[squid-users] Https_port with "official" certificate

Antony Stone Antony.Stone at squid.open.source.it
Wed Aug 24 12:23:13 UTC 2016


On Wednesday 24 August 2016 at 14:18:46, Yuri Voinov wrote:

> No CA issues a signing CA certificate for a subject which is not itself a CA.
> 
> So the OP wants an impossible thing.

Why would one need a signING certificate just to create an SSL connection 
between the browser and Squid?

Surely one merely needs a valid signED certificate, same as you would put on a 
web server to set up secure connections to it?

OP is not intercepting secure traffic, nor making HTTP sites look to the browser 
like HTTPS ones.


Antony.

> 24.08.2016 18:15, Antony Stone wrote:
> > On Wednesday 24 August 2016 at 14:02:43, Samuraiii wrote:
> >> Squid fails to start for me with:
> >> FATAL: No valid signing SSL certificate configured for HTTPS_port [::]:8443
> 
> >> I have found that this is related to missing self signed certificate,
> >> and since I do not want to use self signed certificate I am asking if I
> >> can do anything about it.
> >> I would like to avoid self signed certificates so my users would not
> >> need to import and replace my own certs.
> > 
> > Have you tried adding the option "generate-host-certificates=off" to your
> > https_port line?
> > 
> > I'm not an expert on this bit of Squid, but I'm just looking at
> > http://www.squid-cache.org/Versions/v3/3.5/cfgman/https_port.html and
> > noticing anything to do with a "signing certificate" (which you do not have,
> > and do not want to use).
> > 
> >> And here is my complete squid.conf:
> >> 
> >> acl SSL_ports port 443
> >> acl Safe_ports port 80          # http
> >> acl Safe_ports port 21          # ftp
> >> acl Safe_ports port 443         # https
> >> acl Safe_ports port 70          # gopher
> >> acl Safe_ports port 210         # wais
> >> acl Safe_ports port 1025-65535  # unregistered ports
> >> acl Safe_ports port 280         # http-mgmt
> >> acl Safe_ports port 488         # gss-http
> >> acl Safe_ports port 591         # filemaker
> >> acl Safe_ports port 777         # multiling http
> >> acl Safe_ports port 901         # SWAT
> >> acl CONNECT method CONNECT
> >> http_access deny !Safe_ports
> >> http_access deny CONNECT !SSL_ports
> >> http_access allow localhost manager
> >> http_access deny manager
> >> http_access deny to_localhost
> >> 
> >> auth_param basic program /usr/libexec/squid/basic_pam_auth
> >> auth_param basic children 5
> >> auth_param basic realm Proxy Authentication Required
> >> auth_param basic credentialsttl 2 hours
> >> 
> >> acl authenticated proxy_auth REQUIRED
> >> http_access allow authenticated
> >> http_access deny all
> >> 
> >> https_port 8443 \
> >>     cert=/etc/letsencrypt/live/sklad.duckdns.org/cert.pem \
> >>     key=/etc/letsencrypt/live/sklad.duckdns.org/key.pem \
> >>     clientca=/etc/letsencrypt/live/sklad.duckdns.org/fullchain.pem \
> >>     tls-dh=/etc/ssl/certs/dhparam.pem \
> >>     options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE \
> >>     cipher=HIGH
> >> 
> >> cache_dir aufs /var/cache/squid 512 16 256
> >> coredump_dir /var/cache/squid
> >> refresh_pattern ^ftp:           1440    20%     10080
> >> refresh_pattern ^gopher:        1440    0%      1440
> >> refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
> >> refresh_pattern .               0       20%     4320
> > 
> > Antony.

-- 
I think broken pencils are pointless.

                                                   Please reply to the list;
                                                         please *don't* CC me.
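A small configuration check, added here and not part of the thread or of the Squid project: it joins backslash-continued squid.conf lines the way Squid does, pulls the https_port options out, and reports the two settings this thread turns on (the missing generate-host-certificates=off that Antony suggests, and clientca= pointing at the server's own chain). It runs on a constructed copy of the poster's stanza.

```python
"""Inspect a squid.conf https_port stanza for the settings behind the
'No valid signing SSL certificate configured for HTTPS_port' failure.
Added example; it reads configuration text only, not the certificate files."""
import shlex

# Constructed copy of the poster's https_port block with a neighbouring line.
SAMPLE_CONF = r"""
http_access deny all

https_port 8443 \
    cert=/etc/letsencrypt/live/sklad.duckdns.org/cert.pem \
    key=/etc/letsencrypt/live/sklad.duckdns.org/key.pem \
    clientca=/etc/letsencrypt/live/sklad.duckdns.org/fullchain.pem \
    tls-dh=/etc/ssl/certs/dhparam.pem \
    options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE \
    cipher=HIGH

cache_dir aufs /var/cache/squid 512 16 256
"""

def logical_lines(text):
    """Yield directives with trailing-backslash continuations joined."""
    buf = ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            yield buf.strip()
        buf = ""

def parse_https_port(text):
    """Return (listen_spec, {option: value}) for the first https_port line."""
    for line in logical_lines(text):
        tokens = shlex.split(line)
        if tokens and tokens[0] == "https_port":
            opts = {}
            for tok in tokens[2:]:
                key, has_eq, val = tok.partition("=")
                opts[key] = val if has_eq else "on"   # bare flags count as on
            return tokens[1], opts
    return None, {}

def findings(opts):
    """List the settings relevant to the FATAL error discussed in the thread."""
    out = []
    if "cert" not in opts or "key" not in opts:
        out.append("cert= and key= must both point at the server certificate")
    if opts.get("generate-host-certificates", "on") != "off":
        out.append("generate-host-certificates is not off: Squid then expects "
                   "cert= to be a CA (signing) certificate; with a plain server "
                   "certificate add generate-host-certificates=off")
    if "clientca" in opts:
        out.append("clientca= names the CAs used to request client certificates; "
                   "it is not where the server's chain (fullchain.pem) belongs")
    return out
```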

