[squid-users] Squid Version 3.5.20

Eliezer Croitoru eliezer at ngtech.co.il
Wed Jul 19 17:40:01 UTC 2017 

Hey,

I have not published the RHEL packages on the squid-cache wiki at:
http://wiki.squid-cache.org/KnowledgeBase/RedHat

And will try to add the details there in the next days.
You can try to use the RHEL which is similar to the centos and on the same
server which is mentioned in this page:
http://wiki.squid-cache.org/KnowledgeBase/CentOS#Squid-3.5

But replace the centos with rhel ie:
baseurl=http://www1.ngtech.co.il/repo/rhel/$releasever/$basearch/

There is an up-to-date 3.5.26 package which you should try to use in any
case.
I don’t know why you encounter this issue but it is a good time to know that
there is an up-to-date squid rpm for RHEL 7.

All The Bests,
Eliezer

----
http://ngtech.co.il/lmgtfy/
Linux System Administrator
Mobile: +972-5-28704261
Email: eliezer at ngtech.co.il


From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On
Behalf Of Cherukuri, Naresh
Sent: Wednesday, July 19, 2017 16:46
To: squid-users at lists.squid-cache.org
Subject: Re: [squid-users] Squid Version 3.5.20

Hi All,

I installed Squid version 3.5.20 on RHEL 7 and generated self-signed CA
certificates,  My users are complaining about certificate errors. When I
looked at cache.log I see so many error messages like below. Below is my
squid.conf file. Any ideas how to address below errors.

Squid.conf:

max_filedesc 4096
visible_hostname pctysqd2prod
logfile_rotate 10

access_log stdio:/var/log/squid/access.log squid

acl localnet src 172.16.0.0/16
acl backoffice_users src 10.136.0.0/13
acl hcity_backoffice_users src 10.142.0.0/15
acl register_users src 10.128.0.0/13
acl hcity_register_users src 10.134.0.0/15
acl partycity url_regex partycity

acl SSL_ports port 443
acl Safe_ports port 80          # http
#acl Safe_ports port 21         # ftp
acl Safe_ports port 443         # https
#acl Safe_ports port 70         # gopher
#acl Safe_ports port 210                # wais
#acl Safe_ports port 1025-65535 # unregistered ports
#acl Safe_ports port 280                # http-mgmt
#acl Safe_ports port 488                # gss-http
#acl Safe_ports port 591                # filemaker
#acl Safe_ports port 777                # multiling http
acl CONNECT method CONNECT
#acl allowed_sites {dst|dstdomain|dstdom_regex|url_regex) "/path/to/file"
acl backoffice_allowed_sites url_regex "/etc/squid/backoffice_allowed_sites"
acl hcity_backoffice_allowed_sites url_regex
"/etc/squid/backoffice_allowed_sites"
acl backoffice_blocked_sites url_regex "/etc/squid/backoffice_blocklist"
acl hcity_backoffice_blocked_sites url_regex
"/etc/squid/backoffice_blocklist"
acl register_allowed_sites url_regex "/etc/squid/register_allowed_sites"
acl hcity_register_allowed_sites url_regex
"/etc/squid/hcity_register_allowed_sites"

http_access allow localnet register_allowed_sites
http_access deny backoffice_users backoffice_blocked_sites
http_access deny hcity_backoffice_users backoffice_blocked_sites
http_access allow backoffice_users backoffice_allowed_sites
http_access allow hcity_backoffice_users backoffice_allowed_sites
http_access allow register_users register_allowed_sites
http_access allow hcity_register_users hcity_register_allowed_sites
no_cache deny partycity
http_access deny all

#http_access allow manager localhost
#http_access deny manager

# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
#http_access deny CONNECT !SSL_ports
http_access  allow CONNECT SSL_ports
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
http_access deny to_localhost


# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
#http_access allow localnet
http_access allow localhost

# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128
http_port 3128 ssl-bump \
key=/etc/squid/pctysquid2sslcerts/pctysquid2prod.pkey \
cert=/etc/squid/pctysquid2sslcerts/pctysquid2prod.crt \
generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all

sslproxy_cert_error allow all
always_direct allow all
sslproxy_flags DONT_VERIFY_PEER

sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
sslcrtd_children 8 startup=1 idle=1

# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /cache/squid 10000 16 256

# Leave coredumps in the first cache dir
#rdescoredump_dir /var/spool/squid
coredump_dir /var/log/squid/squid

# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320

#url_rewrite_access allow all
#url_rewrite_program /usr/bin/squidGuard -c /etc/squid/squidguard.conf

Cache.log

2017/07/18 16:05:34 kid1| Error negotiating SSL connection on FD 689:
error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
(1/0)
2017/07/18 16:05:34 kid1| Error negotiating SSL connection on FD 1114:
error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
(1/0)
2017/07/18 16:05:37 kid1| Error negotiating SSL connection on FD 146:
error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
(1/0)
2017/07/18 16:05:41 kid1| Error negotiating SSL connection on FD 252:
error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
(1/0)
2017/07/18 16:05:41 kid1| Error negotiating SSL connection on FD 36:
error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
(1/0)

More information about the squid-users mailing list