squid 3.5 https setup ubuntu 16.04

Time: 2017-09-06 15:37:00

Tags: ubuntu ssl squid

I was wondering if someone could help me with a Squid problem. I am trying to set up Squid on Ubuntu 16.04. I installed it with apt-get install. I have version 3.5.

I can't seem to get the https side working. I have one server with one NIC. I have set up iptables rules, and if I remove the SSL parts I can get the port 80 side to work fine...

The iptables rules I have are:

iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3129
iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 3130

The error I can't seem to get past is:

systemctl status squid
● squid.service - LSB: Squid HTTP Proxy version 3.x
   Loaded: loaded (/etc/init.d/squid; bad; vendor preset: enabled)
   Active: active (exited) since Wed 2017-09-06 15:24:58 UTC; 3s ago
     Docs: man:systemd-sysv-generator(8)
  Process: 31100 ExecStop=/etc/init.d/squid stop (code=exited, status=0/SUCCESS)
  Process: 31116 ExecStart=/etc/init.d/squid start (code=exited, status=0/SUCCESS)

Sep 06 15:24:58 ip-10-10-0-184 squid[31116]: 2017/09/06 15:24:58| WARNING: You should probably remove '10.10.8.0/24' from the ACL
Sep 06 15:24:58 ip-10-10-0-184 squid[31116]: 2017/09/06 15:24:58| FATAL: Invalid ACL type 'ssl::server_name'
Sep 06 15:24:58 ip-10-10-0-184 squid[31158]: Bungled /etc/squid/squid.conf line 73: acl allowed_https_sites ssl::server_name .ubu
Sep 06 15:24:58 ip-10-10-0-184 squid[31116]: FATAL: Bungled /etc/squid/squid.conf line 73: acl allowed_https_sites ssl::server_na
Sep 06 15:24:58 ip-10-10-0-184 squid[31116]: Squid Cache (Version 3.5.12): Terminated abnormally.
Sep 06 15:24:58 ip-10-10-0-184 squid[31116]: CPU Usage: 0.004 seconds = 0.004 user + 0.000 sys
Sep 06 15:24:58 ip-10-10-0-184 squid[31116]: Maximum Resident Size: 46928 KB
Sep 06 15:24:58 ip-10-10-0-184 squid[31116]: Page faults with physical i/o: 0
Sep 06 15:24:58 ip-10-10-0-184 squid[31116]:    ...fail!
Sep 06 15:24:58 ip-10-10-0-184 systemd[1]: Started LSB: Squid HTTP Proxy version 3.x.

The conf file looks like this:

#Anonymize proxy connections

forwarded_for off
request_header_access Allow allow all
request_header_access Authorization allow all
request_header_access WWW-Authenticate allow all
request_header_access Proxy-Authorization allow all
request_header_access Proxy-Authenticate allow all
request_header_access Cache-Control allow all
request_header_access Content-Encoding allow all
request_header_access Content-Length allow all
request_header_access Content-Type allow all
request_header_access Date allow all
request_header_access Expires allow all
request_header_access Host allow all
request_header_access If-Modified-Since allow all
request_header_access Last-Modified allow all
request_header_access Location allow all
request_header_access Pragma allow all
request_header_access Accept allow all
request_header_access Accept-Charset allow all
request_header_access Accept-Encoding allow all
request_header_access Accept-Language allow all
request_header_access Content-Language allow all
request_header_access Mime-Version allow all
request_header_access Retry-After allow all
request_header_access Title allow all
request_header_access Connection allow all
request_header_access Proxy-Connection allow all
request_header_access User-Agent allow all
request_header_access Cookie allow all
request_header_access All deny all

visible_hostname gw.fairsquare.com

#ACL definitions
acl localnet src 0.0.0.1-0.255.255.255  # RFC 1122 'this' network (LAN)
acl localnet src 10.0.0.0/8         # RFC 1918 local private network (LAN)
acl localnet src 100.64.0.0/10      # RFC 6598 shared address space (CGN)
acl localnet src 169.254.0.0/16     # RFC 3927 link-local (directly plugged) machines
acl localnet src 10.10.5.0/24       # RFC 1918 local private network (LAN)
acl localnet src 10.10.6.0/24       # RFC 1918 local private network (LAN)
acl localnet src 10.10.7.0/24       # RFC 1918 local private network (LAN)
acl localnet src 10.10.8.0/24       # RFC 1918 local private network (LAN)
acl localnet src fc00::/7           # RFC 4193 local private network range
acl localnet src fe80::/10          # RFC 4291 link-local (directly plugged) machines

acl Safe_ports port 80      # http
acl Safe_ports port 21      # ftp
acl Safe_ports port 443     # https
acl Safe_ports port 70      # gopher
acl Safe_ports port 210     # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280     # http-mgmt
acl Safe_ports port 488     # gss-http
acl Safe_ports port 591     # filemaker
acl Safe_ports port 777     # multiling http
acl CONNECT method CONNECT

http_access allow localnet
http_access allow Safe_ports

refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern (Release|Packages(.gz)*)$      0       20%     2880
refresh_pattern .               0       20%     4320

#Handling HTTPS requests
https_port 3130 cert=/etc/squid/ssl/squid.pem ssl-bump intercept
acl SSL_port port 443
http_access allow SSL_port
acl allowed_https_sites ssl::server_name .ubuntu.com
acl allowed_https_sites ssl::server_name .amazon.com
#acl allowed_https_sites ssl::server_name [you can add other domains to permit]
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
ssl_bump peek step1 all
ssl_bump peek step2 allowed_https_sites
ssl_bump splice step3 allowed_https_sites
ssl_bump terminate step2 all

#Handling HTTP requests
http_port 3129 intercept
acl allowed_http_sites dstdomain .amazonaws.com
acl allowed_http_sites dstdomain .amazon.com
acl allowed_http_sites dstdomain .ubuntu.com
#acl allowed_http_sites dstdomain [you can add other domains to permit]
http_access allow allowed_http_sites

via off
forwarded_for off
http_access deny all 

I tried to find sample configs and pieced this together... I just want to have one access list that allows SSL sites out.

Can someone point out my mistake, because I'm not sure what is wrong with this ssl name...

Thanks for your help!

1 answer:

Answer 0 (score: 0)

Open your file:

nano /etc/squid3/squid.conf

Press Ctrl + W, then type "server_name" and replace server_name with your server name.

acl allowed_https_sites ssl::**server_name** .ubuntu.com
acl allowed_https_sites ssl::**server_name** .amazon.com

I don't know why, but you also have a problem with the network 10.10.8.0/24, so if you don't use it you should remove 10.10.8.0/24 from the ACL list.
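Added here as a check that is not part of the question or the answer above. The ACL type `ssl::server_name`, the `at_step` ACL and the `ssl_bump` directive exist only in a Squid binary built against OpenSSL (configure option `--with-openssl`); a build without it rejects the ACL with exactly `FATAL: Invalid ACL type 'ssl::server_name'`, however the line is spelled. The stock `squid` package on Ubuntu 16.04 is normally built without OpenSSL, so the first thing to check is the "configure options" line of `squid -v`; if `--with-openssl` is absent, the package has to be rebuilt with that option (or replaced by a `squid-openssl` package where the distribution offers one) before any of the HTTPS section can load. Separately, the `WARNING: You should probably remove '10.10.8.0/24'` line is Squid pointing out that 10.10.8.0/24 is already covered by the `10.0.0.0/8` entry of the same `localnet` ACL; it is harmless, and the same applies to the other 10.10.x.0/24 entries.

The script below inspects `squid -v` output for the required build option and, when `squid` is installed, runs `squid -k parse` so configuration errors are reported with their real line numbers without restarting the service. The two `squid -v` outputs embedded in it are constructed samples for illustration, not output from the poster's machine.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): decide whether the installed
# squid can evaluate ssl::server_name / ssl_bump at all before editing
# squid.conf. These features are compiled in only with --with-openssl.
set -u

# ssl_bump_supported "<output of squid -v>"
# Returns 0 when the configure options include --with-openssl, 1 otherwise.
ssl_bump_supported() {
    case "$1" in
        *--with-openssl*) return 0 ;;
        *)                return 1 ;;
    esac
}

# ssl_crtd_enabled "<output of squid -v>"
# --enable-ssl-crtd only matters for 'ssl_bump bump' (it moves certificate
# generation into ssl_crtd helper processes). A peek/splice/terminate
# allowlist like the one in the question does not need it.
ssl_crtd_enabled() {
    case "$1" in
        *--enable-ssl-crtd*) return 0 ;;
        *)                   return 1 ;;
    esac
}

# Constructed sample (illustrative only): a build without OpenSSL.
SAMPLE_NO_SSL='Squid Cache: Version 3.5.12
Service Name: squid
configure options:  --build=x86_64-linux-gnu --prefix=/usr --enable-icap-client --enable-auth-basic=DB,NCSA,PAM --enable-linux-netfilter'

# Constructed sample (illustrative only): a build that can use SSL-Bump.
SAMPLE_WITH_SSL='Squid Cache: Version 3.5.12
Service Name: squid
configure options:  --build=x86_64-linux-gnu --prefix=/usr --with-openssl --enable-ssl-crtd --enable-linux-netfilter'

# describe_build "<output of squid -v>"
# Prints a verdict starting with "ok:" or "missing:" and returns 0 / 1.
describe_build() {
    if ssl_bump_supported "$1"; then
        if ssl_crtd_enabled "$1"; then
            echo "ok: OpenSSL build with ssl_crtd helper (peek/splice and bump possible)"
        else
            echo "ok: OpenSSL build (peek/splice/terminate possible; bump generates certificates in-process)"
        fi
        return 0
    fi
    echo "missing: no --with-openssl; ssl::server_name, at_step and ssl_bump will be rejected"
    return 1
}

# Check the real installation when squid is on PATH; otherwise demonstrate
# the logic on the constructed samples.
if command -v squid >/dev/null 2>&1; then
    if describe_build "$(squid -v 2>&1)"; then
        # Parse /etc/squid/squid.conf without starting the daemon.
        # "Bungled ... line N" errors show the real file line numbers here.
        squid -k parse
    fi
else
    describe_build "$SAMPLE_NO_SSL" || true
    describe_build "$SAMPLE_WITH_SSL"
fi
```

Run it as root on the proxy host (`squid -k parse` reads the system squid.conf). If the verdict is "missing", no edit to the `acl allowed_https_sites ssl::server_name` lines will help; the binary has to change first.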