[squid-users] squid 3.5.27 . https website

G~D~Lunatic 747620227 at qq.com
Fri Nov 17 02:32:54 UTC 2017


I use squid 3.5.27 as a transparent proxy. Through the proxy, I access some https websites like www.hupu.com, but the webpage does not show correctly. There are similar websites, such as https://www.zhihu.com and https://www.jd.com/. So I want to know where the problem is or how to deal with it.

The webpage shows a message like: "s1.hdslb.com used an invalid security certificate. This certificate is valid for the following domain names only: *.zhaopin.com, *.zhaopin.cn, *.dpfile.com, *.cdn.myqcloud.com, *.sogoucdn. SSL error code: SSL_ERROR_BAD_CERT_DOMAIN"


how can i send a screenshot to explain?

Here is my configuration:
# Squid 3.5 configuration as posted: a forward-proxy port (3120), an
# intercept port for plain HTTP (3128) and an intercepting SSL-Bump port
# (3129). Directives are unchanged; NOTE(review) comments mark settings a
# reviewer would question.
#
# Recommended minimum configuration:
#

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

#
# Recommended minimum Access Permission configuration:
#
# http_access rules are evaluated top to bottom and the first match decides.
#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager
# NOTE(review): "allow all" matches every remaining request, so the
# localnet/localhost rules further down are never reached and any client that
# can reach ports 3120/3128/3129 may use the proxy. Dropping this line and
# ending the list with "http_access deny all" restricts use to localnet.
http_access allow all

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost
# NOTE(review): NCACHE matches every GET, so this denies caching of all GET
# responses; "no_cache" is the older name of the "cache" directive.
acl NCACHE method GET
no_cache deny NCACHE

# And finally deny all other access to this proxy
# NOTE(review): the "http_access deny all" line this comment announces is
# absent from the posted configuration.
request_header_access Via deny all #hide squid header
request_header_access X-Forwarded-For deny all #hide squid header
#request_timeout 2 minutes #client request timeout

# Squid normally listens to port 3128
http_port 3120

http_port 3128 intercept

# Intercepting SSL-Bump port. cert= and key= name the same file, so myCA.pem
# holds the signing CA's private key; it should be readable only by the
# account Squid runs as.
https_port 192.168.51.115:3129 intercept ssl-bump connection-auth=off generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/ssl_cert/myCA.pem key=/usr/local/squid/ssl_cert/myCA.pem
always_direct allow all
# NOTE(review): ssl_bump rules are first-match. "server-first all" matches
# every connection, so the peek/splice rules below it are never applied, and
# the Squid documentation advises against mixing the legacy server-first
# action with peek/splice/bump.
# NOTE(review): presumably related to the reported SSL_ERROR_BAD_CERT_DOMAIN:
# with server-first on an intercepted connection Squid contacts the server
# before reading the client's TLS hello, so a shared CDN address may answer
# with a certificate for other domains, which Squid then mimics -- TODO confirm.
ssl_bump server-first all
acl ssl_step1 at_step SslBump1
acl ssl_step2 at_step SslBump2
acl ssl_step3 at_step SslBump3
ssl_bump peek ssl_step1
ssl_bump splice all

sslproxy_version 0
# NOTE(review): the next two lines switch off validation of origin-server
# certificates. On bumped connections the client only sees the certificate
# Squid generates, so an invalid or substituted upstream certificate would go
# unnoticed. Remove both so Squid verifies servers against its trusted CAs.
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER

# Helper that generates the per-host certificates, with its certificate
# database directory (-s) and size limit (-M).
sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s /usr/local/squid/lib/ssl_db -M 4MB
sslcrtd_children 8 startup=1 idle=1

#Uncomment and adjust the following to add a disk cache directory.
cache_dir ufs /usr/local/squid/var/cache/squid 4096 16 256
minimum_object_size 0 KB
maximum_object_size 4096 KB
# NOTE(review): ipcache_size and fqdncache_size are documented as a number of
# entries, not a byte size -- confirm how "1024 MB" is parsed here.
ipcache_size 1024 MB
ipcache_low 70
ipcache_high 95
fqdncache_size 1024 MB
cache_mem 1024 MB
cache_swap_low 90
cache_swap_high 95


# Leave coredumps in the first cache dir
coredump_dir /usr/local/squid/var/cache/squid