We are using Squid as a transparent proxy (Squid Cache: Version 3.5.28, Service Name: squid). The problem looks similar to "Squid SSL Bump TAG_NONE / HIER_NONE", but my access log is slightly different.

We have an EC2 instance running Java 8 and an application that talks to GCP over the internet. The application appears to consume data from other sources successfully, but it cannot publish to a Google Pub/Sub account. Publishing via curl seems fine.

Here is what we see in the access log:

{"event":"2019-08-28 10:14:53 +1000.140 106 10.xxx TAG_NONE/200 0 CONNECT 172.217.167.106:443 - ORIGINAL_DST/172.217.167.106 - peek pubsub.googleapis.com","source_name":"/var/log/squid/access.log"}

Note that other Java-based applications publish to GCP through the same proxy node without any problem, and in that case I can see TCP_TUNNEL/200.

Any idea what the above access log entry actually means?

The Squid configuration is as follows:

```
#
# FILE MANAGED BY PUPPET - Module squid
# Adapted from the RedHat recommended minimum configuration.
#
visible_hostname devproxy-hostname.local
acl to_linklocal dst 169.254.0.0/16 fe80::/10
# Source networks that are allowed to use this proxy
acl localnet src 10.x.x.x/16
# Destination ports that are allowed to be proxied (not CONNECT method)
acl allow_proxy_port port 22
acl allow_proxy_port port 25
acl allow_proxy_port port 443
acl allow_proxy_port port 465
acl allow_proxy_port port 80
# Destination ports that are allowed to be proxied via the CONNECT method
acl allow_connect_port port 22
acl allow_connect_port port 25
acl allow_connect_port port 443
acl allow_connect_port port 465
acl CONNECT method CONNECT
# DON'T SEND AN ERROR MESSAGE BACK FROM SQUID WHEN THE SSL CERTIFICATE
# IS NOT VALID
sslproxy_flags DONT_VERIFY_PEER
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access allow manager
# Deny requests to certain unsafe ports
http_access deny !allow_proxy_port
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !allow_connect_port
# Deny access to localhost & link-local addresses
http_access deny to_localhost
http_access deny to_linklocal
acl explicit_http myportname 3128
acl transparent_http myportname 3129
acl transparent_https myportname 3130
# Allow access from clients within the IP ranges defined in localnet
# and the localhost itself for the explicit proxy
http_access allow localnet explicit_http
http_access allow localhost explicit_http
# Allow access from clients within the IP ranges defined in localnet
# and the localhost itself for the transparent proxy
http_access allow localnet transparent_http
http_access allow localhost transparent_http
# No whitelist here as it's taken care of during the peek and splice below
http_access allow localnet transparent_https
http_access allow localhost transparent_https
# And finally deny all other access to this proxy
http_access deny all
# Squid normally listens to port 3128
http_port 3128
http_port 3129 intercept
https_port 3130 ssl-bump intercept cert=/etc/squid/squid.crt key=/etc/squid/squid.key generate-host-certificates=on
# Disable any caching
cache deny all
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
# Double peek required to get around an issue with https://wiki.squid-cache.org/KnowledgeBase/HostHeaderForgery
# as the DNS is looked up again and has a possibility that the IP has changed
ssl_bump peek step1 all
ssl_bump peek step2 all
ssl_bump splice step3 all
# Disable via and x-forwarded-for headers
via off
forwarded_for delete
max_filedescriptors 2048
workers 1
# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
# Change epoch time to human readable time format - Squid 3.5
# Example: 1447998880.602 to 2015-11-20 16:57:40 +1100.107
logformat squid %{%Y-%m-%d %H:%M:%S %z}tl.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt %ssl::bump_mode %ssl::>sni
access_log /var/log/squid/access.log squid
logfile_rotate 0
```
Thanks
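The question hinges on reading one line of a custom `logformat`. The parser below is an added example, not part of the original post or of Squid; it matches the `logformat squid` line from the configuration above field by field, then classifies each CONNECT entry by its status tag, bytes served and `%ssl::bump_mode` column, so a TAG_NONE/0-byte entry that stopped at `peek` can be told apart from a TCP_TUNNEL entry that reached `splice`. The first sample line is the one from the question; the second (a TCP_TUNNEL line with bump mode `splice`) is constructed to show the working case, and the `classify()` verdict codes are this example's own names.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Matches the custom logformat from the question:
# %{%Y-%m-%d %H:%M:%S %z}tl.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt %ssl::bump_mode %ssl::>sni
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} [+-]\d{4})\.(?P<ms>\d{3})\s+"
    r"(?P<rt>\d+)\s+"                           # %6tr   response time (ms), right-padded
    r"(?P<client>\S+)\s+"                       # %>a    client address
    r"(?P<tag>[A-Z_]+)/(?P<status>\d{3})\s+"    # %Ss/%03>Hs  squid status tag / HTTP status
    r"(?P<bytes>\d+)\s+"                        # %<st   bytes sent to the client
    r"(?P<method>\S+)\s+"                       # %rm    request method
    r"(?P<url>\S+)\s+"                          # %ru    request URL (host:port for CONNECT)
    r"(?P<user>\S+)\s+"                         # %[un   user name or '-'
    r"(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+"       # %Sh/%<a hierarchy code / server address
    r"(?P<mime>\S+)\s+"                         # %mt    MIME type or '-'
    r"(?P<bump>\S+)\s+"                         # %ssl::bump_mode  last ssl_bump action applied
    r"(?P<sni>\S+)\s*$"                         # %ssl::>sni       SNI from the client hello
)


@dataclass
class Entry:
    timestamp: str
    response_ms: int
    client: str
    tag: str
    status: int
    bytes_out: int
    method: str
    url: str
    hierarchy: str
    peer: str
    bump_mode: str
    sni: str


def parse_line(line: str) -> Optional[Entry]:
    """Parse one access.log line in the custom format; None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Entry(
        timestamp=f"{m['ts']}.{m['ms']}",
        response_ms=int(m["rt"]),
        client=m["client"],
        tag=m["tag"],
        status=int(m["status"]),
        bytes_out=int(m["bytes"]),
        method=m["method"],
        url=m["url"],
        hierarchy=m["hier"],
        peer=m["peer"],
        bump_mode=m["bump"],
        sni=m["sni"],
    )


def classify(e: Entry) -> str:
    """Verdict codes (this example's own names) for intercepted CONNECT entries."""
    if e.method != "CONNECT":
        return "NOT_CONNECT"
    if e.tag == "TCP_TUNNEL":
        # Squid spliced the TLS session and relayed bytes end to end.
        return "TUNNEL_OK"
    if e.tag == "TAG_NONE" and e.bytes_out == 0:
        # No tunnel was ever established: the transaction ended without a
        # status tag and nothing was sent back; bump_mode records how far
        # the ssl_bump steps got (here 'peek', so 'splice' was never reached).
        return "NO_TUNNEL"
    return "OTHER"


def summarise(log_text: str) -> Dict[Tuple[str, str], int]:
    """Count entries per (SNI, verdict) so failing destinations stand out."""
    counts: Dict[Tuple[str, str], int] = {}
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None:
            continue
        key = (e.sni, classify(e))
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample: line 1 is the entry from the question, line 2 is a made-up
# working entry of the kind the other Java applications produce (TCP_TUNNEL, spliced).
SAMPLE_LOG = """\
2019-08-28 10:14:53 +1000.140 106 10.xxx TAG_NONE/200 0 CONNECT 172.217.167.106:443 - ORIGINAL_DST/172.217.167.106 - peek pubsub.googleapis.com
2019-08-28 10:15:01 +1000.002   5213 10.xxx TCP_TUNNEL/200 48211 CONNECT 172.217.167.106:443 - ORIGINAL_DST/172.217.167.106 - splice pubsub.googleapis.com
"""

if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        entry = parse_line(line)
        if entry:
            print(f"{entry.sni:28} {entry.tag:11} bytes={entry.bytes_out:6} "
                  f"bump={entry.bump_mode:7} -> {classify(entry)}")
    print(summarise(SAMPLE_LOG))
```

Running this over a day of access.log and looking for SNIs whose entries are all `NO_TUNNEL` narrows the problem to the client-side TLS handshake of that one application: with `ssl_bump peek` at step1 and step2 and `splice` at step3, a line whose bump mode is still `peek` with TAG_NONE and 0 bytes means the session closed before the splice decision, whereas the working Java clients reach `splice` and get TCP_TUNNEL.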