[squid-users] can't download Microsoft cert file

Amos Jeffries squid3 at treenet.co.nz
Sat Dec 14 22:35:18 UTC 2019

On 15/12/19 4:21 am, robert k Wild wrote:
> so this is my config file -
> #
> # Recommended minimum configuration:
> #
> #SSL
> http_port 3128 ssl-bump \
> cert=/usr/local/squid/etc/ssl_cert/myCA.pem \
> generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

> sslcrtd_program /usr/local/squid/libexec/security_file_certgen -s
> /var/lib/ssl_db -M 4MB

> acl step1 at_step SslBump1
> ssl_bump peek step1
> ssl_bump bump all

(elided default localnet and port ACL definitions)

> #
> # Recommended minimum Access Permission configuration:
> #
> # Deny requests to certain unsafe ports
> http_access deny !Safe_ports
> # Deny CONNECT to other than secure SSL ports
> http_access deny CONNECT !SSL_ports
> # Only allow cachemgr access from localhost
> http_access allow localhost manager
> http_access deny manager
> # We strongly recommend the following be uncommented to protect innocent
> # web applications running on the proxy server who think the only
> # one who can access services on "localhost" is a local user
> #http_access deny to_localhost
> #
> #

  ^^^ HINT.

> # Example rule allowing access from your local networks.
> # Adapt localnet in the ACL section to list your (internal) IP networks
> # from where browsing should be allowed
> http_access allow localnet
> http_access allow localhost
> # Squid normally listens to port 3128
> http_port 3128

This is the second port 3128 config, and it does not match the earlier one.

> As you can see I have removed the whitelist/mime config lines,
> but when I come to activating Office it just can't get online to do it
> via the client app installed on my PC.

If that is still happening with this default config I would be starting
to suspect things outside of Squid, like firewall or routing rules, or the
client app not supporting proxies properly - stuff like that.

Though 403 in the proxy log does indicate an explicitly forbidden
action. The way you truncated the log line cut away most of the useful
info that points at where to focus the troubleshooting efforts.

> But internet isn't blocked as I can go to any website.

Do you want it to work with the whitelisting ACL you mentioned?

If yes, then you do need to show at least the http_access directives
using it and the exact entry you added for the microsoft.com domain(s).

Same for the "mime" config lines you mention, but for those any part of
it could be relevant so we will need to see the whole of that stuff.

You have omitted the default "http_access deny all" which should be the
last http_access line in your config. Not a problem in the config as
shown, but if you have other rules they can change the implicit default
into a bad situation very easily.
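The three config points raised above (port 3128 declared twice with different options, the to_localhost deny left commented out, and no trailing "http_access deny all") can be checked mechanically. The script below is an added example, not part of this thread or a Squid tool; SAMPLE_CONF is constructed from the quoted config, and lint_squid_conf is a hypothetical helper.

```python
import re
from typing import Dict, List
# Constructed sample squid.conf reproducing the three issues raised in the
# reply: http_port 3128 declared twice with different options, the
# to_localhost deny left commented out, and no final "http_access deny all".
SAMPLE_CONF = """\
http_port 3128 ssl-bump \\
  cert=/usr/local/squid/etc/ssl_cert/myCA.pem \\
  generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
#http_access deny to_localhost
http_access allow localnet
http_access allow localhost
http_port 3128
"""

def parse_directives(text: str) -> List[List[str]]:
    # Join backslash-continued lines, drop comments and blanks, tokenise.
    joined = re.sub(r"\\\n\s*", " ", text)
    lines = (ln.strip() for ln in joined.splitlines())
    return [ln.split() for ln in lines if ln and not ln.startswith("#")]

def lint_squid_conf(text: str) -> List[str]:
    findings = []
    directives = parse_directives(text)
    # 1. Same listening port declared more than once with differing options.
    ports: Dict[str, List[str]] = {}
    for d in directives:
        if d[0] == "http_port" and len(d) > 1:
            ports.setdefault(d[1], []).append(" ".join(d[2:]))
    for port, opts in ports.items():
        if len(set(opts)) > 1:
            findings.append(f"http_port {port} declared {len(opts)} times with different options")
    # 2. The last http_access line should be the explicit catch-all deny.
    access = [d[1:] for d in directives if d[0] == "http_access"]
    if not access or access[-1] != ["deny", "all"]:
        findings.append('final http_access is not "deny all"')
    # 3. to_localhost protection present only as a comment.
    commented = re.search(r"^\s*#\s*http_access\s+deny\s+to_localhost", text, re.M)
    if commented and ["deny", "to_localhost"] not in access:
        findings.append("http_access deny to_localhost is commented out")
    return findings

if __name__ == "__main__":
    for finding in lint_squid_conf(SAMPLE_CONF):
        print(finding)
```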
