我在使用 squid 对 https 流量做反向 DNS 查找时遇到问题:我用 wccp 把 https 连接重定向到 squid 代理服务器,并用 squidguard 做内容过滤。https 流量到达代理时已经经过了 DNS 查找过程,并且已经是 https,所以我看不到 SNI 信息,因此代理服务器只能看到站点的 IP 地址。这导致内容过滤器的黑名单出现问题,因为黑名单是基于 fqdn 的。有没有人有配置 squid 对 https 流量做反向查找的经验?我不想使用 MITM。
日志
1510234383.852 10522 x.x.100.21 TCP_TUNNEL/200 145 CONNECT x.x.x.x:443 - ORIGINAL_DST/x.x.x.x
1510234383.852 10571 x.x.100.21 TCP_TUNNEL/200 145 CONNECT x.x.x.x:443 - ORIGINAL_DST/x.x.x.x -
1510234383.852 10639 x.x.100.21 TCP_TUNNEL/200 145 CONNECT x.x.x.x:443 - ORIGINAL_DST/x.x.x.x -
1510234383.959 106 x.x.100.21 TCP_TUNNEL/200 482 CONNECT x.x.x.x:443 - ORIGINAL_DST/x.x.x.x -
1510234384.358 268 x.x.100.21 TCP_TUNNEL/200 5195 CONNECT x.x.x.x:443 - ORIGINAL_DST/x.x.x.x -
1510234384.421 5482 x.x.100.21 TCP_TUNNEL/200 780 CONNECT x.x.x.x:443 - ORIGINAL_DST/x.x.x.x -
1510234386.893 25 x.x.100.21 TAG_NONE/503 0 CONNECT x.x.x.x:443 - HIER_NONE/- -
1510234386.893 25 x.x.100.21 TAG_NONE/503 0 CONNECT x.x.x.x:443 - HIER_NONE/- -
1510234386.893 25 x.x.100.21 TAG_NONE/503 0 CONNECT x.x.x.x:443 - HIER_NONE/- -
1510234386.963 108 x.x.100.21 TCP_TUNNEL/200 482 CONNECT x.x.x.x:443 - ORIGINAL_DST/x.x.x.x -
1510234387.942 10081 x.x.100.21 TCP_TUNNEL/200 3573 CONNECT x.x.x.x:443 - ORIGINAL_DST/x.x.x.x -
1510234387.978 10117 x.x.100.21 TCP_TUNNEL/200 156 CONNECT x.x.x.x:443 - ORIGINAL_DST/x.x.x.x -
配置
# Client-source ACLs. Addresses are redacted in this paste (x.x.x.x / xxxx::);
# the trailing comments name the RFC ranges they stand for.
acl localnet src x.x.x.x/8 # RFC1918 possible internal network
acl localnet src x.x.x.x/12 # RFC1918 possible internal network
acl localnet src x.x.x.x/16 # RFC1918 possible internal network
acl localnet src xxxx::/7 # RFC 4193 local private network range
acl localnet src xxxx::/10 # RFC 4291 link-local (directly plugged) machines
# Destination-port ACLs. CONNECT is restricted to SSL_ports (443) by the
# http_access rules below; Safe_ports is the usual default list.
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
# http_access is evaluated top-down, first match wins: port restrictions and
# cache-manager protection come first, then the blanket allow for localnet.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
# Everything from localnet is allowed at this stage; content filtering is
# delegated to the url_rewrite_program (squidGuard) at the end of this file,
# which runs after access control.
http_access allow localnet
http_access allow localhost
http_access deny all
# 3128 = explicit (configured) proxy port; 8080 = transparent HTTP intercept
# port fed by the WCCP redirect below.
http_port 3128
http_port 8080 intercept
# WCCP service group 0 (standard, HTTP). The router/forwarding/return lines are
# repeated verbatim for the dynamic 443 service further down — TODO confirm
# whether Squid needs them twice or whether one set covers both services.
wccp2_router x.x.120.254
wccp2_forwarding_method gre
wccp2_return_method gre
wccp2_service standard 0
#
# Intercepted HTTPS. ssl-bump, generate-host-certificates and a CA cert are
# configured here, but `ssl_bump none all` below tunnels every connection
# untouched, so no certificate is ever minted for clients (consistent with the
# stated "no MITM" requirement).
https_port 8081 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/opt/squid_certs/proxyCAnew.pem
# NOTE(review): this line is the likely reason the log and squidGuard only see
# IP addresses. With `none`, Squid tunnels without reading the TLS ClientHello,
# so the SNI is never extracted and the synthetic CONNECT carries only the
# original destination IP (see the TCP_TUNNEL/ORIGINAL_DST entries in the log).
# Squid 3.5+ can obtain the SNI without decrypting by peeking at step 1 and
# then splicing, e.g. `acl step1 at_step SslBump1`, `ssl_bump peek step1`,
# `ssl_bump splice all` — verify against the docs of the installed version.
# A reverse DNS lookup of the destination IP is a weaker substitute: shared
# hosting and CDN addresses rarely resolve back to the site's own FQDN.
ssl_bump none all
# Certificate-generation helper; unused while ssl_bump stays at `none`.
sslcrtd_program /lib64/squid/ssl_crtd -s /lib64/squid/ssl_db -M 40MB
sslcrtd_children 10
# WCCP dynamic service 70: TCP port 443 redirected to this proxy, assignments
# hashed on destination IP (see wccp2_service_info / wccp2_assignment_method).
wccp2_router x.x.120.254
wccp2_forwarding_method gre
wccp2_return_method gre
wccp2_service dynamic 70
wccp2_service_info 70 protocol=tcp flags=dst_ip_hash priority=240 ports=443
wccp2_assignment_method hash
# NOTE(review): log_fqdn appears to control reverse lookup of the *client*
# address for access.log; it does not resolve destination IPs to names, so it
# will not give squidGuard an FQDN — confirm in the Squid documentation.
log_fqdn on
# Never route via a peer; always connect to the origin directly.
always_direct allow all
coredump_dir /var/spool/squid
# Default refresh patterns (caching policy); unrelated to the HTTPS issue.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
# squidGuard receives the request URL from Squid. For the intercepted HTTPS
# above that is presumably the `x.x.x.x:443` seen in the CONNECT log lines, so
# FQDN-based blacklists cannot match until Squid has a hostname (SNI) to pass.
url_rewrite_program /usr/bin/squidGuard -c /etc/squid/squidGuard.conf