I want to configure the system as follows:
So I tried to use iptables to DNAT 80/tcp and 443/tcp on all the web servers to the squid proxy, and configured squid as an intercept proxy. But I failed with a redirect loop error. I looked into what squid was doing with strace and found that after receiving the request it tries to connect to 10.0.0.252:80, and so detects a forwarding loop.
I think this is because of a misconfiguration, but I don't know which part should be fixed, or maybe I have completely misunderstood what I should be doing. (I Googled it but couldn't find an example of NAT on every server.)
Hope someone can help solve the problem, or suggest another, better way (not limited to using a squid proxy).
All the servers are on Amazon EC2, so using vyos for the router is an option...
Output of ip addr on the squid proxy
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 0a:1c:ba:c3:9c:1d brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.211/24 brd 10.0.0.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::81c:baff:fec3:9c1d/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 0a:a9:2c:5e:eb:d7 brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.252/24 brd 10.0.0.255 scope global eth1
       valid_lft forever preferred_lft forever
    inet6 fe80::8a9:2cff:fe5e:ebd7/64 scope link
       valid_lft forever preferred_lft forever
iptables on the squid proxy
iptables -t nat -A PREROUTING -s 10.0.0.252 -p tcp --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 10.0.0.252:3129
iptables on the web server
iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to-destination 10.0.0.252:80
In cache.log
2016/06/22 06:15:22 kid1| WARNING: Forwarding loop detected for:
GET / HTTP/1.1
User-Agent: squidclient/3.5.19
Accept: */*
Via: 1.0 unknown (squid/3.5.19)
X-Forwarded-For: 10.0.0.211
Cache-Control: max-age=259200
Connection: keep-alive
Host: ifconfig.moe
Full squid.conf
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 443 # https
acl Safe_ports port 1025-65535 # unregistered ports
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager
#http_access deny to_localhost
http_access allow localnet
http_access allow localhost
cache_dir ufs /var/spool/squid 100 16 256
coredump_dir /var/spool/squid
visible_hostname unknown
# Squid normally listens to port 3128
http_port 3128
http_port 3129 intercept
http_port 3130 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/myCA.pem
always_direct allow all
ssl_bump none localhost
ssl_bump server-first all
# temporary: just test
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
http_access deny all
Answer 0 (score: 1)
If you DNAT to the proxy, you change the destination to the proxy's IP. In that case the proxy loses the information about the original destination.
For http this is OK, because the Host header can be used to resolve the destination, but for https the proxy needs to rely on the SNI in the TLS ClientHello packet to learn the destination and connect to it, carrying the TLS layer on from there.
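As an added illustration of the answer's point (example code written for this page, not part of the original question, answer, or Squid itself): once DNAT has rewritten the destination IP, the only places an intercepting proxy can recover the real target are the HTTP Host header for plaintext and the server_name extension of the TLS ClientHello for HTTPS. The block below parses both, and for HTTP it also performs the loop check that the question's cache.log shows Squid doing: the logged request carries "Via: 1.0 unknown (squid/3.5.19)" while squid.conf sets "visible_hostname unknown", so the proxy recognises its own name as an earlier hop. The sample request and ClientHello are constructed; the hostname ifconfig.moe and the address 10.0.0.211 are taken from the page's log.

```python
import struct

# Name this proxy writes into Via; the page's squid.conf sets "visible_hostname unknown".
PROXY_NAME = "unknown"


def parse_http(data: bytes, proxy_name: str = PROXY_NAME) -> dict:
    """Recover the target of an intercepted plaintext HTTP request from its Host
    header, and flag a forwarding loop if this proxy's own name already appears
    as the received-by field of a hop in the Via header."""
    head = data.split(b"\r\n\r\n", 1)[0].decode("ascii", "replace")
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    # Via hop syntax: protocol-version received-by [comment], hops comma-separated
    hops = [h.split() for h in headers.get("via", "").split(",") if h.strip()]
    loop = any(len(h) >= 2 and h[1] == proxy_name for h in hops)
    return {"scheme": "http", "host": headers.get("host"), "loop": loop}


def parse_sni(data: bytes):
    """Return the host_name carried in a TLS ClientHello's server_name
    extension, or None if the bytes are not a ClientHello with SNI."""
    if len(data) < 5 or data[0] != 0x16:                  # not a handshake record
        return None
    hs = data[5:5 + struct.unpack("!H", data[3:5])[0]]
    if len(hs) < 4 or hs[0] != 0x01:                      # not a ClientHello
        return None
    pos = 4 + 2 + 32                                      # hs header, version, random
    pos += 1 + hs[pos]                                    # session_id
    pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]    # cipher_suites
    pos += 1 + hs[pos]                                    # compression_methods
    if pos + 2 > len(hs):
        return None                                       # no extensions block
    end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
        body, pos = hs[pos + 4:pos + 4 + elen], pos + 4 + elen
        if etype != 0:                                    # 0 = server_name
            continue
        lpos = 2                                          # skip ServerNameList length
        while lpos + 3 <= len(body):
            ntype = body[lpos]
            nlen = struct.unpack("!H", body[lpos + 1:lpos + 3])[0]
            if ntype == 0:                                # host_name entry
                return body[lpos + 3:lpos + 3 + nlen].decode("ascii")
            lpos += 3 + nlen
    return None


def intercepted_destination(data: bytes, proxy_name: str = PROXY_NAME) -> dict:
    """What the proxy can still learn about the real target after DNAT replaced
    the destination IP with its own: Host for HTTP, SNI for HTTPS."""
    if data[:1] == b"\x16":
        return {"scheme": "https", "host": parse_sni(data), "loop": False}
    return parse_http(data, proxy_name)


def build_client_hello(hostname: str) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello whose only extension is SNI."""
    name = hostname.encode("ascii")
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    ext = struct.pack("!HH", 0, len(sni)) + sni
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"          # version, random, empty session id
            + struct.pack("!H", 2) + b"\xc0\x2f"          # one cipher suite
            + b"\x01\x00"                                 # null compression only
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


# Constructed sample: the looped request from the page's cache.log, reassembled.
LOOPED_REQUEST = (b"GET / HTTP/1.1\r\nUser-Agent: squidclient/3.5.19\r\n"
                  b"Via: 1.0 unknown (squid/3.5.19)\r\nX-Forwarded-For: 10.0.0.211\r\n"
                  b"Host: ifconfig.moe\r\n\r\n")

if __name__ == "__main__":
    print(intercepted_destination(LOOPED_REQUEST))
    print(intercepted_destination(build_client_hello("ifconfig.moe")))
```

Run stand-alone, the first call reports host ifconfig.moe with loop=True, which is exactly the condition behind the "Forwarding loop detected" warning in the log; the second recovers ifconfig.moe from the SNI alone, with no IP information needed. Any proxy that strips or cannot see SNI (or an encrypted ClientHello) has nothing left to route on, which is the limit the answer is pointing at.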