Cannot get Squid to work with Intercept

I have a Squid proxy server and I am trying to add transparency using the intercept feature. Currently the proxy accepts connections and works fine as a standalone proxy for users. However, when I add the intercept parameter to the conf file, it stops working.

I have verified with tcpdump on the proxy server that my iptables rules correctly redirect users to the server. I have also compiled squid with --enable-linux-netfilter, following the instructions on the main squid website. See below.

squid -v

Squid Cache: Version 3.3.4
configure options:  '--sbindir=/usr/sbin' '--bindir=/usr/bin' '--includedir=/usr/include' '--libdir=/usr/lib' '--enable-linux-netfilter' '--enable-inline' '--enable-ssl' '--enable-ssl-crtd' '--enable-async-io=8' '--enable-storeio=ufs,aufs,diskd' '--enable-removal-policies=lru,heap' '--enable-delay-pools' '--enable-cache-digests' '--enable-underscores' '--enable-icap-client' '--enable-follow-x-forwarded-for' '--enable-auth' '--enable-basic-auth-helpers=LDAP,MSNT,NCSA,PAM,SASL,SMB,YP,DB,POP3,getpwnam,squid_radius_auth,multi-domain-NTLM' '--enable-ntlm-auth-helpers=smb_lm,' '--enable-digest-auth-helpers=ldap,password' '--enable-negotiate-auth-helpers=squid_kerb_auth' '--enable-external-acl-helpers=session' '--enable-arp-acl' '--enable-esi' '--enable-zph-qos' '--enable-wccpv2' '--disable-translation' '--with-logdir=/var/log/squid3' '--with-pidfile=/var/run/squid3.pid' '--with-filedescriptors=65536' '--with-large-files' '--with-default-user=proxy' '--with-open-ssl=/usr/lib/ssl/openssl.cnf' --enable-ltdl-convenience

In my squid.conf file:

acl network src 10.0.0.0/24
#port connections
acl Safe_ports port 80          # http
acl Safe_ports port 8080
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl SSL_ports port 443
acl SSL method CONNECT
acl CONNECT method CONNECT

http_access allow network
# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# And finally deny all other access to this proxy
http_access deny all

#proxy port
http_port 10.0.1.5:3128

#intercept bind address
http_port 10.0.1.5:8080 intercept

...omitted...

I have two ports, 3128 and 8080. 8080 is set up to accept transparent connections with the intercept parameter. The reason is migration.

So I am a bit confused by this issue, since I have the correct compile options and the HTTP requests are correctly redirected by the iptables firewall.

Is there something wrong with my ACLs?

Thank you,

Jim

Added iptables rule: eth0 is the public interface

-A PREROUTING -s 10.0.0.0/24 ! -d 10.0.1.5/32 -p tcp -m tcp --dport 80 -m comment --comment "Redirect HTTP from Internal Network to SquidProxy Server" -j DNAT --to-destination 10.0.1.5:8080

This way, any source IP not going directly to 10.0.1.5:80 will be redirected to the proxy server at 10.0.1.5:8080.

Below is the syslog output with the -d flag set for Squid:

May 14 16:20:40 squidproxy squid[22071]: Starting Squid Cache version 3.3.4 for x86_64-unknown-linux-gnu...
May 14 16:20:40 squidproxy squid[22071]: Process ID 22071
May 14 16:20:40 squidproxy squid[22071]: Process Roles: master worker
May 14 16:20:40 squidproxy squid[22071]: With 65536 file descriptors available
May 14 16:20:40 squidproxy squid[22071]: Initializing IP Cache...
May 14 16:20:40 squidproxy squid[22071]: DNS Socket created at [::], FD 6
May 14 16:20:40 squidproxy squid[22071]: DNS Socket created at 0.0.0.0, FD 7
May 14 16:20:40 squidproxy squid[22071]: Adding nameserver 10.0.1.3 from squid.conf
May 14 16:20:40 squidproxy squid[22071]: helperOpenServers: Starting 1/1 'ext_session_acl' processes
May 14 16:20:40 squidproxy squid[22071]: Logfile: opening log /var/log/squid3/access.log
May 14 16:20:40 squidproxy squid[22071]: WARNING: log parameters now start with a module name. Use 'stdio:/var/log/squid3/access.log'
May 14 16:20:40 squidproxy squid[22071]: Unlinkd pipe opened on FD 14
May 14 16:20:40 squidproxy squid[22071]: Local cache digest enabled; rebuild/rewrite every 3600/3600 sec
May 14 16:20:40 squidproxy squid[22071]: Logfile: opening log /var/log/squid3/store.log
May 14 16:20:40 squidproxy squid[22071]: WARNING: log parameters now start with a module name. Use 'stdio:/var/log/squid3/store.log'
May 14 16:20:40 squidproxy squid[22071]: Swap maxSize 2097152 + 1048576 KB, estimated 241979 objects
May 14 16:20:40 squidproxy squid[22071]: Target number of buckets: 12098
May 14 16:20:40 squidproxy squid[22071]: Using 16384 Store buckets
May 14 16:20:40 squidproxy squid[22071]: Max Mem  size: 1048576 KB
May 14 16:20:40 squidproxy squid[22071]: Max Swap size: 2097152 KB
May 14 16:20:40 squidproxy squid[22071]: Rebuilding storage in /home/user/squidcache/ (dirty log)
May 14 16:20:40 squidproxy squid[22071]: Using Least Load store dir selection
May 14 16:20:40 squidproxy squid[22071]: Current Directory is /root
May 14 16:20:40 squidproxy squid[22071]: Loaded Icons.
May 14 16:20:40 squidproxy squid[22071]: HTCP Disabled.
May 14 16:20:40 squidproxy squid[22071]: Squid plugin modules loaded: 0
May 14 16:20:40 squidproxy squid[22071]: Adaptation support is off.
May 14 16:20:40 squidproxy squid[22071]: Accepting HTTP Socket connections at local=10.0.1.5:3128 remote=[::] FD 18 flags=9
May 14 16:20:40 squidproxy squid[22071]: Accepting NAT intercepted HTTP Socket connections at local=10.0.1.5:8080 remote=[::] FD 19 flags=41
May 14 16:20:40 squidproxy squid[22071]: Done reading /home/user/squidcache/ swaplog (348 entries)
May 14 16:20:40 squidproxy squid[22071]: Finished rebuilding storage from disk.
May 14 16:20:40 squidproxy squid[22071]:       343 Entries scanned
May 14 16:20:40 squidproxy squid[22071]:         0 Invalid entries.
May 14 16:20:40 squidproxy squid[22071]:         0 With invalid flags.
May 14 16:20:40 squidproxy squid[22071]:       338 Objects loaded.
May 14 16:20:40 squidproxy squid[22071]:         0 Objects expired.
May 14 16:20:40 squidproxy squid[22071]:         5 Objects cancelled.
May 14 16:20:40 squidproxy squid[22071]:         0 Duplicate URLs purged.
May 14 16:20:40 squidproxy squid[22071]:         0 Swapfile clashes avoided.
May 14 16:20:40 squidproxy squid[22071]:   Took 0.02 seconds (14687.35 objects/sec).
May 14 16:20:40 squidproxy squid[22071]: Beginning Validation Procedure
May 14 16:20:40 squidproxy squid[22071]:   Completed Validation Procedure
May 14 16:20:40 squidproxy squid[22071]:   Validated 338 Entries
May 14 16:20:40 squidproxy squid[22071]:   store_swap_size = 4312.00 KB
May 14 16:20:41 squidproxy squid[22071]: storeLateRelease: released 0 objects

Just got these in the log:

NF getsockopt(SO_ORIGINAL_DST) failed on local=10.0.1.5:8080 remote=10.0.0.231:49650 FD 31 flags=33: (92) Protocol not available
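Squid's intercept mode recovers the client's original destination with a conntrack lookup (SO_ORIGINAL_DST) on the host where Squid itself runs, so the error quoted above is what you see when that host has no NAT entry for the connection, for example when the DNAT is performed only on the gateway. The triage script below is an added example, not code from the post or from the Squid project: it correlates such cache.log lines with this host's own `iptables-save -t nat` output; the log lines beyond the two quoted above and both nat dumps are constructed samples.

```python
import re

# Constructed sample: two lines quoted in the question plus one added client line.
SAMPLE_LOG = """\
May 14 16:20:40 squidproxy squid[22071]: Accepting NAT intercepted HTTP Socket connections at local=10.0.1.5:8080 remote=[::] FD 19 flags=41
May 14 16:21:02 squidproxy squid[22071]: NF getsockopt(SO_ORIGINAL_DST) failed on local=10.0.1.5:8080 remote=10.0.0.231:49650 FD 31 flags=33: (92) Protocol not available
May 14 16:21:05 squidproxy squid[22071]: NF getsockopt(SO_ORIGINAL_DST) failed on local=10.0.1.5:8080 remote=10.0.0.77:51200 FD 32 flags=33: (92) Protocol not available
"""
# Constructed `iptables-save -t nat` output as seen ON THE SQUID HOST (hypothetical).
# Case A: the DNAT lives only on the gateway, so this host has no NAT rule of its own.
NAT_ON_GATEWAY_ONLY = """\
*nat
:PREROUTING ACCEPT [0:0]
COMMIT
"""
# Case B: the Squid host itself redirects port 80 to the intercept port.
NAT_ON_SQUID_HOST = """\
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -s 10.0.0.0/24 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
COMMIT
"""

FAIL_RE = re.compile(
    r"NF getsockopt\(SO_ORIGINAL_DST\) failed on local=[\d.]+:(?P<lport>\d+) "
    r"remote=(?P<rip>[\d.]+):\d+")
RULE_RE = re.compile(
    r"^-A PREROUTING .*--dport 80 .*-j (?:REDIRECT --to-ports (?P<rport>\d+)"
    r"|DNAT --to-destination [\d.]+:(?P<dport>\d+))")

def failed_intercepts(log_text):
    """Map each intercept port with SO_ORIGINAL_DST failures to the client IPs affected."""
    ports = {}
    for m in FAIL_RE.finditer(log_text):
        ports.setdefault(m["lport"], set()).add(m["rip"])
    return ports

def local_redirect_ports(nat_text):
    """Ports to which this host's own nat PREROUTING chain sends port-80 traffic."""
    return {m["rport"] or m["dport"]
            for m in map(RULE_RE.match, nat_text.splitlines()) if m}

def diagnose(log_text, nat_text):
    """SO_ORIGINAL_DST is a conntrack lookup on the Squid host, so every failing
    intercept port needs a matching NAT rule here, not only on the gateway."""
    local = local_redirect_ports(nat_text)
    return {port: {"clients": sorted(clients), "nat_on_this_host": port in local}
            for port, clients in failed_intercepts(log_text).items()}

if __name__ == "__main__":
    for nat in (NAT_ON_GATEWAY_ONLY, NAT_ON_SQUID_HOST):
        print(diagnose(SAMPLE_LOG, nat))
```

Run it on the real cache.log and `iptables-save -t nat` from the proxy host; a failing port reported with nat_on_this_host False means the redirect to 8080 is happening somewhere other than the machine running Squid.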
