带有 SSL 和 Gmail 的 Squid 代理


我正在尝试让 Squid 使用 SSL（ssl-bump），以便能够打开 Gmail，但只允许访问我们自己的域。以下是我的配置：

# Squid forward proxy with ssl-bump: TLS connections from internal clients
# are intercepted and re-signed with the local CA configured below so that
# request headers can be inspected and rewritten (see request_header_add
# near the end of this file).
coredump_dir /var/spool/squid

workers 4


# Listening port with on-the-fly certificate generation.
# - cert= points at a single file holding the CA certificate AND its private
#   key; whoever can read it can impersonate every bumped site, so keep it
#   readable by the Squid user only.
# - require-proxy-header makes Squid expect a PROXY protocol preamble on
#   every connection to this port. Browsers never send one, and without a
#   proxy_protocol_access rule allowing the sender the connection is dropped
#   with "PROXY client not permitted by default ACL". The option belongs on
#   a port that is only ever reached through a load balancer (e.g. haproxy);
#   NOTE(review): confirm whether such a balancer exists in front of 3128.
http_port 3128 ssl-bump \
  dynamic_cert_mem_cache_size=16MB \
  generate-host-certificates=on \
  cert=/etc/squid/certs/squid-ca-cert-key.pem \
  require-proxy-header

# Helper that mints the per-site certificates; its database lives under
# /var/spool/squid/ssl and is capped at 16MB.
sslcrtd_program /usr/lib64/squid/security_file_certgen -s /var/spool/squid/ssl -M 16MB
# Server-side TLS: SSLv3 disabled, fresh DH key per handshake. No minimum
# TLS version or cipher list is pinned here, so the library defaults apply
# (presumably OpenSSL's — verify for this build).
tls_outgoing_options options=NO_SSLv3,SINGLE_DH_USE
shutdown_lifetime 1 second


# Hide the originating client address and the proxy hop from origin servers.
forwarded_for delete
via off

# Cache everything: 4 GB in memory plus a 1024 MB rock store. With ssl_bump
# active, responses from decrypted HTTPS sessions presumably land in this
# cache as well, so the spool directory holds plaintext of bumped traffic —
# keep its permissions as tight as the CA key's.
cache allow all
cache_mem 4 GB
cache_dir rock /var/spool/squid 1024
# Never route through a cache peer; go to the origin directly.
always_direct allow all
# refresh_pattern is first-match-wins: the catch-all "." rule on the next
# line matches every URL, so the four patterns further down (ftp, gopher,
# cgi-bin, ".") are never consulted. Keep one set or the other.
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320 ignore-reload

# Level 2 for every section plus level 3 for section 28 (presumably the ACL
# section — confirm against cache.log). This is chatty; fine while
# troubleshooting the access rules below, noisy for production.
debug_options ALL,2 28,3

#
# Add any of your own refresh_pattern entries above these.
# (Unreachable while the "." pattern above remains — see note there.)
#
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320

# Clients that may use this proxy at all (RFC 1918 10/8).
acl internal src 10.0.0.0/8


acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 443         # https
# NOTE(review): 3128 is this proxy's own listening port; listing it as a
# Safe_port lets clients request other hosts' proxy ports through Squid.
# Confirm that is wanted (the "cachemgr" comment suggests it was copied
# from the default config).
acl Safe_ports port 3128        # cachemgr
acl CONNECT method CONNECT
# Same definition as CONNECT above; not referenced anywhere below.
acl SSL method CONNECT
# TLS server names (from SNI) that must NOT be decrypted; "blah\.com" is a
# placeholder to replace with the real exemption list.
acl no_bump ssl::server_name_regex blah\.com$


# Three-step bumping: peek at the ClientHello (step1) for everyone, peek at
# the server certificate (step2) only for exempt names and splice them at
# step3, otherwise stare at step2 and bump. The final bare "ssl_bump bump"
# means every TLS connection not matching no_bump is decrypted.
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
ssl_bump peek step1 all
ssl_bump peek step2 no_bump
ssl_bump splice step3 no_bump
ssl_bump stare step2
ssl_bump bump

# allow replies to all
http_reply_access allow all
# Deny-before-allow ordering: http_access rules are evaluated top to bottom,
# first match wins, so these denials must stay above the allow rules.
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
# (localhost and manager are not defined in this file; they are built-in
# ACLs in recent Squid releases — confirm for the version in use.)
http_access allow localhost manager
http_access deny manager


# Destination ACLs for the Google properties that may be reached.
# ssl::server_name matches the SNI / certificate name of a bumped session.
acl dst_google_http ssl::server_name accounts.google.com
acl dst_google_http ssl::server_name admin.google.com
acl dst_google_http ssl::server_name calendar.google.com
acl dst_google_http ssl::server_name fonts.googleapis.com

acl dst_google_http_re ssl::server_name_regex gstatic\.com$

# url_regex is only meaningful once the request has been decrypted. The dots
# in "www.google.com" are unescaped, so they match any character (e.g.
# "wwwXgoogleYcom"); escape them as "www\.google\.com" if exactness matters.
acl dst_google_http_url url_regex ^http(s)?://www.google.com/accounts/(.+)?$
acl dst_google_http_url url_regex ^http(s)?://www.google.com/a/DOMAIN.com/(.+)?$

acl dst_google_connect ssl::server_name www.google.com
# Same regex as dst_google_http_re above; the two could be merged.
acl dst_google_connect_re ssl::server_name_regex gstatic\.com$


# Only internal clients, only CONNECT, only to the Google names above.
# NOTE(review): these rules match the CONNECT method only. Requests that
# ssl_bump decrypts are re-evaluated against http_access with their real
# method (GET/POST), and nothing below allows those, so they would fall
# through to "deny all"; dst_google_http_url is likewise never used in an
# access rule. Verify against the access log once the PROXY-header issue
# is resolved.
http_access allow CONNECT internal dst_google_connect
http_access allow CONNECT internal dst_google_connect_re
http_access allow CONNECT internal dst_google_http
http_access allow CONNECT internal dst_google_http_re

# Strip any client-supplied copy of these headers so a client cannot set its
# own X-GoogApps-Allowed-Domains value and bypass the restriction added next.
request_header_access Surrogate-Capability deny all
request_header_access X-GoogApps-Allowed-Domains deny all

# Inject the allowed-domains header on requests to the Google destinations
# so the browser is limited to the corporate domain; "DOMAIN.com" is the
# placeholder for that domain.
request_header_add X-GoogApps-Allowed-Domains "DOMAIN.com" dst_google_http dst_google_http_re dst_google_connect dst_google_connect_re


# And finally deny all other access to this proxy
http_access deny all

当我删除 require-proxy-header 选项时，我可以正常访问互联网并连接到 google/bbc 等站点。

如果我把它加回去，就会得到：

2021/01/18 18:01:27.103| PROXY client not permitted by default ACL from local= <IP> remote=<IP>
FD 19 flags=1

并且 Squid 访问日志显示

1610993061.230      0  NONE/000 0 NONE error:transaction-end-before-headers - HIER_NONE/- -

我已确认证书已导入到浏览器中。我是否做错了什么？

答案1

PROXY 协议用于将连接客户端信息(IP 地址)从负载均衡器(haproxy)传输到 Squid 或 Web 服务器(参见https://docs.diladele.com/administrator_guide_stable/active_directory_extra/redundancy/haproxy_proxy_protocol.html)。

你真正需要的是在所有发往 Gmail 的请求中插入一个特定标头，以强制浏览器仅使用公司域名。如果是这样，这应该可以通过 request_header_add 指令完成（注意，如果需要，也可以在 ICAP 服务中完成）。
