Squid does not load web pages correctly

I am trying to configure my VPS server as a simple HTTP proxy. I installed Squid 3.3.8 on CentOS 7.1.1503 and configured basic authentication with ncsa_auth. Although the whole setup seems to be working, and I can successfully connect to my proxy from another PC, I am now facing a problem with web pages loading. For example, when I try to open http://mirrors.liquidweb.com/, the page does not load correctly: Firefox loads only half of it, and then I see the message "Transferring data from liquidweb.com" for a while. Then it disappears with no result: the page still appears half loaded. I did some research on this problem, but the only solutions I could find were related to DNS issues. This does not seem to be a DNS-related problem, and adding the dns_v4_first on option to my squid config did not change anything either. I want to point out specifically that this is not a website- or browser-related problem, because it appears in every browser I try to open the site with, and disabling the proxy in the browser settings fixes the problem immediately. It also does not seem to be an ISP-related problem, since I can download files through this proxy at an average of about 50 Mbps. My squid.conf and a screenshot of the page that does not load correctly are below; thanks in advance for any guesses!

auth_param basic program /usr/lib64/squid/basic_ncsa_auth /etc/squid/passwd
auth_param basic children 5
auth_param basic realm liproxy
auth_param basic credentialsttl 2 hours

#acl localnet src 10.0.0.0/8    # RFC1918 possible internal network
#acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
#acl localnet src 192.168.0.0/16    # RFC1918 possible internal network
#acl localnet src fc00::/7       # RFC 4193 local private network range
#acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80          # http
#acl Safe_ports port 21         # ftp
acl Safe_ports port 443         # https
#acl Safe_ports port 70         # gopher
#acl Safe_ports port 210        # wais
#acl Safe_ports port 1025-65535     # unregistered ports
#acl Safe_ports port 280        # http-mgmt
#acl Safe_ports port 488        # gss-http
#acl Safe_ports port 591        # filemaker
#acl Safe_ports port 777        # multiling http
acl CONNECT method CONNECT

http_access deny !Safe_ports

http_access deny CONNECT !SSL_ports

http_access allow localhost manager
http_access deny manager

#http_access deny to_localhost

acl ncsaauth proxy_auth REQUIRED
http_access allow ncsaauth
dns_v4_first on

http_access deny all

http_port 0.0.0.0:3128

#cache_dir ufs /var/spool/squid 100 16 256

coredump_dir /var/spool/squid

refresh_pattern ^ftp:       1440    20% 10080
refresh_pattern ^gopher:    1440    0%  1440
refresh_pattern -i (/cgi-bin/|\?) 0 0%  0
refresh_pattern .       0   20% 4320

etc/sysconfig/iptables

*filter

# Allows all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT

# Accepts all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allows all outbound traffic
# You could modify this to only allow certain traffic
-A OUTPUT -j ACCEPT

-A INPUT -p tcp --dport 3128 -j ACCEPT

# Allows SSH connections 
# The --dport number is the same as in /etc/ssh/sshd_config
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT

# Now you should read up on iptables rules and consider whether ssh access 
# for everyone is really desired. Most likely you will only allow access from certain IPs.

# Allow ping
#  note that blocking other types of icmp packets is considered a bad idea by some
#  remove -m icmp --icmp-type 8 from this line to allow all kinds of icmp:
#  https://security.stackexchange.com/questions/22711
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT

# log iptables denied calls (access via 'dmesg' command)
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

# Reject all other inbound - default deny unless explicitly allowed policy:
-A INPUT -j REJECT
-A FORWARD -j REJECT

COMMIT

[screenshot: the half-loaded web page, not reproduced here]

Answer 1

You copied the firewall from somewhere on the internet, but evidently did not fully read and understand it.

Consider this section:

# Allow ping
#  note that blocking other types of icmp packets is considered a bad idea by some
#  remove -m icmp --icmp-type 8 from this line to allow all kinds of icmp:
#  https://security.stackexchange.com/questions/22711
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT

One reason that blocking all ICMP is a "bad idea" is that you also block responses such as "fragmentation needed", which are required for Path MTU Discovery to work. When that does not work, you get hanging web pages, stalled downloads and so on.

To fix this, you should remove the part the comment tells you to remove.

Better still, drop this firewall entirely and go back to the firewalld system that ships with CentOS 7. It will set up a proper firewall without all these traps for the unwary.
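To see what the answer is pointing at, here is an added example (my own code, not part of the question or the answer): a small first-match simulator for the INPUT chain in iptables-save syntax. It replays constructed packets through the ruleset posted in the question (embedded inline so it runs offline), shows which ICMP messages fall through to the final REJECT, and then applies the answer's fix. The packet addresses are constructed (TEST-NET-3), the conntrack state is supplied per packet rather than computed, and the narrower "accept only ICMP types 3, 11 and 8" variant is my own alternative, not something the page proposes.

```python
"""Added example, not from the original question or answer: a first-match
simulator for an iptables-save style INPUT chain.  Packets, addresses and the
narrow-fix variant are constructed assumptions; the ruleset is the one posted."""
import ipaddress
import shlex
from dataclasses import dataclass
from typing import Optional

# The -A rules from the question's posted iptables file, reproduced verbatim.
RULESET = """
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -j ACCEPT
-A INPUT -p tcp --dport 3128 -j ACCEPT
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -j REJECT
-A FORWARD -j REJECT
"""


@dataclass
class Packet:
    proto: str                     # "tcp" or "icmp"
    iface: str = "eth0"            # ingress interface
    dst: str = "203.0.113.10"      # constructed VPS address (TEST-NET-3)
    dport: Optional[int] = None
    icmp_type: Optional[int] = None
    state: str = "NEW"             # conntrack state assumed for this packet


@dataclass
class Rule:
    chain: str
    target: str = ""
    iface: Optional[str] = None
    iface_negated: bool = False
    dst_net: Optional[ipaddress.IPv4Network] = None
    proto: Optional[str] = None
    dport: Optional[int] = None
    icmp_type: Optional[int] = None
    states: Optional[set] = None


# Option -> setter for the subset of iptables syntax the posted file uses.
SETTERS = {
    "-d": lambda r, v: setattr(r, "dst_net", ipaddress.ip_network(v)),
    "-p": lambda r, v: setattr(r, "proto", v),
    "--dport": lambda r, v: setattr(r, "dport", int(v)),
    "--icmp-type": lambda r, v: setattr(r, "icmp_type", int(v)),
    "--state": lambda r, v: setattr(r, "states", set(v.split(","))),
    "-j": lambda r, v: setattr(r, "target", v),
}
IGNORED = {"-m", "--limit", "--log-prefix", "--log-level"}  # match names, LOG options


def parse_rules(text: str) -> list:
    rules = []
    for line in text.splitlines():
        toks = shlex.split(line.strip())
        if len(toks) < 2 or toks[0] != "-A":
            continue
        r, i, negate = Rule(chain=toks[1]), 2, False
        while i < len(toks):
            t = toks[i]
            if t == "!":                       # negation applies to the next match
                negate, i = True, i + 1
                continue
            if t == "-i":
                r.iface, r.iface_negated = toks[i + 1], negate
            elif t in SETTERS:
                SETTERS[t](r, toks[i + 1])
            elif t not in IGNORED:
                raise ValueError(f"unsupported option {t!r} in: {line}")
            negate, i = False, i + 2
        rules.append(r)
    return rules


def matches(r: Rule, p: Packet) -> bool:
    return not (
        (r.iface is not None and (p.iface == r.iface) == r.iface_negated)
        or (r.dst_net is not None and ipaddress.ip_address(p.dst) not in r.dst_net)
        or (r.proto is not None and p.proto != r.proto)
        or (r.dport is not None and p.dport != r.dport)
        or (r.icmp_type is not None and p.icmp_type != r.icmp_type)
        or (r.states is not None and p.state not in r.states)
    )


def verdict(text: str, p: Packet, chain: str = "INPUT", policy: str = "ACCEPT") -> str:
    """First matching terminating target wins; LOG only logs and falls through."""
    for r in parse_rules(text):
        if r.chain == chain and matches(r, p) and r.target != "LOG":
            return r.target
    return policy


ICMP_RULE = "-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT"


def apply_answer_fix(text: str) -> str:
    """The answer's fix: drop the type match so every ICMP type is accepted."""
    return text.replace(ICMP_RULE, "-A INPUT -p icmp -j ACCEPT")


def apply_narrow_fix(text: str) -> str:
    """Narrower alternative (my assumption): accept only destination-unreachable
    (type 3, which carries fragmentation-needed as code 4), time-exceeded (11)
    and echo-request (8) rather than all ICMP."""
    new = "\n".join(f"-A INPUT -p icmp -m icmp --icmp-type {t} -j ACCEPT" for t in (3, 11, 8))
    return text.replace(ICMP_RULE, new)


if __name__ == "__main__":
    for label, rules in (("posted", RULESET), ("answer fix", apply_answer_fix(RULESET)),
                         ("narrow fix", apply_narrow_fix(RULESET))):
        print(f"{label:>10}: frag-needed NEW -> {verdict(rules, Packet('icmp', icmp_type=3))}, "
              f"frag-needed RELATED -> {verdict(rules, Packet('icmp', icmp_type=3, state='RELATED'))}")
```

Running it shows why rule order and conntrack state matter: an ICMP type 3 message that the kernel has tied to a tracked flow (state RELATED) is accepted by the earlier ESTABLISHED,RELATED rule, while one the kernel could not associate with a flow (state NEW) matches nothing but the final REJECT in the posted ruleset, which is the failure the answer describes. Both fixes make the NEW case ACCEPT; the narrow variant still rejects ICMP types the proxy has no use for.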
