[squid-users] Https_port with "official" certificate

Yuri Voinov yvoinov at gmail.com
Wed Aug 24 12:26:48 UTC 2016


24.08.2016 18:23, Antony Stone wrote:
> On Wednesday 24 August 2016 at 14:18:46, Yuri Voinov wrote:
>
>> No CA issues a signing CA for a subject which is not a CA itself.
>>
>> So, OP wants an impossible thing.
>
> Why would one need a signING certificate just to create an SSL connection
> between the browser and Squid?
>
> Surely one merely needs a valid signED certificate, same as you would put on a
> web server to set up secure connections to it?
>
> OP is not intercepting secure traffic, nor making HTTP sites look to the browser
> like HTTPS ones.
Then I do not understand what the OP wants.
>
>
>
> Antony.
>
>> 24.08.2016 18:15, Antony Stone wrote:
>>> On Wednesday 24 August 2016 at 14:02:43, Samuraiii wrote:
>>>> Squid fails to start for me with:
>>>> FATAL: No valid signing SSL certificate configured for HTTPS_port [::]:8443
>>>>
>>>> I have found that this is related to missing self signed certificate,
>>>> and since I do not want to use self signed certificate I am asking if I
>>>> can do anything about it.
>>>> I would like to avoid self signed certificates so my users would not
>>>> need to import and replace my own certs.
>>>
>>> Have you tried adding the option "generate-host-certificates=off" to your
>>> https_port line?
>>>
>>> I'm not an expert on this bit of Squid, but I'm just looking at
>>> http://www.squid-cache.org/Versions/v3/3.5/cfgman/https_port.html and noticing
>>> anything to do with a "signing certificate" (which you do not have, and do not
>>> want to use).
>>>
>>>> And here is my complete squid.conf:
>>>>
>>>> acl SSL_ports port 443
>>>> acl Safe_ports port 80          # http
>>>> acl Safe_ports port 21          # ftp
>>>> acl Safe_ports port 443         # https
>>>> acl Safe_ports port 70          # gopher
>>>> acl Safe_ports port 210         # wais
>>>> acl Safe_ports port 1025-65535  # unregistered ports
>>>> acl Safe_ports port 280         # http-mgmt
>>>> acl Safe_ports port 488         # gss-http
>>>> acl Safe_ports port 591         # filemaker
>>>> acl Safe_ports port 777         # multiling http
>>>> acl Safe_ports port 901         # SWAT
>>>> acl CONNECT method CONNECT
>>>> http_access deny !Safe_ports
>>>> http_access deny CONNECT !SSL_ports
>>>> http_access allow localhost manager
>>>> http_access deny manager
>>>> http_access deny to_localhost
>>>>
>>>> auth_param basic program /usr/libexec/squid/basic_pam_auth
>>>> auth_param basic children 5
>>>> auth_param basic realm Proxy Authentication Required
>>>> auth_param basic credentialsttl 2 hours
>>>>
>>>> acl authenticated proxy_auth REQUIRED
>>>> http_access allow authenticated
>>>> http_access deny all
>>>>
>>>> https_port 8443 \
>>>>     cert=/etc/letsencrypt/live/sklad.duckdns.org/cert.pem \
>>>>     key=/etc/letsencrypt/live/sklad.duckdns.org/key.pem \
>>>>     clientca=/etc/letsencrypt/live/sklad.duckdns.org/fullchain.pem \
>>>>     tls-dh=/etc/ssl/certs/dhparam.pem \
>>>>     options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE \
>>>>     cipher=HIGH
>>>>
>>>> cache_dir aufs /var/cache/squid 512 16 256
>>>> coredump_dir /var/cache/squid
>>>> refresh_pattern ^ftp:           1440    20%     10080
>>>> refresh_pattern ^gopher:        1440    0%      1440
>>>> refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
>>>> refresh_pattern .               0       20%     4320
>>>
>>> Antony.
>

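The two points Antony makes in the thread above (a non-intercepting https_port only needs a signed server certificate, and the suggestion to try generate-host-certificates=off) can be turned into a small squid.conf check. This is an added example, not part of the thread and not Squid's own code; the function names are hypothetical, the sample is the directive quoted above, and this message does not confirm that the option resolves the FATAL error.

```python
# Constructed sample: the https_port directive quoted in the thread above.
SAMPLE_CONF = r"""
https_port 8443 \
    cert=/etc/letsencrypt/live/sklad.duckdns.org/cert.pem \
    key=/etc/letsencrypt/live/sklad.duckdns.org/key.pem \
    clientca=/etc/letsencrypt/live/sklad.duckdns.org/fullchain.pem \
    tls-dh=/etc/ssl/certs/dhparam.pem \
    options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE \
    cipher=HIGH
"""

def logical_lines(text):
    """Join backslash-continued lines; drop comments and blank lines."""
    buf = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            yield buf.split()
        buf = ""
    if buf.strip():  # file ended on a continuation line
        yield buf.split()

def https_ports(text):
    """One dict per https_port directive: address, bare flags, key=value options."""
    ports = []
    for words in logical_lines(text):
        if words[0] == "https_port" and len(words) > 1:
            ports.append({"addr": words[1],
                          "flags": {w for w in words[2:] if "=" not in w},
                          "opts": dict(w.split("=", 1) for w in words[2:] if "=" in w)})
    return ports

def review(text):
    """Hypothetical check: which kind of certificate does each port's mode call for?"""
    findings = []
    for p in https_ports(text):
        if p["opts"].get("generate-host-certificates") == "off":
            continue  # host-certificate generation explicitly disabled
        if "ssl-bump" in p["flags"]:
            msg = "signing (CA) certificate needed: ssl-bump generates host certificates"
        else:
            msg = "no ssl-bump: a signed server certificate is enough; try generate-host-certificates=off"
        findings.append((p["addr"], msg))
    return findings

print(review(SAMPLE_CONF))
```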
