<html><head></head><body><div style="color:#000; background-color:#fff; font-family:Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:13px"><div id="yui_3_16_0_ym19_1_1495658631655_4479" dir="ltr"><span id="yui_3_16_0_ym19_1_1495658631655_5100">Some more info: I tried this on Firefox 53 and got more feedback, but it still doesn't work. Per the recommendation on bugzilla (bug 378637), I put <a href="https://myaddress:myport/" id="yui_3_16_0_ym19_1_1495658631655_5418">https://myaddress:myport</a> into Firefox and it gives me a "Your connection is not secure". So I add the exception, and it then displays the squid message "</span>ERROR The requested URL could not be retrieved", as expected.</div><div id="yui_3_16_0_ym19_1_1495658631655_4479" dir="ltr"><br></div><div id="yui_3_16_0_ym19_1_1495658631655_4479" dir="ltr">So I add the proxy to Firefox (in Advanced, Network, Settings) as the HTTP Proxy... doesn't work, "The proxy server is refusing connections". I then put https:// in front of the address, then it's "Server not found". I then add it as SSL Proxy. 
It appears to be working, but really it's simply not using the proxy at all because I stopped squid and it made no difference.</div><div id="yui_3_16_0_ym19_1_1495658631655_4479" dir="ltr"><br></div><div id="yui_3_16_0_ym19_1_1495658631655_4479" dir="ltr">The link you reference on getting Firefox to work with this refers to Firefox 33, so by now I'd think I could directly add the proxy to the normal place in Firefox options?</div><div id="yui_3_16_0_ym19_1_1495658631655_4479" dir="ltr"><br></div><div class="qtdSeparateBR" id="yui_3_16_0_ym19_1_1495658631655_4480">squid.conf:</div><div class="qtdSeparateBR" id="yui_3_16_0_ym19_1_1495658631655_4480"><br></div><div class="qtdSeparateBR" id="yui_3_16_0_ym19_1_1495658631655_4480"><div id="yui_3_16_0_ym19_1_1495658631655_5679">auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd</div><div id="yui_3_16_0_ym19_1_1495658631655_5680">auth_param basic children 5</div><div id="yui_3_16_0_ym19_1_1495658631655_5681">auth_param basic realm Squid proxy-caching web server</div><div id="yui_3_16_0_ym19_1_1495658631655_5682">auth_param basic credentialsttl 2 hours</div><div id="yui_3_16_0_ym19_1_1495658631655_5683">auth_param basic casesensitive off</div><div id="yui_3_16_0_ym19_1_1495658631655_5684">acl ncsa_users proxy_auth REQUIRED</div><div id="yui_3_16_0_ym19_1_1495658631655_5685">http_access allow ncsa_users</div><div id="yui_3_16_0_ym19_1_1495658631655_5686"><br></div><div id="yui_3_16_0_ym19_1_1495658631655_5690">acl auth_users proxy_auth REQUIRED</div><div id="yui_3_16_0_ym19_1_1495658631655_5691">acl SSL_ports port 443<br></div><div id="yui_3_16_0_ym19_1_1495658631655_5694">acl Safe_ports port 80 # http</div><div id="yui_3_16_0_ym19_1_1495658631655_5695">acl Safe_ports port 21 # ftp</div><div id="yui_3_16_0_ym19_1_1495658631655_5696">acl Safe_ports port 443 # https</div><div id="yui_3_16_0_ym19_1_1495658631655_5697">acl Safe_ports port 70 # gopher</div><div id="yui_3_16_0_ym19_1_1495658631655_5698">acl 
Safe_ports port 210 # wais</div><div id="yui_3_16_0_ym19_1_1495658631655_5699">acl Safe_ports port 1025-65535 # unregistered ports</div><div id="yui_3_16_0_ym19_1_1495658631655_5700">acl Safe_ports port 280 # http-mgmt</div><div id="yui_3_16_0_ym19_1_1495658631655_5701">acl Safe_ports port 488 # gss-http</div><div id="yui_3_16_0_ym19_1_1495658631655_5702">acl Safe_ports port 591 # filemaker</div><div id="yui_3_16_0_ym19_1_1495658631655_5703">acl Safe_ports port 777 # multiling http</div><div id="yui_3_16_0_ym19_1_1495658631655_5704">acl CONNECT method CONNECT</div><div id="yui_3_16_0_ym19_1_1495658631655_5705">http_access deny !Safe_ports</div><div id="yui_3_16_0_ym19_1_1495658631655_5706">http_access deny CONNECT !SSL_ports</div><div id="yui_3_16_0_ym19_1_1495658631655_5707">http_access allow auth_users</div><div id="yui_3_16_0_ym19_1_1495658631655_5708">http_access allow all</div><div id="yui_3_16_0_ym19_1_1495658631655_5709">#http_port 8092</div><div id="yui_3_16_0_ym19_1_1495658631655_5710">https_port 8092 cert=/etc/squid/squid.pem</div><div id="yui_3_16_0_ym19_1_1495658631655_5711">cache deny all</div><div id="yui_3_16_0_ym19_1_1495658631655_5712">access_log none</div><div id="yui_3_16_0_ym19_1_1495658631655_5713">netdb_filename none</div><div dir="ltr" id="yui_3_16_0_ym19_1_1495658631655_5714"><br id="yui_3_16_0_ym19_1_1495658631655_5715"></div><br></div><div class="yahoo_quoted" id="yui_3_16_0_ym19_1_1495658631655_4485" style="display: block;"> <div style="font-family: Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 13px;" id="yui_3_16_0_ym19_1_1495658631655_4484"> <div style="font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 16px;" id="yui_3_16_0_ym19_1_1495658631655_4483"> <div dir="ltr" id="yui_3_16_0_ym19_1_1495658631655_4482"> <font size="2" face="Arial" id="yui_3_16_0_ym19_1_1495658631655_4481"> <hr size="1" id="yui_3_16_0_ym19_1_1495658631655_4538"> <b 
id="yui_3_16_0_ym19_1_1495658631655_5735"><span style="font-weight:bold;" id="yui_3_16_0_ym19_1_1495658631655_5734">From:</span></b> Amos Jeffries <squid3@treenet.co.nz><br> <b><span style="font-weight: bold;">To:</span></b> squid-users@lists.squid-cache.org <br> <b><span style="font-weight: bold;">Sent:</span></b> Wednesday, May 24, 2017 7:57 AM<br> <b><span style="font-weight: bold;">Subject:</span></b> Re: [squid-users] SSL bump, SSL intercept, explicit, secure proxy, what is it called?<br> </font> </div> <div class="y_msg_container" id="yui_3_16_0_ym19_1_1495658631655_4539"><br><div dir="ltr" id="yui_3_16_0_ym19_1_1495658631655_4540">On 24/05/17 13:44, j m wrote:<br clear="none">> I'd like to set up a proxy on a home server so I can use it remotely <br clear="none">> for web browsing; no filtering, nothing fancy, just a pass-through of <br clear="none">> sorts to get around web filters. That part I've got working. The <br clear="none">> part I haven't had luck with is encrypting the browser-to-proxy <br clear="none">> connection. I've found some tutorials online but part of the problem <br clear="none">> is I don't know what this feature is called when searching for <br clear="none">> solutions to problems.<br clear="none">><br clear="none">> I have squid 3.5.23 on Ubuntu compiled with<br clear="none">><br clear="none">> '--with-openssl' '--enable-ssl' '--enable-ssl-crtd'<br clear="none">><br clear="none">> so I believe I'm set there. 
However, upon finally getting a <br clear="none">> squid.conf that doesn't cause immediate errors when squid is started, <br clear="none">> I find that the squid process is gone after several seconds and find <br clear="none">> lots of these in syslog:<br clear="none">><br clear="none">> (squid-1): The ssl_crtd helpers are crashing too rapidly, need help!<br clear="none">><br clear="none">> I found a suggestion to fix this problem, but it didn't help:<br clear="none">><br clear="none">> rc-service squid stop<br clear="none">> rm -rf /var/lib/ssl_db<br clear="none">> /usr/lib/squid3/ssl_crtd -c -s /var/lib/ssl_db<br clear="none">> rc-service squid start<br clear="none">><br clear="none">><br clear="none">> So firstly, what is the actual name for what I want (encrypting proxy <br clear="none">> to browser)?<br clear="none">><br clear="none"><br clear="none"><br clear="none">Some people seem to be calling it "HTTPS", but that is not correct and <br clear="none">thankfully makes it difficult to find the bad info. (that said our own <br clear="none">wiki documents it on the HTTPS page referenced below :-P ).<br clear="none"><br clear="none">The current IETF term for it is "TLS explicit proxy". Previously it did <br clear="none">not have a formal term and often got described in words like "TLS proxy" <br clear="none">or sometimes "TLS to the proxy" and variants switching "SSL" for "TLS". <br clear="none">It also has some relation to early forms of "HTTP opportunistic <br clear="none">security" - though that now means an HTTP version of email's STARTTLS <br clear="none">that is quite unrelated to anything Squid supports at present.<div class="yqt0323402162" id="yqtfd47429"><br clear="none"><br clear="none"><br clear="none"><br clear="none">> And secondly, any advice on the error? Or even better, a good <br clear="none">> tutorial on setting this up? 
I thought if I follow a configuration <br clear="none">> exactly, I'd be off and running with little problem.</div><br clear="none">><br clear="none">><br clear="none"><br clear="none">The ssl_crtd helper is not related to TLS explicit proxy. It is a part <br clear="none">of SSL-Bump features for intercepting HTTPS traffic, specifically it is <br clear="none">the part that forges certificates.<br clear="none"><br clear="none">You could avoid it entirely by removing the --enable-ssl-crtd build <br clear="none">option if you don't need SSL-Bump features later. Otherwise check the <br clear="none">directory creation and ownership permissions are correct and that Squid <br clear="none">http_port is *not* set up to use ssl-bump features (yet).<br clear="none"><br clear="none"><br clear="none">The TLS explicit proxy is simply a Squid that uses https_port to receive <br clear="none">proxy traffic, as opposed to http_port. You will need a server <br clear="none">certificate for that, but nothing else special on Squid's side of <br clear="none">things. e.g.:<br clear="none"> https_port 3128 cert=blah_public.pem key=blah_private.key<br clear="none"><br clear="none">The tricky part is getting a browser to talk TLS to anything other than <br clear="none">origin servers. 
The details we know of are all at <br clear="none"><<a shape="rect" href="http://wiki.squid-cache.org/Features/HTTPS#Encrypted_browser-Squid_connection" target="_blank">http://wiki.squid-cache.org/Features/HTTPS#Encrypted_browser-Squid_connection</a>>.<br clear="none"><br clear="none">Amos<br clear="none"><br clear="none">_______________________________________________<br clear="none">squid-users mailing list<br clear="none"><a shape="rect" ymailto="mailto:squid-users@lists.squid-cache.org" href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</a><br clear="none"><a shape="rect" href="http://lists.squid-cache.org/listinfo/squid-users" target="_blank">http://lists.squid-cache.org/listinfo/squid-users</a><div class="yqt0323402162" id="yqtfd83364"><br clear="none"></div></div><br><br></div> </div> </div> </div></div></body></html>
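Squid evaluates http_access rules top to bottom and stops at the first match, so rule order decides who can use the proxy. The squid.conf posted at the top of this thread has an allow before the Safe_ports/CONNECT denies and ends with http_access allow all, which means a proxy exposed to the Internet on https_port 8092 would accept requests from anyone, credentials or not. The linter below is an added example (not Squid's code and not from the list) that parses the http_access lines of a config and flags both problems; SAMPLE_CONF is a constructed copy of the access-control lines from that posted config.

```python
"""Lint the http_access order of a squid.conf (added example, not Squid code).

Squid stops at the first matching http_access rule, so an 'allow' above the
Safe_ports/CONNECT denies bypasses them, and a final 'allow all' means the
proxy_auth ACLs above it are never enforced: the proxy is open to everyone."""
import re

# Constructed sample: the access-control lines from the squid.conf posted above.
SAMPLE_CONF = """\
acl ncsa_users proxy_auth REQUIRED
http_access allow ncsa_users
acl auth_users proxy_auth REQUIRED
acl Safe_ports port 80 # http
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow auth_users
http_access allow all
"""

def parse_http_access(conf_text):
    """Return [(action, [acl tokens]), ...] in file order, comments stripped."""
    rules = []
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"http_access\s+(allow|deny)\s+(.+)$", line)
        if m:
            rules.append((m.group(1), m.group(2).split()))
    return rules

def lint_http_access(conf_text):
    """Return a list of findings; an empty list means the order looks sane."""
    rules = parse_http_access(conf_text)
    if not rules:
        return ["no http_access rules found"]
    findings = []
    last_action, last_acls = rules[-1]
    if last_acls == ["all"] and last_action == "allow":
        findings.append("final 'allow all': proxy is open to any client, auth never enforced")
    elif (last_action, last_acls) != ("deny", ["all"]):
        findings.append("last rule is not 'deny all': unmatched requests fall through")
    # Port and CONNECT restrictions only bite if no earlier allow matched first.
    first_allow = next((i for i, (a, _) in enumerate(rules) if a == "allow"), None)
    for i, (action, acls) in enumerate(rules):
        guards = action == "deny" and any(t in ("!Safe_ports", "CONNECT") for t in acls)
        if guards and first_allow is not None and first_allow < i:
            findings.append(f"'deny {' '.join(acls)}' sits below an allow (rule {first_allow + 1})")
    return findings
```

Calling lint_http_access(SAMPLE_CONF) reports three findings for the posted config; moving the two deny lines above the first allow and replacing the final allow all with deny all yields none.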