-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Christian,

For SSL Bump, Squid expects only a self-signed root CA certificate: it uses that CA's private key to generate the per-site certificates it presents to clients, which an end-entity certificate signed by an external CA (such as cacert.org) cannot do. A server certificate signed by a CA is not what SSL Bump needs; that is only appropriate on a reverse proxy.

WBR, Yuri

30.01.2015 6:43, Christian Kundela wrote:
> Dear all,
>
> I have problems setting up an explicit proxy. (intercept tcp 80: no problem)
>
> If I use a self-signed cert and install it in Firefox or IE, no problem.
>
> But if I use a CA cert — I am using a signed cert from cacert.org — then on SSL sites only the text loads and no pictures ... as far as I know this means something is wrong with the key, or something else? (I also installed all certs from cacert.org (also the Firefox add-ons).)
>
> Key and CSR were generated with:
> openssl genrsa -out /etc/squid/squid.key 2048
> openssl req -new -key /etc/squid/squid.key -out /etc/squid/squid.csr
>
> Signed on the site cacert.org. The text was put into /etc/squid/squid.crt
>
> My question: what CA cert does Squid expect? A wildcard *? As common name I chose www.mydomain.net (this is an example; for the CSR I used my real domain name).
>
> How can I trace this problem (debug), or is the cert wrong? I am stuck here ...
>
>
> Best regards
>
> Many thanks in advance
>
>
>
> Here is the squid.conf (changes done in the config: added SquidGuard, C-ICAP and MS Update (from squid-cache.org); all works perfectly)
> IP of server is 192.168.1.1/24
>
> ## squid.conf begin
> #
> # Recommended minimum configuration:
> #
> # Example rule allowing access from your local networks.
> # Adapt to list your (internal) IP networks from where browsing > # should be allowed > #acl localnet src 10.0.0.0/8 # RFC1918 possible internal network > #acl localnet src 172.16.0.0/12 # RFC1918 possible internal network > #acl localnet src 192.168.0.0/16 # RFC1918 possible internal network > acl localnet src fc00::/7 # RFC 4193 local private network range > acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines > acl localnet src 192.168.1.0/24 > > acl SSL_ports port 443 > acl Safe_ports port 80 # http > acl Safe_ports port 21 # ftp > acl Safe_ports port 443 # https > acl Safe_ports port 70 # gopher > acl Safe_ports port 210 # wais > acl Safe_ports port 1025-65535 # unregistered ports > acl Safe_ports port 280 # http-mgmt > acl Safe_ports port 488 # gss-http > acl Safe_ports port 591 # filemaker > acl Safe_ports port 777 # multiling http > > # MS Update > acl windowsupdate dstdomain windowsupdate.microsoft.com > acl windowsupdate dstdomain .update.microsoft.com > acl windowsupdate dstdomain download.windowsupdate.com > acl windowsupdate dstdomain redir.metaservices.microsoft.com > acl windowsupdate dstdomain images.metaservices.microsoft.com > acl windowsupdate dstdomain c.microsoft.com > acl windowsupdate dstdomain www.download.windowsupdate.com > acl windowsupdate dstdomain wustat.windows.com > acl windowsupdate dstdomain crl.microsoft.com > acl windowsupdate dstdomain sls.microsoft.com > acl windowsupdate dstdomain productactivation.one.microsoft.com > acl windowsupdate dstdomain ntservicepack.microsoft.com > acl windowsupdate dstdomain ctldl.windowsupdate.com > > acl CONNECT method CONNECT > > # MS Update > acl wuCONNECT dstdomain www.update.microsoft.com > acl wuCONNECT dstdomain sls.microsoft.com > > # > # Recommended minimum Access Permission configuration: > # > # Deny requests to certain unsafe ports > http_access deny !Safe_ports > > # Deny CONNECT to other than secure SSL ports > http_access deny CONNECT !SSL_ports > > # Only 
allow cachemgr access from localhost > http_access allow localhost manager > http_access deny manager > > # We strongly recommend the following be uncommented to protect innocent > # web applications running on the proxy server who think the only > # one who can access services on "localhost" is a local user > http_access deny to_localhost > > # > # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS > # > > # MS Update > http_access allow CONNECT wuCONNECT localnet > http_access allow CONNECT wuCONNECT localhost > http_access allow windowsupdate localnet > http_access allow windowsupdate localhost > > # Example rule allowing access from your local networks. > # Adapt localnet in the ACL section to list your (internal) IP networks > # from where browsing should be allowed > http_access allow localnet > http_access allow localhost > > # And finally deny all other access to this proxy > http_access deny all > > # SSL Stuff > always_direct allow all > ssl_bump server-first all > #sslproxy_cert_error allow all > #sslproxy_flags DONT_VERIFY_PEER > > # Squid normally listens to port 3128 > http_port localhost:3128 > http_port 192.168.1.1:3130 ssl-bump cert=/etc/squid/server.crt key=/etc/squid/server.key# TEST > http_port localhost:3129 intercept > > # Uncomment and adjust the following to add a disk cache directory. > cache_dir ufs /var/squid/cache 40000 16 256 > > # Added > cache_mem 2 GB > > # Leave coredumps in the first cache dir > coredump_dir /var/squid/cache > > # MS Update > refresh_pattern -i microsoft.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip) 4320 80% 43200 reload-into-ims > refresh_pattern -i windowsupdate.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip) 4320 80% 43200 reload-into-ims > refresh_pattern -i windows.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip) 4320 80% 43200 reload-into-ims > > # > # Add any of your own refresh_pattern entries above these. 
> # > refresh_pattern ^ftp: 1440 20% 10080 > refresh_pattern ^gopher: 1440 0% 1440 > refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 > refresh_pattern . 0 20% 4320 > > # Added > max_filedescriptors 1024 > > # MS Update > range_offset_limit 200 MB windowsupdate > maximum_object_size 200 MB > quick_abort_min -1 > > # Path to the redirector program > url_rewrite_program /usr/local/bin/squidGuard > > # Number of redirector processes to spawn > url_rewrite_children 20 > > # To prevent loops, don't send requests from localhost to the redirector > url_rewrite_access deny localhost > > # SquidClamav C-Icap > icap_enable on > icap_send_client_ip on > icap_send_client_username on > icap_client_username_encode off > icap_client_username_header X-Authenticated-User > icap_preview_enable on > icap_preview_size 1024 > icap_service service_req reqmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav > adaptation_access service_req allow all > icap_service service_resp respmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav > adaptation_access service_resp allow all > ## squid.conf end > _______________________________________________ > squid-users mailing list > squid-users@xxxxxxxxxxxxxxxxxxxxx > http://lists.squid-cache.org/listinfo/squid-users -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQEcBAEBAgAGBQJUy2gxAAoJENNXIZxhPexGwZMIAKX1uyFzdKrjq0FJvMMsL/9d 22R06xyExxuRIdWwp4IHAhWDud1dLlnAkEckmwCYdeUQJLeue/ccf6QIwblqT8ld PruboM2+a3vE9KNKwXVUbv9UDhE933cq34/vX+kiBFIKc4/5TMFEjO9t/yeuamKl 3vYiRM9P7763AeCYRexB2tMHw9ghItstubav6ZzY2rmkdbqP+KlsaUL5jZOULTS7 FD8y8y3MW2jWFACYjqLZQ+0qjDJU2rcjEZR/w9jGGjGT7EEFxIPzvS9lAt5jVxIh E8FzSnBKMw0FYQVEQW6mW6gfwNOhjTxTJKFlGigkITIp3R9vQaYhBwe8lYypTcQ= =wjv1 -----END PGP SIGNATURE----- _______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users