我想知道是否有人可以帮我解决鱿鱼问题。我试图在ubuntu 16.04上设置squid。我使用apt-get install来安装它。我有3.5版本。
我似乎无法让https方面的工作正常进行。我有一个服务器,有一个nic。我已经设置了ip表规则,如果我删除了ssl的东西,我可以让端口80的东西正常工作......
我拥有的Iptables规则是:
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3129
iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 3130
我似乎无法解决的错误是:
systemctl status squid
● squid.service - LSB: Squid HTTP Proxy version 3.x
Loaded: loaded (/etc/init.d/squid; bad; vendor preset: enabled)
Active: active (exited) since Wed 2017-09-06 15:24:58 UTC; 3s ago
Docs: man:systemd-sysv-generator(8)
Process: 31100 ExecStop=/etc/init.d/squid stop (code=exited, status=0/SUCCESS)
Process: 31116 ExecStart=/etc/init.d/squid start (code=exited, status=0/SUCCESS)
Sep 06 15:24:58 ip-10-10-0-184 squid[31116]: 2017/09/06 15:24:58| WARNING: You should probably remove '10.10.8.0/24' from the ACL
Sep 06 15:24:58 ip-10-10-0-184 squid[31116]: 2017/09/06 15:24:58| FATAL: Invalid ACL type 'ssl::server_name'
Sep 06 15:24:58 ip-10-10-0-184 squid[31158]: Bungled /etc/squid/squid.conf line 73: acl allowed_https_sites ssl::server_name .ubu
Sep 06 15:24:58 ip-10-10-0-184 squid[31116]: FATAL: Bungled /etc/squid/squid.conf line 73: acl allowed_https_sites ssl::server_na
Sep 06 15:24:58 ip-10-10-0-184 squid[31116]: Squid Cache (Version 3.5.12): Terminated abnormally.
Sep 06 15:24:58 ip-10-10-0-184 squid[31116]: CPU Usage: 0.004 seconds = 0.004 user + 0.000 sys
Sep 06 15:24:58 ip-10-10-0-184 squid[31116]: Maximum Resident Size: 46928 KB
Sep 06 15:24:58 ip-10-10-0-184 squid[31116]: Page faults with physical i/o: 0
Sep 06 15:24:58 ip-10-10-0-184 squid[31116]: ...fail!
Sep 06 15:24:58 ip-10-10-0-184 systemd[1]: Started LSB: Squid HTTP Proxy version 3.x.
conf文件如下所示:
#Anonomize proxi connections
forwarded_for off
request_header_access Allow allow all
request_header_access Authorization allow all
request_header_access WWW-Authenticate allow all
request_header_access Proxy-Authorization allow all
request_header_access Proxy-Authenticate allow all
request_header_access Cache-Control allow all
request_header_access Content-Encoding allow all
request_header_access Content-Length allow all
request_header_access Content-Type allow all
request_header_access Date allow all
request_header_access Expires allow all
request_header_access Host allow all
request_header_access If-Modified-Since allow all
request_header_access Last-Modified allow all
request_header_access Location allow all
request_header_access Pragma allow all
request_header_access Accept allow all
request_header_access Accept-Charset allow all
request_header_access Accept-Encoding allow all
request_header_access Accept-Language allow all
request_header_access Content-Language allow all
request_header_access Mime-Version allow all
request_header_access Retry-After allow all
request_header_access Title allow all
request_header_access Connection allow all
request_header_access Proxy-Connection allow all
request_header_access User-Agent allow all
request_header_access Cookie allow all
request_header_access All deny all
visible_hostname gw.fairsquare.com
#ACL definitions
acl localnet src 0.0.0.1-0.255.255.255 # RFC 1122 'this' network (LAN)
acl localnet src 10.0.0.0/8 # RFC 1918 local private network (LAN)
acl localnet src 100.64.0.0/10 # RFC 6598 shared address space (CGN)
acl localhet src 169.254.0.0/16 # RFC 3927 link-local (directly plugged) machines
acl localnet src 10.10.5.0/24 # RFC 1918 local private network (LAN)
acl localnet src 10.10.6.0/24 # RFC 1918 local private network (LAN)
acl localnet src 10.10.7.0/24 # RFC 1918 local private network (LAN)
acl localnet src 10.10.8.0/24 # RFC 1918 local private network (LAN)
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow localnet
http_access allow Safe_ports
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880
refresh_pattern . 0 20% 4320
#Handling HTTPS requests
https_port 3130 cert=/etc/squid/ssl/squid.pem ssl-bump intercept
acl SSL_port port 443
http_access allow SSL_port
acl allowed_https_sites ssl::server_name .ubuntu.com
acl allowed_https_sites ssl::server_name .amazon.com
#acl allowed_https_sites ssl::server_name [you can add other domains to permit]
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
ssl_bump peek step1 all
ssl_bump peek step2 allowed_https_sites
ssl_bump splice step3 allowed_https_sites
ssl_bump terminate step2 all
#Handling HTTP requests
http_port 3129 intercept
acl allowed_http_sites dstdomain .amazonaws.com
acl allowed_http_sites dstdomain .amazon.com
acl allowed_http_sites dstdomain .ubuntu.com
#acl allowed_http_sites dstdomain [you can add other domains to permit]
http_access allow allowed_http_sites
via off
forwarded_for off
http_access deny all
我试图找到配置的样本,我拼凑在一起...只想拥有一个访问列表,允许ssl网站出去。
有人可以指出我的错误,因为我不确定这个ssl名字有什么问题......
感谢您的帮助!
答案 0 :(得分:0)
打开您的文件:
nano /etc/squid3/squid.conf
键入 Ctrl + w ,然后键入“server_name”并将server_name替换为您的服务器名称。
acl allowed_https_sites ssl::**server_name** .ubuntu.com
acl allowed_https_sites ssl::**server_name** .amazon.com
我不知道为什么但你也遇到网络10.10.8.0/24的问题,所以,如果你不使用它,你应该从ACL列表中删除10.10.8.0/24
。