<div><div dir="auto">Hello Amos,</div><div dir="auto"><br></div><div dir="auto">The problem is the connections are not getting through. It just acts like there is no WiFi connection. </div><div dir="auto"><br></div><div dir="auto">Adding the cert db every start up isn’t an issue. </div><div dir="auto"><br></div><div dir="auto">I was thinking of having a small cert cache locally instead thinking about it since. </div><div dir="auto"><br></div><div dir="auto">The connections just aren’t being made. No ssl warning. </div><div dir="auto"><br></div><div dir="auto">Thank you</div><div dir="auto"><br></div><div dir="auto">Joe</div><div dir="auto"><br></div><br><div class="gmail_quote"><div>On Thu, 16 Nov 2017 at 08:15, Amos Jeffries <<a href="mailto:squid3@treenet.co.nz">squid3@treenet.co.nz</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On 16/11/17 02:32, Joe Foster wrote:<br>
> Good afternoon,<br>
><br>
> I have a small router onto which I have installed Squid.<br>
><br>
> I am trying to filter HTTPS urls for bad words on a blocked list.<br>
><br>
> It will require the client on the safe side of the router to install the<br>
> certificate, this isn't an issue as it's an open process and not an<br>
> illigal MITM attack.<br>
><br>
> Below is my squid.conf<br>
><br>
> As you will see I have been playing around with where to put the code<br>
> and what code to put in.<br>
><br>
> I only have a small amount of flash drive so I have put the auto-gen<br>
> cert directory in /tmp/. I am aware this is volatile memory but until I<br>
> have a better solution I will be doing this.<br>
<br>
Since /tmp is subject to random deletion of content you will need to<br>
make sure you always shutdown Squid and re-run the ssl_crtd (etc.)<br>
create command to re-generate the cert DB structures whenever the device<br>
erases its /tmp content. Otherwise your proxy will crash and/or client<br>
connections will start being terminated with strange looking errors.<br>
<br>
<br>
IMO you would probably be better off setting the cert DB to a very small<br>
size suitable for your limited space - or disabling it entirely [more on<br>
that below].<br>
<br>
><br>
> I have put a firewall rule in to forward 443 to 3128.<br>
><br>
> <a href="https://wiki.squid-cache.org/Features/SslBump" rel="noreferrer" target="_blank">https://wiki.squid-cache.org/Features/SslBump</a><br>
> <a href="https://wiki.squid-cache.org/SquidFaq/SquidAcl" rel="noreferrer" target="_blank">https://wiki.squid-cache.org/SquidFaq/SquidAcl</a><br>
><br>
> I also don't want to cache due to flash drive issues. Is this possible?<br>
><br>
<br>
From the documentation of the SSL-Bump settings:<br>
<<a href="http://www.squid-cache.org/Doc/config/http_port/" rel="noreferrer" target="_blank">http://www.squid-cache.org/Doc/config/http_port/</a>><br>
"<br>
dynamic_cert_mem_cache_size=SIZE<br>
Approximate total RAM size spent on cached generated<br>
certificates. If set to zero, caching is disabled. The<br>
default value is 4MB.<br>
"<br>
<br>
> Its the same cert in /root/ and /certs/ before anyone points it out.<br>
><br>
> Nothing has been appearing in the log files either but this is no<br>
> surprise.<br>
><br>
> Been up till 1am last few nights on this so you assistance is very<br>
> appreciated.<br>
<br>
That sounds like you are having a problem. But I don't see any mention<br>
of what that is exactly.<br>
<br>
Amos<br>
_______________________________________________<br>
squid-users mailing list<br>
<a href="mailto:squid-users@lists.squid-cache.org" target="_blank">squid-users@lists.squid-cache.org</a><br>
<a href="http://lists.squid-cache.org/listinfo/squid-users" rel="noreferrer" target="_blank">http://lists.squid-cache.org/listinfo/squid-users</a><br>
</blockquote></div></div>