[squid-users] About to upgrade from 3 to 4
James Lay
jlay at slave-tothe-box.net
Sat Jun 9 14:23:05 UTC 2018
On Sat, 2018-06-09 at 07:17 -0600, James Lay wrote:
> On Sun, 2018-06-10 at 01:13 +1200, Amos Jeffries wrote:
> > On 10/06/18 01:02, James Lay wrote:
> >
> > So in my config file I have:
> > sslcrtd_program /opt/libexec/ssl_crtd -s /opt/var/ssl_db -M 4MB
> > However I do not see this after compiling and installing. Has this
> > goneaway in 4? Thank you.
> > James
> >
> > It's now called security_file_certgen.
> > <http://www.squid-cache.org/Versions/v4/squid-4.0.24-RELEASENOTES.h
> > tml#ss2.4>
> > Amos
>
> Thanks Amos...I'll read this before asking anymore questions ☺
>
> James
> _______________________________________________squid-users mailing
> listsquid-users at lists.squid-cache.orghttp://lists.squid-cache.org/lis
> tinfo/squid-users
So ok...after making the changes to the config to account for
new security_file_certgen and tls_outgoing_options (thanks Amos!) I am
greeted with (hostname changed from real):
FATAL: mimeLoadIcon: cannot parse internal URL: http://<hostname>:0/squ
id-internal-static/icons/silk/image.png
Here's my config line:
./configure --prefix=/opt/squid --with-openssl=/opt/libressl --
sysconfdir=/opt/squid/etc --enable-ssl --enable-ssl-crtd --enable-
linux-netfilter --enable-follow-x-forwarded-for --with-large-files --
enable-xternal-acl-helpers=none
full config (I realize this might not be the most secure on the planet,
for now this is a dev box and I'm just testing functionality):
acl localnet src 192.168.1.0/24acl SSL_ports port 443acl Safe_ports
port 80acl Safe_ports port 443acl CONNECT method CONNECTacl
allowed_http_sites url_regex "/opt/squid/etc/http_url.txt"
http_access deny !Safe_portshttp_access deny CONNECT
!SSL_Portshttp_access allow SSL_portshttp_access allow
allowed_http_siteshttp_access deny all
acl broken_ips dst "/opt/squid/etc/broken_ips.txt"ssl_bump splice
broken_ipsacl broken_https_sites ssl::server_name_regex
"/opt/squid/etc/broken_url.txt"ssl_bump splice
broken_https_sitesssl_bump peek allacl allowed_https_sites
ssl::server_name_regex "/opt/squid/etc/http_url.txt"ssl_bump splice
allowed_https_sitesssl_bump terminate all
sslproxy_cert_error allow alltls_outgoing_options capath=/etc/ssl/certs
flags=DONT_VERIFY_PEER
sslcrtd_program /opt/squid/libexec/security_file_certgen -s
/opt/squid/var/ -M 4MBsslcrtd_children 5
http_port gateway:3128 intercepthttps_port gateway:3129 intercept ssl-
bump cert=/opt/squid/etc/certs/sslsplit_ca_cert.pem
cafile=/opt/squid/etc/certs/sslsplit_ca_cert.pem
key=/opt/squid/etc/certs/sslsplit_ca_key.pem generate-host-
certificates=on dynamic_cert_mem_cache_size=4MB
sslflags=NO_SESSION_REUSE
logformat mine %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %ssl::>sni
%ssl::>cert_subject %>Hs %<st %Ss:%Sh
access_log syslog:daemon.info mine
refresh_pattern -i (cgi-bin|\?) 0 0% 0refresh_pattern
. 0 20% 4320
coredump_dir /opt/squid/var
At this point I have no clue what to do next...any troubleshooting
steps would be wonderful. Thank you.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20180609/86485da1/attachment-0001.html>
More information about the squid-users
mailing list