[squid-users] About to upgrade from 3 to 4

James Lay jlay at slave-tothe-box.net
Sun Jun 10 10:08:32 UTC 2018


On Sun, 2018-06-10 at 19:55 +1200, Amos Jeffries wrote:
> On 10/06/18 02:23, James Lay wrote:
> On Sat, 2018-06-09 at 07:17 -0600, James Lay wrote:
> On Sun, 2018-06-10 at 01:13 +1200, Amos Jeffries wrote:
> On 10/06/18 01:02, James Lay wrote:
> So in my config file I have:
> sslcrtd_program /opt/libexec/ssl_crtd -s /opt/var/ssl_db -M 4MB
> However I do not see this after compiling and installing. Has this
> gone away in 4? Thank you.
> James
> 
> It's now called security_file_certgen.
> <http://www.squid-cache.org/Versions/v4/squid-4.0.24-RELEASENOTES.html#ss2.4>
> Amos
> 
> Thanks Amos...I'll read this before asking anymore questions ☺
> 
> 
> So ok...after making the changes to the config to account for
> new security_file_certgen and tls_outgoing_options (thanks Amos!) I
> am greeted with (hostname changed from real):
> FATAL: mimeLoadIcon: cannot parse internal URL:http://<hostname>:0/squid-internal-static/icons/silk/image.png
> 
> There should be an error about no forward-proxy port as well.
> Squid requires at least one port able to receive requests for those
> URLs from clients. Port 3128 is normally that port, but you have
> repurposed it for interception, which disqualifies it.
> The hostname in these URLs is taken from that port's IP
> address reverse-DNS name, or the proxy's public/visible hostname.
> Whichever meets the requirement of being resolvable in DNS.
> 
> Here's my config line:
> ./configure --prefix=/opt/squid --with-openssl=/opt/libressl
> --sysconfdir=/opt/squid/etc --enable-ssl --enable-ssl-crtd
> --enable-linux-netfilter --enable-follow-x-forwarded-for
> --with-large-files --enable-xternal-acl-helpers=none
> Missing 'e' on --enable-external-acl-helpers.
> ...
> 
> sslproxy_cert_error allow all
> tls_outgoing_options capath=/etc/ssl/certs flags=DONT_VERIFY_PEER
> Please avoid DONT_VERIFY_PEER and "allow all" for cert errors. They
> are useless for both production AND debugging since all they do is
> hide security issues from *you*.
> It is best to watch for security issues and fix them. Not just
> ignore everything.
> Amos

Thanks Amos...your insight always helps.  You were right on point...I
did have the no forward proxy error.  After adding an additional
http_port squid came right up...thanks again.

James
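
The three points from this thread (the renamed certificate helper, the missing forward-proxy port, and the disabled certificate checks) can be checked mechanically before an upgrade. The script below is an added example, not part of the original thread or of Squid; the sample config is constructed from the directives quoted above, and treating `intercept`/`tproxy` as the keywords that mark an interception-only port is an assumption of the example.

```python
# Added example: squid.conf checks for the three issues raised in this thread.
# Assumption: these http_port mode keywords mark a port as interception-only.
INTERCEPT_MODES = {"intercept", "tproxy"}

# Constructed sample built from the directives quoted in the thread; the
# http_port line is an assumed form of the interception port described.
SAMPLE = """\
http_port 3128 intercept
sslcrtd_program /opt/libexec/ssl_crtd -s /opt/var/ssl_db -M 4MB
sslproxy_cert_error allow all
tls_outgoing_options capath=/etc/ssl/certs flags=DONT_VERIFY_PEER
"""


def lint_squid_conf(text):
    """Return (line_number, message) findings; line 0 means whole-file."""
    findings = []
    forward_port = False
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        directive, *args = line.split()
        if directive == "http_port":
            # A port with no interception keyword can take forward-proxy requests.
            forward_port = forward_port or not (INTERCEPT_MODES & set(args))
        elif directive == "sslcrtd_program" and args:
            if args[0].rsplit("/", 1)[-1] == "ssl_crtd":
                findings.append((no, "ssl_crtd helper is now security_file_certgen"))
        elif directive == "sslproxy_cert_error" and args[:2] == ["allow", "all"]:
            findings.append((no, "'allow all' hides every certificate error"))
        elif directive == "tls_outgoing_options":
            for arg in args:
                key, _, value = arg.partition("=")
                flags = value.replace(":", ",").split(",")
                if key == "flags" and "DONT_VERIFY_PEER" in flags:
                    findings.append((no, "DONT_VERIFY_PEER disables peer verification"))
    if not forward_port:
        findings.append((0, "no forward-proxy http_port for internal URLs"))
    return findings


if __name__ == "__main__":
    for no, message in lint_squid_conf(SAMPLE):
        print(f"line {no}: {message}")
```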