[squid-users] Trusted CA Certificate with ssl_bump

Patrick Chemla patrick.chemla at performance-managers.com
Wed Nov 16 08:11:28 UTC 2016


I have the same problem, and I need to use trusted CA certificates, so what 
is the solution?

I have a Squid 3.5.20 used for multiple domains and multiple backends, 
using both HTTP and HTTPS.

Actually, the HTTP configuration is OK, and the backends are OK with HTTPS 
and trusted certificates, verified with wget https://.....

The ACL rules are OK, sending each request to the right backend according 
to the domain.

I need to add trusted certificates for some domains. I found that I 
could do that using http_port XXX.XXX.XXX.XXX:443, where I have different 
IPs, one per certificate.

But I must say that I am really lost in all the options. I have googled for 
days, and I tried a lot of settings: ssl_bump, intercept, self-signed 
certificates, trusted certificates, .... I saw differences between old 
versions and 3.5, and I can't get any of them working.

So questions:

1/ Should I set up the Squid certificate with ONLY a self-signed one, or is 
there a way to use trusted certificates? If only self-signed, will the user 
always be forced to accept the self-signed certificate the first time? That 
is not really good for commercial sites.

2/ Should the backend cache_peer be set as ssl on port 443, or could it be 
simple HTTP on port 80 (the backends are internal VMs on the same server, 
with no external network between Squid and the backends)?

3/ Will the ACL rules work OK to send each request to the right 
backend according to the domain, even in HTTPS?

4/ Do you know of some clear and easy howtos or examples for such settings, 
from which I could learn how to do this?

Thanks for the help

On 15/11/2016 at 18:30, Yuri Voinov wrote:
> On 15.11.2016 22:28, Alex Crow wrote:
>> On 15/11/16 16:22, Yuri Voinov wrote:
>>>> You can if you have control over the clients, ie install your CA into
>>>> the browser/OS.
>>> ... and this can be illegal ;)
>> YMMV (depending on where you live/work)!
> AFAIK, spying on users without their agreement is illegal anywhere.
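An added example, not from this thread or from the Squid project, of the reverse-proxy (accelerator) configuration the questions above are circling around. In accel mode Squid terminates TLS on `https_port` with an ordinary CA-issued certificate and serves the real domain; ssl_bump is not involved at all, since it exists for forward and intercepting proxies that re-sign certificates for the client, which is what the quoted discussion about installing a CA into browsers is about. The IPs, paths, hostnames and peer names below are placeholders, and the one-IP-per-certificate layout follows the poster's own plan for Squid 3.5, which cannot pick among several certificates on a single port by SNI.

```squid
# Added example (not from the thread): Squid 3.5 reverse proxy with one
# CA-issued certificate per listening IP. All IPs, paths, hostnames and
# peer names are placeholders.

# One https_port per certificate, each bound to its own IP.
# 'accel' selects reverse-proxy mode, 'vhost' routes on the Host header,
# 'defaultsite' is used when the client sends no Host header.
# If the CA issued intermediate certificates, append them after the server
# certificate inside the cert= file so clients receive the full chain.
https_port 192.0.2.10:443 accel vhost defaultsite=www.example.com \
    cert=/etc/squid/certs/www.example.com.crt \
    key=/etc/squid/certs/www.example.com.key
https_port 192.0.2.11:443 accel vhost defaultsite=shop.example.net \
    cert=/etc/squid/certs/shop.example.net.crt \
    key=/etc/squid/certs/shop.example.net.key

# Plain HTTP for the same sites.
http_port 192.0.2.10:80 accel vhost defaultsite=www.example.com
http_port 192.0.2.11:80 accel vhost defaultsite=shop.example.net

# Backends are internal VMs on the same host, so plain HTTP on port 80
# keeps things simple. A TLS variant (Squid 3.5 'ssl' peer options, with
# the internal CA given so the backend certificate is verified) is shown
# commented out.
cache_peer 10.0.0.11 parent 80 0 no-query originserver name=backend_www
cache_peer 10.0.0.12 parent 80 0 no-query originserver name=backend_shop
# cache_peer 10.0.0.12 parent 443 0 no-query originserver name=backend_shop \
#     ssl sslcafile=/etc/squid/certs/internal-ca.crt ssldomain=shop.internal

# Route by requested domain. This works for HTTPS exactly as for HTTP,
# because the decision is made on the decrypted request after Squid has
# terminated TLS on the https_port above.
acl site_www  dstdomain www.example.com
acl site_shop dstdomain shop.example.net
cache_peer_access backend_www  allow site_www
cache_peer_access backend_www  deny  all
cache_peer_access backend_shop allow site_shop
cache_peer_access backend_shop deny  all

# Serve only the sites we front, so the listener cannot be used as an open
# forward proxy, and never let Squid fetch an origin directly.
http_access allow site_www
http_access allow site_shop
http_access deny all
never_direct allow all
```

After loading this, `squid -k parse` reports syntax problems, and `openssl s_client -connect 192.0.2.10:443 -servername www.example.com` should show the CA-issued chain without any browser warning, which answers the self-signed concern in question 1 as far as the reverse-proxy case goes.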
