[squid-users] Squid 3.5.27 - While access https website, always "Your connection is not secure"

fourirakbar fourir.akbar at gmail.com
Sat Apr 28 08:56:23 UTC 2018 

Maybe this is same with  this topic
<http://squid-web-proxy-cache.1019090.n4.nabble.com/option-to-auto-recreate-the-ssl-db-td4682130.html> 
. But now I use squid version 3.5.27

Here my squid version
Squid Cache: Version 3.5.27
Service Name: squid
Ubuntu linux

This binary uses OpenSSL 1.0.2g  1 Mar 2016. For legal restrictions on
distribution see https://www.openssl.org/source/license.html

configure options:  '--build=x86_64-linux-gnu' '--prefix=/usr'
'--includedir=${prefix}/include' '--mandir=${prefix}/share/man'
'--infodir=${prefix}/share/info' '--sysconfdir=/etc' '--localstatedir=/var'
'--libexecdir=${prefix}/lib/squid3' '--srcdir=.' '--disable-maintainer-mode'
'--disable-dependency-tracking' '--disable-silent-rules' 'BUILDCXXFLAGS=-g
-O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security
-Wdate-time -D_FORTIFY_SOURCE=2 -Wl,-Bsymbolic-functions -fPIE -pie
-Wl,-z,relro -Wl,-z,now -Wl,--as-needed' 'CXX=g++' 'CC=gcc'
'--datadir=/usr/share/squid' '--sysconfdir=/etc/squid'
'--libexecdir=/usr/lib/squid' '--mandir=/usr/share/man' '--enable-inline'
'--disable-arch-native' '--enable-async-io=8'
'--enable-storeio=ufs,aufs,diskd,rock' '--enable-removal-policies=lru,heap'
'--enable-delay-pools' '--enable-cache-digests' '--enable-icap-client'
'--enable-follow-x-forwarded-for'
'--enable-auth-basic=DB,fake,getpwnam,LDAP,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB'
'--enable-auth-digest=file,LDAP' '--enable-auth-negotiate=kerberos,wrapper'
'--enable-auth-ntlm=fake,smb_lm'
'--enable-external-acl-helpers=file_userip,kerberos_ldap_group,LDAP_group,session,SQL_session,time_quota,unix_group,wbinfo_group'
'--enable-url-rewrite-helpers=fake' '--enable-eui' '--enable-esi'
'--enable-icmp' '--enable-zph-qos' '--enable-ecap' '--disable-translation'
'--with-swapdir=/var/spool/squid' '--with-logdir=/var/log/squid'
'--with-pidfile=/var/run/squid.pid' '--with-filedescriptors=65536'
'--with-large-files' '--with-default-user=proxy' '--with-openssl'
'--enable-ssl' '--enable-ssl-crtd' '--enable-build-info=Ubuntu linux'
'--enable-linux-netfilter' 'build_alias=x86_64-linux-gnu' 'CFLAGS=-g -O2
-fPIE -fstack-protector-strong -Wformat -Werror=format-security -Wall'
'LDFLAGS=-Wl,-Bsymbolic-functions -fPIE -pie -Wl,-z,relro -Wl,-z,now
-Wl,--as-needed' 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2' 'CXXFLAGS=-g -O2
-fPIE -fstack-protector-strong -Wformat -Werror=format-security'


I also make follow this tutorial:  Dynamic SSL Cert
<https://wiki.squid-cache.org/Features/DynamicSslCert>   from squid wiki.

*And my squid.conf*
    acl SSL_ports port 443 
    acl Safe_ports port 80 # http
    acl Safe_ports port 21 # ftp 
    acl Safe_ports port 443 # https 
    acl Safe_ports port 70 # gopher 
    acl Safe_ports port 210 # wais 
    acl Safe_ports port 1025-65535 # unregistered ports 
    acl Safe_ports port 280 # http-mgmt 
    acl Safe_ports port 488 # gss-http 
    acl Safe_ports port 591 # filemaker 
    acl Safe_ports port 777 # multiling http 
    acl Safe_ports port 445 # windows update 
    acl CONNECT method CONNECT 

    http_port 3128 ssl-bump \
        cert=/etc/squid/ssl_cert/myCA.pem \
        generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

    http_port 3129 intercept

    https_port 3130 intercept ssl-bump \
        cert=/etc/squid/ssl_cert/myCA.pem \
        generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

    http_access allow  all

    always_direct allow all 
    ssl_bump server-first all 

    sslproxy_flags DONT_VERIFY_PEER 

    # Just try to open instagram.com, but it also can't work. Same problem
    # acl whitelist ssl::server_name .instagram.com
    # acl step1 at_step SslBump1
    # ssl_bump peek step1
    # ssl_bump splice whitelist
    # ssl_bump bump all

    http_access deny !Safe_ports
    http_access deny CONNECT !SSL_ports

    cache_mem 512 MB 
    cache_swap_low 98 
    cache_swap_high 99 

    refresh_pattern ^ftp:           1440    20%     10080
    refresh_pattern ^gopher:        1440    0%      1440
    refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
    refresh_pattern .               0       20%     4320

    #sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s
/usr/local/squid/var/lib/ssl_db -M 4MB
    #sslcrtd_children 5

    shutdown_lifetime 8 second 

    visible_hostname X450LD


Now I try to open https://about.gitlab.com

*There is an error on cache log:*
   ssl_crtd helper database '/var/lib/ssl_db' failed: Failed to open file
/var/lib/ssl_db/index.txt

In browser (I use firefox), it show an error "your connection is not
secure". I try add exception and view detail about certificate. And it show
like the picture below
<http://squid-web-proxy-cache.1019090.n4.nabble.com/file/t377437/gitlab5.png> 

And I compare with other client that the traffic not through my squid proxy
<http://squid-web-proxy-cache.1019090.n4.nabble.com/file/t377437/gitlab4.png> 

Its different. How can solved this?
Thank you very much





--
Sent from: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Users-f1019091.html

More information about the squid-users mailing list