[squid-users] Squid Version 3.5.20

Cherukuri, Naresh ncherukuri at partycity.com
Wed Jul 19 13:46:20 UTC 2017 

Hi All,

I installed Squid version 3.5.20 on RHEL 7 and generated self-signed CA certificates,  My users are complaining about certificate errors. When I looked at cache.log I see so many error messages like below. Below is my squid.conf file. Any ideas how to address below errors.

Squid.conf:

max_filedesc 4096
visible_hostname pctysqd2prod
logfile_rotate 10

access_log stdio:/var/log/squid/access.log squid

acl localnet src 172.16.0.0/16
acl backoffice_users src 10.136.0.0/13
acl hcity_backoffice_users src 10.142.0.0/15
acl register_users src 10.128.0.0/13
acl hcity_register_users src 10.134.0.0/15
acl partycity url_regex partycity

acl SSL_ports port 443
acl Safe_ports port 80          # http
#acl Safe_ports port 21         # ftp
acl Safe_ports port 443         # https
#acl Safe_ports port 70         # gopher
#acl Safe_ports port 210                # wais
#acl Safe_ports port 1025-65535 # unregistered ports
#acl Safe_ports port 280                # http-mgmt
#acl Safe_ports port 488                # gss-http
#acl Safe_ports port 591                # filemaker
#acl Safe_ports port 777                # multiling http
acl CONNECT method CONNECT
#acl allowed_sites {dst|dstdomain|dstdom_regex|url_regex) "/path/to/file"
acl backoffice_allowed_sites url_regex "/etc/squid/backoffice_allowed_sites"
acl hcity_backoffice_allowed_sites url_regex "/etc/squid/backoffice_allowed_sites"
acl backoffice_blocked_sites url_regex "/etc/squid/backoffice_blocklist"
acl hcity_backoffice_blocked_sites url_regex "/etc/squid/backoffice_blocklist"
acl register_allowed_sites url_regex "/etc/squid/register_allowed_sites"
acl hcity_register_allowed_sites url_regex "/etc/squid/hcity_register_allowed_sites"

http_access allow localnet register_allowed_sites
http_access deny backoffice_users backoffice_blocked_sites
http_access deny hcity_backoffice_users backoffice_blocked_sites
http_access allow backoffice_users backoffice_allowed_sites
http_access allow hcity_backoffice_users backoffice_allowed_sites
http_access allow register_users register_allowed_sites
http_access allow hcity_register_users hcity_register_allowed_sites
no_cache deny partycity
http_access deny all

#http_access allow manager localhost
#http_access deny manager

# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
#http_access deny CONNECT !SSL_ports
http_access  allow CONNECT SSL_ports
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
http_access deny to_localhost


# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
#http_access allow localnet
http_access allow localhost

# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128
http_port 3128 ssl-bump \
key=/etc/squid/pctysquid2sslcerts/pctysquid2prod.pkey \
cert=/etc/squid/pctysquid2sslcerts/pctysquid2prod.crt \
generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all

sslproxy_cert_error allow all
always_direct allow all
sslproxy_flags DONT_VERIFY_PEER

sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB sslcrtd_children 8 startup=1 idle=1

# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /cache/squid 10000 16 256

# Leave coredumps in the first cache dir
#rdescoredump_dir /var/spool/squid
coredump_dir /var/log/squid/squid

# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320

#url_rewrite_access allow all
#url_rewrite_program /usr/bin/squidGuard -c /etc/squid/squidguard.conf

Cache.log

2017/07/18 16:05:34 kid1| Error negotiating SSL connection on FD 689: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown (1/0)
2017/07/18 16:05:34 kid1| Error negotiating SSL connection on FD 1114: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown (1/0)
2017/07/18 16:05:37 kid1| Error negotiating SSL connection on FD 146: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown (1/0)
2017/07/18 16:05:41 kid1| Error negotiating SSL connection on FD 252: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown (1/0)
2017/07/18 16:05:41 kid1| Error negotiating SSL connection on FD 36: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown (1/0)
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20170719/9dab7862/attachment-0001.html>

More information about the squid-users mailing list