[squid-users] Help with transparent whitelisting proxy on Squid 4.4

Amos Jeffries squid3 at treenet.co.nz
Tue Jun 25 09:04:32 UTC 2019


On 25/06/19 1:24 pm, Jared Fox wrote:
> Hi Squid-Users
> 
> I need your help!
> 
> So I have been using Squid 3.5.20 (installed on Amazon Linux 2)
> and it's acting as a transparent SSL proxy with a whitelist of allowed
> addresses. I want to avoid running a MITM proxy and having to add CA
> certs to all services/containers etc. Traffic is routed to the squid
> instance via a route-table to Interface.
> 
> " Issue 1 - upgrade from 3.5.20 to 4.4.4 (squid-4.4-4.amzn2.0.4.x86_64) "
> 
> - So my working config below does not work with 4.x but it kind of
> does for 3.5.x and it appears that I require the squid-helper package
> which doesn't exist for Amazon Linux.

You will have to contact whoever created the package for that.

You should be able to run the v3.5 helpers with a later Squid, but you will
of course not gain any improvements that have been made in the later
version helpers.


> - When starting squid it tries to create an SSL database via
> security_file_certgen, but this shouldn't be needed as I'm providing a
> self-signed cert that doesn't get used in transparent mode but is a
> hard dependency in 3.5.

That is a bug, a side effect of the helper being started even when not
needed. As a workaround it should be sufficient to create the DB for the
helper and leave it unused.

> 
> " Errors produced: "
> 
> (security_file_certgen)2019/06/25 00:37:57 kid1| ERROR: No
> forward-proxy ports configured.
> 2019/06/25 00:37:57 kid1| ERROR: No forward-proxy ports configured.

That is correct. You only have one port (9091) - which is an intercept port.

At least one forward-proxy port is needed for a fully functional proxy.
3128 is the official one for that.


> 2019/06/25 00:37:57 kid1| storeDirWriteCleanLogs: Starting...
> : Uninitialized SSL certificate database directory:
> /var/spool/squid/ssl_db. To initialize, run "security_file_certgen -c
> -s /var/spool/squid/ssl_db".
> 2019/06/25 00:37:57 kid1|   Finished.  Wrote 0 entries.
> 2019/06/25 00:37:57 kid1|   Took 0.00 seconds (  0.00 entries/sec).
> 2019/06/25 00:37:57 kid1| FATAL: mimeLoadIcon: cannot parse internal
> URL: http://ip-10-0-60-70.ec2.internal:0/squid-internal-static/icons/silk/image.png

A side effect of not having a forward-proxy port is that all URLs for
things clients need to fetch from Squid are invalid (note the ":0" port
in the squid-internal-static URL above).

Amos
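The two fixes above (a forward-proxy port alongside the intercept port, and an initialised certificate DB so the helper can start) put together as one squid.conf for a peek-and-splice SNI whitelist. This is an added illustration, not Jared's posted config or anything from the Squid project; the helper path (/usr/lib64/squid/security_file_certgen), the certificate path (/etc/squid/selfsigned.pem), the DB path and size, the 10.0.0.0/8 client range and the domains in the whitelist are all assumptions to be replaced with local values.

```conf
# --- Broken (what the error output corresponds to): only an intercept port.
# Squid 4 logs "ERROR: No forward-proxy ports configured" and then dies in
# mimeLoadIcon because its internal URLs are built with port 0.
#
# https_port 9091 intercept ssl-bump tls-cert=/etc/squid/selfsigned.pem

# --- Working: at least one forward-proxy port, then the intercept port.
# 3128 is never used by the intercepted clients; it exists so Squid can
# build valid URLs for squid-internal-static and other self-served content.
http_port 3128

# Intercepted TLS traffic (route-table points at this host). ssl-bump is what
# lets Squid parse the ClientHello and read the SNI; with peek/splice below the
# self-signed certificate (assumed path) is loaded but never presented to clients.
https_port 9091 intercept ssl-bump tls-cert=/etc/squid/selfsigned.pem

# Squid 4.4 starts the certificate helper even though splice-only mode never
# mints certificates, so the DB must exist. Create it once, as the squid user:
#   /usr/lib64/squid/security_file_certgen -c -s /var/spool/squid/ssl_db -M 4MB
# (helper path and DB location/size are assumptions)
sslcrtd_program /usr/lib64/squid/security_file_certgen -s /var/spool/squid/ssl_db -M 4MB

# Whitelist by TLS SNI, no MITM: peek at step 1 to learn the server name,
# splice (pass through untouched) whitelisted names, close everything else.
acl step1 at_step SslBump1
acl allowed_sni ssl::server_name .amazonaws.com .example.com   # assumed whitelist
ssl_bump peek step1
ssl_bump splice allowed_sni
ssl_bump terminate all

# Only the internal network may use either port; everything else is denied.
acl localnet src 10.0.0.0/8                                    # assumed client range
http_access allow localnet
http_access deny all
```

Because the cert DB is only a workaround for the helper being launched, it will stay at "0 entries"; anything logged about certificate generation after this indicates a `bump` rule crept in, which is exactly the MITM behaviour the original poster wants to avoid.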

