"intercepted port does not match 443" error when accessing HTTPS sites through Squid (http 3127 intercept)


I am trying to set up web filtering with the Squid software using a transparent forwarding proxy (the "intercept" feature), and I am specifically interested in filtering HTTPS-over-HTTP connections.

I configured Squid following the instructions on http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxLocalhost, and while testing connections to "http://example.com" and "https://example.com":

  1. Each of these commands (
    curl -x localhost:3128 http://example.com
    curl -x localhost:3128 https://example.com
    curl -x localhost:3127 http://example.com
    ) returns a successful request/response similar to the following:
root@squid:~# curl -v -x localhost:3128 https://example.com
*   Trying 127.0.0.1:3128...
* Connected to localhost (127.0.0.1) port 3128 (#0)
* allocate connect buffer!
* Establish HTTP proxy tunnel to example.com:443
> CONNECT example.com:443 HTTP/1.1
> Host: example.com:443
> User-Agent: curl/7.74.0
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 Connection established
<
* Proxy replied 200 to CONNECT request
* CONNECT phase completed!
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* CONNECT phase completed!
* CONNECT phase completed!
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: C=US; ST=California; L=Los Angeles; O=Internet Corporation for Assigned Names and Numbers; CN=www.example.org
*  start date: <REDACTED_TIMESTAMP> GMT
*  expire date: <REDACTED_TIMESTAMP> GMT
*  subjectAltName: host "example.com" matched cert's "example.com"
*  issuer: C=US; O=DigiCert Inc; CN=DigiCert TLS RSA SHA256 2020 CA1
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x5621b60e0af0)
> GET / HTTP/2
> Host: example.com
> user-agent: curl/7.74.0
> accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Connection state changed (MAX_CONCURRENT_STREAMS == 100)!
< HTTP/2 200
< age: 476096
< cache-control: max-age=604800
< content-type: text/html; charset=UTF-8
< date: <REDACTED>
< etag: "3147526947+ident"
< expires: Sun, <REDACTED> GMT
< last-modified: Thu, <REDACTED> GMT
< server: ECS (<REDACTED>)
< vary: Accept-Encoding
< x-cache: HIT
< content-length: 1256
<
<!doctype html>
<html>
<head>
<REDACTED>
</head>

<body>
<div>
    <h1>Example Domain</h1>
    <p>This domain is for use in illustrative examples in documents. You may use this
    domain in literature without prior coordination or asking for permission.</p>
    <p><a href="https://www.iana.org/domains/example">More information...</a></p>
</div>
</body>
</html>
* Connection #0 to host localhost left intact

  2. However, for all the different HTTPS URLs I have tried, the command
    curl -x localhost:3127 https://example.com
    keeps failing:
root@squid:~# curl -v -x localhost:3127 https://example.com
*   Trying 127.0.0.1:3127...
* Connected to localhost (127.0.0.1) port 3127 (#0)
* allocate connect buffer!
* Establish HTTP proxy tunnel to example.com:443
> CONNECT example.com:443 HTTP/1.1
> Host: example.com:443
> User-Agent: curl/7.74.0
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 409 Conflict
< Server: squid/4.13
< Mime-Version: 1.0
< Date: <REDACTED_TIMESTAMP> GMT
< Content-Type: text/html;charset=utf-8
< Content-Length: 3714
< X-Squid-Error: ERR_CONFLICT_HOST 0
< Vary: Accept-Language
< Content-Language: en
< X-Cache: MISS from squid
< X-Cache-Lookup: NONE from squid:3128
< Via: 1.1 squid (squid/4.13)
< Connection: keep-alive
<
* Received HTTP code 409 from proxy after CONNECT
* CONNECT phase completed!
* Closing connection 0
curl: (56) Received HTTP code 409 from proxy after CONNECT

  3. Squid's cache.log keeps logging a "SECURITY ALERT", but only when the following command is run:
    curl -x localhost:3127 https://example.com
==> /var/log/squid/access.log <==
<REDACTED_TIMESTAMP>      0 127.0.0.1 TCP_MEM_HIT/200 1787 GET http://example.com/ - HIER_NONE/- text/html
<REDACTED_TIMESTAMP>    407 127.0.0.1 TCP_TUNNEL/200 5975 CONNECT example.com:443 - HIER_DIRECT/93.184.216.34 -
<REDACTED_TIMESTAMP>      0 127.0.0.1 TCP_MEM_HIT/200 1787 GET http://example.com/ - HIER_NONE/- text/html

==> /var/log/squid/cache.log <==
<REDACTED_TIMESTAMP> kid1| SECURITY ALERT: Host header forgery detected on local=127.0.0.1:3127 remote=127.0.0.1:36468 FD 48 flags=33 (intercepted port does not match 443)
<REDACTED_TIMESTAMP> kid1| SECURITY ALERT: By user agent: curl/7.74.0
<REDACTED_TIMESTAMP> kid1| SECURITY ALERT: on URL: example.com:443
<REDACTED_TIMESTAMP> kid1| kick abandoning local=127.0.0.1:3127 remote=127.0.0.1:36468 FD 48 flags=33

==> /var/log/squid/access.log <==
<REDACTED_TIMESTAMP>      0 127.0.0.1 NONE/409 4074 CONNECT example.com:443 - HIER_NONE/- text/html

Environment information

debian11, VM, iptables v1.8.7
....
Squid Cache: Version 4.13
Service Name: squid
Debian linux
configure options:  '--build=x86_64-linux-gnu' '--prefix=/usr' '--includedir=${prefix}/include' '--mandir=${prefix}/share/man' '--infodir=${prefix}/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--disable-option-checking' '--disable-silent-rules' '--libdir=${prefix}/lib/x86_64-linux-gnu' '--runstatedir=/run' '--disable-maintainer-mode' '--disable-dependency-tracking' 'BUILDCXXFLAGS=-g -O2 -ffile-prefix-map=/build/squid-Nhk3MN/squid-4.13=. -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -Wl,-z,relro -Wl,-z,now ' 'BUILDCXX=g++' '--with-build-environment=default' '--enable-build-info=Debian linux' '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid' '--libexecdir=/usr/lib/squid' '--mandir=/usr/share/man' '--enable-inline' '--disable-arch-native' '--enable-async-io=8' '--enable-storeio=ufs,aufs,diskd,rock' '--enable-removal-policies=lru,heap' '--enable-delay-pools' '--enable-cache-digests' '--enable-icap-client' '--enable-follow-x-forwarded-for' '--enable-auth-basic=DB,fake,getpwnam,LDAP,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB' '--enable-auth-digest=file,LDAP' '--enable-auth-negotiate=kerberos,wrapper' '--enable-auth-ntlm=fake,SMB_LM' '--enable-external-acl-helpers=file_userip,kerberos_ldap_group,LDAP_group,session,SQL_session,time_quota,unix_group,wbinfo_group' '--enable-security-cert-validators=fake' '--enable-storeid-rewrite-helpers=file' '--enable-url-rewrite-helpers=fake' '--enable-eui' '--enable-esi' '--enable-icmp' '--enable-zph-qos' '--enable-ecap' '--disable-translation' '--with-swapdir=/var/spool/squid' '--with-logdir=/var/log/squid' '--with-pidfile=/run/squid.pid' '--with-filedescriptors=65536' '--with-large-files' '--with-default-user=proxy' '--enable-linux-netfilter' '--with-systemd' '--with-openssl' '--enable-ssl-crtd' 'build_alias=x86_64-linux-gnu' 'CFLAGS=-g -O2 -ffile-prefix-map=/build/squid-Nhk3MN/squid-4.13=. 
-fstack-protector-strong -Wformat -Werror=format-security -Wall' 'LDFLAGS=-Wl,-z,relro -Wl,-z,now ' 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2' 'CXXFLAGS=-g -O2 -ffile-prefix-map=/build/squid-Nhk3MN/squid-4.13=. -fstack-protector-strong -Wformat -Werror=format-security'

squid.conf contents:

acl localnet src 0.0.0.1-0.255.255.255
acl localnet src 10.0.0.0/8
acl localnet src 100.64.0.0/10
acl localnet src 169.254.0.0/16
acl localnet src 172.16.0.0/12
acl localnet src 192.168.0.0/16
acl localnet src 127.0.0.1
acl localnet src fc00::/7
acl localnet src fe80::/10
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 21
acl Safe_ports port 443
acl Safe_ports port 70
acl Safe_ports port 210
acl Safe_ports port 1025-65535
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
include /etc/squid/conf.d/*
http_access allow localhost
http_access allow localnet
http_access deny all

http_port 3127 intercept
http_port 3128
visible_hostname squid

ps -efww|grep squid output:

root@squid:~# ps -efww|grep squid
root         861       1  0 17:30 ?        00:00:00 squid
proxy        863     861  0 17:30 ?        00:00:00 (squid-1) --kid squid-1
proxy       1698     863  0 18:31 ?        00:00:00 (logfile-daemon) /var/log/squid/access.log
root        2200    2179  0 18:38 pts/0    00:00:00 tail -f /var/log/squid/access.log /var/log/squid/access.log.1 /var/log/squid/cache.log /var/log/squid/cache.log.1
root        2337    2191  0 19:56 pts/1    00:00:00 grep squid

iptables-save output:

root@squid:~# iptables-save
*mangle
:PREROUTING ACCEPT [3693:2795934]
:INPUT ACCEPT [3693:2795934]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [3294:1785992]
:POSTROUTING ACCEPT [3294:1785992]
COMMIT
*filter
:INPUT ACCEPT [3693:2795934]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [3294:1785992]
COMMIT
*nat
:PREROUTING ACCEPT [2:128]
:INPUT ACCEPT [2:128]
:OUTPUT ACCEPT [78:5467]
:POSTROUTING ACCEPT [87:6007]
-A PREROUTING -i ens5 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3127
-A OUTPUT -p tcp -m tcp --dport 80 -m owner --gid-owner 13 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j DNAT --to-destination 127.0.0.1:3127
COMMIT

netstat -tulpn|grep squid output:

root@squid:~# netstat -tulpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp6       0      0 :::3127                 :::*                    LISTEN      863/(squid-1)
tcp6       0      0 :::3128                 :::*                    LISTEN      863/(squid-1)
udp        0      0 0.0.0.0:57054           0.0.0.0:*                           863/(squid-1)  
udp6       0      0 :::42514                :::*                                863/(squid-1)

ifconfig output:

root@squid:~# ifconfig
ens5: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 9001
        inet <REDACTED_PRIVATE_IP>  netmask 255.255.240.0  broadcast <REDACTED_PRIVATE_IP>
        inet6 fe80::83b:c9ff:fe75:bdfe  prefixlen 64  scopeid 0x20<link>
        ether 0a:3b:c9:75:bd:fe  txqueuelen 1000  (Ethernet)
        RX packets 18848  bytes 2857672 (2.7 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 15182  bytes 2744647 (2.6 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 2708  bytes 2002622 (1.9 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 2708  bytes 2002622 (1.9 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Questions

  1. What is the cause of the error
    intercepted port does not match 443
    , and why does
    curl -v -x localhost:3127 http://example.com
    keep succeeding while
    curl -v -x localhost:3127 https://example.com
    does not (the same port, configured with "intercept")?
  2. How can this be solved in the current setup?
  3. In the current Squid v4.13, which specific feature allows instructing Squid to block a client's HTTPS-over-HTTP request only when the request carries an SSL certificate signed by a CA that Squid has not validated, and how is it configured?

Note: I have looked at the following and many other posts, but none of the solutions worked: http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxLocalhost | http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect | https://wiki.squid-cache.org/SquidFaq/InterceptionProxy
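As an added example (not code from the question or from the Squid project), the following Python groups the three-line "SECURITY ALERT: Host header forgery" records that Squid writes to cache.log, as shown above, and extracts the intercept listener's port together with the port the client's request named, so that such mismatches can be counted or alerted on. The sample log lines are constructed to mirror the question's excerpt.

```python
import re

# Constructed sample modelled on the cache.log excerpt in the question (timestamps made up).
SAMPLE_CACHE_LOG = """\
2024/01/01 12:00:00 kid1| SECURITY ALERT: Host header forgery detected on local=127.0.0.1:3127 remote=127.0.0.1:36468 FD 48 flags=33 (intercepted port does not match 443)
2024/01/01 12:00:00 kid1| SECURITY ALERT: By user agent: curl/7.74.0
2024/01/01 12:00:00 kid1| SECURITY ALERT: on URL: example.com:443
2024/01/01 12:00:00 kid1| kick abandoning local=127.0.0.1:3127 remote=127.0.0.1:36468 FD 48 flags=33
2024/01/01 12:00:05 kid1| SECURITY ALERT: Host header forgery detected on local=127.0.0.1:3127 remote=127.0.0.1:36470 FD 49 flags=33 (intercepted port does not match 443)
2024/01/01 12:00:05 kid1| SECURITY ALERT: By user agent: curl/7.74.0
2024/01/01 12:00:05 kid1| SECURITY ALERT: on URL: example.org:443
"""

ALERT_RE = re.compile(
    r"Host header forgery detected on local=(?P<local>[\d.]+:\d+) "
    r"remote=(?P<remote>[\d.]+:\d+) .*\((?P<reason>[^)]*)\)$"
)
UA_RE = re.compile(r"SECURITY ALERT: By user agent: (?P<ua>.*)$")
URL_RE = re.compile(r"SECURITY ALERT: on URL: (?P<url>\S+)$")


def parse_forgery_alerts(log_text):
    """Group each multi-line forgery alert into one record.

    The first SECURITY ALERT line carries the intercepted (local) socket and
    the reason; the next two carry the User-Agent and the requested URL.
    """
    records = []
    for line in log_text.splitlines():
        if m := ALERT_RE.search(line):
            records.append({"local": m["local"], "remote": m["remote"],
                            "reason": m["reason"], "ua": None, "url": None})
        elif records and (m := UA_RE.search(line)):
            records[-1]["ua"] = m["ua"]
        elif records and (m := URL_RE.search(line)):
            records[-1]["url"] = m["url"]
    return records


def port_mismatches(records):
    """Return (listener_port, requested_port) pairs for port-mismatch alerts.

    ('3127', '443') means a request naming port 443 reached the intercept
    listener while the intercepted connection's destination port was not 443.
    """
    out = []
    for r in records:
        m = re.search(r"intercepted port does not match (\d+)", r["reason"])
        if m:
            out.append((r["local"].rsplit(":", 1)[1], m.group(1)))
    return out
```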

linux ssl curl proxy squid