[squid-users] Https_port with "official" certificate

Diogenes S. Jesus splash at gmail.com
Wed Aug 24 14:37:31 UTC 2016


This configuration here covers the use case described by the OP:
https://gist.githubusercontent.com/splashx/758ff0c59ea291f32edafc516fdaad73/raw/8050fa054821657812961050332b38a56e7e3e68/

If everything works well, you'll notice you won't support HTTP proxy at
all, but users can reach both HTTP and HTTPS target websites via your
HTTPS proxy.

# netstat -nltp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      32109/sshd
tcp6       0      0 :::80                   :::*                    LISTEN      26627/apache2
tcp6       0      0 :::3443                 :::*                    LISTEN      7303/(squid-1)
tcp6       0      0 :::22                   :::*                    LISTEN      32109/sshd


The user connects to the proxy ONLY via HTTPS Proxy on port 3443.

All traffic between the OP and the proxy is encrypted using TLS.
A) If the user enters http://target.example.com, between the proxy and the
target you'll see HTTP.
B) If the user enters https://target.example.com, between the proxy and the
target you'll see HTTPS.

If you sniff the traffic between the client and the proxy, you'll see TLS.

Tested with:

$ /Applications/Firefox\ 2.app/Contents/MacOS/firefox -v
Mozilla Firefox 48.0

Firefox set up to use PAC: Preferences > Advanced > Network > Settings:
"Automatic Proxy Configuration": http://squid.example.com/proxy.pac

The downside here of course is the limited amount of clients supporting
HTTPS Proxy settings.

Dio


On Wed, Aug 24, 2016 at 3:46 PM, Amos Jeffries <squid3 at treenet.co.nz> wrote:

> Just to rewind this conversation to the actual problem ...
>
> On 24/08/2016 11:42 p.m., Samuraiii wrote:
> > On 24.8.2016 13:18, Antony Stone wrote:
> >> Unfortunately it's not Squid that's the challenge - it's the browser.
> >>
> >> If you're using Firefox and/or Chrome, you should be okay.
> >>
> >> See "Encrypted browser-Squid connection" at the bottom of
> >> http://wiki.squid-cache.org/Features/HTTPS
> >>
> >>
> >> Antony.
> >>
> > I have seen that, it is the cause of my subscription to this list.
> > I haven't been able to find any usable hints.
> > My config attempt fails
> >
>
> <snip>
> >
> > https_port 8443 \
> >     cert=/etc/letsencrypt/live/sklad.duckdns.org/cert.pem \
> >     key=/etc/letsencrypt/live/sklad.duckdns.org/key.pem \
> >     cleintca=/etc/letsencrypt/live/sklad.duckdns.org/fullchain.pem \
> >     tls-dh=/etc/ssl/certs/dhparam.pem \
> >     sslproxy_options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE \
> >     cipher=HIGH
>
>
> As Dio mentioned the cleintca= (or rather clientca=) is for
> authenticating clients ceritficates. Don't use that unless you are
> requiring client certs in TLS.
>
> The rest of your config looks reasonable to me. I suspect you have found
> a bug introduced during all the SSL-Bump code changes. Please make a
> bugzilla report and include your exact Squid version (found with the
> 'squid -v' command), the https_port line(s) and the exact error message
> produced on startup.
>
> Amos
>
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>



-- 

--------

Diogenes S. de Jesus
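As an added example (not part of this thread and not Squid's own code), the following Python client does what the browser does against the HTTPS proxy described above: it opens a verified TLS session to the proxy, then sends an absolute-form GET for an http:// target (case A) or a CONNECT for an https:// target (case B), so a sniffer between client and proxy sees only TLS either way. The proxy name squid.example.com:3443 and target.example.com are taken from the post; the CA file argument is an assumption for proxies whose certificate is not in the system store.

```python
"""Client for an HTTPS proxy: TLS between client and proxy in both cases."""
import socket
import ssl
from urllib.parse import urlsplit

# Proxy name and port as used in the post (hypothetical hosts).
PROXY_HOST = "squid.example.com"
PROXY_PORT = 3443


def build_proxy_request(url: str) -> bytes:
    """Build the first request sent to the proxy inside the TLS session.

    Case A (http:// target): an absolute-form GET, so the proxy talks plain
    HTTP to the origin.  Case B (https:// target): a CONNECT, so the proxy
    opens a tunnel and the client then does its own TLS with the origin.
    """
    parts = urlsplit(url)
    if parts.scheme == "http":
        return (f"GET {url} HTTP/1.1\r\nHost: {parts.netloc}\r\n"
                f"Connection: close\r\n\r\n").encode()
    if parts.scheme == "https":
        authority = f"{parts.hostname}:{parts.port or 443}"
        return f"CONNECT {authority} HTTP/1.1\r\nHost: {authority}\r\n\r\n".encode()
    raise ValueError(f"unsupported scheme: {parts.scheme!r}")


def parse_status(response: bytes) -> int:
    """Return the HTTP status code from the proxy's first response line."""
    status_line = response.split(b"\r\n", 1)[0].decode("iso-8859-1")
    fields = status_line.split(" ", 2)
    if len(fields) < 2 or not fields[0].startswith("HTTP/"):
        raise ValueError(f"not an HTTP status line: {status_line!r}")
    return int(fields[1])


def proxy_status(url: str, host=PROXY_HOST, port=PROXY_PORT, cafile=None) -> int:
    """Open a verified TLS session to the proxy, send the request, return the status.

    The proxy certificate is checked against the system store (or cafile) and
    the proxy name is sent as SNI, the same checks a browser applies.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port)) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(build_proxy_request(url))
            return parse_status(tls.recv(4096))


if __name__ == "__main__":
    for target in ("http://target.example.com/", "https://target.example.com/"):
        print(target, "->", proxy_status(target))
```

For case B a 200 from the proxy only means the tunnel is open; the origin's certificate is still verified by the client's own TLS handshake through that tunnel.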