
Configuring Squid so that it can proxy HTTPS sites

2016-12-11 12:57  369 views
Requirement: let users reach HTTPS sites through Squid. Note that this is not the same as "making Squid itself speak HTTPS": most material online tells you to install a certificate on Squid, but intuition says that does not solve our problem.

To the point: through the Squid instance configured earlier, HTTP sites load normally, but any site whose URL begins with https cannot be reached. The best way to locate a problem is to read the logs, and access.log contains the following:
NONE/400 4280 CONNECT error:method-not-allowed - NONE/- text/html
Looking at squid.conf, the default configuration does allow CONNECT to destination port 443:
acl SSL_ports port 443
# Deny CONNECT to other than secure SSL ports
#always_direct deny !ssl_ports
http_access deny CONNECT !SSL_ports
Next, turn on Squid's debug logging in squid.conf with debug_options ALL,1 33,2 (section 33 is the client-side request handling), then look at /var/log/squid/cache.log, which shows:
2016/12/11 12:10:19| IpIntercept.cc(137) NetfilterInterception: NF getsockopt(SO_ORIGINAL_DST) failed on FD 10: (92) Protocol not available
2016/12/11 12:10:19| WARNING: CONNECT method received on http Accelerator port 3128
2016/12/11 12:10:19| WARNING: for request: CONNECT mail.qq.com:443 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:50.0) Gecko/20100101 Firefox/50.0
Proxy-Connection: keep-alive
Connection: keep-alive
Host: mail.qq.com:443
Proxy-Authorization: Basic a2VubnkuemhhbzoxMjM0NTY=

2016/12/11 12:10:19.494| clientProcessRequest: Invalid Request
Now something looks off.

The first problem: "IpIntercept.cc(137) NetfilterInterception: NF getsockopt(SO_ORIGINAL_DST) failed on FD 10: (92) Protocol not available". Some searching shows this happens because a kernel module was not loaded at boot; run modprobe ip_conntrack. Visit the site again and check the log: that error is gone, but it was not the main problem.

On to the second line: "WARNING: CONNECT method received on http Accelerator port". The configuration file contains this line: http_port 3128 transparent accel. The accel option turns that port into a reverse-proxy (accelerator) listener, which does not accept the CONNECT method a forward proxy needs for HTTPS. After some searching, the fix is to drop the accel parameter, i.e. change http_port 3128 transparent accel to http_port 3128 transparent. Reload the configuration with squid -k reconfigure and visit an HTTPS site again: it now loads normally through Squid, so the problem is solved. Don't forget to turn the debug logging back off.

But HTTPS is used precisely for security in transit, and the current architecture is Browser <---> Squid <---> HTTPS site: only the link between Squid and the HTTPS site is HTTPS, while the link between the browser and Squid is still plain HTTP.

Correction: the understanding above was wrong. With an HTTPS site proxied through a CONNECT tunnel, the traffic between the browser and the remote server is encrypted end to end. What does travel in the clear between browser and Squid is the proxy-level exchange itself, such as the CONNECT request line and the Proxy-Authorization header visible in the cache.log output above. To encrypt the browser-to-Squid link as well, one option is to configure an HTTPS port and certificate on Squid: https_port 443 cert=/path/to/your.crt key=/path/to/your.key
Reference: http://wiki.squid-cache.org/Features/HTTPS

Encrypted browser-Squid connection

While HTTPS design efforts were focused on end-to-end communication, it would also be nice to be able to encrypt the browser-to-proxy connection (without creating a CONNECT tunnel that blocks Squid from accessing and caching content). This would allow, for example, a secure use of remote proxies located across a possibly hostile network. Squid can accept regular proxy traffic using https_port in the same way Squid does it using an http_port directive. Unfortunately, popular modern browsers do not permit configuration of TLS/SSL encrypted proxy connections. There are open bug reports against most of those browsers now, waiting for support to appear. If you have any interest, please assist browser teams with getting that to happen. Meanwhile, tricks using stunnel or SSH tunnels are required to encrypt the browser-to-proxy connection before it leaves the client machine. These are somewhat heavy on the network and can be slow as a result.

Chrome

The Chrome browser is able to connect to proxies over SSL connections if configured to use one in a PAC file or command line switch. GUI configuration appears not to be possible (yet). More details at http://dev.chromium.org/developers/design-documents/secure-web-proxy

Firefox

The Firefox 33.0 browser is able to connect to proxies over SSL connections if configured to use one in a PAC file. GUI configuration appears not to be possible (yet). There is still an important bug open: Using a client certificate authentication to a proxy: https://bugzilla.mozilla.org/show_bug.cgi?id=209312

In short: today's mainstream browsers cannot be given an HTTPS proxy directly through their GUI settings, but a PAC file can name an HTTPS proxy server, and Chrome can also be started from the command line with the proxy given as a switch.
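The wiki text says a PAC file can point the browser at a proxy over TLS; what it looks like in practice is shown by the following added example, which is not from the original post or the Squid wiki. The proxy name proxy.example.internal and the internal domain .corp.example are placeholders. Browsers provide isPlainHostName and dnsDomainIs as PAC built-ins; they are written out here with the same semantics so the file can also be exercised in Node.

```javascript
// Added example (not from the original post or the Squid wiki): a PAC file
// that sends traffic to Squid's https_port using the "HTTPS host:port"
// return value. proxy.example.internal and .corp.example are placeholders.

// Browsers supply these helpers; the definitions below mirror them so the
// file runs unchanged under Node for testing.
function isPlainHostName(host) {
  return host.indexOf('.') === -1;
}
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
    host.slice(host.length - domain.length) === domain;
}
// Literal RFC 1918 / loopback IPv4 addresses should not leave the site.
function isPrivateIPv4(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  const a = Number(m[1]);
  const b = Number(m[2]);
  return a === 10 || a === 127 ||
    (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168);
}

// The URL scheme does not matter: both http:// and https:// requests ride
// the TLS-protected browser-to-Squid connection. No "PROXY host:3128"
// fallback is listed, so a failed TLS proxy connection cannot silently
// downgrade to the plaintext port.
function FindProxyForURL(url, host) {
  if (isPlainHostName(host) || host === 'localhost' || isPrivateIPv4(host)) {
    return 'DIRECT';
  }
  if (dnsDomainIs(host, '.corp.example')) {
    return 'DIRECT';
  }
  return 'HTTPS proxy.example.internal:443';
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(FindProxyForURL('https://mail.qq.com/', 'mail.qq.com'));
  console.log(FindProxyForURL('http://intranet/', 'intranet'));
}
```

Serve the file from a URL the browser can fetch (or pass it to Chrome with --proxy-pac-url); the https_port on Squid must present a certificate the client trusts, otherwise the browser will refuse the proxy connection rather than fall back.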