squid - 带有 SSLbump 和身份验证 403 的 Squid。这是一个封装的请求,不进行身份验证
问题描述
我的 squid v3.5.27 有问题。
squid.conf
acl auth proxy_auth REQUIRED
acl basicauth proxy_auth_regex -i service
http_access deny !auth
http_access deny basicauth
http_access allow all
http_port 0.0.0.0:3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/etc/squidCA.pem
ssl_bump bump all
sslproxy_cert_error deny all
sslproxy_flags DONT_VERIFY_PEER
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /etc/squid/ssl_db -M 10MB
我通过 USERTEST 进行了身份验证,但是当我尝试打开任何站点时得到 TCP_DENIED/403
访问日志:
17/May/2018:12:35:18 +0300 10.0.5.177 USERTEST TCP_DENIED/403 https://rbc.ru "-"
缓存日志:
2018/05/17 12:35:18.484 kid1| 28,3| Checklist.cc(70) preCheck: 0x38457c8 checking slow rules
2018/05/17 12:35:18.484 kid1| 28,5| Acl.cc(138) matches: checking http_access
2018/05/17 12:35:18.484 kid1| 28,5| Checklist.cc(400) bannedAction: Action 'DENIED/0' is not banned
2018/05/17 12:35:18.484 kid1| 28,5| Acl.cc(138) matches: checking http_access#1
2018/05/17 12:35:18.484 kid1| 28,5| Acl.cc(138) matches: checking !auth
2018/05/17 12:35:18.484 kid1| 28,5| Acl.cc(138) matches: checking auth
2018/05/17 12:35:18.484 kid1| 28,5| Acl.cc(36) AuthenticateAcl: SslBumped request: It is an encapsulated request do not authenticate
2018/05/17 12:35:18.484 kid1| 28,3| Acl.cc(158) matches: checked: auth = 1
2018/05/17 12:35:18.485 kid1| 28,3| Acl.cc(158) matches: checked: !auth = 0
2018/05/17 12:35:18.485 kid1| 28,3| Acl.cc(158) matches: checked: http_access#1 = 0
2018/05/17 12:35:18.485 kid1| 28,5| Checklist.cc(400) bannedAction: Action 'ALLOWED/0' is not banned
2018/05/17 12:35:18.485 kid1| 28,5| Acl.cc(138) matches: checking http_access#2
2018/05/17 12:35:18.485 kid1| 28,5| Acl.cc(138) matches: checking basicauth
2018/05/17 12:35:18.485 kid1| 28,5| Acl.cc(36) AuthenticateAcl: SslBumped request: It is an encapsulated request do not authenticate
2018/05/17 12:35:18.485 kid1| 28,3| Acl.cc(158) matches: checked: basicauth = 1
2018/05/17 12:35:18.485 kid1| 28,5| Acl.cc(138) matches: checking sites1
2018/05/17 12:35:18.485 kid1| 28,3| DomainData.cc(108) match: aclMatchDomainList: checking 'www.rbc.ru'
2018/05/17 12:35:18.485 kid1| 28,3| DomainData.cc(113) match: aclMatchDomainList: 'www.rbc.ru' NOT found
2018/05/17 12:35:18.485 kid1| 28,3| Acl.cc(158) matches: checked: sites1 = 0
2018/05/17 12:35:18.485 kid1| 28,3| Acl.cc(158) matches: checked: http_access#2 = 0
2018/05/17 12:35:18.485 kid1| 28,5| Checklist.cc(400) bannedAction: Action 'DENIED/0' is not banned
2018/05/17 12:35:18.485 kid1| 28,5| Acl.cc(138) matches: checking http_access#3
2018/05/17 12:35:18.485 kid1| 28,5| Acl.cc(138) matches: checking basicauth
2018/05/17 12:35:18.485 kid1| 28,5| Acl.cc(36) AuthenticateAcl: SslBumped request: It is an encapsulated request do not authenticate
2018/05/17 12:35:18.485 kid1| 28,3| Acl.cc(158) matches: checked: basicauth = 1
2018/05/17 12:35:18.485 kid1| 28,3| Acl.cc(158) matches: checked: http_access#3 = 1
2018/05/17 12:35:18.485 kid1| 28,3| Acl.cc(158) matches: checked: http_access = 1
2018/05/17 12:35:18.485 kid1| 28,3| Checklist.cc(63) markFinished: 0x38457c8 answer DENIED for match
2018/05/17 12:35:18.485 kid1| 28,3| Checklist.cc(163) checkCallback: ACLChecklist::checkCallback: 0x38457c8 answer=DENIED
2018/05/17 12:35:18.485 kid1| 28,5| Gadgets.cc(83) aclIsProxyAuth: aclIsProxyAuth: called for basicauth
2018/05/17 12:35:18.485 kid1| 28,9| Acl.cc(99) FindByName: ACL::FindByName 'basicauth'
2018/05/17 12:35:18.485 kid1| 28,5| Gadgets.cc(88) aclIsProxyAuth: aclIsProxyAuth: returning 1
2018/05/17 12:35:18.485 kid1| 28,8| Gadgets.cc(51) aclGetDenyInfoPage: got called for basicauth
2018/05/17 12:35:18.485 kid1| 28,8| Gadgets.cc(70) aclGetDenyInfoPage: aclGetDenyInfoPage: no match
如您所见,尽管我有不同的登录名,但我还是输入了 acl basicauth = 1和http_access#3 = 1 。如果我禁用 SSLbump - 一切正常。
有任何想法吗?谢谢
解决方案
你可以做这样的事情。
对于基本身份验证:
auth_param basic program /usr/bin/python /home/test/auth.py
auth_param basic realm Please enter username and password
auth_param basic children 100
auth_param basic credentialsttl 1 second
acl AuthUsers proxy_auth REQUIRED
在上面,test.py 表示您可以编写自定义 python 脚本进行身份验证,也可以使用任何其他方法。
对于 ssl-bump,您可以执行以下操作:
http_port 3128 ssl-bump cert=/etc/squid/ssl/myca.pem generate-host-
certificates=on dynamic_cert_mem_cache_size=4MB
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/spool/squid_ssldb -M 4MB
sslcrtd_children 5
acl tcp_level at_step SslBump1
ssl_bump peek tcp_level all
ssl_bump bump all
并允许访问
http_access allow AuthUsers
http_access deny all
推荐阅读
- laravel - 有什么方法可以将 foreach 值存储在数据库中
- c# - 数据类型 varchar 和 varchar 在减法运算符 c# web 服务中不兼容
- xamarin - 错误消息 APK 未安装在 Xamarin 表单中
- angular - Angular 中的 MIME 类型问题
- java - weblogic上的Rest API-将根据请求有效负载生成线程-如何控制线程数
- css - 使用类的列表中的 CSS 选择器
- geocoding - 我可以使用 Geocoder API 从 here.com 保存响应(特别是坐标)吗?
- php - 印度时区在默认 php 时区设置中落后 40 分钟
- java - @Autowired Spring Boot 组件在父基类中初始化,但在子类中恰好为 null
- ios - 在 Xcode 11 中,Live Preview 按钮下方的按钮是什么?