[squid-users] Help with transparent whitelisting proxy on Squid 4.4
Amos Jeffries
squid3 at treenet.co.nz
Tue Jun 25 09:04:32 UTC 2019
On 25/06/19 1:24 pm, Jared Fox wrote:
> Hi Squid-Users
>
> I need your help!
>
> So I have been using Squid 3.5.20 (installed on Amazon Linux 2)
> and it's acting as a transparent SSL proxy with a whitelist of allowed
> addresses. I want to avoid running a mitm proxy and having to add CA
> certs to all services/containers etc. Traffic is routed to the squid
> instance via a route-table to Interface.
>
> " Issue 1 - upgrade from 3.5.20 to 4.4.4 (squid-4.4-4.amzn2.0.4.x86_64) "
>
> - So my working config below does not work with 4.x but it kind of
> does for 3.5.x and it appears that I require the squid-helper package
> which doesn't exist for Amazon Linux.
You will have to contact whoever created the package for that.
You should be able to run the v3.5 helpers with a later Squid - but will
of course not gain any improvements that have been made in the later
version helpers.
> - When starting squid it tries to create an SSL database via
> security_file_certgen, but this shouldn't be needed as I'm providing a
> self-signed cert that doesn't get used in transparent mode but is a
> hard dependency in 3.5.
That is a bug, a side effect of the helper being started even when not
needed. As a workaround it should be sufficient to create the DB for the
helper and leave it unused.
>
> " Errors produced: "
>
> (security_file_certgen)2019/06/25 00:37:57 kid1| ERROR: No
> forward-proxy ports configured.
> 2019/06/25 00:37:57 kid1| ERROR: No forward-proxy ports configured.
That is correct. You only have one port (9091) - which is an intercept port.
At least one forward-proxy port is needed for a fully functional proxy.
3128 is the official one for that.
> 2019/06/25 00:37:57 kid1| storeDirWriteCleanLogs: Starting...
> : Uninitialized SSL certificate database directory:
> /var/spool/squid/ssl_db. To initialize, run "security_file_certgen -c
> -s /var/spool/squid/ssl_db".
> 2019/06/25 00:37:57 kid1| Finished. Wrote 0 entries.
> 2019/06/25 00:37:57 kid1| Took 0.00 seconds ( 0.00 entries/sec).
> 2019/06/25 00:37:57 kid1| FATAL: mimeLoadIcon: cannot parse internal
> URL: http://ip-10-0-60-70.ec2.internal:0/squid-internal-static/icons/silk/image.png
Side effect of not having a forward-proxy port is that all URLs for
things clients require fetching from Squid are invalid.
Amos
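A squid.conf fragment in the shape this thread describes: one forward-proxy port alongside the intercept port, peek/splice whitelisting on SNI with no MITM, and the certificate DB initialised only so the helper stops complaining. This is an added example, not Jared's config and not anything from the Squid project; the helper path, certificate paths, client subnet and whitelisted domains are assumptions.

```conf
# Forward-proxy port. Squid needs at least one even if no client is ever
# pointed at it; without it the internal URLs (icons, error pages) that
# mimeLoadIcon builds have port 0 and Squid refuses to start.
http_port 3128

# Intercepted TLS traffic arrives here (route table / NAT redirect on the
# instance). The cert is mandatory for the directive but is never shown to
# a client, because every connection is either spliced or terminated below.
# (paths are assumed)
https_port 9091 intercept ssl-bump \
    tls-cert=/etc/squid/selfsigned.pem \
    tls-key=/etc/squid/selfsigned.key \
    generate-host-certificates=off

# Workaround for the helper being launched even when unused: point it at a
# DB that was created once with
#   /usr/lib64/squid/security_file_certgen -c -s /var/spool/squid/ssl_db -M 4MB
# (helper path assumed; RPM builds commonly install it under /usr/lib64/squid)
sslcrtd_program /usr/lib64/squid/security_file_certgen -s /var/spool/squid/ssl_db -M 4MB

# Who may reach the proxy at all (subnet assumed).
acl localnet src 10.0.0.0/8
http_access allow localnet
http_access deny all

# Whitelist by TLS SNI. Leading dot matches the domain and its subdomains
# (domains assumed; replace with the real allow list).
acl allowed_sni ssl::server_name .example.net .example.org

# Step 1 only sees the intercepted IP, so peek there to read the SNI,
# then splice whitelisted names unmodified and drop everything else.
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump splice allowed_sni
ssl_bump terminate all
```

Non-whitelisted connections are closed at the TLS handshake rather than decrypted, so no CA has to be installed on the services or containers behind the proxy.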