We use a transparent proxy, Squid (Squid Cache: Version 3.5.28, Service Name: squid). The problem looks somewhat like Squid SSL Bump TAG_NONE / HIER_NONE, but my access log is slightly different.
We have an EC2 instance running Java 8 and an application that talks to GCP over the internet. This application appears to be able to consume data from other sources successfully, but it cannot publish to the Google PubSub account. Publishing via curl seems to work fine.
Here is what we see in the access log:
```
{"event": "2019-08-28 10:14:53 +1000.140 106 10.xxx TAG_NONE/200 0 CONNECT 172.217.167.106:443 - ORIGINAL_DST/172.217.167.106 - peek pubsub.googleapis.com", "source_name": "/var/log/squid/access.log"}
```
Note that another Java-based application publishes to GCP without any problems using the same proxy node, and in that case I see TCP_TUNNEL/200.
Any idea what the above access log entry actually means?
The Squid configuration is below:
```
#
# FILE MANAGED BY PUPPET - Module squid
# Adapted from the RedHat recommended minimum configuration.
#
visible_hostname devproxy-hostname.local
acl to_linklocal dst 169.254.0.0/16 fe80::/10
# Source networks that are allowed to use this proxy
acl localnet src 10.x.x.x/16
# Destination ports that are allowed to be proxied (not CONNECT method)
acl allow_proxy_port port 22
acl allow_proxy_port port 25
acl allow_proxy_port port 443
acl allow_proxy_port port 465
acl allow_proxy_port port 80
# Destination ports that are allowed to be proxied via the CONNECT method
acl allow_connect_port port 22
acl allow_connect_port port 25
acl allow_connect_port port 443
acl allow_connect_port port 465
acl CONNECT method CONNECT
# DON'T SEND AN ERROR MESSAGE BACK FROM SQUID WHEN THE SSL CERTIFICATE
# IS NOT VALID
sslproxy_flags DONT_VERIFY_PEER
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access allow manager
# Deny requests to certain unsafe ports
http_access deny !allow_proxy_port
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !allow_connect_port
# Deny access to localhost & link-local addresses
http_access deny to_localhost
http_access deny to_linklocal
acl explicit_http myportname 3128
acl transparent_http myportname 3129
acl transparent_https myportname 3130
# Allow access from clients within the IP ranges defined in localnet
# and the localhost itself for the explicit proxy
http_access allow localnet explicit_http
http_access allow localhost explicit_http
# Allow access from clients within the IP ranges defined in localnet
# and the localhost itself for the transparent proxy
http_access allow localnet transparent_http
http_access allow localhost transparent_http
# No whitelist here as it's taken care of during the peek and splice below
http_access allow localnet transparent_https
http_access allow localhost transparent_https
# And finally deny all other access to this proxy
http_access deny all
# Squid normally listens to port 3128
http_port 3128
http_port 3129 intercept
https_port 3130 ssl-bump intercept cert=/etc/squid/squid.crt key=/etc/squid/squid.key generate-host-certificates=on
# Disable any caching
cache deny all
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
# Double peek required to get around an issue with https://wiki.squid-cache.org/KnowledgeBase/HostHeaderForgery
# as the DNS is looked up again and has a possibility that the IP has changed
ssl_bump peek step1 all
ssl_bump peek step2 all
ssl_bump splice step3 all
# Disable via and x-forwarded-for headers
via off
forwarded_for delete
max_filedescriptors 2048
workers 1
# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
# Change epoch time to human readable time format - Squid 3.5
# Example: 1447998880.602 to 2015-11-20 16:57:40 +1100.107
logformat squid %{%Y-%m-%d %H:%M:%S %z}tl.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt %ssl::bump_mode %ssl::>sni
access_log /var/log/squid/access.log squid
logfile_rotate 0
```
Thanks
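The custom `logformat squid` line in the question determines which field is which in the quoted entry, so a small parser for that exact format makes the difference between the failing entry (TAG_NONE, zero reply bytes, bump mode still at `peek`) and a healthy one (TCP_TUNNEL/200 with bytes flowing, as the poster reports for the other Java application) mechanical to spot across a whole log. The following is an added example, not the poster's code or anything shipped with Squid; the sample lines are constructed (the first mirrors the quoted entry with the redacted client address replaced by a made-up RFC 1918 one, the second is an invented TCP_TUNNEL/200 entry for the same SNI), and the field meanings come from the `%` codes in that `logformat` directive.

```python
"""Parser for the custom Squid 3.5 access_log format from the question:

logformat squid %{%Y-%m-%d %H:%M:%S %z}tl.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt %ssl::bump_mode %ssl::>sni
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List

# Constructed sample lines (not taken from a live proxy). The first mirrors the
# entry quoted in the question with the redacted client IP replaced by a made-up
# address; the second is an invented entry with the TCP_TUNNEL/200 shape the
# poster says the working Java application produces.
SAMPLE_LINES: List[str] = [
    "2019-08-28 10:14:53 +1000.140    106 10.0.0.5 TAG_NONE/200 0 CONNECT "
    "172.217.167.106:443 - ORIGINAL_DST/172.217.167.106 - peek pubsub.googleapis.com",
    "2019-08-28 10:15:02 +1000.512   2310 10.0.0.7 TCP_TUNNEL/200 48211 CONNECT "
    "172.217.167.106:443 - ORIGINAL_DST/172.217.167.106 - splice pubsub.googleapis.com",
]


@dataclass
class SquidEntry:
    timestamp: datetime   # %tl.%tu: local time with UTC offset and milliseconds
    duration_ms: int      # %tr: transaction time in milliseconds
    client_ip: str        # %>a
    status_tag: str       # %Ss: TAG_NONE, TCP_TUNNEL, ...
    http_status: int      # %>Hs
    reply_bytes: int      # %<st: bytes sent back to the client
    method: str           # %rm
    url: str              # %ru
    user: str             # %[un
    hier_code: str        # %Sh: ORIGINAL_DST, HIER_NONE, ...
    server_ip: str        # %<a
    mime_type: str        # %mt
    bump_mode: str        # %ssl::bump_mode: peek, splice, bump, ...
    sni: str              # %ssl::>sni


def parse_line(line: str) -> SquidEntry:
    """Split one access.log line into its fields.

    Every field in this logformat is free of whitespace except the timestamp,
    which the strftime pattern spreads over three tokens, so a plain split
    yields exactly 14 tokens; %6tr and %03>Hs only add padding.
    """
    parts = line.split()
    if len(parts) != 14:
        raise ValueError(f"expected 14 fields, got {len(parts)}: {line!r}")
    date, clock, tz_ms = parts[0], parts[1], parts[2]
    tz, millis = tz_ms.split(".")  # "+1000.140" -> "+1000", "140"
    ts = datetime.strptime(f"{date} {clock} {tz}", "%Y-%m-%d %H:%M:%S %z")
    ts = ts.replace(microsecond=int(millis) * 1000)
    status_tag, http_status = parts[5].split("/")
    hier_code, server_ip = parts[10].split("/")
    return SquidEntry(
        timestamp=ts,
        duration_ms=int(parts[3]),
        client_ip=parts[4],
        status_tag=status_tag,
        http_status=int(http_status),
        reply_bytes=int(parts[6]),
        method=parts[7],
        url=parts[8],
        user=parts[9],
        hier_code=hier_code,
        server_ip=server_ip,
        mime_type=parts[11],
        bump_mode=parts[12],
        sni=parts[13],
    )


def classify(entry: SquidEntry) -> str:
    """Label an intercepted CONNECT by what the log says happened to it.

    'tunnel'    - TCP_TUNNEL with reply bytes: the TLS session was carried
                  through to the origin and data came back to the client.
    'no-tunnel' - TAG_NONE, zero reply bytes, last bump action still 'peek':
                  the shape of the entry the question asks about; Squid logged
                  the intercepted CONNECT but nothing was relayed back.
    'other'     - everything else (non-CONNECT traffic, denials, ...).
    """
    if entry.method != "CONNECT":
        return "other"
    if entry.status_tag == "TCP_TUNNEL" and entry.reply_bytes > 0:
        return "tunnel"
    if entry.status_tag == "TAG_NONE" and entry.reply_bytes == 0 and entry.bump_mode == "peek":
        return "no-tunnel"
    return "other"


def summarize(lines: List[str]) -> Dict[str, Dict[str, int]]:
    """Count outcomes per SNI so a destination that never tunnels stands out."""
    counts: Dict[str, Dict[str, int]] = {}
    for line in lines:
        entry = parse_line(line)
        per_sni = counts.setdefault(entry.sni, {})
        label = classify(entry)
        per_sni[label] = per_sni.get(label, 0) + 1
    return counts


if __name__ == "__main__":
    for raw in SAMPLE_LINES:
        e = parse_line(raw)
        print(f"{e.timestamp.isoformat()} {e.client_ip:>10} {e.status_tag:<10} "
              f"{e.bump_mode:<6} {e.sni}: {classify(e)}")
    print(summarize(SAMPLE_LINES))
```

Running it over a real file is just `summarize(open("/var/log/squid/access.log").read().splitlines())`; a host whose only label is `no-tunnel` while other clients get `tunnel` for the same SNI is the pattern to compare against the client that cannot publish.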