Squid proxy and certificate problem

Ask Ubuntu user
Asked on 2023-03-20 23:56:08
1 answer, 227 views, 0 followers, 1 vote

I recently installed the squid proxy on Ubuntu 18.04. It works fine for HTTP requests, but I ran into problems with some applications that need HTTPS connections, so I downloaded the source code and compiled it with the following configure options:

squid -v 
Squid Cache: Version 4.17
Service Name: squid

This binary uses OpenSSL 1.1.1  11 Sep 2018. For legal restrictions on distribution see https://www.openssl.org/source/license.html

configure options:  '--enable-ssl-crtd' '--with-openssl'

All I want is to pass HTTP/HTTPS traffic from a remote system through squid, because of some geographic restrictions, regardless of which application is used. But when I use a certificate on the http/https ports, no traffic passes at all! Only the http port works, and only if I don't use any certificate with it.

I followed the instructions mentioned here to generate the cert (the alternative method), create and initialise the SSL database, and import the certificate in the browser and system-wide, but still with no success:

Installing and configuring the proxy for SSL (bump or peek-n-splice)

squid.conf:

acl all src all
http_access allow all
dns_v4_first on
#
# Recommended minimum configuration:
#

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 0.0.0.1-0.255.255.255  # RFC 1122 "this" network (LAN)
acl localnet src 10.0.0.0/8     # RFC 1918 local private network (LAN)
acl localnet src 100.64.0.0/10      # RFC 6598 shared address space (CGN)
acl localnet src 169.254.0.0/16     # RFC 3927 link-local (directly plugged) machines
acl localnet src 172.16.0.0/12      # RFC 1918 local private network (LAN)
acl localnet src 192.168.0.0/16     # RFC 1918 local private network (LAN)


acl SSL_ports port 443
acl Safe_ports port 80      # http
acl Safe_ports port 21      # ftp
acl Safe_ports port 443     # https
acl Safe_ports port 70      # gopher
acl Safe_ports port 210     # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280     # http-mgmt
acl Safe_ports port 488     # gss-http
acl Safe_ports port 591     # filemaker
acl Safe_ports port 777     # multiling http
acl CONNECT method CONNECT

#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost

# And finally deny all other access to this proxy
#http_access deny all

# Squid normally listens to port 3128
http_port 3128 ssl-bump cert=/usr/local/squid/etc/certs/squid-ca-cert-key.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
https_port 3129 intercept ssl-bump cert=/usr/local/squid/etc/certs/squid-ca-cert-key.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

acl step1 at_step SslBump1                       
ssl_bump peek step1                       
ssl_bump bump all
sslcrtd_program /usr/local/squid/libexec/security_file_certgen -s /usr/local/squid/var/cache/squid/ssl_db -M 4MB
sslcrtd_children 5
ssl_bump server-first all
sslproxy_cert_error allow all
# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /usr/local/squid/var/cache/squid 100 16 256

# Leave coredumps in the first cache dir
coredump_dir /usr/local/squid/var/cache/squid

#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp:       1440    20% 10080
refresh_pattern ^gopher:    1440    0%  1440
refresh_pattern -i (/cgi-bin/|\?) 0 0%  0
refresh_pattern .       0   20% 4320

cache.log:

2023/03/20 16:38:28| Created PID file (/usr/local/squid/var/run/squid.pid)
2023/03/20 16:38:28 kid1| Set Current Directory to /usr/local/squid/var/cache/squid
2023/03/20 16:38:28 kid1| Starting Squid Cache version 4.17 for x86_64-pc-linux-gnu...
2023/03/20 16:38:28 kid1| Service Name: squid
2023/03/20 16:38:28 kid1| Process ID 85942
2023/03/20 16:38:28 kid1| Process Roles: worker
2023/03/20 16:38:28 kid1| With 655350 file descriptors available
2023/03/20 16:38:28 kid1| Initializing IP Cache...
2023/03/20 16:38:28 kid1| DNS Socket created at [::], FD 9
2023/03/20 16:38:28 kid1| DNS Socket created at 0.0.0.0, FD 13
2023/03/20 16:38:28 kid1| Adding nameserver 127.0.0.53 from /etc/resolv.conf
2023/03/20 16:38:28 kid1| Adding nameserver 8.8.8.8 from /etc/resolv.conf
2023/03/20 16:38:28 kid1| Adding nameserver 8.8.4.4 from /etc/resolv.conf
2023/03/20 16:38:28 kid1| helperOpenServers: Starting 5/5 'security_file_certgen' processes
2023/03/20 16:38:28 kid1| Logfile: opening log daemon:/usr/local/squid/var/logs/access.log
2023/03/20 16:38:28 kid1| Logfile Daemon: opening log /usr/local/squid/var/logs/access.log
2023/03/20 16:38:28 kid1| Store logging disabled
2023/03/20 16:38:28 kid1| Swap maxSize 0 + 262144 KB, estimated 20164 objects
2023/03/20 16:38:28 kid1| Target number of buckets: 1008
2023/03/20 16:38:28 kid1| Using 8192 Store buckets
2023/03/20 16:38:28 kid1| Max Mem  size: 262144 KB
2023/03/20 16:38:28 kid1| Max Swap size: 0 KB
2023/03/20 16:38:28 kid1| Using Least Load store dir selection
2023/03/20 16:38:28 kid1| Set Current Directory to /usr/local/squid/var/cache/squid
2023/03/20 16:38:28 kid1| Finished loading MIME types and icons.
2023/03/20 16:38:28 kid1| HTCP Disabled.
2023/03/20 16:38:28 kid1| Squid plugin modules loaded: 0
2023/03/20 16:38:28 kid1| Adaptation support is off.
2023/03/20 16:38:28 kid1| Accepting SSL bumped HTTP Socket connections at local=[::]:3128 remote=[::] FD 26 flags=9
2023/03/20 16:38:28 kid1| Accepting NAT intercepted SSL bumped HTTPS Socket connections at local=[::]:3129 remote=[::] FD 27 flags=41
2023/03/20 16:38:29 kid1| storeLateRelease: released 0 objects

access.log:

1679355519.102      0 192.168.0.106 NONE_ABORTED/200 0 CONNECT 192.168.0.106:3129 - HIER_NONE/- -
1679355622.554      0 192.168.0.106 NONE_ABORTED/200 0 CONNECT 192.168.0.106:3129 - HIER_NONE/- -
1679355622.555      0 192.168.0.106 NONE_ABORTED/200 0 CONNECT 192.168.0.106:3129 - HIER_NONE/- -
1679355622.556      0 192.168.0.106 NONE_ABORTED/200 0 CONNECT 192.168.0.106:3129 - HIER_NONE/- -
1679355622.556      0 192.168.0.106 NONE_ABORTED/200 0 CONNECT 192.168.0.106:3129 - HIER_NONE/- -
1679355622.557      0 192.168.0.106 NONE_ABORTED/200 0 CONNECT 192.168.0.106:3129 - HIER_NONE/- -
1679355622.558      0 192.168.0.106 NONE_ABORTED/200 0 CONNECT 192.168.0.106:3129 - HIER_NONE/- -
1679355622.559      0 192.168.0.106 NONE_ABORTED/200 0 CONNECT 192.168.0.106:3129 - HIER_NONE/- -
1679355622.559      0 192.168.0.106 NONE_ABORTED/200 0 CONNECT 192.168.0.106:3129 - HIER_NONE/- -
1679355622.560      0 192.168.0.106 NONE_ABORTED/200 0 CONNECT 192.168.0.106:3129 - HIER_NONE/- -
1679355622.561      0 192.168.0.106 NONE_ABORTED/200 0 CONNECT 192.168.0.106:3129 - HIER_NONE/- -
ifconfig
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.0.106  netmask 255.255.255.0  broadcast 192.168.0.255
        inet6 fe80::2xx:xxxx:fexx:xxxx  prefixlen 64  scopeid 0x20<link>
        ether xx:xx:xx:xx:xx:xx  txqueuelen 1000  (Ethernet)
        RX packets 347695  bytes 334612753 (334.6 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 281191  bytes 166987314 (166.9 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

So what am I doing wrong here? As I mentioned before, all I want is to pass all traffic through squid without any restriction (like a public proxy), so if there is a fix or any alternative way, please let me know.

Regards
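As an added example (not part of the question or the answer, and not Squid's own code), here is a small Python audit of Squid's native access.log format, run over a constructed sample that mirrors the lines above. It counts CONNECT tunnels that ended with an ABORTED result and zero bytes relayed to the client, and it flags CONNECT requests whose target is one of the proxy's own listening sockets: in the question's log every CONNECT is aimed at 192.168.0.106:3129, which cache.log reports as the https_port intercept listener, and that self-directed pattern is exactly what a practitioner would want a log review to surface. The two healthy lines (TCP_TUNNEL and TCP_MISS), the client 192.168.0.50 and the peer address are constructed for contrast, not taken from the page.

```python
"""Audit Squid native-format access.log lines for CONNECT tunnels that never
carried data, and for CONNECTs aimed at the proxy's own listeners.
Added example; not from the question, the answer, or the Squid project."""
from collections import Counter
from dataclasses import dataclass

# Constructed sample. The first four lines copy the shape of the question's
# log; the last two are invented healthy entries (a CONNECT tunnel that
# relayed data and a plain HTTP GET) so the audit has something to contrast.
SAMPLE_LOG = """\
1679355519.102      0 192.168.0.106 NONE_ABORTED/200 0 CONNECT 192.168.0.106:3129 - HIER_NONE/- -
1679355622.554      0 192.168.0.106 NONE_ABORTED/200 0 CONNECT 192.168.0.106:3129 - HIER_NONE/- -
1679355622.555      0 192.168.0.106 NONE_ABORTED/200 0 CONNECT 192.168.0.106:3129 - HIER_NONE/- -
1679355622.556      0 192.168.0.106 NONE_ABORTED/200 0 CONNECT 192.168.0.106:3129 - HIER_NONE/- -
1679355700.001    412 192.168.0.50 TCP_TUNNEL/200 5120 CONNECT example.com:443 - HIER_DIRECT/93.184.216.34 -
1679355701.002     35 192.168.0.50 TCP_MISS/200 1843 GET http://example.com/ - HIER_DIRECT/93.184.216.34 text/html
"""

# Listening sockets as reported in the question's cache.log
# (3128 = explicit ssl-bump port, 3129 = intercept port).
PROXY_LISTENERS = {"192.168.0.106:3128", "192.168.0.106:3129"}


@dataclass
class Entry:
    """One record in Squid's native log format:
    time elapsed client result/status bytes method url user hierarchy/peer type"""
    ts: float
    elapsed_ms: int
    client: str
    result: str      # e.g. NONE_ABORTED, TCP_TUNNEL, TCP_MISS
    status: int
    nbytes: int      # bytes delivered to the client
    method: str
    url: str
    hierarchy: str
    peer: str
    ctype: str


def parse_line(line):
    """Split one native-format line; return None for blank or malformed lines."""
    f = line.split()
    if len(f) < 10:
        return None
    result, _, status = f[3].partition("/")
    hier, _, peer = f[8].partition("/")
    try:
        return Entry(float(f[0]), int(f[1]), f[2], result, int(status),
                     int(f[4]), f[5], f[6], hier, peer, f[9])
    except ValueError:
        return None


def audit(log_text, listeners=PROXY_LISTENERS):
    """Summarise CONNECT handling. 'aborted' = the result carries the ABORTED
    tag and zero bytes reached the client; 'to_own_listener' = the tunnel target
    is one of the proxy's own sockets (a client pointed at an intercept port,
    or a proxy looping back to itself)."""
    entries = [e for e in map(parse_line, log_text.splitlines()) if e]
    connects = [e for e in entries if e.method == "CONNECT"]
    aborted = [e for e in connects if "ABORTED" in e.result and e.nbytes == 0]
    return {
        "connect_total": len(connects),
        "connect_aborted": len(aborted),
        "connect_to_own_listener": sum(e.url in listeners for e in connects),
        "aborted_by_client": dict(Counter(e.client for e in aborted)),
        "tunnelled_ok": sum(e.result == "TCP_TUNNEL" and e.nbytes > 0 for e in connects),
        "non_connect": len(entries) - len(connects),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Feed it a real access.log with the listener set adjusted to your http_port/https_port lines; a non-zero `connect_to_own_listener` count means clients are being sent to a socket that was not meant to receive explicit CONNECT requests, which is worth checking before looking at the certificate side.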

1 answer

Ask Ubuntu user

Posted on 2023-03-26 08:15:06

Try troubleshooting by running squid in the foreground and watching what it does on the Ubuntu console: squid -N -d999 -f /etc/squid/squid.conf

  • -N means run in the foreground
  • -d999 shows debug messages
  • -f selects the squid configuration file.

Did you also run this before starting squid, to create the folder?

/usr/local/squid/libexec/security_file_certgen -c -s /usr/local/squid/var/cache/squid/ssl_db -M 4MB

Please set the ownership of the squid folder and all subfolders to "proxy" (on Ubuntu, squid runs as the "proxy" user):

  • /usr/local/squid/
0 votes
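The answer's checklist (the ssl_db directory created by security_file_certgen, a cert= file that carries both the CA certificate and its key, and ownership by the user squid runs as) can be verified before each restart. The following Python script is an added example, not from the answer or from the Squid project; the paths come from the question's squid.conf, the user name "proxy" follows the answer (a self-built squid uses whatever cache_effective_user is set to, so pass the right name in), and the ssl_db layout of index.txt plus a certs/ subdirectory is assumed. The PEM fixtures are constructed label-only stand-ins, not real keys, and demo() exercises the checks in a temporary directory so the logic runs offline.

```python
"""Pre-flight checks for a Squid ssl-bump set-up: cert/key PEM contents,
initialised ssl_db, and file ownership. Added example; not from the page."""
import os
import pwd
import re
import tempfile

# Paths from the question's squid.conf; user name per the answer (assumption
# for a self-built squid: use the value of cache_effective_user).
CERT_KEY_PEM = "/usr/local/squid/etc/certs/squid-ca-cert-key.pem"
SSL_DB_DIR = "/usr/local/squid/var/cache/squid/ssl_db"
SQUID_USER = "proxy"

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----.*?-----END \1-----", re.S)


def pem_block_types(text):
    """Labels of the PEM blocks in a file, e.g. {'CERTIFICATE', 'PRIVATE KEY'}."""
    return {m.group(1) for m in PEM_BLOCK.finditer(text)}


def check_cert_key_pem(text):
    """The cert= file in the question bundles CA cert and key in one PEM.
    Report which half is missing (CA:TRUE suitability is not checked here)."""
    types = pem_block_types(text)
    issues = []
    if "CERTIFICATE" not in types:
        issues.append("no CERTIFICATE block")
    if not any(t.endswith("PRIVATE KEY") for t in types):
        issues.append("no PRIVATE KEY block (RSA/EC/PKCS#8)")
    return issues


def check_ssl_db(path):
    """Assumed layout after `security_file_certgen -c -s <dir>`: index.txt and certs/."""
    if not os.path.isdir(path):
        return [f"{path} missing: run security_file_certgen -c -s {path} -M 4MB"]
    return [f"{path}/{name} missing (db not initialised?)"
            for name in ("index.txt", "certs")
            if not os.path.exists(os.path.join(path, name))]


def paths_not_owned_by(root, uid):
    """Every directory and file under root whose owner is not uid (the chown step)."""
    bad = []
    for dirpath, _, filenames in os.walk(root):
        for p in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            if os.lstat(p).st_uid != uid:
                bad.append(p)
    return bad


def preflight(pem_path=CERT_KEY_PEM, db_path=SSL_DB_DIR, user=SQUID_USER):
    """Run all checks against the live paths; returns a list of human-readable issues."""
    uid = pwd.getpwnam(user).pw_uid
    issues = []
    try:
        with open(pem_path) as fh:
            issues += check_cert_key_pem(fh.read())
    except OSError as exc:
        issues.append(f"cannot read {pem_path}: {exc}")
    issues += check_ssl_db(db_path)
    root = os.path.dirname(db_path)
    if os.path.isdir(root):
        issues += [f"not owned by {user}: {p}" for p in paths_not_owned_by(root, uid)]
    return issues


# Constructed PEM-shaped fixtures (not real keys): only the block labels matter.
GOOD_PEM = ("-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n"
            "-----BEGIN PRIVATE KEY-----\nMIIE...\n-----END PRIVATE KEY-----\n")
CERT_ONLY_PEM = "-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n"


def demo():
    """Exercise the checks in a throw-away tree owned by the current user."""
    with tempfile.TemporaryDirectory() as tmp:
        db = os.path.join(tmp, "ssl_db")
        os.makedirs(os.path.join(db, "certs"))
        open(os.path.join(db, "index.txt"), "w").close()
        return {
            "good_pem": check_cert_key_pem(GOOD_PEM),
            "cert_only_pem": check_cert_key_pem(CERT_ONLY_PEM),
            "initialised_db": check_ssl_db(db),
            "missing_db": len(check_ssl_db(os.path.join(tmp, "absent"))),
            "owned_by_me": paths_not_owned_by(db, os.getuid()),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On the real host, call preflight() as root (reading the key file and walking the cache tree need it) and fix every reported issue before running squid in the foreground with -N -d999 as the answer suggests; an ssl_db that the helper processes cannot write is one reason a bumped CONNECT can fail before any certificate is minted.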
Original page content provided by Ask Ubuntu. Original link:

https://askubuntu.com/questions/1460195