# squid -v
Squid Cache: Version 4.0.13
Service Name: squid
configure options: '--with-openssl' '--prefix=/usr' '--localstatedir=/var' '--libexecdir=/lib/squid' '--datadir=/share/squid' '--sysconfdir=/etc/squid' '--with-default-user=proxy' '--with-logdir=/var/log/squid' '--with-pidfile=/var/run/squid.pid'
This configuration here covers the use case described by the OP: https://gist.githubusercontent.com/splashx/758ff0c59ea291f32edafc516fdaad73/raw/8050fa054821657812961050332b38a56e7e3e68/

If everything works well, you'll notice you won't support HTTP proxy at all, but users can reach both HTTP and HTTPS target websites via your HTTPS proxy.

# netstat -nltp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 32109/sshd
tcp6 0 0 :::80 :::* LISTEN 26627/apache2
tcp6 0 0 :::3443 :::* LISTEN 7303/(squid-1)
tcp6 0 0 :::22 :::* LISTEN 32109/sshd
The user connects to the proxy ONLY via HTTPS Proxy on port 3443. All traffic between the OP and the proxy is encrypted using TLS.

A) If the user enters http://target.example.com, between the proxy and the target you'll see HTTP.
B) If the user enters https://target.example.com, between the proxy and the target you'll see HTTPS.

If you sniff the traffic between the client and the proxy, you'll see TLS.

Tested with:

$ /Applications/Firefox\ 2.app/Contents/MacOS/firefox -v
Mozilla Firefox 48.0
Firefox set up to use PAC: Preferences > Advanced > Network > Settings: "Automatic Proxy Configuration": http://squid.example.com/proxy.pac

The downside here of course is the limited number of clients supporting HTTPS Proxy settings.

Dio

--
On Wed, Aug 24, 2016 at 3:46 PM, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
Just to rewind this conversation to the actual problem ...
On 24/08/2016 11:42 p.m., Samuraiii wrote:
> On 24.8.2016 13:18, Antony Stone wrote:
>> Unfortunately it's not Squid that's the challenge - it's the browser.
>>
>> If you're using Firefox and/or Chrome, you should be okay.
>>
>> See "Encrypted browser-Squid connection" at the bottom of
>> http://wiki.squid-cache.org/Features/HTTPS
>>
>>
>> Antony.
>>
> I have seen that, it is the cause of my subscription to this list.
> I haven't been able to find any usable hints.
> My config attempt fails
>
<snip>
>
> https_port 8443 \
> cert=/etc/letsencrypt/live/sklad.duckdns.org/cert.pem \
> key=/etc/letsencrypt/live/sklad.duckdns.org/key.pem \
> cleintca=/etc/letsencrypt/live/sklad.duckdns.org/fullchain.pem \
> tls-dh=/etc/ssl/certs/dhparam.pem \
> sslproxy_options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE \
> cipher=HIGH

As Dio mentioned the cleintca= (or rather clientca=) is for
authenticating client certificates. Don't use that unless you are
requiring client certs in TLS.
The rest of your config looks reasonable to me. I suspect you have found
a bug introduced during all the SSL-Bump code changes. Please make a
bugzilla report and include your exact Squid version (found with the
'squid -v' command), the https_port line(s) and the exact error message
produced on startup.
Amos
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
--------
Diogenes S. de Jesus
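As an added illustration of the PAC setup Dio describes (this is example code written for this page, not code from the thread, the gist, or the Squid project): a proxy auto-config script that sends every http:// and https:// destination to a TLS-wrapped proxy on port 3443, so the browser speaks TLS to the proxy regardless of the target scheme. The hostname squid.example.com and port 3443 are taken from the post; the 10.0.0.0/8 exclusion, the domain exclusion, and the stand-in helper functions (isPlainHostName, dnsDomainIs, isInNet, which a browser normally supplies) are assumptions added so the file also runs under Node for testing.

```javascript
// Added example PAC file (not from the original thread or the Squid project).
// Browsers provide isPlainHostName/dnsDomainIs/isInNet themselves; the
// stand-ins below exist only so this file can be exercised under Node.
// ES5 syntax (var, function) is used on purpose: browser PAC engines are
// conservative about language features.

function isPlainHostName(host) {
  // True for unqualified names such as "intranet".
  return host.indexOf(".") === -1;
}

function dnsDomainIs(host, domain) {
  // True when host ends with domain (same semantics as the browser helper).
  return host.length >= domain.length &&
    host.substring(host.length - domain.length) === domain;
}

// Parse a dotted-quad IPv4 string into an unsigned 32-bit number, or null.
function ip4ToInt(ip) {
  var parts = ip.split(".");
  if (parts.length !== 4) return null;
  var n = 0;
  for (var i = 0; i < 4; i++) {
    if (!/^\d+$/.test(parts[i])) return null;
    var octet = Number(parts[i]);
    if (octet > 255) return null;
    n = n * 256 + octet;
  }
  return n;
}

// Stand-in for the browser's isInNet(): true when host is a literal IPv4
// address inside pattern/mask. (The real helper also resolves hostnames,
// which this assumed stand-in deliberately does not do.)
function isInNet(host, pattern, mask) {
  var h = ip4ToInt(host), p = ip4ToInt(pattern), m = ip4ToInt(mask);
  if (h === null || p === null || m === null) return false;
  return ((h & m) >>> 0) === ((p & m) >>> 0);
}

// Entry point called by the browser for every request.
function FindProxyForURL(url, host) {
  // Assumed internal resources stay direct: unqualified names and 10/8.
  if (isPlainHostName(host) || isInNet(host, "10.0.0.0", "255.0.0.0")) {
    return "DIRECT";
  }
  // Never send the proxy host (which also serves the PAC) through itself.
  if (dnsDomainIs(host, "squid.example.com")) {
    return "DIRECT";
  }
  // Everything else, HTTP and HTTPS targets alike, goes to the proxy over
  // TLS. "HTTPS host:port" is the directive Firefox and Chrome understand
  // for a TLS-wrapped proxy. No "PROXY host:port" alternative is listed
  // after it on purpose, so the client is never offered an unencrypted
  // path to the proxy.
  return "HTTPS squid.example.com:3443";
}
```

One caveat worth keeping in mind with the setup in the post: the PAC itself is fetched from http://squid.example.com/proxy.pac, i.e. over plain HTTP. Anyone who can tamper with that unauthenticated download can rewrite the return value and point every browser at a proxy of their choosing, which undoes the point of encrypting the client-to-proxy leg. Serving the PAC over HTTPS (or configuring the proxy directly in the client) closes that gap.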