
Android: Connecting to Squid proxy with SSL bumping not working

I have a Squid proxy installed with HTTPS/SSL. When I install the generated certificate in Firefox and set the proxy, everything looks good -- that is, I can see all the HTTPS requests in the Squid log files.

However, when I install the same certificate in my Android phone (and change the proxy setting), it seems to work only in the browser. I first changed the proxy setting and pages didn't load, then I installed the certificate and all was good.

All other apps I've tried yield errors due to connection problems. I can see the CONNECT request in the Squid logs but no other requests (e.g., GET, POST). I know that some apps completely ignore the system proxy settings, but many use them.

The odd thing is that everything was working on an old Android 6.0 phone. Here the same apps were working perfectly fine using the proxy and relying on HTTPS requests. Now I have a newer Android 9.0 phone and all apps so far fail. The apps obviously use the proxy (seeing the CONNECT entries in the logs) but do not use/acknowledge the installed certificate.

I currently see the new phone or the new Android version as cause for the problem since it worked before with an older phone and Android version. How can I best track this issue down?

Android connects to specific domains to verify the connection. Add this bit to squid.conf:

# Mobile
acl google-servers dstdom_regex "/etc/squid/google.txt"
always_direct allow google-servers

Next, create the file /etc/squid/google.txt with the following content:

(^|\.)android\.clients\.google\.com$
(^|\.)ggpht\.com$
(^|\.)google\.com$
(^|\.)www\.googleapis\.com$
(^|\.)gstatic\.com$
(^|\.)gvt1\.com$
(^|\.)1e100\.net$
(^|\.)google\.co\.uk$

To activate, run:

  ./squid -k reconfigure

"Since Android 7, apps ignore user provided certificates, unless they are configured to use them. As most applications do not explicitly opt in to use user certificates [...] we need to place our CA certificate in the system certificate store"

https://docs.mitmproxy.org/stable/howto-install-system-trusted-ca-android/

However, this seems not to be easily done...
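One way to track the symptom down from the Squid side, as an added example that is not part of the original question or answers: list each client and host pair that has CONNECT entries in access.log but never a decrypted request, which is the pattern the question describes and is consistent with a client that does not accept the bumping CA. It assumes Squid's native access.log layout; the log lines are constructed sample data and the function name is hypothetical.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample in Squid's native access.log layout (assumed):
# time elapsed client result/status bytes method URL user hierarchy type
SAMPLE_LOG = """\
1700000000.101     12 192.0.2.10 NONE/200 0 CONNECT www.example.com:443 - HIER_NONE/- -
1700000000.350    240 192.0.2.10 TCP_MISS/200 5120 GET https://www.example.com/ - HIER_DIRECT/198.51.100.7 text/html
1700000001.020      9 192.0.2.20 NONE/200 0 CONNECT api.example.net:443 - HIER_NONE/- -
1700000002.500      8 192.0.2.20 NONE/200 0 CONNECT api.example.net:443 - HIER_NONE/- -
1700000003.000     11 192.0.2.20 NONE/200 0 CONNECT cdn.example.org:443 - HIER_NONE/- -
1700000003.400    180 192.0.2.20 TCP_MISS/200 900 POST https://cdn.example.org/upload - HIER_DIRECT/198.51.100.9 application/json
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>\S+)\s+(?P<size>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)"
)

def connect_only_hosts(log_text):
    """Return {(client, host): connect_count} for pairs that opened CONNECT
    tunnels but never produced a decrypted https:// request in the log."""
    connects = defaultdict(int)
    decrypted = set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip blank or non-native-format lines
        client, method, url = m["client"], m["method"], m["url"]
        if method == "CONNECT":
            # CONNECT targets are logged as host:port (IPv6 hosts in brackets)
            host = url.rsplit(":", 1)[0].strip("[]").lower()
            connects[(client, host)] += 1
        elif url.lower().startswith("https://"):
            # A logged https:// URL means the bumped TLS session was accepted
            host = urlsplit(url).hostname
            if host:
                decrypted.add((client, host))
    # Matching is by the logged host string, so a CONNECT logged by IP
    # address will not pair with a request logged by name.
    return {k: n for k, n in connects.items() if k not in decrypted}

if __name__ == "__main__":
    for (client, host), n in sorted(connect_only_hosts(SAMPLE_LOG).items()):
        print(f"{client} -> {host}: {n} CONNECT(s), no decrypted requests")
```
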
