I think I found it..
trying to run ssl_crtd myself to issue a cert it says:
Error while parsing the crtd request: Broken signing certificate!
shouldn't that end up in squid logs as well?
Klavs Klavsen wrote on 03/12/2015 03:48 PM:
I just found the config, stating that ssl-bump is only supported in
intercept mode.. that invalides accel :)
I setup a client on same LAN as squid, and told it to use squid box as
default gw. for traffic to public addresses..
intercept on port 80 works fine.
on https however I get an SSL connect error.
This is my config related to that:
sslcrtd_program /usr/lib64/squid/ssl_crtd -s
/etc/ssl/certs/cache/ -M 4MB
sslcrtd_children 8 startup=1 idle=1
https_port 3130 intercept ssl-bump
generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
key=/etc/squid/ca.private cert=/etc/squid/ca.cert
sslproxy_flags DONT_VERIFY_PEER
always_direct allow all
http_port 3129 intercept
shutdown_lifetime 3
sslproxy_cert_error allow all
ssl_bump server-first all
I'm running squid-3.4.9. (I can easily upgrade to newer if that will
help any :) - on centos 7.0.
What debug options should/could I set to hopefully enlighten me? squid
logs nothing in cache.log or access.log except:
1426171540.277 0 10.43.18.168 TAG_NONE/400 4047 NONE
error:invalid-request - HIER_NONE/- text/html
Amos Jeffries wrote on 03/12/2015 02:27 PM:
On 13/03/2015 1:52 a.m., Klavs Klavsen wrote:
I'd rather not have to route everything (incl. normal ingoing web
traffic) through the squid box.. and the firewalls are proprietary stuff
- so can't install squid there :)
You don't, port 80 TCP is all that *needs* it, and only for the traffic
from clients you want to go through Squid.
If you are passing outgoing web traffic through Squid the responses
(incoming) have to come back through it.
If you have external stuff making requests to internal servers, that can
be left alone in the same way Squid' outgoing traffic is.
Are we talking more or less than 100Mbps of port 80 traffic here?
It works fine in accel mode.. and I can limit what urls each client ip
is able to access, and disable caching..
Shouldn't accel mode, for this use case (curl access from websites - all
using http/1.1 with host header) be good enough - or are there security
issues I am not aware of?
You guessed it. CVE-2009-0801 - the Host header is not trustworthy.
accel/reverse-proxy mode has no protection at all since the upstream
servers are expected to be explicitly configured or the allowed domains
restricted to those hosted by the CDN the proxy is part of.
... and the Host header is not always present, though that case has
declined a lot in the past few years.
I realize I move the DNS lookup to the squid box - but that's actually
what I want in this case.
Actually you will need two DN lookups to be happening if you use accel.
Only the intercept mode with NAT lookups has ability to avoid the second
one by using ORIGINAL_DST.
accel mode normaly avoids the second DNS lookup by having the upstream
servers explicitly configured. You dont want to do that manually for
every Internet server in existence so forcing a DNS lookup with
"always_direct allow all" is required.
Routings your friend, really :-)
Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
--
Regards,
Klavs Klavsen, GSEC - kl@xxxxxxx - http://www.vsen.dk - Tlf. 61281200
"Those who do not understand Unix are condemned to reinvent it, poorly."
--Henry Spencer
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
