Squid - 403 Forbidden (SSH via HTTP Proxy)


0x01 Problem - SSH via Squid - 403 Forbidden

How to troubleshoot a 403 Forbidden from Squid

In this example I want to SSH from my laptop to 13.228.168.169:22 (an EC2 server) through the HTTP proxy 35.174.208.142:3128 (Squid listening on port 3128).

The problem: the proxy answers the CONNECT request with 403 Forbidden.

0x02 - Troubleshooting

  1. tail -f /var/log/squid/access.log: the last two lines of the output (#10, #11) show
    CONNECT 13.228.168.169:22 being refused (TCP_DENIED/403).
[root@ip-172-31-55-111 ec2-user]# tail -f   /var/log/squid/access.log
1599364932.853 171860 112.199.148.226 TCP_TUNNEL/200 22517 CONNECT www.google-analytics.com:443 - HIER_DIRECT/172.217.2.110 -
1599364933.864 207353 112.199.148.226 TCP_TUNNEL/200 398104 CONNECT www.google.com:443 - HIER_DIRECT/172.253.63.106 -
1599364933.864 171453 112.199.148.226 TCP_TUNNEL/200 3643 CONNECT stats.g.doubleclick.net:443 - HIER_DIRECT/172.217.197.155 -
1599364935.881 171964 112.199.148.226 TCP_TUNNEL/200 4101 CONNECT px.ads.linkedin.com:443 - HIER_DIRECT/108.174.10.14 -
1599364960.904 116222 112.199.148.226 TCP_TUNNEL/200 4748 CONNECT firefox.settings.services.mozilla.com:443 - HIER_DIRECT/52.85.144.53 -
1599364995.637  61537 112.199.148.226 TCP_TUNNEL/200 3792 CONNECT incoming.telemetry.mozilla.org:443 - HIER_DIRECT/34.210.106.102 -
1599364995.638  61538 112.199.148.226 TCP_TUNNEL/200 3792 CONNECT incoming.telemetry.mozilla.org:443 - HIER_DIRECT/34.210.106.102 -
1599365365.628     19 112.199.148.226 TCP_MISS/200 893 POST http://ocsp.pki.goog/gts1o1core - HIER_DIRECT/172.217.13.227 application/ocsp-response
1599365444.156      0 112.199.148.226 TCP_DENIED/403 3904 CONNECT 13.228.168.169:22 - HIER_NONE/- text/html
1599365547.623      0 112.199.148.226 TCP_DENIED/403 3904 CONNECT 13.228.168.169:22 - HIER_NONE/- text/html
  2. sudo vi /etc/squid/squid.conf
    Port 22 is not among the default SSL_ports values (line #1 of the excerpt lists only 443).
    The last line, http_access deny CONNECT !SSL_ports, denies CONNECT to any port other than 443.
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
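To make step 1 repeatable instead of eyeballing tail -f, here is a small audit script for Squid's native access.log format. It is an added example and not code from the post: the sample lines embedded in it are copied from the post's own log excerpts, the function names are my own, and the 443-only default for SSL_ports is taken from the squid.conf excerpt above. It separates CONNECT requests Squid refused (TCP_DENIED/403) from tunnels it opened (TCP_TUNNEL/200), flags CONNECT targets whose port is outside SSL_ports, and reports client/target pairs that were denied and later tunnelled, which is the trace an ACL change leaves behind.

```python
"""Audit CONNECT decisions in Squid's native access.log (added example, not from the post).

Native format, one request per line:
  time elapsed client result/status bytes method target ident hierarchy/peer type
"""
from collections import Counter
from datetime import datetime, timezone
from typing import Iterable, List, NamedTuple, Optional, Tuple

# Sample lines copied from the access.log excerpts in the post.
SAMPLE_LOG = """\
1599364932.853 171860 112.199.148.226 TCP_TUNNEL/200 22517 CONNECT www.google-analytics.com:443 - HIER_DIRECT/172.217.2.110 -
1599365365.628     19 112.199.148.226 TCP_MISS/200 893 POST http://ocsp.pki.goog/gts1o1core - HIER_DIRECT/172.217.13.227 application/ocsp-response
1599365444.156      0 112.199.148.226 TCP_DENIED/403 3904 CONNECT 13.228.168.169:22 - HIER_NONE/- text/html
1599365547.623      0 112.199.148.226 TCP_DENIED/403 3904 CONNECT 13.228.168.169:22 - HIER_NONE/- text/html
1599370176.808  94936 112.199.148.226 TCP_TUNNEL/200 3680 CONNECT 13.228.168.169:22 - HIER_DIRECT/13.228.168.169 -
"""


class Entry(NamedTuple):
    when: datetime
    client: str
    result: str      # Squid result code, e.g. TCP_DENIED or TCP_TUNNEL
    status: int      # HTTP status returned to the client, e.g. 403
    method: str
    target: str      # host:port for CONNECT, full URL for other methods
    peer: str        # hierarchy/peer field; HIER_NONE/- means nothing upstream was contacted


def parse_line(line: str) -> Optional[Entry]:
    """Parse one native-format line; return None for blank or malformed lines."""
    fields = line.split()
    if len(fields) < 9:
        return None
    result, _, status = fields[3].partition("/")
    try:
        when = datetime.fromtimestamp(float(fields[0]), tz=timezone.utc)
        return Entry(when, fields[2], result, int(status), fields[5], fields[6], fields[8])
    except ValueError:
        return None


def connect_port(target: str) -> Optional[int]:
    """Port of a CONNECT target such as '13.228.168.169:22'."""
    _, sep, port = target.rpartition(":")
    return int(port) if sep and port.isdigit() else None


def connect_entries(lines: Iterable[str]) -> List[Entry]:
    return [e for e in map(parse_line, lines) if e is not None and e.method == "CONNECT"]


def summarise_connects(lines: Iterable[str]) -> dict:
    """Count denied and tunnelled CONNECTs per (client, target)."""
    denied: Counter = Counter()
    tunnelled: Counter = Counter()
    for e in connect_entries(lines):
        if e.result == "TCP_DENIED":
            denied[(e.client, e.target)] += 1
        elif e.result == "TCP_TUNNEL":
            tunnelled[(e.client, e.target)] += 1
    return {"denied": dict(denied), "tunnelled": dict(tunnelled)}


def flag_non_ssl_connects(lines: Iterable[str],
                          ssl_ports=frozenset({443})) -> List[Tuple[str, str, str, str]]:
    """CONNECTs to ports outside ssl_ports (default: only 443, the stock SSL_ports ACL)."""
    flagged = []
    for e in connect_entries(lines):
        port = connect_port(e.target)
        if port is None or port in ssl_ports:
            continue
        flagged.append((e.when.strftime("%Y-%m-%d %H:%M:%S"), e.client, e.target,
                        f"{e.result}/{e.status}"))
    return flagged


def policy_changes(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """(client, target) pairs denied first and tunnelled later: evidence an ACL change took effect."""
    seen_denied = set()
    changed: List[Tuple[str, str]] = []
    for e in connect_entries(lines):          # access.log is already in time order
        key = (e.client, e.target)
        if e.result == "TCP_DENIED":
            seen_denied.add(key)
        elif e.result == "TCP_TUNNEL" and key in seen_denied and key not in changed:
            changed.append(key)
    return changed


if __name__ == "__main__":
    sample = SAMPLE_LOG.splitlines()
    print(summarise_connects(sample))
    for row in flag_non_ssl_connects(sample):
        print("non-SSL CONNECT:", *row)
    print("denied then allowed:", policy_changes(sample))
```

Run it against a real file with `python3 audit.py < /var/log/squid/access.log` after swapping SAMPLE_LOG for `sys.stdin`; the non-SSL CONNECT list is the quickest way to see which ports clients are trying to tunnel through the proxy, and the denied-then-allowed list confirms when a rule change started taking effect.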

0x03 Change the configuration

  1. Add the line acl SSL_Ports port 22
acl SSL_ports port 443
acl SSL_Ports port 22  		# add this line
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
  2. Restart Squid
    systemctl restart squid
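A tighter way to open the tunnel, added here as an example and not the post's own configuration: rather than declaring 22 an SSL port for every client and every destination, allow CONNECT to port 22 only from the laptop's address to the one EC2 host, and let every other CONNECT fall through to the stock deny lines. Two details worth checking against the excerpt in 0x02: the existing ACL is spelled SSL_ports (lower-case p), and a line meant to extend it should use the same spelling so the rule does not depend on how Squid treats ACL name case; and port 22 is absent from Safe_ports as well as from SSL_ports, so http_access deny !Safe_ports also stands in the way, which is why the scoped allow below sits before both deny lines. The addresses are the ones from the post's logs; the ACL names ssh_clients, ssh_targets and ssh_port are assumed.

```conf
# Added example (not the post's squid.conf): scope CONNECT-to-22 to one client and one host.
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

# Assumed ACL names; the addresses are the laptop and the EC2 host from the post's logs
acl ssh_clients src 112.199.148.226/32   # client address as it appears in access.log
acl ssh_targets dst 13.228.168.169/32    # the EC2 server
acl ssh_port port 22

# The first matching http_access line wins, and every ACL on a line must match (AND).
# Placing the scoped allow before the generic denies means neither port list is widened.
http_access allow CONNECT ssh_port ssh_clients ssh_targets

# Stock Squid defaults, unchanged
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
```

After `systemctl restart squid`, a CONNECT to 13.228.168.169:22 from 112.199.148.226 shows up in access.log as TCP_TUNNEL/200, while a CONNECT to port 22 on any other host, or from any other client, is still logged as TCP_DENIED/403 by the unchanged deny lines.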

0x04 SSH again with PuTTY

SSH succeeded!!!

The Squid access.log now looks like this:

[root@ip-172-31-55-111 ec2-user]# systemctl restart squid
[root@ip-172-31-55-111 ec2-user]# tail -f   /var/log/squid/access.log
1599369354.379    101 112.199.148.226 TCP_MISS/200 551 GET http://detectportal.firefox.com/success.txt? - HIER_DIRECT/23.40.62.19 text/plain
1599369354.379    100 112.199.148.226 TCP_MISS/200 551 GET http://detectportal.firefox.com/success.txt? - HIER_DIRECT/23.40.62.19 text/plain
1599369354.615      2 112.199.148.226 TCP_MISS/200 551 GET http://detectportal.firefox.com/success.txt? - HIER_DIRECT/23.40.62.19 text/plain
1599369354.615      2 112.199.148.226 TCP_MISS/200 551 GET http://detectportal.firefox.com/success.txt? - HIER_DIRECT/23.40.62.19 text/plain
1599369359.708  86630 112.199.148.226 TCP_TUNNEL/200 3865 CONNECT push.services.mozilla.com:443 - HIER_DIRECT/34.218.33.223 -
1599369478.298 203775 112.199.148.226 TCP_TUNNEL/200 5476 CONNECT firefox.settings.services.mozilla.com:443 - HIER_DIRECT/52.85.144.53 -
1599370050.123      0 112.199.148.226 TCP_DENIED/403 3904 CONNECT 13.228.168.169:22 - HIER_NONE/- text/html
1599370176.808  94936 112.199.148.226 TCP_TUNNEL/200 3680 CONNECT 13.228.168.169:22 - HIER_DIRECT/13.228.168.169 -
1599370193.031 116848 112.199.148.226 TCP_TUNNEL/200 4748 CONNECT firefox.settings.services.mozilla.com:443 - HIER_DIRECT/52.85.144.53 -
1599370356.215     50 112.199.148.226 TCP_MISS/200 893 POST http://ocsp.pki.goog/gts1o1core - HIER_DIRECT/172.217.8.3 application/ocsp-response

0x05 - Using MobaXterm & corkscrew

  1. Install corkscrew
  06/09/2020   13:51.14   /home/mobaxterm  apt-get install corkscrew


DISCLAIMER:

This will download and install third-party software packages, distributed by
the Cygwin Project, from online Cygwin repositories.
These software packages are distributed under their own terms available here:
http://mirrors.kernel.org/sourceware/cygwin/x86/release
Third-party software packages are neither developed nor distributed by Mobatek.
In no event shall Mobatek be liable for any direct, indirect, incidental,
special, exemplary, or consequential damages (including, but not limited to,
procurement of substitute goods or services, loss of data or profits, computer
virus infection, or business interruption) however caused and on any theory of
liability, whether in contract, strict liability, or tort (including negligence
or otherwise) arising in any way out of the use of these third-party software
packages, even if advised of the possibility of such damage.
By typing "y", you agree to use these third-party programs at your own risks.

Type "y" to continue or any other key to exit: y

The following packages will be installed:
- corkscrew v2.0-1 (16 kB): Tunnel TCP connections through HTTP proxies
- cygwin v3.0.4-1 (1949 kB): The UNIX emulation engine

➤ Type "y" to download and install these packages (1.92 MB): y


- Downloading package rebase-4.4.4-1.tar.xz                                 [OK]
- Installing package rebase-4.4.4-1.tar.xz                                  [OK]
- Downloading package cygwin-3.0.4-1.tar.xz                                 [OK]
- Installing package cygwin-3.0.4-1.tar.xz                                  [OK]
- Downloading package corkscrew-2.0-1.tar.bz2                               [OK]
- Installing package corkscrew-2.0-1.tar.bz2                                [OK]
- Executing postinstall scripts                                             [OK]


  06/09/2020   13:52.11   /home/mobaxterm  corkscrew
corkscrew 2.0 (agroman@agroman.net)

usage: corkscrew <proxyhost> <proxyport> <desthost> <destport> [authfile]


  06/09/2020   13:52.16   /home/mobaxterm  vi ~/.ssh/config

  2. Create ~/.ssh/config as follows.
    [screenshot of the ~/.ssh/config file]
  3. SSH succeeded!!
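An ~/.ssh/config in the form corkscrew is designed for, added as an example and not the file from the post: corkscrew takes the proxy host and port followed by the destination host and port (its usage line is printed above), and ssh substitutes %h and %p with the HostName and Port of the host being connected to. The proxy and server addresses are the ones from the post; the Host alias ec2-via-squid and the login name ec2-user are assumptions. Comments are kept on their own lines because ssh_config does not strip trailing comments from a directive.

```conf
# Added example (not the file from the post): SSH to the EC2 host through the Squid proxy.
# Host alias is assumed; connect with: ssh ec2-via-squid
Host ec2-via-squid
    # the EC2 server from the post
    HostName 13.228.168.169
    Port 22
    # assumed login name
    User ec2-user
    # corkscrew <proxyhost> <proxyport> <desthost> <destport> [authfile]
    # 35.174.208.142:3128 is the Squid proxy from the post
    ProxyCommand corkscrew 35.174.208.142 3128 %h %p
```

With corkscrew on the PATH of the MobaXterm shell where it was installed above, `ssh ec2-via-squid` makes ssh start corkscrew, which sends CONNECT 13.228.168.169:22 to the proxy and relays the SSH session over the resulting tunnel; on the proxy side the request appears in access.log exactly like the PuTTY attempt, so the same ACLs apply.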

References

corkscrew
