最后更新:我最终使用
nginx证明squid很难使用,请参阅最后的更新了解更多详细信息
我正在尝试使用 SNI(不解密)通过 squid 设置透明的 HTTPS 代理,但它不起作用。
我不知道我做错了什么,我将非常感激你的帮助。
记录期间发生的事件:
HTTP 调用
curl -v http://example.com
* Trying 127.0.0.1:80...
* Connected to example.com (127.0.0.1) port 80 (#0)
> GET / HTTP/1.1
> Host: example.com
> User-Agent: curl/7.82.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Age: 512560
< Cache-Control: max-age=604800
< Content-Type: text/html; charset=UTF-8
< Date: Sun, 11 Jun 2023 15:28:56 GMT
< ETag: "3147526947+ident"
< Expires: Sun, 18 Jun 2023 15:28:56 GMT
< Last-Modified: Thu, 17 Oct 2019 07:18:26 GMT
< Server: ECS (bsa/EB17)
< Vary: Accept-Encoding
< X-Cache: HIT
< Content-Length: 1256
< X-Cache: MISS from eb91c8aa314b
< X-Cache-Lookup: MISS from eb91c8aa314b:3128
< Via: 1.1 eb91c8aa314b (squid/5.7)
< Connection: keep-alive
HTTPS 调用
curl -v https://example.com
* Trying 127.0.0.1:443...
* Connected to example.com (127.0.0.1) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
* CApath: none
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
对于 HTTPS,它卡住了。
squid.conf:
acl localnet src 0.0.0.1-0.255.255.255 # RFC 1122 "this" network (LAN)
acl localnet src 10.0.0.0/8 # RFC 1918 local private network (LAN)
acl localnet src 100.64.0.0/10 # RFC 6598 shared address space (CGN)
acl localnet src 169.254.0.0/16 # RFC 3927 link-local (directly plugged) machines
acl localnet src 172.16.0.0/12 # RFC 1918 local private network (LAN)
acl localnet src 192.168.0.0/16 # RFC 1918 local private network (LAN)
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
include /etc/squid/conf.d/*.conf
# http_access allow localhost
# http_access deny all
# http_port 3128
coredump_dir /var/spool/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
# ---------------------- Added configs ----------------------
http_access allow all
# always_direct allow all
# Squid kept crashing and after checking out the logs and searching, I found following bug report
# which in first comment there was some suggested workarounds one of them was setting a value for max_filedescriptors
# https://bugs.launchpad.net/ubuntu-docker-images/+bug/1978272
max_filedescriptors 1048576
# transparent proxy for http
http_port 3128 accel vhost allow-direct
# transparent proxy for https
acl step1 at_step SslBump1
# acl step2 at_step SslBump2
# acl step3 at_step SslBump3
ssl_bump peek step1
ssl_bump splice all
# ssl_bump bump
https_port 3129 intercept ssl-bump cert=/etc/squid/squid.pem
访问日志:
1686498023.786 671 172.17.0.1 TCP_MISS/304 436 GET http://example.com/ - HIER_DIRECT/93.184.216.34 -
1686498025.905 0 172.17.0.1 NONE_NONE/000 0 - error:accept-client-connection - HIER_NONE/- -
缓存.日志:
2023/06/11 15:40:17 kid1| Set Current Directory to /var/spool/squid
2023/06/11 15:40:17 kid1| Starting Squid Cache version 5.7 for x86_64-pc-linux-gnu...
2023/06/11 15:40:17 kid1| Service Name: squid
2023/06/11 15:40:17 kid1| Process ID 9
2023/06/11 15:40:17 kid1| Process Roles: worker
2023/06/11 15:40:17 kid1| With 1048576 file descriptors available
2023/06/11 15:40:17 kid1| Initializing IP Cache...
2023/06/11 15:40:17 kid1| DNS Socket created at 0.0.0.0, FD 8
2023/06/11 15:40:17 kid1| Adding nameserver 1.1.1.1 from /etc/resolv.conf
2023/06/11 15:40:17 kid1| Adding nameserver 8.8.8.8 from /etc/resolv.conf
2023/06/11 15:40:17 kid1| Adding nameserver 9.9.9.9 from /etc/resolv.conf
2023/06/11 15:40:17 kid1| Adding domain . from /etc/resolv.conf
2023/06/11 15:40:17 kid1| helperOpenServers: Starting 5/32 'security_file_certgen' processes
2023/06/11 15:40:17 kid1| WARNING: no_suid: setuid(0): (1) Operation not permitted
2023/06/11 15:40:17 kid1| WARNING: no_suid: setuid(0): (1) Operation not permitted
2023/06/11 15:40:17 kid1| WARNING: no_suid: setuid(0): (1) Operation not permitted
2023/06/11 15:40:17 kid1| WARNING: no_suid: setuid(0): (1) Operation not permitted
2023/06/11 15:40:17 kid1| WARNING: no_suid: setuid(0): (1) Operation not permitted
2023/06/11 15:40:17 kid1| Logfile: opening log daemon:/var/log/squid/access.log
2023/06/11 15:40:17 kid1| Logfile Daemon: opening log /var/log/squid/access.log
2023/06/11 15:40:17 kid1| WARNING: no_suid: setuid(0): (1) Operation not permitted
2023/06/11 15:40:17 kid1| Local cache digest enabled; rebuild/rewrite every 3600/3600 sec
2023/06/11 15:40:17 kid1| Store logging disabled
2023/06/11 15:40:17 kid1| Swap maxSize 0 + 262144 KB, estimated 20164 objects
2023/06/11 15:40:17 kid1| Target number of buckets: 1008
2023/06/11 15:40:17 kid1| Using 8192 Store buckets
2023/06/11 15:40:17 kid1| Max Mem size: 262144 KB
2023/06/11 15:40:17 kid1| Max Swap size: 0 KB
2023/06/11 15:40:17 kid1| Using Least Load store dir selection
2023/06/11 15:40:17 kid1| Set Current Directory to /var/spool/squid
2023/06/11 15:40:17 kid1| Finished loading MIME types and icons.
2023/06/11 15:40:17 kid1| HTCP Disabled.
2023/06/11 15:40:17 kid1| WARNING: no_suid: setuid(0): (1) Operation not permitted
2023/06/11 15:40:17 kid1| Pinger socket opened on FD 24
2023/06/11 15:40:17 kid1| Squid plugin modules loaded: 0
2023/06/11 15:40:17 kid1| Adaptation support is off.
2023/06/11 15:40:17 kid1| Accepting reverse-proxy HTTP Socket connections at conn12 local=0.0.0.0:3128 remote=[::] FD 21 flags=9
2023/06/11 15:40:17 kid1| Accepting NAT intercepted SSL bumped HTTPS Socket connections at conn14 local=0.0.0.0:3129 remote=[::] FD 22 flags=41
2023/06/11 15:40:17| WARNING: BCP 177 violation. Detected non-functional IPv6 loopback.
2023/06/11 15:40:17| pinger: Initialising ICMP pinger ...
2023/06/11 15:40:17| pinger: ICMP socket opened.
2023/06/11 15:40:17| pinger: ICMPv6 socket opened
2023/06/11 15:40:18 kid1| storeLateRelease: released 0 objects
2023/06/11 15:40:25 kid1| ERROR: NF getsockopt(ORIGINAL_DST) failed on conn23 local=172.17.0.2:3129 remote=172.17.0.1:57978 FD 14 flags=33: (2) No such file or directory
listening port: 3129
2023/06/11 15:40:25 kid1| ERROR: NAT/TPROXY lookup failed to locate original IPs on conn23 local=172.17.0.2:3129 remote=172.17.0.1:57978 FD 14 flags=33
listening port: 3129
环境:
我在 docker 容器内运行 squid,其已发布端口为 80:3128 和 443:3129
Host: Fedora 37
Docker version: 24.0.2
Docker image: my_own_dockerfile and ghcr.io/b4tman/squid-ssl-bump (tired both)
Squid version: 5.7 (squid-openssl debian package)
squid-ssl-bump图片来自b4tman@github
我已经尝试了这两个图像,但最终得到了相同的结果,我也尝试了 Docker 之外的结果也是一样的。
我的docker文件:
FROM debian:bookworm-slim
RUN apt-get update \
&& apt-get install -y squid-openssl \
&& rm -rf /var/lib/apt/lists/*
RUN /usr/lib/squid/security_file_certgen -c -s /var/spool/squid/ssl_db -M 4MB
RUN touch /run/squid.pid && chmod o=rw /run/squid.pid
USER proxy
EXPOSE 3128 3129
CMD ["squid","--foreground"]
测试:
我一直在使用 /etc/hosts 将某些域(example.com)指向 127.0.0.1(仅用于测试目的)并使用 curl 和 Firefox 来测试结果。
把它们加起来:
目标:使用 SNI(解密流量)将 squid 作为透明的 HTTPS 代理。
非目标:解密 HTTPS 流量并在客户端上安装证书。
问题:就我而言,它不起作用(对于 HTTPS),并且搜索日志中出现的错误没有太大帮助。
PS:我对网络的了解非常有限。
更新 1:
根据评论中提到的它可能与 docker 有关,我在 docker 之外做了更多测试。
我已经在 Fedora 37 上进行了测试,它是我的主要机器,还有一个 Debian 11 服务器
Fedora 37 环境:
squid version: 5.8 (squid package on fedora)
Debian 11 环境:
squid version: 4.13 (squid-openssl package on debian)
两种情况下的结果几乎相同,并且都没有达到目标,但是与docker相比日志略有不同。
这是 Fedora 中的 conf 和日志文件:
squid配置文件
#
# Recommended minimum configuration:
#
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 0.0.0.1-0.255.255.255 # RFC 1122 "this" network (LAN)
acl localnet src 10.0.0.0/8 # RFC 1918 local private network (LAN)
acl localnet src 100.64.0.0/10 # RFC 6598 shared address space (CGN)
acl localnet src 169.254.0.0/16 # RFC 3927 link-local (directly plugged) machines
acl localnet src 172.16.0.0/12 # RFC 1918 local private network (LAN)
acl localnet src 192.168.0.0/16 # RFC 1918 local private network (LAN)
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localhost
http_access deny to_localhost
http_access deny to_linklocal
# For example, to allow access from your local networks, you may uncomment the
# following rule (and/or add rules that match your definition of "local"):
# http_access allow localnet
#http_access deny all
#http_port 3128
coredump_dir /var/spool/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
# ---------------------- Added configs ----------------------
http_access allow all
# always_direct allow all
# Squid kept crashing and after checking out the logs and searching, I found following bug report
# which in first comment there was some suggested workarounds one of them was setting a value for max_filedescriptors
# https://bugs.launchpad.net/ubuntu-docker-images/+bug/1978272
#max_filedescriptors 1048576
# transparent proxy for http
http_port 80 accel vhost allow-direct
# transparent proxy for https
acl step1 at_step SslBump1
# acl step2 at_step SslBump2
# acl step3 at_step SslBump3
ssl_bump peek step1
ssl_bump splice all
https_port 443 intercept ssl-bump cert=/etc/squid/squid.pem
访问日志
1686566705.397 869 127.0.0.1 TCP_MISS/200 1708 GET http://example.com/ - HIER_DIRECT/93.184.216.34 text/html
1686567418.039 0 127.0.0.1 NONE_NONE/000 0 CONNECT 127.0.0.1:443 - HIER_NONE/- -
1686567418.039 0 127.0.0.1 NONE_NONE/000 0 CONNECT 127.0.0.1:443 - HIER_NONE/- -
1686567418.039 0 127.0.0.1 NONE_NONE/000 0 CONNECT 127.0.0.1:443 - HIER_NONE/- -
1686567418.040 0 127.0.0.1 NONE_NONE/000 0 CONNECT 127.0.0.1:443 - HIER_NONE/- -
1686567418.040 0 127.0.0.1 NONE_NONE/000 0 CONNECT 127.0.0.1:443 - HIER_NONE/- -
1686567418.040 0 127.0.0.1 NONE_NONE/000 0 CONNECT 127.0.0.1:443 - HIER_NONE/- -
1686567418.040 0 127.0.0.1 NONE_NONE/000 0 CONNECT 127.0.0.1:443 - HIER_NONE/- -
1686567418.041 0 127.0.0.1 NONE_NONE/000 0 CONNECT 127.0.0.1:443 - HIER_NONE/- -
1686567418.041 0 127.0.0.1 NONE_NONE/000 0 CONNECT 127.0.0.1:443 - HIER_NONE/- -
1686567418.041 0 127.0.0.1 NONE_NONE/000 0 CONNECT 127.0.0.1:443 - HIER_NONE/- -
1686567418.042 0 127.0.0.1 NONE_NONE/000 0 CONNECT 127.0.0.1:443 - HIER_NONE/- -
1686567418.042 0 127.0.0.1 NONE_NONE/000 0 CONNECT 127.0.0.1:443 - HIER_NONE/- -
1686567418.042 0 127.0.0.1 NONE_NONE/000 0 CONNECT 127.0.0.1:443 - HIER_NONE/- -
1686567418.042 0 127.0.0.1 NONE_NONE/000 0 CONNECT 127.0.0.1:443 - HIER_NONE/- -
1686567418.043 0 127.0.0.1 NONE_NONE/000 0 CONNECT 127.0.0.1:443 - HIER_NONE/- -
1686567418.043 0 127.0.0.1 NONE_NONE/000 0 CONNECT 127.0.0.1:443 - HIER_NONE/- -
1686567418.043 0 127.0.0.1 NONE_NONE/000 0 CONNECT 127.0.0.1:443 - HIER_NONE/- -
1686567418.044 0 127.0.0.1 NONE_NONE/000 0 CONNECT 127.0.0.1:443 - HIER_NONE/- -
1686567418.044 0 127.0.0.1 NONE_NONE/000 0 CONNECT 127.0.0.1:443 - HIER_NONE/- -
1686567418.044 0 127.0.0.1 NONE_NONE/000 0 CONNECT 127.0.0.1:443 - HIER_NONE/- -
1686567418.044 0 127.0.0.1 NONE_NONE/000 0 CONNECT 127.0.0.1:443 - HIER_NONE/- -
1686567418.045 0 127.0.0.1 NONE_NONE/000 0 CONNECT 127.0.0.1:443 - HIER_NONE/- -
1686567418.045 0 127.0.0.1 NONE_NONE/000 0 CONNECT 127.0.0.1:443 - HIER_NONE/- -
1686567418.045 0 127.0.0.1 NONE_NONE/000 0 CONNECT 127.0.0.1:443 - HIER_NONE/- -
1686567418.046 0 127.0.0.1 NONE_NONE/000 0 CONNECT 127.0.0.1:443 - HIER_NONE/- -
1686567418.046 0 127.0.0.1 NONE_NONE/000 0 CONNECT 127.0.0.1:443 - HIER_NONE/- -
.........
1686567420.514 0 127.0.0.1 NONE_NONE/000 0 CONNECT 127.0.0.1:443 - HIER_NONE/- -
1686567420.514 0 127.0.0.1 NONE_NONE/000 0 CONNECT 127.0.0.1:443 - HIER_NONE/- -
1686567420.514 0 127.0.0.1 NONE_NONE/000 0 CONNECT 127.0.0.1:443 - HIER_NONE/- -
1686567420.515 0 127.0.0.1 NONE_NONE/000 0 CONNECT 127.0.0.1:443 - HIER_NONE/- -
缓存日志
2023/06/12 14:14:10 kid1| Set Current Directory to /var/spool/squid
2023/06/12 14:14:10 kid1| Starting Squid Cache version 5.8 for x86_64-redhat-linux-gnu...
2023/06/12 14:14:10 kid1| Service Name: squid
2023/06/12 14:14:10 kid1| Process ID 20583
2023/06/12 14:14:10 kid1| Process Roles: worker
2023/06/12 14:14:10 kid1| With 16384 file descriptors available
2023/06/12 14:14:10 kid1| Initializing IP Cache...
2023/06/12 14:14:10 kid1| DNS Socket created at [::], FD 8
2023/06/12 14:14:10 kid1| DNS Socket created at 0.0.0.0, FD 9
2023/06/12 14:14:10 kid1| Adding nameserver 127.0.0.53 from /etc/resolv.conf
2023/06/12 14:14:10 kid1| Adding domain . from /etc/resolv.conf
2023/06/12 14:14:10 kid1| helperOpenServers: Starting 5/32 'security_file_certgen' processes
2023/06/12 14:14:10 kid1| Logfile: opening log daemon:/var/log/squid/access.log
2023/06/12 14:14:10 kid1| Logfile Daemon: opening log /var/log/squid/access.log
2023/06/12 14:14:10 kid1| Local cache digest enabled; rebuild/rewrite every 3600/3600 sec
2023/06/12 14:14:10 kid1| Store logging disabled
2023/06/12 14:14:10 kid1| Swap maxSize 0 + 262144 KB, estimated 20164 objects
2023/06/12 14:14:10 kid1| Target number of buckets: 1008
2023/06/12 14:14:10 kid1| Using 8192 Store buckets
2023/06/12 14:14:10 kid1| Max Mem size: 262144 KB
2023/06/12 14:14:10 kid1| Max Swap size: 0 KB
2023/06/12 14:14:10 kid1| Using Least Load store dir selection
2023/06/12 14:14:10 kid1| Set Current Directory to /var/spool/squid
2023/06/12 14:14:10 kid1| Finished loading MIME types and icons.
2023/06/12 14:14:10 kid1| HTCP Disabled.
2023/06/12 14:14:10 kid1| Squid plugin modules loaded: 0
2023/06/12 14:14:10 kid1| Adaptation support is off.
2023/06/12 14:14:10 kid1| Accepting reverse-proxy HTTP Socket connections at conn13 local=[::]:80 remote=[::] FD 22 flags=9
2023/06/12 14:14:10 kid1| Accepting NAT intercepted SSL bumped HTTPS Socket connections at conn15 local=[::]:443 remote=[::] FD 23 flags=41
2023/06/12 14:14:11 kid1| storeLateRelease: released 0 objects
2023/06/12 14:27:00 kid1| WARNING! Your cache is running out of filedescriptors
listening port: 443
测试:
由于 squid 在主机操作系统上运行,我无法使用/etc/hosts(为了防止循环),因此我使用 进行了测试curl -x。
HTTP:
curl -x http://127.0.0.1:80 -v http://example.com
* Trying 127.0.0.1:80...
* Connected to (nil) (127.0.0.1) port 80 (#0)
> GET http://example.com/ HTTP/1.1
> Host: example.com
> User-Agent: curl/7.82.0
> Accept: */*
> Proxy-Connection: Keep-Alive
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Age: 370504
< Cache-Control: max-age=604800
< Content-Type: text/html; charset=UTF-8
< Date: Mon, 12 Jun 2023 10:45:05 GMT
< ETag: "3147526947+ident"
< Expires: Mon, 19 Jun 2023 10:45:05 GMT
< Last-Modified: Thu, 17 Oct 2019 07:18:26 GMT
< Server: ECS (nyb/1D20)
< Vary: Accept-Encoding
< X-Cache: HIT
< Content-Length: 1256
< X-Cache: MISS from fedora
< X-Cache-Lookup: MISS from fedora:80
< Via: 1.1 fedora (squid/5.8)
< Connection: keep-alive
HTTPS:
curl -x https://127.0.0.1:443 -v https://example.com
* Trying 127.0.0.1:443...
* Connected to (nil) (127.0.0.1) port 443 (#0)
* ALPN, offering http/1.1
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
* CApath: none
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* SSL connection timeout
* Operation timed out after 300000 milliseconds with 0 bytes received
* Closing connection 0
curl: (28) SSL connection timeout
更新 2
我按照步骤做了@tegan-yorekcache建议在我的 squid.conf 中添加:
cache_dir ufs /var/squidcache 100 16 256
ipcache_size 2048
fqdncache_size 2048
但又出现了一系列新错误。
我有一个nginx可以解决问题的设置,所以我没有按照错误来寻找解决方案。
最后更新:
由于鱿鱼很难处理,我最终开始寻找替代品,
并找到了nginx's ngx_stream_ssl_preread_module它满足了我的需要。
由于我没有让鱿鱼工作,所以我将留下这个问题而不给出可接受的答案,谢谢大家的帮助。
答案1
尝试将您的配置放在https_port 3129您的配置上方ssl_bump。另外,我还没有在 docker 中使用过 squid。我总是必须使用https_port拦截来配置我的,这需要从 进行转发443。
例如
#https_port 443 cert=/xyz
#https_port 3129 intercept ssl-bump cert=/xyz
ssl_bump peek step1
ssl_bump splice all
答案2
因此,经过一些测试,不幸的是,测试是在 Ubuntu 而不是 Fedora 上进行的。我想出了。Ssl_bump peek step1 ssl_bump splice all。我发现 squid 正在断开连接,因为 cdn 托管的网站正在触发主机头伪造检测。我的解决方法是添加一个单独的缓存,然后在第二个缓存行下添加 ipcache_size 和 fqdncache_size。Ipcache 是不言而喻的,fqdn 缓存服务器 ip 地址的域名。发生的情况是客户端计算机收到一个 ip 地址,而 squid 代理收到一个不同的 ip 地址。然后触发主机头伪造。
更新以帮助使用 squid sni 解决方法。在 squid 配置文件中设置另一个缓存行。cache_dir aufs /route/to/cache 2000 16 256 然后在其下方添加。ipcache_size # 无论单位大小 MB/KB/B
fqdncache_size # 无论单位大小 MB/KB/B 然后添加这两行。positive_dns_ttl # 无论时间单位 hr/min/sec negative_dns_ttl # 无论时间单位。注意,不设置存储单位大小,squid 将自动默认为字节。还要保持 negative_dns_ttl 低于正值,我将我的设置为 1 分钟。在文件中设置配置后,使用 sudo service squid stop 停止 squid。在配置中为分配的缓存创建目录 sudo mkdir -p /path/to/cache。然后使用 sudo chmod proxy:proxy /path/to/cache 授予 squid 所有权。根据 Linux 发行版,用户可能是 squid。代理是 ubuntu 中的默认设置。然后发出另一个命令来初始化缓存 sudo squid -z。然后使用 sudo service squid restart 重新启动 squid。检查您的日志,您会看到很多错误:transaction-end-before-headers,但随着时间的推移,它们会开始减弱。
我知道已经有一段时间了,但我还是想更新它以供将来参考,并供遇到类似问题的人参考。