小贝子编程

Squid SslBump Peek和Slice导致HTTPS连接的OpenSSL SSL_connect:SSL_ER



我正试图在AWS EC2上使用Squid v3.5使用透明代理设置DNS过滤。它适用于HTTP流量,但不适用于HTTPS流量。对于HTTPS流量,我观察到以下内容:

  1. 对于不在允许列表中的网站,我会立即获得curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to google.com:443
  2. 对于允许列表中的网站,连接长时间处于TLSv1.2 (OUT), TLS handshake, Client hello (1):状态。然后最后抛出一个curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to example.com:443

鱿鱼设置

Squid的版本是3.5.20和编译的--with-openssl(我是从百胜安装的,自己没有编译(。squid -v的全部输出如下所示:

Squid Cache: Version 3.5.20
Service Name: squid
configure options:  '--build=x86_64-koji-linux-gnu' '--host=x86_64-koji-linux-gnu' '--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--disable-strict-error-checking' '--exec_prefix=/usr' '--libexecdir=/usr/lib64/squid' '--localstatedir=/var' '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid' '--with-logdir=$(localstatedir)/log/squid' '--with-pidfile=$(localstatedir)/run/squid.pid' '--disable-dependency-tracking' '--enable-eui' '--enable-follow-x-forwarded-for' '--enable-auth' '--enable-auth-basic=DB,LDAP,MSNT-multi-domain,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB,SMB_LM,getpwnam' '--enable-auth-ntlm=smb_lm,fake' '--enable-auth-digest=file,LDAP,eDirectory' '--enable-auth-negotiate=kerberos' '--enable-external-acl-helpers=file_userip,LDAP_group,time_quota,session,unix_group,wbinfo_group,kerberos_ldap_group' '--enable-cache-digests' '--enable-cachemgr-hostname=localhost' '--enable-delay-pools' '--enable-epoll' '--enable-ident-lookups' '--enable-linux-netfilter' '--enable-removal-policies=heap,lru' '--enable-snmp' '--enable-ssl-crtd' '--enable-storeio=aufs,diskd,rock,ufs' '--enable-wccpv2' '--enable-esi' '--enable-ecap' '--with-aio' '--with-default-user=squid' '--with-dl' '--with-openssl' '--with-pthreads' '--disable-arch-native' 'build_alias=x86_64-koji-linux-gnu' 'host_alias=x86_64-koji-linux-gnu' 'CFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches    -m64 -mtune=generic -fpie' 'LDFLAGS=-Wl,-z,relro  -pie -Wl,-z,relro -Wl,-z,now' 'CXXFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches    -m64 -mtune=generic -fpie' 'PKG_CONFIG_PATH=:/usr/lib64/pkgconfig:/usr/share/pkgconfig'

squid.conf如下所示:

visible_hostname squid
cache deny all
# Log format and rotation
logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %ssl::>sni %Sh/%<a %mt
logfile_rotate 10
debug_options rotate=10
# Handle HTTP requests
http_port 3128
http_port 3129 intercept
# Handle HTTPS requests
https_port 3130 cert=/etc/squid/ssl/squid.pem ssl-bump intercept
acl SSL_port port 443
http_access allow SSL_port
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
ssl_bump peek step1 all
# Deny requests to proxy instance metadata
acl instance_metadata dst 169.254.169.254
http_access deny instance_metadata
# Filter HTTP requests based on the allowlist
acl allowed_http_sites dstdomain "/etc/squid/allowlist.txt"
http_access allow allowed_http_sites
# Filter HTTPS requests based on the allowlist
acl allowed_https_sites ssl::server_name "/etc/squid/allowlist.txt"
ssl_bump peek step2 allowed_https_sites
ssl_bump splice step3 allowed_https_sites
ssl_bump terminate step2 all
http_access deny all

iptables:

iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3129
iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 3130

AWS EC2/VPC设置

  1. squid代理EC2实例在公用子网中
  2. squid代理EC2实例已禁用源/目标检查
  3. 客户端EC2实例在另一个公用子网中
  4. 这些EC2实例的安全组允许所有内部入站流量(基于私有IP(,并允许所有出站流量

路由表:

  1. squid子网的路由:https://i.stack.imgur.com/IY3MG.jpg
  2. 客户端子网的路由:https://i.stack.imgur.com/5Zkmq.jpg(ENI ID用于squid代理的EC2(
如图所示,iptables规则将匹配80和443端口上的任何http/https流量,包括squid自身启动到目标资源的连接。

您需要添加&quot--uid所有者{squid uid}"或"--uid所有者{initiator uid}"选项到iptables命令行,因此它将匹配";不是squid发起的连接";或";由{initiator uid}"标识的特定进程发起的连接;只有

所以它们应该如下:

iptables -t nat -A PREROUTING -p tcp ! --uid-owner {squid uid} --dport 80 -j REDIRECT --to-port 3129
iptables -t nat -A PREROUTING -p tcp ! --uid-owner {squid uid} --dport 443 -j REDIRECT --to-port 3130


iptables -t nat -A PREROUTING -p tcp --uid-owner {initiator uid} --dport 80 -j REDIRECT --to-port 3129
iptables -t nat -A PREROUTING -p tcp --uid-owner {initiator uid} --dport 443 -j REDIRECT --to-port 3130

相关内容

最新更新


热门标签:

javascript python java c# php android html jquery c++ css ios sql mysql arrays asp.net json python-3.x ruby-on-rails .net sql-server django objective-c excel regex ruby linux ajax iphone xml vba spring asp.net-mvc database wordpress string postgresql wpf windows xcode bash git oracle list vb.net multithreading eclipse algorithm macos powershell visual-studio image forms numpy scala function api selenium