Squid 3.5.20 not applying ssl proxy options


I am trying to allow only TLS 1.2 and above on Squid 3.5.20.

For testing purposes, I set the following options in the squid config:

https_port 3130 cert=/etc/squid/ssl/squid.pem ssl-bump intercept options=NO_SSLv2,NO_SSLv3,NO_TLSv1,NO_TLSv1_2

sslproxy_options NO_SSLv2,NO_SSLv3,NO_TLSv1,NO_TLSv1_2

acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
ssl_bump peek step1 all
ssl_bump peek step2 allowed_https_sites
ssl_bump splice step3 allowed_https_sites
ssl_bump terminate step2 all

I am testing with curl:

curl -v https://api.github.com/users/xyz
I am able to reach github, and the SSL connection is TLS 1.2:

*   Trying 13.236.14.80...
* TCP_NODELAY set
* Connected to api.github.com (13.236.14.80) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: C=US; ST=California; L=San Francisco; O=GitHub, Inc.; CN=*.github.com
*  start date: Jun 22 00:00:00 2020 GMT
*  expire date: Aug 17 12:00:00 2022 GMT
*  subjectAltName: host "api.github.com" matched cert's "*.github.com"
*  issuer: C=US; O=DigiCert Inc; OU=www.digicert.com; CN=DigiCert SHA2 High Assurance Server CA
*  SSL certificate verify ok.
> GET /users/xyz HTTP/1.1
> Host: api.github.com
> User-Agent: curl/7.61.1
> Accept: */*
>
< HTTP/1.1 200 OK
< date: Mon, 05 Oct 2020 22:57:40 GMT
< content-type: application/json; charset=utf-8
< server: GitHub.com
< status: 200 OK
< cache-control: public, max-age=60, s-maxage=60
< vary: Accept, Accept-Encoding, Accept, X-Requested-With, Accept-Encoding
< etag: W/"3d107946387d86803650c009a9371dc5efd5ba2d670e838c30af583505243e83"
< last-modified: Wed, 23 May 2018 19:43:26 GMT
< x-github-media-type: github.v3; format=json
< access-control-expose-headers: ETag, Link, Location, Retry-After, X-GitHub-OTP, X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Used, X-RateLimit-Reset, X-OAuth-Scopes, X-Accepted-OAuth-Scopes, X-Poll-Interval, X-GitHub-Media-Type, Deprecation, Sunset
< access-control-allow-origin: *
< strict-transport-security: max-age=31536000; includeSubdomains; preload
< x-frame-options: deny
< x-content-type-options: nosniff
< x-xss-protection: 1; mode=block
< referrer-policy: origin-when-cross-origin, strict-origin-when-cross-origin
< content-security-policy: default-src 'none'
< X-Ratelimit-Limit: 60
< X-Ratelimit-Remaining: 59
< X-Ratelimit-Reset: 1601942260
< X-Ratelimit-Used: 1
< Accept-Ranges: bytes
< Content-Length: 1220
< X-GitHub-Request-Id: A62E:3674:BB684:D9799:5F7BA4E4
<
{
  "login": "xyz",
  "id": 14513,
  "node_id": "MDQ6VXNlcjE0NTEz",
  "avatar_url": "https://avatars1.githubusercontent.com/u/14513?v=4",
  "gravatar_id": "",
  "url": "https://api.github.com/users/xyz",
  "html_url": "https://github.com/xyz",
  "followers_url": "https://api.github.com/users/xyz/followers",
  "following_url": "https://api.github.com/users/xyz/following{/other_user}",
  "gists_url": "https://api.github.com/users/xyz/gists{/gist_id}",
  "starred_url": "https://api.github.com/users/xyz/starred{/owner}{/repo}",
  "subscriptions_url": "https://api.github.com/users/xyz/subscriptions",
  "organizations_url": "https://api.github.com/users/xyz/orgs",
  "repos_url": "https://api.github.com/users/xyz/repos",
  "events_url": "https://api.github.com/users/xyz/events{/privacy}",
  "received_events_url": "https://api.github.com/users/xyz/received_events",
  "type": "User",
  "site_admin": false,
  "name": "xyz",
  "company": null,
  "blog": "",
  "location": null,
  "email": null,
  "hireable": null,
  "bio": null,
  "twitter_username": null,
  "public_repos": 1,
  "public_gists": 0,
  "followers": 8,
  "following": 1,
  "created_at": "2008-06-21T11:58:01Z",
  "updated_at": "2018-05-23T19:43:26Z"
}
* Connection #0 to host api.github.com left intact
Even though TLS 1.2 is not enabled, I was able to establish the connection successfully. What am I missing?
Any help is greatly appreciated.

Does it even use the proxy? That is not visible from the output you included. Please provide the full verbose output of curl -v.

@SteffenUllrich The proxy is transparent. The Squid logs show a successful connection to api.github.com.

"... issuer: C=US; O=DigiCert Inc; OU=www.digicert.com; CN=DigiCert SHA2 High Assurance Server CA ..." - the certificate details show that no SSL interception is being done, i.e. this is the original certificate issued for github and not one issued by Squid. If no SSL interception is done in the first place, then none of the TLS options related to interception will have any effect.

@SteffenUllrich You are right. Squid acts as a whitelisting proxy in my setup. It does not intercept requests on the https port; it peeks and splices. So I do not expect the connection to use a certificate issued by squid. What puzzles me is that when I use sslproxy_version I am able to restrict to a particular TLS version. (Updated the question with the peek and splice config from squid.)
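A check for the situation the comments describe, added here as an example and not code from the question or from Squid: given the TLS option lines from the question's squid.conf and the certificate lines of a curl -v transcript, it reports whether the session was spliced (origin server's own certificate) or bumped (re-signed by the proxy CA), and whether the configured NO_* options could have governed that session at all. The proxy CA name, the parsing and the constructed sample transcripts are assumptions.

```python
import re

# Assumed placeholder for the CN of the CA Squid re-signs with when it bumps.
PROXY_CA_CN = "Squid SSL-Bump CA"

# Constructed inputs modelled on the question: the squid.conf TLS option lines
# and the relevant lines of the curl -v transcript.
SQUID_CONF = """\
https_port 3130 cert=/etc/squid/ssl/squid.pem ssl-bump intercept options=NO_SSLv2,NO_SSLv3,NO_TLSv1,NO_TLSv1_2
sslproxy_options NO_SSLv2,NO_SSLv3,NO_TLSv1,NO_TLSv1_2
"""
SPLICED_SAMPLE = """\
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
*  issuer: C=US; O=DigiCert Inc; OU=www.digicert.com; CN=DigiCert SHA2 High Assurance Server CA
"""
# The same session as it would look had Squid bumped it and re-signed the cert.
BUMPED_SAMPLE = SPLICED_SAMPLE.replace(
    "CN=DigiCert SHA2 High Assurance Server CA", "CN=" + PROXY_CA_CN)

def disabled_versions(squid_conf):
    """Collect the NO_* names from https_port options= and sslproxy_options."""
    found = set()
    for m in re.finditer(r"(?:options=|sslproxy_options\s+)([A-Za-z0-9_,]+)", squid_conf):
        found.update(m.group(1).split(","))
    return found

def parse_curl_tls(transcript):
    """Return (negotiated version, issuer CN) from curl -v output."""
    m = re.search(r"SSL connection using (TLSv1(?:\.\d)?|SSLv\d) / ", transcript)
    version = m.group(1) if m else None
    m = re.search(r"issuer: .*?CN=([^;\n]+)", transcript)
    return version, (m.group(1).strip() if m else None)

def classify(transcript, disabled, proxy_ca_cn=PROXY_CA_CN):
    """Report bumped vs spliced and whether the NO_* options could apply at all."""
    version, issuer_cn = parse_curl_tls(transcript)
    if version is None:
        raise ValueError("transcript has no 'SSL connection using' line")
    # Spliced: the origin server's own cert; bumped: re-signed by the proxy CA.
    mode = "bumped" if issuer_cn == proxy_ca_cn else "spliced"
    # curl prints TLSv1.0 for TLS 1.0; Squid's option name for it is NO_TLSv1.
    base = version[:-2] if version.endswith(".0") else version
    return {
        "mode": mode,
        "version": version,
        "version_disabled_in_config": "NO_" + base.replace(".", "_") in disabled,
        # options=/sslproxy_options govern only sessions Squid terminates or originates.
        "policy_could_apply": mode == "bumped",
    }
```

On the question's transcript this yields mode "spliced" with the negotiated TLSv1.2 listed as disabled in the config, which is exactly the combination the comments explain: the option is set but cannot act on a spliced session.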