2014-02-25 74 views
0

在我們的辦公室,我們使用squid限制用戶只連接特定的網站和URL。如果用戶通過https連接網頁,則url_regex acl將不起作用。在https請求中,我們只能控制域。但是我們需要限制網址級別。所以,我們使用ssl bump攔截https請求。它的工作正常,但我們在瀏覽器中得到了一些ssl警告。使用SSL凹凸不能連接到真實網站ssl errror

enter image description here

這是可能的攔截,沒有任何瀏覽器警告在凸起的SSL連接?

魷魚配置文件

# 
# Recommended minimum configuration: 
# 
#debug_options ALL,3 
acl manager proto cache_object 
acl localhost src 127.0.0.1/32 ::1 
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1 

#allowing .zopert.com domains 
acl trustedDomains dstdomain -i "/etc/squid/trusted_domains.txt" 

#excluded domains 
acl excludedDomains dstdomain -i "/etc/squid/excluded_domains.txt" 

#allowing grid console. 
acl adminConsole urlpath_regex \/admin\/ 

#allowed urls 
acl trustedUrls url_regex -i "/etc/squid/allowed_urls.txt" 


# Example rule allowing access from your local networks. 
http_port 3129 ssl-bump cert=/etc/squid/test.crt key=/etc/squid/test.key 

# Adapt to list your (internal) IP networks from where browsing 
# should be allowed 
#acl localnet src 10.0.0.0/8 # RFC1918 possible internal network 
#acl localnet src 172.16.0.0/12 # RFC1918 possible internal network 
#acl localnet src 192.168.0.0/16 # RFC1918 possible internal network 
#acl localnet src fc00::/7  # RFC 4193 local private network range 
#acl localnet src fe80::/10  # RFC 4291 link-local (directly plugged) machines 

acl SSL_ports port 443 
acl Safe_ports port 80  # http 
acl Safe_ports port 21  # ftp 
acl Safe_ports port 443  # https 
acl Safe_ports port 70  # gopher 
acl Safe_ports port 210  # wais 
acl Safe_ports port 1025-65535 # unregistered ports 
acl Safe_ports port 280  # http-mgmt 
acl Safe_ports port 488  # gss-http 
acl Safe_ports port 591  # filemaker 
acl Safe_ports port 777  # multiling http 
acl CONNECT method CONNECT 
acl HTTPS proto HTTPS 
# 

# Recommended minimum Access Permission configuration: 
# Only allow cachemgr access from localhost 
#http_access allow manager localhost 
http_access deny manager 
#http_access allow allowurls 
# Deny requests to certain unsafe ports 
http_access deny !Safe_ports 
# Deny CONNECT to other than secure SSL ports 
#http_access deny CONNECT !SSL_ports 
# We strongly recommend the following be uncommented to protect innocent 
# web applications running on the proxy server who think the only 
# one who can access services on "localhost" is a local user 

# 
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS 
# 

# Example rule allowing access from your local networks. 
# Adapt localnet in the ACL section to list your (internal) IP networks 
# from where browsing should be allowed 

#allowing trusted domains(.zopert.com) only. 

http_access allow trustedDomains adminConsole 
http_access allow trustedDomains trustedUrls 

#allowing static domains 

http_access allow excludedDomains 


#ssl_bump deny trustedDomains 
http_access allow CONNECT trustedDomains 

#http_access allow CONNECT 
always_direct allow HTTPS 

#ssl_bump allow adminConsole 
ssl_bump allow trustedDomains 

#we don't need to intercept other ssl sites. 
ssl_bump deny all 

# And finally deny all other access to this proxy 
#sslproxy_cert_error allow all 
#http_access allow localnet 
http_access deny all 
http_access deny CONNECT 

#We recommend you to use at least the following line. 
#hierarchy_stoplist cgi-bin ? 
# Uncomment and adjust the following to add a disk cache directory. 
#cache_dir ufs /var/spool/squid 100 16 256 
# Leave coredumps in the first cache dir 
coredump_dir /var/spool/squid 
# Add any of your own refresh_pattern entries above these. 
refresh_pattern ^ftp:  1440 20% 10080 
refresh_pattern ^gopher: 1440 0% 1440 
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 
refresh_pattern .  0 20% 4320 


logformat squid %ts.%03tu %6tr %>a %>A %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt 
cache_log /var/log/squid/cache.log 
access_log /var/log/squid/access.log 

回答

0

SSL凸點做了中間人攻擊和瀏覽器抱怨這個,這是預期的行爲。如果你不想要這個,你需要在所有瀏覽器中導入CA(test.crt)爲可信的。