On 16/11/2016 9:11 p.m., Patrick Chemla wrote:
> Hi,
>
> I have same problem, and I need to use trusted CA certificates, so what
> is the solution?

Not to do illegal bad things that violate your contract with the CA.

Any CA which lets you intercept traffic by generating sub-certificates
with their root *will* be blacklisted and effectively "thrown off the
Internet". It has happened already for several CAs who thought that was
an idle threat.

>
> I have a squid 3.5.20 used for multiple domains, multiple backends,
> using both HTTP and HTTPS.

As Alex said, what you describe here sounds a lot more like reverse-proxy
than interception.

Sergey who started this thread was intercepting HTTPS traffic sent by
clients to an explicit proxy. All answers so far have been about that
topic, which is probably *not* what you are facing. The configurations
and limitations are very different.

So the first thing to do is to be clear about what you are actually
trying to do.

> So questions:
>
> 1/ Should I set up the squid certificate with ONLY self-signed, or there
> is a way to use Trusted certificates? So if only self-signed, the user
> will be always forced to accept the self-signed certificate on first
> time? not really good for commercial sites.
>

Are you the owner of the website(s) or an authorized CDN/Hosting provider
for them?

> 2/ Should the backend cache_peer set as ssl on port 443, or could it be
> simple http 80 (backends are internal VMs onto the same server, no
> external network between squid and backends)?
>

That depends on your answer to the above.

> 3/ Will the acls rules work OK to affect each request to the right
> backend according to domain, even in HTTPS?
>

Yes. But the detail may not be what you expect. It depends on the above
answers.

> 4/ Do you know some clear and easy howto, examples, for such settings,
> from where I could get how to do?
>

<http://wiki.squid-cache.org/ConfigExamples/> contains all of the
configurations you might need.

But which one(s) are correct for you depends on what you are actually
needing to do.

Amos
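For readers landing on this thread with the reverse-proxy case Amos describes (one Squid in front of several internal backends for domains you own), the configuration below is an added illustration, not Amos's reply and not taken from the Squid wiki. It assumes Squid 3.5 in accelerator mode; the domain names, backend IP addresses and certificate paths are placeholders. The point it makes concrete is the one in the thread: a reverse proxy terminates TLS with an ordinary, CA-issued server certificate for your own domains, so no CA private key and no interception (ssl_bump) is involved, and routing to backends is done per host name with dstdomain ACLs for both HTTP and HTTPS.

```conf
# Added example (not from the thread or the Squid wiki): a Squid 3.5
# reverse-proxy (accel) configuration for two hosted domains with
# separate internal backends. Hostnames, IPs and paths are placeholders.

# Terminate TLS for the public sites with a normal server certificate
# for domains you own, issued by a trusted CA (a SAN certificate can
# cover several hosts). No CA key, no ssl_bump: this is not interception.
https_port 443 accel vhost defaultsite=www.example.com cert=/etc/squid/certs/example.com.fullchain.pem key=/etc/squid/certs/example.com.key

# Plain HTTP front end for the same sites.
http_port 80 accel vhost defaultsite=www.example.com

# One origin server per site. The backends are internal VMs on the same
# host, so plain HTTP on port 80 is used here; add the "ssl" option and
# port 443 if the hop to a backend crosses an untrusted network.
cache_peer 10.0.0.11 parent 80 0 no-query originserver name=example_backend
cache_peer 10.0.0.12 parent 80 0 no-query originserver name=other_backend

# Route by the Host header of each request; this works the same for
# requests that arrived over https_port and over http_port.
acl site_example dstdomain www.example.com example.com
acl site_other   dstdomain www.other-example.net other-example.net

cache_peer_access example_backend allow site_example
cache_peer_access example_backend deny all
cache_peer_access other_backend   allow site_other
cache_peer_access other_backend   deny all

# Only serve the sites we host; everything else is refused so the proxy
# cannot be used as an open forward proxy.
http_access allow site_example
http_access allow site_other
http_access deny all

# Never fetch from the Internet directly; unmatched requests fail rather
# than being forwarded somewhere unexpected.
never_direct allow all
```

The two checks worth doing after loading such a config are that a request for a host not in the ACLs is denied (not forwarded), and that each hosted domain reaches only its own backend, which the paired `allow`/`deny all` lines per cache_peer enforce.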