[squid-users] Help troubleshooting proxy<-->client https
Masha Lifshin
mlifshin at phantomdesign.com
Wed May 31 20:42:53 UTC 2017
Dear Alex,
Thank you very much for your helpful reply.
I have a follow up question. What I am trying to achieve is an https
connection between the client and squid proxy, as well as listen on port 80
for http traffic, on port 443 for ssl traffic, and apply ssl-bump to the
ssl traffic. I am having trouble expressing this in my config. Would the
http_port and https_port directives need to look like this?
http_port <ip_address>: <http://172.30.0.67:443/>80 ssl-bump
cert=/path/to/some.cert.pem generate-host-certificates=on
dynamic_cert_mem_cache_size=4MB tls-dh=/usr/local/squid/etc/dhparam.pem
https_port <ip_address>:443 <http://172.30.0.67:443/>
cert=/path/to/other.cert.pem
cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+
SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+
SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!
LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
Also wondering what, if any, are the security issues with using port 80 for
the http traffic?
Thank you,
-Masha
On Fri, May 26, 2017 at 7:19 AM, Alex Rousskov <
rousskov at measurement-factory.com> wrote:
> On 05/26/2017 12:00 AM, Masha Lifshin wrote:
> > I have added an https_port directive
> > to squid.conf, but it must be misconfigured.
>
> > http_port 172.30.0.67:443 ...
> > https_port 172.30.0.67:443 ...
>
> You are right -- your Squid is misconfigured. You cannot use the same
> address for two ports. Unfortunately, Squid thinks that port binding
> errors are a minor inconvenience and continues running after logging an
> error message (that looks like many other benign error messages).
>
> Changing one of the ports will solve the "same address" problem
> described above.
>
> Do not use port 443 for http_port. It makes triage extremely confusing
> because port 443 usually implies SSL. Consider using port 3128 instead.
>
>
> HTH,
>
> Alex.
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20170531/7a3b3f2e/attachment.html>
More information about the squid-users
mailing list