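Partial solution
It turns out that traffic on port 3128 is disappearing on its way to my VPS. I don't know whether Linode is blocking this port or whether it is something in between. (I have used this proxy on other clouds, and it worked.)
Changing the port to 53128, it works.
But how can I probe port 3128 to check where the packets are being dropped? It is definitely before they reach my VPS.
I have a squid proxy set up on a VPS running CentOS 6.7 to allow me to share web sessions between multiple cluster nodes.
This proxy is working in the cloud, and everything works fine when all nodes are on the same private network 192.168.0.0/24.
This week I deployed a few servers at home to run some very long batch jobs, and I need them to connect through my proxy. However, squid times out on my public interface.
My squid.conf allows almost every incoming connection, because I restrict access via iptables. But even with the firewall stopped, I cannot connect to my proxy over the Internet.
Testing connections from the VPS cluster
Note: public IP and hostname intentionally omitted.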
    $ curl --proxy PUBLIC_HOSTNAME:3128 -v google.com.br
    * About to connect() to proxy PUBLIC_HOSTNAME port 3128 (#0)
    * Trying PUBLIC_IP... connected
    * Connected to PUBLIC_HOSTNAME (PUBLIC_IP) port 3128 (#0)
    [ OUTPUT OMITTED ]
    * Connection #0 to host PUBLIC_HOSTNAME left intact
    * Closing connection #0

    $ curl --proxy PRIVATE_HOSTNAME:3128 -v google.com.br
    * About to connect() to proxy PRIVATE_HOSTNAME port 3128 (#0)
    * Trying PRIVATE_IP... connected
    * Connected to PRIVATE_HOSTNAME (PRIVATE_IP) port 3128 (#0)
    [ OUTPUT OMITTED ]
    * Connection #0 to host PRIVATE_HOSTNAME left intact
    * Closing connection #0
Testing connections from home (Internet)
Note: public IP and hostname intentionally omitted.
Packets on port 3128 time out. Packets on port 53128 work.
    $ curl --proxy HOSTNAME:3128 -v google.com.br
    * About to connect() to proxy HOSTNAME port 3128 (#0)
    * Trying PUBLIC_IP... Connection timed out
    * couldn't connect to host
    * Closing connection #0
    curl: (7) couldn't connect to host

    $ curl --proxy PUBLIC_HOSTNAME:53128 -v google.com.br
    * About to connect() to proxy PUBLIC_HOSTNAME port 53128 (#0)
    * Trying PUBLIC_IP... connected
    * Connected to PUBLIC_HOSTNAME (PUBLIC_IP) port 53128 (#0)
    [ OUTPUT OMITTED ]
    * Connection #0 to host PUBLIC_HOSTNAME left intact
    * Closing connection #0
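As can be seen from the output above, connecting through the public interface works, even in the cloud.
My VPS is hosted on Linode, and their private networking is done via a virtual interface, with all traffic routed through the public interface. Anyway, I don't think this is the problem.
squid.conf
Squid is listening on its default port.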
    $ sudo netstat -ntlp | grep 3128
    tcp        0      0 :::53128        :::*        LISTEN      19282/(squid)
    tcp        0      0 :::3128         :::*        LISTEN      19282/(squid)
My configuration file is pretty standard, except for the cloaking at the end.
Squid was installed via yum; it is the package available for CentOS 6.7.
    $ sudo cat /etc/squid/squid.conf
    #
    # Recommended minimum configuration:
    #
    acl manager proto cache_object
    acl localhost src 127.0.0.1/32 ::1
    acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1

    # Example rule allowing access from your local networks.
    # Adapt to list your (internal) IP networks from where browsing
    # should be allowed
    #acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
    #acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
    #acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
    #acl localnet src fc00::/7       # RFC 4193 local private network range
    #acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines

    visible_hostname cluster.proxy
    dns_nameservers 8.8.8.8 8.8.4.4
    #hosts_file none
    hosts_file /etc/hosts
    # quick_abort_min 0 KB
    # quick_abort_max 0 KB
    strip_query_terms off
    log_icp_queries off
    client_db off
    buffered_logs on
    # half_closed_clients off
    connect_timeout 30 seconds
    forward_timeout 60 seconds
    request_timeout 60 seconds
    dns_timeout 30 seconds
    # positive_dns_ttl 8 hours
    # negative_dns_ttl 30 seconds

    acl localnet src all             # Intentionally left open. Not sure if this is valid.
    acl ghome src OMITTED.ddns.net   # Dynamic DNS for my home address

    acl SSL_ports port 443
    acl Safe_ports port 80          # http
    acl Safe_ports port 21          # ftp
    acl Safe_ports port 443         # https
    acl Safe_ports port 70          # gopher
    acl Safe_ports port 210         # wais
    acl Safe_ports port 1025-65535  # unregistered ports
    acl Safe_ports port 280         # http-mgmt
    acl Safe_ports port 488         # gss-http
    acl Safe_ports port 591         # filemaker
    acl Safe_ports port 777         # multiling http
    acl CONNECT method CONNECT

    #
    # Recommended minimum Access Permission configuration:
    #
    # Only allow cachemgr access from localhost
    http_access allow manager localhost
    http_access deny manager

    # Deny requests to certain unsafe ports
    #http_access deny !Safe_ports

    # Deny CONNECT to other than secure SSL ports
    #http_access deny CONNECT !SSL_ports

    # We strongly recommend the following be uncommented to protect innocent
    # web applications running on the proxy server who think the only
    # one who can access services on "localhost" is a local user
    #http_access deny to_localhost

    #
    # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
    #

    # Example rule allowing access from your local networks.
    # Adapt localnet in the ACL section to list your (internal) IP networks
    # from where browsing should be allowed
    http_access allow localnet
    http_access allow localhost
    http_access allow ghome          # Tried this rule for my home

    # And finally deny all other access to this proxy
    #http_access deny all
    http_access allow all            # Tried this rule for world

    # Squid normally listens to port 3128
    http_port 3128
    http_port 53128

    # We recommend you to use at least the following line.
    hierarchy_stoplist cgi-bin ?

    cache deny all

    # Uncomment and adjust the following to add a disk cache directory.
    #cache_dir ufs /var/spool/squid 100 16 256

    # Leave coredumps in the first cache dir
    coredump_dir /var/spool/squid

    # Add any of your own refresh_pattern entries above these.
    refresh_pattern ^ftp:           1440    20%     10080
    refresh_pattern ^gopher:        1440    0%      1440
    refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
    refresh_pattern .               0       20%     4320

    # Hide Proxy from destination server
    # Needed to share sessions
    via off
    forwarded_for off
    request_header_access Allow allow all
    request_header_access Authorization allow all
    request_header_access WWW-Authenticate allow all
    request_header_access Proxy-Authorization allow all
    request_header_access Proxy-Authenticate allow all
    request_header_access Cache-Control allow all
    request_header_access Content-Encoding allow all
    request_header_access Content-Length allow all
    request_header_access Content-Type allow all
    request_header_access Date allow all
    request_header_access Expires allow all
    request_header_access Host allow all
    request_header_access If-Modified-Since allow all
    request_header_access Last-Modified allow all
    request_header_access Location allow all
    request_header_access Pragma allow all
    request_header_access Accept allow all
    request_header_access Accept-Charset allow all
    request_header_access Accept-Encoding allow all
    request_header_access Accept-Language allow all
    request_header_access Content-Language allow all
    request_header_access Mime-Version allow all
    request_header_access Retry-After allow all
    request_header_access Title allow all
    request_header_access Connection allow all
    request_header_access Proxy-Connection allow all
    request_header_access User-Agent allow all
    request_header_access Cookie allow all
    request_header_access All deny all
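Is there any way to check whether my connections are reaching the VPS?
I have found no squid logs other than its access.log, which says nothing about my home connections.
It turned out to be an issue at the Linode datacenter.
traceroute shows that the packets are dropped when they arrive at the Linode Atlanta datacenter.
Note: server public IP and hostname intentionally omitted.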
    $ sudo traceroute -p 3128 HOSTNAME --tcp
    traceroute to HOSTNAME (PUBLIC_IP), 30 hops max, 60 byte packets
     1  192.168.0.254 (192.168.0.254)  0.922 ms  1.337 ms  2.016 ms
     2  200.150.94.3 (200.150.94.3)  11.970 ms  12.337 ms  12.699 ms
     3  trunk11-src1km3a-src1cos.copel.net (200.150.92.107)  11.980 ms  12.928 ms  12.962 ms
     4  177.84.164.33 (177.84.164.33)  14.230 ms  15.943 ms  16.306 ms
     5  149.3.181.42 (149.3.181.42)  17.045 ms  17.889 ms  18.127 ms
     6  xe-7-2-1.ashburn2.ash.seabone.net (195.22.199.187)  171.647 ms xe-0-1-2.ashburn2.ash.seabone.net (89.221.40.3)  163.118 ms  161.458 ms
     7  xe-7-0-1.ashburn2.ash.seabone.net (195.22.199.189)  163.412 ms xe-2-2-2.ashburn2.ash.seabone.net (195.22.199.183)  159.763 ms xe-7-0-1.ashburn2.ash.seabone.net (195.22.199.189)  162.821 ms
     8  ae13.er2.iad10.us.zip.zayo.com (64.125.12.1)  161.005 ms  160.879 ms  161.481 ms
     9  ae7.er1.iad10.us.zip.zayo.com (64.125.25.49)  146.142 ms  144.668 ms  146.361 ms
    10  ae6.cr1.dca2.us.zip.zayo.com (64.125.20.117)  147.399 ms  147.831 ms  148.792 ms
    11  ae2.mpr4.atl6.us.zip.zayo.com (64.125.25.46)  150.200 ms ae4.mpr3.atl6.us.zip.zayo.com (64.125.31.197)  144.751 ms ae2.mpr4.atl6.us.zip.zayo.com (64.125.25.46)  146.808 ms
    12  ae4.mpr3.atl6.us.zip.zayo.com (64.125.31.197)  143.534 ms  143.451 ms  146.218 ms
    13  * * *
    ...
    30  * * *
As mentioned earlier, on port 53128 it goes through.
    $ sudo traceroute -p 53128 HOSTNAME --tcp
    traceroute to HOSTNAME (PUBLIC_IP), 30 hops max, 60 byte packets
     1  192.168.0.254 (192.168.0.254)  0.931 ms  1.458 ms  1.968 ms
     2  200.150.94.3 (200.150.94.3)  12.079 ms  12.222 ms  12.362 ms
     3  trunk11-src1km3a-src1cos.copel.net (200.150.92.107)  51.764 ms  52.274 ms  52.466 ms
     4  177.84.164.33 (177.84.164.33)  14.533 ms  14.910 ms  15.449 ms
     5  149.3.181.42 (149.3.181.42)  16.408 ms  17.265 ms  17.720 ms
     6  xe-2-2-2.ashburn2.ash.seabone.net (195.22.199.183)  171.688 ms xe-7-2-1.ashburn2.ash.seabone.net (195.22.199.187)  161.815 ms xe-0-1-2.ashburn2.ash.seabone.net (89.221.40.3)  162.661 ms
     7  xe-2-3-1.ashburn2.ash.seabone.net (195.22.199.181)  163.044 ms xe-2-2-2.ashburn2.ash.seabone.net (195.22.199.183)  160.476 ms xe-7-0-2.ashburn2.ash.seabone.net (195.22.199.185)  161.247 ms
     8  ae13.er2.iad10.us.zip.zayo.com (64.125.12.1)  162.917 ms  162.569 ms  164.899 ms
     9  ae7.er1.iad10.us.zip.zayo.com (64.125.25.49)  149.290 ms  147.938 ms ae6.cr1.dca2.us.zip.zayo.com (64.125.20.117)  150.054 ms
    10  ae2.mpr4.atl6.us.zip.zayo.com (64.125.25.46)  150.416 ms ae6.cr1.dca2.us.zip.zayo.com (64.125.20.117)  145.685 ms  146.062 ms
    11  ae4.mpr3.atl6.us.zip.zayo.com (64.125.31.197)  145.271 ms ae2.mpr4.atl6.us.zip.zayo.com (64.125.25.46)  146.286 ms ae4.mpr3.atl6.us.zip.zayo.com (64.125.31.197)  143.456 ms
    12  128.177.104.134.IPYX-092136-ZYO.zip.zayo.com (128.177.104.134)  143.646 ms ae4.mpr3.atl6.us.zip.zayo.com (64.125.31.197)  145.377 ms  143.066 ms
    13  128.177.104.134.IPYX-092136-ZYO.zip.zayo.com (128.177.104.134)  147.494 ms  148.962 ms  148.619 ms
    14  router1-atl.linode.com (64.22.106.10)  148.807 ms  146.101 ms PRIVATE_HOSTNAME.members.linode.com (PUBLIC_IP)  145.706 ms
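So I was able to open a support ticket and got my definitive answer. I'm glad it is not a problem with my server.
Hello,
We have investigated further, and it turns out that this is actually an ongoing issue in our Atlanta datacenter, so we apologize that we could not get you this answer sooner. We are currently working on getting this port unblocked, but we cannot give a time estimate at this time.
In the meantime, would that different port work for you? If you want a working port 3128, I could also migrate you to another datacenter, perhaps Fremont, California or Newark, New Jersey?
https://www.linode.com/speedtest
Let us know.
Regards, Roland, Linode Support Team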
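
The comparison the answer makes by eye between the two traceroutes, as an added example that is not part of the original thread: a small parser that reports, per port, whether the target answered or which hop was the last to answer. The function name `diagnose`, the sample outputs (RFC 5737 documentation addresses) and the `eth0` interface name are constructed for illustration.

```sh
#!/bin/sh
# Added example. Live use, with the command from the page (root needed for TCP probes):
#   sudo traceroute --tcp -p 3128 HOSTNAME | diagnose
# Server-side check that SYNs arrive at all (eth0 is an assumed interface name):
#   sudo tcpdump -ni eth0 'tcp dst port 3128'

# diagnose: read traceroute output on stdin and report whether the target
# answered, or which hop was the last one to answer any probe.
diagnose() {
  awk '
    $1 == "traceroute" { target = $4; gsub(/[(),]/, "", target) }
    $1 ~ /^[0-9]+$/ {
      # A hop line may list several responders as "name (ip)" pairs.
      for (i = 2; i < NF; i++)
        if ($(i + 1) ~ /^\(.*\)$/) {
          ttl = $1; host = $i; ip = $(i + 1); gsub(/[()]/, "", ip)
          if (ip == target) { reached = 1; rttl = ttl }
        }
    }
    END {
      if (reached)        print "reached " target " at hop " rttl
      else if (ttl == "") print "no hop answered"
      else                print "last answer from hop " ttl " " host " (" ip ")"
    }
  '
}

# Constructed sample outputs, shaped like the two runs in the answer.
SAMPLE_3128='traceroute to proxy.example (203.0.113.10), 30 hops max, 60 byte packets
 1  192.0.2.1 (192.0.2.1)  0.9 ms  1.3 ms  2.0 ms
 2  edge.transit.example (198.51.100.7)  144.7 ms  143.5 ms  146.2 ms
 3  * * *
 4  * * *'

SAMPLE_53128='traceroute to proxy.example (203.0.113.10), 30 hops max, 60 byte packets
 1  192.0.2.1 (192.0.2.1)  0.9 ms  1.4 ms  1.9 ms
 2  edge.transit.example (198.51.100.7)  145.2 ms  146.2 ms  143.4 ms
 3  dc-router.example (198.51.100.20)  148.8 ms  146.1 ms proxy.example (203.0.113.10)  145.7 ms'

printf 'port 3128:  %s\n' "$(printf '%s\n' "$SAMPLE_3128" | diagnose)"
printf 'port 53128: %s\n' "$(printf '%s\n' "$SAMPLE_53128" | diagnose)"
```

Silent hops alone do not prove filtering, since many routers never answer probes; the signal is that the same path answers on one port and goes quiet on the other just before the destination network.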