
Re: https with squid


Guy Helmer wrote:
> Márcio Luciano Donada wrote:
>>> Guy Helmer wrote:
>>
>>
>>>> I am also conducting tests with sslBump, but redirecting https
>>>> connections to squid in the firewall (iptables). I am using the
>>>> following in squid.conf:
>>>>
>>>> http_port 3128 transparent sslBump cert=/etc/squid3/ssl/cacert.pem
>>>> key=/etc/squid3/ssl/privkey.pem
>>>>
>>>> Even pointing the browser's https proxy at the proxy server's IP is not
>>>> working.
>>>> Some ideas? I am using the version 3.HEAD-CVS
>>>>
>>> It is not possible to transparently proxy HTTPS through the http_port
>>> because the connection starts as SSL, not plaintext HTTP that the
>>> http_port expects.
>>>
>>> You would need an https_port command, like:
>>>
>>> https_port 3129 transparent sslBump cert=... key=...
>>>
>>> and then set your iptables configuration to forward port 443 packets to
>>> squid's 3129 port for transparent HTTPS proxying.
>>>
>>> Hope this helps,
>>> Guy
>>>
>>>
>>
>>
>> Thank you for your reply Guy. I think I'm now on the way, but I had a
>> problem, and the log (cache.log) shows the following error:
>>
>> Ignoring https_port 0.0.0.0:3129 initialization failure due to SSL
>>
>> My squid.conf configuration is:
>>
>> https_port 3129 transparent sslBump cert=/etc/squid3/ssl/cacert.pem
>> key=/etc/squid3/ssl/privkey.pem.
>>
>> Key generation:
>>
>> openssl genrsa -des3 -out privkey.pem 2048
>> openssl req -new -x509 -nodes -key privkey.pem -out cacert.pem -days 3650
>>
>> Some ideas?
>>
>>
> This is how I generate my self-signed CA certificate and its
> accompanying key:
> 
> openssl req -new -nodes -x509 -keyout ca.key -out ca.crt -days 3650
> openssl req -new -nodes -keyout key.key -out key.req
> openssl ca -policy policy_anything -days 3650 -out key.crt -infiles key.req
> 
> It seems you may be missing the step where you sign the request and make
> a certificate.
> 
> Guy
> 

Guy,

I see that now everything is ok, as in the logs (cache.log) I see
the following message:

Accepting https connections at 0.0.0.0:3129, FD 19

but I still can not access sites with https. Just a reminder that I
already redirected https connections to the proxy in the firewall.


-- 
Márcio Luciano Donada <mdonada at auroraalimentos dot com dot br>
Aurora Alimentos - Cooperativa Central Oeste Catarinense
IT Department
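The thread turns on three things: intercepted HTTPS must terminate on an https_port rather than an http_port, the cert= file must be a signed certificate rather than the request that precedes signing, and the key= file must be loadable by the daemon. A small pre-flight check for an https_port line covering those points follows, as an added example; it is not code from the thread or from the Squid project. It uses only the Python standard library, parses the directive line from the thread, and inspects the PEM files it names by structure only (no signature or key validation). The file contents, paths and placeholder bodies below are constructed stand-ins, and the `files` mapping is an assumption made so the check runs offline; `read_files` is the hypothetical helper that fills it from disk. A private key written with a passphrase, as `openssl genrsa -des3` does, is reported because a daemon cannot load such a key without being given the passphrase, which is one thing to verify when an https_port fails to initialize "due to SSL".

```python
import re

# One PEM block: the type label, optional "Header: value" lines and the
# base64 body. The body is captured verbatim so its headers can be inspected.
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<type>[A-Z0-9 ]+)-----\r?\n(?P<body>.*?)-----END (?P=type)-----",
    re.S,
)

# The https_port line from the thread, used as the default input.
THREAD_LINE = ("https_port 3129 transparent sslBump "
               "cert=/etc/squid3/ssl/cacert.pem key=/etc/squid3/ssl/privkey.pem")

# Constructed sample files: the bodies are placeholders, not real key material.
# The key carries the headers OpenSSL writes for a DES3-encrypted traditional
# PEM key, which is what "openssl genrsa -des3" produces.
SAMPLE_FILES = {
    "/etc/squid3/ssl/cacert.pem":
        "-----BEGIN CERTIFICATE-----\nMIIB...placeholder...\n-----END CERTIFICATE-----\n",
    "/etc/squid3/ssl/privkey.pem":
        "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
        "DEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n\nMIIE...placeholder...\n"
        "-----END RSA PRIVATE KEY-----\n",
}
# Constructed inputs for the other code paths: an unencrypted key and a CSR.
PLAIN_KEY = ("-----BEGIN RSA PRIVATE KEY-----\nMIIE...placeholder...\n"
             "-----END RSA PRIVATE KEY-----\n")
CSR_TEXT = ("-----BEGIN CERTIFICATE REQUEST-----\nMIIC...placeholder...\n"
            "-----END CERTIFICATE REQUEST-----\n")


def pem_blocks(text):
    """Return (type, body) for every PEM block found in text."""
    return [(m.group("type"), m.group("body")) for m in PEM_BLOCK.finditer(text)]


def parse_port_line(line):
    """Split an http_port/https_port line into (directive, port, flags, options)."""
    tokens = line.split()
    if len(tokens) < 2 or tokens[0] not in ("http_port", "https_port"):
        raise ValueError("expected an http_port or https_port line")
    flags, opts = [], {}
    for tok in tokens[2:]:
        if "=" in tok:
            key, value = tok.split("=", 1)
            opts[key] = value
        else:
            flags.append(tok)
    return tokens[0], tokens[1], flags, opts


def key_findings(text):
    """Problems with the key= file: no key block, or a passphrase-protected key."""
    keys = [(t, b) for t, b in pem_blocks(text) if t.endswith("PRIVATE KEY")]
    if not keys:
        return ["key file contains no PRIVATE KEY block"]
    findings = []
    for ktype, body in keys:
        # PKCS#8 encrypted keys use their own label; traditional PEM keys
        # signal encryption with a Proc-Type header inside the block.
        if ktype == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in body:
            findings.append("private key is passphrase-protected (e.g. genrsa -des3); "
                            "the daemon needs the passphrase to load it")
    return findings


def cert_findings(text):
    """Problems with the cert= file: a CSR instead of a cert, or no cert at all."""
    types = [t for t, _ in pem_blocks(text)]
    findings = []
    if "CERTIFICATE REQUEST" in types:
        findings.append("cert file holds a CERTIFICATE REQUEST (CSR), not a signed certificate")
    if "CERTIFICATE" not in types:
        findings.append("cert file contains no CERTIFICATE block")
    return findings


def check_port_line(line, files):
    """Run all checks. `files` maps each path to its text, or to None if missing."""
    directive, port, flags, opts = parse_port_line(line)
    findings = []
    if directive == "http_port" and "sslBump" in flags and "transparent" in flags:
        findings.append("intercepted HTTPS needs https_port, not http_port: "
                        "the client speaks TLS first, not plaintext HTTP")
    for opt, checker in (("cert", cert_findings), ("key", key_findings)):
        path = opts.get(opt)
        if path is None:
            findings.append(f"{opt}= option missing on {directive} {port}")
            continue
        text = files.get(path)
        if text is None:
            findings.append(f"{opt} file not found: {path}")
            continue
        findings.extend(checker(text))
    return findings


def read_files(paths):
    """Hypothetical disk loader: read each path, mapping unreadable ones to None."""
    out = {}
    for p in paths:
        try:
            with open(p) as fh:
                out[p] = fh.read()
        except OSError:
            out[p] = None
    return out


if __name__ == "__main__":
    for finding in check_port_line(THREAD_LINE, SAMPLE_FILES) or ["no findings"]:
        print("-", finding)
```

Against a real squid.conf, pass `read_files(opts.values())` instead of `SAMPLE_FILES`; an empty result means the line is structurally sound and the remaining suspects are outside the file (the iptables redirect, or the CA not being trusted by the client).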
