Guy Helmer wrote:
> Márcio Luciano Donada wrote:
>> Guy Helmer wrote:
>>
>>>> I am also running tests with sslBump, but redirecting HTTPS connections
>>>> to Squid in the firewall (iptables). I am using the following in squid.conf:
>>>>
>>>> http_port 3128 transparent sslBump cert=/etc/squid3/ssl/cacert.pem
>>>> key=/etc/squid3/ssl/privkey.pem
>>>>
>>>> Even when pointing the browser at the proxy server's IP for HTTPS, it is
>>>> not working. Any ideas? I am using version 3.HEAD-CVS.
>>>>
>>> It is not possible to transparently proxy HTTPS through the http_port
>>> because the connection starts as SSL, not plaintext HTTP that the
>>> http_port expects.
>>>
>>> You would need an https_port command, like:
>>>
>>> https_port 3129 transparent sslBump cert=... key=...
>>>
>>> and then set your iptables configuration to forward port 443 packets to
>>> squid's 3129 port for transparent HTTPS proxying.
>>>
>>> Hope this helps,
>>> Guy
>>>
>>
>> Thank you for your reply, Guy. I think I'm on the right track now, but I ran
>> into a problem, and the log (cache.log) shows the following error:
>>
>> Ignoring https_port 0.0.0.0:3129 initialization failure due to SSL
>>
>> My squid.conf configuration is:
>>
>> https_port 3129 transparent sslBump cert=/etc/squid3/ssl/cacert.pem
>> key=/etc/squid3/ssl/privkey.pem.
>>
>> Key generation:
>>
>> openssl genrsa -des3 -out privkey.pem 2048
>> openssl req -new -x509 -nodes -key privkey.pem -out cacert.pem -days 3650
>>
>> Any ideas?
>>
> This is how I generate my self-signed CA certificate and its
> accompanying key:
>
> openssl req -new -nodes -x509 -keyout ca.key -out ca.crt -days 3650
> openssl req -new -nodes -keyout key.key -out key.req
> openssl ca -policy policy_anything -days 3650 -out key.crt -infiles key.req
>
> It seems you may be missing the step where you sign the request and make
> a certificate.
>
> Guy
>

Guy, I see that everything is OK now, as the log (cache.log) shows the following message:

Accepting https connections at 0.0.0.0:3129, FD 19

but I still cannot access HTTPS sites. Just a reminder that I have already redirected HTTPS connections to the proxy in the firewall.

--
Márcio Luciano Donada <mdonada at auroraalimentos dot com dot br>
Aurora Alimentos - Cooperativa Central Oeste Catarinense
IT Department
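The CA key and certificate that the https_port ... sslBump line points at can be generated and sanity-checked before Squid is restarted. The script below is an added example, not code from this thread: it assumes openssl is on PATH, and every file name and the CN are constructed here. It writes an unencrypted key (the -des3 key in the thread is passphrase-protected, which Squid cannot open at startup without a passphrase helper), confirms the key matches the certificate, and confirms the certificate is marked as a CA, which sslBump needs in order to sign per-site certificates.

```shell
# Added example (not from the thread): build the CA pair for a Squid
# https_port ... sslBump setup and verify it. Assumes openssl on PATH;
# file names and the CN below are constructed for this example.

# Write a minimal openssl config so the self-signed cert is a real CA
# regardless of the system-wide openssl.cnf defaults.
write_ca_config() {
    cat > "$1" <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
CN = Example Squid sslBump CA
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# Create privkey.pem and cacert.pem in directory $1. -nodes leaves the key
# unencrypted: Squid opens it at startup with nobody there to type a
# passphrase (the -des3 key in the thread is encrypted).
make_ca() {
    mkdir -p "$1" && write_ca_config "$1/ca.cnf" &&
    openssl req -new -nodes -x509 -newkey rsa:2048 -config "$1/ca.cnf" \
        -keyout "$1/privkey.pem" -out "$1/cacert.pem" -days 3650 >/dev/null 2>&1
}

# 0 if the PEM key carries no ENCRYPTED marker (passphrase-free).
key_is_unencrypted() { ! grep -q ENCRYPTED "$1"; }

# 0 if certificate $1 and key $2 share the same RSA modulus.
cert_matches_key() {
    c=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null)
    k=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# 0 if certificate $1 is marked as a CA (needed to sign per-site certs).
cert_is_ca() { openssl x509 -noout -text -in "$1" | grep -q 'CA:TRUE'; }

# Run all checks on the files in $1 and print the matching squid.conf line.
check_ca_dir() {
    key_is_unencrypted "$1/privkey.pem" || { echo "key is passphrase-protected" >&2; return 1; }
    cert_matches_key "$1/cacert.pem" "$1/privkey.pem" || { echo "cert/key mismatch" >&2; return 1; }
    cert_is_ca "$1/cacert.pem" || { echo "cert is not a CA" >&2; return 1; }
    echo "https_port 3129 transparent sslBump cert=$1/cacert.pem key=$1/privkey.pem"
}
```

Run it as `make_ca /etc/squid3/ssl && check_ca_dir /etc/squid3/ssl`; a non-zero exit names the first check that failed, so a cache.log "initialization failure due to SSL" can be traced to the key or certificate before touching squid.conf.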