[squid-users] Squid Version 3.5.20 Any Ideas
Yuri
yvoinov at gmail.com
Wed Jul 19 15:36:24 UTC 2017
http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit
http://i.imgur.com/A153C7A.png
19.07.2017 21:34, Cherukuri, Naresh пишет:
>
> Hi All,
>
>
>
> I installed Squid version 3.5.20 on RHEL 7 and generated self-signed
> CA certificates, My users are complaining about certificate errors.
> When I looked at cache.log I see so many error messages like below.
> Below is my squid.conf file. Any ideas how to address below errors.
>
>
>
> Squid.conf:
>
>
>
> max_filedesc 4096
>
> visible_hostname pctysqd2prod
>
> logfile_rotate 10
>
>
>
> access_log stdio:/var/log/squid/access.log squid
>
>
>
> acl localnet src 172.16.0.0/16
>
> acl backoffice_users src 10.136.0.0/13
>
> acl hcity_backoffice_users src 10.142.0.0/15
>
> acl register_users src 10.128.0.0/13
>
> acl hcity_register_users src 10.134.0.0/15
>
> acl partycity url_regex partycity
>
>
>
> acl SSL_ports port 443
>
> acl Safe_ports port 80 # http
>
> #acl Safe_ports port 21 # ftp
>
> acl Safe_ports port 443 # https
>
> #acl Safe_ports port 70 # gopher
>
> #acl Safe_ports port 210 # wais
>
> #acl Safe_ports port 1025-65535 # unregistered ports
>
> #acl Safe_ports port 280 # http-mgmt
>
> #acl Safe_ports port 488 # gss-http
>
> #acl Safe_ports port 591 # filemaker
>
> #acl Safe_ports port 777 # multiling http
>
> acl CONNECT method CONNECT
>
> #acl allowed_sites {dst|dstdomain|dstdom_regex|url_regex) "/path/to/file"
>
> acl backoffice_allowed_sites url_regex
> "/etc/squid/backoffice_allowed_sites"
>
> acl hcity_backoffice_allowed_sites url_regex
> "/etc/squid/backoffice_allowed_sites"
>
> acl backoffice_blocked_sites url_regex "/etc/squid/backoffice_blocklist"
>
> acl hcity_backoffice_blocked_sites url_regex
> "/etc/squid/backoffice_blocklist"
>
> acl register_allowed_sites url_regex "/etc/squid/register_allowed_sites"
>
> acl hcity_register_allowed_sites url_regex
> "/etc/squid/hcity_register_allowed_sites"
>
>
>
> http_access allow localnet register_allowed_sites
>
> http_access deny backoffice_users backoffice_blocked_sites
>
> http_access deny hcity_backoffice_users backoffice_blocked_sites
>
> http_access allow backoffice_users backoffice_allowed_sites
>
> http_access allow hcity_backoffice_users backoffice_allowed_sites
>
> http_access allow register_users register_allowed_sites
>
> http_access allow hcity_register_users hcity_register_allowed_sites
>
> no_cache deny partycity
>
> http_access deny all
>
>
>
> #http_access allow manager localhost
>
> #http_access deny manager
>
>
>
> # Deny requests to certain unsafe ports
>
> http_access deny !Safe_ports
>
>
>
> # Deny CONNECT to other than secure SSL ports
>
> #http_access deny CONNECT !SSL_ports
>
> http_access allow CONNECT SSL_ports
>
> # We strongly recommend the following be uncommented to protect innocent
>
> # web applications running on the proxy server who think the only
>
> # one who can access services on "localhost" is a local user
>
> http_access deny to_localhost
>
>
>
>
>
> # Example rule allowing access from your local networks.
>
> # Adapt localnet in the ACL section to list your (internal) IP networks
>
> # from where browsing should be allowed
>
> #http_access allow localnet
>
> http_access allow localhost
>
>
>
> # And finally deny all other access to this proxy
>
> http_access deny all
>
>
>
> # Squid normally listens to port 3128
>
> http_port 3128 ssl-bump \
>
> key=/etc/squid/pctysquid2sslcerts/pctysquid2prod.pkey \
>
> cert=/etc/squid/pctysquid2sslcerts/pctysquid2prod.crt \
>
> generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
>
>
>
> acl step1 at_step SslBump1
>
> ssl_bump peek step1
>
> ssl_bump bump all
>
>
>
> sslproxy_cert_error allow all
>
> always_direct allow all
>
> sslproxy_flags DONT_VERIFY_PEER
>
>
>
> sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
> sslcrtd_children 8 startup=1 idle=1
>
>
>
> # Uncomment and adjust the following to add a disk cache directory.
>
> #cache_dir ufs /cache/squid 10000 16 256
>
>
>
> # Leave coredumps in the first cache dir
>
> #rdescoredump_dir /var/spool/squid
>
> coredump_dir /var/log/squid/squid
>
>
>
> # Add any of your own refresh_pattern entries above these.
>
> refresh_pattern ^ftp: 1440 20% 10080
>
> refresh_pattern ^gopher: 1440 0% 1440
>
> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
>
> refresh_pattern . 0 20% 4320
>
>
>
> #url_rewrite_access allow all
>
> #url_rewrite_program /usr/bin/squidGuard -c /etc/squid/squidguard.conf
>
>
>
> Cache.log
>
>
>
> 2017/07/18 16:05:34 kid1| Error negotiating SSL connection on FD 689:
> error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate
> unknown (1/0)
>
> 2017/07/18 16:05:34 kid1| Error negotiating SSL connection on FD 1114:
> error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate
> unknown (1/0)
>
> 2017/07/18 16:05:37 kid1| Error negotiating SSL connection on FD 146:
> error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate
> unknown (1/0)
>
> 2017/07/18 16:05:41 kid1| Error negotiating SSL connection on FD 252:
> error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate
> unknown (1/0)
>
> 2017/07/18 16:05:41 kid1| Error negotiating SSL connection on FD 36:
> error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate
> unknown (1/0)
>
>
>
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20170719/9f554715/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 473 bytes
Desc: OpenPGP digital signature
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20170719/9f554715/attachment-0001.sig>
More information about the squid-users
mailing list