[squid-users] compile squid with tumbleweed

Eliezer Croitoru ngtech1ltd at gmail.com
Fri Apr 2 00:24:08 UTC 2021


Hey,

First try to use the next example:
https://github.com/elico/yt-classification-service-example/blob/master/redwood/init-local-rootca.sh

To create a rootCA key and certificate, which doesn't require you to use a password.
And I have also seen this article you have used and it has two ways to create the rootca.
One with the CA.pl script and the other one is with the openssl tool.
As long as you don't need the CA.pl specifically I would recommend using openssl.
It's plain simple to just create a rootCA certificate.

All The Bests,
Eliezer

----
Eliezer Croitoru
Tech Support
Mobile: +972-5-28704261
Email: ngtech1ltd at gmail.com
Zoom: Coming soon
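Eliezer's suggestion worked through as an added example (not his init-local-rootca.sh and not the commands from the Medium article): an openssl-only root CA generator for Squid's ssl-bump signing certificate, with the private key written unencrypted via `-nodes`, so squid never blocks on `Enter PEM pass phrase:` at startup. Directory, file names and the subject are placeholders; it assumes openssl 1.1.1 or newer in PATH (for `-addext`).

```shell
#!/bin/sh
# Added example: create a Squid ssl-bump signing CA with plain openssl.
# Assumptions: openssl >= 1.1.1 in PATH; paths/subject below are placeholders.
set -eu

# Generate an RSA key and self-signed CA cert into directory $1,
# valid for $2 days (default 3650). Produces:
#   squidCA.key  unencrypted private key (for the http_port key= option)
#   squidCA.pem  PEM certificate        (for the http_port cert= option)
#   squidCA.der  DER certificate        (to import into client trust stores)
make_squid_ca() {
    dir="$1"; days="${2:-3650}"
    mkdir -p "$dir"
    (
        umask 077   # files are created 0600: readable by the owner only
        # -nodes: do NOT encrypt the key. Squid starts unattended, so an
        # encrypted key (CA.pl's default) is what causes the pass-phrase
        # prompt and the "No valid signing certificate" FATAL.
        openssl req -x509 -new -nodes -newkey rsa:2048 -sha256 \
            -days "$days" \
            -subj "/CN=Squid ssl-bump CA (placeholder)/O=example" \
            -addext "basicConstraints=critical,CA:TRUE" \
            -addext "keyUsage=critical,keyCertSign,cRLSign" \
            -keyout "$dir/squidCA.key" -out "$dir/squidCA.pem" 2>/dev/null
        # DER copy of the certificate only (never the key) for browsers
        openssl x509 -in "$dir/squidCA.pem" -outform DER -out "$dir/squidCA.der"
    )
    # Afterwards: chown the files to the user squid runs as (squid:squid).
}

# Exit 0 if the PEM key in $1 loads without any pass phrase.
key_is_unencrypted() {
    ! grep -q "ENCRYPTED" "$1" &&
    openssl pkey -in "$1" -noout </dev/null 2>/dev/null
}

# Exit 0 if the certificate in $1 carries the CA:TRUE basic constraint,
# which Squid needs in order to sign the generated per-host certificates.
cert_is_ca() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q "CA:TRUE"
}

# Stand-alone usage: ./make-squid-ca.sh /etc/squid/certs
if [ $# -gt 0 ]; then
    make_squid_ca "$1"
    key_is_unencrypted "$1/squidCA.key" && cert_is_ca "$1/squidCA.pem" \
        && echo "CA created in $1; key needs no pass phrase"
fi
```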


-----Original Message-----
From: squid-users <squid-users-bounces at lists.squid-cache.org> On Behalf Of Majed Zouhairy
Sent: Thursday, April 1, 2021 1:42 PM
To: squid-users at lists.squid-cache.org
Subject: [squid-users] compile squid with tumbleweed

Peace,
as part of self developing, we decided that turning on sslbump + splice 
is a good idea, so how to install squid with ssl support on tumbleweed?

answer: it is already compiled with ssl support

but now I followed:

https://medium.com/@steensply/installing-and-configuring-squid-proxy-for-ssl-bumping-or-peek-n-splice-34afd3f69522

to enable ssl bumping.

specifically those commands:

/usr/share/ssl/misc/CA.pl -newca
/usr/share/ssl/misc/CA.pl -newreq
/usr/share/ssl/misc/CA.pl -sign
openssl x509 -in newcert.pem -outform DER -out squidTrusted.der
copied the 3 files to /etc/squid/certs
sudo chown squid:squid -R /etc/squid/certs
sudo /usr/libexec/squid/security_file_certgen -c -s /var/lib/squid/ssl_db -M 4MB
sudo chown squid:squid -R /var/lib/squid
sudo chmod 700 /etc/squid/certs/... (newcrt.pem newkey.pem squidTrusted.der)

sudo squid -z

asks for certificate password
then


2021/04/01 13:16:57| WARNING: BCP 177 violation. Detected non-functional 
IPv6 loopback.
Enter PEM pass phrase:
2021/04/01 13:17:03| Created PID file (/run/squid.pid)
zouhairy at proxy:~> 2021/04/01 13:17:03 kid1| WARNING: BCP 177 violation. 
Detected non-functional IPv6 loopback.
Enter PEM pass phrase:
2021/04/01 13:17:03 kid1| FATAL: No valid signing certificate configured 
for HTTP_port 0.0.0.0:8080
2021/04/01 13:17:03 kid1| Squid Cache (Version 4.14): Terminated abnormally.
CPU Usage: 0.047 seconds = 0.031 user + 0.016 sys
Maximum Resident Size: 62352 KB
Page faults with physical i/o: 0
2021/04/01 13:17:03 kid1| WARNING: BCP 177 violation. Detected 
non-functional IPv6 loopback.
Enter PEM pass phrase:
2021/04/01 13:17:03 kid1| FATAL: No valid signing certificate configured 
for HTTP_port 0.0.0.0:8080
2021/04/01 13:17:03 kid1| Squid Cache (Version 4.14): Terminated abnormally.
CPU Usage: 0.040 seconds = 0.032 user + 0.008 sys
Maximum Resident Size: 62272 KB
Page faults with physical i/o: 0
2021/04/01 13:17:03 kid1| WARNING: BCP 177 violation. Detected 
non-functional IPv6 loopback.
Enter PEM pass phrase:
2021/04/01 13:17:03 kid1| FATAL: No valid signing certificate configured 
for HTTP_port 0.0.0.0:8080
2021/04/01 13:17:03 kid1| Squid Cache (Version 4.14): Terminated abnormally.
CPU Usage: 0.042 seconds = 0.008 user + 0.034 sys
Maximum Resident Size: 63360 KB
Page faults with physical i/o: 0
2021/04/01 13:17:03 kid1| WARNING: BCP 177 violation. Detected 
non-functional IPv6 loopback.
Enter PEM pass phrase:
2021/04/01 13:17:03 kid1| FATAL: No valid signing certificate configured 
for HTTP_port 0.0.0.0:8080
2021/04/01 13:17:03 kid1| Squid Cache (Version 4.14): Terminated abnormally.
CPU Usage: 0.047 seconds = 0.032 user + 0.016 sys
Maximum Resident Size: 62992 KB
Page faults with physical i/o: 0
2021/04/01 13:17:03 kid1| WARNING: BCP 177 violation. Detected 
non-functional IPv6 loopback.
Enter PEM pass phrase:
2021/04/01 13:17:03 kid1| FATAL: No valid signing certificate configured 
for HTTP_port 0.0.0.0:8080
2021/04/01 13:17:03 kid1| Squid Cache (Version 4.14): Terminated abnormally.
CPU Usage: 0.045 seconds = 0.030 user + 0.015 sys
Maximum Resident Size: 62640 KB
Page faults with physical i/o: 0
2021/04/01 13:17:03| Removing PID file (/run/squid.pid)


squid conf:

acl localnet (network/24)

acl SSL_ports port 443
acl Safe_ports port 80		# http
acl Safe_ports port 8080	# http
acl Safe_ports port 21		# ftp
acl Safe_ports port 443		# https
acl Safe_ports port 70		# gopher
acl Safe_ports port 210		# wais
acl Safe_ports port 1025-65535	# unregistered ports
acl Safe_ports port 280		# http-mgmt
acl Safe_ports port 488		# gss-http
acl Safe_ports port 591		# filemaker
acl Safe_ports port 777		# multiling http
acl CONNECT method CONNECT
acl blockfiles urlpath_regex -i "/etc/squid/blocks.files.acl"

http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost
visible_hostname proxy.example.vx

dns_v4_first on

http_access allow localnet
http_access allow localhost



# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128
#http_port 8080

#sslproxy_capath /home/zouhairy/demoCA

http_port 8080 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/certs/newcert.pem key=/etc/squid/certs/newkey.pem capath=/home/zouhairy/demoCA




#acl step1 at_step SslBump1
#ssl_bump peek step1
#ssl_bump bump all

#sslcrtd_program /usr/libexec/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 4MB
#sslcrtd_children 5

ssl_bump peek all
ssl_bump splice all

#ssl_bump server-first all

sslproxy_cert_error allow all


tls_outgoing_options options=NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE cipher=HIGH:MEDIUM:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS



range_offset_limit 200 MB
maximum_object_size 200 MB
quick_abort_min -1


cache_dir ufs /var/cache/squid 3000 16 256

# Leave coredumps in the first cache dir
coredump_dir /var/cache/squid

cache_mem 1024 MB

netdb_filename none

#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp:				1440	20%	10080
refresh_pattern ^gopher:			1440	0%	1440
refresh_pattern -i (/cgi-bin/|\?) 	0		0%	0
refresh_pattern .					0		20%	4320

url_rewrite_extras "%>a/%>A %un %>rm bump_mode=%ssl::bump_mode sni=\"%ssl::>sni\" referer=\"%{Referer}>h\""
url_rewrite_program /usr/local/ufdbguard/bin/ufdbgclient -m 4 -l /var/log/squid/
url_rewrite_children 16 startup=8 idle=2 concurrency=4
#debug_options ALL,1 33,2 28,9

what to change?