Squid 日志中 HTTPS 的反向 DNS 查找问题

Squid 日志中 HTTPS 的反向 DNS 查找问题

我在使用 squid 进行反向 DNS 查找时遇到问题,我使用 wccp 将 https 连接重定向到 squid 代理服务器。我还使用 squidguard 进行内容过滤。当 https 流量到达代理时,它已经经过了 DNS 查找过程并且是 https,所以我看不到 SNI 信息。因此服务器只能看到站点的 IP 地址。这导致内容过滤器的黑名单出现问题,因为它使用 fqdn。有没有人有设置 squid 以允许反向查找 https 流量的经验?我不想使用 MITM。

日志

1510234383.852  10522 x.x.100.21 TCP_TUNNEL/200 145 CONNECT x.x.x.x:443 - ORIGINAL_DST/x.x.x.x 
1510234383.852  10571 x.x.100.21 TCP_TUNNEL/200 145 CONNECT x.x.x.x:443 - ORIGINAL_DST/x.x.x.x -
1510234383.852  10639 x.x.100.21 TCP_TUNNEL/200 145 CONNECT x.x.x.x:443 - ORIGINAL_DST/x.x.x.x -
1510234383.959    106 x.x.100.21 TCP_TUNNEL/200 482 CONNECT x.x.x.x:443 - ORIGINAL_DST/x.x.x.x -
1510234384.358    268 x.x.100.21 TCP_TUNNEL/200 5195 CONNECT x.x.x.x:443 - ORIGINAL_DST/x.x.x.x -
1510234384.421   5482 x.x.100.21 TCP_TUNNEL/200 780 CONNECT x.x.x.x:443 - ORIGINAL_DST/x.x.x.x -
1510234386.893     25 x.x.100.21 TAG_NONE/503 0 CONNECT x.x.x.x:443 - HIER_NONE/- -
1510234386.893     25 x.x.100.21 TAG_NONE/503 0 CONNECT x.x.x.x:443 - HIER_NONE/- -
1510234386.893     25 x.x.100.21 TAG_NONE/503 0 CONNECT x.x.x.x:443 - HIER_NONE/- -
1510234386.963    108 x.x.100.21 TCP_TUNNEL/200 482 CONNECT x.x.x.x:443 - ORIGINAL_DST/x.x.x.x -
1510234387.942  10081 x.x.100.21 TCP_TUNNEL/200 3573 CONNECT x.x.x.x:443 - ORIGINAL_DST/x.x.x.x -
1510234387.978  10117 x.x.100.21 TCP_TUNNEL/200 156 CONNECT x.x.x.x:443 - ORIGINAL_DST/x.x.x.x -

配置

# squid.conf excerpt as posted in the question (addresses redacted by the author).
# NOTE(review): http_access rules are evaluated top-down and the first match wins,
# so the ordering in this block is load-bearing.
acl localnet src x.x.x.x/8     # RFC1918 possible internal network
acl localnet src x.x.x.x/12  # RFC1918 possible internal network
acl localnet src x.x.x.x/16 # RFC1918 possible internal network
acl localnet src xxxx::/7       # RFC 4193 local private network range
acl localnet src xxxx::/10      # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

# Port restrictions come before the localnet allow, so the intercepted CONNECT
# requests seen in the log can only target SSL_ports (443).
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost
http_access deny all

# Explicit (forward-proxy) listener.
http_port 3128

# Plain-HTTP interception, redirected by the router via WCCP standard service 0.
http_port 8080 intercept
wccp2_router x.x.120.254
wccp2_forwarding_method gre
wccp2_return_method gre
wccp2_service standard 0
#
# HTTPS interception listener. generate-host-certificates and the sslcrtd lines
# below only come into play for connections that are actually bumped; with
# "ssl_bump none all" nothing is bumped, so they are presumably unused here.
https_port 8081 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/opt/squid_certs/proxyCAnew.pem
# NOTE(review): "none" turns the connection into a TCP tunnel at step 1, before the
# TLS ClientHello is parsed, so no SNI ever reaches the access log or the
# url_rewrite_program -- hence the "CONNECT x.x.x.x:443" entries in the log.
# Squid's peek-and-splice mode (ssl_bump peek step1, then ssl_bump splice all)
# reads the SNI from the ClientHello and then passes the session through untouched:
# no decryption and no generated certificates. Confirm support in the installed
# Squid version before relying on it.
ssl_bump none all
sslcrtd_program /lib64/squid/ssl_crtd -s /lib64/squid/ssl_db -M 40MB
sslcrtd_children 10
# NOTE(review): the router/forwarding/return directives repeat the ones in the HTTP
# section above; presumably the same router is registered once -- confirm Squid does
# not log a warning about the duplicate.
wccp2_router x.x.120.254
wccp2_forwarding_method gre
wccp2_return_method gre
# Dynamic WCCP service 70: TCP port 443, assigned by destination-IP hash.
wccp2_service dynamic 70
wccp2_service_info 70 protocol=tcp flags=dst_ip_hash priority=240 ports=443
wccp2_assignment_method hash

# NOTE(review): log_fqdn controls reverse lookup of the *client* address in the
# access log; it does not resolve the destination IP of intercepted CONNECTs, so it
# cannot produce the hostname the content filter needs.
log_fqdn on

# No parent caches: every request goes to the origin (ORIGINAL_DST in the log).
always_direct allow all

coredump_dir /var/spool/squid

refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320

# squidGuard only sees the request URL; for the intercepted CONNECTs above that
# is just "ip:443", which is why FQDN-based blacklists never match.
url_rewrite_program /usr/bin/squidGuard -c /etc/squid/squidGuard.conf
