[squid-users] Help with transparent whitelisting proxy on Squid 4.4

Jared Fox jared.fox at practiv.com
Tue Jun 25 20:55:07 UTC 2019


Thank you Amos

I will update the Squid config and give Squid-helpers 3.5 a go today
and let you know.

Do you have any idea why only some TLS 1.2 connections would work with
the whitelisting?

Thanks
Jared
DevOps Architect - Practiv

On Tue, Jun 25, 2019 at 9:04 PM Amos Jeffries <squid3 at treenet.co.nz> wrote:
>
> On 25/06/19 1:24 pm, Jared Fox wrote:
> > Hi Squid-Users
> >
> > I need your help!
> >
> > So I have been using Squid 3.5.20 (installed on Amazon Linux 2)
> > and it's acting as a transparent SSL proxy with a whitelist of allowed
> > addresses. I want to avoid running a MITM proxy and having to add CA
> > certs to all services/containers etc. Traffic is routed to the Squid
> > instance via a route table to the interface.
> >
> > " Issue 1 - upgrade from 3.5.20 to 4.4.4 (squid-4.4-4.amzn2.0.4.x86_64) "
> >
> > - So my working config below does not work with 4.x but it kind of
> > does for 3.5.x, and it appears that I require the squid-helper package,
> > which doesn't exist for Amazon Linux.
>
> You will have to contact whoever created the package for that.
>
> You should be able to run the v3.5 helpers with a later Squid - but will
> of course not gain any improvements that have been made in the later
> version helpers.
>
>
> > - When starting Squid it tries to create an SSL database via
> > security_file_certgen, but this shouldn't be needed as I'm providing a
> > self-signed cert that doesn't get used in transparent mode but is a
> > hard dependency in 3.5.
>
> That is a bug, side effect of the helper being started even when not
> needed. As a workaround it should be sufficient to create the DB for the
> helper and leave it not being used.
>
> >
> > " Errors produced: "
> >
> > (security_file_certgen)2019/06/25 00:37:57 kid1| ERROR: No
> > forward-proxy ports configured.
> > 2019/06/25 00:37:57 kid1| ERROR: No forward-proxy ports configured.
>
> That is correct. You only have one port (9091) - which is an intercept port.
>
> At least one forward-proxy port is needed for a fully functional proxy.
> 3128 is the official one for that.
>
>
> > 2019/06/25 00:37:57 kid1| storeDirWriteCleanLogs: Starting...
> > : Uninitialized SSL certificate database directory:
> > /var/spool/squid/ssl_db. To initialize, run "security_file_certgen -c
> > -s /var/spool/squid/ssl_db".
> > 2019/06/25 00:37:57 kid1|   Finished.  Wrote 0 entries.
> > 2019/06/25 00:37:57 kid1|   Took 0.00 seconds (  0.00 entries/sec).
> > 2019/06/25 00:37:57 kid1| FATAL: mimeLoadIcon: cannot parse internal
> > URL: http://ip-10-0-60-70.ec2.internal:0/squid-internal-static/icons/silk/image.png
>
> Side effect of not having a forward-proxy port is that all URLs for
> things clients require fetching from Squid are invalid.
>
> Amos
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
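Putting Amos's two points together (a forward-proxy port is mandatory, and the certgen helper's DB must exist even when nothing ever bumps), the following is an added squid.conf for Squid 4.x that splices whitelisted TLS destinations by SNI without decrypting anything. It is an illustration written for this thread, not the poster's config or anything from the Squid project; the helper path, the dummy certificate path, the 10.0.0.0/8 subnet and the whitelisted domains are assumptions. Before starting Squid, create the DB the helper complains about, as the error text itself says: `security_file_certgen -c -s /var/spool/squid/ssl_db -M 4MB`, then chown the directory to the user Squid runs as.

```conf
# Added example for Squid 4.x: transparent TLS whitelist by SNI, no MITM.
# Not the original poster's config. Paths, subnet and domains below are assumptions.

# A forward-proxy port is required even if no client is pointed at it:
# without one, Squid cannot build its internal URLs (the mimeLoadIcon FATAL).
http_port 3128

# Intercepted TLS port (traffic arrives via the VPC route table).
# An ssl-bump port needs a certificate even though splice never serves it;
# generate-host-certificates=off stops Squid minting per-site certs.
https_port 9091 intercept ssl-bump tls-cert=/etc/squid/ssl_cert/squid-dummy.pem generate-host-certificates=off

# The helper is started at boot whether or not it is ever used, so its DB
# must have been initialised with "security_file_certgen -c -s <dir>" first.
# Helper path is an assumption (RHEL-style layout).
sslcrtd_program /usr/lib64/squid/security_file_certgen -s /var/spool/squid/ssl_db -M 4MB
sslcrtd_children 1

acl localnet src 10.0.0.0/8                                    # assumption: VPC CIDR
acl step1 at_step SslBump1
acl allowed_sni ssl::server_name .amazonaws.com .github.com    # assumption: whitelist

# Step 1: only the destination IP is known; peek to read the ClientHello.
ssl_bump peek step1
# Step 2: SNI is now known; splice (pass through untouched) whitelisted names only.
ssl_bump splice allowed_sni
# Everything else is closed without presenting any forged certificate.
ssl_bump terminate all

http_access allow localnet
http_access deny all
```

Two caveats a practitioner should keep in mind with this shape: the splice decision at step 2 is made on the SNI the client asserts, which the client controls and which is never compared against the server's certificate, and a TLS session that sends no SNI at all has no `ssl::server_name` to match, so it falls through to `terminate`.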

