HTTPS stunnel 错误:1408F09B:SSL 例程:ssl3_get_record:https 代理请求

tag-icon tag-icon proxy configuration squid stunnel
HTTPS stunnel 错误:1408F09B:SSL 例程:ssl3_get_record:https 代理请求

我正在使用 stunnel 和 squid 配置 HTTPS 代理。

但是,当我通过端口 44444(stunnel)发出浏览器请求时,我收到了 Mozilla 错误页面“安全连接失败”。

我错过了什么?

  1. 如果我直接向浏览器发出请求(https://192.168.0.101:44444) stunnel 正在 44444 端口上接受连接,并成功将流量转发到 squid 代理端口 (55555),结果收到 squid 错误页面。

  2. 如果我通过 squid 端口(55555)发出请求,一切都正常。

SSL 证书是自签名的。通过以下命令生成:

sudo openssl req -nodes -new -days 365 -newkey rsa:1024 -x509 -keyout serverkey.pem -out servercert.pem

隧道日志

2020.10.01 17:54:05 LOG7[main]: Found 1 ready file descriptor(s)
2020.10.01 17:54:05 LOG7[main]: FD=4 events=0x2001 revents=0x0
2020.10.01 17:54:05 LOG7[main]: FD=6 events=0x2001 revents=0x1
2020.10.01 17:54:05 LOG7[main]: Service [squid] accepted (FD=3) from 10.140.37.30:42284
2020.10.01 17:54:05 LOG7[33]: Service [squid] started
2020.10.01 17:54:05 LOG7[33]: Option TCP_NODELAY set on local socket
2020.10.01 17:54:05 LOG5[33]: Service [squid] accepted connection from 10.140.37.30:42284
2020.10.01 17:54:05 LOG6[33]: Peer certificate not required
2020.10.01 17:54:05 LOG7[33]: TLS state (accept): before SSL initialization
2020.10.01 17:54:05 LOG3[33]: SSL_accept: 1408F09B: error:1408F09B:SSL routines:ssl3_get_record:https proxy request

隧道配置文件

chroot = /var/lib/stunnel4/
setuid = stunnel4
setgid = stunnel4

pid = /stunnel4.pid

debug = 7
output = /stunnel.log
syslog = no

cert = /etc/stunnel/servercert.pem
key = /etc/stunnel/serverkey.pem

verify = 1

CApath = /certs

CRLpath = /crls

client = no
[squid]
accept = 44444
connect = 55555

squid配置文件

acl localnet src 192.168.0.0/16

acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 21
acl Safe_ports port 443
acl Safe_ports port 70
acl Safe_ports port 210
acl Safe_ports port 1025-65535
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777
acl CONNECT method CONNECT


http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost
http_access allow all

http_port 55555

coredump_dir /var/spool/squid
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern (Release|Packages(.gz)*)$     0       20%     2880
refresh_pattern .               0       20%     4320

答案1

stunnel 端的配置一切正常。问题出在我的客户端,由于配置错误,它无法启动 SSL\TLS 握手。

相关内容