[squid-users] SSL Bump for regex URL comparison

Joe Foster joe.e.foster at googlemail.com
Thu Nov 16 08:21:42 UTC 2017


Hello Amos,

The problem is the connections are not getting through. It just acts like
there is no WiFi connection.

Adding the cert db every start up isn’t an issue.

I was thinking of having a small cert cache locally instead thinking about
it since.

The connections just aren’t being made. No ssl warning.

Thank you

Joe


On Thu, 16 Nov 2017 at 08:15, Amos Jeffries <squid3 at treenet.co.nz> wrote:

> On 16/11/17 02:32, Joe Foster wrote:
> > Good afternoon,
> >
> > I have a small router onto which I have installed Squid.
> >
> > I am trying to filter HTTPS urls for bad words on a blocked list.
> >
> > It will require the client on the safe side of the router to install the
> > certificate, this isn't an issue as it's an open process and not an
> > illegal MITM attack.
> >
> > Below is my squid.conf
> >
> > As you will see I have been playing around with where to put the code
> > and what code to put in.
> >
> > I only have a small amount of flash drive so I have put the auto-gen
> > cert directory in /tmp/. I am aware this is volatile memory but until I
> > have a better solution I will be doing this.
>
> Since /tmp is subject to random deletion of content you will need to
> make sure you always shutdown Squid and re-run the ssl_crtd (etc.)
> create command to re-generate the cert DB structures whenever the device
> erases its /tmp content. Otherwise your proxy will crash and/or client
> connections will start being terminated with strange looking errors.
>
>
> IMO you would probably be better off setting the cert DB to a very small
> size suitable for your limited space - or disabling it entirely [more on
> that below].
>
> >
> > I have put a firewall rule in to forward 443 to 3128.
> >
> > https://wiki.squid-cache.org/Features/SslBump
> > https://wiki.squid-cache.org/SquidFaq/SquidAcl
> >
> > I also don't want to cache due to flash drive issues. Is this possible?
> >
>
>  From the documentation of the SSL-Bump settings:
>   <http://www.squid-cache.org/Doc/config/http_port/>
> "
>    dynamic_cert_mem_cache_size=SIZE
>      Approximate total RAM size spent on cached generated
>      certificates. If set to zero, caching is disabled. The
>      default value is 4MB.
> "
>
> > It's the same cert in /root/ and /certs/ before anyone points it out.
> >
> > Nothing has been appearing in the log files either but this is no
> > surprise.
> >
> > Been up till 1am last few nights on this so your assistance is very
> > appreciated.
>
> That sounds like you are having a problem. But I don't see any mention
> of what that is exactly.
>
> Amos
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>
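
An added example, not part of the original thread: one way to handle the /tmp caveat Amos describes is to check the certificate DB before Squid starts and recreate it when the device has erased it. The helper path /usr/lib/squid/ssl_crtd, the DB path /tmp/ssl_db and the function names are assumptions.

```shell
#!/bin/sh
# Added example: recreate the SSL-Bump certificate DB when /tmp has been wiped.
# Assumed paths; adjust to the install. The helper is named
# security_file_certgen in Squid 4 and later.
SSL_DB="${SSL_DB:-/tmp/ssl_db}"
SSL_CRTD="${SSL_CRTD:-/usr/lib/squid/ssl_crtd}"

# True when the layout written by "ssl_crtd -c" is still complete.
cert_db_ok() {
    [ -d "$1/certs" ] && [ -f "$1/index.txt" ] && [ -f "$1/size" ]
}

# Prints ok | recreated | failed | refused. Call before Squid starts, as the
# user Squid runs its helpers as, so the helper can write to the DB.
ensure_cert_db() {
    db="$1"
    case "$db" in
        ""|/) echo refused; return 2 ;;   # never rm -rf an empty path or /
    esac
    if cert_db_ok "$db"; then
        echo ok
        return 0
    fi
    # Clear any partly erased leftovers so -c starts from an empty path.
    rm -rf "$db"
    if "$SSL_CRTD" -c -s "$db" >/dev/null 2>&1 && cert_db_ok "$db"; then
        echo recreated
        return 0
    fi
    echo failed
    return 1
}
```

In an init script this would be called as `ensure_cert_db "$SSL_DB" || exit 1` on the line before Squid is started.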