{ "version": "https://jsonfeed.org/version/1", "title": "Squid", "description": "Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more.", "home_page_url": "go/squid", "feed_url": "feed/squid.json", "icon": "https://cdn.v2ex.com/navatar/15de/21c6/555_large.png?m=1361089638", "favicon": "https://cdn.v2ex.com/navatar/15de/21c6/555_normal.png?m=1361089638", "items": [ { "author": { "url": "member/LeviMarvin", "name": "LeviMarvin", "avatar": "https://cdn.v2ex.com/avatar/2426/6c4f/526568_large.png?m=1773377792" }, "url": "t/950157", "title": "\u840c\u65b0\u5165\u5751\u6c42\u6307\u6559", "id": "t/950157", "date_published": "2023-06-19T19:25:40+00:00", "content_html": "

\u76ee\u524d\u60f3\u505a\u9ad8\u533f\u670d\u52a1\uff0c\u4e86\u89e3\u5230 squid \uff0c\u88c5\u597d\u540e\u4ed6\u7684\u914d\u7f6e\u6587\u4ef6\u592a\u957f\u592a\u591a\u4e86\uff0c\u60f3\u8981\u8bbe\u7f6e\u90fd\u5f97\u67e5\u8be2\u3001\u8df3\u8dc3\u597d\u591a\u6b21\u3002\u8bf7\u95ee\u6709\u6ca1\u6709\u6781\u81f4\u7cbe\u7b80\u7248\u7684\u5462\uff1f\n\u76ee\u524d\u8bbe\u8ba1\u7684\u7ed3\u6784\uff1a\nWWW <-> Server [Squid \u7aef <-> Gost \u7aef] <-> [Gost \u7aef <-> Client] END\n\u4e2d\u62ec\u53f7\u8868\u793a\u62ec\u53f7\u5185\u4e0d\u540c\u670d\u52a1\u90e8\u7f72\u5728\u540c\u4e00\u7aef\u3002

\n" }, { "author": { "url": "member/yazoox", "name": "yazoox", "avatar": "https://cdn.v2ex.com/avatar/7b39/2690/111562_large.png?m=1635297358" }, "url": "t/804686", "title": "(Squid) is not configured to allow SSL tunnel to port 80", "id": "t/804686", "date_published": "2021-09-27T10:10:07+00:00", "content_html": "

\u56e0\u4e3a\u4e00\u4e2a\u7ec4\u4ef6\u9700\u8981\u8bbf\u95ee dropbox \u7684 API,\u6240\u4ee5\uff0c\u4e34\u65f6\u642d\u4e00\u4e2a proxy\uff0c\u501f\u7528\u7f8e\u56fd\u540c\u4e8b\u7684\u673a\u5668\u3002

\n

\u6211\u7528\u7684\u8fd9\u4e2a docker image,
\ndocker run --name squid -d -p 8010:3128 Datadog/squid

\n

\u5728 chrome \u91cc\u9762\uff0c\u8bbe\u7f6e\u4e86 switchy omega \u5230\u8be5\u673a\u5668\u7684\u5730\u5740\u7aef\u53e3\uff0c\u80fd\u591f\u6b63\u5e38\u5de5\u4f5c\uff0c\u6253\u5f00\u6cb9\u7ba1\u5565\u7684, etc.

\n

\u5982\u679c\u6211\u7528 proxifier, protocol \u8bbe\u7f6e http \u6a21\u5f0f\uff0ccheck \u90fd\u901a\u8fc7\uff0c\u4f46\u662f\u8bbe\u7f6e\u6210 https\uff0c\u5c31\u4f1a\u62a5\u9519\u3002

\n

\n[43:29] Testing Started.\n\tProxy Server\n\tAddress:\t10.35.35.87:8010\n\tProtocol:\tHTTPS\n\tAuthentication: NO\n\n[43:29] Starting: Test 1: Connection to the Proxy Server\n[43:29] IP Address: 10.35.35.87\n[43:29] Connection established\n[43:29] Test passed.\n[43:29] Starting: Test 2: Connection through the Proxy Server\n\tError: the proxy server (Squid) is not configured to allow SSL tunnel to port 80.\n\tTo fix the problem please find and comment the following line in the Squid\n\tconfiguration file (squid.conf):\n\t\thttp_access deny CONNECT !SSL_ports\n\tThe proxy server reply header is:\n\t\tHTTP/1.1 403 Forbidden\n\t\tServer: squid/3.5.12\n\t\tMime-Version: 1.0\n\t\tDate: Mon, 27 Sep 2021 09:43:32 GMT\n\t\tContent-Type: text/html;charset=utf-8\n\t\tContent-Length: 3441\n\t\tX-Squid-Error: ERR_ACCESS_DENIED 0\n\t\tVary: Accept-Language\n\t\tContent-Language: en\n\t\tX-Cache: MISS from cf3b7970725b\n\t\tX-Cache-Lookup: NONE from cf3b7970725b:3128\n\t\tVia: 1.1 cf3b7970725b (squid/3.5.12)\n\t\tConnection: keep-alive\n[43:29] Test failed.\n[43:29] Testing Finished.\n

\n

\u63d0\u793a\u6211\u628a\u8fd9\u53e5\u914d\u7f6e\u6ce8\u91ca\u6389
\n\"http_access deny CONNECT !SSL_ports\"

\n

\u4e8e\u662f \uff0c\u6211\u53bb https://gist.github.com/sritchie/1357652 \u4e0b\u8f7d\u4e86\u4e00\u4e2a\u6837\u672c\uff0c\u628a\u201c\u5934\u201d\u90a3\u90e8\u5206\u5220\u9664\u6389\u4e86\u3002\n\u7136\u540e\u628a\u8fd9\u53e5\u7ed9#\u6ce8\u91ca\u6389\u4e86\u3002

\u4f46\u662f\u8c8c\u4f3c\u6ca1\u6709\u5565\u7528\u3002\u4e0d\u77e5\u9053\u662f\u4e0d\u662f\u8fd9\u4e2a.conf \u592a\u8001\u4e86\uff0c\u6216\u8005\u6709\u592a\u591a\u4e0d\u9700\u8981\u7684\u914d\u7f6e\u4e86\uff0c\u8fd8\u662f\u8bf4\uff0c\u8981\u8d70 https \u7684 protocol\uff0c\u5f97\u914d\u7f6e\u76f8\u5173\u7684 cert\uff0c\u7b49\u7b49?

\u4e0d\u77e5\u9053\u6709\u6ca1\u6709 squid \u4e13\u5bb6\uff0c\u6307\u70b9\u4e00\u4e0b

\u8c22\u8c22\uff01

\u914d\u7f6e\u5982\u4e0b\uff1a

# Squid normally listens to port 3128\nalways_direct allow all\nssl_bump bump all\nsslproxy_cert_error allow all\nhttp_port 3128 ssl-bump cert=/etc/squid/squid.pem key=/etc/squid/squid.pem generate-host-certificates=on optiOns=NO_SSLv2\n#http_port 3128\n\ncache_peer 127.0.0.1 parent 10809 0 no-query\nnever_direct allow all\n

\u6211\u6d4b\u8bd5\u4e86\u4e00\u4e0b\uff0c\u5b83\u5e76\u6ca1\u6709\u901a\u8fc7 127.0.0.1:10809 \u4e0a\u7f51\uff1f\u4f46\u662f\u8ba9\u6211\u6539\u6210\u5982\u4e0b\u65f6\uff0c\u5374\u751f\u6548\u4e86\u3002

http_port 3128\n\ncache_peer 127.0.0.1 parent 10809 0 no-query\nnever_direct allow all\n

\u8fd9\u662f\u4e3a\u4ec0\u4e48\uff1f

\u5b8c\u6574\u914d\u7f6e

#\n# Recommended minimum configuration:\n#\n\n# Example rule allowing access from your local networks.\n# Adapt to list your (internal) IP networks from where browsing\n# should be allowed\nacl localnet src 10.0.0.0/8\t# RFC1918 possible internal network\nacl localnet src 172.16.0.0/12\t# RFC1918 possible internal network\nacl localnet src 192.168.0.0/16\t# RFC1918 possible internal network\nacl localnet src fc00::/7 # RFC 4193 local private network range\nacl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines\n\nacl SSL_ports port 443\nacl Safe_ports port 80\t\t# http\nacl Safe_ports port 21\t\t# ftp\nacl Safe_ports port 443\t\t# https\nacl Safe_ports port 70\t\t# gopher\nacl Safe_ports port 210\t\t# wais\nacl Safe_ports port 1025-65535\t# unregistered ports\nacl Safe_ports port 280\t\t# http-mgmt\nacl Safe_ports port 488\t\t# gss-http\nacl Safe_ports port 591\t\t# filemaker\nacl Safe_ports port 777\t\t# multiling http\nacl CONNECT method CONNECT\n\n#\n# Recommended minimum Access Permission configuration:\n#\n# Deny requests to certain unsafe ports\nhttp_access deny !Safe_ports\n\n# Deny CONNECT to other than secure SSL ports\nhttp_access deny CONNECT !SSL_ports\n\n# Only allow cachemgr access from localhost\nhttp_access allow localhost manager\nhttp_access deny manager\n\n# We strongly recommend the following be uncommented to protect innocent\n# web applications running on the proxy server who think the only\n# one who can access services on \"localhost\" is a local user\n#http_access deny to_localhost\n\n#\n# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS\n#\n\n# Example rule allowing access from your local networks.\n# Adapt localnet in the ACL section to list your (internal) IP networks\n# from where browsing should be allowed\nhttp_access allow localnet\nhttp_access allow localhost\n\n# And finally deny all other access to this proxy\nhttp_access deny all\n\n# Squid normally listens to port 3128\nalways_direct allow all\nssl_bump bump all\nsslproxy_cert_error allow all\nhttp_port 3128 ssl-bump cert=/etc/squid/squid.pem key=/etc/squid/squid.pem generate-host-certificates=on optiOns=NO_SSLv2\n#http_port 3128\n\ncache_peer 127.0.0.1 parent 10809 0 no-query\nnever_direct allow all\n\n# Uncomment and adjust the following to add a disk cache directory.\ncache_dir ufs /var/cache/squid 100 16 256\n\n# Leave coredumps in the first cache dir\ncoredump_dir /var/cache/squid\n\n#\n# Add any of your own refresh_pattern entries above these.\n#\nrefresh_pattern ^ftp:\t\t1440\t20%\t10080\nrefresh_pattern ^gopher:\t1440\t0%\t1440\nrefresh_pattern -i (/cgi-bin/|\\?) 0\t0%\t0\nrefresh_pattern .\t\t0\t20%\t4320\n\ndns_nameservers 8.8.8.8\n

\u65b0\u624b\uff0c\u6628\u5929\u642d\u4e86\u4e00\u4e2a squid \uff0c\u51c6\u5907\u53ea\u5141\u8bb8\u81ea\u5df1\u7684 ip \u8fde\u63a5\uff0c\u4f46\u662f\u6ca1\u8bbe\u7f6e\u6210\u529f\uff0c\u4ee5\u4e0b\u662f\u6211\u7684\u914d\u7f6e\u6587\u4ef6\u3002

\u53ea\u5141\u8bb8\u6307\u5b9a ip \u5ba2\u6237\u7aef\u8fde\u63a5\u7684\u6b63\u786e\u65b9\u6cd5\u662f\u600e\u4e48\u8bbe
\n\u7f6e\u5462\uff1f

http_port 3128\nhttp_port 80\n\n# not display IP address\nforwarded_for off\n\n# header\nrequest_header_access Referer deny all\nrequest_header_access X-Forwarded-For deny all\nrequest_header_access Via deny all\nrequest_header_access Cache-Control deny all\n\nacl Safe_ports port 80 # http\nacl Safe_ports port 21 # ftp\nacl Safe_ports port 443 563 # https, snews\nacl Safe_ports port 70 # gopher\nacl Safe_ports port 210 # wais\nacl Safe_ports port 280 # http-mgmt\nacl Safe_ports port 488 # gss-http\nacl Safe_ports port 591 # filemaker\nacl Safe_ports port 777 # multiling http\nacl Safe_ports port 1025-65535 # unregistered ports\nacl SSL_ports port 443 563\nacl CONNECT method CONNECT\n#acl unicomip dst "/etc/squid3/unicomip"\n\n#http_access deny !unicomip\nhttp_access deny !Safe_ports\nhttp_access deny CONNECT !SSL_ports\n\ncache_peer 127.0.0.1 parent 8123 0 no-query no-digest round-robin weight=1 name=shadowsocks\n# \u9ed8\u8ba4\u8d70 shadowsocks, \u56fd\u5185 ip \u8d70\u56fd\u5185\nacl chinaip dst "/etc/squid3/chinaip"\nalways_direct allow chinaip\nnever_direct allow !chinaip\n

\u6700\u8fd1\u8981\u7528 squid \uff0c\u5e76\u4e14\u8981\u5e26\u5bc6\u7801\u8ba4\u8bc1

\u524d\u4e24\u5929\u8bd5\u7740\u642d\u5efa\u6210\u529f\u8fc7\uff0c\u4f46\u662f\u56e0\u4e3a\u673a\u5668\u539f\u56e0\uff0c\u914d\u7f6e\u6587\u4ef6\u4e22\u5931\uff0c\u4eca\u5929\u6309\u7167\u540c\u6837\u7684\u6b65\u9aa4\u91cd\u65b0\u914d\u7f6e\u4e4b\u540e\u6bcf\u6b21\u542f\u52a8\u90fd\u4f1a\u63d0\u793a
\nhelperOpenServers: Starting 0/5 'basic_ncsa_auth' processes
\nhelperOpenServers: No 'basic_ncsa_auth' processes needed.

\u7528\u7684\u662f http://www.cyberciti.biz/tips/linux-unix-squid-proxy-server-authentication.html \u7684\u6b65\u9aa4\uff0c\u548c\u4e4b\u524d\u4e00\u6837\u7684

\u914d\u7f6e\u6587\u4ef6\uff1a
\nacl localnet src 10.0.0.0/8 # RFC1918 possible internal network
\nacl localnet src 172.16.0.0/12 # RFC1918 possible internal network
\nacl localnet src 192.168.0.0/16 # RFC1918 possible internal network
\nacl localnet src fc00::/7 # RFC 4193 local private network range
\nacl localnet src fe80::/10 # RFC 4291 link-local (directly plugged ) machines

acl SSL_ports port 443
\nacl Safe_ports port 80 # http
\nacl Safe_ports port 21 # ftp
\nacl Safe_ports port 443 # https
\nacl Safe_ports port 70 # gopher
\nacl Safe_ports port 210 # wais
\nacl Safe_ports port 1025-65535 # unregistered ports
\nacl Safe_ports port 280 # http-mgmt
\nacl Safe_ports port 488 # gss-http
\nacl Safe_ports port 591 # filemaker
\nacl Safe_ports port 777 # multiling http
\nacl CONNECT method CONNECT

http_access deny !Safe_ports
\nhttp_access deny CONNECT !SSL_ports
\nhttp_access allow localhost manager
\nhttp_access deny manager

http_access allow localnet
\nhttp_access allow localhost

http_access deny all

https_port 9000

auth_param basic program /usr/lib64/squid/basic_ncsa_auth /etc/squid/users
\nauth_param basic children 5
\nauth_param basic credentialsttl 2 hours
\nacl Admin proxy_auth REQUIRED
\nhttp_access allow Admin
\nhttp_access deny all

coredump_dir /var/spool/squid

refresh_pattern ^ftp: 1440 20% 10080
\nrefresh_pattern ^gopher: 1440 0% 1440
\nrefresh_pattern -i (/cgi-bin/|\\?) 0 0% 0
\nrefresh_pattern . 0 20% 4320

/etc/squid/users \u8fd9\u4e2a\u6587\u4ef6\u662f\u5b58\u5728\u7684\uff0c\u7ecf\u8fc7\u6d4b\u8bd5\u6709\u6548\uff0c\u5185\u542b Admin \u7528\u6237\u5bc6\u7801\u4fe1\u606f

\u9664\u4e86\u5f00\u5934\u63d0\u5230\u7684\u4e00\u53e5\u63d0\u793a\u4ee5\u5916\u65e0\u4efb\u4f55\u9519\u8bef\u4fe1\u606f\uff0c\u6298\u817e\u4e00\u5929\uff0c\u6362\u4e86\u4e0d\u540c\u673a\u5668\uff0c\u4e0d\u540c\u7248\u672c\uff0c\u767e\u601d\u4e0d\u5f97\u5176\u89e3\uff0c\u5230\u5e95\u54ea\u91cc\u9519\u4e86\uff1f...