LINUX.ORG.RU
ФорумAdmin

Как настроить SQUID и HTTPS?

 ,


0

2

На сервере стоит ubuntu 20.04, пытаюсь сделать себе прокси и чтобы https работал. Нашёл несколько статей, все они примерно одинакового содержания, как вот эта тема. В итоге у меня https через прокси не работает.

squid --version
Squid Cache: Version 4.13
Service Name: squid
Ubuntu linux

This binary uses OpenSSL 1.1.1f  31 Mar 2020. For legal restrictions on distribution see https://www.openssl.org/source/license.html

configure options:  '--build=x86_64-linux-gnu' '--prefix=/usr' '--includedir=${prefix}/include' '--mandir=${prefix}/share/man' '--infodir=${prefix}/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--disable-silent-rules' '--libdir=${prefix}/lib/x86_64-linux-gnu' '--runstatedir=/run' '--disable-maintainer-mode' '--disable-dependency-tracking' 'BUILDCXXFLAGS=-g -O2 -fdebug-prefix-map=/home/builder/ubuntu20/build/squid/squid-4.13=. -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,-z,now ' 'BUILDCXX=g++' '--with-build-environment=default' '--enable-build-info=Ubuntu linux' '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid' '--libexecdir=/usr/lib/squid' '--mandir=/usr/share/man' '--enable-inline' '--disable-arch-native' '--enable-async-io=8' '--enable-storeio=ufs,aufs,diskd,rock' '--enable-removal-policies=lru,heap' '--enable-delay-pools' '--enable-cache-digests' '--enable-icap-client' '--enable-ssl' '--enable-follow-x-forwarded-for' '--enable-auth-basic=DB,fake,getpwnam,LDAP,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB' '--enable-auth-digest=file,LDAP' '--enable-auth-negotiate=kerberos,wrapper' '--enable-auth-ntlm=fake,SMB_LM' '--enable-external-acl-helpers=file_userip,kerberos_ldap_group,LDAP_group,session,SQL_session,time_quota,unix_group,wbinfo_group' '--enable-security-cert-validators=fake' '--enable-storeid-rewrite-helpers=file' '--enable-url-rewrite-helpers=fake' '--enable-eui' '--enable-esi' '--enable-icmp' '--enable-zph-qos' '--enable-ecap' '--disable-translation' '--with-swapdir=/var/spool/squid' '--with-logdir=/var/log/squid' '--with-pidfile=/run/squid.pid' '--with-filedescriptors=65536' '--with-large-files' '--with-default-user=proxy' '--enable-linux-netfilter' '--with-systemd' '--with-openssl' '--enable-ssl-crtd' 'build_alias=x86_64-linux-gnu' 'CFLAGS=-g -O2 -fdebug-prefix-map=/home/builder/ubuntu20/build/squid/squid-4.13=. -fstack-protector-strong -Wformat -Werror=format-security -Wall' 'LDFLAGS=-Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,-z,now ' 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2' 'CXXFLAGS=-g -O2 -fdebug-prefix-map=/home/builder/ubuntu20/build/squid/squid-4.13=. -fstack-protector-strong -Wformat -Werror=format-security'

Конфиг:

auth_param basic program /usr/lib/squid3/basic_ncsa_auth /etc/squid/passwords
auth_param basic realm proxy
acl authenticated proxy_auth REQUIRED
acl all src all

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
#http_access allow localnet
http_access allow localhost

http_access allow authenticated
http_access allow all

# And finally deny all other access to this proxy
http_access deny all

http_port 3128 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/certs/squidca.pem

acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER # Accept certificates that fail verification.

sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/spool/squid/ssl_db/ -M 4MB

Сертификат сгенерировал так:

cd /etc/squid/certs/

sudo openssl req -new -newkey rsa:2048 -days 3650 -nodes -x509 -keyout squidca.pem -out squidca.pem

sudo openssl x509 -outform der -in squidca.pem -out squidca.crt

Затем скопировал его в /etc/pki/ca-trust/source/anchors/squidca.crt у себя локально и выполнил sudo update-ca-trust, так же пробовал импортировать непосредственно в браузер (в authorities). Firefox, например, говорит:

Secure Connection Failed

An error occurred during a connection to duckduckgo.com. PR_CONNECT_RESET_ERROR

    The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
    Please contact the website owners to inform them of this problem.

CURL вообще записает:

curl --proxy https://xxx.xxx.xxx.xxx:3128 -u 'user:password' https://google.com -vvv
*   Trying xxx.xxx.xxx.xxx:3128...
* Connected to xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx) port 3128 (#0)
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/pki/tls/certs/ca-bundle.crt
*  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):

Логи запуска:

-- The job identifier is 458725.
Mar 29 08:05:51 ubuntu-server squid[1508803]: 2022/03/29 08:05:51| WARNING: (B) '::/0' is a subnetwork of (A) '::/0'
Mar 29 08:05:51 ubuntu-server squid[1508803]: 2022/03/29 08:05:51| WARNING: because of this '::/0' is ignored to keep splay tree searching predictable
Mar 29 08:05:51 ubuntu-server squid[1508803]: 2022/03/29 08:05:51| WARNING: You should probably remove '::/0' from the ACL named 'all'
Mar 29 08:05:51 ubuntu-server squid[1508803]: 2022/03/29 08:05:51| ERROR: Directive 'sslproxy_flags' is obsolete.
Mar 29 08:05:51 ubuntu-server squid[1508803]: 2022/03/29 08:05:51| Created PID file (/run/squid.pid)
Mar 29 08:05:51 ubuntu-server squid[1508803]: Squid Parent: will start 1 kids
Mar 29 08:05:51 ubuntu-server squid[1508803]: Squid Parent: (squid-1) process 1508819 started
Mar 29 08:05:51 ubuntu-server squid[1508819]: 2022/03/29 08:05:51 kid1| WARNING: (B) '::/0' is a subnetwork of (A) '::/0'
Mar 29 08:05:51 ubuntu-server squid[1508819]: 2022/03/29 08:05:51 kid1| WARNING: because of this '::/0' is ignored to keep splay tree searching predictable
Mar 29 08:05:51 ubuntu-server squid[1508819]: 2022/03/29 08:05:51 kid1| WARNING: You should probably remove '::/0' from the ACL named 'all'
Mar 29 08:05:51 ubuntu-server squid[1508819]: 2022/03/29 08:05:51 kid1| ERROR: Directive 'sslproxy_flags' is obsolete.
Mar 29 08:05:51 ubuntu-server squid[1508819]: 2022/03/29 08:05:51 kid1| Set Current Directory to /var/spool/squid
Mar 29 08:05:51 ubuntu-server squid[1508819]: 2022/03/29 08:05:51 kid1| Creating missing swap directories
Mar 29 08:05:51 ubuntu-server squid[1508819]: 2022/03/29 08:05:51 kid1| No cache_dir stores are configured.
Mar 29 08:05:51 ubuntu-server squid[1508803]: Squid Parent: squid-1 process 1508819 exited with status 0
Mar 29 08:05:51 ubuntu-server squid[1508803]: 2022/03/29 08:05:51| Removing PID file (/run/squid.pid)
Mar 29 08:05:51 ubuntu-server squid[1508821]: 2022/03/29 08:05:51| WARNING: (B) '::/0' is a subnetwork of (A) '::/0'
Mar 29 08:05:51 ubuntu-server squid[1508821]: WARNING: (B) '::/0' is a subnetwork of (A) '::/0'
Mar 29 08:05:51 ubuntu-server squid[1508821]: 2022/03/29 08:05:51| WARNING: because of this '::/0' is ignored to keep splay tree searching predictable
Mar 29 08:05:51 ubuntu-server squid[1508821]: WARNING: because of this '::/0' is ignored to keep splay tree searching predictable
Mar 29 08:05:51 ubuntu-server squid[1508821]: 2022/03/29 08:05:51| WARNING: You should probably remove '::/0' from the ACL named 'all'
Mar 29 08:05:51 ubuntu-server squid[1508821]: WARNING: You should probably remove '::/0' from the ACL named 'all'
Mar 29 08:05:51 ubuntu-server squid[1508821]: 2022/03/29 08:05:51| ERROR: Directive 'sslproxy_flags' is obsolete.
Mar 29 08:05:51 ubuntu-server squid[1508821]: ERROR: Directive 'sslproxy_flags' is obsolete.
Mar 29 08:05:51 ubuntu-server squid[1508821]: Created PID file (/run/squid.pid)
Mar 29 08:05:51 ubuntu-server squid[1508821]: Squid Parent: will start 1 kids
Mar 29 08:05:51 ubuntu-server squid[1508821]: Squid Parent: (squid-1) process 1508823 started
Mar 29 08:05:51 ubuntu-server (squid-1)[1508823]: WARNING: (B) '::/0' is a subnetwork of (A) '::/0'
Mar 29 08:05:51 ubuntu-server (squid-1)[1508823]: WARNING: because of this '::/0' is ignored to keep splay tree searching predictable
Mar 29 08:05:51 ubuntu-server (squid-1)[1508823]: WARNING: You should probably remove '::/0' from the ACL named 'all'
Mar 29 08:05:51 ubuntu-server (squid-1)[1508823]: ERROR: Directive 'sslproxy_flags' is obsolete.
Mar 29 08:05:51 ubuntu-server squid[1508823]: Set Current Directory to /var/spool/squid
Mar 29 08:05:51 ubuntu-server squid[1508823]: Starting Squid Cache version 4.13 for x86_64-pc-linux-gnu...
Mar 29 08:05:51 ubuntu-server squid[1508823]: Service Name: squid
Mar 29 08:05:51 ubuntu-server squid[1508823]: Process ID 1508823
Mar 29 08:05:51 ubuntu-server squid[1508823]: Process Roles: worker
Mar 29 08:05:51 ubuntu-server squid[1508823]: With 1024 file descriptors available
Mar 29 08:05:51 ubuntu-server squid[1508823]: Initializing IP Cache...
Mar 29 08:05:51 ubuntu-server squid[1508823]: DNS Socket created at [::], FD 5
Mar 29 08:05:51 ubuntu-server squid[1508823]: DNS Socket created at 0.0.0.0, FD 10
Mar 29 08:05:51 ubuntu-server squid[1508823]: Adding nameserver 127.0.0.53 from /etc/resolv.conf
Mar 29 08:05:51 ubuntu-server squid[1508823]: helperOpenServers: Starting 5/32 'security_file_certgen' processes
Mar 29 08:05:51 ubuntu-server squid[1508823]: helperOpenServers: Starting 0/20 'basic_ncsa_auth' processes
Mar 29 08:05:51 ubuntu-server squid[1508823]: helperOpenServers: No 'basic_ncsa_auth' processes needed.
Mar 29 08:05:51 ubuntu-server squid[1508823]: Logfile: opening log daemon:/var/log/squid/access.log
Mar 29 08:05:51 ubuntu-server squid[1508823]: Logfile Daemon: opening log /var/log/squid/access.log
Mar 29 08:05:51 ubuntu-server squid[1508823]: Local cache digest enabled; rebuild/rewrite every 3600/3600 sec
Mar 29 08:05:51 ubuntu-server squid[1508823]: Store logging disabled
Mar 29 08:05:51 ubuntu-server squid[1508823]: Swap maxSize 0 + 262144 KB, estimated 20164 objects
Mar 29 08:05:51 ubuntu-server squid[1508823]: Target number of buckets: 1008
Mar 29 08:05:51 ubuntu-server squid[1508823]: Using 8192 Store buckets
Mar 29 08:05:51 ubuntu-server squid[1508823]: Max Mem  size: 262144 KB
Mar 29 08:05:51 ubuntu-server squid[1508823]: Max Swap size: 0 KB
Mar 29 08:05:51 ubuntu-server squid[1508823]: Using Least Load store dir selection
Mar 29 08:05:51 ubuntu-server squid[1508823]: Set Current Directory to /var/spool/squid
Mar 29 08:05:51 ubuntu-server squid[1508823]: Finished loading MIME types and icons.
Mar 29 08:05:51 ubuntu-server squid[1508823]: HTCP Disabled.
Mar 29 08:05:51 ubuntu-server squid[1508823]: Pinger socket opened on FD 26
Mar 29 08:05:51 ubuntu-server squid[1508823]: Squid plugin modules loaded: 0
Mar 29 08:05:51 ubuntu-server squid[1508823]: Adaptation support is off.
Mar 29 08:05:51 ubuntu-server squid[1508823]: Accepting NAT intercepted SSL bumped HTTP Socket connections at local=[::]:3128 remote=[::] FD 23 flags=41
Mar 29 08:05:51 ubuntu-server systemd[1]: Started Squid Web Proxy Server.
-- Subject: A start job for unit squid.service has finished successfully

Ещё иногда в логах появляется вот это:

ERROR: listen( FD 24, [::] [ job2], 256): (98) Address already in use

intercept ssl-bump зачем? Если нужен просто https прокси, то достаточно указать сертификат и приватный ключ. можно даже самоподписанный. Вот из убунты 20.04 дефолтный сквид.

https_port 7596 tls-cert=/etc/ssl/certs/ssl-cert-snakeoil.pem tls-key=/etc/ssl/private/ssl-cert-snakeoil.key

Ну можно и валидный чтоб браузер не ругался.

да, если curl-ом ходить на HTTPS сайт через HTTPS прокси, то оно виснет в 50% случаев. Для тестирования curl’ом полно http сайтов. А вот как ни странно, Хром нормально работает через Https прокси. Например с расширением SwitchyOmega.

Bers666 ★★★★★
()
Последнее исправление: Bers666 (всего исправлений: 1)
Ответ на: комментарий от Bers666

Добавил эту строку вместо старой, curl работает если добавить --proxy-insecure, спасибо. А вот браузеры не хотят, даже на сертификат не ругаются и логин/пароль не спрашивают, сразу отваливаются с ошибкой PR_CONNECT_RESET_ERROR/ERR_CONNECTION_RESET.

neversleep ★★★
() автор топика
Ответ на: комментарий от neversleep

засунь сей сертификат в хранилище сертификатов в браузер или системы - будет валидным.

pfg ★★★★★
()
Ответ на: комментарий от Bers666

Сгенерировал бесплатный сертификат на zerossl.com (просто по ip сервака), curl теперь без --proxy-insecure работает, а браузеры ни в какую (сертификат пробовал импортировать), в логах squid ошибка Error negotiating SSL connection on FD 12: (104) Connection reset by peer.

Лог curl:

*   Trying xxx:7596...
* Connected to xxx (xxx) port 7596 (#0)
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/pki/tls/certs/ca-bundle.crt
*  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server did not agree to a protocol
* Proxy certificate:
*  subject: CN=xxx
*  start date: Mar 29 00:00:00 2022 GMT
*  expire date: Jun 27 23:59:59 2022 GMT
*  subjectAltName: host "xxx" matched cert's IP address!
*  issuer: C=AT; O=ZeroSSL; CN=ZeroSSL RSA Domain Secure Site CA
*  SSL certificate verify ok.
* allocate connect buffer!
* Establish HTTP proxy tunnel to www.google.com:443
* Proxy auth using Basic with user 'user'
> CONNECT www.google.com:443 HTTP/1.1
> Host: www.google.com:443
> Proxy-Authorization: Basic ***
> User-Agent: curl/7.79.1
> Proxy-Connection: Keep-Alive

Конфиг squid сейчас выглядит так:

2022/03/30 04:05:18| Startup: Initializing Authentication Schemes ...
2022/03/30 04:05:18| Startup: Initialized Authentication Scheme 'basic'
2022/03/30 04:05:18| Startup: Initialized Authentication Scheme 'digest'
2022/03/30 04:05:18| Startup: Initialized Authentication Scheme 'negotiate'
2022/03/30 04:05:18| Startup: Initialized Authentication Scheme 'ntlm'
2022/03/30 04:05:18| Startup: Initialized Authentication.
2022/03/30 04:05:18| Processing Configuration File: /etc/squid/squid.conf (depth 0)
2022/03/30 04:05:18| Processing: acl localnet src 0.0.0.1-0.255.255.255	# RFC 1122 "this" network (LAN)
2022/03/30 04:05:18| Processing: acl localnet src 10.0.0.0/8		# RFC 1918 local private network (LAN)
2022/03/30 04:05:18| Processing: acl localnet src 100.64.0.0/10		# RFC 6598 shared address space (CGN)
2022/03/30 04:05:18| Processing: acl localnet src 169.254.0.0/16 	# RFC 3927 link-local (directly plugged) machines
2022/03/30 04:05:18| Processing: acl localnet src 172.16.0.0/12		# RFC 1918 local private network (LAN)
2022/03/30 04:05:18| Processing: acl localnet src 192.168.0.0/16		# RFC 1918 local private network (LAN)
2022/03/30 04:05:18| Processing: acl localnet src fc00::/7       	# RFC 4193 local private network range
2022/03/30 04:05:18| Processing: acl localnet src fe80::/10      	# RFC 4291 link-local (directly plugged) machines
2022/03/30 04:05:18| Processing: acl SSL_ports port 443
2022/03/30 04:05:18| Processing: acl Safe_ports port 80		# http
2022/03/30 04:05:18| Processing: acl Safe_ports port 21		# ftp
2022/03/30 04:05:18| Processing: acl Safe_ports port 443		# https
2022/03/30 04:05:18| Processing: acl Safe_ports port 70		# gopher
2022/03/30 04:05:18| Processing: acl Safe_ports port 210		# wais
2022/03/30 04:05:18| Processing: acl Safe_ports port 1025-65535	# unregistered ports
2022/03/30 04:05:18| Processing: acl Safe_ports port 280		# http-mgmt
2022/03/30 04:05:18| Processing: acl Safe_ports port 488		# gss-http
2022/03/30 04:05:18| Processing: acl Safe_ports port 591		# filemaker
2022/03/30 04:05:18| Processing: acl Safe_ports port 777		# multiling http
2022/03/30 04:05:18| Processing: acl CONNECT method CONNECT
2022/03/30 04:05:18| Processing: http_access deny !Safe_ports
2022/03/30 04:05:18| Processing: http_access deny CONNECT !SSL_ports
2022/03/30 04:05:18| Processing: http_access allow localhost manager
2022/03/30 04:05:18| Processing: http_access deny manager
2022/03/30 04:05:18| Processing: include /etc/squid/conf.d/*
2022/03/30 04:05:18| Processing Configuration File: /etc/squid/conf.d/debian.conf (depth 1)
2022/03/30 04:05:18| Processing: logfile_rotate 0
2022/03/30 04:05:18| Processing: auth_param basic program /usr/lib/squid3/basic_ncsa_auth /etc/squid/passwords
2022/03/30 04:05:18| Processing: auth_param basic realm proxy
2022/03/30 04:05:18| Processing: acl authenticated proxy_auth REQUIRED
2022/03/30 04:05:18| Processing: acl all src all
2022/03/30 04:05:18| WARNING: (B) '::/0' is a subnetwork of (A) '::/0'
2022/03/30 04:05:18| WARNING: because of this '::/0' is ignored to keep splay tree searching predictable
2022/03/30 04:05:18| WARNING: You should probably remove '::/0' from the ACL named 'all'
2022/03/30 04:05:18| Processing: http_access allow localhost
2022/03/30 04:05:18| Processing: http_access allow authenticated
2022/03/30 04:05:18| Processing: http_access allow all
2022/03/30 04:05:18| Processing: http_access deny all
2022/03/30 04:05:18| Processing: http_port 3128
2022/03/30 04:05:18| Processing: https_port 7596 tls-cert=/etc/squid/zero_certs/certificate_bundle.crt tls-key=/etc/squid/zero_certs/private.key
2022/03/30 04:05:18| Processing: sslproxy_cert_error allow all
2022/03/30 04:05:18| Processing: http_port 3128
2022/03/30 04:05:18| Processing: coredump_dir /var/spool/squid
2022/03/30 04:05:18| Processing: refresh_pattern ^ftp:		1440	20%	10080
2022/03/30 04:05:18| Processing: refresh_pattern ^gopher:	1440	0%	1440
2022/03/30 04:05:18| Processing: refresh_pattern -i (/cgi-bin/|\?) 0	0%	0
2022/03/30 04:05:18| Processing: refresh_pattern .		0	20%	4320
2022/03/30 04:05:18| Initializing https:// proxy context
2022/03/30 04:05:18| Initializing https_port [::]:7596 TLS contexts
2022/03/30 04:05:18| Using certificate in /etc/squid/zero_certs/certificate_bundle.crt
2022/03/30 04:05:18| Using certificate chain in /etc/squid/zero_certs/certificate_bundle.crt
2022/03/30 04:05:18| /etc/squid/zero_certs/certificate_bundle.crt: Ignoring non-issuer CA /CN=xxx.xxx.xxx.xxx: subject issuer mismatch (29)
2022/03/30 04:05:18| Adding issuer CA: /C=AT/O=ZeroSSL/CN=ZeroSSL RSA Domain Secure Site CA
2022/03/30 04:05:18| Using key in /etc/squid/zero_certs/private.key
neversleep ★★★
() автор топика
Вы не можете добавлять комментарии в эту тему. Тема перемещена в архив.