我正在尝试运行代理服务器虚拟设备在透明代理中使用 SSL Bump,但无论如何都无法让它工作。我一直收到来自 Squid(版本 3.3.8)的“无效 URL”错误。
Squid 配置如下
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost
http_access deny all
include "/opt/qlproxy/etc/squid/squid.acl"
http_port 3128
http_port 3129 intercept
http_port 3130 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/opt/qlproxy/etc/myca.pem
acl mylocalnet src 0.0.0.0/0.0.0.0
http_access allow mylocalnet
sslcrtd_program /usr/lib/squid3/ssl_crtd -s /var/spool/squid3_ssldb -M 4MB
forward_max_tries 25
cache_mem 1024 MB
maximum_object_size_in_memory 1024 KB
coredump_dir /var/spool/squid3
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880
refresh_pattern . 0 20% 4320
shutdown_lifetime 3 seconds
visible_hostname qlproxy
always_direct allow all
icap_enable on
icap_service_failure_limit -1
icap_preview_enable on
icap_persistent_connections on
adaptation_send_client_ip on
adaptation_send_username on
icap_service qlproxy1 reqmod_precache icap://127.0.0.1:1344/reqmod bypass=0
icap_service qlproxy2 respmod_precache icap://127.0.0.1:1344/respmod bypass=0
acl qlproxy_icap_edomains dstdomain "/opt/qlproxy/etc/squid/icap_exclusions_domains.conf"
acl qlproxy_icap_etypes rep_mime_type "/opt/qlproxy/etc/squid/icap_exclusions_contenttypes.conf"
adaptation_access qlproxy1 deny qlproxy_icap_edomains
adaptation_access qlproxy2 deny qlproxy_icap_edomains
adaptation_access qlproxy2 deny qlproxy_icap_etypes
acl icap_bypass_to_localnet dst 10.0.0.0/8 # RFC1918 possible internal network
acl icap_bypass_to_localnet dst 172.16.0.0/12 # RFC1918 possible internal network
acl icap_bypass_to_localnet dst 192.168.0.0/16 # RFC1918 possible internal network
adaptation_access qlproxy1 deny icap_bypass_to_localnet
adaptation_access qlproxy2 deny icap_bypass_to_localnet
adaptation_access qlproxy1 allow all
adaptation_access qlproxy2 allow all
dns_nameservers 8.8.8.8 4.2.2.2
dns_v4_first on
防火墙上有一个 NAT 规则,将所有发往端口 80、443 TCP 的流量设置为 dst-nat,以转发到端口 3128 上的代理服务器。
有人能发现我哪里出错了吗?
编辑:值得注意的是,我正尝试使用代理上的单个 NIC 来执行此操作。 Web 流量通过 MikroTik(用作主防火墙)上的 NAT 规则重定向到代理,然后从代理转到互联网。
答案1
如果您使用基于策略的路由将流量传输到代理服务器,则类似下面的操作会将 HTTP 和 HTTPS 流量重定向到正确的 squid 端口:
iptables -t nat -A PREROUTING -p tcp --dport 80 -i eth0 -j DNAT --to 127.0.0.1:3129
iptables -t nat -A PREROUTING -p tcp --dport 443 -i eth0 -j DNAT --to 127.0.0.1:3130
如果您想要保留客户端的原始 IP 地址以供 squid 进行过滤,而不是让所有流量的 src 看起来都是路由器的 IP,那么您将需要如下规则:
iptables -t nat -A PREROUTING -s 127.0.0.1:3129 -p tcp --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 127.0.0.1:3129
iptables -t nat -A PREROUTING -s 127.0.0.1:3129 -p tcp --dport 443 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 127.0.0.1:3130
iptables -t nat -A POSTROUTING -j MASQUERADE
iptables -t mangle -A PREROUTING -p tcp --dport 127.0.0.1:3129 -j DROP
我不确定最后一种方法与基于策略的 squid 路由配合得如何。我只测试了通过 DHCP 将 squid 配置为网络网关的情况。
答案2
在 iptables 中,你需要将 HTTP 流量重定向到 squid截距端口,而不是标准代理端口。您还需要将 HTTPS 流量重定向到拦截 SSL 碰撞港口。