Does SSL bumping work with a parent proxy? squid and pf are set up as follows:

squid.conf:
http_port 3128 intercept
https_port 3129 intercept ssl-bump generate-host-certificates=on key=/usr/local/etc/squid/ssl/squid.key cert=/usr/local/etc/squid/ssl/squid.pem
sslproxy_flags DONT_VERIFY_PEER
sslproxy_cert_error allow all
ssl_bump client-first none
ssl_bump server-first all
cache_peer proxy.office.com parent 8080 0 login=user:password
pf.conf:
rdr pass on lo0 proto tcp from any to any port 80 -> 127.0.0.1 port 3128
rdr pass on lo0 proto tcp from any to any port 443 -> 127.0.0.1 port 3129
pass out on en0 route-to lo0 inet proto tcp from any to any port 80 keep state
pass out on en0 route-to lo0 inet proto tcp from any to any port 443 keep state
squid version:
Squid Cache: Version 3.2.9
configure options: '--disable-debug' '--disable-dependency-tracking' '--prefix=/usr/local/Cellar/squid/3.2.9' '--localstatedir=/usr/local/var' '--enable-ssl' '--enable-ssl-crtd' '--disable-eui' '--enable-ipfw-transparent' 'CC=cc' 'CXX=c++' 'PKG_CONFIG_LIBDIR=/usr/lib/pkgconfig:/usr/local/Library/ENV/pkgconfig/10.8'
Everything works fine for HTTP, but HTTPS connections add the following to cache.log:

1372080519.323 0 172.17.244.135 NONE/400 3998 NONE error:invalid-request - HIER_NONE/- text/html

The parent proxy works if it is set as the HTTPS proxy in the browser.
Answer 1

It needs 3 lines:
http_port 3128
http_port 3129 intercept
https_port 3130 intercept ssl-bump...
Point the browser's HTTP and SSL proxy at 3128 and it should work fine. Whenever it receives a secure CONNECT request, it goes to 3130 for https. No other firewall entries are needed, because it is all internal to squid.
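As an added example (not part of the question or answer above), the following Python parses Squid native-format log lines such as the one quoted in the question and reports whether a request was ever handed to a cache_peer parent. The HIER_NONE/400 entry from the question is used as sample input; the second sample line is constructed to show what a CONNECT forwarded to the parent would look like, with proxy.office.com taken from the question's cache_peer.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Squid native log format:
# time elapsed client result/status bytes method url user hierarchy/peer mime
NATIVE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<mime>\S+)$"
)

# Hierarchy codes Squid logs when a cache_peer parent handled the request.
PARENT_HIER_CODES = {
    "DEFAULT_PARENT", "SINGLE_PARENT", "FIRSTUP_PARENT", "FIRST_PARENT_MISS",
    "CLOSEST_PARENT_MISS", "CLOSEST_PARENT", "ROUNDROBIN_PARENT", "CARP",
    "ANY_OLD_PARENT", "USERHASH_PARENT", "SOURCEHASH_PARENT", "PARENT_HIT",
    "CD_PARENT_HIT",
}

@dataclass
class SquidEntry:
    client: str
    result: str
    status: int
    method: str
    url: str
    hier: str
    peer: str

def parse_native_line(line: str) -> Optional[SquidEntry]:
    """Parse one native-format line; return None if it does not match."""
    m = NATIVE_RE.match(line.strip())
    if not m:
        return None
    return SquidEntry(m["client"], m["result"], int(m["status"]),
                      m["method"], m["url"], m["hier"], m["peer"])

def diagnose(e: SquidEntry) -> str:
    """Say where the request ended up, based on the hierarchy field."""
    if e.hier in PARENT_HIER_CODES:
        return f"forwarded to parent {e.peer}"
    if e.hier == "HIER_DIRECT":
        return f"fetched directly from {e.peer}, parent bypassed"
    if e.hier == "HIER_NONE" and e.status >= 400:
        # Squid generated the error itself; no upstream was contacted.
        return f"rejected locally as {e.result}/{e.status} ({e.url}); never reached a parent"
    return "served locally"

# Sample input: first line is the one quoted in the question, second is constructed.
SAMPLE_LOG = [
    "1372080519.323      0 172.17.244.135 NONE/400 3998 NONE error:invalid-request - HIER_NONE/- text/html",
    "1372080520.101    412 172.17.244.135 TCP_MISS/200 5120 CONNECT www.example.com:443 - FIRSTUP_PARENT/proxy.office.com -",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        entry = parse_native_line(line)
        print(diagnose(entry) if entry else f"unparsed: {line}")
```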