[squid-users] Https_port with "official" certificate
Samuraiii
samurai.no.dojo at gmail.com
Wed Aug 24 12:02:43 UTC 2016
> Please give more details for "fails".
>
> Is the following your entire squid.conf (except for comments)?
>
> Have you tried getting SSL access to Squid working before introducing
> authentication?
>
> What are you trying, to test this, and what are the results?
>
>
> Regards,
>
>
> Antony.
First I would like to apologize for previous incomplete mail.
I got interrupted and accidentally sent it out before being complete.
Squid fails to start for me with:
FATAL: No valid signing SSL certificate configured for HTTPS_port [::]:8443
I have found that this is related to missing self signed certificate,
and since I do not want to use self signed certificate I am asking if I
can do anything about it.
I would like to avoid self signed certificates so my users would not
need to import and replace my own certs.
And here is my complete squid.conf:
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 901 # SWAT
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access deny to_localhost
auth_param basic program /usr/libexec/squid/basic_pam_auth
auth_param basic children 5
auth_param basic realm Proxy Authentication Required
auth_param basic credentialsttl 2 hours
acl authenticated proxy_auth REQUIRED
http_access allow authenticated
http_access deny all
https_port 8443 \
cert=/etc/letsencrypt/live/sklad.duckdns.org/cert.pem \
key=/etc/letsencrypt/live/sklad.duckdns.org/key.pem \
clientca=/etc/letsencrypt/live/sklad.duckdns.org/fullchain.pem \
tls-dh=/etc/ssl/certs/dhparam.pem \
options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE \
cipher=HIGH
cache_dir aufs /var/cache/squid 512 16 256
coredump_dir /var/cache/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
One more apology for escaped mail.
S
More information about the squid-users
mailing list