:4002 flags=33 Connection was closed
2024/01/24 19:52:38.508 kid1| 28,3| Checklist.cc(70) preCheck: 0x7ffe2f431f10 checking fast ACLs
2024/01/24 19:52:38.508 kid1| 28,5| Acl.cc(124) matches: checking access_log daemon:/var/log/squid/access.log
2024/01/24 19:52:38.508 kid1| 28,5| Acl.cc(124) matches: checking (access_log daemon:/var/log/squid/access.log line)
2024/01/24 19:52:38.508 kid1| 28,3| Acl.cc(151) matches: checked: (access_log daemon:/var/log/squid/access.log line) = 1
2024/01/24 19:52:38.508 kid1| 28,3| Acl.cc(151) matches: checked: access_log daemon:/var/log/squid/access.log = 1
2024/01/24 19:52:38.508 kid1| 28,3| Checklist.cc(63) markFinished: 0x7ffe2f431f10 answer ALLOWED for match
2024/01/24 19:52:38.508 kid1| 28,4| FilledChecklist.cc(67) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0x7ffe2f431f10
2024/01/24 19:52:38.508 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0x7ffe2f431f10
2024/01/24 19:52:38.508 kid1| 33,2| client_side.cc(582) swanSong: local=182.61.200.6:443 remote=10.0.3.223:4002 flags=33

Squid version:

[root@web-ide-squid-cache squid]# squid -v
Squid Cache: Version 4.9

Answer 1

Tried this and it worked: https://squid-users.squid-cache.narkive.com/IifJxaRA/whitelist-only-exception-isn-t-working-correctly

I added these two lines before my whitelist:

acl step1 at_step SslBump1
http_access allow CONNECT step1
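
Why that rule is needed, as an added example that is not part of the original post: the cache log shows Squid faking a CONNECT at SslBump1 that carries only the destination IP, so the `dstdomain` whitelist is tested against `182.61.200.6` and `deny all` decides. The script follows one `http_access` checklist through a section-28 debug log; the sample lines are abridged from the log in the question, and the function names are assumptions of this example.

```python
import ipaddress
import re

# Lines abridged from the cache.log in the question (debug sections 28 and 33).
SAMPLE_LOG = """\
2024/01/24 19:52:38.495 kid1| 33,2| client_side.cc(3424) fakeAConnectRequest: fake a CONNECT request to force connState to tunnel for ssl-bump
2024/01/24 19:52:38.496 kid1| 28,3| Checklist.cc(70) preCheck: 0x31a4428 checking slow rules
2024/01/24 19:52:38.496 kid1| 28,5| Acl.cc(124) matches: checking http_access
2024/01/24 19:52:38.496 kid1| 28,5| Acl.cc(124) matches: checking http_access#5
2024/01/24 19:52:38.496 kid1| 28,3| DomainData.cc(110) match: aclMatchDomainList: checking '182.61.200.6'
2024/01/24 19:52:38.496 kid1| 28,3| Acl.cc(151) matches: checked: http_access#5 = -1 async
2024/01/24 19:52:38.500 kid1| 28,5| InnerNode.cc(94) resumeMatchingAt: checking http_access#5 at 0
2024/01/24 19:52:38.500 kid1| 28,3| DomainData.cc(110) match: aclMatchDomainList: checking 'none'
2024/01/24 19:52:38.500 kid1| 28,3| Acl.cc(151) matches: checked: whitelist = 0
2024/01/24 19:52:38.500 kid1| 28,3| InnerNode.cc(97) resumeMatchingAt: checked: http_access#5 = 0
2024/01/24 19:52:38.500 kid1| 28,5| Acl.cc(124) matches: checking http_access#6
2024/01/24 19:52:38.500 kid1| 28,3| Acl.cc(151) matches: checked: all = 1
2024/01/24 19:52:38.500 kid1| 28,3| Acl.cc(151) matches: checked: http_access#6 = 1
2024/01/24 19:52:38.500 kid1| 28,3| Checklist.cc(63) markFinished: 0x31a4428 answer DENIED for match
"""

PRECHECK = re.compile(r"preCheck: (0x[0-9a-f]+) checking")
RULE = re.compile(r"checking (http_access#\d+)")
CHECKED = re.compile(r"checked: (.+?) = (-?\d+)")
DOMAIN = re.compile(r"aclMatchDomainList: checking '([^']*)'")
FINISHED = re.compile(r"markFinished: (0x[0-9a-f]+) answer (\w+)")


def trace_http_access(log_text):
    """Follow the first http_access checklist in a section-28 debug log."""
    trace = {"faked_connect": False, "rules": {}, "tested": [], "answer": None}
    last_ptr = ptr = rule = None
    for line in log_text.splitlines():
        if "fakeAConnectRequest" in line:
            trace["faked_connect"] = True
        if m := PRECHECK.search(line):
            last_ptr = m.group(1)
        if line.rstrip().endswith("matches: checking http_access"):
            ptr = last_ptr  # the checklist pointer to follow until markFinished
        if ptr is None:
            continue
        if m := RULE.search(line):
            rule = m.group(1)
            trace["rules"].setdefault(rule, {"result": None, "acls": {}})
        elif (m := DOMAIN.search(line)) and m.group(1) not in trace["tested"]:
            trace["tested"].append(m.group(1))  # value the dstdomain ACL compared
        elif m := CHECKED.search(line):
            name, value = m.group(1), int(m.group(2))
            if name in trace["rules"]:
                trace["rules"][name]["result"] = value  # -1 (async) is replaced on resume
            elif rule and name != "http_access":
                trace["rules"][rule]["acls"][name] = value
        elif (m := FINISHED.search(line)) and m.group(1) == ptr:
            trace["answer"] = m.group(2)
            break
    return trace


def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def explain(trace):
    """Name the deciding rule and flag a dstdomain ACL that only ever saw an IP."""
    deciding = next((r for r, d in trace["rules"].items() if d["result"] == 1), None)
    ip_only = bool(trace["tested"]) and all(_is_ip(v) or v == "none" for v in trace["tested"])
    return {"deciding_rule": deciding, "answer": trace["answer"],
            "dstdomain_saw_only_ip": trace["faked_connect"] and ip_only}

print(explain(trace_http_access(SAMPLE_LOG)))
```

With `http_access allow CONNECT step1` in place, the whitelist still applies to the bumped requests that follow, where the Host header carries the domain name.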
