Search squid archive

RE: Centos 6.5 , Squid 3.4.3-1.el6.i386 Transparent HTTPS , SSL_BUMP , HTTPS part not working

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hello Rafael,

Thank you that is good for Firefox, but as you can see, Internet Explorer
does not work at all, something with my config must be terribly / horribly
Wrong. Internet Explorer displays the same page it displays when you don't
have any internet at all.

Greetings
Robert

-----Ursprüngliche Nachricht-----
Von: Rafael Akchurin [mailto:rafael.akchurin@xxxxxxxxxxxx] 
Gesendet: Samstag, 29. März 2014 13:07
An: Robert Becskei; squid-users@xxxxxxxxxxxxxxx
Betreff: Re:  Centos 6.5 , Squid 3.4.3-1.el6.i386 Transparent
HTTPS , SSL_BUMP , HTTPS part not working

Hello Robert,

I had the same error with Firefox only, for me the solution was to patch
gadgets.cc as indicated here
https://github.com/ra-at-diladele-com/qlproxy_external/wiki/Filtering-HTTPS

Raf.

On 3/29/14 12:53 PM, "Robert Becskei" <robert.becskei@xxxxxxxxx> wrote:

>Hello everyone,
>
> These are the steps I did to install this server (inside vmware
>workstation):
>
>Ifconfig eth0 192.168.186.250
>Ifconfig eth0:0 192.168.201.250
>Ip_forward enabled
>
>1. Install centos 6
>
>2. Upgrade centos 6 (yum upgrade)
>
>3. Disable SeLinux ( I don¹t like it)
>
>4. Reboot
>
>5. Enable epel repo
>
>cd /home
>wget
>http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.r
>pm
>rpm ­Uvh epel-release-6.8.noarch.rpm
>
>6. Enable Squid repo
>cd /etc/yum.repos.d
>vi SQUID.repo
>[squid]
>name=Squid repo for CentOS 6
>baseurl=http://www1.ngtech.co.il/rpm/centos/6/i686
>failovermethod=priority
>enabled=1
>gpgcheck=0
>
>7. Yum update
>yum install perl-Crypt-OpenSSL-X509
>yum install squid
>
>8. /usr/lib/squid/ssl_crtd ­c ­s /var/lib/ssl_db
>
>9. Create certificates for SQUID like this cd /etc/pki/CA cp 
>/etc/pki/tls/openssl.cnf openssl.cnf then I¹ve edited the openssl.conf 
>like this
>dir             = .                     # Where everything is kept
>certificate     = $dir/certs/ca.crt     # The CA certificate
>private_key     = $dir/private/ca.key   # The private key
>
>+ filed in default values for company, site, domain , e-mail address.
>
>
>  10. Created key's like this :
>openssl req -config openssl.cnf -new -x509 -extensions v3_ca -keyout 
>private/ca.key -out certs/ca.crt -days 3650 openssl req -config 
>openssl.cnf -new -nodes -keyout private/home.key -out home.csr -days 
>3650 openssl ca -config openssl.cnf -policy policy_anything -out 
>certs/home.crt -infiles home.csr
>
>11. Copied the files to SQUID folder
>
>/etc/squid/ssl_cert/ca.crt
>/etc/squid/ssl_cert/home.crt
>/etc/squid/ssl_cert/private/home.key
>Cd /etc/squid/ssl_cert/private/
>Cp home.key home.back
>Openssl rsa -in home.bak -out home.key
>
>12. SQUID config
>acl localnet src 192.168.201.0/24
>
>acl SSL_ports port 443
>acl Safe_ports port 80		# http
>acl Safe_ports port 21		# ftp
>acl Safe_ports port 443		# https
>acl Safe_ports port 70		# gopher
>acl Safe_ports port 210		# wais
>acl Safe_ports port 1025-65535	# unregistered ports
>acl Safe_ports port 280		# http-mgmt
>acl Safe_ports port 488		# gss-http
>acl Safe_ports port 591		# filemaker
>acl Safe_ports port 777		# multiling http
>acl CONNECT method CONNECT
>
>http_access deny !Safe_ports
>http_access deny CONNECT !SSL_ports
>
>http_access allow all
>
>http_port 3130
>
>http_port 3128 intercept
>https_port 3129 intercept ssl-bump generate-host-certificates=on 
>dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/home.crt 
>key=/etc/squid/ssl_cert/private/home.key
>
>#always_direct allow all
>ssl_bump server-first all
>#sslproxy_cert_error allow all
>#sslproxy_flags DONT_VERIFY_PEER
>
>sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB 
>sslcrtd_children 5
>
>coredump_dir /var/spool/squid
>
># Add any of your own refresh_pattern entries above these.
>refresh_pattern ^ftp:		1440	20%	10080
>refresh_pattern ^gopher:	1440	0%	1440
>refresh_pattern -i (/cgi-bin/|\?) 0	0%	0
>refresh_pattern .		0	20%	4320
>
>
>shutdown_lifetime 1 second
>
>#debug_options ALL,2
>
>
>13. DNS server on this machine (so that proxy.home.lan resolves...) 
>/etc/named.conf // // named.conf // // Provided by Red Hat bind package 
>to configure the ISC BIND named(8) DNS // server as a caching only 
>nameserver (as a localhost DNS resolver only).
>//
>// See /usr/share/doc/bind*/sample/ for example named configuration files.
>//
>
>acl mynet {
>    192.168.201.0/24; # test network
>    127.0.0.1; # localhost
>    };
>
>options {
>	listen-on { 
>		mynet;
>		};
>	listen-on-v6 port 53 { ::1; };
>	directory 	"/var/named";
>	dump-file 	"/var/named/data/cache_dump.db";
>        statistics-file "/var/named/data/named_stats.txt";
>        memstatistics-file "/var/named/data/named_mem_stats.txt";
>	allow-query     { mynet; };
>	recursion yes;
>	
>	forward only;
>	forwarders {
>	    8.8.8.8;
>	    };
>
>	dnssec-enable yes;
>	dnssec-validation yes;
>	dnssec-lookaside auto;
>
>	/* Path to ISC DLV key */
>	bindkeys-file "/etc/named.iscdlv.key";
>
>	managed-keys-directory "/var/named/dynamic"; };
>
>logging {
>        channel default_debug {
>                file "data/named.run";
>                severity dynamic;
>        };
>};
>
>zone "." IN {
>	type hint;
>	file "named.ca";
>};
>
>include "/etc/named.rfc1912.zones";
>include "/etc/named.root.key";
>
>#############################################
>#	home.lan
>#############################################
>
>zone "home.lan" IN {
>    type master;
>    file "/var/named/home.lan/db.home";
>    allow-query {
>	mynet;
>	};
>    };
>
>/var/named/home.lan/db.home
>$ORIGIN home.lan.
>$TTL 86400
>@	IN	SOA	proxy.home.lan.	proxy.home.lan. (
>    2014032801 ; Serial
>    28800 ; Refresh
>    7200 ; Retry
>    604800 ; Expire
>    86400 ; Negative Cache TTL
>    )
>@	IN	NS	proxy.home.lan.
>proxy	IN	A	192.168.186.250
>
>
>14. Install NTP on this server to sync time properly
>
>15. Configure Windows XP client (fully updated ) to use 192.168.201.250 
>as default gateway and as DNS 16. Ping proxy.home.lan it resolves, ping 
>www.google.com it resolves 17. www.google.com I get a warning that the 
>certificate is not trusted (but only with firefox) do I want to 
>install, I can check certificate It is correctly issued by 
>proxy.home.lan for www.google.com .
>18. Install ca.crt into clients root trusted certificates 19. behold 
>error (and be very frustrated) : Peer's certificate has an invalid 
>signature
>
>I tried to re-do my steps, I tried multiple howto's (some were 
>outdated) I've tried the irc for squid, but no help. What did I overlook
here?
>Why is this not working ?
>
>Oh iptables on server is
>
>iptables -t nat -A PREROUTING -p tcp -s 192.168.201.0/24 --dport 80 -j 
>DNAT --to 192.168.201.250:3128 iptables -t nat -A PREROUTING -p tcp -s 
>192.168.201.0/24 --dport 443 -j DNAT --to 192.168.201.250:3129
>
>There is no error in log file , I have checked certificates are 
>generated for the sites I visit in /var/lib/ssl_db For example 
>www.grc.com get's a generated certificate even though I am not able to 
>access it.
>Only firefox was friendly enough to provide this error above, Internet 
>explorer does not display anything at all, regardless if certificate Is 
>installed on client or not. (guess they went 100% sure this time with 
>certificates to disallow by default)
>
>Thank you for reading this, and please help if you can.
>
>Greetings
>Robert
>
>
>
>
>
>
>
>
>
>







[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux