Edit: this turned out to be some internal rules of the FW. Sorry for the inconvenience, and thanks for your suggestions.
I have a Squid server (2.7.STABLE9) on Debian (Wheezy 7.1), and I added Apache2 (2.2.22) to serve a PAC file to all my users.
Both are set up and running, but I cannot fetch the pac file unless I am already connected to the Squid server (it only works when I use a local PAC file with FoxyProxy).
In fact, when I set up FoxyProxy for my proxy with a local copy of the pac file, I can download the pac file if I request the server's IP address in the browser. But if I have no proxy set in the browser, I get an error (e.g. ERR_CONNECTION_REFUSED on Chrome).
Here is my /etc/squid/squid.conf
#################### SQUID CONF FILE
#################### Version 2.7.STABLE9
########################################
# AUTHENTICATE
#See http://wiki.squid-cache.org/ConfigExamples/Authenticate/
## NTLM Authentication
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 5
auth_param ntlm keep_alive on
# See http://www.odrakir.com/blog/2009/11/19/integrating-squid-with-active-directory/
external_acl_type ADS %LOGIN /usr/lib/squid/wbinfo_group.pl
########################################
# SECURITY
forwarded_for off # Hide client IP (no X-Forwarded-For)
httpd_suppress_version_string on # Hide squid version
#chroot on # Chroot squid daemon
debug_options ALL,1
########################################
# Access List
#Global:
acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl SSL_ports port 443 # HTTPS
acl Safe_ports port 80 8080 # HTTP(s)
acl purge method PURGE
acl CONNECT method CONNECT
acl my_lab src 172.30.24.0/24
# authentication
acl ntlm proxy_auth REQUIRED
acl user_group external ADS my_user
########################################
# HTTP_ACCESS
# Default HTTP Access
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access allow localnet
http_access allow localhost
# Hack for no popups (See: http://wiki.squid-cache.org/Features/Authentication#How_do_I_prevent_Login_Popups.3F )
http_access deny !ntlm all
# Check user come from right OU from AD
http_access deny !user_group all
# Allow subnet access with HTTP ports
http_access allow my_lab Safe_ports all
# No Connect method on other port than 443
http_access deny CONNECT !SSL_ports
# Last but not least!
http_access deny all
########################################
# HEADER_ACCESS
# http_anonymizer paranoid, see http://www.foo.be/scripts/anonymizer/squid.conf
via off # RFC2616 HTTP header Via
forwarded_for off
# return fail on some website
#header_access Allow allow all
#header_access Authorization allow all
#header_access WWW-Authenticate allow all
#header_access Proxy-Authorization allow all
#header_access Proxy-Authenticate allow all
#header_access Cache-Control allow all
#header_access Content-Encoding allow all
#header_access Content-Length allow all
#header_access Content-Type allow all
#header_access Date allow all
#header_access Expires allow all
#header_access Host allow all
#header_access If-Modified-Since allow all
#header_access Last-Modified allow all
#header_access Location allow all
#header_access Pragma allow all
#header_access Accept allow all
#header_access Accept-Charset allow all
#header_access Accept-Encoding allow all
#header_access Accept-Language allow all
#header_access Content-Language allow all
#header_access Mime-Version allow all
#header_access Retry-After allow all
#header_access Title allow all
#header_access Connection allow all
#header_access Proxy-Connection allow all
#header_access Referer allow all
#header_access All deny all
########################################
# ICP_ACCESS
icp_access allow localnet
icp_access deny all
########################################
# GLOBAL SQUID CONF (port, cache, ...)
http_port 3128
icp_port 0 # 0 to disable
htcp_port 0 # Same...
cache_mem 80 MB
cache_effective_group winbindd_priv
hierarchy_stoplist cgi-bin ?
access_log /var/log/squid/access.log squid
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880
refresh_pattern . 0 20% 4320
acl shoutcast rep_header X-HTTP09-First-Line ^ICY.[0-9]
upgrade_http0.9 deny shoutcast
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
extension_methods REPORT MERGE MKACTIVITY CHECKOUT
hosts_file /etc/hosts
coredump_dir /var/spool/squid
cache_dir ufs /var/spool/squid 500 16 256
and /etc/apache2/sites-available/proxy
NameVirtualHost *:80
<VirtualHost 172.30.10.113:80 127.0.0.1:80>
ServerAdmin [email protected]
DocumentRoot /var/www/pac
DirectoryIndex proxy.pac
<Directory /var/www/pac/>
ForceType application/x-ns-proxy-autoconfig
Options -Indexes -FollowSymLinks -MultiViews -ExecCGI
Order allow,deny
Allow from all
RedirectMatch ^/$ /proxy.pac
</Directory>
# <LimitExcept GET>
# Require ip 10.0.0.0 172.16.0.0 192.168.0.0
# </LimitExcept>
ErrorLog ${APACHE_LOG_DIR}/error.log
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
and /var/www/pac/proxy.pac
function FindProxyForURL(url, host)
{
// Let them go home !!
// Match on host: the url always begins with its scheme, so "localhost*" can never match the full url
if (shExpMatch(host, "localhost*") || isInNet(host, "127.0.0.1", "255.255.255.255"))
return "DIRECT";
// See https://support.mozilla.org/sv/questions/804868#answer-166476
// Internal name does not resolve: we are off-site, go direct
else if (!dnsResolve('my.domain.fr'))
return "DIRECT";
else
return "PROXY 172.30.10.113:3128";
}
I have already seen this, but he uses Squid3 options in the config file.
Edit
Also, there is no iptables on the server. Maybe I just need an iptables redirect from ip:3128 to ip:80?
Thanks for your help or any suggestions.
Answer 1
Not sure whether this is just a cut-and-paste error, but I read:
ForceType applivation/x-ns-proxy-autoconfig
should be:
ForceType application/x-ns-proxy-autoconfig
The other thing I find missing is the subnet exclusion in the pac file; I would add this to the first check:
isInNet(dnsResolve(host), "172.30.10.0", "255.255.255.0")
To simplify the setup, you could implement proxy auto-discovery: it is a simple configuration that should remove the need for any client configuration and hopefully solve all the problems.
Regardless of the above, I would remove any rewriting from your pac site (default page & RedirectMatch): access to the pac file is an automated process (no user browses the file) and needs no rewrite or redirect, which only adds a layer of uncertainty to any debugging activity, and that is not a good thing.
Maybe once the redirect is removed the actual problem/error will finally be written to some log file.
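The following is an added example, not code from the question or the answer: the PAC logic from the post with the answer's subnet exclusion folded into the first check, plus minimal stand-ins for the PAC helper functions (dnsResolve, shExpMatch, isInNet) so the file can be exercised with Node instead of a browser. The DNS table is constructed; the hostnames in it are placeholders. It also makes one property of the posted file explicit: when the internal name does not resolve the client goes DIRECT, so an off-site or mis-resolving client bypasses the proxy by design, which matters if the proxy is what enforces web policy.

```javascript
// Added example (not from the original question or answer). PAC logic from the
// post, with the answer's exclusion of the proxy's own /24, plus stand-ins for
// the PAC helpers so it runs under Node. Everything in FAKE_DNS is constructed.

// Constructed resolver table. A name absent from it "does not resolve",
// which is what happens to the internal name when a laptop is off-site.
const FAKE_DNS = {
  "localhost": "127.0.0.1",
  "my.domain.fr": "172.30.10.1",
  "intranet.my.domain.fr": "172.30.10.50",
  "www.example.com": "93.184.216.34",
};

const IPV4 = /^\d{1,3}(\.\d{1,3}){3}$/;

function dnsResolve(host) {
  // Browsers return the IP string, or null when resolution fails;
  // an IP literal resolves to itself.
  if (typeof host !== "string") return null;
  if (IPV4.test(host)) return host;
  const ip = FAKE_DNS[host];
  return ip === undefined ? null : ip;
}

function shExpMatch(str, shexp) {
  // Shell-glob matcher as PAC defines it: anchored at both ends, '*' and '?' only.
  const re = "^" + shexp.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                        .replace(/\*/g, ".*")
                        .replace(/\?/g, ".") + "$";
  return new RegExp(re).test(str);
}

function ipToInt(ip) {
  return ip.split(".").reduce((acc, o) => (acc << 8) + parseInt(o, 10), 0) >>> 0;
}

function isInNet(ipOrHost, pattern, mask) {
  // PAC isInNet resolves a hostname first; a null (failed lookup) is never "in net".
  if (!ipOrHost) return false;
  const ip = dnsResolve(ipOrHost);
  if (!ip) return false;
  const m = ipToInt(mask);
  return (ipToInt(ip) & m) === (ipToInt(pattern) & m);
}

function FindProxyForURL(url, host) {
  // Loopback, and anything on the proxy's own subnet (the answer's
  // suggested exclusion), go direct so the pac server never proxies itself.
  if (shExpMatch(host, "localhost*") ||
      isInNet(host, "127.0.0.1", "255.255.255.255") ||
      isInNet(dnsResolve(host), "172.30.10.0", "255.255.255.0"))
    return "DIRECT";
  // Internal name does not resolve: off-site, fail open to DIRECT (as in the post).
  if (!dnsResolve("my.domain.fr"))
    return "DIRECT";
  return "PROXY 172.30.10.113:3128";
}

// Stand-alone check: which decision each constructed host gets.
for (const h of ["localhost", "172.30.10.113", "intranet.my.domain.fr", "www.example.com"])
  console.log(h, "->", FindProxyForURL("http://" + h + "/", h));
```

Running it prints DIRECT for localhost, for the pac server's own address and for the intranet host that resolves into 172.30.10.0/24, and the PROXY line for the external host; removing my.domain.fr from the table switches the external host to DIRECT as well, which is the fail-open path worth knowing about before relying on the proxy for enforcement.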