V2EX = way to explore
V2EX 是一个关于分享和探索的地方
现在注册
已注册用户请  登录
aibangjuxin
V2EX  ›  Squid

squid 正向代理问题

  •  
  •   aibangjuxin · 2021-03-11 15:41:16 +08:00 · 1305 次点击
    这是一个创建于 1383 天前的主题,其中的信息可能已经有所发展或是发生改变。
    请教下各位:最近被这个问题折腾的头大
    CentOS 7 10.211.55.3 直接 yum 安装
    # yum -y install squid
    查看版本:
    # squid -v
    Squid Cache: Version 3.5.20
    一个简化的配置
    sslproxy_cert_error allow all
    sslproxy_flags DONT_VERIFY_PEER
    sslproxy_version 4
    sslproxy_options ALL
    http_port 3127
    http_port 3128 transparent
    https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=16MB cert=/etc/squid/1_www.snsyr.com_bundle.crt key=/etc/squid/2_www.snsyr.com.key
    # SSL Bump Config
    ssl_bump stare all
    ssl_bump bump all
    说明及要求:
    这个主机不能开启 /proc/sys/net/ipv4/ip_forward
    其实如果可以开启这个参数,且 iptables 配置 nat 的情况下。局域网其他主机将网关指到这个 squid 所在的服务,那么是可以代理局域网主机上网的。
    现在的要求是:
    局域网主机 10.211.55.7 比如:
    # cat /etc/hosts|grep baidu
    10.211.55.3 www.baidu.com
    在这个主机:对 443 的请求转发到 3129
    iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-ports 3129

    现在的问题客户端访问百度报 503
    node2 root@node2:~# curl -klv https://www.baidu.com -svo /dev/null
    * About to connect() to www.baidu.com port 443 (#0)
    * Trying 10.211.55.3...
    * Connected to www.baidu.com (10.211.55.3) port 443 (#0)
    * Initializing NSS with certpath: sql:/etc/pki/nssdb
    * skipping SSL peer certificate verification
    * SSL connection using TLS_RSA_WITH_AES_256_GCM_SHA384
    * Server certificate:
    * subject: CN=www.baidu.com
    * start date: Oct 23 00:00:00 2020 GMT
    * expire date: Oct 22 23:59:59 2021 GMT
    * common name: www.baidu.com
    * issuer: CN=www.snsyr.com
    > GET / HTTP/1.1
    > User-Agent: curl/7.29.0
    > Host: www.baidu.com
    > Accept: */*
    >
    < HTTP/1.1 503 Service Unavailable
    < Server: squid/3.5.20
    < Mime-Version: 1.0
    < Date: Thu, 11 Mar 2021 06:31:53 GMT
    < Content-Type: text/html;charset=utf-8
    < Content-Length: 3486
    < X-Squid-Error: ERR_CONNECT_FAIL 111
    < Vary: Accept-Language
    < Content-Language: en
    < X-Cache: MISS from parallels
    < X-Cache-Lookup: NONE from parallels:3127
    < Via: 1.1 parallels (squid/3.5.20)
    < Connection: close
    <
    { [data not shown]
    * Closing connection 0

    说明我用 nginx 实现类似功能的时候:
    当我用 nginx 实现的时候如下日志:
    node2 root@node2:~# curl -lv https://www.baidu.com -svo /dev/null
    * About to connect() to www.baidu.com port 443 (#0)
    * Trying 10.211.55.3...
    * Connected to www.baidu.com (10.211.55.3) port 443 (#0)
    * Initializing NSS with certpath: sql:/etc/pki/nssdb
    * CAfile: /etc/pki/tls/certs/ca-bundle.crt
    CApath: none
    * SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    * Server certificate:
    * subject: CN=baidu.com,O="Beijing Baidu Netcom Science Technology Co., Ltd",OU=service operation department,L=beijing,ST=beijing,C=CN
    * start date: Apr 02 07:04:58 2020 GMT
    * expire date: Jul 26 05:31:02 2021 GMT
    * common name: baidu.com
    * issuer: CN=GlobalSign Organization Validation CA - SHA256 - G2,O=GlobalSign nv-sa,C=BE
    > GET / HTTP/1.1
    > User-Agent: curl/7.29.0
    > Host: www.baidu.com
    > Accept: */*
    >
    < HTTP/1.1 200 OK
    < Accept-Ranges: bytes
    < Cache-Control: private, no-cache, no-store, proxy-revalidate, no-transform
    < Connection: keep-alive
    < Content-Length: 2443
    < Content-Type: text/html
    < Date: Thu, 11 Mar 2021 05:53:43 GMT
    < Etag: "58860402-98b"
    < Last-Modified: Mon, 23 Jan 2017 13:24:18 GMT
    < Pragma: no-cache
    < Server: bfe/1.0.8.18
    < Set-Cookie: BDORZ=27315; max-age=86400; domain=.baidu.com; path=/
    <
    { [data not shown]
    * Connection #0 to host www.baidu.com left intact

    现在就是想要 squid 能实现 nginx 的这种功能

    关于 nginx 配置可以参考
    https://www.alibabacloud.com/blog/how-to-use-nginx-as-an-https-forward-proxy-server_595799
    目前尚无回复
    关于   ·   帮助文档   ·   博客   ·   API   ·   FAQ   ·   实用小工具   ·   1002 人在线   最高记录 6679   ·     Select Language
    创意工作者们的社区
    World is powered by solitude
    VERSION: 3.9.8.5 · 19ms · UTC 20:55 · PVG 04:55 · LAX 12:55 · JFK 15:55
    Developed with CodeLauncher
    ♥ Do have faith in what you're doing.