[squid-users] Https_port with "official" certificate
Diogenes S. Jesus
splash at gmail.com
Wed Aug 24 14:39:51 UTC 2016
Oh, and a tiny little detail :)
# squid -v
Squid Cache: Version 4.0.13
Service Name: squid
configure options: '--with-openssl' '--prefix=/usr' '--localstatedir=/var'
'--libexecdir=/lib/squid' '--datadir=/share/squid'
'--sysconfdir=/etc/squid' '--with-default-user=proxy'
'--with-logdir=/var/log/squid' '--with-pidfile=/var/run/squid.pid'
On Wed, Aug 24, 2016 at 4:37 PM, Diogenes S. Jesus <splash at gmail.com> wrote:
> This configuration here covers the use case described by the OP:
> https://gist.githubusercontent.com/splashx/758ff0c59ea291f32edafc516fdaad
> 73/raw/8050fa054821657812961050332b38a56e7e3e68/
>
> If everything works well, you'll notice you won't support HTTP proxy at
> all, but users can reach both HTTP and HTTPS target websites via your
> HTTPS proxy.
>
> # netstat -nltp
> Active Internet connections (only servers)
> Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
> tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      32109/sshd
> tcp6       0      0 :::80                   :::*                    LISTEN      26627/apache2
> tcp6       0      0 :::3443                 :::*                    LISTEN      7303/(squid-1)
> tcp6       0      0 :::22                   :::*                    LISTEN      32109/sshd
>
> The user connects to the proxy ONLY via HTTPS Proxy on port 3443
>
> All traffic between the OP and the proxy is encrypted using TLS.
> A) If the user enters http://target.example.com, between the proxy and
> the target you'll see HTTP.
> B) If the user enters https://target.example.com, between the proxy and
> the target you'll see HTTPS.
>
> If you sniff the traffic between the client and the proxy, you'll see TLS.
>
> Tested with:
>
> $ /Applications/Firefox\ 2.app/Contents/MacOS/firefox -v
>
> Mozilla Firefox 48.0
>
> Firefox set up to use PAC: Preferences > Advanced > Network > Settings:
> "Automatic Proxy Configuration": http://squid.example.com/proxy.pac
>
> The downside here of course is the limited amount of clients supporting
> HTTPS Proxy settings.
>
> Dio
>
>
> On Wed, Aug 24, 2016 at 3:46 PM, Amos Jeffries <squid3 at treenet.co.nz>
> wrote:
>
>> Just to rewind this conversation to the actual problem ...
>>
>> On 24/08/2016 11:42 p.m., Samuraiii wrote:
>> > On 24.8.2016 13:18, Antony Stone wrote:
>> >> Unfortunately it's not Squid that's the challenge - it's the browser.
>> >>
>> >> If you're using Firefox and/or Chrome, you should be okay.
>> >>
>> >> See "Encrypted browser-Squid connection" at the bottom of
>> >> http://wiki.squid-cache.org/Features/HTTPS
>> >>
>> >>
>> >> Antony.
>> >>
>> > I have seen that, it is the cause of my subscription to this list.
>> > I haven't been able to find any usable hints.
>> > My config attempt fails
>> >
>>
>> <snip>
>> >
>> > https_port 8443 \
>> > cert=/etc/letsencrypt/live/sklad.duckdns.org/cert.pem \
>> > key=/etc/letsencrypt/live/sklad.duckdns.org/key.pem \
>> > cleintca=/etc/letsencrypt/live/sklad.duckdns.org/fullchain.pem \
>> > tls-dh=/etc/ssl/certs/dhparam.pem \
>> > sslproxy_options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE \
>> > cipher=HIGH
>>
>>
>> As Dio mentioned the cleintca= (or rather clientca=) is for
>> authenticating clients' certificates. Don't use that unless you are
>> requiring client certs in TLS.
>>
>> The rest of your config looks reasonable to me. I suspect you have found
>> a bug introduced during all the SSL-Bump code changes. Please make a
>> bugzilla report and include your exact Squid version (found with the
>> 'squid -v' command), the https_port line(s) and the exact error message
>> produced on startup.
>>
>> Amos
>>
>> _______________________________________________
>> squid-users mailing list
>> squid-users at lists.squid-cache.org
>> http://lists.squid-cache.org/listinfo/squid-users
>>
>
>
>
> --
>
> --------
>
> Diogenes S. de Jesus
>
--
--------
Diogenes S. de Jesus
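As an added illustration of the PAC setup Dio describes above (this is not code from the thread, from Dio's gist, or from the Squid project), here is a proxy.pac that hands both http:// and https:// targets to the TLS-wrapped proxy on port 3443. The proxy hostname squid.example.com, the bypass rules and the helper stubs are assumptions: browsers supply isPlainHostName() and dnsDomainIs() themselves, and the stubs only exist so the file can also be run outside a browser.

```javascript
// proxy.pac (added example, not from the thread). The browser evaluates
// FindProxyForURL() for every request and follows the returned directive.
//
// Browsers provide the PAC helper functions; the two stubs below are
// minimal stand-ins so this file can be executed in node for testing.
if (typeof isPlainHostName === "undefined") {
  globalThis.isPlainHostName = function (host) { return host.indexOf(".") === -1; };
}
if (typeof dnsDomainIs === "undefined") {
  globalThis.dnsDomainIs = function (host, domain) { return host.endsWith(domain); };
}

// "HTTPS host:port" tells the browser to open a TLS connection to the proxy
// (what Dio calls an HTTPS Proxy). Firefox and Chrome understand it; the
// hostname and port are assumed values matching the thread's netstat output.
var HTTPS_PROXY = "HTTPS squid.example.com:3443";

function FindProxyForURL(url, host) {
  // Assumed bypass rules: plain hostnames, *.localhost and loopback go direct.
  if (isPlainHostName(host) || dnsDomainIs(host, ".localhost") || host === "127.0.0.1") {
    return "DIRECT";
  }
  // Everything else, http:// and https:// targets alike, goes through the
  // TLS-wrapped proxy. Deliberately no "; PROXY squid.example.com:3128" or
  // "; DIRECT" fallback: a fallback would let the browser silently drop to a
  // cleartext proxy connection (or none) whenever the HTTPS listener is down.
  return HTTPS_PROXY;
}
```

Serve this as http://squid.example.com/proxy.pac (the URL used in the Firefox settings above) and the client-to-proxy leg is TLS for both scenarios A and B; between the proxy and the target you still see plain HTTP for case A and HTTPS for case B, exactly as described.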