Basically I am just following this guide from AWS, but the guide uses Amazon Linux and I need to use RHEL 8. I tested it on Amazon Linux and it worked fine. On RHEL 8, Squid also starts with the default configuration file that ships with the installation. When I change the configuration file to the one provided by Amazon, it fails to start, with the error message shown below.
The configuration file is as follows:
visible_hostname squid
cache deny all
# Log format and rotation
logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %ssl::>sni %Sh/%<a %mt
logfile_rotate 10
debug_options rotate=10
# Handling HTTP requests
http_port 3128
http_port 3129 intercept
acl allowed_http_sites dstdomain "/etc/squid/whitelist.txt"
http_access allow allowed_http_sites
# Handling HTTPS requests
https_port 3130 cert=/etc/squid/ssl/squid.pem ssl-bump intercept
acl SSL_port port 443
http_access allow SSL_port
acl allowed_https_sites ssl::server_name "/etc/squid/whitelist.txt"
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
ssl_bump peek step1 all
ssl_bump peek step2 allowed_https_sites
ssl_bump splice step3 allowed_https_sites
ssl_bump terminate step2 all
http_access deny all
The service status shows the following error:
[root@ip-172-16-67-62 squid]# systemctl status squid
● squid.service - Squid caching proxy
Loaded: loaded (/usr/lib/systemd/system/squid.service; disabled; vendor preset: disabled)
Active: failed (Result: exit-code) since Wed 2020-08-05 13:23:52 +08; 3min 48s ago
Docs: man:squid(8)
Process: 20320 ExecStart=/usr/sbin/squid $SQUID_OPTS -f $SQUID_CONF (code=exited, status=0/SUCCESS)
Process: 20315 ExecStartPre=/usr/libexec/squid/cache_swap.sh (code=exited, status=0/SUCCESS)
Main PID: 20322 (code=exited, status=1/FAILURE)
Aug 05 13:23:51 ip-172-16-67-62 squid[20322]: Squid Parent: (squid-1) process 20340 started
Aug 05 13:23:51 ip-172-16-67-62 squid[20322]: Squid Parent: squid-1 process 20340 exited with status 1
Aug 05 13:23:51 ip-172-16-67-62 squid[20322]: Squid Parent: (squid-1) process 20348 started
Aug 05 13:23:51 ip-172-16-67-62 squid[20322]: Squid Parent: squid-1 process 20348 exited with status 1
Aug 05 13:23:51 ip-172-16-67-62 squid[20322]: Squid Parent: (squid-1) process 20356 started
Aug 05 13:23:52 ip-172-16-67-62 squid[20322]: Squid Parent: squid-1 process 20356 exited with status 1
Aug 05 13:23:52 ip-172-16-67-62 squid[20322]: Squid Parent: squid-1 process 20356 will not be restarted for 3600 seconds due to repeated, frequent failures
Aug 05 13:23:52 ip-172-16-67-62 squid[20322]: Exiting due to repeated, frequent failures
Aug 05 13:23:52 ip-172-16-67-62 systemd[1]: squid.service: Main process exited, code=exited, status=1/FAILURE
Aug 05 13:23:52 ip-172-16-67-62 systemd[1]: squid.service: Failed with result 'exit-code'.
[root@ip-172-16-67-62 squid]#
The log shows the following error:
-- The start-up result is done.
Aug 05 13:23:51 ip-172-16-67-62 squid[20322]: Squid Parent: will start 1 kids
Aug 05 13:23:51 ip-172-16-67-62 squid[20322]: Squid Parent: (squid-1) process 20324 started
Aug 05 13:23:51 ip-172-16-67-62 (squid-1)[20324]: FATAL: The /usr/lib64/squid/security_file_certgen -s /var/spool/squid/ssl_db -M 4MB helpers are crashing too rapidly, need help!
Aug 05 13:23:51 ip-172-16-67-62 squid[20322]: Squid Parent: squid-1 process 20324 exited with status 1
I made sure the SSL certificate has been generated and that the squid service has permission to access it. This is a CIS-hardened image, so that might be an issue. Beyond that, I'm not sure what else to check.
Answer 1
I got this working with a RHEL 8 AMI with firewalld and SELinux - the reason for using firewalld is that the client uses a STIG AMI with the firewall enabled.
#!/bin/bash
# Apply the latest security patches
dnf update -y --security
# Install and start Squid
dnf install -y squid firewalld vim policycoreutils-python-utils
systemctl enable --now firewalld
sleep 5
# Enable firewalld redirects
firewall-cmd --add-forward-port=port=80:proto=tcp:toport=3129
firewall-cmd --add-forward-port=port=443:proto=tcp:toport=3130
firewall-cmd --runtime-to-permanent
cp -a /etc/squid /etc/squid_orig
# Create cache directories, set perms and set contexts
mkdir /var/spool/squid
mkdir /var/cache/squid
semanage fcontext -a -t squid_cache_t "/var/spool/squid(/.*)?"
restorecon -FRvv /var/spool/squid
chown -R squid:squid /var/spool/squid
chown -R squid:squid /var/cache/squid
# SELinux Configuration: Add additional squid ports to selinux
semanage port -a -t squid_port_t -p tcp 3129-3130
# Create a SSL certificate for the SslBump Squid module
mkdir /etc/squid/ssl
openssl genrsa -out /etc/squid/ssl/squid.key 4096
openssl req -new -key /etc/squid/ssl/squid.key -out /etc/squid/ssl/squid.csr -subj "/C=US/ST=VA/L=squid/O=squid/CN=squid"
openssl x509 -req -days 3650 -in /etc/squid/ssl/squid.csr -signkey /etc/squid/ssl/squid.key -out /etc/squid/ssl/squid.crt
cat /etc/squid/ssl/squid.key /etc/squid/ssl/squid.crt >> /etc/squid/ssl/squid.pem
chmod 600 /etc/squid/ssl/squid.pem
restorecon -FRvv /etc/squid/ssl/squid.pem
echo '.amazonaws.com' > /etc/squid/whitelist.txt
echo '.cloudfront.net' >> /etc/squid/whitelist.txt
# The following is for access to the RHUI repositories hosted in AWS.
echo '.aws.ce.redhat.com' >> /etc/squid/whitelist.txt
cat > /etc/squid/squid.conf << EOF
visible_hostname squid
cache deny all
# Log format and rotation
logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %ssl::>sni %Sh/%<a %mt
logfile_rotate 10
debug_options rotate=10
# Handle HTTP requests
http_port 3128
http_port 3129 intercept
# Handle HTTPS requests
https_port 3130 cert=/etc/squid/ssl/squid.pem ssl-bump intercept
acl SSL_port port 443
http_access allow SSL_port
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
ssl_bump peek step1 all
# Deny requests to proxy instance metadata
acl instance_metadata dst 169.254.169.254
http_access deny instance_metadata
# Filter HTTP requests based on the whitelist
acl allowed_http_sites dstdomain "/etc/squid/whitelist.txt"
http_access allow allowed_http_sites
# Filter HTTPS requests based on the whitelist
acl allowed_https_sites ssl::server_name "/etc/squid/whitelist.txt"
ssl_bump peek step2 allowed_https_sites
ssl_bump splice step3 allowed_https_sites
ssl_bump terminate step2 all
http_access deny all
EOF
/usr/sbin/squid -k parse && /usr/sbin/squid -k reconfigure
/usr/lib64/squid/security_file_certgen -c -s /var/spool/squid/ssl_db -M 4MB
# Start and enable squid
systemctl enable --now squid
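Because Squid evaluates http_access and ssl_bump lines first-match-wins, the order of the ACL lines in the two squid.conf versions in this thread decides which rule handles a given request. The following is an added example (not code from the thread, from AWS or from the Squid project) that simulates that evaluation for the answer's configuration: it parses the acl / http_access / ssl_bump lines, applies Squid's dstdomain semantics (a leading dot matches the domain and its subdomains, no dot means an exact match), and walks the SslBump steps for intercepted TLS. The SQUID_CONF text is a constructed copy of the answer's rules, WHITELIST is a constructed stand-in for /etc/squid/whitelist.txt, and only the ACL types used in this thread are modelled.

```python
"""Constructed simulator of Squid's first-match http_access / ssl_bump evaluation.
Added example; it is not Squid's own code and models only the ACL types used here."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed copy of the ACL and access lines from the answer's squid.conf.
SQUID_CONF = """
acl SSL_port port 443
http_access allow SSL_port
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
ssl_bump peek step1 all
acl instance_metadata dst 169.254.169.254
http_access deny instance_metadata
acl allowed_http_sites dstdomain "/etc/squid/whitelist.txt"
http_access allow allowed_http_sites
acl allowed_https_sites ssl::server_name "/etc/squid/whitelist.txt"
ssl_bump peek step2 allowed_https_sites
ssl_bump splice step3 allowed_https_sites
ssl_bump terminate step2 all
http_access deny all
"""

# Constructed stand-in for /etc/squid/whitelist.txt (the answer's three entries).
WHITELIST = [".amazonaws.com", ".cloudfront.net", ".aws.ce.redhat.com"]


@dataclass
class Request:
    host: str                  # Host header, or the destination IP for intercepted TLS
    port: int
    dst_ip: str
    sni: Optional[str] = None  # TLS server name; None when the client sent no SNI
    step: int = 0              # current SslBump step while ssl_bump rules are evaluated


def dstdomain_match(pattern: str, host: str) -> bool:
    """Squid dstdomain semantics: a leading dot matches the domain and every
    subdomain; without the dot the entry matches that exact host only."""
    host, pattern = host.lower().rstrip("."), pattern.lower()
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


def parse_conf(text: str, whitelist):
    acls = {"all": ("all", [])}  # Squid's built-in 'all' ACL
    http_access, ssl_bump = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl":
            name, typ, *vals = parts[1:]
            if vals and vals[0].startswith('"'):  # file-backed list: use the constructed one
                vals = list(whitelist)
            acls.setdefault(name, (typ, []))[1].extend(vals)
        elif parts[0] == "http_access":
            http_access.append((parts[1], parts[2:]))
        elif parts[0] == "ssl_bump":
            ssl_bump.append((parts[1], parts[2:]))
    return acls, http_access, ssl_bump


def acl_matches(acl, req: Request) -> bool:
    typ, vals = acl
    if typ == "all":
        return True
    if typ == "dstdomain":
        return any(dstdomain_match(v, req.host) for v in vals)
    if typ == "ssl::server_name":  # matched against the SNI the client presented
        return req.sni is not None and any(dstdomain_match(v, req.sni) for v in vals)
    if typ == "port":  # single ports or "lo-hi" ranges
        return any(int(lo) <= req.port <= int(hi or lo)
                   for lo, _, hi in (v.partition("-") for v in vals))
    if typ == "dst":
        ip = ipaddress.ip_address(req.dst_ip)
        return any(ip in ipaddress.ip_network(v, strict=False) for v in vals)
    if typ == "at_step":
        return f"SslBump{req.step}" in vals
    raise ValueError(f"ACL type not modelled: {typ}")


def first_match(rules, acls, req: Request):
    """Rules are tried in order; a rule applies when every listed ACL matches
    ('!' negates one); the first applying rule wins."""
    for action, names in rules:
        if all(acl_matches(acls[n.lstrip("!")], req) != n.startswith("!") for n in names):
            return action, names
    return None


def decide(conf_text: str, whitelist, req: Request):
    """Returns (http_access decision, ACLs of the deciding rule, ssl_bump action per step)."""
    acls, http_rules, bump_rules = parse_conf(conf_text, whitelist)
    action, names = first_match(http_rules, acls, req) or ("deny", ["<no rule matched>"])
    trace = {}
    if action == "allow" and req.port == 443:  # intercepted TLS: walk SslBump1..3
        for step in (1, 2, 3):
            req.step = step
            hit = first_match(bump_rules, acls, req)
            trace[step] = hit[0] if hit else "bump"  # Squid bumps when no rule matches
            if trace[step] in ("terminate", "splice", "bump"):
                break
    return action, names, trace


if __name__ == "__main__":
    for r in (Request("ec2.amazonaws.com", 80, "203.0.113.10"),
              Request("169.254.169.254", 80, "169.254.169.254"),
              Request("169.254.169.254", 443, "169.254.169.254"),
              Request("s3.amazonaws.com", 443, "52.0.0.1", sni="s3.amazonaws.com")):
        print(r.host, r.port, "->", decide(SQUID_CONF, WHITELIST, r))
```

Running it shows the practical effect of the ordering in the answer's file: the explicit deny for 169.254.169.254 decides plain port-80 requests to the metadata address, while a port-443 request to any address passes http_access through the earlier "allow SSL_port" line and is then decided by the ssl_bump chain, where a whitelisted SNI is spliced at step 3 and a missing or non-whitelisted SNI is terminated at step 2. The question's configuration has no instance_metadata deny at all, so for it the port-80 case falls through to the final "deny all".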