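Situation:
Outlook 2010 takes a long time to connect to Office 365 (status shows: Trying to connect), and eventually connects successfully.
Cause:
A default Squid installation only acts as an HTTP proxy; for other ports it establishes a tunnel.
Solution:
Enable Squid SSL bump and add the Office 365 domains to ssl_exclude_domains.conf.
Steps: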
1. Create CA certificate and key for SSL bump
cd /etc/squid
mkdir ssl_cert
chown squid:squid ssl_cert
chmod 700 ssl_cert
cd ssl_cert
openssl req -new -newkey rsa:2048 -sha256 -days 3650 -nodes -x509 -keyout myCA.pem -out myCA.pem
2. Generate DH parameters in '/etc/squid' folder
openssl dhparam -outform PEM -out dhparam.pem 2048
3. Extract the certificate for importing into browsers
openssl x509 -in myCA.pem -outform DER -out myCA.der
4. Edit '/etc/squid/squid.conf' and add the following before the 'http_access deny all' rule
# Enable SSL bump
#acl step1 at_step SslBump1
#acl step2 at_step SslBump2
#acl step3 at_step SslBump3
acl ssl_exclude_domains ssl::server_name "/etc/squid/ssl_exclude_domains.conf"
acl ssl_exclude_ips dst "/etc/squid/ssl_exclude_ips.conf"
#ssl_bump splice localhost
#ssl_bump peek step1 all
ssl_bump splice ssl_exclude_domains
ssl_bump splice ssl_exclude_ips
#ssl_bump stare step2 all
#ssl_bump bump all
# The stock 'http_access deny all' rule is commented out below; this config allows all access to the proxy
http_access allow all
#http_access deny all
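Only hosts that match the splice list are exempted, so it helps to check the list against what Outlook actually connects to. The following added example (not from the original post) compares CONNECT hosts in an access.log with the list, assuming ssl::server_name entries follow Squid's dstdomain convention, where a leading dot also matches subdomains. The list entries, log lines and function names are constructed for illustration.

```python
# Constructed sample of /etc/squid/ssl_exclude_domains.conf (entries are assumptions)
EXCLUDE_CONF = """\
# Office 365 / Outlook
.office365.com
.outlook.com
login.microsoftonline.com
"""

# Constructed access.log lines in Squid's native log format
ACCESS_LOG = """\
1500000000.101  30211 192.168.1.10 TCP_TUNNEL/200 8120 CONNECT outlook.office365.com:443 - HIER_DIRECT/192.0.2.10 -
1500000001.202   1200 192.168.1.10 TCP_TUNNEL/200 4410 CONNECT login.microsoftonline.com:443 - HIER_DIRECT/192.0.2.11 -
1500000002.303  29877 192.168.1.10 TCP_TUNNEL/200 3300 CONNECT autodiscover-s.outlook.com:443 - HIER_DIRECT/192.0.2.12 -
1500000003.404    950 192.168.1.11 TCP_TUNNEL/200 2100 CONNECT device.login.microsoftonline.com:443 - HIER_DIRECT/192.0.2.13 -
1500000004.505     80 192.168.1.11 TCP_MISS/200 900 GET http://example.com/ - HIER_DIRECT/192.0.2.14 text/html
"""

def load_patterns(text):
    """Return lower-cased patterns, skipping blank lines and # comments."""
    return [l.strip().lower() for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]

def is_spliced(host, patterns):
    """dstdomain-style match: '.x.com' covers x.com and subdomains, 'x.com' only itself."""
    host = host.lower().rstrip(".")
    for p in patterns:
        if p.startswith("."):
            if host == p[1:] or host.endswith(p):
                return True
        elif host == p:
            return True
    return False

def connect_hosts(log_text):
    """Extract host names from CONNECT requests (field 6 = method, field 7 = host:port)."""
    hosts = []
    for line in log_text.splitlines():
        f = line.split()
        if len(f) >= 7 and f[5] == "CONNECT":
            hosts.append(f[6].rsplit(":", 1)[0])
    return hosts

def uncovered(log_text, conf_text):
    """CONNECT hosts that are not on the splice list, in first-seen order."""
    pats = load_patterns(conf_text)
    return [h for h in dict.fromkeys(connect_hosts(log_text)) if not is_spliced(h, pats)]

if __name__ == "__main__":
    print(uncovered(ACCESS_LOG, EXCLUDE_CONF))
```

The entry without a leading dot matches only the exact name, which is why the subdomain in the sample log is reported as uncovered.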
PS. In my environment, even with "Bypass proxy server for local addresses" checked, Outlook still waits a long time.