相当长一段时间以来,我一直在尝试使用DrWeb防病毒软件制作一个透明的HTTPS squid代理。
我已经成功地使所有的东西都能用自己的证书工作,而且我可以看到HTTPS中的stream量正在被防病毒软件检测,因为它阻止了我要求阻止的内容。
但对于一些网站,如Gmail或9gag,该网站只是永远加载,永远不会进一步。
有没有人有鱿鱼和HTTPS的经验?
Squid.conf:
dns_v4_first on connect_timeout 2.0 acl localnet src 10.0.0.0/8 # RFC1918 possible internal network acl localnet src 172.16.0.0/12 # RFC1918 possible internal network acl localnet src 192.168.0.0/16 # RFC1918 possible internal network acl localnet src fc00::/7 # RFC 4193 local private network range acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines acl SSL_ports port 443 acl Safe_ports port 80 # http acl Safe_ports port 21 # ftp acl Safe_ports port 443 # https acl Safe_ports port 70 # gopher acl Safe_ports port 210 # wais acl Safe_ports port 1025-65535 # unregistered ports acl Safe_ports port 280 # http-mgmt acl Safe_ports port 488 # gss-http acl Safe_ports port 591 # filemaker acl Safe_ports port 777 # multiling http acl CONNECT method CONNECT http_access allow Safe_ports http_access deny all http_port 3128 transparent https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/ssl_cert/company.be.cert key=/usr/local/squid/ssl_cert/company.be.private options=NO_SSLv3,SINGLE_DH_USE sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s /usr/local/squid/squid_ssldb/ssl_db -M 400MB sslcrtd_children 5 ssl_bump stare all ssl_bump bump all sslproxy_flags DONT_VERIFY_PEER sslproxy_cert_error allow all ssl_bump client-first all reply_header_access Alternate-Protocol deny all wccp2_router 192.168.0.1 wccp_version 2 wccp2_forwarding_method 1 wccp2_return_method 1 wccp2_assignment_method mask wccp2_service standard 0 wccp2_service dynamic 70 wccp2_service_info 70 protocol=tcp flags=src_ip_hash,src_port_alt_hash priority=240 ports=443 always_direct allow all request_header_access Via deny all cache deny all cache_dir ufs /usr/local/squid/var/cache/squid 100 16 256 coredump_dir /usr/local/squid/var/cache/squid refresh_pattern ^ftp: 1440 20% 10080 refresh_pattern ^gopher: 1440 0% 1440 refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 refresh_pattern . 0 20% 4320 cache_effective_user squid cache_effective_group squid access_log /usr/local/squid/var/logs/access_logs.txt squid cache_log /usr/local/squid/var/logs/debug_logs.txt icap_enable on icap_service i_req reqmod_precache bypass=0 icap://127.0.0.1:1344/reqmod icap_service i_res respmod_precache bypass=0 icap://127.0.0.1:1344/respmod adaptation_access i_req allow all adaptation_access i_res allow all icap_preview_enable on icap_preview_size 0 adaptation_send_client_ip on adaptation_send_username on icap_persistent_connections on icap_log /usr/local/squid/var/logs/icap.txt 在路由器(思科)我已经设置WCCP将端口80和443的stream量redirect到代理。
我也有这个脚本来configurationUbuntu的:
#!/bin/bash echo "Configuring the gre0 tunnel..." ip tunnel add gre0 mode gre remote 192.168.0.1 local 192.168.1.32 ttl 255 ip link set gre0 up ip addr add 10.0.0.1/24 dev gre0 echo "Adding the rules in /proc/sys/net/ipv4/..." echo 1 > /proc/sys/net/ipv4/ip_forward echo 0 > /proc/sys/net/ipv4/conf/default/rp_filter echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter echo 0 > /proc/sys/net/ipv4/conf/gre0/rp_filter echo "Adding the rules in iptables..." iptables -F -t nat iptables -t nat -A PREROUTING -i gre0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.32:3128 iptables -t nat -A PREROUTING -i gre0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.1.32:3129 echo "Done!"
正如我所说,一切正常,只是不gmail和9gag(可能其他网站,但我不知道哪一个)
提前感谢!