我在 Squid 代理的访问日志中发现,HTTPS 连接的记录里没有用户名。您认为这是我的配置有问题,还是因为 HTTPS 经过加密而根本无法记录?如果是后者,是否意味着匿名用户总是可以不经认证地通过代理使用 HTTPS?
这是我的配置:
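# Squid 2.x/3.0-era proxy configuration with Windows-domain authentication
# (winbind's ntlm_auth). Security-relevant lines are commented below.
# The only functional change is the added "http_access deny to_localhost":
# the to_localhost ACL was defined but never referenced by any rule.

# NTLM first, Basic as a fallback. Basic credentials reach the proxy as
# cleartext base64 in the Proxy-Authorization header on port 8080, so the
# listener must only be reachable from the trusted LAN (see "deny !localnet").
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 10
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm MyDomain
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
authenticate_cache_garbage_interval 10 seconds
# Group membership is looked up by the authenticated login (%LOGIN).
# ttl=0 re-queries winbind on every request, so group removals apply at once.
external_acl_type nt_group ttl=0 children=5 %LOGIN /usr/lib/squid/wbinfo_group.pl
acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
# Requests whose destination is the proxy host's own loopback; used by the
# "deny to_localhost" rule below.
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl to_localnet dst 10.0.0.0/8
acl to_localnet dst 172.16.0.0/12
acl to_localnet dst 192.168.0.0/16
# Matches once the client has presented valid credentials; used in a deny
# rule ("deny !loggedUser") it is what triggers the 407 challenge.
acl loggedUser proxy_auth REQUIRED
acl proxyUser external nt_group ProxyUsers
acl proxySuperUser external nt_group ProxySuperUsers
acl allowDomains dstdomain "/etc/squid/allowdomains.txt"
acl pornDomains dstdomain "/etc/squid/porndomains.txt"
acl proxyDomains dstdomain "/etc/squid/webproxydomains.txt"
acl denyDomains dstdomain "/etc/squid/denydomains.txt"
# For CONNECT (HTTPS) the request URL is only "host:port": the dstdomain lists
# above still apply, but a url_regex cannot see paths or content inside the
# encrypted tunnel.
acl denyKeywords url_regex -i "/etc/squid/denykeywords.txt"
acl SSL_ports port 443-444 # https
acl Safe_ports port 80 # http
acl Safe_ports port 20 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT
acl Ftp_ports port 20 21 # ftp
acl Ftp_ports port 1025-65535 # unregistered ports
acl purge method PURGE
acl CONNECT method CONNECT
# Responses carrying Squid's own error pages; X-Squid-Error names the page
# (ERR_CACHE_ACCESS_DENIED is the authentication challenge).
acl authChallenge rep_header X-Squid-Error ERR_CACHE_ACCESS_DENIED
acl authChallenge2 rep_header X-Squid-Error ERR_ACCESS_DENIED
# http_access is evaluated top-down; the first matching rule wins.
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
# Block use of the proxy to reach services bound to the proxy host's loopback
# (cups 631, SWAT 901 and other Safe_ports would otherwise be reachable).
# Upstream-recommended rule; the ACL was previously defined but never used.
http_access deny to_localhost
# Authenticated users may CONNECT to any host on 20/21 or 1025-65535 (passive
# FTP through the proxy). That is an arbitrary TCP tunnel for anyone holding
# domain credentials, and because it precedes "deny !localnet" it is also
# usable from outside the LAN if port 8080 is exposed there.
http_access allow CONNECT Ftp_ports loggedUser
http_access deny CONNECT !SSL_ports
http_access deny !localnet
# The next two allows are evaluated BEFORE authentication is demanded:
# internal (RFC1918) destinations and allow-listed domains, including
# CONNECT/HTTPS to them, are served with no login and so with no username
# ("-") in the access log.
http_access allow to_localnet
http_access allow allowDomains
# From here on a login is required; this rule issues the 407 challenge.
http_access deny !loggedUser
http_access deny pornDomains
http_access allow proxySuperUser
http_access deny proxyDomains
http_access deny denyDomains
http_access deny denyKeywords
http_access allow proxyUser
http_access deny all
icp_access allow localnet
icp_access deny all
# Listens on all interfaces. On a multi-homed host consider binding to the LAN
# address (e.g. 10.x.x.x:8080) rather than relying on "deny !localnet" alone.
http_port 8080
hierarchy_stoplist cgi-bin ?
# %un is the authenticated user name; it is "-" for any request admitted by a
# rule evaluated before "deny !loggedUser".
logformat squid_mysql %ts.%03tu %6tr %>a %Ss %03Hs %<st %rm %ru %un %Sh %<A %mt
access_log /var/log/squid/access.log squid
access_log daemon:/etc/squid/log_mysql_daemon.conf squid_mysql
# Suppress log entries for the challenge/denial responses themselves.
log_access deny authChallenge
log_access deny authChallenge2
logfile_daemon /usr/lib/squid/log_mysql_daemon.pl
# NOTE(review): this value looks mangled by an email-obfuscation filter when
# the page was scraped; restore the real anonymous-FTP contact address.
ftp_user [email protected]
ftp_passive on
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880
refresh_pattern . 0 20% 4320
acl shoutcast rep_header X-HTTP09-First-Line ^ICY.[0-9]
upgrade_http0.9 deny shoutcast
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
extension_methods REPORT MERGE MKACTIVITY CHECKOUT
# Custom error pages, one per deny reason (mapped by deny_info below).
error_directory /var/www/proxy/pages
deny_info ERR_ACL_LOGGED loggedUser
deny_info ERR_ACL_PROXYUSER proxyUser
deny_info ERR_ACL_PORN pornDomains
deny_info ERR_ACL_PROXY proxyDomains
deny_info ERR_ACL_DOMAIN denyDomains
deny_info ERR_ACL_WORDS denyKeywords
hosts_file /etc/hosts
coredump_dir /var/spool/squid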
答案1
HTTPS 的特性决定了代理无法看到 TLS 隧道内部的任何数据(URL 路径、请求头、响应内容)。但隧道的建立过程本身不是加密的:浏览器通过一个明文的 CONNECT 请求让 Squid 建立隧道,这个请求带有目标主机名和端口,并且在代理要求认证时会携带 Proxy-Authorization 头,所以 Squid 完全可以为 HTTPS 请求记录用户名(日志格式中的 %un)。在您的配置里,`http_access allow to_localnet` 和 `http_access allow allowDomains` 排在 `http_access deny !loggedUser` 之前,命中这两条规则的 HTTPS(CONNECT)请求根本没有被要求认证,日志里自然只有 "-";只有到其他目标的 HTTPS 请求才会触发 407 认证挑战并记录用户名。因此匿名用户并不能无条件地使用 HTTPS,只是您显式放行的那些目标是例外。
请参阅此处了解 Squid 如何处理 HTTPS:http://wiki.squid-cache.org/Features/HTTPS