24.08.2016 18:23, Antony Stone writes:
> On Wednesday 24 August 2016 at 14:18:46, Yuri Voinov wrote:
>
>> No CA issues a signing (CA) certificate for a subject which is not itself a CA.
>>
>> So, the OP wants an impossible thing.
>
> Why would one need a signING certificate just to create an SSL connection
> between the browser and Squid?
>
> Surely one merely needs a valid signED certificate, same as you would put on a
> web server to set up secure connections to it?
>
> OP is not intercepting secure traffic, nor making HTTP sites look to the browser
> like HTTPS ones.
Then I do not understand what the OP wants.
>
>
> Antony.
>
>> 24.08.2016 18:15, Antony Stone writes:
>>> On Wednesday 24 August 2016 at 14:02:43, Samuraiii wrote:
>>>> Squid fails to start for me with:
>>>> FATAL: No valid signing SSL certificate configured for HTTPS_port [::]:8443
>>>> I have found that this is related to a missing self-signed certificate,
>>>> and since I do not want to use a self-signed certificate I am asking if I
>>>> can do anything about it.
>>>> I would like to avoid self-signed certificates so my users would not
>>>> need to import and replace my own certs.
>>>
>>> Have you tried adding the option "generate-host-certificates=off" to your
>>> https_port line?
>>>
>>> I'm not an expert on this bit of Squid, but I'm just looking at
>>> http://www.squid-cache.org/Versions/v3/3.5/cfgman/https_port.html and
>>> noticing anything to do with a "signing certificate" (which you do not have,
>>> and do not want to use).
>>>
>>>> And here is my complete squid.conf:
>>>>
>>>> acl SSL_ports port 443
>>>> acl Safe_ports port 80          # http
>>>> acl Safe_ports port 21          # ftp
>>>> acl Safe_ports port 443         # https
>>>> acl Safe_ports port 70          # gopher
>>>> acl Safe_ports port 210         # wais
>>>> acl Safe_ports port 1025-65535  # unregistered ports
>>>> acl Safe_ports port 280         # http-mgmt
>>>> acl Safe_ports port 488         # gss-http
>>>> acl Safe_ports port 591         # filemaker
>>>> acl Safe_ports port 777         # multiling http
>>>> acl Safe_ports port 901         # SWAT
>>>> acl CONNECT method CONNECT
>>>> http_access deny !Safe_ports
>>>> http_access deny CONNECT !SSL_ports
>>>> http_access allow localhost manager
>>>> http_access deny manager
>>>> http_access deny to_localhost
>>>>
>>>> auth_param basic program /usr/libexec/squid/basic_pam_auth
>>>> auth_param basic children 5
>>>> auth_param basic realm Proxy Authentication Required
>>>> auth_param basic credentialsttl 2 hours
>>>>
>>>> acl authenticated proxy_auth REQUIRED
>>>> http_access allow authenticated
>>>> http_access deny all
>>>>
>>>> https_port 8443 \
>>>>     cert=/etc/letsencrypt/live/sklad.duckdns.org/cert.pem \
>>>>     key=/etc/letsencrypt/live/sklad.duckdns.org/key.pem \
>>>>     clientca=/etc/letsencrypt/live/sklad.duckdns.org/fullchain.pem \
>>>>     tls-dh=/etc/ssl/certs/dhparam.pem \
>>>>     options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE \
>>>>     cipher=HIGH
>>>>
>>>> cache_dir aufs /var/cache/squid 512 16 256
>>>> coredump_dir /var/cache/squid
>>>> refresh_pattern ^ftp:           1440    20%     10080
>>>> refresh_pattern ^gopher:        1440    0%      1440
>>>> refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
>>>> refresh_pattern .               0       20%     4320
>>>
>>> Antony.
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
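Added example, not from the thread and not Squid's own tooling: a POSIX shell pre-flight check for the files an https_port line names. It verifies that the cert= and key= files are readable, parse, and belong to each other, and reports whether a certificate is a signing (CA) certificate at all, which is the distinction the exchange above turns on: a server certificate issued by a public CA carries basicConstraints CA:FALSE, cannot sign anything, and is the "signED" certificate Antony describes. The script assumes only the openssl command line (1.1.1 or later) on PATH; the file names, subject names and the throw-away test CA it generates are constructed for the demonstration and are not the OP's files.

```shell
#!/bin/sh
# Added example (not from the squid-users thread): pre-flight checks for the
# files named on a Squid https_port line.  Assumes only the openssl CLI
# (1.1.1 or later) is on PATH; all file names and subjects are hypothetical.

# spki_of_cert CERT: print the certificate's public key (SPKI, PEM).
spki_of_cert() {
    openssl x509 -in "$1" -noout -pubkey 2>/dev/null
}

# spki_of_key KEY: print the public half of a private key (SPKI, PEM).
spki_of_key() {
    openssl pkey -in "$1" -pubout 2>/dev/null
}

# check_cert_key_pair CERT KEY: succeed only if both files are readable, both
# parse, and the key really belongs to the certificate (same SPKI).  Run this
# before pointing cert= and key= at the files.
check_cert_key_pair() {
    cert=$1; key=$2
    [ -r "$cert" ] || { echo "cert not readable: $cert" >&2; return 1; }
    [ -r "$key" ]  || { echo "key not readable: $key" >&2; return 1; }
    cert_spki=$(spki_of_cert "$cert") || { echo "cert does not parse: $cert" >&2; return 1; }
    key_spki=$(spki_of_key "$key")    || { echo "key does not parse: $key" >&2; return 1; }
    [ -n "$cert_spki" ] && [ "$cert_spki" = "$key_spki" ] ||
        { echo "key does not belong to cert: $key / $cert" >&2; return 1; }
    return 0
}

# is_ca_cert CERT: succeed if the certificate carries basicConstraints CA:TRUE,
# i.e. it is a signing (CA) certificate.  An end-entity server certificate is
# CA:FALSE (or has no basicConstraints) and cannot issue other certificates.
is_ca_cert() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

# make_test_pki DIR: constructed test data, a throw-away CA plus a server
# certificate it issued, so the checks can be exercised offline.
make_test_pki() {
    dir=$1
    cat > "$dir/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_server]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:proxy.example.test
EOF
    openssl req -x509 -config "$dir/req.cnf" -extensions v3_ca -days 1 \
        -newkey rsa:2048 -nodes -keyout "$dir/ca.key" -out "$dir/ca.crt" \
        -subj "/CN=Example Test CA" >/dev/null 2>&1 || return 1
    openssl req -new -config "$dir/req.cnf" -newkey rsa:2048 -nodes \
        -keyout "$dir/server.key" -out "$dir/server.csr" \
        -subj "/CN=proxy.example.test" >/dev/null 2>&1 || return 1
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 1 -extfile "$dir/req.cnf" -extensions v3_server \
        -out "$dir/server.crt" >/dev/null 2>&1 || return 1
}

# demo: run the checks against the constructed test data, including the two
# failure modes that matter in practice (wrong key file, missing key file).
demo() {
    dir=$(mktemp -d) || return 1
    make_test_pki "$dir" || { echo "could not build test PKI (is openssl installed?)" >&2; return 1; }
    check_cert_key_pair "$dir/server.crt" "$dir/server.key" && echo "server.crt + server.key: OK"
    check_cert_key_pair "$dir/server.crt" "$dir/ca.key" || echo "server.crt + ca.key: rejected (expected)"
    check_cert_key_pair "$dir/server.crt" "$dir/privkey.pem" || echo "missing key file: rejected (expected)"
    is_ca_cert "$dir/ca.crt" && echo "ca.crt is a signing (CA) certificate"
    is_ca_cert "$dir/server.crt" || echo "server.crt is an end-entity certificate, not a signing CA"
    rm -rf "$dir"
}

# Usage: sh check_https_port_files.sh CERT KEY   (no arguments: run the demo)
if [ $# -eq 2 ]; then
    check_cert_key_pair "$1" "$2" && echo "cert/key pair OK"
    if is_ca_cert "$1"; then echo "note: $1 is a CA certificate"; else echo "$1 is an end-entity (server) certificate"; fi
else
    demo
fi
```

The public-key comparison is the check to rely on: a certificate and a private key that do not share the same SubjectPublicKeyInfo will be refused by any TLS stack at load time, and a readable-but-wrong path (for instance a key file name that does not exist in the directory layout the certificate came from) fails in the same way as a corrupt file. The CA:TRUE test is informational only; it tells you which kind of certificate you are holding, not whether Squid will accept it.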