Configuring Squid to allow access to HTTPS sites

Requirement: let users access HTTPS websites through Squid.

Note that this is not the same as configuring Squid to serve HTTPS itself.

Most material online is about configuring a certificate for Squid, but intuition says that does not solve our problem.

To the point: HTTP sites can be reached normally through the previously configured Squid,

but sites whose URL starts with https cannot be reached.

 

The best way to find the problem is to analyze the logs.

The following appears in access.log:

NONE/400 4280 CONNECT error:method-not-allowed - NONE/- text/html

 

Looking at squid.conf, the default configuration allows CONNECT to destination port 443:

acl SSL_ports port 443
# Deny CONNECT to other than secure SSL ports
#always_direct deny !ssl_ports
http_access deny CONNECT !SSL_ports

Continue.

Turn on Squid's debug logging in squid.conf:

debug_options ALL,1 33,2

Looking at /var/log/squid/cache.log shows:

2016/12/11 12:10:19| IpIntercept.cc(137) NetfilterInterception: NF getsockopt(SO_ORIGINAL_DST) failed on FD 10: (92) Protocol not available
2016/12/11 12:10:19| WARNING: CONNECT method received on http Accelerator port 3128
2016/12/11 12:10:19| WARNING: for request: CONNECT mail.qq.com:443 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:50.0) Gecko/20100101 Firefox/50.0
Proxy-Connection: keep-alive
Connection: keep-alive
Host: mail.qq.com:443
Proxy-Authorization: Basic a2VubnkuemhhbzoxMjM0NTY=

2016/12/11 12:10:19.494| clientProcessRequest: Invalid Request

OK, something here looks wrong.

The first problem:

IpIntercept.cc(137) NetfilterInterception: NF getsockopt(SO_ORIGINAL_DST) failed on FD 10: (92) Protocol not available

After some searching: this is because a kernel module was not loaded at boot.

Run modprobe ip_conntrack

Access again and check the log; this error message is gone, but it is not the main problem.

 

Move on to the second error line:

WARNING: CONNECT method received on http Accelerator port

The configuration file contains this line:

http_port 3128 transparent accel

After a round of searching, remove the accel parameter from the configuration,

that is, change

http_port 3128 transparent accel

to

http_port 3128 transparent

Reload the configuration file:

squid -k reconfigure

Access an HTTPS site again: it can now go through Squid normally,

and with that the problem is solved. Don't forget to turn off the debug log.
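The triage the post walks through by hand (the rejected CONNECT in access.log, the accelerator-port warning in cache.log, the accel flag on http_port, the SSL_ports ACL) can be scripted. The following Python is an added example, not code from the post; it runs over constructed log lines and config snippets modelled on the ones above, and also checks the CONNECT target port against SSL_ports, which the post only mentions.

```python
import re
# Constructed sample data modelled on the post's logs and config (not the author's files).
ACCESS_LOG = "1481429419.123 0 192.0.2.10 NONE/400 4280 CONNECT error:method-not-allowed - NONE/- text/html\n"
CACHE_LOG = """\
2016/12/11 12:10:19| IpIntercept.cc(137) NetfilterInterception: NF getsockopt(SO_ORIGINAL_DST) failed on FD 10: (92) Protocol not available
2016/12/11 12:10:19| WARNING: CONNECT method received on http Accelerator port 3128
2016/12/11 12:10:19| WARNING: for request: CONNECT mail.qq.com:443 HTTP/1.1
"""
SQUID_CONF = """\
acl SSL_ports port 443
http_access deny CONNECT !SSL_ports
http_port 3128 transparent accel
"""


def parse_ssl_ports(conf):
    # Ports listed on 'acl SSL_ports port ...' lines; CONNECT to any other port is denied.
    ports = set()
    for line in conf.splitlines():
        m = re.match(r"\s*acl\s+SSL_ports\s+port\s+(.+)", line)
        if m:
            ports.update(int(p) for p in m.group(1).split() if p.isdigit())
    return ports


def http_port_flags(conf):
    # Option words on the first http_port line, e.g. {'transparent', 'accel'}.
    for line in conf.splitlines():
        m = re.match(r"\s*http_port\s+\S+\s*(.*)", line)
        if m:
            return set(m.group(1).split())
    return set()


def connect_requests(cache_log):
    # (host, port) pairs from 'WARNING: for request: CONNECT host:port HTTP/1.x' lines.
    return re.findall(r"CONNECT\s+([^\s:]+):(\d+)\s+HTTP/", cache_log)


def diagnose(access_log, cache_log, conf):
    # Findings that explain why CONNECT (HTTPS) fails through this proxy.
    findings = []
    if re.search(r"CONNECT error:method-not-allowed", access_log):
        findings.append("access.log: CONNECT rejected with method-not-allowed")
    if "CONNECT method received on http Accelerator port" in cache_log:
        findings.append("cache.log: CONNECT arrived on an accelerator (accel) port")
    if "accel" in http_port_flags(conf):
        findings.append("squid.conf: remove 'accel' from http_port so CONNECT is proxied")
    ssl_ports = parse_ssl_ports(conf)
    for host, port in connect_requests(cache_log):
        if int(port) not in ssl_ports:
            findings.append(f"squid.conf: CONNECT {host}:{port} blocked, port not in SSL_ports")
    return findings
```

Point the three constants at real files and call diagnose() to get the same checklist for a live proxy.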

But HTTPS is configured precisely for security in transit,

and the current architecture is

Browser <---> Squid <---> HTTPS Site

Only the communication between Squid and the HTTPS site is HTTPS;

the communication between the browser and Squid still goes over HTTP.

My original understanding here was wrong: in fact, during an HTTPS transfer the communication from the browser all the way to the remote server is encrypted.

One could consider configuring an HTTPS port and certificate on Squid to encrypt the communication between the browser and Squid:

https_port 443 cert=/path/to/your.crt key=/path/to/your.key


Reference: http://wiki.squid-cache.org/Features/HTTPS

Encrypted browser-Squid connection

While HTTPS design efforts were focused on end-to-end communication, it would also be nice to be able to encrypt the browser-to-proxy connection (without creating a CONNECT tunnel that blocks Squid from accessing and caching content). This would allow, for example, a secure use of remote proxies located across a possibly hostile network.

Squid can accept regular proxy traffic using https_port in the same way Squid does it using an http_port directive. Unfortunately, popular modern browsers do not permit configuration of TLS/SSL encrypted proxy connections. There are open bug reports against most of those browsers now, waiting for support to appear. If you have any interest, please assist browser teams with getting that to happen.

Meanwhile, tricks using stunnel or SSH tunnels are required to encrypt the browser-to-proxy connection before it leaves the client machine. These are somewhat heavy on the network and can be slow as a result.


Chrome

The Chrome browser is able to connect to proxies over SSL connections if configured to use one in a PAC file or command line switch. GUI configuration appears not to be possible (yet).

More details at http://dev.chromium.org/developers/design-documents/secure-web-proxy


Firefox

The Firefox 33.0 browser is able to connect to proxies over SSL connections if configured to use one in a PAC file. GUI configuration appears not to be possible (yet).

There is still an important bug open:

Using a client certificate authentication to a proxy: https://bugzilla.mozilla.org/show_bug.cgi?id=209312

The gist is that current mainstream browsers cannot configure an HTTPS proxy directly through the GUI,

but an HTTPS proxy server can be specified through a PAC file,

and Chrome can also be started from the command line with a proxy server specified.
