[squid-users] About to upgrade from 3 to 4

Amos Jeffries squid3 at treenet.co.nz
Sun Jun 10 07:55:41 UTC 2018


On 10/06/18 02:23, James Lay wrote:
> On Sat, 2018-06-09 at 07:17 -0600, James Lay wrote:
>> On Sun, 2018-06-10 at 01:13 +1200, Amos Jeffries wrote:
>>> On 10/06/18 01:02, James Lay wrote:
>>>
>>> So in my config file I have:
>>>
>>> sslcrtd_program /opt/libexec/ssl_crtd -s /opt/var/ssl_db -M 4MB
>>>
>>> However I do not see this after compiling and installing. Has this gone
>>> away in 4? Thank you.
>>>
>>> James
>>>
>>>
>>> It's now called security_file_certgen.
>>>
>>> <http://www.squid-cache.org/Versions/v4/squid-4.0.24-RELEASENOTES.html#ss2.4>
>>>
>>> Amos
>>>
>>
>> Thanks Amos...I'll read this before asking anymore questions ☺
>>
>>
> 
> So ok...after making the changes to the config to account for new
> security_file_certgen and tls_outgoing_options (thanks Amos!) I am
> greeted with (hostname changed from real):
> 
> FATAL: mimeLoadIcon: cannot parse internal URL:
> http://<hostname>:0/squid-internal-static/icons/silk/image.png
> 

There should be an error about no forward-proxy port as well. Squid
requires at least one port able to receive requests for those URLs from
clients. Port 3128 is normally that port, but you have repurposed it for
interception, which disqualifies it.

The hostname in these URLs is taken from that port's IP address
reverse-DNS name, or the proxy's public/visible hostname, whichever
meets the requirement of being resolvable in DNS.


> Here's my config line:
> 
> ./configure --prefix=/opt/squid --with-openssl=/opt/libressl
> --sysconfdir=/opt/squid/etc --enable-ssl --enable-ssl-crtd
> --enable-linux-netfilter --enable-follow-x-forwarded-for
> --with-large-files --enable-xternal-acl-helpers=none

Missing 'e' on --enable-external-acl-helpers.

...
> 
> sslproxy_cert_error allow all
> tls_outgoing_options capath=/etc/ssl/certs flags=DONT_VERIFY_PEER

Please avoid DONT_VERIFY_PEER and "allow all" for cert errors. They are
useless for both production AND debugging since all they do is hide
security issues from *you*.

It is best to watch for security issues and fix them, not just ignore
everything.

Amos


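A squid.conf fragment for Squid 4 that puts the three points from this thread together (a plain forward-proxy port for the internal URLs, a resolvable hostname, and the cert-error/peer-verification settings with the weak form beside the corrected one). This is an added example, not config from the thread or the Squid project; the port numbers, CA file, hostname and helper path are assumptions, the helper path following the quoted --prefix=/opt/squid.

```conf
# Added example, not from the thread. Paths, ports and hostname are assumed.

# 1. Keep one plain forward-proxy port. Internal URLs such as
#    /squid-internal-static/icons/... are served through it; a port marked
#    'intercept' cannot serve them, hence the mimeLoadIcon FATAL.
http_port 3128
http_port 3129 intercept
https_port 3130 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB tls-cert=/opt/squid/etc/proxy-ca.pem

# 2. Give Squid a hostname that resolves in DNS, so internal URLs are not
#    built as http://<hostname>:0/...
visible_hostname proxy.example.internal   # assumed name

# Squid 4 renamed ssl_crtd to security_file_certgen (path assumed).
sslcrtd_program /opt/squid/libexec/security_file_certgen -s /opt/squid/var/ssl_db -M 4MB

# Minimal bump rules so the generated certificates are actually used.
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all

# 3. Weak settings from the quoted config, kept here only for contrast:
#    they hide every upstream certificate problem (expired, wrong name,
#    untrusted CA) from the administrator, in production and in debugging.
#tls_outgoing_options capath=/etc/ssl/certs flags=DONT_VERIFY_PEER
#sslproxy_cert_error allow all

# Corrected: verify upstream certificates against the system CA store and
# deny on error, so a bad upstream certificate yields an error page and a
# cache.log entry you can investigate and fix.
tls_outgoing_options capath=/etc/ssl/certs
sslproxy_cert_error deny all

# If one specific internal server genuinely needs an exception, scope it to
# that name rather than allowing all (acl name and domain are assumed):
#acl legacy_internal ssl::server_name .legacy.example.internal
#sslproxy_cert_error allow legacy_internal
```

Run `squid -k parse` after editing to confirm the file parses before reloading; with the corrected settings, a certificate failure on an upstream site shows up in cache.log instead of silently passing.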