I have a gateway (+ firewall + proxy) set up on a Squeeze box with 2 NICs. The problem is that clients cannot reach some HTTPS sites (for example, they can get to https://mail.google.com but not https://github.com), yet when I try with curl or wget on the server itself there is no problem.
Here is my `route -n` output:
    Destination          Gateway    Genmask          Flags Metric Ref Use Iface
    vpn.server.ip.addr   0.0.0.0    255.255.255.255  UH    0      0   0   eth0
    virtual.vpn.ip.addr  0.0.0.0    255.255.255.255  UH    0      0   0   ppp0
    192.168.250.0        0.0.0.0    255.255.255.252  U     0      0   0   eth0
    192.168.1.0          0.0.0.0    255.255.255.0    U     0      0   0   eth1
    0.0.0.0              0.0.0.0    0.0.0.0          U     0      0   0   ppp0
Here is my firewall script:
    SQUID_SERVER="192.168.1.14"
    # Interface connected to Internet
    INTERNET="ppp0"
    # Interface connected to LAN
    LAN_IN="eth1"
    # Squid port
    SQUID_PORT="3128"
    SIP1="5060"
    SIP2="5061"
    # DO NOT MODIFY BELOW
    # Clean old firewall
    iptables -F
    iptables -X
    iptables -t nat -F
    iptables -t nat -X
    iptables -t mangle -F
    iptables -t mangle -X
    # Load IPTABLES modules for NAT and IP conntrack support
    modprobe ip_conntrack
    modprobe ip_conntrack_ftp
    echo 1 > /proc/sys/net/ipv4/ip_forward
    # Setting default filter policy
    iptables -P INPUT ACCEPT
    iptables -P OUTPUT ACCEPT
    # Unlimited access to loop back
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT
    # Allow UDP, DNS and Passive FTP
    iptables -A INPUT -i $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT
    # DNAT port 80 requests coming from LAN systems to squid 3128 ($SQUID_PORT) aka transparent proxy
    iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT
    # if it is the same system
    #iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT
    # set this system as a router for the rest of the LAN
    iptables -t nat -A POSTROUTING -o $INTERNET -j MASQUERADE
    iptables -A FORWARD -i $LAN_IN -j ACCEPT
    # unlimited access to LAN
    iptables -A INPUT -i $LAN_IN -j ACCEPT
    iptables -A OUTPUT -o $LAN_IN -j ACCEPT
    iptables -A INPUT -p tcp --dport 22 -j ACCEPT
    iptables -A INPUT -p tcp --dport 443 -j ACCEPT
    iptables -A INPUT -p tcp --dport 10000 -j ACCEPT
    iptables -A INPUT -p udp --dport $SIP1 -j ACCEPT
    iptables -A INPUT -p udp --dport $SIP2 -j ACCEPT
    iptables -A INPUT -p tcp --dport $SIP1 -j ACCEPT
    iptables -A INPUT -p tcp --dport $SIP2 -j ACCEPT
Here is my squid.conf:
    http_port 3128 transparent
    acl QUERY urlpath_regex cgi-bin \?
    no_cache deny QUERY
    acl NO-CACHE-SITES dstdomain "/root/not-to-cache-sites.txt"
    no_cache deny NO-CACHE-SITES
    cache_mem 50 MB
    cache_dir ufs /var/spool/squid 50000 16 256
    cache_access_log /var/log/squid/access.log
    cache_log /var/log/squid/cache.log
    cache_store_log /var/log/squid/store.log
    pid_filename /var/run/squid.pid
    dns_nameservers 208.67.222.222 208.67.220.220 8.8.8.8 8.8.4.4
    refresh_pattern ^ftp: 1440 20% 10080
    refresh_pattern ^gopher: 1440 0% 1440
    refresh_pattern . 0 20% 4320
    acl all src 0.0.0.0/0.0.0.0
    acl localhost src 127.0.0.1/255.255.255.255
    acl manager proto cache_object
    acl serveur src 192.168.1.14
    acl multipostes src 192.168.1.1-192.168.1.254
    #acl SSL_ports port 443 563
    acl Safe_ports port 80          # http
    acl Safe_ports port 20          # ftp-data
    acl Safe_ports port 21          # ftp
    acl Safe_ports port 443 563     # ssl
    acl Safe_ports port 70          # gopher
    acl Safe_ports port 210         # wais
    acl Safe_ports port 1025-65535  # unregistered ports
    acl Safe_ports port 280         # http-mgmt
    acl Safe_ports port 488         # gss-http
    acl Safe_ports port 591         # filemaker
    acl Safe_ports port 777         # multiling http
    acl Safe_ports port 631         # cups
    acl Safe_ports port 873         # rsync
    acl Safe_ports port 901         # SWAT
    acl purge method PURGE
    acl CONNECT method CONNECT
    acl SSL method CONNECT
    acl SSL_ports port 10000        # webmin
    acl Safe_ports port 10000       # webmin
    acl Safe_ports port 137 138 139 445
    acl Safe_ports port 500
    acl Safe_ports port 47
    acl Safe_ports port 4569
    acl Safe_ports port 995         # pop3 of gmail
    acl Safe_ports port 587         # smtp of gmail
    acl Safe_ports port 465         # smtp of gmail
    acl Safe_ports port 993         # smtp of gmail
    acl Safe_ports port 25          # smtp
    acl Safe_ports port 110         # pop3
    acl Safe_ports port 143         # pop3
    http_access allow manager all
    http_access deny manager
    http_access allow purge localhost
    http_access deny purge
    http_access deny CONNECT !SSL_ports
    http_access allow localhost
    http_access allow all
    http_reply_access allow all
    icp_access allow all
    cache_effective_user proxy
    cache_effective_group proxy
    visible_hostname serveur
    always_direct allow all
Note: I have checked with Wireshark and there are no errors. I also tried a direct connection without the VPN, and it works fine.
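As an added illustration (not code from the question), the http_access list from the squid.conf above evaluated with Squid's first-match rule: a line matches only when every ACL on it matches, the first matching line decides, and with `allow all` as the last line any client that reaches port 3128 is accepted, while `deny CONNECT !SSL_ports` blocks CONNECT to everything except 10000 because the `443 563` line is commented out. The request fields (src, method, port, proto) are a constructed subset of what Squid evaluates; note that HTTPS from the LAN never reaches Squid here anyway, since the firewall only DNATs port 80.

```python
"""Evaluate Squid http_access first-match semantics for a few requests."""
import ipaddress
from dataclasses import dataclass

# ACL definitions and http_access lines copied from the squid.conf above (subset).
# 'acl SSL_ports port 443 563' is commented out there, so SSL_ports only holds 10000.
ACLS = {
    "all": ("src", ["0.0.0.0/0"]),
    "localhost": ("src", ["127.0.0.1/32"]),
    "manager": ("proto", ["cache_object"]),
    "purge": ("method", ["PURGE"]),
    "CONNECT": ("method", ["CONNECT"]),
    "SSL_ports": ("port", [10000]),
}
HTTP_ACCESS = [
    ("allow", ["manager", "all"]),
    ("deny", ["manager"]),
    ("allow", ["purge", "localhost"]),
    ("deny", ["purge"]),
    ("deny", ["CONNECT", "!SSL_ports"]),
    ("allow", ["localhost"]),
    ("allow", ["all"]),
]

@dataclass
class Request:            # constructed request model, only the fields the ACLs need
    src: str
    method: str = "GET"
    port: int = 80
    proto: str = "http"

def acl_matches(name, req):
    kind, values = ACLS[name]
    if kind == "src":
        return any(ipaddress.ip_address(req.src) in ipaddress.ip_network(v) for v in values)
    if kind == "method":
        return req.method in values
    if kind == "port":
        return req.port in values
    return req.proto in values          # kind == "proto"

def http_access(req):
    """Return 'allow' or 'deny': first line whose ACLs all match wins;
    if nothing matches, Squid applies the opposite of the last line's action."""
    for action, acls in HTTP_ACCESS:
        if all(acl_matches(a.lstrip("!"), req) != a.startswith("!") for a in acls):
            return action
    return "deny" if HTTP_ACCESS[-1][0] == "allow" else "allow"
```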