13.04.2017 22:57, Olly Lennox wrote:
> Hi There,
>
> I've been battling for the last few days on a little project to set up a Raspberry PI device as a small parental blocking server. I've managed to configure the device to work as a transparent proxy using squid, which is assigned as the default gateway via DHCP, and after a lot of messing about I've finally got to the point where it's routing traffic correctly, proxying and blocking unwanted websites over HTTP.
>
> The problem I have is that for the life of me I cannot get things to work over HTTPS. It's working on the older, insecure web browsers where anything goes, but the more modern browsers will not accept the SSL certificates and fail with insecure messages. I've tried various ways of generating a cert and also generating a CA cert and signing my other cert with it, to no avail. I've had a mixture of errors back from the browser, from WEAK_ALGORITHM to BAD_AUTHORITY to INVALID_CERT.
>
> I've been using openssl to generate self-signed certificates and create a der file. Below is a recent attempt, but I've tried lots of different approaches:
>
> ------------
> openssl req -x509 -nodes -sha256 -days 3650 -newkey rsa:2048 -keyout squid.key -out squid.crt
> openssl req -new -x509 -key squid.key -out squid.pem
> openssl x509 -in squid.pem -inform pem -out squid.der -outform der
> ------------
>
> Then my config in Squid is like this; the dhparams file I generated as per the instructions in the squid wiki:

First of all: what's Squid's version?

> ------------
> http_port 3128 intercept
> https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid3/ssl_cert/squid.crt key=/etc/squid3/ssl_cert/squid.key options=NO_SSLv3 dhparams=/etc/squid3/ssl_cert/dhparam.pem

Is your squid built with interception support? Show the squid -v output.

> ssl_bump server-first all

This ^^^^^^^^^^^^^^^^^^^^^ option is valid only up to Squid 3.4. If you are using 3.5.x, you should use the new peek-n-splice rules.

> sslproxy_cert_error allow all
> sslproxy_flags DONT_VERIFY_PEER

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Don't do this. Never. This forces squid to ignore (and hide) all security issues with SSL, from the user and from you.

> sslproxy_cipher EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
>
> ------------
>
> The only routing rules I'm using are to forward port 80/443 to 3128/2129 respectively and also a POST_ROUTING "masquerade" rule which I got from a guide (and I'm not sure I 100% understand!)

80/443 should be NATed to squid's box on squid's box.

> Can anyone tell me where I'm going wrong? This is only for use on very small networks (home router + 2 or 3 trusted devices and users) so security between the rPI and the client is not a major concern - I just want it to work in the most simple and foolproof way possible.

You are doing only one thing wrong: you did not give any of the information needed to resolve the issue. At least squid's version and build options.

> Any advice would be very welcome.
>
> Thanks,
>
> Olly
> oliver@xxxxxxxxxxxx
> lennox-it.uk
> tel: 07900 648 252
> _______________________________________________
> squid-users mailing list
> squid-users@xxxxxxxxxxxxxxxxxxxxx
> http://lists.squid-cache.org/listinfo/squid-users

-- 
Bugs to the Future
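The peek-and-splice rules the reply points to, written out as an added squid.conf fragment beside the three lines it objects to. This is not from the thread; the /etc/squid and /var/lib/squid paths, the myCA.pem file name and the ssl_crtd location are assumptions for a Squid 3.5.x build compiled with --with-openssl.

```conf
# --- Weak settings from the quoted config (commented out, not to be used) ---
# ssl_bump server-first all         # Squid <= 3.4 syntax, replaced by peek-and-splice in 3.5
# sslproxy_cert_error allow all     # serves sites with broken certificates as if they were fine
# sslproxy_flags DONT_VERIFY_PEER   # disables verification of the origin server entirely

# --- Corrected for Squid 3.5.x (assumed paths) ---
http_port 3128 intercept
https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/myCA.pem options=NO_SSLv3 dhparams=/etc/squid/ssl_cert/dhparam.pem

# myCA.pem must be a CA certificate (key and cert in one PEM), not a plain self-signed
# server cert, and it must be imported into every client browser's trusted root store;
# otherwise browsers reject the per-site certificates Squid mints. Example generation:
#   openssl req -new -newkey rsa:2048 -sha256 -days 365 -nodes -x509 -extensions v3_ca \
#       -keyout myCA.pem -out myCA.pem

# Helper that mints and caches per-site certificates signed by myCA.pem
# (binary location varies by distribution; initialise the db with ssl_crtd -c -s <dir>)
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB
sslcrtd_children 5

# Peek-and-splice: inspect the ClientHello in step 1, then bump (decrypt) everything.
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all

# With no sslproxy_cert_error / DONT_VERIFY_PEER override, an invalid origin
# certificate now produces a Squid error page instead of being silently passed on.
# CA bundle used to verify origin servers (assumed Debian path).
sslproxy_cafile /etc/ssl/certs/ca-certificates.crt
```

Keeping `sslproxy_cert_error` out of the file is the point: a client behind the proxy then still learns that an origin server's certificate did not verify.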