Здравствуйте! Проблема такова: настроил прозрачный прокси-сервер squid версии 3.1.23 на CentOS 6.3. Сама машина работает как шлюз, к которому подключены два провайдера и две локальные сети.
Первая локальная сеть: 192.168.0.0(eth2) ходит через 192.168.7.200(eth0)
Вторая локальная сеть: 192.168.2.0(eth3) ходит через 192.168.1.28(eth1)
Сайты по http открываются без проблем, а вот с https проблемы, особенно там, где при загрузке есть перенаправление на другие страницы (как я понял).
Вот лог при загрузке сайта yahoo.com:
1442777878.083 557 192.168.2.3 TCP_MISS/301 788 GET http://www.yahoo.com/ - DIRECT/46.228.47.115 text/html
1442777878.429 338 192.168.2.3 TCP_MISS/301 790 GET http://www.yahoo.com/ - DIRECT/46.228.47.115 text/html
1442777878.773 338 192.168.2.3 TCP_MISS/301 788 GET http://www.yahoo.com/ - DIRECT/46.228.47.115 text/html
1442777879.119 339 192.168.2.3 TCP_MISS/301 788 GET http://www.yahoo.com/ - DIRECT/46.228.47.115 text/html
1442777879.462 338 192.168.2.3 TCP_MISS/301 788 GET http://www.yahoo.com/ - DIRECT/46.228.47.115 text/html
1442777879.804 339 192.168.2.3 TCP_MISS/301 790 GET http://www.yahoo.com/ - DIRECT/46.228.47.115 text/html
1442777880.159 350 192.168.2.3 TCP_MISS/301 790 GET http://www.yahoo.com/ - DIRECT/46.228.47.115 text/html
1442777880.506 340 192.168.2.3 TCP_MISS/301 788 GET http://www.yahoo.com/ - DIRECT/46.228.47.115 text/html
1442777880.859 343 192.168.2.3 TCP_MISS/301 790 GET http://www.yahoo.com/ - DIRECT/46.228.47.115 text/html
1442777881.208 343 192.168.2.3 TCP_MISS/301 788 GET http://www.yahoo.com/ - DIRECT/46.228.47.115 text/html
1442777881.562 344 192.168.2.3 TCP_MISS/301 788 GET http://www.yahoo.com/ - DIRECT/46.228.47.115 text/html
1442777881.909 338 192.168.2.3 TCP_MISS/301 790 GET http://www.yahoo.com/ - DIRECT/46.228.47.115 text/html
1442777882.255 342 192.168.2.3 TCP_MISS/301 788 GET http://www.yahoo.com/ - DIRECT/46.228.47.115 text/html
1442777882.599 341 192.168.2.3 TCP_MISS/301 790 GET http://www.yahoo.com/ - DIRECT/46.228.47.115 text/html
1442777882.946 341 192.168.2.3 TCP_MISS/301 790 GET http://www.yahoo.com/ - DIRECT/46.228.47.115 text/html
1442777883.290 339 192.168.2.3 TCP_MISS/301 788 GET http://www.yahoo.com/ - DIRECT/46.228.47.115 text/html
1442777883.639 339 192.168.2.3 TCP_MISS/301 790 GET http://www.yahoo.com/ - DIRECT/46.228.47.115 text/html
1442777883.984 339 192.168.2.3 TCP_MISS/301 788 GET http://www.yahoo.com/ - DIRECT/46.228.47.115 text/html
1442777884.326 338 192.168.2.3 TCP_MISS/301 788 GET http://www.yahoo.com/ - DIRECT/46.228.47.115 text/html
1442777884.669 339 192.168.2.3 TCP_MISS/301 790 GET http://www.yahoo.com/ - DIRECT/46.228.47.115 text/html
1442777885.041 340 192.168.2.3 TCP_MISS/301 810 GET http://www.yahoo.com/favicon.ico - DIRECT/46.228.47.115 text/html
Или mail.ru:
1442777986.083 417 192.168.2.3 TCP_MISS/302 639 GET http://mail.ru/ - DIRECT/217.69.139.202 text/html
1442777989.212 107 192.168.2.3 TCP_MISS/302 639 GET http://mail.ru/ - DIRECT/217.69.139.202 text/html
1442777989.332 110 192.168.2.3 TCP_MISS/302 639 GET http://mail.ru/ - DIRECT/217.69.139.202 text/html
1442777989.444 105 192.168.2.3 TCP_MISS/302 639 GET http://mail.ru/ - DIRECT/217.69.139.202 text/html
1442777989.557 109 192.168.2.3 TCP_MISS/302 639 GET http://mail.ru/ - DIRECT/217.69.139.202 text/html
1442777989.666 105 192.168.2.3 TCP_MISS/302 639 GET http://mail.ru/ - DIRECT/217.69.139.202 text/html
1442777989.777 106 192.168.2.3 TCP_MISS/302 639 GET http://mail.ru/ - DIRECT/217.69.139.202 text/html
1442777989.899 116 192.168.2.3 TCP_MISS/302 639 GET http://mail.ru/ - DIRECT/217.69.139.202 text/html
1442777990.011 107 192.168.2.3 TCP_MISS/302 639 GET http://mail.ru/ - DIRECT/217.69.139.202 text/html
1442777990.126 110 192.168.2.3 TCP_MISS/302 639 GET http://mail.ru/ - DIRECT/217.69.139.202 text/html
1442777990.239 106 192.168.2.3 TCP_MISS/302 639 GET http://mail.ru/ - DIRECT/217.69.139.202 text/html
1442777990.352 107 192.168.2.3 TCP_MISS/302 639 GET http://mail.ru/ - DIRECT/217.69.139.202 text/html
1442777990.464 106 192.168.2.3 TCP_MISS/302 639 GET http://mail.ru/ - DIRECT/217.69.139.202 text/html
1442777990.578 110 192.168.2.3 TCP_MISS/302 639 GET http://mail.ru/ - DIRECT/217.69.139.202 text/html
1442777990.693 110 192.168.2.3 TCP_MISS/302 639 GET http://mail.ru/ - DIRECT/217.69.139.202 text/html
1442777990.804 107 192.168.2.3 TCP_MISS/302 639 GET http://mail.ru/ - DIRECT/217.69.139.202 text/html
1442777990.916 108 192.168.2.3 TCP_MISS/302 639 GET http://mail.ru/ - DIRECT/217.69.139.202 text/html
1442777991.029 108 192.168.2.3 TCP_MISS/302 639 GET http://mail.ru/ - DIRECT/217.69.139.202 text/html
1442777991.146 109 192.168.2.3 TCP_MISS/302 639 GET http://mail.ru/ - DIRECT/217.69.139.202 text/html
1442777991.260 105 192.168.2.3 TCP_MISS/302 639 GET http://mail.ru/ - DIRECT/217.69.139.202 text/html
1442777991.371 107 192.168.2.3 TCP_MISS/302 639 GET http://mail.ru/ - DIRECT/217.69.139.202 text/html
1442777991.483 107 192.168.2.3 TCP_MISS/302 592 GET http://mail.ru/favicon.ico - DIRECT/217.69.139.202 text/html
Вот мой файл squid.conf:
#
# Recommended minimum configuration:
#
# Review notes: Squid 3.1.23 as a transparent (intercepting) proxy on a
# two-LAN gateway. http_access is evaluated first-match, so the order of the
# rules below is significant.
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
acl localnet src 192.168.0.0/24 # RFC1918 possible internal network
acl localnet src 192.168.2.0/24 # RFC1918 possible internal network
acl SSL_ports port 443
# NOTE(review): 443 is added to Safe_ports twice (here and a few lines down);
# harmless, but one of the two can go.
acl Safe_ports port 443
acl CONNECT method CONNECT
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl block url_regex "/etc/squid/blacklist.acl"
#
# Recommended minimum Access Permission configuration:
#
visible_hostname Proxy_Server
#redirector_access deny
# NOTE(review): the ACLs serverIsBank and haveServerName are not defined
# anywhere in this file. The splice/bump/peek actions are the peek-and-splice
# syntax of Squid 3.5; Squid 3.1 only knows "ssl_bump allow|deny" (the
# "ssl_bump allow all" further down is the 3.1 form). Expect 3.1.23 to reject
# or ignore these four lines — check cache.log at startup.
ssl_bump splice serverIsBank
ssl_bump bump haveServerName
ssl_bump peek all
ssl_bump splice all
cache_effective_user squid
cache_effective_group squid
cache deny all
http_access deny block
http_access allow manager localhost
http_access deny manager
# NOTE(review): this rule allows any request whose destination port is 443
# from ANY source, before the localnet check below ever runs. The filter
# table in this post accepts ports 3128/3129 on every interface (including
# eth0), so whoever can reach those ports may be able to relay through the
# proxy. Restricting to the local networks — e.g. replacing this line with
# "http_access allow localnet SSL_ports" — keeps the intended behaviour for
# the two LANs without opening the proxy to outside clients.
http_access allow SSL_ports
http_access allow localnet CONNECT SSL_ports
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
# NOTE(review): only CONNECT to port 443 can still reach this rule (the line
# above denies every other CONNECT), and that case is already allowed by the
# "allow SSL_ports" rule; this line is redundant and, like that one, is not
# limited to localnet.
http_access allow all CONNECT Safe_ports
http_access deny to_localhost
http_access allow localnet
http_access allow localhost
http_access deny all
http_port 3128 intercept
# NOTE(review): with generate-host-certificates=on, squid.key signs every
# certificate the proxy presents to clients; it should be readable by the
# squid user only, and the clients must trust the matching CA or every https
# site will show a certificate warning. The access log in this post contains
# no https:// URL and no CONNECT at all — only GET http://www.yahoo.com/
# answered 301, about twenty times in a row — which is consistent with the
# intercepted TLS request being re-issued upstream as plain http:// and the
# site's http->https redirect looping; TODO confirm in cache.log.
https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB key=/etc/squid/ssl/squid.key cert=/etc/squid/ssl/squid.pem
forwarded_for off
# Squid 3.1 form of ssl_bump: bumps everything.
ssl_bump allow all
redirect_rewrites_host_header on
# NOTE(review): these two lines disable validation of origin-server
# certificates on the proxy's upstream side. Clients only ever see the proxy's
# generated certificate, so after this nothing in the chain verifies the real
# server any more: an expired or spoofed upstream certificate is accepted and
# re-signed as valid. Remove both once the bump itself works.
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
#cache_dir ufs /var/spool/squid 100 16 256
# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid
# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
И конфиги iptables:
# Generated by iptables-save v1.4.7 on Mon Sep 14 15:04:27 2015
*nat
:PREROUTING ACCEPT [150:14588]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Review note: interception is keyed on the two LAN interfaces, so the proxy's
# own upstream connections (which leave via eth0/eth1) are not redirected back
# into it — the right shape for a transparent proxy.
-A PREROUTING -p tcp -i eth2 -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A PREROUTING -p tcp -i eth2 -m tcp --dport 443 -j REDIRECT --to-ports 3129
-A PREROUTING -p tcp -i eth3 -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A PREROUTING -p tcp -i eth3 -m tcp --dport 443 -j REDIRECT --to-ports 3129
# NOTE(review): LAN packets to 80/443 are REDIRECTed above and delivered
# locally, so they never traverse POSTROUTING, and the proxy's upstream
# connections presumably carry the gateway's own eth0/eth1 address rather than
# a 192.168.0.0/24 or 192.168.2.0/24 source. These four SNAT rules therefore
# probably never match — confirm with their packet counters
# (iptables -t nat -L POSTROUTING -v -n).
-A POSTROUTING -p tcp -s 192.168.0.0/24 -m tcp --dport 80 -j SNAT --to-source 192.168.0.1
-A POSTROUTING -p tcp -s 192.168.2.0/24 -m tcp --dport 80 -j SNAT --to-source 192.168.2.1
-A POSTROUTING -p tcp -s 192.168.0.0/24 -m tcp --dport 443 -j SNAT --to-source 192.168.0.1
-A POSTROUTING -p tcp -s 192.168.2.0/24 -m tcp --dport 443 -j SNAT --to-source 192.168.2.1
# NOTE(review): the post says LAN1 should exit via eth0 and LAN2 via eth1, but
# intercepted web traffic is re-originated by squid on the gateway itself, so
# its egress interface follows the gateway's routing table, not the client's
# LAN. Without policy routing on the proxy's outbound side, both LANs' web
# traffic leaves through whichever provider is the default route.
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
# Completed on Mon Sep 14 15:04:27 2015
# Generated by iptables-save v1.4.7 on Mon Sep 14 15:04:27 2015
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [2:160]
# NOTE(review): including NEW in this catch-all ACCEPT admits every inbound
# connection on every interface and port; the DROP policy then only ever sees
# INVALID packets, and every more specific INPUT rule below (22, 53, 3128/3129,
# the per-interface ones) is dead code. The same applies to the first FORWARD
# and OUTPUT rules. The usual form is
# "-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT", leaving the
# explicit rules to decide which new connections are accepted.
-A INPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 22 -j ACCEPT
# Duplicate of the "-i lo" rule above.
-A INPUT -i lo -j ACCEPT
# NOTE(review): 80/443 accepted on all interfaces — only needed if the gateway
# itself serves web content; otherwise these widen the surface on eth0/eth1.
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
# NOTE(review): the four rules below accept the proxy ports from every
# interface, explicitly including eth0 (the provider side per the post). The
# per-LAN rules further down show the intent was LAN-only; intercepted LAN
# traffic arrives here with dport 3128/3129 on eth2/eth3 after the REDIRECT, so
# the LAN rules (plus a matching pair for 3129) are sufficient and these four
# can be dropped.
-A INPUT -p tcp -m tcp --dport 3128 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3129 -j ACCEPT
-A INPUT -p tcp -i eth0 -m tcp --dport 3128 -j ACCEPT
-A INPUT -p tcp -i eth0 -m tcp --dport 3129 -j ACCEPT
-A INPUT -s 192.168.0.0/24 -i eth2 -p tcp -m tcp --dport 3128 -j ACCEPT
-A INPUT -s 192.168.2.0/24 -i eth3 -p tcp -m tcp --dport 3128 -j ACCEPT
-A INPUT -i eth2 -p icmp -j ACCEPT
-A INPUT -i eth3 -p icmp -j ACCEPT
-A INPUT -s 192.168.0.0/24 -i eth2 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -s 192.168.0.0/24 -i eth2 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -s 192.168.2.0/24 -i eth3 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -s 192.168.2.0/24 -i eth3 -p udp -m udp --dport 53 -j ACCEPT
# NOTE(review): NEW here forwards every new connection between any pair of
# interfaces, which makes the FORWARD DROP policy and the two LAN rules below
# ineffective. Note also that LAN 80/443 is REDIRECTed to the local proxy in
# the nat table and is never forwarded, so once NEW is removed the two
# multiport rules match little; any other LAN traffic that should pass through
# the gateway (DNS to outside resolvers, etc.) needs its own rule.
-A FORWARD -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.2.0/24 -i eth3 -o eth1 -p tcp -m multiport --dports 80,443 -j ACCEPT
-A FORWARD -s 192.168.0.0/24 -i eth2 -o eth0 -p tcp -m multiport --dports 80,443 -j ACCEPT
-A FORWARD -p icmp -m icmp --icmp-type 8 -j ACCEPT
# NOTE(review): NEW here is what currently lets squid open its upstream 80/443
# connections and the gateway resolve DNS — there is no explicit OUTPUT rule
# for either. If NEW is removed from this line, add rules for outbound
# dport 80/443 and 53 on eth0/eth1, otherwise the proxy goes dark.
-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --sport 22 -j ACCEPT
-A OUTPUT -o eth1 -p tcp -m tcp --sport 22 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 443 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 3128 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 3129 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --sport 3128 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --sport 3129 -j ACCEPT
-A OUTPUT -o eth2 -p icmp -j ACCEPT
-A OUTPUT -o eth3 -p icmp -j ACCEPT
-A OUTPUT -s 192.168.0.0/24 -o eth2 -p tcp -m tcp --sport 53 -j ACCEPT
-A OUTPUT -s 192.168.0.0/24 -o eth2 -p udp -m udp --sport 53 -j ACCEPT
-A OUTPUT -s 192.168.2.0/24 -o eth3 -p tcp -m tcp --sport 53 -j ACCEPT
-A OUTPUT -s 192.168.2.0/24 -o eth3 -p udp -m udp --sport 53 -j ACCEPT
-A OUTPUT -s 192.168.0.0/24 -o eth2 -p tcp -m tcp --sport 3128 -j ACCEPT
-A OUTPUT -s 192.168.2.0/24 -o eth3 -p tcp -m tcp --sport 3128 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 53 -j ACCEPT
-A OUTPUT -p udp -m udp --sport 53 -j ACCEPT
COMMIT
Помогите, пожалуйста, если кто сталкивался с данной проблемой. Заранее спасибо! P.S. Я пока новичок в лине, пожалуйста, особо не пинайте. Предлагали пустить трафик https мимо сквида, но в дальнейшем хочу настроить блокировку нежелательных ресурсов и рекламы через сквид, да и поближе с ним познакомиться, поэтому вариант пускать мимо сквида не подходит. Спасибо заранее за помощь!