[squid-users] SSL Bump, CA Cert

Yuri Voinov yvoinov at gmail.com
Fri Jan 30 11:17:06 UTC 2015


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
Christian,

for SSL Bump, Squid expects a self-signed *root CA* certificate together with its private key — a certificate with the CA flag set (basicConstraints CA:TRUE) — because it uses that key to sign a fresh certificate for every site it bumps. A server certificate issued by cacert.org (or any public CA) is an end-entity certificate, not a CA: it cannot sign other certificates, and in practice no public CA will issue you a subordinate CA for this purpose. The "only text loads, no pictures" symptom is consistent with the browser rejecting the certificates Squid generated for the other hosts, since they were signed with a key whose certificate is not a CA.
A CA-signed server certificate is only appropriate on a reverse proxy (https_port), where Squid presents one certificate for its own hostname. So: create your own CA, e.g. `openssl req -new -newkey rsa:2048 -sha256 -days 365 -nodes -x509 -extensions v3_ca -keyout myCA.pem -out myCA.pem`, point cert=/key= on the ssl-bump http_port at it, and import that CA (not the cacert.org roots) into the trust store of every client. Keep the CA private key readable only by the squid user: anyone who obtains it can forge a trusted certificate for any site, for every client that trusts your CA.

WBR, Yuri

On 30.01.2015 6:43, Christian Kundela wrote:
> Dear all,
>
> I have problems setting up an explicit proxy with SSL Bump. (Intercepting TCP port 80 works without problems.)
>
> If I use a self-signed certificate and install it in Firefox or IE, there is no problem.
>
> But if I instead use a CA-signed certificate -- one issued by cacert.org --
> HTTPS sites load only their text and no pictures. I have seen that symptom
> before when something was wrong with the key; is that the case here, or is it
> something else?
> (I have also installed all the cacert.org root certificates, including via
> the Firefox add-on.)
>
> The key and CSR were generated with:
> openssl genrsa -out /etc/squid/squid.key 2048
> openssl req -new -key /etc/squid/squid.key -out /etc/squid/squid.csr
>
> It was signed on the cacert.org site and the returned certificate text was
> put into /etc/squid/squid.crt. (Note that the squid.conf below points at
> /etc/squid/server.crt and server.key instead.)
>
> My question: what CA certificate does Squid expect? A wildcard (*) common
> name? For the common name I chose www.mydomain.net (that is an example; in
> the real CSR I used my real domain name).
>
> How can I trace this problem (debug), or is the certificate wrong? I am stuck here.
>
>
> Best regards
>
> Many thanks in advance
>
>
>
> Here is the squid.conf. The other changes made to the config -- the
> SquidGuard, c-icap and MS Update sections (taken from squid-cache.org) --
> all work perfectly.
> The server's IP address is 192.168.1.1/24.
>
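> ## squid.conf begin
> #
> # Recommended minimum configuration:
> #
> # Example rule allowing access from your local networks.
> # Adapt to list your (internal) IP networks from where browsing
> # should be allowed
> #acl localnet src 10.0.0.0/8            # RFC1918 possible internal network
> #acl localnet src 172.16.0.0/12         # RFC1918 possible internal network
> #acl localnet src 192.168.0.0/16        # RFC1918 possible internal network
> acl localnet src fc00::/7               # RFC 4193 local private network range
> acl localnet src fe80::/10              # RFC 4291 link-local (directly plugged) machines
> acl localnet src 192.168.1.0/24
>
> acl SSL_ports port 443
> acl Safe_ports port 80          # http
> acl Safe_ports port 21          # ftp
> acl Safe_ports port 443         # https
> acl Safe_ports port 70          # gopher
> acl Safe_ports port 210         # wais
> acl Safe_ports port 1025-65535  # unregistered ports
> acl Safe_ports port 280         # http-mgmt
> acl Safe_ports port 488         # gss-http
> acl Safe_ports port 591         # filemaker
> acl Safe_ports port 777         # multiling http
>
> # MS Update
> acl windowsupdate dstdomain windowsupdate.microsoft.com
> acl windowsupdate dstdomain .update.microsoft.com
> acl windowsupdate dstdomain download.windowsupdate.com
> acl windowsupdate dstdomain redir.metaservices.microsoft.com
> acl windowsupdate dstdomain images.metaservices.microsoft.com
> acl windowsupdate dstdomain c.microsoft.com
> acl windowsupdate dstdomain www.download.windowsupdate.com
> acl windowsupdate dstdomain wustat.windows.com
> acl windowsupdate dstdomain crl.microsoft.com
> acl windowsupdate dstdomain sls.microsoft.com
> acl windowsupdate dstdomain productactivation.one.microsoft.com
> acl windowsupdate dstdomain ntservicepack.microsoft.com
> acl windowsupdate dstdomain ctldl.windowsupdate.com
>
> acl CONNECT method CONNECT
>
> # MS Update
> acl wuCONNECT dstdomain www.update.microsoft.com
> acl wuCONNECT dstdomain sls.microsoft.com
>
> #
> # Recommended minimum Access Permission configuration:
> #
> # Deny requests to certain unsafe ports
> http_access deny !Safe_ports
>
> # Deny CONNECT to other than secure SSL ports
> http_access deny CONNECT !SSL_ports
>
> # Only allow cachemgr access from localhost
> http_access allow localhost manager
> http_access deny manager
>
> # We strongly recommend the following be uncommented to protect innocent
> # web applications running on the proxy server who think the only
> # one who can access services on "localhost" is a local user
> http_access deny to_localhost
>
> #
> # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
> #
>
> # MS Update
> http_access allow CONNECT wuCONNECT localnet
> http_access allow CONNECT wuCONNECT localhost
> http_access allow windowsupdate localnet
> http_access allow windowsupdate localhost
>
> # Example rule allowing access from your local networks.
> # Adapt localnet in the ACL section to list your (internal) IP networks
> # from where browsing should be allowed
> http_access allow localnet
> http_access allow localhost
>
> # And finally deny all other access to this proxy
> http_access deny all
>
> # SSL Bump
> always_direct allow all
> # Decrypt (bump) every CONNECT from every client. Consider adding an ACL with
> # "ssl_bump none <acl>" ahead of this line for destinations that must not be
> # intercepted (banking, certificate-pinned applications, software updaters).
> ssl_bump server-first all
> # Keep the two lines below commented out. Either one makes Squid accept any
> # upstream certificate -- expired, mismatched or forged -- while still handing
> # the browser a certificate signed by the trusted CA, so clients lose every
> # means of detecting a man-in-the-middle on the server side. They are not a
> # workaround for a wrong CA certificate.
> #sslproxy_cert_error allow all
> #sslproxy_flags DONT_VERIFY_PEER
>
> # Squid normally listens to port 3128
> http_port localhost:3128
> # SSL Bump listener (explicit proxy). cert= must be a self-signed root CA
> # certificate (basicConstraints CA:TRUE) and key= its private key; Squid uses
> # them to sign a per-host certificate for every bumped site, so every client
> # must trust this CA. A cacert.org-issued server certificate cannot sign and
> # will not work here. Protect the key file (readable by the squid user only):
> # whoever holds it can forge a trusted certificate for any site.
> # generate-host-certificates=on and dynamic_cert_mem_cache_size=4MB are the
> # documented defaults whenever ssl-bump is set; they are spelled out here so
> # the intent is explicit.
> # NOTE(review): the message text generates /etc/squid/squid.key and
> # /etc/squid/squid.crt, but this line points at server.crt / server.key --
> # confirm they are the same files. The "# TEST" remark that was glued onto
> # the key path has been moved to its own line: Squid's parser only strips a
> # "#" comment that starts a line or follows whitespace, so a fused
> # "server.key# TEST" risks being read as part of the file name.
> http_port 192.168.1.1:3130 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/server.crt key=/etc/squid/server.key
> # TEST
> # Transparent interception of port-80 traffic (requires a NAT redirect to 3129)
> http_port localhost:3129 intercept
>
> # Uncomment and adjust the following to add a disk cache directory.
> cache_dir ufs /var/squid/cache 40000 16 256
>
> # Added
> cache_mem 2 GB
>
> # Leave coredumps in the first cache dir
> coredump_dir /var/squid/cache
>
> # MS Update
> refresh_pattern -i microsoft.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip) 4320 80% 43200 reload-into-ims
> refresh_pattern -i windowsupdate.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip) 4320 80% 43200 reload-into-ims
> refresh_pattern -i windows.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip) 4320 80% 43200 reload-into-ims
>
> #
> # Add any of your own refresh_pattern entries above these.
> #
> refresh_pattern ^ftp:           1440    20%     10080
> refresh_pattern ^gopher:        1440    0%      1440
> refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
> refresh_pattern .               0       20%     4320
>
> # Added
> max_filedescriptors 1024
>
> # MS Update
> range_offset_limit 200 MB windowsupdate
> maximum_object_size 200 MB
> quick_abort_min -1
>
> # Path to the redirector program
> url_rewrite_program   /usr/local/bin/squidGuard
>
> # Number of redirector processes to spawn
> url_rewrite_children  20
>
> # To prevent loops, don't send requests from localhost to the redirector
> url_rewrite_access    deny  localhost
>
> # SquidClamav C-Icap
> icap_enable on
> icap_send_client_ip on
> icap_send_client_username on
> icap_client_username_encode off
> icap_client_username_header X-Authenticated-User
> icap_preview_enable on
> icap_preview_size 1024
> # bypass=1 marks the service optional: if c-icap is down or fails, Squid
> # passes the request/response through UNSCANNED (fail-open). Use bypass=0 if
> # the anti-virus scan is mandatory, accepting that requests fail while c-icap
> # is unavailable.
> icap_service service_req reqmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
> adaptation_access service_req allow all
> icap_service service_resp respmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
> adaptation_access service_resp allow all
> ## squid.conf end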

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
 
iQEcBAEBAgAGBQJUy2gxAAoJENNXIZxhPexGwZMIAKX1uyFzdKrjq0FJvMMsL/9d
22R06xyExxuRIdWwp4IHAhWDud1dLlnAkEckmwCYdeUQJLeue/ccf6QIwblqT8ld
PruboM2+a3vE9KNKwXVUbv9UDhE933cq34/vX+kiBFIKc4/5TMFEjO9t/yeuamKl
3vYiRM9P7763AeCYRexB2tMHw9ghItstubav6ZzY2rmkdbqP+KlsaUL5jZOULTS7
FD8y8y3MW2jWFACYjqLZQ+0qjDJU2rcjEZR/w9jGGjGT7EEFxIPzvS9lAt5jVxIh
E8FzSnBKMw0FYQVEQW6mW6gfwNOhjTxTJKFlGigkITIp3R9vQaYhBwe8lYypTcQ=
=wjv1
-----END PGP SIGNATURE-----


