Squid proxy user in HTTPS connections

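I see in my Squid proxy logs that I cannot log the user name in HTTPS connections. Do you think this is an error in my configuration, or is it impossible because of the encryption? If the answer is the second, does that mean HTTPS is always free for anonymous users?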

This is my configuration:

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 10
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm MyDomain
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
authenticate_cache_garbage_interval 10 seconds
external_acl_type nt_group ttl=0 children=5 %LOGIN /usr/lib/squid/wbinfo_group.pl
acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl to_localnet dst 10.0.0.0/8
acl to_localnet dst 172.16.0.0/12
acl to_localnet dst 192.168.0.0/16
acl loggedUser proxy_auth REQUIRED
acl proxyUser external nt_group ProxyUsers
acl proxySuperUser external nt_group ProxySuperUsers
acl allowDomains dstdomain "/etc/squid/allowdomains.txt"
acl pornDomains dstdomain "/etc/squid/porndomains.txt"
acl proxyDomains dstdomain "/etc/squid/webproxydomains.txt"
acl denyDomains dstdomain "/etc/squid/denydomains.txt"
acl denyKeywords url_regex -i "/etc/squid/denykeywords.txt"
acl SSL_ports port 443-444 # https
acl Safe_ports port 80 # http
acl Safe_ports port 20 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT
acl Ftp_ports port 20 21 # ftp
acl Ftp_ports port 1025-65535 # unregistered ports
acl purge method PURGE
acl CONNECT method CONNECT
acl authChallenge rep_header X-Squid-Error ERR_CACHE_ACCESS_DENIED
acl authChallenge2 rep_header X-Squid-Error ERR_ACCESS_DENIED
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access allow CONNECT Ftp_ports loggedUser
http_access deny CONNECT !SSL_ports
http_access deny !localnet
http_access allow to_localnet
http_access allow allowDomains
http_access deny !loggedUser
http_access deny pornDomains
http_access allow proxySuperUser
http_access deny proxyDomains
http_access deny denyDomains
http_access deny denyKeywords
http_access allow proxyUser
http_access deny all
icp_access allow localnet
icp_access deny all
http_port 8080
hierarchy_stoplist cgi-bin ?
logformat squid_mysql %ts.%03tu %6tr %>a %Ss %03Hs %<st %rm %ru %un %Sh %<A %mt
access_log /var/log/squid/access.log squid
access_log daemon:/etc/squid/log_mysql_daemon.conf squid_mysql
log_access deny authChallenge
log_access deny authChallenge2
logfile_daemon /usr/lib/squid/log_mysql_daemon.pl
ftp_user [email protected]
ftp_passive on
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880
refresh_pattern . 0 20% 4320
acl shoutcast rep_header X-HTTP09-First-Line ^ICY.[0-9]
upgrade_http0.9 deny shoutcast
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
extension_methods REPORT MERGE MKACTIVITY CHECKOUT
error_directory /var/www/proxy/pages
deny_info ERR_ACL_LOGGED loggedUser
deny_info ERR_ACL_PROXYUSER proxyUser
deny_info ERR_ACL_PORN pornDomains
deny_info ERR_ACL_PROXY proxyDomains
deny_info ERR_ACL_DOMAIN denyDomains
deny_info ERR_ACL_WORDS denyKeywords
hosts_file /etc/hosts
coredump_dir /var/spool/squid

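The nature of HTTPS makes it impossible to snoop on or intercept any data other than the IP endpoint addresses and TCP ports of the connection.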

See here for how Squid handles HTTPS: http://wiki.squid-cache.org/Features/HTTPS
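
To check from the logs which HTTPS tunnels were opened without a user name, the following added example (not part of the original question or answer) parses lines in the squid_mysql logformat shown in the configuration above and lists CONNECT requests whose %un field is empty. The sample log lines are constructed, and it is an assumption that the user name may be percent-encoded in the log.

```python
from collections import defaultdict
from urllib.parse import unquote

# Field order of the page's "squid_mysql" logformat:
# %ts.%03tu %6tr %>a %Ss %03Hs %<st %rm %ru %un %Sh %<A %mt
FIELDS = ("time", "elapsed", "client", "squid_status", "http_status",
          "size", "method", "url", "user", "hier", "server", "mime")

# Constructed sample lines (not taken from the original post).
SAMPLE_LOG = """\
1300000000.101    120 192.168.1.10 TCP_MISS 200 5120 GET http://example.com/ MYDOMAIN%5Calice DIRECT example.com text/html
1300000001.202   4300 192.168.1.10 TCP_MISS 200 18432 CONNECT mail.example.com:443 - DIRECT mail.example.com -
1300000002.303   2100 192.168.1.11 TCP_MISS 200 9216 CONNECT bank.example.org:443 MYDOMAIN%5Cbob DIRECT bank.example.org -
1300000003.404      1 192.168.1.12 TCP_DENIED 407 1800 CONNECT shop.example.net:443 - NONE - text/html
truncated line
"""

def parse_line(line):
    """Split one log line into a dict, or return None if it is malformed."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    # "-" means no user name was available; decoding is an assumption (see lead-in).
    rec["user"] = None if rec["user"] == "-" else unquote(rec["user"])
    return rec

def anonymous_tunnels(log_text):
    """Map client IP -> CONNECT targets that were tunnelled with no user name.

    407 responses are skipped: they are the proxy asking for credentials,
    not traffic that got through.
    """
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "CONNECT":
            continue
        if rec["user"] is None and rec["http_status"] != "407":
            hits[rec["client"]].append(rec["url"])
    return dict(hits)

if __name__ == "__main__":
    for client, targets in anonymous_tunnels(SAMPLE_LOG).items():
        print(client, "->", ", ".join(targets))
```

For a CONNECT request the %ru field holds only host:port, so the destination host is the most specific thing this report can show per tunnel.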