[squid-users] Https_port with "official" certificate

Antony Stone Antony.Stone at squid.open.source.it
Wed Aug 24 11:49:55 UTC 2016


On Wednesday 24 August 2016 at 13:42:16, Samuraiii wrote:

> On 24.8.2016 13:18, Antony Stone wrote:
> > 
> > See "Encrypted browser-Squid connection" at the bottom of
> > http://wiki.squid-cache.org/Features/HTTPS
> 
> I have seen that, it is the cause of my subscription to this list.
> I haven't been able to find any usable hints.
> My config attempt fails

Please give more details for "fails".

Is the following your entire squid.conf (except for comments)?

Have you tried getting SSL access to Squid working before introducing 
authentication?

What are you trying, to test this, and what are the results?


Regards,


Antony.

> acl SSL_ports port 443
> acl Safe_ports port 80          # http
> acl Safe_ports port 21          # ftp
> acl Safe_ports port 443         # https
> acl Safe_ports port 70          # gopher
> acl Safe_ports port 210         # wais
> acl Safe_ports port 1025-65535  # unregistered ports
> acl Safe_ports port 280         # http-mgmt
> acl Safe_ports port 488         # gss-http
> acl Safe_ports port 591         # filemaker
> acl Safe_ports port 777         # multiling http
> acl Safe_ports port 901         # SWAT
> acl CONNECT method CONNECT
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localhost manager
> http_access deny manager
> http_access deny to_localhost
> 
> auth_param basic program /usr/libexec/squid/basic_pam_auth
> auth_param basic children 5
> auth_param basic realm Proxy Authentication Required
> auth_param basic credentialsttl 2 hours
> 
> acl authenticated proxy_auth REQUIRED
> http_access allow authenticated
> http_access deny all
> 
> https_port 8443 \
>     cert=/etc/letsencrypt/live/sklad.duckdns.org/cert.pem \
>     key=/etc/letsencrypt/live/sklad.duckdns.org/key.pem \
>     cleintca=/etc/letsencrypt/live/sklad.duckdns.org/fullchain.pem \
>     tls-dh=/etc/ssl/certs/dhparam.pem \
>     sslproxy_options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE \
>     cipher=HIGH
> cache_dir aufs /var/cache/squid 512 16 256
> coredump_dir /var/cache/squid
> refresh_pattern ^ftp:           1440    20%     10080
> refresh_pattern ^gopher:        1440    0%      1440
> refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
> refresh_pattern .               0       20%     4320

-- 
#include <stdio.h>

#define SIX 1+5
#define NINE 8+1

int main() {
    printf("%d\n", SIX * NINE);
}
	- thanks to ECB for bringing this to my attention

                                                   Please reply to the list;
                                                         please *don't* CC me.
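An added example, not part of the thread and not Squid's own code: a small Python linter for the `https_port` lines of a squid.conf. It folds backslash continuations into one logical line, then flags option names Squid does not know (the quoted config's `cleintca=` where Squid's option is `clientca=`) and global directives placed on the port line (`sslproxy_options` is a top-level directive governing outgoing TLS, not an `https_port` option; the listening socket takes `options=`). The list of accepted option names is an assumption from memory for Squid 3.5/4.x, so check it against your version's squid.conf.documented; `squid -k parse` remains the authoritative check, this script just gives a readable hint before you run it. The sample config is constructed with placeholder paths.

```python
"""Lint the https_port lines of a squid.conf for misspelled or misplaced
TLS options. Added example for this thread, not Squid's own code."""
import difflib
import re

# Assumption: option names https_port accepts (Squid 3.5/4.x, from memory).
# Verify against the https_port section of your squid.conf.documented.
KNOWN_HTTPS_PORT_OPTIONS = sorted({
    "cert", "key", "tls-cert", "tls-key", "clientca", "cafile", "tls-cafile",
    "capath", "crlfile", "cipher", "options", "tls-dh", "dhparams", "version",
    "tls-min-version", "sslflags", "sslcontext", "intercept", "tproxy", "accel",
    "defaultsite", "vhost", "vport", "protocol", "name", "ssl-bump",
    "generate-host-certificates", "dynamic_cert_mem_cache_size",
    "connection-auth", "require-proxy-header", "tcpkeepalive",
})

# Global squid.conf directives that are sometimes mistakenly put on a port line.
GLOBAL_DIRECTIVES = {
    "sslproxy_options": "sslproxy_options is a global directive for outgoing "
                        "TLS, not an https_port option; use options= on the "
                        "listening port instead",
}

def join_continuations(text):
    """Fold backslash-newline continuations into single logical lines."""
    return re.sub(r"\\\n[ \t]*", " ", text)

def parse_https_ports(text):
    """Return one {'port': str, 'options': {name: value}} per https_port line."""
    entries = []
    for raw in join_continuations(text).splitlines():
        tokens = raw.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(tokens) < 2 or tokens[0] != "https_port":
            continue
        options = {}
        for tok in tokens[2:]:
            name, sep, value = tok.partition("=")
            options[name] = value if sep else None  # bare flags carry no value
        entries.append({"port": tokens[1], "options": options})
    return entries

def lint_https_port(entry):
    """Return human-readable problems found in one parsed https_port entry."""
    problems = []
    for name in entry["options"]:
        if name in KNOWN_HTTPS_PORT_OPTIONS:
            continue
        if name in GLOBAL_DIRECTIVES:
            problems.append(GLOBAL_DIRECTIVES[name])
            continue
        # Suggest the closest real option name for likely typos.
        close = difflib.get_close_matches(name, KNOWN_HTTPS_PORT_OPTIONS, n=1, cutoff=0.6)
        hint = f" (did you mean {close[0]}=?)" if close else ""
        problems.append(f"unknown option {name}={hint}")
    if not set(entry["options"]) & {"cert", "tls-cert"}:
        problems.append("no cert= given; the listener has no certificate to present")
    return problems

def lint_config(text):
    """Map each https_port value to its list of problems (empty list if clean)."""
    return {e["port"]: lint_https_port(e) for e in parse_https_ports(text)}

# Constructed sample, shaped like the config quoted in the thread (placeholder paths).
SAMPLE_CONF = """\
http_port 3128
https_port 8443 \\
    cert=/etc/squid/certs/cert.pem \\
    key=/etc/squid/certs/key.pem \\
    cleintca=/etc/squid/certs/fullchain.pem \\
    tls-dh=/etc/squid/certs/dhparam.pem \\
    sslproxy_options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE \\
    cipher=HIGH
# same listener written with option names Squid actually accepts
https_port 8444 cert=/etc/squid/certs/cert.pem key=/etc/squid/certs/key.pem clientca=/etc/squid/certs/ca.pem options=NO_SSLv2,NO_SSLv3 cipher=HIGH
"""

if __name__ == "__main__":
    for port, problems in lint_config(SAMPLE_CONF).items():
        print(f"https_port {port}: " + ("OK" if not problems else ""))
        for p in problems:
            print(f"  - {p}")
```

Run it against your real file with `lint_config(open("/etc/squid/squid.conf").read())`; a clean listener reports an empty list, and a `clientca=` pointing at a full chain file is worth a second look too, since that option names the CA that signs client certificates, not the server's own chain.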

