请教下各位:最近被这个问题折腾的头大
CentOS 7 10.211.55.3 直接 yum 安装
# yum -y install squid
查看版本:
# squid -v
Squid Cache: Version 3.5.20
一个简化的配置
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
sslproxy_version 4
sslproxy_options ALL
http_port 3127
http_port 3128 transparent
https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=16MB cert=/etc/squid/1_www.snsyr.com_bundle.crt key=/etc/squid/2_www.snsyr.com.key
# SSL Bump Config
ssl_bump stare all
ssl_bump bump all
说明及要求:
这个主机不能开启 /proc/sys/net/ipv4/ip_forward
其实如果可以开启这个参数,且 iptables 配置 nat 的情况下。局域网其他主机将网关指到这个 squid 所在的服务,那么是可以代理局域网主机上网的。
现在的要求是:
局域网主机 10.211.55.7 比如:
# cat /etc/hosts|grep baidu
10.211.55.3
www.baidu.com在这个主机:对 443 的请求转发到 3129
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-ports 3129
现在的问题客户端访问百度报 503
node2 root@node2:~# curl -klv
https://www.baidu.com -svo /dev/null
* About to connect() to
www.baidu.com port 443 (#0)
* Trying 10.211.55.3...
* Connected to
www.baidu.com (10.211.55.3) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* skipping SSL peer certificate verification
* SSL connection using TLS_RSA_WITH_AES_256_GCM_SHA384
* Server certificate:
* subject: CN=
www.baidu.com* start date: Oct 23 00:00:00 2020 GMT
* expire date: Oct 22 23:59:59 2021 GMT
* common name:
www.baidu.com* issuer: CN=
www.snsyr.com> GET / HTTP/1.1
> User-Agent: curl/7.29.0
> Host:
www.baidu.com> Accept: */*
>
< HTTP/1.1 503 Service Unavailable
< Server: squid/3.5.20
< Mime-Version: 1.0
< Date: Thu, 11 Mar 2021 06:31:53 GMT
< Content-Type: text/html;charset=utf-8
< Content-Length: 3486
< X-Squid-Error: ERR_CONNECT_FAIL 111
< Vary: Accept-Language
< Content-Language: en
< X-Cache: MISS from parallels
< X-Cache-Lookup: NONE from parallels:3127
< Via: 1.1 parallels (squid/3.5.20)
< Connection: close
<
{ [data not shown]
* Closing connection 0
说明我用 nginx 实现类似功能的时候:
当我用 nginx 实现的时候如下日志:
node2 root@node2:~# curl -lv
https://www.baidu.com -svo /dev/null
* About to connect() to
www.baidu.com port 443 (#0)
* Trying 10.211.55.3...
* Connected to
www.baidu.com (10.211.55.3) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate:
* subject: CN=
baidu.com,O="Beijing Baidu Netcom Science Technology Co., Ltd",OU=service operation department,L=beijing,ST=beijing,C=CN
* start date: Apr 02 07:04:58 2020 GMT
* expire date: Jul 26 05:31:02 2021 GMT
* common name:
baidu.com* issuer: CN=GlobalSign Organization Validation CA - SHA256 - G2,O=GlobalSign nv-sa,C=BE
> GET / HTTP/1.1
> User-Agent: curl/7.29.0
> Host:
www.baidu.com> Accept: */*
>
< HTTP/1.1 200 OK
< Accept-Ranges: bytes
< Cache-Control: private, no-cache, no-store, proxy-revalidate, no-transform
< Connection: keep-alive
< Content-Length: 2443
< Content-Type: text/html
< Date: Thu, 11 Mar 2021 05:53:43 GMT
< Etag: "58860402-98b"
< Last-Modified: Mon, 23 Jan 2017 13:24:18 GMT
< Pragma: no-cache
< Server: bfe/1.0.8.18
< Set-Cookie: BDORZ=27315; max-age=86400; domain=.baidu.com; path=/
<
{ [data not shown]
* Connection #0 to host
www.baidu.com left intact
现在就是想要 squid 能实现 nginx 的这种功能
关于 nginx 配置可以参考
https://www.alibabacloud.com/blog/how-to-use-nginx-as-an-https-forward-proxy-server_595799