主页 / unix / 问题

问题[proxy](unix)

Martin Hope
张龙飞
Asked: 2024-01-24 20:06:25 +0800 CST
  • 5

我想让开发人员只使用 github copilot 并拒绝其他请求。

根据github信息: https://docs.github.com/en/copilot/troubleshooting-github-copilot/troubleshooting-firewall-settings-for-github-copilot

我将网址添加到白名单中,以下是白名单信息:

[root@web-ide-squid-cache squid]# cat whitelist.txt
.baidu.com
.github.com/login/*
.api.github.com/user
.api.github.com/copilot_internal/*
.copilot-telemetry.githubusercontent.com/telemetry
.default.exp-tas.com/
.copilot-proxy.githubusercontent.com/
.origin-tracker.githubusercontent.com
*.githubcopilot.com

这是conf文件:

[root@web-ide-squid-cache squid]# cat squid.conf
#
# Recommended minimum configuration:
#
debug_options ALL,1 33,2 28,9
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 0.0.0.1-0.255.255.255  # RFC 1122 "this" network (LAN)
acl localnet src 10.0.0.0/8             # RFC 1918 local private network (LAN)
acl localnet src 100.64.0.0/10          # RFC 6598 shared address space (CGN)
acl localnet src 169.254.0.0/16         # RFC 3927 link-local (directly plugged) machines
acl localnet src 172.16.0.0/12          # RFC 1918 local private network (LAN)
acl localnet src 192.168.0.0/16         # RFC 1918 local private network (LAN)
acl localnet src fc00::/7               # RFC 4193 local private network range
acl localnet src fe80::/10              # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
acl whitelist dstdomain "/etc/squid/whitelist.txt"
http_access allow whitelist
http_access deny all

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost

# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128
http_port 8080
http_port 3128 transparent
https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=8MB cert=/etc/squid/ssl_cert/myCA.pem
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all
ssl_bump splice all
sslproxy_cert_error allow  all
tls_outgoing_options cipher=ALL

# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/spool/squid 100 16 256

# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid

#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320

卷曲没有 https 成功:

coder@cloudide:~$ curl  -v www.baidu.com
*   Trying 182.61.200.7:80...
* Connected to www.baidu.com (182.61.200.7) port 80 (#0)
> GET / HTTP/1.1
> Host: www.baidu.com
> User-Agent: curl/7.74.0
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Accept-Ranges: bytes
< Cache-Control: private, no-cache, no-store, proxy-revalidate, no-transform
< Content-Length: 2381
< Content-Type: text/html
< Date: Thu, 25 Jan 2024 01:57:51 GMT
< ETag: "588604c1-94d"
< Last-Modified: Mon, 23 Jan 2017 13:27:29 GMT
< Pragma: no-cache
< Server: bfe/1.0.8.18
< Set-Cookie: BDORZ=27315; max-age=86400; domain=.baidu.com; path=/
< X-Cache: MISS from web-ide-squid-cache.novalocal
< X-Cache-Lookup: MISS from web-ide-squid-cache.novalocal:8080
< Via: 1.1 web-ide-squid-cache.novalocal (squid/4.9)
< Connection: keep-alive
< 
<!DOCTYPE html>
<!--STATUS OK--><html> <head><meta http-equiv=content-type content=text/html;charset=utf-8><meta http-equiv=X-UA-Compatible content=IE=Edge><meta content=always name=referrer><link rel=stylesheet type=text/css href=http://s1.bdstatic.com/r/www/cache/bdorz/baidu.min.css><title>百度一下,你就知道</title></head> <body link=#0000cc> <div id=wrapper> <div id=head> <div class=head_wrapper> <div class=s_form> <div class=s_form_wrapper> <div id=lg> <img hidefocus=true src=//www.baidu.com/img/bd_logo1.png width=270 height=129> </div> <form id=form name=f action=//www.baidu.com/s class=fm> <input type=hidden name=bdorz_come value=1> <input type=hidden name=ie value=utf-8> <input type=hidden name=f value=8> <input type=hidden name=rsv_bp value=1> <input type=hidden name=rsv_idx value=1> <input type=hidden name=tn value=baidu><span class="bg s_ipt_wr"><input id=kw name=wd class=s_ipt value maxlength=255 autocomplete=off autofocus></span><span class="bg s_btn_wr"><input type=submit id=su value=百度一下 class="bg s_btn"></span> </form> </div> </div> <div id=u1> <a href=http://news.baidu.com name=tj_trnews class=mnav>新闻</a> <a href=http://www.hao123.com name=tj_trhao123 class=mnav>hao123</a> <a href=http://map.baidu.com name=tj_trmap class=mnav>地图</a> <a href=http://v.baidu.com name=tj_trvideo class=mnav>视频</a> <a href=http://tieba.baidu.com name=tj_trtieba class=mnav>贴吧</a> <noscript> <a href=http://www.baidu.com/bdorz/login.gif?login&amp;tpl=mn&amp;u=http%3A%2F%2Fwww.baidu.com%2f%3fbdorz_come%3d1 name=tj_login class=lb>登录</a> </noscript> <script>document.write('<a href="http://www.baidu.com/bdorz/login.gif?login&tpl=mn&u='+ encodeURIComponent(window.location.href+ (window.location.search === "" ? "?" : "&")+ "bdorz_come=1")+ '" name="tj_login" class="lb">登录</a>');</script> <a href=//www.baidu.com/more/ name=tj_briicon class=bri style="display: block;">更多产品</a> </div> </div> </div> <div id=ftCon> <div id=ftConw> <p id=lh> <a href=http://home.baidu.com>关于百度</a> <a href=http://ir.baidu.com>About Baidu</a> </p> <p id=cp>&copy;2017&nbsp;Baidu&nbsp;<a href=http://www.baidu.com/duty/>使用百度前必读</a>&nbsp; <a href=http://jianyi.baidu.com/ class=cp-feedback>意见反馈</a>&nbsp;京ICP证030173号&nbsp; <img src=//www.baidu.com/img/gs.gif> </p> </div> </div> </div> </body> </html>
* Connection #0 to host www.baidu.com left intact

使用 https 卷曲同一站点失败:

curl  -v https://www.baidu.com
*   Trying 182.61.200.6:443...
* Connected to www.baidu.com (182.61.200.6) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: CN=www.baidu.com
*  start date: Jan 11 12:21:14 2024 GMT
*  expire date: Jan  9 12:21:14 2029 GMT
*  subjectAltName: host "www.baidu.com" matched cert's "www.baidu.com"
*  issuer: C=CN; ST=Beijing; L=Beijing; O=ES; OU=IT Department; CN=easystack.cn; [email protected]
*  SSL certificate verify ok.
> GET / HTTP/1.1
> Host: www.baidu.com
> User-Agent: curl/7.74.0
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 403 Forbidden
< Server: squid/4.9
< Mime-Version: 1.0
< Date: Thu, 25 Jan 2024 01:56:08 GMT
< Content-Type: text/html;charset=utf-8
< Content-Length: 3455
< X-Squid-Error: ERR_ACCESS_DENIED 0
< Vary: Accept-Language
< Content-Language: en
< X-Cache: MISS from web-ide-squid-cache.novalocal
< X-Cache-Lookup: NONE from web-ide-squid-cache.novalocal:8080
< Via: 1.1 web-ide-squid-cache.novalocal (squid/4.9)
< Connection: close
< 
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html><head>
<meta type="copyright" content="Copyright (C) 1996-2019 The Squid Software Foundation and contributors">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>ERROR: The requested URL could not be retrieved</title>
<style type="text/css"><!--
 /*
 * Copyright (C) 1996-2019 The Squid Software Foundation and contributors
 *
 * Squid software is distributed under GPLv2+ license and includes
 * contributions from numerous individuals and organizations.
 * Please see the COPYING and CONTRIBUTORS files for details.
 */

/*
 Stylesheet for Squid Error pages
 Adapted from design by Free CSS Templates
 http://www.freecsstemplates.org
 Released for free under a Creative Commons Attribution 2.5 License
*/

/* Page basics */
* {
        font-family: verdana, sans-serif;
}

html body {
        margin: 0;
        padding: 0;
        background: #efefef;
        font-size: 12px;
        color: #1e1e1e;
}

/* Page displayed title area */
#titles {
        margin-left: 15px;
        padding: 10px;
        padding-left: 100px;
        background: url('/squid-internal-static/icons/SN.png') no-repeat left;
}

/* initial title */
#titles h1 {
        color: #000000;
}
#titles h2 {
        color: #000000;
}

/* special event: FTP success page titles */
#titles ftpsuccess {
        background-color:#00ff00;
        width:100%;
}

/* Page displayed body content area */
#content {
        padding: 10px;
        background: #ffffff;
}

/* General text */
p {
}

/* error brief description */
#error p {
}

/* some data which may have caused the problem */
#data {
}

/* the error message received from the system or other software */
#sysmsg {
}

pre {
}

/* special event: FTP / Gopher directory listing */
#dirmsg {
    font-family: courier, monospace;
    color: black;
    font-size: 10pt;
}
#dirlisting {
    margin-left: 2%;
    margin-right: 2%;
}
#dirlisting tr.entry td.icon,td.filename,td.size,td.date {
    border-bottom: groove;
}
#dirlisting td.size {
    width: 50px;
    text-align: right;
    padding-right: 5px;
}

/* horizontal lines */
hr {
        margin: 0;
}

/* page displayed footer area */
#footer {
        font-size: 9px;
        padding-left: 10px;
}


body
:lang(fa) { direction: rtl; font-size: 100%; font-family: Tahoma, Roya, sans-serif; float: right; }
:lang(he) { direction: rtl; }
 --></style>
</head><body id=ERR_ACCESS_DENIED>
<div id="titles">
<h1>ERROR</h1>
<h2>The requested URL could not be retrieved</h2>
</div>
<hr>

<div id="content">
<p>The following error was encountered while trying to retrieve the URL: <a href="https://182.61.200.6/*">https://182.61.200.6/*</a></p>

<blockquote id="error">
<p><b>Access Denied.</b></p>
</blockquote>

<p>Access control configuration prevents your request from being allowed at this time. Please contact your service provider if you feel this is incorrect.</p>

<p>Your cache administrator is <a href="mailto:webmaster?subject=CacheErrorInfo%20-%20ERR_ACCESS_DENIED&amp;body=CacheHost%3A%20web-ide-squid-cache.novalocal%0D%0AErrPage%3A%20ERR_ACCESS_DENIED%0D%0AErr%3A%20%5Bnone%5D%0D%0ATimeStamp%3A%20Thu,%2025%20Jan%202024%2001%3A56%3A08%20GMT%0D%0A%0D%0AClientIP%3A%2010.0.3.223%0D%0A%0D%0AHTTP%20Request%3A%0D%0ACONNECT%20%2F%20HTTP%2F1.1%0AHost%3A%20182.61.200.6%0D%0A%0D%0A%0D%0A">webmaster</a>.</p>
<br>
</div>

<hr>
<div id="footer">
<p>Generated Thu, 25 Jan 2024 01:56:08 GMT by web-ide-squid-cache.novalocal (squid/4.9)</p>
<!-- ERR_ACCESS_DENIED -->
</div>
</body></html>
* Closing connection 0
* TLSv1.2 (OUT), TLS alert, close notify (256):

以下是失败的缓存日志:

2024/01/24 19:52:38.494 kid1| 28,4| Eui48.cc(179) lookup: id=0x31f5fe4 query ARP table
2024/01/24 19:52:38.495 kid1| 28,4| Eui48.cc(224) lookup: id=0x31f5fe4 query ARP on each interface (120 found)
2024/01/24 19:52:38.495 kid1| 28,4| Eui48.cc(230) lookup: id=0x31f5fe4 found interface lo
2024/01/24 19:52:38.495 kid1| 28,4| Eui48.cc(230) lookup: id=0x31f5fe4 found interface eth0
2024/01/24 19:52:38.495 kid1| 28,4| Eui48.cc(239) lookup: id=0x31f5fe4 looking up ARP address for 10.0.3.223 on eth0
2024/01/24 19:52:38.495 kid1| 28,4| Eui48.cc(275) lookup: id=0x31f5fe4 got address fa:16:3e:09:f3:23 on eth0
2024/01/24 19:52:38.495 kid1| 28,3| Checklist.cc(70) preCheck: 0x3189708 checking slow rules
2024/01/24 19:52:38.495 kid1| 28,5| Acl.cc(124) matches: checking (ssl_bump rules)
2024/01/24 19:52:38.495 kid1| 28,5| Checklist.cc(397) bannedAction: Action 'ALLOWED/3' is not banned
2024/01/24 19:52:38.495 kid1| 28,5| Acl.cc(124) matches: checking (ssl_bump rule)
2024/01/24 19:52:38.495 kid1| 28,5| Acl.cc(124) matches: checking step1
2024/01/24 19:52:38.495 kid1| 28,3| Acl.cc(151) matches: checked: step1 = 1
2024/01/24 19:52:38.495 kid1| 28,3| Acl.cc(151) matches: checked: (ssl_bump rule) = 1
2024/01/24 19:52:38.495 kid1| 28,3| Acl.cc(151) matches: checked: (ssl_bump rules) = 1
2024/01/24 19:52:38.495 kid1| 28,3| Checklist.cc(63) markFinished: 0x3189708 answer ALLOWED for match
2024/01/24 19:52:38.495 kid1| 28,3| Checklist.cc(163) checkCallback: ACLChecklist::checkCallback: 0x3189708 answer=ALLOWED
2024/01/24 19:52:38.495 kid1| 33,2| client_side.cc(2748) httpsSslBumpAccessCheckDone: sslBump action peekneeded for local=182.61.200.6:443 remote=10.0.3.223:4002 FD 12 flags=33
2024/01/24 19:52:38.495 kid1| 33,2| client_side.cc(3424) fakeAConnectRequest: fake a CONNECT request to force connState to tunnel for ssl-bump
2024/01/24 19:52:38.496 kid1| 28,3| Checklist.cc(70) preCheck: 0x31a4428 checking slow rules
2024/01/24 19:52:38.496 kid1| 28,5| Acl.cc(124) matches: checking http_access
2024/01/24 19:52:38.496 kid1| 28,5| Checklist.cc(397) bannedAction: Action 'DENIED/0' is not banned
2024/01/24 19:52:38.496 kid1| 28,5| Acl.cc(124) matches: checking http_access#1
2024/01/24 19:52:38.496 kid1| 28,5| Acl.cc(124) matches: checking !Safe_ports
2024/01/24 19:52:38.496 kid1| 28,5| Acl.cc(124) matches: checking Safe_ports
2024/01/24 19:52:38.496 kid1| 28,3| Acl.cc(151) matches: checked: Safe_ports = 1
2024/01/24 19:52:38.496 kid1| 28,3| Acl.cc(151) matches: checked: !Safe_ports = 0
2024/01/24 19:52:38.496 kid1| 28,3| Acl.cc(151) matches: checked: http_access#1 = 0
2024/01/24 19:52:38.496 kid1| 28,5| Checklist.cc(397) bannedAction: Action 'DENIED/0' is not banned
2024/01/24 19:52:38.496 kid1| 28,5| Acl.cc(124) matches: checking http_access#2
2024/01/24 19:52:38.496 kid1| 28,5| Acl.cc(124) matches: checking CONNECT
2024/01/24 19:52:38.496 kid1| 28,3| Acl.cc(151) matches: checked: CONNECT = 1
2024/01/24 19:52:38.496 kid1| 28,5| Acl.cc(124) matches: checking !SSL_ports
2024/01/24 19:52:38.496 kid1| 28,5| Acl.cc(124) matches: checking SSL_ports
2024/01/24 19:52:38.496 kid1| 28,3| Acl.cc(151) matches: checked: SSL_ports = 1
2024/01/24 19:52:38.496 kid1| 28,3| Acl.cc(151) matches: checked: !SSL_ports = 0
2024/01/24 19:52:38.496 kid1| 28,3| Acl.cc(151) matches: checked: http_access#2 = 0
2024/01/24 19:52:38.496 kid1| 28,5| Checklist.cc(397) bannedAction: Action 'ALLOWED/0' is not banned
2024/01/24 19:52:38.496 kid1| 28,5| Acl.cc(124) matches: checking http_access#3
2024/01/24 19:52:38.496 kid1| 28,5| Acl.cc(124) matches: checking localhost
2024/01/24 19:52:38.496 kid1| 28,9| Ip.cc(96) aclIpAddrNetworkCompare: aclIpAddrNetworkCompare: compare: 10.0.3.223:4002/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff] (10.0.3.223:4002)  vs [::1]-[::]/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff]
2024/01/24 19:52:38.496 kid1| 28,9| Ip.cc(96) aclIpAddrNetworkCompare: aclIpAddrNetworkCompare: compare: 10.0.3.223:4002/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff] (10.0.3.223:4002)  vs 127.0.0.1-[::]/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff]
2024/01/24 19:52:38.496 kid1| 28,9| Ip.cc(96) aclIpAddrNetworkCompare: aclIpAddrNetworkCompare: compare: 10.0.3.223:4002/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff] (10.0.3.223:4002)  vs 127.0.0.1-[::]/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff]
2024/01/24 19:52:38.496 kid1| 28,3| Ip.cc(538) match: aclIpMatchIp: '10.0.3.223:4002' NOT found
2024/01/24 19:52:38.496 kid1| 28,3| Acl.cc(151) matches: checked: localhost = 0
2024/01/24 19:52:38.496 kid1| 28,3| Acl.cc(151) matches: checked: http_access#3 = 0
2024/01/24 19:52:38.496 kid1| 28,5| Checklist.cc(397) bannedAction: Action 'DENIED/0' is not banned
2024/01/24 19:52:38.496 kid1| 28,5| Acl.cc(124) matches: checking http_access#4
2024/01/24 19:52:38.496 kid1| 28,5| Acl.cc(124) matches: checking manager
2024/01/24 19:52:38.496 kid1| 28,3| RegexData.cc(43) match: checking '182.61.200.6:443'
2024/01/24 19:52:38.496 kid1| 28,3| Acl.cc(151) matches: checked: manager = 0
2024/01/24 19:52:38.496 kid1| 28,3| Acl.cc(151) matches: checked: http_access#4 = 0
2024/01/24 19:52:38.496 kid1| 28,5| Checklist.cc(397) bannedAction: Action 'ALLOWED/0' is not banned
2024/01/24 19:52:38.496 kid1| 28,5| Acl.cc(124) matches: checking http_access#5
2024/01/24 19:52:38.496 kid1| 28,5| Acl.cc(124) matches: checking whitelist
2024/01/24 19:52:38.496 kid1| 28,3| DomainData.cc(110) match: aclMatchDomainList: checking '182.61.200.6'
2024/01/24 19:52:38.496 kid1| 28,3| DomainData.cc(115) match: aclMatchDomainList: '182.61.200.6' NOT found
2024/01/24 19:52:38.496 kid1| 28,3| DestinationDomain.cc(96) match: Can't yet compare 'whitelist' ACL for 182.61.200.6
2024/01/24 19:52:38.496 kid1| 28,3| Acl.cc(151) matches: checked: whitelist = -1 async
2024/01/24 19:52:38.496 kid1| 28,3| Acl.cc(151) matches: checked: http_access#5 = -1 async
2024/01/24 19:52:38.496 kid1| 28,3| Acl.cc(151) matches: checked: http_access = -1 async
2024/01/24 19:52:38.496 kid1| 28,4| FilledChecklist.cc(67) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0x3189708
2024/01/24 19:52:38.496 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0x3189708
2024/01/24 19:52:38.500 kid1| 28,5| InnerNode.cc(94) resumeMatchingAt: checking http_access at 4
2024/01/24 19:52:38.500 kid1| 28,5| Checklist.cc(397) bannedAction: Action 'ALLOWED/0' is not banned
2024/01/24 19:52:38.500 kid1| 28,5| InnerNode.cc(94) resumeMatchingAt: checking http_access#5 at 0
2024/01/24 19:52:38.500 kid1| 28,5| Acl.cc(124) matches: checking whitelist
2024/01/24 19:52:38.500 kid1| 28,3| DomainData.cc(110) match: aclMatchDomainList: checking '182.61.200.6'
2024/01/24 19:52:38.500 kid1| 28,3| DomainData.cc(115) match: aclMatchDomainList: '182.61.200.6' NOT found
2024/01/24 19:52:38.500 kid1| 28,3| DomainData.cc(110) match: aclMatchDomainList: checking 'none'
2024/01/24 19:52:38.500 kid1| 28,3| DomainData.cc(115) match: aclMatchDomainList: 'none' NOT found
2024/01/24 19:52:38.500 kid1| 28,3| Acl.cc(151) matches: checked: whitelist = 0
2024/01/24 19:52:38.500 kid1| 28,3| InnerNode.cc(97) resumeMatchingAt: checked: http_access#5 = 0
2024/01/24 19:52:38.500 kid1| 28,5| Checklist.cc(397) bannedAction: Action 'DENIED/0' is not banned
2024/01/24 19:52:38.500 kid1| 28,5| Acl.cc(124) matches: checking http_access#6
2024/01/24 19:52:38.500 kid1| 28,5| Acl.cc(124) matches: checking all
2024/01/24 19:52:38.500 kid1| 28,9| Ip.cc(96) aclIpAddrNetworkCompare: aclIpAddrNetworkCompare: compare: 10.0.3.223:4002/[::] ([::]:4002)  vs [::]-[::]/[::]
2024/01/24 19:52:38.500 kid1| 28,3| Ip.cc(538) match: aclIpMatchIp: '10.0.3.223:4002' found
2024/01/24 19:52:38.500 kid1| 28,3| Acl.cc(151) matches: checked: all = 1
2024/01/24 19:52:38.500 kid1| 28,3| Acl.cc(151) matches: checked: http_access#6 = 1
2024/01/24 19:52:38.500 kid1| 28,3| InnerNode.cc(97) resumeMatchingAt: checked: http_access = 1
2024/01/24 19:52:38.500 kid1| 28,3| Checklist.cc(63) markFinished: 0x31a4428 answer DENIED for match
2024/01/24 19:52:38.500 kid1| 28,3| Checklist.cc(163) checkCallback: ACLChecklist::checkCallback: 0x31a4428 answer=DENIED
2024/01/24 19:52:38.500 kid1| 28,5| Gadgets.cc(81) aclIsProxyAuth: aclIsProxyAuth: called for all
2024/01/24 19:52:38.500 kid1| 28,9| Acl.cc(96) FindByName: ACL::FindByName 'all'
2024/01/24 19:52:38.500 kid1| 28,5| Gadgets.cc(86) aclIsProxyAuth: aclIsProxyAuth: returning 0
2024/01/24 19:52:38.500 kid1| 28,8| Gadgets.cc(49) aclGetDenyInfoPage: got called for all
2024/01/24 19:52:38.500 kid1| 28,8| Gadgets.cc(68) aclGetDenyInfoPage: aclGetDenyInfoPage: no match
2024/01/24 19:52:38.500 kid1| 28,4| FilledChecklist.cc(67) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0x7ffe2f431e20
2024/01/24 19:52:38.500 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0x7ffe2f431e20
2024/01/24 19:52:38.500 kid1| 28,4| FilledChecklist.cc(67) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0x7ffe2f431e20
2024/01/24 19:52:38.500 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0x7ffe2f431e20
2024/01/24 19:52:38.500 kid1| 28,4| FilledChecklist.cc(67) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0x31a4428
2024/01/24 19:52:38.500 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0x31a4428
2024/01/24 19:52:38.504 kid1| 28,3| Checklist.cc(70) preCheck: 0x7ffe2f431ba0 checking fast ACLs
2024/01/24 19:52:38.504 kid1| 28,5| Acl.cc(124) matches: checking access_log daemon:/var/log/squid/access.log
2024/01/24 19:52:38.504 kid1| 28,5| Acl.cc(124) matches: checking (access_log daemon:/var/log/squid/access.log line)
2024/01/24 19:52:38.504 kid1| 28,3| Acl.cc(151) matches: checked: (access_log daemon:/var/log/squid/access.log line) = 1
2024/01/24 19:52:38.504 kid1| 28,3| Acl.cc(151) matches: checked: access_log daemon:/var/log/squid/access.log = 1
2024/01/24 19:52:38.504 kid1| 28,3| Checklist.cc(63) markFinished: 0x7ffe2f431ba0 answer ALLOWED for match
2024/01/24 19:52:38.504 kid1| 28,4| FilledChecklist.cc(67) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0x7ffe2f431ba0
2024/01/24 19:52:38.504 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0x7ffe2f431ba0
2024/01/24 19:52:38.508 kid1| 33,2| client_side.cc(891) kick: local=182.61.200.6:443 remote=10.0.3.223:4002 flags=33 Connection was closed
2024/01/24 19:52:38.508 kid1| 28,3| Checklist.cc(70) preCheck: 0x7ffe2f431f10 checking fast ACLs
2024/01/24 19:52:38.508 kid1| 28,5| Acl.cc(124) matches: checking access_log daemon:/var/log/squid/access.log
2024/01/24 19:52:38.508 kid1| 28,5| Acl.cc(124) matches: checking (access_log daemon:/var/log/squid/access.log line)
2024/01/24 19:52:38.508 kid1| 28,3| Acl.cc(151) matches: checked: (access_log daemon:/var/log/squid/access.log line) = 1
2024/01/24 19:52:38.508 kid1| 28,3| Acl.cc(151) matches: checked: access_log daemon:/var/log/squid/access.log = 1
2024/01/24 19:52:38.508 kid1| 28,3| Checklist.cc(63) markFinished: 0x7ffe2f431f10 answer ALLOWED for match
2024/01/24 19:52:38.508 kid1| 28,4| FilledChecklist.cc(67) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0x7ffe2f431f10
2024/01/24 19:52:38.508 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0x7ffe2f431f10
2024/01/24 19:52:38.508 kid1| 33,2| client_side.cc(582) swanSong: local=182.61.200.6:443 remote=10.0.3.223:4002 flags=33

鱿鱼版本:

[root@web-ide-squid-cache squid]# squid -v
Squid Cache: Version 4.9
proxy
Martin Hope
Jordan
Asked: 2022-05-21 13:18:20 +0800 CST
  • 0

我正在寻找一个可以在 Amazon Linux 2 上安装和运行的简单 TCP 代理。我一直在 Ubuntu 上使用simpleproxy,它完全符合我的需要,但我似乎找不到 Amazon Linux 的等价物(或 Red Hat,或 CentOS,或任何其他使用yum)。

关于最干净、最简单的代理方法的任何建议,其中本地计算机上的给定端口(任何 TCP 端口,不限于 HTTP/HTTPS)被代理到远程计算机上的给定端口?

yum proxy
Martin Hope
Py-ser
Asked: 2022-04-18 14:13:18 +0800 CST
  • 2

我的/etc/apt/sources.list包含:

deb http://ubuntu.mirror.garr.it/ubuntu/ focal main
deb-src http://ubuntu.mirror.garr.it/ubuntu/ focal main

deb-src http://ubuntu.mirror.garr.it/ubuntu/ focal restricted universe multiverse

deb http://ubuntu.mirror.garr.it/ubuntu/ focal-updates main restricted universe multiverse
deb-src http://ubuntu.mirror.garr.it/ubuntu/ focal-updates main restricted universe multiverse

deb http://ubuntu.mirror.garr.it/ubuntu/ focal-security main restricted universe multiverse
deb-src http://ubuntu.mirror.garr.it/ubuntu/ focal-security main restricted universe multiverse

deb http://ubuntu.mirror.garr.it/ubuntu/ focal-backports main restricted universe multiverse
deb-src http://ubuntu.mirror.garr.it/ubuntu/ focal-backports main restricted universe multiverse

deb http://archive.canonical.com/ubuntu focal partner
deb-src http://archive.canonical.com/ubuntu focal partner

但是当我尝试与软件更新相关的任何事情时,例如, sudo apt update --fix-missing && sudo apt upgrade我在终端上得到以下输出:

    sudo apt update --fix-missing && sudo apt upgrade
Err:1 http://archive.canonical.com/ubuntu focal InRelease
  Temporary failure resolving 'proxy_server'
Err:2 http://ubuntu.mirror.garr.it/ubuntu focal InRelease
  Temporary failure resolving 'proxy_server'
Err:3 http://ubuntu.mirror.garr.it/ubuntu focal-updates InRelease
  Temporary failure resolving 'proxy_server'
Err:4 http://ubuntu.mirror.garr.it/ubuntu focal-security InRelease
  Temporary failure resolving 'proxy_server'
Err:5 http://ubuntu.mirror.garr.it/ubuntu focal-backports InRelease
  Temporary failure resolving 'proxy_server'
Reading package lists... Done
Building dependency tree       
Reading state information... Done
All packages are up to date.
W: Failed to fetch http://ubuntu.mirror.garr.it/ubuntu/dists/focal/InRelease  Temporary failure resolving 'proxy_server'
W: Failed to fetch http://ubuntu.mirror.garr.it/ubuntu/dists/focal-updates/InRelease  Temporary failure resolving 'proxy_server'
W: Failed to fetch http://ubuntu.mirror.garr.it/ubuntu/dists/focal-security/InRelease  Temporary failure resolving 'proxy_server'
W: Failed to fetch http://ubuntu.mirror.garr.it/ubuntu/dists/focal-backports/InRelease  Temporary failure resolving 'proxy_server'
W: Failed to fetch http://archive.canonical.com/ubuntu/dists/focal/InRelease  Temporary failure resolving 'proxy_server'
W: Some index files failed to download. They have been ignored, or old ones used instead.
Reading package lists... Done
Building dependency tree       
Reading state information... Done
Calculating upgrade... Done
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

我尝试安装的任何东西都会出现类似的问题:

$ sudo apt-get install indicator-cpufreq
Reading package lists... Done
Building dependency tree       
Reading state information... Done
E: Unable to locate package indicator-cpufreq

尝试从Software update应用程序更改服务器卡在缓存刷新中,或最终返回类似于Failed to fetch one(窗口不允许我复制和粘贴输出错误)的错误。

有关我的系统的更多信息:

$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 20.04.4 LTS
Release: 20.04
Codename: focal

什么应该进入services.listand proxy,问题可能是什么?

编辑#1:我认为我/etc/apt/apt.conf错了,我希望能在该文件中提供一些帮助。echo "$http_proxy"不返回任何东西,也不返回任何东西env | grep -i proxy。设置 --> 代理网络设置为禁用,但如果我检查Manual我进入proxy-server-ip“代理 HTTP”字段并且8080是端口。

编辑#2:我的/etc/apt/apt.conf.d/proxy.conf包含两行:

Acquire::http::Proxy "http://proxy_server:port/";
Acquire::https::Proxy "http://proxy_server:port/";
apt proxy
Martin Hope
user89978
Asked: 2022-04-10 02:05:42 +0800 CST
  • 0

我正在尝试在我的 SUSE VM 上设置代理。按照这个官方指南,我已经在/etc/sysconfig/proxy文件中设置了代理值。

现在在同一篇文章中说要使用代理凭据,我必须.curlrc在用户$HOME目录下创建文件。但是,我想在系统范围内为所有用户使用代理凭据。如果是这样,我在哪里可以创建这个文件?

proxy suse
Martin Hope
rubo77
Asked: 2022-03-27 05:12:54 +0800 CST
  • 0

我有一个带有多个虚拟机的服务器,其中一个是我的代理,它将正确的域引导到正确端口上的正确 VM。

  1. 我使用标准的 docker-compose 文件来创建 gitlab-ce 和 gitlab-runner
  2. 我按代理中的域重定向到我的 docker VM 中的端口 8080

这一切都很好,我可以使用https://gitlab.mydomain.de登录我的浏览器。

现在的问题是:所有指向跑步者的链接和指向克隆存储库的链接都以http://localhost而不是https://gitlab.mydomain.de.

docker-compose 文件中的选项 GITLAB_OMNIBUS_CONFIG->external_url包含 http://localhost,所以我将其更改为https://gitlab.mydomain.de,停止并重新启动 docker 容器

docker-compose down; docker-compose up

但是这次我只在浏览器中收到502 Bad Gateway 错误。

这是我的代理配置:

server {
  listen 10.77.77.254:443 ssl;
  listen [2a01:4f8:241:1d02:0:77:77:254]:443 ssl;
  server_name gitlab.mydomain.de;
  include snippets.d/ssl_generic;
  ssl_certificate     /etc/letsencrypt/live/gitlab.mydomain.de/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/gitlab.mydomain.de/privkey.pem;
  include snippets.d/standard;
  location / {
      include                     snippets.d/proxy_generic;
      proxy_pass                  http://10.77.77.107:8080;
  }
}

这是我的docker-compose.yml

version: '3.7'
services:
  web:
    image: 'gitlab/gitlab-ce:latest'
    restart: always
    hostname: 'localhost'
    container_name: gitlab-ce
    environment:
      GITLAB_OMNIBUS_CONFIG: |
        external_url 'https://gitlab.mydomin.de'
    ports:
      - '8080:80'
      - '8443:443'
    volumes:
      - '/var/docker/gitlab/config:/etc/gitlab'
      - '/var/docker/gitlab/logs:/var/log/gitlab'
      - '/var/docker/gitlab/data:/var/opt/gitlab'
    networks:
      - gitlab
  gitlab-runner:
    image: gitlab/gitlab-runner:alpine
    container_name: gitlab-runner    
    restart: always
    depends_on:
      - web
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - '/var/docker/gitlab/gitlab-runner:/etc/gitlab-runner'
    networks:
      - gitlab

networks:
  gitlab:
    name: gitlab-network

如果我改变

external_url 'https://gitlab.mydomain.de'

返回 http

external_url 'http://gitlab.mydomain.de'

然后设置再次工作(但现在网络界面上的错误 URL 仅以“http://”开头)。

问题似乎出https在 external_url 中。

如果我将 proxy_pass 更改为http://10.77.77.107:8433docker-compose 文件中将 ssl 端口呈现给主机的位置,则会收到400 Bad Request 错误:

400 Bad Request The plain HTTP request was sent to HTTPS port

更新: 他们在这里说:

默认情况下,当您指定 external_url 时,Omnibus GitLab 将设置一些 NGINX 代理标头,这些标头在大多数环境中被认为是正常的。

例如,Omnibus GitLab 将设置:

"X-Forwarded-Proto" => "https",
"X-Forwarded-Ssl" => "on"

如果您在 external_url 中指定了 https 架构。

但是,如果您的 GitLab 处于更复杂的设置中,例如在反向代理后面,则需要调整代理标头以避免错误,例如您想要的更改被拒绝或无法验证 CSRF 令牌真实性已完成 422 无法处理。

我尝试覆盖默认标题。在综合部分的 docker-compose 文件中,我添加了 X-Forwarded-Proto: http:

environment:
  GITLAB_OMNIBUS_CONFIG: |
    external_url 'https://gitlab.mydomain.de'
    letsencrypt['enabled'] = false
    nginx['listen_port'] = 80
    nginx['proxy_set_headers'] = { "X-Forwarded-Proto" => "http", 'X-Forwarded-Ssl' => 'off' }

但这也无济于事

我该如何解决这个问题?

nginx proxy
Martin Hope
Alex D.
Asked: 2022-03-26 06:43:02 +0800 CST
  • 0

我需要一些关于基于 SSH 的 SOCKS 代理服务器的帮助。

我正在使用以下命令运行 SSH SOCKS 代理:

ssh -N -D 0.0.0.0:1080 localhost

我可以默认启用它吗?无论如何,默认情况下 ssh 守护程序是打开的,因此必须有一种方法来配置它。

另外,我使用 0.0.0.0 来允许所有传入的 IP 地址。我可以将其限制在子网中吗?例如 192.168.1.0/24。或者至少是一个接口名称。

ssh proxy
Martin Hope
Logan Lee
Asked: 2021-11-19 01:14:59 +0800 CST
  • 0

我在 vps 中运行节点 js 应用程序。

这是我的 nginx 配置:

server {
    listen       80;
    server_name  xxx.xxx.xxx.xxx;
    #access_log   logs/ecommerce.access.log  main;
    
    location /ecommerce/api/ {
        proxy_pass      http://127.0.0.1:8000/api/;
    }
    
    location /ecapp/ {
        proxy_pass      http://127.0.0.1:3000/;
    }
}

localhost:8000/api是使用mongodb atlas的后端服务器。我已经通过使用邮递员和发送请求确认了这项工作。

localhost:3000是前端应用程序。

前端应用程序仅在以下情况下通过我的 vps 的公共 ip 工作:

server {
    listen       80;
    server_name  xxx.xxx.xxx.xxx;
    #access_log   logs/ecommerce.access.log  main;
    
    location /ecommerce/api/ {
        proxy_pass      http://127.0.0.1:8000/api/;
    }
    
    location / {
        proxy_pass      http://127.0.0.1:3000/;
    }
}

除了/like之外的位置/ecapp/不起作用。只有位置/作品。

http://my_vps_ip/我想通过like以外的方式访问前端应用程序http://my_vps_ip/ecapp

任何帮助表示赞赏。

nginx proxy
Martin Hope
Rizwan Saleem
Asked: 2021-10-13 05:43:33 +0800 CST
  • 0

我在 Centos 8 上运行了 squid 代理服务器,它无法阻止任何 https 站点。

#
# Recommended minimum configuration:
#

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
#acl localnet src 0.0.0.1-0.255.255.255 # RFC 1122 "this" network (LAN)
#acl localnet src 10.0.0.0/8        # RFC 1918 local private network (LAN)
#acl localnet src 100.64.0.0/10     # RFC 6598 shared address space (CGN)
#acl localnet src 169.254.0.0/16    # RFC 3927 link-local (directly plugged) machines
#acl localnet src 172.16.0.0/12     # RFC 1918 local private network (LAN)
#acl localnet src 192.168.0.0/16        # RFC 1918 local private network (LAN)
#acl localnet src fc00::/7          # RFC 4193 local private network range
#acl localnet src fe80::/10         # RFC 4291 link-local (directly plugged) machines

acl localnet src 200.200.200.0/24
http_access allow localnet

acl SSL_ports port 443
acl Safe_ports port 80      # http
acl Safe_ports port 21      # ftp
acl Safe_ports port 443     # https
acl Safe_ports port 70      # gopher
acl Safe_ports port 210     # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280     # http-mgmt
acl Safe_ports port 488     # gss-http
acl Safe_ports port 591     # filemaker
acl Safe_ports port 777     # multiling http
acl CONNECT method CONNECT

#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#badsite block
#acl badsite url_regex "/etc/squid/block"
#http_access deny badsite 
acl badsite dstdomain .facebook.com
http_access deny badsite

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost

# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128
http_port 3128

# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/spool/squid 100 16 256

# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid

#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp:       1440    20% 10080
refresh_pattern ^gopher:    1440    0%  1440
refresh_pattern -i (/cgi-bin/|\?) 0 0%  0
refresh_pattern .       0   20% 4320
centos proxy