Requirement: let users access HTTPS websites through Squid.
Note that this is different from configuring Squid itself to serve HTTPS.
Most of the material online is about configuring a certificate for Squid, but my intuition told me that this would not solve our problem.
Getting to the point: through the Squid instance configured earlier, HTTP sites can be accessed normally,
but sites whose URL starts with https cannot.
The best way to find the problem is to analyze the logs.
access.log contained the following entry:
NONE/400 4280 CONNECT error:method-not-allowed - NONE/- text/html
Checking squid.conf, the default configuration already allows CONNECT to destination port 443:
acl SSL_ports port 443
# Deny CONNECT to other than secure SSL ports
#always_direct deny !ssl_ports
http_access deny CONNECT !SSL_ports
Continuing.
Turn on Squid's debug log in squid.conf (ALL,1 keeps every section at level 1 and raises section 33, the client-side request handling, to level 2):
debug_options ALL,1 33,2
Looking at /var/log/squid/cache.log shows:
2016/12/11 12:10:19| IpIntercept.cc(137) NetfilterInterception: NF getsockopt(SO_ORIGINAL_DST) failed on FD 10: (92) Protocol not available
2016/12/11 12:10:19| WARNING: CONNECT method received on http Accelerator port 3128
2016/12/11 12:10:19| WARNING: for request:
CONNECT mail.qq.com:443 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:50.0) Gecko/20100101 Firefox/50.0
Proxy-Connection: keep-alive
Connection: keep-alive
Host: mail.qq.com:443
Proxy-Authorization: Basic a2VubnkuemhhbzoxMjM0NTY=

2016/12/11 12:10:19.494| clientProcessRequest: Invalid Request
Okay, something looks off here.
The first problem:
IpIntercept.cc(137) NetfilterInterception: NF getsockopt(SO_ORIGINAL_DST) failed on FD 10: (92) Protocol not available
After some searching, this happens because a kernel module was not loaded at boot.
Run modprobe ip_conntrack
Access the site again and check the log: this error message is gone, but this error was not the main problem.
Continue with the second error line:
WARNING: CONNECT method received on http Accelerator port
The configuration file contains this line:
http_port 3128 transparent accel
After some searching, the fix is to remove the accel parameter from the configuration,
that is, change
http_port 3128 transparent accel
to
http_port 3128 transparent
Reload the configuration file:
squid -k reconfigure
Accessing an HTTPS website again, it can now be reached through Squid normally.
With that, the problem is solved. Don't forget to turn the debug log off again.
However, HTTPS is configured precisely for security in transit,
and the current architecture is
Browser <---> Squid <---> HTTPS Site
Only the communication between Squid and the HTTPS site is over HTTPS;
the communication between the browser and Squid is still over HTTP.
My original understanding here was wrong: in an HTTPS transfer, the communication from the browser all the way to the remote server is encrypted.
You could consider configuring an HTTPS port and certificate on Squid to encrypt the communication between the browser and Squid:
https_port 443 cert=/path/to/your.crt key=/path/to/your.key
Reference: http://wiki.squid-cache.org/Features/HTTPS
Encrypted browser-Squid connection
While HTTPS design efforts were focused on end-to-end communication, it would also be nice to be able to encrypt the browser-to-proxy connection (without creating a CONNECT tunnel that blocks Squid from accessing and caching content). This would allow, for example, a secure use of remote proxies located across a possibly hostile network.
Squid can accept regular proxy traffic using https_port in the same way Squid does it using an http_port directive. Unfortunately, popular modern browsers do not permit configuration of TLS/SSL encrypted proxy connections. There are open bug reports against most of those browsers now, waiting for support to appear. If you have any interest, please assist browser teams with getting that to happen.
Meanwhile, tricks using stunnel or SSH tunnels are required to encrypt the browser-to-proxy connection before it leaves the client machine. These are somewhat heavy on the network and can be slow as a result.
Chrome
The Chrome browser is able to connect to proxies over SSL connections if configured to use one in a PAC file or command line switch. GUI configuration appears not to be possible (yet).
More details at http://dev.chromium.org/developers/design-documents/secure-web-proxy
Firefox
The Firefox 33.0 browser is able to connect to proxies over SSL connections if configured to use one in a PAC file. GUI configuration appears not to be possible (yet).
There is still an important bug open:
Using a client certificate authentication to a proxy: https://bugzilla.mozilla.org/show_bug.cgi?id=209312
The gist is that current mainstream browsers cannot be configured with an HTTPS proxy directly through the GUI,
but an HTTPS proxy server can be specified through a PAC file,
and Chrome can also be launched from the command line with a proxy server specified.
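As an added example (not from the original post or the Squid wiki), here is a PAC file that uses the HTTPS return type to send browser traffic to Squid's https_port over TLS, keeping intranet hosts direct. The proxy host squid.example.internal, port 443 and the suffix .corp.example.internal are placeholders.

```javascript
// Added example, not part of the original post or the Squid project: a PAC file
// that points the browser at Squid's https_port so the browser-to-proxy hop is
// encrypted. "squid.example.internal", port 443 and the intranet suffix are
// placeholders for your own deployment.
var TLS_PROXY = "HTTPS squid.example.internal:443";
var INTERNAL_SUFFIX = ".corp.example.internal";

function FindProxyForURL(url, host) {
  // Bare host names (no dot) and the local machine never go through the proxy.
  if (host.indexOf(".") === -1 || host === "localhost" || host === "127.0.0.1") {
    return "DIRECT";
  }
  // Internal domain traffic stays off the proxy. A plain string check is used
  // instead of the PAC helper dnsDomainIs() so the function also runs outside
  // a browser, e.g. under Node for testing.
  if (host.length > INTERNAL_SUFFIX.length &&
      host.slice(-INTERNAL_SUFFIX.length) === INTERNAL_SUFFIX) {
    return "DIRECT";
  }
  // "HTTPS host:port" (rather than "PROXY host:port") makes the browser open a
  // TLS connection to the proxy itself; CONNECT requests for https:// sites then
  // travel inside that encrypted connection. No "PROXY host:3128" fallback is
  // listed, so an unreachable TLS proxy fails closed instead of silently
  // downgrading to a plaintext proxy connection.
  return TLS_PROXY;
}
```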