HTTPS 连接中的 Squid 代理用户

HTTPS 连接中的 Squid 代理用户

我在 Squid 代理日志中发现,对于 HTTPS 连接无法记录用户名。您认为这是我的配置错误,还是由于加密而无法记录?如果是后者,是否意味着 HTTPS 对匿名用户始终是不受限制的?

这是我的配置:

# squid.conf excerpt posted with the question: NTLM/basic proxy authentication
# via Samba's ntlm_auth, group-based access control through an external ACL
# helper, domain/keyword block lists, and an access log written both to a file
# and to a MySQL logging daemon.
#
# Authentication helpers. NTLM is offered first; the basic scheme is backed by
# the same ntlm_auth binary so both schemes validate against the same domain.
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 10
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm MyDomain
# Basic credentials are cached for 2 hours before the helper is consulted again.
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
authenticate_cache_garbage_interval 10 seconds
# Group-membership lookups: the authenticated login (%LOGIN) is passed to
# wbinfo_group.pl; ttl=0 means results are not cached between requests.
external_acl_type nt_group ttl=0 children=5 %LOGIN /usr/lib/squid/wbinfo_group.pl
acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
# Client networks allowed to use the proxy (RFC1918 ranges).
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
# Destinations inside the private ranges; see the http_access rules below,
# where these are reachable without authentication.
acl to_localnet dst 10.0.0.0/8
acl to_localnet dst 172.16.0.0/12
acl to_localnet dst 192.168.0.0/16
# Matches only when the request carries valid proxy credentials.
acl loggedUser  proxy_auth REQUIRED
# Domain groups resolved through the nt_group helper above.
acl proxyUser external nt_group ProxyUsers
acl proxySuperUser external nt_group ProxySuperUsers
# Allow/deny lists kept in external files.
acl allowDomains dstdomain "/etc/squid/allowdomains.txt"
acl pornDomains dstdomain "/etc/squid/porndomains.txt"
acl proxyDomains dstdomain "/etc/squid/webproxydomains.txt"
acl denyDomains dstdomain "/etc/squid/denydomains.txt"
acl denyKeywords url_regex -i "/etc/squid/denykeywords.txt"
# Ports a CONNECT tunnel may target (see "deny CONNECT !SSL_ports" below).
acl SSL_ports port 443-444  # https
acl Safe_ports port 80      # http
acl Safe_ports port 20 21   # ftp
acl Safe_ports port 443     # https
acl Safe_ports port 70      # gopher
acl Safe_ports port 210     # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280     # http-mgmt
acl Safe_ports port 488     # gss-http
acl Safe_ports port 591     # filemaker
acl Safe_ports port 777     # multiling http
acl Safe_ports port 631     # cups
acl Safe_ports port 873     # rsync
acl Safe_ports port 901     # SWAT
# NOTE(review): Ftp_ports covers the whole 1025-65535 range, and the
# "allow CONNECT Ftp_ports loggedUser" rule below runs before the
# "deny CONNECT !SSL_ports" rule, so any authenticated user can open a
# CONNECT tunnel to any high port, not just to HTTPS ports. If the intent is
# passive FTP only, consider narrowing this range.
acl Ftp_ports port 20 21    # ftp
acl Ftp_ports port 1025-65535   # unregistered ports
acl purge method PURGE
acl CONNECT method CONNECT
# Responses that are authentication challenges / access denials; used to
# suppress their log entries further down (log_access deny ...).
acl authChallenge rep_header X-Squid-Error ERR_CACHE_ACCESS_DENIED
acl authChallenge2 rep_header X-Squid-Error ERR_ACCESS_DENIED
# Access rules are evaluated top to bottom; the first matching line decides.
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
# Authenticated users may tunnel to Ftp_ports (see the NOTE above on its width).
http_access allow CONNECT Ftp_ports loggedUser
http_access deny CONNECT !SSL_ports
http_access deny !localnet
# These two allows come BEFORE the authentication requirement, so requests to
# private-range destinations and to allowDomains are served without a login;
# no username is available for the %un log field on those requests.
http_access allow to_localnet
http_access allow allowDomains
# Everything past this point requires proxy authentication. A CONNECT request
# (e.g. for HTTPS) is itself evaluated by this chain, so unless it matched an
# earlier allow it must also carry credentials — presumably the username of
# the CONNECT request is then available to the log; confirm in access.log.
http_access deny !loggedUser
http_access deny pornDomains
http_access allow proxySuperUser
http_access deny proxyDomains
http_access deny denyDomains
http_access deny denyKeywords
http_access allow proxyUser
http_access deny all
icp_access allow localnet
icp_access deny all
http_port 8080
hierarchy_stoplist cgi-bin ?
# Custom log format for the MySQL daemon; %un is the authenticated user name.
logformat squid_mysql  %ts.%03tu %6tr %>a %Ss %03Hs %<st %rm %ru %un %Sh %<A %mt
access_log /var/log/squid/access.log squid
access_log daemon:/etc/squid/log_mysql_daemon.conf squid_mysql
# Do not log the 407 challenge / denial responses matched by the ACLs above.
log_access deny authChallenge
log_access deny authChallenge2
logfile_daemon /usr/lib/squid/log_mysql_daemon.pl
# NOTE(review): the address below appears as a redacted placeholder in the
# posted config; the real value is not shown here.
ftp_user [email protected]
ftp_passive on
refresh_pattern ^ftp:       1440    20% 10080
refresh_pattern ^gopher:    1440    0%  1440
refresh_pattern -i (/cgi-bin/|\?) 0 0%  0
refresh_pattern (Release|Packages(.gz)*)$   0   20% 2880
refresh_pattern .       0   20% 4320
# Do not upgrade SHOUTcast (ICY) streams from HTTP/0.9.
acl shoutcast rep_header X-HTTP09-First-Line ^ICY.[0-9]
upgrade_http0.9 deny shoutcast
# Tolerate broken Vary/encoding handling from Apache servers.
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
# Extra request methods (used by WebDAV/Subversion clients) to pass through.
extension_methods REPORT MERGE MKACTIVITY CHECKOUT
# Custom error pages, one per deny reason.
error_directory /var/www/proxy/pages
deny_info ERR_ACL_LOGGED loggedUser
deny_info ERR_ACL_PROXYUSER proxyUser
deny_info ERR_ACL_PORN pornDomains
deny_info ERR_ACL_PROXY proxyDomains
deny_info ERR_ACL_DOMAIN denyDomains
deny_info ERR_ACL_WORDS denyKeywords  
hosts_file /etc/hosts
coredump_dir /var/spool/squid

答案1

HTTPS 的特性决定了,除了连接的 IP 端点地址和 TCP 端口之外,代理无法监听或拦截隧道内传输的任何数据。

请参阅此处了解 Squid 如何处理 HTTPS:http://wiki.squid-cache.org/Features/HTTPS
