Hi Everyone,

I compiled and configured Squid to get a transparent SSL proxy. With the debug flag and looking into the access.log, no errors or warnings are shown. When intercepting HTTP traffic, everything works fine, but there is trouble with SSL. On the client (iPad), Safari tells me that it can't establish a safe connection, nothing more.

The access.log shows:

ext/html
1330094808.367 3 172.20.0.113 NONE/400 3563 %BF%18%C6%CC%D5%CB%B5+%C5Eq - NONE/- text/html
1330094809.922 8 172.20.0.113 NONE/400 3546 NONE error:invalid-request - NONE/- text/html
1330094811.938 2 172.20.0.113 NONE/400 3546 NONE error:invalid-request - NONE/- text/html
1330094813.603 3 172.20.0.113 NONE/400 3552 NONE error:invalid-request - NONE/- text/html
1330094813.673 2 172.20.0.113 NONE/400 3552 NONE error:invalid-request - NONE/- text/html
1330094813.744 10 172.20.0.113 NONE/400 3546 NONE error:invalid-request - NONE/- text/html

Here is my config and stuff:

ip_forward =1

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
REDIRECT   tcp  --  anywhere             anywhere            tcp dpt:www redir ports 3128
REDIRECT   tcp  --  anywhere             anywhere            tcp dpt:https redir ports 3129

Squid Cache: Version 3.1.19
configure options: '--enable-ssl' '--enable-ssl-crtd' '--enable-linux-netfilter' --with-squid=/root/squid-3.1.19 --enable-ltdl-convenience

And here is the squid.conf:

#
# Recommended minimum configuration:
#
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1

acl SSL method CONNECT
ssl_bump allow all

## allow users to websites attempting to use certs belonging to other domains
acl BadSite ssl_error SQUID_X509_V_ERR_DOMAIN_MISMATCH
sslproxy_cert_error allow BadSite
sslproxy_cert_error deny all

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 172.20.0.0/24 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

http_access allow manager localhost localnet

### MY RULES FOR TRANSPARENT SSL PROXYING
always_direct allow all
ssl_bump allow all

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost

# Squid Transparent http listens to port 3128
http_port 172.20.0.79:3128 intercept
http_port 127.0.0.1:3128 intercept

# Squid Transparent SSL https listens to port 3129
http_port 172.20.0.79:3129 intercept ssl-bump cert=/etc/apache2/ssl/server.crt key=/etc/apache2/ssl/server.key
http_port 127.0.0.1:3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB options=ALL cert=/etc/apache2/ssl/apache.pem

sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s /etc/apache2/ssl2 -M 4MB
sslcrtd_children 50

Hope someone can help me.

Best regards,
Jan