Search squid archive

Re: Https_port with "official" certificate

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Oh, an a tiny little detail :) 

# squid -v

Squid Cache: Version 4.0.13

Service Name: squid

configure options:  '--with-openssl' '--prefix=/usr' '--localstatedir=/var' '--libexecdir=/lib/squid' '--datadir=/share/squid' '--sysconfdir=/etc/squid' '--with-default-user=proxy' '--with-logdir=/var/log/squid' '--with-pidfile=/var/run/squid.pid'



On Wed, Aug 24, 2016 at 4:37 PM, Diogenes S. Jesus <splash@xxxxxxxxx> wrote:
This configuration here covers the use case described by the OP: 
https://gist.githubusercontent.com/splashx/758ff0c59ea291f32edafc516fdaad73/raw/8050fa054821657812961050332b38a56e7e3e68/

If everything works well, you'll notice you won't support HTTP proxy at all, but users can reach  both HTTP and HTTPS target websites via your HTTPS proxy.

# netstat -nltp

Active Internet connections (only servers)

Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name

tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      32109/sshd      

tcp6       0      0 :::80                   :::*                    LISTEN      26627/apache2   

tcp6       0      0 :::3443                 :::*                    LISTEN      7303/(squid-1)  

tcp6       0      0 :::22                   :::*                    LISTEN      32109/sshd



The user connects to the proxy ONLY via HTTPS Proxy on port 3443

All traffic between the OP and the proxy is encrypted using TLS. 
A) If the user enters http://target.example.com, between the proxy and the target you'll see HTTP. 
B) If the user enters https://target.example.com, between the proxy and the target you'll see HTTPS.

If you sniff the traffic between the client and the proxy, you'll see TLS.

Tested with:

$ /Applications/Firefox\ 2.app/Contents/MacOS/firefox -v

Mozilla Firefox 48.0


Firefox set up to use PAC: Preferences > Advanced > Network > Settings: "Automatic Proxy Configuration": http://squid.example.com/proxy.pac

The downside here of course is the limited amount of clients supporting HTTPS Proxy settings.

Dio


On Wed, Aug 24, 2016 at 3:46 PM, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
Just to rewind this conversation to the actual problem ...

On 24/08/2016 11:42 p.m., Samuraiii wrote:
> On 24.8.2016 13:18, Antony Stone wrote:
>> Unfortunately it's not Squid that's the challenge - it's the browser.
>>
>> If you're using Firefox and/or Chrome, you should be okay.
>>
>> See "Encrypted browser-Squid connection" at the bottom of
>> http://wiki.squid-cache.org/Features/HTTPS
>>
>>
>> Antony.
>>
> I have seen that, it is the cause of my subscription to this list.
> I haven't been able to find any usable hints.
> My config attempt fails
>

<snip>
>
> https_port 8443 \
>     cert=/etc/letsencrypt/live/sklad.duckdns.org/cert.pem \
>     key=/etc/letsencrypt/live/sklad.duckdns.org/key.pem \
>     cleintca=/etc/letsencrypt/live/sklad.duckdns.org/fullchain.pem \
>     tls-dh=/etc/ssl/certs/dhparam.pem \
>     sslproxy_options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE \
>     cipher=HIGH


As Dio mentioned the cleintca= (or rather clientca=) is for
authenticating clients ceritficates. Don't use that unless you are
requiring client certs in TLS.

The rest of your config looks reasonable to me. I suspect you have found
a bug introduced during all the SSL-Bump code changes. Please make a
bugzilla report and include your exact Squid version (found with the
'squid -v' command), the https_port line(s) and the exact error message
produced on startup.

Amos

_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users



--

--------

Diogenes S. de Jesus



--

--------

Diogenes S. de Jesus
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users

[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux