[squid-users] SSL Bump, CA Cert

Christian Kundela christian.kundela at a1business.at
Fri Jan 30 00:43:09 UTC 2015


Dear all,

I have problems setting up explicit proxy. (interrcept tcp 80 no problem)

If i doaself signed Cert, and i install it in Firefox or IE, no problem.

but if i use a CA-Cert i am using a signed cert from cacert.org, SSl 
Site only TXT loaded and no pictures ... this i know, when something is 
wrong with keyor else ?
(Install also all certs from cacert.org (also Firefox addons))

Key, CSR is generatedwith:
openssl genrsa -out /etc/squid/squid.key 2048
openssl req -new -key /etc/squid/squid.key -out /etc/squid/squid.csr

Signed on the sitecacert.org.TXT put into /etc/squid/squid.crt

My question: what CA Cert Squid expects ? wildcard * ? as common name i 
choose www.mydomain.net (is an example, for csr i used my real domain name).

How can trace this Problem (debug)or is the Cert wrong ?i stuck here ...


Best regards

Many Thanks in advice



Here is the squid.conf (changes done in config, added SquidGuard, C-Icap 
and MS update (from squid-cache.org) works all perfect)
IP of server is 192.168.1.1/24

## squid.conf begin
#
# Recommended minimum configuration:
#
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
#acl localnet src 10.0.0.0/8            # RFC1918 possible internal network
#acl localnet src 172.16.0.0/12         # RFC1918 possible internal network
#acl localnet src 192.168.0.0/16        # RFC1918 possible internal network
acl localnet src fc00::/7               # RFC 4193 local private network 
range
acl localnet src fe80::/10              # RFC 4291 link-local (directly 
plugged) machines
acl localnet src 192.168.1.0/24

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http

# MS Update
acl windowsupdate dstdomain windowsupdate.microsoft.com
acl windowsupdate dstdomain .update.microsoft.com
acl windowsupdate dstdomain download.windowsupdate.com
acl windowsupdate dstdomain redir.metaservices.microsoft.com
acl windowsupdate dstdomain images.metaservices.microsoft.com
acl windowsupdate dstdomain c.microsoft.com
acl windowsupdate dstdomain www.download.windowsupdate.com
acl windowsupdate dstdomain wustat.windows.com
acl windowsupdate dstdomain crl.microsoft.com
acl windowsupdate dstdomain sls.microsoft.com
acl windowsupdate dstdomain productactivation.one.microsoft.com
acl windowsupdate dstdomain ntservicepack.microsoft.com
acl windowsupdate dstdomain ctldl.windowsupdate.com

acl CONNECT method CONNECT

# MS Update
acl wuCONNECT dstdomain www.update.microsoft.com
acl wuCONNECT dstdomain sls.microsoft.com

#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# MS Update
http_access allow CONNECT wuCONNECT localnet
http_access allow CONNECT wuCONNECT localhost
http_access allow windowsupdate localnet
http_access allow windowsupdate localhost

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost

# And finally deny all other access to this proxy
http_access deny all

# SSL Stuff
always_direct allow all
ssl_bump server-first all
#sslproxy_cert_error allow all
#sslproxy_flags DONT_VERIFY_PEER

# Squid normally listens to port 3128
http_port localhost:3128
http_port 192.168.1.1:3130 ssl-bump cert=/etc/squid/server.crt 
key=/etc/squid/server.key# TEST
http_port localhost:3129 intercept

# Uncomment and adjust the following to add a disk cache directory.
cache_dir ufs /var/squid/cache 40000 16 256

# Added
cache_mem 2 GB

# Leave coredumps in the first cache dir
coredump_dir /var/squid/cache

# MS Update
refresh_pattern -i 
microsoft.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip) 4320 80% 
43200 reload-into-ims
refresh_pattern -i 
windowsupdate.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip) 4320 
80% 43200 reload-into-ims
refresh_pattern -i 
windows.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip) 4320 80% 
43200 reload-into-ims

#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320

# Added
max_filedescriptors 1024

# MS Update
range_offset_limit 200 MB windowsupdate
maximum_object_size 200 MB
quick_abort_min -1

# Path to the redirector program
url_rewrite_program   /usr/local/bin/squidGuard

# Number of redirector processes to spawn
url_rewrite_children  20

# To prevent loops, don't send requests from localhost to the redirector
url_rewrite_access    deny  localhost

# SquidClamav C-Icap
icap_enable on
icap_send_client_ip on
icap_send_client_username on
icap_client_username_encode off
icap_client_username_header X-Authenticated-User
icap_preview_enable on
icap_preview_size 1024
icap_service service_req reqmod_precache bypass=1 
icap://127.0.0.1:1344/squidclamav
adaptation_access service_req allow all
icap_service service_resp respmod_precache bypass=1 
icap://127.0.0.1:1344/squidclamav
adaptation_access service_resp allow all
## squid.conf end


More information about the squid-users mailing list