I have a problem with my Squid v3.5.27.
squid.conf:
acl auth proxy_auth REQUIRED
acl basicauth proxy_auth_regex -i service
http_access deny !auth
http_access deny basicauth
http_access allow all
http_port 0.0.0.0:3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/etc/squidCA.pem
ssl_bump bump all
sslproxy_cert_error deny all
sslproxy_flags DONT_VERIFY_PEER
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /etc/squid/ssl_db -M 10MB
I am authenticated as USERTEST, but when I try to open any website I get TCP_DENIED/403.
access.log:
17/May/2018:12:35:18 +0300 10.0.5.177 USERTEST TCP_DENIED/403 https://rbc.ru "-"
In cache.log:
2018/05/17 12:35:18.484 kid1| 28,3| Checklist.cc(70) preCheck: 0x38457c8 checking slow rules
2018/05/17 12:35:18.484 kid1| 28,5| Acl.cc(138) matches: checking http_access
2018/05/17 12:35:18.484 kid1| 28,5| Checklist.cc(400) bannedAction: Action 'DENIED/0' is not banned
2018/05/17 12:35:18.484 kid1| 28,5| Acl.cc(138) matches: checking http_access#1
2018/05/17 12:35:18.484 kid1| 28,5| Acl.cc(138) matches: checking !auth
2018/05/17 12:35:18.484 kid1| 28,5| Acl.cc(138) matches: checking auth
2018/05/17 12:35:18.484 kid1| 28,5| Acl.cc(36) AuthenticateAcl: SslBumped request: It is an encapsulated request do not authenticate
2018/05/17 12:35:18.484 kid1| 28,3| Acl.cc(158) matches: checked: auth = 1
2018/05/17 12:35:18.485 kid1| 28,3| Acl.cc(158) matches: checked: !auth = 0
2018/05/17 12:35:18.485 kid1| 28,3| Acl.cc(158) matches: checked: http_access#1 = 0
2018/05/17 12:35:18.485 kid1| 28,5| Checklist.cc(400) bannedAction: Action 'ALLOWED/0' is not banned
2018/05/17 12:35:18.485 kid1| 28,5| Acl.cc(138) matches: checking http_access#2
2018/05/17 12:35:18.485 kid1| 28,5| Acl.cc(138) matches: checking basicauth
2018/05/17 12:35:18.485 kid1| 28,5| Acl.cc(36) AuthenticateAcl: SslBumped request: It is an encapsulated request do not authenticate
2018/05/17 12:35:18.485 kid1| 28,3| Acl.cc(158) matches: checked: basicauth = 1
2018/05/17 12:35:18.485 kid1| 28,5| Acl.cc(138) matches: checking sites1
2018/05/17 12:35:18.485 kid1| 28,3| DomainData.cc(108) match: aclMatchDomainList: checking 'www.rbc.ru'
2018/05/17 12:35:18.485 kid1| 28,3| DomainData.cc(113) match: aclMatchDomainList: 'www.rbc.ru' NOT found
2018/05/17 12:35:18.485 kid1| 28,3| Acl.cc(158) matches: checked: sites1 = 0
2018/05/17 12:35:18.485 kid1| 28,3| Acl.cc(158) matches: checked: http_access#2 = 0
2018/05/17 12:35:18.485 kid1| 28,5| Checklist.cc(400) bannedAction: Action 'DENIED/0' is not banned
2018/05/17 12:35:18.485 kid1| 28,5| Acl.cc(138) matches: checking http_access#3
2018/05/17 12:35:18.485 kid1| 28,5| Acl.cc(138) matches: checking basicauth
2018/05/17 12:35:18.485 kid1| 28,5| Acl.cc(36) AuthenticateAcl: SslBumped request: It is an encapsulated request do not authenticate
2018/05/17 12:35:18.485 kid1| 28,3| Acl.cc(158) matches: checked: basicauth = 1
2018/05/17 12:35:18.485 kid1| 28,3| Acl.cc(158) matches: checked: http_access#3 = 1
2018/05/17 12:35:18.485 kid1| 28,3| Acl.cc(158) matches: checked: http_access = 1
2018/05/17 12:35:18.485 kid1| 28,3| Checklist.cc(63) markFinished: 0x38457c8 answer DENIED for match
2018/05/17 12:35:18.485 kid1| 28,3| Checklist.cc(163) checkCallback: ACLChecklist::checkCallback: 0x38457c8 answer=DENIED
2018/05/17 12:35:18.485 kid1| 28,5| Gadgets.cc(83) aclIsProxyAuth: aclIsProxyAuth: called for basicauth
2018/05/17 12:35:18.485 kid1| 28,9| Acl.cc(99) FindByName: ACL::FindByName 'basicauth'
2018/05/17 12:35:18.485 kid1| 28,5| Gadgets.cc(88) aclIsProxyAuth: aclIsProxyAuth: returning 1
2018/05/17 12:35:18.485 kid1| 28,8| Gadgets.cc(51) aclGetDenyInfoPage: got called for basicauth
2018/05/17 12:35:18.485 kid1| 28,8| Gadgets.cc(70) aclGetDenyInfoPage: aclGetDenyInfoPage: no match
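As you can see, I hit acl basicauth = 1 and http_access#3 = 1 even though I have a different login. If I disable SSLbump, everything works fine.
Any ideas? Thanks.
Answer 0 (score: 0)
You can do the following.
For basic authentication: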
auth_param basic program /usr/bin/python /home/test/auth.py
auth_param basic realm Please enter username and password
auth_param basic children 100
auth_param basic credentialsttl 1 second
acl AuthUsers proxy_auth REQUIRED
In the above, test.py means you can write a custom Python script for authentication, or use any other method.
For ssl-bump, you can do the following:
http_port 3128 ssl-bump cert=/etc/squid/ssl/myca.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/spool/squid_ssldb -M 4MB
sslcrtd_children 5
acl tcp_level at_step SslBump1
ssl_bump peek tcp_level all
ssl_bump bump all
And allow access:
http_access allow AuthUsers
http_access deny all
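As an added example (not part of the original question or answer): a small Python parser for the debug section 28 trace shown in the question, reporting which http_access rule produced the final answer and which ACLs inside it were matched after the "do not authenticate" message for bumped requests. The function name and output keys are assumptions of this example; the sample lines are copied from the question's cache.log, shortened.

```python
import re

# Lines copied (shortened) from the cache.log trace in the question.
SAMPLE = """\
2018/05/17 12:35:18.484 kid1| 28,5| Acl.cc(138) matches: checking http_access#1
2018/05/17 12:35:18.484 kid1| 28,5| Acl.cc(138) matches: checking !auth
2018/05/17 12:35:18.484 kid1| 28,5| Acl.cc(138) matches: checking auth
2018/05/17 12:35:18.484 kid1| 28,5| Acl.cc(36) AuthenticateAcl: SslBumped request: It is an encapsulated request do not authenticate
2018/05/17 12:35:18.484 kid1| 28,3| Acl.cc(158) matches: checked: auth = 1
2018/05/17 12:35:18.485 kid1| 28,3| Acl.cc(158) matches: checked: !auth = 0
2018/05/17 12:35:18.485 kid1| 28,3| Acl.cc(158) matches: checked: http_access#1 = 0
2018/05/17 12:35:18.485 kid1| 28,5| Acl.cc(138) matches: checking http_access#3
2018/05/17 12:35:18.485 kid1| 28,5| Acl.cc(138) matches: checking basicauth
2018/05/17 12:35:18.485 kid1| 28,5| Acl.cc(36) AuthenticateAcl: SslBumped request: It is an encapsulated request do not authenticate
2018/05/17 12:35:18.485 kid1| 28,3| Acl.cc(158) matches: checked: basicauth = 1
2018/05/17 12:35:18.485 kid1| 28,3| Acl.cc(158) matches: checked: http_access#3 = 1
2018/05/17 12:35:18.485 kid1| 28,3| Checklist.cc(63) markFinished: 0x38457c8 answer DENIED for match
"""

CHECKING = re.compile(r"matches: checking (\S+)$")
CHECKED = re.compile(r"matches: checked: (\S+) = (\d)$")
SKIPPED = re.compile(r"AuthenticateAcl: SslBumped request: .*do not authenticate")
ANSWER = re.compile(r"markFinished: \S+ answer (\w+) for match")

def explain_decisions(log_text):
    """Return one dict per finished http_access checklist in the trace."""
    decisions, stack, skipped, hits = [], [], [], []
    for line in log_text.splitlines():
        if m := CHECKING.search(line):
            stack.append(m.group(1))
        elif SKIPPED.search(line) and stack:
            skipped.append(stack[-1])  # ACL under evaluation when auth was skipped
        elif m := CHECKED.search(line):
            name, matched = m.group(1), m.group(2) == "1"
            if stack and stack[-1] == name:
                stack.pop()
            if name.startswith("http_access#"):
                if matched:
                    hits.append((name, list(skipped)))
                skipped.clear()
        elif m := ANSWER.search(line):
            rule, acls = hits[-1] if hits else (None, [])
            decisions.append({"answer": m.group(1), "rule": rule, "auth_skipped_for": acls})
            stack, skipped, hits = [], [], []
    return decisions

if __name__ == "__main__":
    for d in explain_decisions(SAMPLE):
        print(d)
```

A non-empty `auth_skipped_for` on a DENIED decision points at a proxy_auth-type ACL that returned 1 for a bumped request without any credential comparison.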