我有一个透明代理,Squid,版本 3.5.20(目前最新稳定版本)我需要进行域名白名单。Squid 配置为执行 SSLBumping(请参阅下面的 squid 配置)
我尝试在位于 squid 透明 NAT 后面的服务器上安装 Sumologic。
问题是 sumologic 无法通过透明 NAT 连接出去。为什么它无法通过应用程序连接,但我可以使用 curl 连接?
当我安装 Sumologic 时,出现以下错误:
javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:394)
at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:353)
at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:141)
at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:353)
at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:380)
at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:184)
at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:88)
at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:184)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:107)
at com.sumologic.scala.collector.rest.RestClient$class.getResponse(RestClient.scala:83)
at com.sumologic.scala.collector.rest.RestClient$class.makeGetRequest(RestClient.scala:68)
at com.sumologic.scala.collector.auth.CollectorRegistrationManager.makeGetRequest(CollectorRegistrationManager.scala:49)
at com.sumologic.scala.collector.rest.RestClient$class.makeRequest(RestClient.scala:119)
at com.sumologic.scala.collector.auth.CollectorRegistrationManager.com$sumologic$scala$collector$rest$RestClientRetries$$super$makeRequest(CollectorRegistrationManager.scala:49)
at com.sumologic.scala.collector.rest.RestClientRetries$$anonfun$makeRequest$1.apply(RestClientRetries.scala:42)
at com.sumologic.scala.collector.rest.RestClientRetries$$anonfun$makeRequest$1.apply(RestClientRetries.scala:35)
at com.sumologic.util.retry.Retry$.whileExceptionsAreThrown(Retry.scala:143)
at com.sumologic.scala.collector.rest.RestClientRetries$$anonfun$withRetries$1.apply(RestClientRetries.scala:23)
at com.sumologic.scala.collector.rest.RestClientRetries$$anonfun$withRetries$1.apply(RestClientRetries.scala:23)
at com.sumologic.scala.collector.rest.RestClientRetries$class.makeRequest(RestClientRetries.scala:35)
at com.sumologic.scala.collector.auth.CollectorRegistrationManager.com$sumologic$scala$collector$rest$RestClientDeploymentRedirection$$super$makeRequest(CollectorRegistrationManager.scala:49)
at com.sumologic.scala.collector.rest.RestClientDeploymentRedirection$class.makeRequest(RestClientDeploymentRedirection.scala:74)
at com.sumologic.scala.collector.auth.CollectorRegistrationManager.makeRequest(CollectorRegistrationManager.scala:49)
at com.sumologic.scala.collector.auth.CollectorRegistrationManager.ping(CollectorRegistrationManager.scala:361)
at com.sumologic.scala.collector.Collector.init(Collector.scala:546)
at com.sumologic.scala.collector.Collector$.main(Collector.scala:831)
at com.sumologic.scala.collector.Collector.main(Collector.scala)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at org.tanukisoftware.wrapper.WrapperSimpleApp.run(WrapperSimpleApp.java:290)
at java.lang.Thread.run(Unknown Source)
Caused by: java.io.EOFException: SSL peer shut down incorrectly
at sun.security.ssl.InputRecord.read(Unknown Source)
... 40 more
如果我打开 powershell 并对 'service.au.sumologic.com' 执行 curl,它就可以工作了......
PS > curl https://service.au.sumologic.com
StatusCode : 200
StatusDescription : OK
Content : <html>
<body>
<h2>Tweep</h2>
</body>
</html>
RawContent : HTTP/1.1 200 OK
Strict-Transport-Security: max-age=15552000
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Connection: keep-alive
Accept-Ranges: byte...
Forms : {}
Headers : {[Strict-Transport-Security, max-age=15552000], [X-Content-Type-Options, nosniff],
[X-Frame-Options, SAMEORIGIN], [X-XSS-Protection, 1; mode=block]...}
Images : {}
InputFields : {}
Links : {}
ParsedHtml : System.__ComObject
RawContentLength : 44
在我的 squid access.log 中我可以看到:
1470638115.212 164 172.26.192.122 TAG_NONE/200 0 CONNECT 54.252.91.36:443 - HIER_NONE/- -
即 service.au.sumologic.com....
我是否遗漏了 Squid 配置中的某些内容?
Squid 配置
visible_hostname squid
http_port 3129 intercept
acl allowed_http_sites dstdomain .amazonaws.com
acl allowed_http_sites dstdomain .newrelic.com
acl allowed_http_sites dstdomain .windowsupdate.com
acl allowed_http_sites dstdomain .microsoft.com
acl allowed_http_sites dstdomain ocsp.comodoca.com
acl allowed_http_sites dstdomain crl.usertrust.com
acl allowed_http_sites dstdomain ocsp.globalsign.com
acl allowed_http_sites dstdomain crl.globalsign.net
http_access allow allowed_http_sites
https_port 3130 ssl-bump intercept connection-auth=off generate-host-certificates=on dynamic_cert_mem_cache_size=8MB cert=/etc/squid/ssl/squid.pem key=/etc/squid/ssl/squid.key c$acl SSL_port port 443
http_access allow SSL_port
acl allowed_https_sites ssl::server_name .amazonaws.com
acl allowed_https_sites ssl::server_name .newrelic.com
acl allowed_https_sites ssl::server_name .microsoft.com
acl allowed_https_sites ssl::server_name .windowsupdate.com
acl allowed_https_sites ssl::server_name .sumologic.com
acl allowed_https_sites ssl::server_name .datadoghq.com
sslproxy_cert_error allow all
acl NoSSLIntercept ssl::server_name_regex -i "/etc/squid/url.nobump"
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
ssl_bump peek step1 all
ssl_bump peek step2 allowed_https_sites
ssl_bump peek step2 NoSSLIntercept
ssl_bump splice step1 NoSSLIntercept
ssl_bump splice step3 allowed_https_sites
ssl_bump terminate step2 all
http_access deny all
答案1
access.log 行是 TCP 连接到达并被接受以开始碰撞过程。
您的 ssl_bump 规则表示在步骤 1 处查看然后在步骤 2 处终止,除非客户端发送了一个 TLS SNI 值,该值包含 allowed_https_sites 或 NoSSLIntercept ACL 之一中的几个白名单服务器名称之一。
看来 Java 应用程序要么不发送 SNI,要么发送未列入白名单的值。当 TLS 失败(由另一个端点终止)时,它也会崩溃。
答案2
检查 selinux 状态
尝试以下命令
getenforce
更改为“允许”