[squid-users] Https_port with "official" certificate
Diogenes S. Jesus
splash at gmail.com
Wed Aug 24 14:37:31 UTC 2016
This configuration here covers the use case described by the OP:
https://gist.githubusercontent.com/splashx/758ff0c59ea291f32edafc516fdaad73/raw/8050fa054821657812961050332b38a56e7e3e68/
If everything works well, you'll notice you won't support HTTP proxy at
all, but users can reach both HTTP and HTTPS target websites via your
HTTPS proxy.
# netstat -nltp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      32109/sshd
tcp6       0      0 :::80                   :::*                    LISTEN      26627/apache2
tcp6       0      0 :::3443                 :::*                    LISTEN      7303/(squid-1)
tcp6       0      0 :::22                   :::*                    LISTEN      32109/sshd
The user connects to the proxy ONLY via HTTPS Proxy on port 3443.
All traffic between the OP and the proxy is encrypted using TLS.
A) If the user enters http://target.example.com, between the proxy and the
target you'll see HTTP.
B) If the user enters https://target.example.com, between the proxy and the
target you'll see HTTPS.
If you sniff the traffic between the client and the proxy, you'll see TLS.
Tested with:
$ /Applications/Firefox\ 2.app/Contents/MacOS/firefox -v
Mozilla Firefox 48.0
Firefox set up to use PAC: Preferences > Advanced > Network > Settings:
"Automatic Proxy Configuration": http://squid.example.com/proxy.pac
The downside here of course is the limited amount of clients supporting
HTTPS Proxy settings.
Dio
On Wed, Aug 24, 2016 at 3:46 PM, Amos Jeffries <squid3 at treenet.co.nz> wrote:
> Just to rewind this conversation to the actual problem ...
>
> On 24/08/2016 11:42 p.m., Samuraiii wrote:
> > On 24.8.2016 13:18, Antony Stone wrote:
> >> Unfortunately it's not Squid that's the challenge - it's the browser.
> >>
> >> If you're using Firefox and/or Chrome, you should be okay.
> >>
> >> See "Encrypted browser-Squid connection" at the bottom of
> >> http://wiki.squid-cache.org/Features/HTTPS
> >>
> >>
> >> Antony.
> >>
> > I have seen that, it is the cause of my subscription to this list.
> > I haven't been able to find any usable hints.
> > My config attempt fails
> >
>
> <snip>
> >
> > https_port 8443 \
> > cert=/etc/letsencrypt/live/sklad.duckdns.org/cert.pem \
> > key=/etc/letsencrypt/live/sklad.duckdns.org/key.pem \
> > cleintca=/etc/letsencrypt/live/sklad.duckdns.org/fullchain.pem \
> > tls-dh=/etc/ssl/certs/dhparam.pem \
> > sslproxy_options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE \
> > cipher=HIGH
>
>
> As Dio mentioned the cleintca= (or rather clientca=) is for
> authenticating client certificates. Don't use that unless you are
> requiring client certs in TLS.
>
> The rest of your config looks reasonable to me. I suspect you have found
> a bug introduced during all the SSL-Bump code changes. Please make a
> bugzilla report and include your exact Squid version (found with the
> 'squid -v' command), the https_port line(s) and the exact error message
> produced on startup.
>
> Amos
>
--
--------
Diogenes S. de Jesus
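Added example, not from the gist linked above and not from the Squid project: a minimal proxy.pac for the setup Dio describes, where the browser reaches an https_port listener. The proxy hostname squid.example.com is taken from the PAC URL quoted in the post and the port 3443 from the netstat output; both are assumptions about the reader's environment. The point it demonstrates is the PAC keyword: "HTTPS host:port" makes Firefox and Chrome open a TLS connection to the proxy itself, whereas "PROXY host:port" would send plaintext to port 3443 and fail against an https_port.

```javascript
// Added example PAC file (assumed host/port; not the gist's contents).
// Served from http://squid.example.com/proxy.pac in the original setup.
var PROXY_HOST = "squid.example.com"; // assumption, from the PAC URL in the post
var PROXY_PORT = 3443;                // from the netstat output in the post

// Plain string checks are used instead of the browser-provided PAC helpers
// (isPlainHostName, dnsDomainIs) so the function also runs outside a browser.
function isLocalHost(host) {
  return host.indexOf(".") === -1 ||   // unqualified name, e.g. "intranet"
         host === "localhost" ||
         host === "127.0.0.1" ||
         host === "[::1]";
}

function FindProxyForURL(url, host) {
  var h = host.toLowerCase();

  // Local and loopback traffic never needs the proxy.
  if (isLocalHost(h)) {
    return "DIRECT";
  }

  // Do not route the proxy's own hostname through the proxy; the PAC file
  // itself is fetched from that host, so this avoids a loop.
  if (h === PROXY_HOST) {
    return "DIRECT";
  }

  // Everything else, http:// and https:// alike (cases A and B in the post):
  // the browser speaks TLS to the proxy, and the proxy then speaks plain HTTP
  // or tunnels the client's TLS (CONNECT) to the target.
  // "HTTPS" is the keyword that selects a TLS connection to the proxy;
  // "PROXY" here would talk plaintext to an https_port and fail.
  return "HTTPS " + PROXY_HOST + ":" + PROXY_PORT;
}
```

Note that the return value carries no "; DIRECT" fallback on purpose: with a fallback, a browser that cannot reach the proxy quietly goes direct, which defeats the point of forcing all traffic through it. Also, because the PAC is fetched over plain HTTP on port 80 in this setup, serving it from the same TLS-protected host or at least restricting who can reach that Apache instance is worth considering, since whoever can alter the PAC controls where the browser sends its traffic.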