Squid proxy and certificate issue

Recently I installed the squid proxy on Ubuntu 18.04. It handles http requests fine, but I ran into problems with some applications that need https connections, so I downloaded the source and compiled it with the following configure options:

squid -v 
Squid Cache: Version 4.17
Service Name: squid

This binary uses OpenSSL 1.1.1  11 Sep 2018. For legal restrictions on distribution see https://www.openssl.org/source/license.html

configure options:  '--enable-ssl-crtd' '--with-openssl'

All I want is to use squid to pass http/https traffic from a remote system, because of some geographic restrictions, regardless of which application is used. But when I use the certificate on the http/https ports, no traffic is passed at all! If I don't use any certificate, only the http port works.

I followed the instructions mentioned here to generate the certificate (alternative method), create and initialize the SSL database, and import the certificate into the browser and system-wide, but still no luck:

Install and configure Squid Proxy for SSL (Bumping or Peek-n-splice)

squid.conf:

acl all src all
http_access allow all
dns_v4_first on
#
# Recommended minimum configuration:
#

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 0.0.0.1-0.255.255.255  # RFC 1122 "this" network (LAN)
acl localnet src 10.0.0.0/8     # RFC 1918 local private network (LAN)
acl localnet src 100.64.0.0/10      # RFC 6598 shared address space (CGN)
acl localnet src 169.254.0.0/16     # RFC 3927 link-local (directly plugged) machines
acl localnet src 172.16.0.0/12      # RFC 1918 local private network (LAN)
acl localnet src 192.168.0.0/16     # RFC 1918 local private network (LAN)


acl SSL_ports port 443
acl Safe_ports port 80      # http
acl Safe_ports port 21      # ftp
acl Safe_ports port 443     # https
acl Safe_ports port 70      # gopher
acl Safe_ports port 210     # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280     # http-mgmt
acl Safe_ports port 488     # gss-http
acl Safe_ports port 591     # filemaker
acl Safe_ports port 777     # multiling http
acl CONNECT method CONNECT

#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost

# And finally deny all other access to this proxy
#http_access deny all

# Squid normally listens to port 3128
http_port 3128 ssl-bump cert=/usr/local/squid/etc/certs/squid-ca-cert-key.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
https_port 3129 intercept ssl-bump cert=/usr/local/squid/etc/certs/squid-ca-cert-key.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

acl step1 at_step SslBump1                       
ssl_bump peek step1                       
ssl_bump bump all
sslcrtd_program /usr/local/squid/libexec/security_file_certgen -s /usr/local/squid/var/cache/squid/ssl_db -M 4MB
sslcrtd_children 5
ssl_bump server-first all
sslproxy_cert_error allow all
# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /usr/local/squid/var/cache/squid 100 16 256

# Leave coredumps in the first cache dir
coredump_dir /usr/local/squid/var/cache/squid

#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp:       1440    20% 10080
refresh_pattern ^gopher:    1440    0%  1440
refresh_pattern -i (/cgi-bin/|\?) 0 0%  0
refresh_pattern .       0   20% 4320

cache.log:

2023/03/20 16:38:28| Created PID file (/usr/local/squid/var/run/squid.pid)
2023/03/20 16:38:28 kid1| Set Current Directory to /usr/local/squid/var/cache/squid
2023/03/20 16:38:28 kid1| Starting Squid Cache version 4.17 for x86_64-pc-linux-gnu...
2023/03/20 16:38:28 kid1| Service Name: squid
2023/03/20 16:38:28 kid1| Process ID 85942
2023/03/20 16:38:28 kid1| Process Roles: worker
2023/03/20 16:38:28 kid1| With 655350 file descriptors available
2023/03/20 16:38:28 kid1| Initializing IP Cache...
2023/03/20 16:38:28 kid1| DNS Socket created at [::], FD 9
2023/03/20 16:38:28 kid1| DNS Socket created at 0.0.0.0, FD 13
2023/03/20 16:38:28 kid1| Adding nameserver 127.0.0.53 from /etc/resolv.conf
2023/03/20 16:38:28 kid1| Adding nameserver 8.8.8.8 from /etc/resolv.conf
2023/03/20 16:38:28 kid1| Adding nameserver 8.8.4.4 from /etc/resolv.conf
2023/03/20 16:38:28 kid1| helperOpenServers: Starting 5/5 'security_file_certgen' processes
2023/03/20 16:38:28 kid1| Logfile: opening log daemon:/usr/local/squid/var/logs/access.log
2023/03/20 16:38:28 kid1| Logfile Daemon: opening log /usr/local/squid/var/logs/access.log
2023/03/20 16:38:28 kid1| Store logging disabled
2023/03/20 16:38:28 kid1| Swap maxSize 0 + 262144 KB, estimated 20164 objects
2023/03/20 16:38:28 kid1| Target number of buckets: 1008
2023/03/20 16:38:28 kid1| Using 8192 Store buckets
2023/03/20 16:38:28 kid1| Max Mem  size: 262144 KB
2023/03/20 16:38:28 kid1| Max Swap size: 0 KB
2023/03/20 16:38:28 kid1| Using Least Load store dir selection
2023/03/20 16:38:28 kid1| Set Current Directory to /usr/local/squid/var/cache/squid
2023/03/20 16:38:28 kid1| Finished loading MIME types and icons.
2023/03/20 16:38:28 kid1| HTCP Disabled.
2023/03/20 16:38:28 kid1| Squid plugin modules loaded: 0
2023/03/20 16:38:28 kid1| Adaptation support is off.
2023/03/20 16:38:28 kid1| Accepting SSL bumped HTTP Socket connections at local=[::]:3128 remote=[::] FD 26 flags=9
2023/03/20 16:38:28 kid1| Accepting NAT intercepted SSL bumped HTTPS Socket connections at local=[::]:3129 remote=[::] FD 27 flags=41
2023/03/20 16:38:29 kid1| storeLateRelease: released 0 objects

access.log:

1679355519.102      0 192.168.0.106 NONE_ABORTED/200 0 CONNECT 192.168.0.106:3129 - HIER_NONE/- -
1679355622.554      0 192.168.0.106 NONE_ABORTED/200 0 CONNECT 192.168.0.106:3129 - HIER_NONE/- -
1679355622.555      0 192.168.0.106 NONE_ABORTED/200 0 CONNECT 192.168.0.106:3129 - HIER_NONE/- -
1679355622.556      0 192.168.0.106 NONE_ABORTED/200 0 CONNECT 192.168.0.106:3129 - HIER_NONE/- -
1679355622.556      0 192.168.0.106 NONE_ABORTED/200 0 CONNECT 192.168.0.106:3129 - HIER_NONE/- -
1679355622.557      0 192.168.0.106 NONE_ABORTED/200 0 CONNECT 192.168.0.106:3129 - HIER_NONE/- -
1679355622.558      0 192.168.0.106 NONE_ABORTED/200 0 CONNECT 192.168.0.106:3129 - HIER_NONE/- -
1679355622.559      0 192.168.0.106 NONE_ABORTED/200 0 CONNECT 192.168.0.106:3129 - HIER_NONE/- -
1679355622.559      0 192.168.0.106 NONE_ABORTED/200 0 CONNECT 192.168.0.106:3129 - HIER_NONE/- -
1679355622.560      0 192.168.0.106 NONE_ABORTED/200 0 CONNECT 192.168.0.106:3129 - HIER_NONE/- -
1679355622.561      0 192.168.0.106 NONE_ABORTED/200 0 CONNECT 192.168.0.106:3129 - HIER_NONE/- -

ifconfig
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.0.106  netmask 255.255.255.0  broadcast 192.168.0.255
        inet6 fe80::2xx:xxxx:fexx:xxxx  prefixlen 64  scopeid 0x20<link>
        ether xx:xx:xx:xx:xx:xx  txqueuelen 1000  (Ethernet)
        RX packets 347695  bytes 334612753 (334.6 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 281191  bytes 166987314 (166.9 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

So what am I doing wrong here? As I mentioned before, all I want is to pass all traffic through squid (like a public proxy) without any restriction, so if there is a fix or any other approach, please let me know.

Regards
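As an added example (not part of the question or the answer), a small Python check run over the access.log and squid.conf shapes shown in the question: it parses Squid's native access.log format and flags CONNECT entries whose destination is one of Squid's own listening sockets. The sample log and config lines are constructed, and the reading of that pattern as a client pointed straight at the intercept port instead of being NAT-redirected to it is my assumption, not something the post states.

```python
"""Flag Squid access.log CONNECT entries whose target is the proxy's own listener."""
import re

# Constructed sample data, modelled on the log and config in the question above.
SAMPLE_ACCESS_LOG = """\
1679355519.102      0 192.168.0.106 NONE_ABORTED/200 0 CONNECT 192.168.0.106:3129 - HIER_NONE/- -
1679355622.554      0 192.168.0.106 NONE_ABORTED/200 0 CONNECT 192.168.0.106:3129 - HIER_NONE/- -
1679355700.000    412 192.168.0.50 TCP_TUNNEL/200 3941 CONNECT example.com:443 - HIER_DIRECT/203.0.113.10 -
"""
SAMPLE_SQUID_CONF = """\
http_port 3128 ssl-bump cert=/path/to/ca.pem generate-host-certificates=on
https_port 3129 intercept ssl-bump cert=/path/to/ca.pem generate-host-certificates=on
"""

PORT_LINE = re.compile(r"^\s*(https?_port)\s+(?:\S*:)?(\d+)\s*(.*)$")


def listening_ports(conf_text):
    """Map each http_port/https_port number to its option words (e.g. {'intercept', ...})."""
    ports = {}
    for line in conf_text.splitlines():
        m = PORT_LINE.match(line.split("#", 1)[0])  # ignore trailing comments
        if m:
            ports[int(m.group(2))] = set(m.group(3).split())
    return ports


def parse_access_line(line):
    """Parse one native-format access.log line into a dict (None for short/blank lines)."""
    f = line.split()
    if len(f) < 10:
        return None
    code, _, status = f[3].partition("/")
    return {"ts": float(f[0]), "client": f[2], "code": code, "status": int(status),
            "method": f[5], "url": f[6], "hier": f[8]}


def find_self_connects(log_text, conf_text, proxy_ips):
    """Return CONNECT entries whose destination is one of the proxy's own listening sockets.

    Assumption: such entries mean the client reached that port directly (here an 'intercept'
    port) rather than through a NAT redirect, so Squid aborts the would-be forwarding loop.
    """
    ports = listening_ports(conf_text)
    hits = []
    for line in log_text.splitlines():
        entry = parse_access_line(line)
        if not entry or entry["method"] != "CONNECT":
            continue
        host, _, port = entry["url"].rpartition(":")
        if host in proxy_ips and port.isdigit() and int(port) in ports:
            mode = "intercept" if "intercept" in ports[int(port)] else "forward"
            hits.append({"client": entry["client"], "port": int(port),
                         "mode": mode, "code": entry["code"]})
    return hits
```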

Answer 1

Try troubleshooting by running squid in the foreground and see what it outputs in the ubuntu console: squid -N -d999 -f /etc/squid/squid.conf

  • N means run in the foreground
  • d999 shows debug messages
  • f selects the squid config file

Before running squid, did you also run this to create the folder:

/usr/local/squid/libexec/security_file_certgen -c -s /usr/local/squid/var/cache/squid/ssl_db -M 4MB

Please set the ownership of the squid folder and all its subfolders to "proxy" (squid runs as the "proxy" user in ubuntu)

  • /usr/local/squid/
