Proxy

HTTPS stunnel 錯誤:1408F09B:SSL 常式:ssl3_get_record:https 代理請求

  • October 12, 2020

我正在使用 stunnel 和 squid 配置 HTTPS 代理。

但是,我收到了 Mozilla 錯誤頁面“安全連接失敗”,以防我通過埠 44444(stunnel)發出瀏覽器請求。

我錯過了什麼?

  1. 如果我向 ( https://192.168.0.101:44444 ) 發出直接瀏覽器請求,則 stunnel 接受 44444 埠上的連接並成功將流量轉發到 squid 代理埠 (55555),因此,squid 錯誤頁面已收到。
  2. 如果我通過 squid 埠(55555)發出請求,一切正常。

SSL 證書是自簽名的。由該命令生成:

sudo openssl req -nodes -new -days 365 -newkey rsa:1024 -x509 -keyout serverkey.pem -out servercert.pem

stunnel.log

2020.10.01 17:54:05 LOG7[main]: Found 1 ready file descriptor(s)
2020.10.01 17:54:05 LOG7[main]: FD=4 events=0x2001 revents=0x0
2020.10.01 17:54:05 LOG7[main]: FD=6 events=0x2001 revents=0x1
2020.10.01 17:54:05 LOG7[main]: Service [squid] accepted (FD=3) from 10.140.37.30:42284
2020.10.01 17:54:05 LOG7[33]: Service [squid] started
2020.10.01 17:54:05 LOG7[33]: Option TCP_NODELAY set on local socket
2020.10.01 17:54:05 LOG5[33]: Service [squid] accepted connection from 10.140.37.30:42284
2020.10.01 17:54:05 LOG6[33]: Peer certificate not required
2020.10.01 17:54:05 LOG7[33]: TLS state (accept): before SSL initialization
2020.10.01 17:54:05 LOG3[33]: SSL_accept: 1408F09B: error:1408F09B:SSL routines:ssl3_get_record:https proxy request

stunnel.conf

chroot = /var/lib/stunnel4/
setuid = stunnel4
setgid = stunnel4

pid = /stunnel4.pid

debug = 7
output = /stunnel.log
syslog = no

cert = /etc/stunnel/servercert.pem
key = /etc/stunnel/serverkey.pem

verify = 1

CApath = /certs

CRLpath = /crls

client = no
[squid]
accept = 44444
connect = 55555

squid.conf

acl localnet src 192.168.0.0/16

acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 21
acl Safe_ports port 443
acl Safe_ports port 70
acl Safe_ports port 210
acl Safe_ports port 1025-65535
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777
acl CONNECT method CONNECT


http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost
http_access allow all

http_port 55555

coredump_dir /var/spool/squid
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern (Release|Packages(.gz)*)$     0       20%     2880
refresh_pattern .               0       20%     4320

stunnel 端的配置一切正常。問題出在我的客戶端,由於配置錯誤,它沒有啟動 SSL\TLS 握手。

引用自:https://serverfault.com/questions/1035873

相關問答

Proxy

獲取 Squid 以傳遞 X-Requested-With 標頭

  • September 23, 2012
檢視問答
Proxy

Squid 403 將每個請求作為 HTTP 代理

  • October 18, 2011
檢視問答
Performance

Squid 代理執行速度極慢,有時根本不起作用

  • March 10, 2022
檢視問答
Proxy

如何為 Squid 代理啟用 SOCKS5?

  • February 24, 2022
檢視問答
Vpn

如何將流量從 squid 重定向到 vpn?

  • December 5, 2021
檢視問答
Proxy

CentOS 6 Squid 代理錯誤

  • May 5, 2021
檢視問答