Search squid archive

Re: Squid Version 3.5.20 Any Ideas

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit

http://i.imgur.com/A153C7A.png


19.07.2017 21:34, Cherukuri, Naresh пишет:

Hi All,

 

I installed Squid version 3.5.20 on RHEL 7 and generated self-signed CA certificates,  My users are complaining about certificate errors. When I looked at cache.log I see so many error messages like below. Below is my squid.conf file. Any ideas how to address below errors.

 

Squid.conf:

 

max_filedesc 4096

visible_hostname pctysqd2prod

logfile_rotate 10

 

access_log stdio:/var/log/squid/access.log squid

 

acl localnet src 172.16.0.0/16

acl backoffice_users src 10.136.0.0/13

acl hcity_backoffice_users src 10.142.0.0/15

acl register_users src 10.128.0.0/13

acl hcity_register_users src 10.134.0.0/15

acl partycity url_regex partycity

 

acl SSL_ports port 443

acl Safe_ports port 80          # http

#acl Safe_ports port 21         # ftp

acl Safe_ports port 443         # https

#acl Safe_ports port 70         # gopher

#acl Safe_ports port 210                # wais

#acl Safe_ports port 1025-65535 # unregistered ports

#acl Safe_ports port 280                # http-mgmt

#acl Safe_ports port 488                # gss-http

#acl Safe_ports port 591                # filemaker

#acl Safe_ports port 777                # multiling http

acl CONNECT method CONNECT

#acl allowed_sites {dst|dstdomain|dstdom_regex|url_regex) "/path/to/file"

acl backoffice_allowed_sites url_regex "/etc/squid/backoffice_allowed_sites"

acl hcity_backoffice_allowed_sites url_regex "/etc/squid/backoffice_allowed_sites"

acl backoffice_blocked_sites url_regex "/etc/squid/backoffice_blocklist"

acl hcity_backoffice_blocked_sites url_regex "/etc/squid/backoffice_blocklist"

acl register_allowed_sites url_regex "/etc/squid/register_allowed_sites"

acl hcity_register_allowed_sites url_regex "/etc/squid/hcity_register_allowed_sites"

 

http_access allow localnet register_allowed_sites

http_access deny backoffice_users backoffice_blocked_sites

http_access deny hcity_backoffice_users backoffice_blocked_sites

http_access allow backoffice_users backoffice_allowed_sites

http_access allow hcity_backoffice_users backoffice_allowed_sites

http_access allow register_users register_allowed_sites

http_access allow hcity_register_users hcity_register_allowed_sites

no_cache deny partycity

http_access deny all

 

#http_access allow manager localhost

#http_access deny manager

 

# Deny requests to certain unsafe ports

http_access deny !Safe_ports

 

# Deny CONNECT to other than secure SSL ports

#http_access deny CONNECT !SSL_ports

http_access  allow CONNECT SSL_ports

# We strongly recommend the following be uncommented to protect innocent

# web applications running on the proxy server who think the only

# one who can access services on "localhost" is a local user

http_access deny to_localhost

 

 

# Example rule allowing access from your local networks.

# Adapt localnet in the ACL section to list your (internal) IP networks

# from where browsing should be allowed

#http_access allow localnet

http_access allow localhost

 

# And finally deny all other access to this proxy

http_access deny all

 

# Squid normally listens to port 3128

http_port 3128 ssl-bump \

key=/etc/squid/pctysquid2sslcerts/pctysquid2prod.pkey \

cert=/etc/squid/pctysquid2sslcerts/pctysquid2prod.crt \

generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

 

acl step1 at_step SslBump1

ssl_bump peek step1

ssl_bump bump all

 

sslproxy_cert_error allow all

always_direct allow all

sslproxy_flags DONT_VERIFY_PEER

 

sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB sslcrtd_children 8 startup=1 idle=1

 

# Uncomment and adjust the following to add a disk cache directory.

#cache_dir ufs /cache/squid 10000 16 256

 

# Leave coredumps in the first cache dir

#rdescoredump_dir /var/spool/squid

coredump_dir /var/log/squid/squid

 

# Add any of your own refresh_pattern entries above these.

refresh_pattern ^ftp:           1440    20%     10080

refresh_pattern ^gopher:        1440    0%      1440

refresh_pattern -i (/cgi-bin/|\?) 0     0%      0

refresh_pattern .               0       20%     4320

 

#url_rewrite_access allow all

#url_rewrite_program /usr/bin/squidGuard -c /etc/squid/squidguard.conf

 

Cache.log

 

2017/07/18 16:05:34 kid1| Error negotiating SSL connection on FD 689: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown (1/0)

2017/07/18 16:05:34 kid1| Error negotiating SSL connection on FD 1114: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown (1/0)

2017/07/18 16:05:37 kid1| Error negotiating SSL connection on FD 146: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown (1/0)

2017/07/18 16:05:41 kid1| Error negotiating SSL connection on FD 252: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown (1/0)

2017/07/18 16:05:41 kid1| Error negotiating SSL connection on FD 36: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown (1/0)



_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users

Attachment: signature.asc
Description: OpenPGP digital signature

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users

[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux