I've removed the password, but that didn't seem to make much difference
other than no longer prompting me at startup.
The other responses mentioned using this in transparent mode. Is that
the only way of doing it? The machine I'm running this on is not on the
local network, and I don't think I'd be able to add a gateway to our lab
machines unless I decided to buy a whole new one.
Thanks,
serge
Henrik Nordstrom wrote:
Wed 2008-07-30 at 23:32 -0700, Serge Egelman wrote:
I'm trying to set up squid to forward SSL connections. I previously had
it set up just as logging proxy for conducting laboratory usability
studies (we would configure the browsers on our lab machines to use the
proxy, then I could check the logs afterwards to see where people were
going). So I know it works for a minimal configuration. I'm working on
a study now where I need to inject a self signed certificate into an SSL
session (I'm looking at warning messages), but can't seem to get squid
configured correctly (the idea is that we'll have the lab machines
configured to use the proxy again).
To unwrap SSL and apply your own certificates when running as a proxy
you need the sslBump feature, making Squid intercept CONNECT requests and
terminate the SSL locally. But it's unrelated to Squid opening the
port.
As you seem to have the SSL keys encrypted, you need to either start
Squid interactively using the -N command line option, or tell Squid how
to retrieve the SSL key encryption password by using the
ssl_password_program directive in squid.conf.
To avoid this, most people keep the keys unencrypted on the server to
avoid the administrative burden of having to enter the password on each
restart (including unplanned restarts..). To decrypt an encrypted key use
the following command:
openssl rsa -in encrypted.pem -out unencrypted.pem
Regards
Henrik
--
/*
PhD Candidate
Carnegie Mellon University
"Whoever said there's no such thing as a free lunch was never a grad
student."
All views contained in this message, either expressed or implied, are
the views of my employer, and not my own.
*/
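Henrik's reply gives the two ways of dealing with an encrypted key (start with `-N` and type the passphrase, or point `ssl_password_program` at a helper) and the `openssl rsa` command for giving up and storing the key unencrypted. The script below is an added example written for this thread, not Squid's code and not posted by either participant: it is a minimal `ssl_password_program` helper together with a wrapper around the decryption step. Assumptions it makes: the passphrase is kept in a side file named `<keyfile>.pass` (a naming convention chosen for the example) and the helper path in the `squid.conf` comment is hypothetical. Squid itself runs the configured program with the key file name as its only argument and reads the passphrase from the program's stdout.

```shell
#!/bin/sh
# Added example for this thread (not Squid's code, not from either poster).
#
# Squid runs ssl_password_program with the key file name as its only
# argument and reads the passphrase from the program's stdout, e.g.:
#
#   ssl_password_program /usr/local/sbin/squid-key-pass
#
# (the helper path above is a hypothetical name). This script can serve as
# that helper, and also wraps Henrik's "openssl rsa" decryption step.
# Assumption: the passphrase for KEYFILE lives in "KEYFILE.pass" and that
# file is readable only by its owner. Caveat worth keeping in mind: a
# passphrase that a script can read protects the key exactly as much as an
# unencrypted key file with the same permissions, which is why Henrik says
# most people simply keep the key unencrypted.
set -u

# key_passphrase KEYFILE
#   Prints the passphrase for KEYFILE and returns 0, or returns 1 without
#   printing anything if the side file is missing or too permissive.
key_passphrase() {
    keyfile=$1
    passfile="${keyfile}.pass"
    if [ ! -f "$passfile" ]; then
        echo "key_passphrase: no passphrase file $passfile" >&2
        return 1
    fi
    # Octal permission bits: GNU stat first, then BSD/macOS stat.
    mode=$(stat -c '%a' "$passfile" 2>/dev/null || stat -f '%Lp' "$passfile" 2>/dev/null) || return 1
    case "$mode" in
        600|400) ;;
        *)
            echo "key_passphrase: refusing $passfile (mode $mode, want 0600 or 0400)" >&2
            return 1
            ;;
    esac
    cat "$passfile"
}

# decrypt_key ENCRYPTED_KEY OUTPUT_KEY
#   Henrik's "openssl rsa -in encrypted.pem -out unencrypted.pem", with the
#   passphrase fed on stdin instead of typed, and the output created 0600.
decrypt_key() {
    enc=$1
    out=$2
    pass=$(key_passphrase "$enc") || return 1
    ( umask 077 && printf '%s\n' "$pass" | openssl rsa -in "$enc" -out "$out" -passin stdin )
}

# demo: end-to-end run in a temporary directory (needs openssl).
#   Invoke as:  sh squid-key-pass.sh demo
demo() {
    dir=$(mktemp -d) || return 1
    printf 'lab-proxy-passphrase\n' > "$dir/ca.key.enc.pass"
    chmod 600 "$dir/ca.key.enc.pass"
    openssl genrsa -aes256 -passout pass:lab-proxy-passphrase -out "$dir/ca.key.enc" 2048 2>/dev/null
    decrypt_key "$dir/ca.key.enc" "$dir/ca.key" || return 1
    # Both PEM flavours mark an encrypted key with the word ENCRYPTED
    # ("Proc-Type: 4,ENCRYPTED" or "BEGIN ENCRYPTED PRIVATE KEY"); the
    # decrypted output must not carry it.
    ! grep -q 'ENCRYPTED' "$dir/ca.key" || return 1
    openssl rsa -in "$dir/ca.key" -check -noout >/dev/null || return 1
    echo "decrypted key written to $dir/ca.key"
}

case "${1-}" in
    demo) demo ;;
esac
```

To use it as Henrik's second option, install the script as the program named in `ssl_password_program`, create `/path/to/key.pem.pass` with mode 0600 owned by the user Squid drops its key-reading privileges to, and keep the `ssl_password_program` helper itself root-owned and not writable by anyone else, since whoever can edit it can read the key. To follow his third option instead, run `decrypt_key` once and point Squid at the unencrypted output.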