Hello everyone,

These are the steps I did to install this server (inside VMware Workstation):

    ifconfig eth0 192.168.186.250
    ifconfig eth0:0 192.168.201.250
    ip_forward enabled

1. Install CentOS 6
2. Upgrade CentOS 6 (yum upgrade)
3. Disable SELinux (I don't like it)
4. Reboot
5. Enable EPEL repo

        cd /home
        wget http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
        rpm -Uvh epel-release-6-8.noarch.rpm

6. Enable Squid repo

        cd /etc/yum.repos.d
        vi SQUID.repo

        [squid]
        name=Squid repo for CentOS 6
        baseurl=http://www1.ngtech.co.il/rpm/centos/6/i686
        failovermethod=priority
        enabled=1
        gpgcheck=0

7. yum update

        yum install perl-Crypt-OpenSSL-X509
        yum install squid

8. Initialise the certificate database

        /usr/lib/squid/ssl_crtd -c -s /var/lib/ssl_db

9. Create certificates for Squid like this

        cd /etc/pki/CA
        cp /etc/pki/tls/openssl.cnf openssl.cnf

   then I've edited the openssl.cnf like this

        dir         = .                  # Where everything is kept
        certificate = $dir/certs/ca.crt  # The CA certificate
        private_key = $dir/private/ca.key # The private key

   + filled in default values for company, site, domain, e-mail address.

10. Created keys like this:

        openssl req -config openssl.cnf -new -x509 -extensions v3_ca -keyout private/ca.key -out certs/ca.crt -days 3650
        openssl req -config openssl.cnf -new -nodes -keyout private/home.key -out home.csr -days 3650
        openssl ca -config openssl.cnf -policy policy_anything -out certs/home.crt -infiles home.csr

11. Copied the files to the Squid folder

        /etc/squid/ssl_cert/ca.crt
        /etc/squid/ssl_cert/home.crt
        /etc/squid/ssl_cert/private/home.key

        cd /etc/squid/ssl_cert/private/
        cp home.key home.bak
        openssl rsa -in home.bak -out home.key

12. Squid config

        acl localnet src 192.168.201.0/24
        acl SSL_ports port 443
        acl Safe_ports port 80          # http
        acl Safe_ports port 21          # ftp
        acl Safe_ports port 443         # https
        acl Safe_ports port 70          # gopher
        acl Safe_ports port 210         # wais
        acl Safe_ports port 1025-65535  # unregistered ports
        acl Safe_ports port 280         # http-mgmt
        acl Safe_ports port 488         # gss-http
        acl Safe_ports port 591         # filemaker
        acl Safe_ports port 777         # multiling http
        acl CONNECT method CONNECT
        http_access deny !Safe_ports
        http_access deny CONNECT !SSL_ports
        http_access allow all
        http_port 3130
        http_port 3128 intercept
        https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/home.crt key=/etc/squid/ssl_cert/private/home.key
        #always_direct allow all
        ssl_bump server-first all
        #sslproxy_cert_error allow all
        #sslproxy_flags DONT_VERIFY_PEER
        sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
        sslcrtd_children 5
        coredump_dir /var/spool/squid
        # Add any of your own refresh_pattern entries above these.
        refresh_pattern ^ftp:           1440    20%     10080
        refresh_pattern ^gopher:        1440    0%      1440
        refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
        refresh_pattern .               0       20%     4320
        shutdown_lifetime 1 second
        #debug_options ALL,2

13. DNS server on this machine (so that proxy.home.lan resolves...)

    /etc/named.conf

        //
        // named.conf
        //
        // Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
        // server as a caching only nameserver (as a localhost DNS resolver only).
        //
        // See /usr/share/doc/bind*/sample/ for example named configuration files.
        //

        acl mynet {
            192.168.201.0/24;   # test network
            127.0.0.1;          # localhost
        };

        options {
            listen-on { mynet; };
            listen-on-v6 port 53 { ::1; };
            directory "/var/named";
            dump-file "/var/named/data/cache_dump.db";
            statistics-file "/var/named/data/named_stats.txt";
            memstatistics-file "/var/named/data/named_mem_stats.txt";
            allow-query { mynet; };
            recursion yes;
            forward only;
            forwarders { 8.8.8.8; };

            dnssec-enable yes;
            dnssec-validation yes;
            dnssec-lookaside auto;

            /* Path to ISC DLV key */
            bindkeys-file "/etc/named.iscdlv.key";

            managed-keys-directory "/var/named/dynamic";
        };

        logging {
            channel default_debug {
                file "data/named.run";
                severity dynamic;
            };
        };

        zone "." IN {
            type hint;
            file "named.ca";
        };

        include "/etc/named.rfc1912.zones";
        include "/etc/named.root.key";

        #############################################
        # home.lan
        #############################################
        zone "home.lan" IN {
            type master;
            file "/var/named/home.lan/db.home";
            allow-query { mynet; };
        };

    /var/named/home.lan/db.home

        $ORIGIN home.lan.
        $TTL 86400
        @       IN  SOA proxy.home.lan. proxy.home.lan. (
                    2014032801  ; Serial
                    28800       ; Refresh
                    7200        ; Retry
                    604800      ; Expire
                    86400 )     ; Negative Cache TTL
        @       IN  NS  proxy.home.lan.
        proxy   IN  A   192.168.186.250

14. Install NTP on this server to sync time properly
15. Configure Windows XP client (fully updated) to use 192.168.201.250 as default gateway and as DNS
16. Ping proxy.home.lan, it resolves; ping www.google.com, it resolves
17. www.google.com: I get a warning that the certificate is not trusted (but only with Firefox), do I want to install? I can check the certificate; it is correctly issued by proxy.home.lan for www.google.com.
18. Install ca.crt into the client's trusted root certificates
19. Behold error (and be very frustrated): Peer's certificate has an invalid signature

I tried to re-do my steps, I tried multiple howtos (some were outdated), I've tried the IRC for Squid, but no help.

What did I overlook here? Why is this not working?

Oh, iptables on the server is:

    iptables -t nat -A PREROUTING -p tcp -s 192.168.201.0/24 --dport 80 -j DNAT --to 192.168.201.250:3128
    iptables -t nat -A PREROUTING -p tcp -s 192.168.201.0/24 --dport 443 -j DNAT --to 192.168.201.250:3129

There is no error in the log file. I have checked: certificates are generated for the sites I visit in /var/lib/ssl_db. For example www.grc.com gets a generated certificate even though I am not able to access it.

Only Firefox was friendly enough to provide the error above; Internet Explorer does not display anything at all, regardless of whether the certificate is installed on the client or not. (Guess they went 100% sure this time with certificates to disallow by default.)

Thank you for reading this, and please help if you can.

Greetings
Robert
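One thing worth checking against steps 10 and 11 above is whether home.crt, the certificate Squid uses to sign the per-site certificates, is actually marked as a CA. A client only accepts a chain if every issuing certificate carries basicConstraints CA:TRUE; the stock openssl.cnf makes `openssl ca` apply its usr_cert extension section by default, and that section sets CA:FALSE, so only the self-signed ca.crt (created with `-extensions v3_ca`) ends up with the CA flag. The script below is an added demonstration, not part of Robert's post or of Squid: it builds a throwaway PKI in a temporary directory (constructed for the demo, unrelated to the /etc/pki/CA files), signs one intermediate each way, shows how to read the flag from a certificate, and runs `openssl verify` over a leaf issued by each intermediate. The file names, the pki.cnf section names and the CN values are assumptions made for the demo.

```shell
#!/bin/sh
# Added demo (not from the post or from Squid): a certificate that signs
# other certificates must carry basicConstraints CA:TRUE. The stock
# openssl.cnf signs with its [usr_cert] section (CA:FALSE) unless told
# otherwise, which is what a bare "openssl ca" call does.
set -e

WORK=$(mktemp -d)              # throwaway PKI; nothing under /etc/pki is touched
trap 'rm -rf "$WORK"' EXIT

# Minimal config: an empty DN section (the subject comes from -subj) plus two
# extension sections that mirror what openssl.cnf calls usr_cert and v3_ca.
# Section names here are assumptions for the demo.
cat > "$WORK/pki.cnf" <<'EOF'
[ req ]
distinguished_name = dn

[ dn ]

[ usr_cert ]
basicConstraints = CA:FALSE

[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

# new_csr NAME CN : fresh RSA key and CSR stored as $WORK/NAME.key / NAME.csr
new_csr() {
    openssl req -config "$WORK/pki.cnf" -new -newkey rsa:2048 -nodes \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "/CN=$2" 2>/dev/null
}

# sign_csr NAME ISSUER EXT_SECTION : issue $WORK/NAME.crt from NAME.csr with
# ISSUER's key, applying the named extension section from pki.cnf
sign_csr() {
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" \
        -CAcreateserial -days 365 -extfile "$WORK/pki.cnf" -extensions "$3" \
        -out "$WORK/$1.crt" 2>/dev/null
}

# is_ca CERT : prints CA:TRUE or CA:FALSE according to the basicConstraints flag
is_ca() {
    if openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; then
        echo CA:TRUE
    else
        echo CA:FALSE
    fi
}

# chain_status ROOT INTERMEDIATE LEAF : prints OK or FAIL as openssl verify sees
# the chain (the output is grepped so old builds with a zero exit code on
# failure still report FAIL)
chain_status() {
    if openssl verify -CAfile "$1" -untrusted "$2" "$3" 2>&1 | grep -q ': OK$'; then
        echo OK
    else
        echo FAIL
    fi
}

# Root CA, self-signed with the v3_ca section (what step 10's first command does).
new_csr root "Demo Root CA"
openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 365 \
    -extfile "$WORK/pki.cnf" -extensions v3_ca -out "$WORK/root.crt" 2>/dev/null

# Two intermediates: one signed with usr_cert (the openssl.cnf default for
# "openssl ca"), one signed with v3_ca so it is a real CA.
new_csr inter_usr  "Demo Signing Cert (usr_cert)"
new_csr inter_v3ca "Demo Signing Cert (v3_ca)"
sign_csr inter_usr  root usr_cert
sign_csr inter_v3ca root v3_ca

# One leaf CSR, like the per-site certificates ssl_crtd generates, issued by
# each intermediate in turn.
new_csr leaf "www.example.com"
sign_csr leaf inter_usr  usr_cert; cp "$WORK/leaf.crt" "$WORK/leaf_by_usr.crt"
sign_csr leaf inter_v3ca usr_cert; cp "$WORK/leaf.crt" "$WORK/leaf_by_v3ca.crt"

echo "inter_usr.crt  basicConstraints: $(is_ca "$WORK/inter_usr.crt")"
echo "inter_v3ca.crt basicConstraints: $(is_ca "$WORK/inter_v3ca.crt")"
echo "chain via usr_cert intermediate: $(chain_status "$WORK/root.crt" "$WORK/inter_usr.crt" "$WORK/leaf_by_usr.crt")"
echo "chain via v3_ca intermediate:    $(chain_status "$WORK/root.crt" "$WORK/inter_v3ca.crt" "$WORK/leaf_by_v3ca.crt")"
```

The same `is_ca` check can be run against /etc/squid/ssl_cert/home.crt; if it reports CA:FALSE, re-issuing home.crt with `openssl ca -extensions v3_ca ...` (or editing x509_extensions in the copied openssl.cnf) is the corresponding fix, and the browser's copy of ca.crt then validates the generated certificates.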