On Wed, 23 Feb 2011 15:19:20 -0800 (PST), gohone wrote:
> Thanks for your reply.
>
> You are right about the old setting "acl all src 0.0.0.0/0.0.0.0". I
> removed it and the warning message has disappeared when the daemon is
> restarted.
>
> Concerning my main issue, I don't understand when you suggest "You can
> present a real non-self-signed certificate to the visitors via
> http_port."
>
> I already have in my conf --> "https_port 443 accel cert=/path/owa.pem
> key=/path/owa.pem defaultsite=exchange_outside vhost"
>
> What is the setting you advise me to add in my config?

No setting. The certificate MUST be one which the client will accept.

There are two ways to make the client accept it:

 * one is to install your self-signing CA on the client (popular amongst
   home LAN and business internal setups)
 * the other is to pay some commonly recognised CA (who has already gone
   to the trouble of installing their CA in the browsers) to sign the
   certificate for you.

Since the cert Exchange is presenting is accepted by your clients, then
I would suggest using that cert on Squid's http_port instead of a
self-signed one. There are a lot of discussions and tutorials on the web
and this mailing list about how to do that.

Amos
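
Added example, not part of the original thread: a shell check of whether a client holding a given trust bundle would accept a certificate, covering both options described above (the client has your own CA installed, or the cert chains to a CA the client already trusts). The function names, file names and the host name owa.example.test are hypothetical, the certificates are constructed test material, and the script assumes OpenSSL 1.1.0 or later, where "openssl verify" exits non-zero on failure.

```shell
#!/bin/sh
# Added example; names, paths and certificates are constructed, not from the thread.
# Assumes OpenSSL 1.1.0+ ("openssl verify" exits non-zero when verification fails).

# cert_trust_status CERT.pem [TRUST_BUNDLE.pem]
# Prints how a client holding TRUST_BUNDLE (default: the system store) sees CERT:
#   trusted               - chains to a certificate the client already trusts
#   self-signed-untrusted - subject == issuer and the client does not have it
#   unknown-issuer        - signed by a CA the client does not have
cert_trust_status() {
    cert=$1
    bundle=${2:-}
    if [ -n "$bundle" ]; then
        set -- -CAfile "$bundle" "$cert"
    else
        set -- "$cert"
    fi
    if openssl verify "$@" >/dev/null 2>&1; then
        echo trusted
        return 0
    fi
    # Verification failed: compare name hashes to tell the two failure modes apart.
    subj=$(openssl x509 -in "$cert" -noout -subject_hash 2>/dev/null) || return 2
    iss=$(openssl x509 -in "$cert" -noout -issuer_hash 2>/dev/null) || return 2
    if [ "$subj" = "$iss" ]; then
        echo self-signed-untrusted
    else
        echo unknown-issuer
    fi
}

# make_demo_certs DIR: write constructed test material into DIR:
#   ca.pem (private CA), leaf.pem (signed by ca.pem), self.pem (self-signed)
make_demo_certs() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Constructed Demo CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=owa.example.test" \
        -keyout "$d/self.key" -out "$d/self.pem" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=owa.example.test" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 2 -out "$d/leaf.pem" 2>/dev/null
}

# Run directly: sh script.sh CERT.pem [TRUST_BUNDLE.pem]
if [ "$#" -gt 0 ]; then
    cert_trust_status "$@"
fi
```

Pass the certificate the proxy serves as the first argument and the CA bundle your clients really use as the second; anything other than "trusted" means those clients will show a warning.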