[squid-users] Https_port with "official" certificate

Diogenes S. Jesus splash at gmail.com
Wed Aug 24 12:17:40 UTC 2016


Just one thing I noticed:

"clientca" is not the CA which issued your "cert" (sklad.duckdns.org) -
it's the CA to be used when doing client-side authentication, which I'm not
sure you're doing.

Dio

On Wed, Aug 24, 2016 at 2:02 PM, Samuraiii <samurai.no.dojo at gmail.com>
wrote:

>
> > Please give more details for "fails".
> >
> > Is the following your entire squid.conf (except for comments)?
> >
> > Have you tried getting SSL access to Squid working before introducing
> > authentication?
> >
> > What are you trying, to test this, and what are the results?
> >
> >
> > Regards,
> >
> >
> > Antony.
> First I would like to apologize for previous incomplete mail.
> I got interrupted and accidentally sent it out before being complete.
>
> Squid fails to start for me with:
> FATAL: No valid signing SSL certificate configured for HTTPS_port [::]:8443
> I have found that this is related to a missing self-signed certificate,
> and since I do not want to use a self-signed certificate I am asking if I
> can do anything about it.
> I would like to avoid self-signed certificates so my users would not
> need to import and replace my own certs.
>
>
> And here is my complete squid.conf:
>
> acl SSL_ports port 443
> acl Safe_ports port 80          # http
> acl Safe_ports port 21          # ftp
> acl Safe_ports port 443         # https
> acl Safe_ports port 70          # gopher
> acl Safe_ports port 210         # wais
> acl Safe_ports port 1025-65535  # unregistered ports
> acl Safe_ports port 280         # http-mgmt
> acl Safe_ports port 488         # gss-http
> acl Safe_ports port 591         # filemaker
> acl Safe_ports port 777         # multiling http
> acl Safe_ports port 901         # SWAT
> acl CONNECT method CONNECT
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localhost manager
> http_access deny manager
> http_access deny to_localhost
>
> auth_param basic program /usr/libexec/squid/basic_pam_auth
> auth_param basic children 5
> auth_param basic realm Proxy Authentication Required
> auth_param basic credentialsttl 2 hours
>
> acl authenticated proxy_auth REQUIRED
> http_access allow authenticated
> http_access deny all
>
> https_port 8443 \
>     cert=/etc/letsencrypt/live/sklad.duckdns.org/cert.pem \
>     key=/etc/letsencrypt/live/sklad.duckdns.org/key.pem \
>     clientca=/etc/letsencrypt/live/sklad.duckdns.org/fullchain.pem \
>     tls-dh=/etc/ssl/certs/dhparam.pem \
>     options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE \
>     cipher=HIGH
> cache_dir aufs /var/cache/squid 512 16 256
> coredump_dir /var/cache/squid
> refresh_pattern ^ftp:           1440    20%     10080
> refresh_pattern ^gopher:        1440    0%      1440
> refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
> refresh_pattern .               0       20%     4320
>
>
> One more apology for escaped mail.
> S
>
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>



-- 

--------

Diogenes S. de Jesus