Re: SSL bump, SSL intercept, explicit, secure proxy, what is it called?

Thanks for the clarification.

I went back to the squid.conf I was using successfully (without encryption) and changed http_port to https_port and added the cert and key you mentioned.  Since I'm not all that knowledgeable about SSL certs, I had some trouble with squid not liking the keys I provided.  So I eventually found this command to generate what I need:

openssl req -newkey rsa:4096 -x509 -keyout /etc/squid/squid.pem -out /etc/squid/squid.pem -days 365 -nodes

which puts them into the same file, which squid seemed to be ok with.

Then I tried starting another instance of Chrome using:

chrome --proxy-server=https://my-domain-name:8092

but it didn't work.  No errors, nothing unusual.  Chrome simply behaved like there was no proxy configured.  I found documentation on chromium.org that showed the format as:

chrome --proxy-server="https://my-domain-name:8092"

so I tried adding the quotes, but no change.

I then removed the private key from squid.pem and saved it as another file on the Windows computer running Chrome, and added it as a cert.  No problem there, but no change.

My squid.conf is below.  I'm at a loss as far as what to try next.


auth_param digest program /usr/lib/squid/digest_file_auth -c /etc/squid/passwd
auth_param digest realm myrealm
auth_param digest children 2
acl auth_users proxy_auth REQUIRED
acl SSL_ports port 443
acl Safe_ports port 80        # http
acl Safe_ports port 21        # ftp
acl Safe_ports port 443        # https
acl Safe_ports port 70        # gopher
acl Safe_ports port 210        # wais
acl Safe_ports port 1025-65535    # unregistered ports
acl Safe_ports port 280        # http-mgmt
acl Safe_ports port 488        # gss-http
acl Safe_ports port 591        # filemaker
acl Safe_ports port 777        # multiling http
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow auth_users
http_access allow all
#http_port 8092
https_port 8092 cert=/etc/squid/squid.pem key=/etc/squid/squid.pem
cache deny all
access_log none
netdb_filename none
From: Amos Jeffries <squid3@xxxxxxxxxxxxx>
To: squid-users@xxxxxxxxxxxxxxxxxxxxx
Sent: Wednesday, May 24, 2017 7:57 AM
Subject: Re: SSL bump, SSL intercept, explicit, secure proxy, what is it called?

On 24/05/17 13:44, j m wrote:
> I'd like to set up a proxy on a home server so I can use it remotely
> for web browsing; no filtering, nothing fancy, just a pass-through of
> sorts to get around web filters.  That part I've got working.  The
> part I haven't had luck with is encrypting the browser-to-proxy
> connection.  I've found some tutorials online but part of the problem
> is I don't know what this feature is called when searching for
> solutions to problems.
>
> I have squid 3.5.23 on Ubuntu compiled with
>
> '--with-openssl' '--enable-ssl' '--enable-ssl-crtd'
>
> so I believe I'm set there.  However, upon finally getting a
> squid.conf that doesn't cause immediate errors when squid is started,
> I find that the squid process is gone after several seconds and find
> lots of these in syslog:
>
> (squid-1): The ssl_crtd helpers are crashing too rapidly, need help!
>
> I found a suggestion to fix this problem, but it didn't help:
>
> rc-service squid stop
> rm -rf /var/lib/ssl_db
> /usr/lib/squid3/ssl_crtd -c -s /var/lib/ssl_db
> rc-service squid start
>
>
> So firstly, what is the actual name for what I want (encrypting proxy
> to browser)?
>


Some people seem to be calling it "HTTPS", but that is not correct and
thankfully makes it difficult to find the bad info. (that said our own
wiki documents it on the HTTPS page referenced below :-P ).

The current IETF term for it is "TLS explicit proxy". Previously it did
not have a formal term and often got described in words like "TLS proxy"
or sometimes "TLS to the proxy" and variants switching "SSL" for "TLS".
It also has some relation to early forms of "HTTP opportunistic
security" - though that now means an HTTP version of email's STARTTLS
that is quite unrelated to anything Squid supports at present.




> And secondly, any advice on the error?  Or even better, a good
> tutorial on setting this up?  I thought if I follow a configuration
> exactly, I'd be off and running with little problem.
The ssl_crtd helper is not related to TLS explicit proxy. It is a part
of SSL-Bump features for intercepting HTTPS traffic, specifically it is
the part that forges certificates.

You could avoid it entirely by removing the --enable-ssl-crtd build
option if you don't need SSL-Bump features later. Otherwise check the
directory creation and ownership permissions are correct and that Squid
http_port is *not* set up to use ssl-bump features (yet).


The TLS explicit proxy is simply a Squid that uses https_port to receive
proxy traffic, as opposed to http_port. You will need a server
certificate for that, but nothing else special on Squid's side of
things. eg:
  https_port 3128 cert=blah_public.pem key=blah_private.key

The tricky part is getting a browser to talk TLS to anything other than
origin servers.  The details we know of are all at
<http://wiki.squid-cache.org/Features/HTTPS#Encrypted_browser-Squid_connection>.

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
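An added example, not part of the thread or of Squid itself: a small stdlib-only audit of the squid.conf posted above, checking the points Amos raises (https_port with cert/key, no ssl-bump on the listening port) plus the two things a defender would want fixed before exposing the proxy remotely, the fail-open `http_access allow all` ending and the disabled access log. SAMPLE_CONF is a constructed, trimmed copy of the posted config; the finding ids and messages are this example's own.

```python
from typing import Dict, List

# Constructed, trimmed copy of the squid.conf posted in the thread (only the
# directives the checks below look at); example data, not the list's own file.
SAMPLE_CONF = """\
auth_param digest program /usr/lib/squid/digest_file_auth -c /etc/squid/passwd
acl auth_users proxy_auth REQUIRED
acl SSL_ports port 443        # https
acl CONNECT method CONNECT
http_access deny CONNECT !SSL_ports
http_access allow auth_users
http_access allow all
https_port 8092 cert=/etc/squid/squid.pem key=/etc/squid/squid.pem
cache deny all
access_log none
"""

def parse_conf(text: str) -> List[List[str]]:
    """Split squid.conf into [directive, arg, ...] rows, dropping comments."""
    rows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            rows.append(line.split())
    return rows

def audit(text: str) -> Dict[str, str]:
    """Return {finding_id: message} for fail-open and visibility problems."""
    rows = parse_conf(text)
    findings: Dict[str, str] = {}
    access = [r for r in rows if r[0] == "http_access"]
    if access and access[-1][1:] == ["allow", "all"]:  # last rule decides the rest
        findings["fail_open"] = ("last http_access rule is 'allow all': any request the earlier "
                                 "rules leave undecided is admitted; end with 'http_access deny all'")
    for r in (r for r in rows if r[0] in ("http_port", "https_port")):
        opts = dict(o.split("=", 1) for o in r[2:] if "=" in o)   # key=value options
        flags = {o for o in r[2:] if "=" not in o}                 # bare flags like ssl-bump
        if r[0] == "https_port" and not ("cert" in opts and "key" in opts):
            findings["tls_port_without_cert"] = f"https_port {r[1]} lacks cert= and/or key="
        elif r[0] == "https_port" and opts["cert"] == opts["key"]:
            findings["combined_pem"] = (f"cert= and key= both name {opts['cert']}: that file holds the "
                                        "private key, so keep it owned by the squid user, mode 0600")
        if "ssl-bump" in flags:
            findings["ssl_bump"] = (f"{r[0]} {r[1]} enables ssl-bump, which needs the ssl_crtd helper; "
                                    "a TLS explicit proxy (https_port + cert/key) does not")
    if any(r[:2] == ["access_log", "none"] for r in rows):
        findings["no_access_log"] = ("access_log none disables request logging, so a remotely "
                                     "reachable proxy cannot be audited or investigated")
    return findings
```

Running `audit(SAMPLE_CONF)` reports fail_open, combined_pem and no_access_log; swapping the final rule for `http_access deny all` and re-enabling access_log leaves only the combined-PEM permissions note.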