<html><head></head><body><div style="color:#000; background-color:#fff; font-family:Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:13px"><div id="yui_3_16_0_ym19_1_1495634426742_4456"><span id="yui_3_16_0_ym19_1_1495634426742_4809">Thanks for the clarification.</span></div><div id="yui_3_16_0_ym19_1_1495634426742_4456"><span><br></span></div><div id="yui_3_16_0_ym19_1_1495634426742_4456" dir="ltr"><span id="yui_3_16_0_ym19_1_1495634426742_4612">I went back to the squid.conf I was using successfully (without encryption) and changed http_port to https_port and added the cert and key you mentioned. Since I'm not all that knowledgeable about SSL certs, I had some trouble with squid not liking the keys I provided. So I eventually found this command to generate what I need:</span></div><div id="yui_3_16_0_ym19_1_1495634426742_4456" dir="ltr"><span><br></span></div><div id="yui_3_16_0_ym19_1_1495634426742_4456" dir="ltr"><span id="yui_3_16_0_ym19_1_1495634426742_4713">openssl req -newkey rsa:4096 -x509 -keyout /etc/squid/squid.pem -out /etc/squid/squid.pem -days 365 -nodes<br></span></div><div id="yui_3_16_0_ym19_1_1495634426742_4456" dir="ltr"><span><br></span></div><div id="yui_3_16_0_ym19_1_1495634426742_4456" dir="ltr"><span id="yui_3_16_0_ym19_1_1495634426742_4810">which puts them into the same file, which squid seemed to be ok with.</span></div><div id="yui_3_16_0_ym19_1_1495634426742_4456" dir="ltr"><span><br></span></div><div id="yui_3_16_0_ym19_1_1495634426742_4456" dir="ltr">Then I tried starting another instance of Chrome using:</div><div id="yui_3_16_0_ym19_1_1495634426742_4456" dir="ltr"><br></div><div id="yui_3_16_0_ym19_1_1495634426742_4456" dir="ltr">chrome --proxy-server=https://my-domain-name:8092<br></div><div id="yui_3_16_0_ym19_1_1495634426742_4456" dir="ltr"><br></div><div id="yui_3_16_0_ym19_1_1495634426742_4456" dir="ltr">but it didn't work. No errors, nothing unusual. Chrome simply behaved like there was no proxy configured. 
I found documentation on chromium.org that showed the format as:</div><div id="yui_3_16_0_ym19_1_1495634426742_4456" dir="ltr"><br></div><div id="yui_3_16_0_ym19_1_1495634426742_4456" dir="ltr">chrome --proxy-server="https://my-domain-name:8092"<br></div><div id="yui_3_16_0_ym19_1_1495634426742_4456" dir="ltr"><span style="font-family: arial;"><br></span></div><div id="yui_3_16_0_ym19_1_1495634426742_4456" dir="ltr"><span style="font-family: arial;" id="yui_3_16_0_ym19_1_1495634426742_5100">so I tried adding the quotes, but no change.</span></div><div id="yui_3_16_0_ym19_1_1495634426742_4456" dir="ltr"><span style="font-family: arial;"><br></span></div><div id="yui_3_16_0_ym19_1_1495634426742_4456" dir="ltr"><span style="font-family: arial;" id="yui_3_16_0_ym19_1_1495634426742_5212">I then removed the private key from squid.pem and saved it as another file on the Windows computer running Chrome, and added it as a cert. No problem there, but no change.</span></div><div id="yui_3_16_0_ym19_1_1495634426742_4456" dir="ltr"><span style="font-family: arial;"><br></span></div><div id="yui_3_16_0_ym19_1_1495634426742_4456" dir="ltr"><span style="font-family: arial;" id="yui_3_16_0_ym19_1_1495634426742_5271">My squid.conf is below. 
I'm at a loss as far as what to try next.</span></div><div id="yui_3_16_0_ym19_1_1495634426742_4456" dir="ltr"><span style="font-family: arial;"><br></span></div><div id="yui_3_16_0_ym19_1_1495634426742_4456" dir="ltr"><span style="font-family: arial;"><br></span></div><div dir="ltr" id="yui_3_16_0_ym19_1_1495634426742_5535"><font face="arial" id="yui_3_16_0_ym19_1_1495634426742_5536">auth_param digest program /usr/lib/squid/digest_file_auth -c /etc/squid/passwd</font></div><div dir="ltr" id="yui_3_16_0_ym19_1_1495634426742_5537"><font face="arial" id="yui_3_16_0_ym19_1_1495634426742_5538">auth_param digest realm myrealm</font></div><div dir="ltr" id="yui_3_16_0_ym19_1_1495634426742_5539"><font face="arial" id="yui_3_16_0_ym19_1_1495634426742_5540">auth_param digest children 2</font></div><div dir="ltr" id="yui_3_16_0_ym19_1_1495634426742_5541"><font face="arial" id="yui_3_16_0_ym19_1_1495634426742_5542">acl auth_users proxy_auth REQUIRED</font></div><div dir="ltr" id="yui_3_16_0_ym19_1_1495634426742_5543"><span style="font-family: arial;" id="yui_3_16_0_ym19_1_1495634426742_5650">acl SSL_ports port 443</span><br></div><div dir="ltr" id="yui_3_16_0_ym19_1_1495634426742_5549"><font face="arial" id="yui_3_16_0_ym19_1_1495634426742_5550">acl Safe_ports port 80 # http</font></div><div dir="ltr" id="yui_3_16_0_ym19_1_1495634426742_5551"><font face="arial" id="yui_3_16_0_ym19_1_1495634426742_5552">acl Safe_ports port 21 # ftp</font></div><div dir="ltr" id="yui_3_16_0_ym19_1_1495634426742_5553"><font face="arial" id="yui_3_16_0_ym19_1_1495634426742_5554">acl Safe_ports port 443 # https</font></div><div dir="ltr" id="yui_3_16_0_ym19_1_1495634426742_5555"><font face="arial" id="yui_3_16_0_ym19_1_1495634426742_5556">acl Safe_ports port 70 # gopher</font></div><div dir="ltr" id="yui_3_16_0_ym19_1_1495634426742_5557"><font face="arial" id="yui_3_16_0_ym19_1_1495634426742_5558">acl Safe_ports port 210 # wais</font></div><div dir="ltr" 
id="yui_3_16_0_ym19_1_1495634426742_5559"><font face="arial" id="yui_3_16_0_ym19_1_1495634426742_5560">acl Safe_ports port 1025-65535 # unregistered ports</font></div><div dir="ltr" id="yui_3_16_0_ym19_1_1495634426742_5561"><font face="arial" id="yui_3_16_0_ym19_1_1495634426742_5562">acl Safe_ports port 280 # http-mgmt</font></div><div dir="ltr" id="yui_3_16_0_ym19_1_1495634426742_5563"><font face="arial" id="yui_3_16_0_ym19_1_1495634426742_5564">acl Safe_ports port 488 # gss-http</font></div><div dir="ltr" id="yui_3_16_0_ym19_1_1495634426742_5565"><font face="arial" id="yui_3_16_0_ym19_1_1495634426742_5566">acl Safe_ports port 591 # filemaker</font></div><div dir="ltr" id="yui_3_16_0_ym19_1_1495634426742_5567"><font face="arial" id="yui_3_16_0_ym19_1_1495634426742_5568">acl Safe_ports port 777 # multiling http</font></div><div dir="ltr" id="yui_3_16_0_ym19_1_1495634426742_5569"><font face="arial" id="yui_3_16_0_ym19_1_1495634426742_5570">acl CONNECT method CONNECT</font></div><div dir="ltr" id="yui_3_16_0_ym19_1_1495634426742_5571"><font face="arial" id="yui_3_16_0_ym19_1_1495634426742_5572">http_access deny !Safe_ports</font></div><div dir="ltr" id="yui_3_16_0_ym19_1_1495634426742_5573"><font face="arial" id="yui_3_16_0_ym19_1_1495634426742_5574">http_access deny CONNECT !SSL_ports</font></div><div dir="ltr" id="yui_3_16_0_ym19_1_1495634426742_5575"><font face="arial" id="yui_3_16_0_ym19_1_1495634426742_5576">http_access allow auth_users</font></div><div dir="ltr" id="yui_3_16_0_ym19_1_1495634426742_5577"><font face="arial" id="yui_3_16_0_ym19_1_1495634426742_5578">http_access allow all</font></div><div dir="ltr" id="yui_3_16_0_ym19_1_1495634426742_5579"><font face="arial" id="yui_3_16_0_ym19_1_1495634426742_5580">#http_port 8092</font></div><div dir="ltr" id="yui_3_16_0_ym19_1_1495634426742_5581"><font face="arial" id="yui_3_16_0_ym19_1_1495634426742_5582">https_port 8092 cert=/etc/squid/squid.pem key=/etc/squid/squid.pem</font></div><div dir="ltr" 
id="yui_3_16_0_ym19_1_1495634426742_5583"><font face="arial" id="yui_3_16_0_ym19_1_1495634426742_5584">cache deny all</font></div><div dir="ltr" id="yui_3_16_0_ym19_1_1495634426742_5585"><font face="arial" id="yui_3_16_0_ym19_1_1495634426742_5586">access_log none</font></div><div id="yui_3_16_0_ym19_1_1495634426742_4456" dir="ltr"></div><div dir="ltr" id="yui_3_16_0_ym19_1_1495634426742_5587"><font face="arial" id="yui_3_16_0_ym19_1_1495634426742_5588">netdb_filename none</font></div><div id="yui_3_16_0_ym19_1_1495634426742_4456" dir="ltr"><span><br></span></div><div class="qtdSeparateBR" id="yui_3_16_0_ym19_1_1495634426742_4455"><br><br></div><div class="yahoo_quoted" id="yui_3_16_0_ym19_1_1495634426742_4430" style="display: block;"> <div style="font-family: Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 13px;" id="yui_3_16_0_ym19_1_1495634426742_4429"> <div style="font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 16px;" id="yui_3_16_0_ym19_1_1495634426742_4428"> <div dir="ltr" id="yui_3_16_0_ym19_1_1495634426742_4427"> <font size="2" face="Arial" id="yui_3_16_0_ym19_1_1495634426742_4426"> <hr size="1" id="yui_3_16_0_ym19_1_1495634426742_4425"> <b id="yui_3_16_0_ym19_1_1495634426742_5102"><span style="font-weight:bold;" id="yui_3_16_0_ym19_1_1495634426742_5101">From:</span></b> Amos Jeffries <squid3@treenet.co.nz><br> <b><span style="font-weight: bold;">To:</span></b> squid-users@lists.squid-cache.org <br> <b><span style="font-weight: bold;">Sent:</span></b> Wednesday, May 24, 2017 7:57 AM<br> <b><span style="font-weight: bold;">Subject:</span></b> Re: [squid-users] SSL bump, SSL intercept, explicit, secure proxy, what is it called?<br> </font> </div> <div class="y_msg_container" id="yui_3_16_0_ym19_1_1495634426742_4501"><br><div dir="ltr" id="yui_3_16_0_ym19_1_1495634426742_4500">On 24/05/17 13:44, j m wrote:<br clear="none">> I'd like to set up a proxy on a home server so I can use it 
remotely <br clear="none">> for web browsing; no filtering, nothing fancy, just a pass-through of <br clear="none">> sorts to get around web filters. That part I've got working. The <br clear="none">> part I haven't had luck with is encrypting the browser-to-proxy <br clear="none">> connection. I've found some tutorials online but part of the problem <br clear="none">> is I don't know what this feature is called when searching for <br clear="none">> solutions to problems.<br clear="none">><br clear="none">> I have squid 3.5.23 on Ubuntu compiled with<br clear="none">><br clear="none">> '--with-openssl' '--enable-ssl' '--enable-ssl-crtd'<br clear="none">><br clear="none">> so I believe I'm set there. However, upon finally getting a <br clear="none">> squid.conf that doesn't cause immediate errors when squid is started, <br clear="none">> I find that the squid process is gone after several seconds and find <br clear="none">> lots of these in syslog:<br clear="none">><br clear="none">> (squid-1): The ssl_crtd helpers are crashing too rapidly, need help!<br clear="none">><br clear="none">> I found a suggestion to fix this problem, but it didn't help:<br clear="none">><br clear="none">> rc-service squid stop<br clear="none">> rm -rf /var/lib/ssl_db<br clear="none">> /usr/lib/squid3/ssl_crtd -c -s /var/lib/ssl_db<br clear="none">> rc-service squid start<br clear="none">><br clear="none">><br clear="none">> So firstly, what is the actual name for what I want (encrypting proxy <br clear="none">> to browser)?<br clear="none">><br clear="none"><br clear="none"><br clear="none">Some people seem to be calling it "HTTPS", but that is not correct and <br clear="none">thankfully makes it difficult to find the bad info. (that said our own <br clear="none">wiki documents it on the HTTPS page referenced below :-P ).<br clear="none"><br clear="none">The current IETF term for it is "TLS explicit proxy". 
Previously it did <br clear="none">not have a formal term and often got described in words like "TLS proxy" <br clear="none">or sometimes "TLS to the proxy" and variants switching "SSL" for "TLS". <br clear="none">It also has some relation to early forms of "HTTP opportunistic <br clear="none">security" - though that now means an HTTP version of email's STARTTLS <br clear="none">that is quite unrelated to anything Squid supports at present.<div class="yqt4271505684" id="yqtfd29211"><br clear="none"><br clear="none"><br clear="none"><br clear="none">> And secondly, any advice on the error? Or even better, a good <br clear="none">> tutorial on setting this up? I thought if I follow a configuration <br clear="none">> exactly, I'd be off and running with little problem.</div><br clear="none">><br clear="none">><br clear="none"><br clear="none">The ssl_crtd helper is not related to TLS explicit proxy. It is a part <br clear="none">of SSL-Bump features for intercepting HTTPS traffic, specifically it is <br clear="none">the part that forges certificates.<br clear="none"><br clear="none">You could avoid it entirely by removing the --enable-ssl-crtd build <br clear="none">option if you don't need SSL-Bump features later. Otherwise check the <br clear="none">directory creation and ownership permissions are correct and that Squid <br clear="none">http_port is *not* set up to use ssl-bump features (yet).<br clear="none"><br clear="none"><br clear="none">The TLS explicit proxy is simply a Squid that uses https_port to receive <br clear="none">proxy traffic, as opposed to http_port. You will need a server <br clear="none">certificate for that, but nothing else special on Squid's side of <br clear="none">things. e.g.:<br clear="none"> https_port 3128 cert=blah_public.pem key=blah_private.key<br clear="none"><br clear="none">The tricky part is getting a browser to talk TLS to anything other than <br clear="none">origin servers. 
The details we know of are all at <br clear="none"><<a shape="rect" href="http://wiki.squid-cache.org/Features/HTTPS#Encrypted_browser-Squid_connection" target="_blank">http://wiki.squid-cache.org/Features/HTTPS#Encrypted_browser-Squid_connection</a>>.<br clear="none"><br clear="none">Amos<br clear="none"><br clear="none">_______________________________________________<br clear="none">squid-users mailing list<br clear="none"><a shape="rect" ymailto="mailto:squid-users@lists.squid-cache.org" href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</a><br clear="none"><a shape="rect" href="http://lists.squid-cache.org/listinfo/squid-users" target="_blank">http://lists.squid-cache.org/listinfo/squid-users</a><div class="yqt4271505684" id="yqtfd99407"><br clear="none"></div></div><br><br></div> </div> </div> </div></div></body></html>
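As an added diagnostic for the https_port setup discussed in this thread (example code written here, not from the list or the Squid project), the script below does what the browser has to do against a TLS explicit proxy: a TLS handshake to the proxy port verified against the certificate from squid.pem, then a CONNECT request inside that TLS session. With the posted config's `proxy_auth REQUIRED`, a working https_port should answer an unauthenticated CONNECT with 407 and a Digest challenge carrying the realm, which the parser extracts; the proxy host, port, PEM path and the sample 407 reply are assumed or constructed, not taken from the thread.

```python
import re
import socket
import ssl

# Constructed sample of a Squid reply to a CONNECT sent without credentials
# while proxy_auth REQUIRED is in force (digest realm "myrealm" as in the conf).
SAMPLE_407 = (
    b"HTTP/1.1 407 Proxy Authentication Required\r\n"
    b"Server: squid/3.5.23\r\n"
    b'Proxy-Authenticate: Digest realm="myrealm", nonce="abc123", qop="auth"\r\n'
    b"Content-Length: 0\r\n\r\n"
)


def parse_proxy_response(raw: bytes) -> dict:
    """Split the proxy's first reply into status, reason, headers and realm."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    version, code, reason = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    m = re.search(r'realm="([^"]*)"', headers.get("proxy-authenticate", ""))
    return {"version": version, "status": int(code), "reason": reason,
            "headers": headers, "realm": m.group(1) if m else None}


def probe_tls_proxy(proxy_host, proxy_port, ca_pem, target="example.com:443"):
    """TLS handshake with the proxy, then a CONNECT through it.

    ca_pem is the certificate part of squid.pem (assumed path), so the
    handshake verifies the proxy's self-signed cert (its CN/SAN must match
    proxy_host) instead of skipping verification.
    """
    ctx = ssl.create_default_context(cafile=ca_pem)
    with socket.create_connection((proxy_host, proxy_port), timeout=10) as raw:
        # A handshake failure here means the port is not speaking TLS at all
        # (e.g. still an http_port) or the certificate does not match the host.
        with ctx.wrap_socket(raw, server_hostname=proxy_host) as tls:
            req = f"CONNECT {target} HTTP/1.1\r\nHost: {target}\r\n\r\n"
            tls.sendall(req.encode("ascii"))
            buf = b""
            while b"\r\n\r\n" not in buf:
                chunk = tls.recv(4096)
                if not chunk:
                    break
                buf += chunk
    return parse_proxy_response(buf)
```

Run `probe_tls_proxy("my-domain-name", 8092, "/etc/squid/squid.pem")` from the client machine: a 407 with realm "myrealm" proves the TLS side works and only the browser's proxy settings remain to be sorted out.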