I am trying to run the QLProxy virtual appliance as a transparent proxy with SSL Bump and cannot for the life of me get it to work. I keep getting "Invalid URL" errors from Squid (version 3.3.8).
The Squid configuration is as follows:
    acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
    acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
    acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
    acl localnet src fc00::/7 # RFC 4193 local private network range
    acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
    acl SSL_ports port 443
    acl Safe_ports port 80 # http
    acl Safe_ports port 21 # ftp
    acl Safe_ports port 443 # https
    acl Safe_ports port 70 # gopher
    acl Safe_ports port 210 # wais
    acl Safe_ports port 1025-65535 # unregistered ports
    acl Safe_ports port 280 # http-mgmt
    acl Safe_ports port 488 # gss-http
    acl Safe_ports port 591 # filemaker
    acl Safe_ports port 777 # multiling http
    acl CONNECT method CONNECT
    http_access deny !Safe_ports
    http_access deny CONNECT !SSL_ports
    http_access allow localhost manager
    http_access deny manager
    http_access allow localnet
    http_access allow localhost
    http_access deny all
    include "/opt/qlproxy/etc/squid/squid.acl"
    http_port 3128
    http_port 3129 intercept
    http_port 3130 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/opt/qlproxy/etc/myca.pem
    acl mylocalnet src 0.0.0.0/0.0.0.0
    http_access allow mylocalnet
    sslcrtd_program /usr/lib/squid3/ssl_crtd -s /var/spool/squid3_ssldb -M 4MB
    forward_max_tries 25
    cache_mem 1024 MB
    maximum_object_size_in_memory 1024 KB
    coredump_dir /var/spool/squid3
    refresh_pattern ^ftp: 1440 20% 10080
    refresh_pattern ^gopher: 1440 0% 1440
    refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
    refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880
    refresh_pattern . 0 20% 4320
    shutdown_lifetime 3 seconds
    visible_hostname qlproxy
    always_direct allow all
    icap_enable on
    icap_service_failure_limit -1
    icap_preview_enable on
    icap_persistent_connections on
    adaptation_send_client_ip on
    adaptation_send_username on
    icap_service qlproxy1 reqmod_precache icap://127.0.0.1:1344/reqmod bypass=0
    icap_service qlproxy2 respmod_precache icap://127.0.0.1:1344/respmod bypass=0
    acl qlproxy_icap_edomains dstdomain "/opt/qlproxy/etc/squid/icap_exclusions_domains.conf"
    acl qlproxy_icap_etypes rep_mime_type "/opt/qlproxy/etc/squid/icap_exclusions_contenttypes.conf"
    adaptation_access qlproxy1 deny qlproxy_icap_edomains
    adaptation_access qlproxy2 deny qlproxy_icap_edomains
    adaptation_access qlproxy2 deny qlproxy_icap_etypes
    acl icap_bypass_to_localnet dst 10.0.0.0/8 # RFC1918 possible internal network
    acl icap_bypass_to_localnet dst 172.16.0.0/12 # RFC1918 possible internal network
    acl icap_bypass_to_localnet dst 192.168.0.0/16 # RFC1918 possible internal network
    adaptation_access qlproxy1 deny icap_bypass_to_localnet
    adaptation_access qlproxy2 deny icap_bypass_to_localnet
    adaptation_access qlproxy1 allow all
    adaptation_access qlproxy2 allow all
    dns_nameservers 8.8.8.8 4.2.2.2
    dns_v4_first on
There is a NAT rule on the firewall that forwards all traffic with destination port 80,443 TCP to the proxy server on port 3128.
Can anyone spot where I am going wrong?
Edit: It should be worth noting that I am trying to do this with a single NIC on the proxy. Web traffic is redirected to the proxy by a NAT rule on the MikroTik (acting as the main firewall), and from the proxy it should go out to the internet.
If you are using policy-based routing to send traffic to the proxy server, then something like the following will redirect HTTP and HTTPS traffic to the correct squid ports:
    iptables -t nat -A PREROUTING -p tcp --dport 80 -i eth0 -j DNAT --to 127.0.0.1:3129
    iptables -t nat -A PREROUTING -p tcp --dport 443 -i eth0 -j DNAT --to 127.0.0.1:3130
If you want to preserve the client's original IP address for filtering in squid, instead of all traffic appearing to have the router's IP as its src, then you need rules like this:
    # SQUID_IP is a placeholder for the proxy's own address; -s takes an address, not host:port.
    # Traffic from the proxy itself is accepted so it is not redirected back into squid.
    iptables -t nat -A PREROUTING -s $SQUID_IP -p tcp --dport 80 -j ACCEPT
    # REDIRECT takes only a port number
    iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3129
    iptables -t nat -A PREROUTING -s $SQUID_IP -p tcp --dport 443 -j ACCEPT
    iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 3130
    iptables -t nat -A POSTROUTING -j MASQUERADE
    # block clients from connecting to the intercept port directly
    iptables -t mangle -A PREROUTING -p tcp --dport 3129 -j DROP
I am not sure how well this last method works with policy-based routing to squid. I have only tested w/ squid configured via DHCP as the network gateway.
In iptables, you need to redirect HTTP traffic to the squid intercept port, not the standard proxy port. You also need to redirect HTTPS traffic to the intercept ssl-bump port.
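Both answers make the same point: the firewall's redirect target must be a port that squid.conf declares as `intercept` (and, for port 443, `intercept ssl-bump`), never the plain `http_port 3128`. The script below is an added example, not code from the question, the answers, Squid or QLProxy. It cross-checks a table of "caught destination port -> squid port" redirects against the `http_port`/`https_port` lines of a squid.conf, so the mismatch can be caught before Squid starts logging "Invalid URL". The config fragment and both redirect tables are constructed inline to mirror the ports in the question; the function names (`squid_port_mode`, `check_redirect`, `check_redirect_table`) are my own.

```shell
#!/usr/bin/env bash
# Added example (not from the question, the answers, Squid or QLProxy):
# cross-check firewall redirect targets against the http_port lines of
# squid.conf, so intercepted port-80/443 traffic is never sent to a plain
# forward-proxy port.

# Constructed squid.conf fragment mirroring the three http_port lines in the
# question: 3128 plain, 3129 intercept, 3130 intercept + ssl-bump.
SQUID_CONF_SAMPLE='http_port 3128
http_port 3129 intercept
http_port 3130 intercept ssl-bump generate-host-certificates=on cert=/opt/qlproxy/etc/myca.pem'

# Classify a listening port from the config text as one of:
#   plain | intercept | intercept-ssl-bump | undefined
# Both http_port and https_port lines are examined.
# Usage: squid_port_mode <conf-text> <port>
squid_port_mode() {
    local conf="$1" port="$2" line intercepting=no bump=no
    line=$(printf '%s\n' "$conf" |
        awk -v p="$port" '($1=="http_port" || $1=="https_port") && $2==p {print; exit}')
    if [ -z "$line" ]; then
        echo undefined
        return 0
    fi
    # intercept, its older spelling transparent, and tproxy all accept NAT'd flows
    case " $line " in
        *" intercept "*|*" transparent "*|*" tproxy "*) intercepting=yes ;;
    esac
    case " $line " in
        *" ssl-bump "*) bump=yes ;;
    esac
    if [ "$intercepting" = yes ] && [ "$bump" = yes ]; then
        echo intercept-ssl-bump
    elif [ "$intercepting" = yes ]; then
        echo intercept
    else
        echo plain
    fi
}

# Judge one redirect "caught destination port -> squid port".
# Prints an OK/FAIL line; returns 0 on OK, 1 on FAIL.
# Usage: check_redirect <conf-text> <dport> <squid-port>
check_redirect() {
    local conf="$1" dport="$2" target="$3" mode
    mode=$(squid_port_mode "$conf" "$target")
    case "$dport:$mode" in
        80:intercept|80:intercept-ssl-bump|443:intercept-ssl-bump)
            echo "OK   tcp/$dport -> $target ($mode)"
            return 0 ;;
        *:plain)
            echo "FAIL tcp/$dport -> $target: plain forward-proxy port; intercepted requests carry no absolute URL and Squid rejects them"
            return 1 ;;
        443:intercept)
            echo "FAIL tcp/$dport -> $target: intercept port without ssl-bump; TLS bytes are not HTTP"
            return 1 ;;
        *:undefined)
            echo "FAIL tcp/$dport -> $target: no http_port/https_port line for $target"
            return 1 ;;
        *)
            echo "FAIL tcp/$dport -> $target: unhandled combination ($mode)"
            return 1 ;;
    esac
}

# Check a whole table of "dport target" lines; returns 1 if any entry fails.
# Usage: check_redirect_table <conf-text> <table-text>
check_redirect_table() {
    local conf="$1" table="$2" rc=0 dport target
    while read -r dport target; do
        [ -n "$dport" ] || continue
        check_redirect "$conf" "$dport" "$target" || rc=1
    done <<EOF
$table
EOF
    return "$rc"
}

# Constructed tables: the questioner's single NAT rule (everything to 3128)
# versus the port mapping the answers describe.
QUESTION_TABLE='80 3128
443 3128'
ANSWER_TABLE='80 3129
443 3130'

echo "== NAT rule from the question =="
check_redirect_table "$SQUID_CONF_SAMPLE" "$QUESTION_TABLE" || true
echo "== mapping from the answers =="
check_redirect_table "$SQUID_CONF_SAMPLE" "$ANSWER_TABLE"
```

Against the question's setup the first table fails both rows (3128 is a plain port), while the second passes. Feeding it the real squid.conf (`squid_port_mode "$(cat /etc/squid3/squid.conf)" 3129`) and the port pairs from the actual MikroTik or iptables rules turns the two answers into a repeatable pre-deployment check.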