Configuring Squid to allow access to HTTPS sites
2016-12-11 12:57
Requirement: let users reach HTTPS websites through Squid. Note that this is not the same thing as configuring Squid itself to serve HTTPS. Most of the material found online simply configures a certificate on Squid, but intuition said that would not solve our problem.

Getting to the point: through the Squid instance set up earlier, HTTP sites load normally, but any site whose URL begins with https cannot be reached. The best way to find the problem is to analyze the logs; access.log contained the following:
NONE/400 4280 CONNECT error:method-not-allowed - NONE/- text/html

So the CONNECT request (the method a browser uses to tunnel HTTPS through a proxy) is being refused with a 400. Looking at squid.conf, the default configuration already allows CONNECT to destination port 443:

acl SSL_ports port 443
# Deny CONNECT to other than secure SSL ports
#always_direct deny !SSL_ports
http_access deny CONNECT !SSL_ports

So the ACLs are not what is blocking it. Next, turn on Squid's debug output in squid.conf (section 33 is the client-side request handling):

debug_options ALL,1 33,2

and look at /var/log/squid/cache.log:

2016/12/11 12:10:19| IpIntercept.cc(137) NetfilterInterception: NF getsockopt(SO_ORIGINAL_DST) failed on FD 10: (92) Protocol not available
2016/12/11 12:10:19| WARNING: CONNECT method received on http Accelerator port 3128
2016/12/11 12:10:19| WARNING: for request: CONNECT mail.qq.com:443 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:50.0) Gecko/20100101 Firefox/50.0
Proxy-Connection: keep-alive
Connection: keep-alive
Host: mail.qq.com:443
Proxy-Authorization: Basic a2VubnkuemhhbzoxMjM0NTY=
2016/12/11 12:10:19.494| clientProcessRequest: Invalid Request

Now something looks wrong. Note in passing that at this debug level Squid writes the whole request into cache.log, including the Proxy-Authorization header; Basic credentials are only base64-encoded, so treat that log as sensitive.

First problem: IpIntercept.cc(137) NetfilterInterception: NF getsockopt(SO_ORIGINAL_DST) failed on FD 10: (92) Protocol not available. Looking this up, it is caused by a kernel module that was not loaded at boot. Run

modprobe ip_conntrack

(on current kernels that name is an alias for the nf_conntrack module). Access the site again and check the log: the message is gone, but this was not the main problem.

Second line: WARNING: CONNECT method received on http Accelerator port. The configuration file contains this line:

http_port 3128 transparent accel

The accel flag turns the port into a reverse-proxy (accelerator) port, and accelerator ports do not accept CONNECT, which is exactly what the warning says. After some searching, the fix is to remove accel, i.e. change the line to

http_port 3128 transparent

Reload the configuration with squid -k reconfigure and visit an HTTPS site again: it now loads through Squid. Problem solved. Don't forget to turn the debug logging back off.

One further caveat on that port line. transparent (spelled intercept in Squid 3.1 and later; transparent is the deprecated synonym) is the mode for traffic redirected to Squid by NAT rules, and it is what makes Squid attempt the SO_ORIGINAL_DST lookup seen above; Squid also disables proxy authentication on intercept ports. A browser that has the proxy configured explicitly, as here (it sends CONNECT with a Proxy-Authorization header), should be pointed at a plain http_port 3128 with neither flag, and then the conntrack module is not needed for that port at all.
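The checks above (which http_port flags are set, whether CONNECT is allowed to 443, and what the refusal looks like in access.log) are easy to automate. The script below is an added example, not code from the original post or from the Squid project; it audits a squid.conf fragment for the misconfiguration diagnosed above, emits the corrected line, and picks the refused CONNECT out of access.log. Going one step beyond the post's fix, it strips transparent/intercept as well as accel, for the reason given in the caveat. The config fragment, the client address and the access.log lines are constructed for this example.

```python
"""Added example (not from the original post): audit a squid.conf for the
http_port misconfiguration diagnosed above, emit the corrected line, and
pick out the CONNECT refusals that misconfiguration leaves in access.log.
The config fragment and log lines below are constructed for this example."""
import re

# Mode flags on http_port that an explicitly configured browser must not hit:
# accel turns the port into a reverse proxy (which rejects CONNECT), and
# transparent/intercept mark it as a NAT-interception port (which also
# disables proxy authentication). Neither belongs on a forward-proxy port.
MODE_FLAGS = {"accel": "accel", "transparent": "intercept", "intercept": "intercept"}


def _port_of(addr):
    """Port number from an http_port address field: '3128', '10.0.0.1:3128'
    or '[::1]:3128'."""
    return addr.rsplit(":", 1)[-1]


def http_port_modes(config_text, port):
    """Set of special modes on the http_port line(s) for `port`; an empty
    set means a plain forward-proxy port. Comments are ignored."""
    modes, found = set(), False
    for raw in config_text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] == "http_port" and _port_of(parts[1]) == str(port):
            found = True
            modes.update(MODE_FLAGS[p] for p in parts[2:] if p in MODE_FLAGS)
    if not found:
        raise ValueError("no http_port line for port %s" % port)
    return modes


def fix_http_port(config_text, port):
    """Return the config with the http_port line(s) for `port` rewritten as a
    plain forward-proxy port: accel, transparent and intercept are dropped,
    any other options on the line are kept."""
    out = []
    for raw in config_text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] == "http_port" and _port_of(parts[1]) == str(port):
            kept = [p for p in parts[2:] if p not in MODE_FLAGS]
            raw = " ".join(["http_port", parts[1]] + kept)
        out.append(raw)
    return "\n".join(out) + "\n"


def ssl_ports(config_text):
    """Ports listed on 'acl SSL_ports port ...' lines, i.e. the destinations
    to which the default 'http_access deny CONNECT !SSL_ports' permits CONNECT."""
    ports = set()
    for raw in config_text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if parts[:3] == ["acl", "SSL_ports", "port"]:
            ports.update(int(p) for p in parts[3:])
    return ports


# Native access.log format: time elapsed client code/status bytes method URL ...
# When Squid refuses a request outright, the URL field carries an error token
# instead of a URL, e.g. "CONNECT error:method-not-allowed" as in the post.
_REFUSED = re.compile(
    r"\s(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+\d+\s+(?P<method>[A-Z]+)\s+error:(?P<reason>\S+)")


def refused_requests(access_log_text):
    """(status, method, reason) for every request Squid refused outright."""
    hits = []
    for line in access_log_text.splitlines():
        m = _REFUSED.search(line)
        if m:
            hits.append((int(m.group("status")), m.group("method"), m.group("reason")))
    return hits


# Constructed squid.conf fragment reproducing the setting from the post.
BEFORE_CONF = """\
http_port 3128 transparent accel
acl SSL_ports port 443
acl CONNECT method CONNECT
http_access deny CONNECT !SSL_ports
"""

# Constructed access.log lines: one refused CONNECT as in the post, then a
# normal GET and a working CONNECT tunnel once the port was fixed.
SAMPLE_LOG = """\
1481429419.494      0 192.168.1.20 NONE/400 4280 CONNECT error:method-not-allowed - NONE/- text/html
1481429500.120    312 192.168.1.20 TCP_MISS/200 1153 GET http://example.com/ - HIER_DIRECT/203.0.113.5 text/html
1481429601.001    845 192.168.1.20 TCP_TUNNEL/200 8121 CONNECT mail.qq.com:443 - HIER_DIRECT/203.0.113.10 -
"""

if __name__ == "__main__":
    print("modes on port 3128:", http_port_modes(BEFORE_CONF, 3128) or "plain forward proxy")
    print("CONNECT allowed to ports:", ssl_ports(BEFORE_CONF))
    print("refused requests:", refused_requests(SAMPLE_LOG))
    print("corrected config:\n" + fix_http_port(BEFORE_CONF, 3128))
```

Run it against a real squid.conf and access.log by reading the files into the two functions; a non-empty result from http_port_modes on the port your browsers use, combined with NONE/400 CONNECT refusals in the log, is the signature of the problem this post walks through.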
There was one more worry. HTTPS exists to protect the transport, and in the current architecture, Browser <---> Squid <---> HTTPS site, it looked as if only the Squid-to-site leg was HTTPS while the browser-to-Squid leg stayed plain HTTP.

Correction: that understanding was wrong. With CONNECT, Squid only relays bytes; the TLS session is negotiated end to end between the browser and the remote server, so the page content is encrypted along the whole path and the proxy cannot read it. What does travel in the clear on the browser-to-Squid leg is the CONNECT request itself: the target host and port, and the Proxy-Authorization header seen in cache.log above. To encrypt that leg as well, Squid can be given a TLS port and certificate so that the browser talks to the proxy over HTTPS:

https_port 443 cert=/path/to/your.crt key=/path/to/your.key
Reference (quoted from http://wiki.squid-cache.org/Features/HTTPS, section "Encrypted browser-Squid connection"):

While HTTPS design efforts were focused on end-to-end communication, it would also be nice to be able to encrypt the browser-to-proxy connection (without creating a CONNECT tunnel that blocks Squid from accessing and caching content). This would allow, for example, a secure use of remote proxies located across a possibly hostile network.

Squid can accept regular proxy traffic using https_port in the same way Squid does it using an http_port directive. Unfortunately, popular modern browsers do not permit configuration of TLS/SSL encrypted proxy connections. There are open bug reports against most of those browsers now, waiting for support to appear. If you have any interest, please assist browser teams with getting that to happen.

Meanwhile, tricks using stunnel or SSH tunnels are required to encrypt the browser-to-proxy connection before it leaves the client machine. These are somewhat heavy on the network and can be slow as a result.

Chrome

The Chrome browser is able to connect to proxies over SSL connections if configured to use one in a PAC file or command line switch. GUI configuration appears not to be possible (yet). More details at http://dev.chromium.org/developers/design-documents/secure-web-proxy

Firefox

The Firefox 33.0 browser is able to connect to proxies over SSL connections if configured to use one in a PAC file. GUI configuration appears not to be possible (yet). There is still an important bug open: Using a client certificate authentication to a proxy: https://bugzilla.mozilla.org/show_bug.cgi?id=209312
In short: current mainstream browsers cannot be pointed at an HTTPS proxy through the GUI, but an HTTPS proxy can be specified in a PAC file, and Chrome can also be started from the command line with the proxy server given as a switch.
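To make the correction above concrete, here is an added example (not code from the original post or from the Squid project). It parses a CONNECT request of the same shape as the one logged in cache.log and shows what a passive observer on the plain browser-to-Squid hop learns from it: the target host and port, and the Basic credentials, which base64 only encodes. It then produces the two pieces of configuration that move that hop onto TLS: the https_port directive from the post and a PAC file using the HTTPS proxy keyword from the Chromium secure-web-proxy design document linked in the wiki excerpt. The request bytes, the credentials alice:s3cret, proxy.example.com and the certificate paths are all placeholders constructed for this example.

```python
"""Added example (not from the original post): what an observer on the
plain browser-to-Squid hop sees of a CONNECT request, and the https_port
plus PAC configuration that encrypts that hop. Request bytes, credentials,
proxy hostname and certificate paths are constructed placeholders."""
import base64

# Constructed: the CONNECT request a browser sends to an explicit HTTP proxy,
# shaped like the one in the post's cache.log. The TLS session to the target
# is end to end (Squid only relays bytes), but this request itself is plain
# text on the wire to port 3128.
SAMPLE_CONNECT = (
    b"CONNECT mail.qq.com:443 HTTP/1.1\r\n"
    b"User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:50.0) Gecko/20100101 Firefox/50.0\r\n"
    b"Proxy-Connection: keep-alive\r\n"
    b"Connection: keep-alive\r\n"
    b"Host: mail.qq.com:443\r\n"
    b"Proxy-Authorization: Basic " + base64.b64encode(b"alice:s3cret") + b"\r\n"
    b"\r\n"
)


def parse_connect(raw):
    """Parse the request line and headers of a CONNECT request.
    Returns (target_host, target_port, {lower-cased header name: value})."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    if method != "CONNECT":
        raise ValueError("not a CONNECT request: " + lines[0])
    host, _, port = target.rpartition(":")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return host, int(port), headers


def basic_credentials(headers):
    """Recover (user, password) from a Basic Proxy-Authorization header.
    Base64 is an encoding, not encryption: anyone who sees the header has
    the proxy password. Returns None if the header is absent or not Basic."""
    scheme, _, token = headers.get("proxy-authorization", "").partition(" ")
    if scheme.lower() != "basic":
        return None
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def observer_view(raw):
    """Everything a passive observer between browser and proxy learns from
    one CONNECT request on a plain http_port."""
    host, port, headers = parse_connect(raw)
    return {
        "target": "%s:%d" % (host, port),
        "credentials": basic_credentials(headers),
        "user_agent": headers.get("user-agent"),
    }


def https_port_directive(port=443, cert="/path/to/your.crt", key="/path/to/your.key"):
    """squid.conf line accepting proxy traffic over TLS (from the post; the
    certificate paths are placeholders)."""
    return "https_port %d cert=%s key=%s" % (port, cert, key)


def pac_script(proxy_host, proxy_port=443, fallback="DIRECT"):
    """PAC file sending browsers to the TLS proxy. "HTTPS host:port" is the
    secure-web-proxy syntax Chrome (and Firefox 33+) accept in a PAC file;
    the fallback is used if the proxy is unreachable."""
    return (
        "function FindProxyForURL(url, host) {\n"
        "  if (isPlainHostName(host)) return \"DIRECT\";\n"
        "  return \"HTTPS %s:%d; %s\";\n"
        "}\n" % (proxy_host, proxy_port, fallback)
    )


if __name__ == "__main__":
    print("seen on the plain hop:", observer_view(SAMPLE_CONNECT))
    print(https_port_directive())
    print(pac_script("proxy.example.com"))
```

Serve the PAC file from a URL the browsers can fetch (or pass it to Chrome with the proxy-pac-url switch), and give Squid a certificate the browsers trust for the hostname in the PAC; with that in place the CONNECT line and the Proxy-Authorization header are inside TLS as well, and the observer_view above is what you have prevented.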