我有一个与 wireguard 隧道一起运行的 squid 实例。客户端流量通过 wireguard 隧道代理:
客户端 -> (网关 wireguard) -> (wireguard + squid)
网关 wireguard 具有 iptables 规则,用于 DNAT 到(wireguard + squid)实例:
iptables -t nat -A PREROUTING -p tcp --dport 80 -i wg+ -j DNAT --to 10.13.13.3:4128
iptables -t nat -A PREROUTING -p tcp --dport 443 -i wg+ -j DNAT --to 10.13.13.3:4128
当我请求非 HTTPS 网站时,我遇到了无效的 URL,并且access.log显示不完整的 URL:
1714043450.064 0 10.13.13.1 NONE_NONE/400 2151 - /connect - HIER_NONE/- text/html
有人知道这里发生了什么事吗?
我有一个简单的 squid 代理配置:
acl all src 0.0.0.0/0
http_access allow all
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all
debug_options ALL,1
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/spool/squid/ssl_db -M 4MB
http_port 3128
http_port 4128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/ssl/squid.pem
http_port 3129 intercept
http_port 4129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/ssl/squid.pem
我刚刚意识到拦截是在 3129 和 4129,如果我将其移动到 3128 和 4128,我会看到访问被拒绝Access control configuration prevents your request from being allowed at this time.,但是,不确定是什么原因导致的这种情况?
1714044516.469 0 10.13.13.3 TCP_MISS/403 2505 GET http://suconfig.apple.com/resource/registration/v1/denylist.plist - HIER_NONE/- text/html
1714044516.469 0 10.13.13.1 TCP_MISS/403 2594 GET http://suconfig.apple.com/resource/registration/v1/denylist.plist - ORIGINAL_DST/10.13.13.3 text/html
另一次编辑,改变了这一点后,我明白了为什么我被拒绝访问:有一个转发循环:cache.log 说WARNING: Forwarding loop detected for。
我怀疑这是因为 WG 的对等配置有AllowedIPs = 0.0.0.0/0, ::/0。这破坏了一切