[squid-users] Https_port with "official" certificate

Samuraiii samurai.no.dojo at gmail.com
Wed Aug 24 12:02:43 UTC 2016


> Please give more details for "fails".
>
> Is the following your entire squid.conf (except for comments)?
>
> Have you tried getting SSL access to Squid working before introducing 
> authentication?
>
> What are you trying, to test this, and what are the results?
>
>
> Regards,
>
>
> Antony.
First I would like to apologize for previous incomplete mail.
I got interrupted and accidentally sent it out before being complete.

Squid fails to start for me with:
FATAL: No valid signing SSL certificate configured for HTTPS_port [::]:8443
I have found that this is related to missing self signed certificate,
and since I do not want to use self signed certificate I am asking if I
can do anything about it.
I would like to avoid self signed certificates so my users would not
need to import and replace my own certs.


And here is my complete squid.conf:

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl Safe_ports port 901         # SWAT
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access deny to_localhost

auth_param basic program /usr/libexec/squid/basic_pam_auth
auth_param basic children 5
auth_param basic realm Proxy Authentication Required
auth_param basic credentialsttl 2 hours

acl authenticated proxy_auth REQUIRED
http_access allow authenticated
http_access deny all

https_port 8443 \
    cert=/etc/letsencrypt/live/sklad.duckdns.org/cert.pem \
    key=/etc/letsencrypt/live/sklad.duckdns.org/key.pem \
    clientca=/etc/letsencrypt/live/sklad.duckdns.org/fullchain.pem \
    tls-dh=/etc/ssl/certs/dhparam.pem \
    options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE \
    cipher=HIGH
cache_dir aufs /var/cache/squid 512 16 256
coredump_dir /var/cache/squid
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320


One more apology for escaped mail.
S



More information about the squid-users mailing list