Re: SSL Bump for regex URL comparison

Hello Amos,

The problem is the connections are not getting through. It just acts like there is no WiFi connection. 

Adding the cert db every start up isn’t an issue. 

I was thinking of having a small cert cache locally instead thinking about it since. 

The connections just aren’t being made. No ssl warning. 

Thank you

Joe


On Thu, 16 Nov 2017 at 08:15, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
On 16/11/17 02:32, Joe Foster wrote:
> Good afternoon,
>
> I have a small router onto which I have installed Squid.
>
> I am trying to filter HTTPS urls for bad words on a blocked list.
>
> It will require the client on the safe side of the router to install the
> certificate, this isn't an issue as it's an open process and not an
> illegal MITM attack.
>
> Below is my squid.conf
>
> As you will see I have been playing around with where to put the code
> and what code to put in.
>
> I only have a small amount of flash drive so I have put the auto-gen
> cert directory in /tmp/. I am aware this is volatile memory but until I
> have a better solution I will be doing this.

Since /tmp is subject to random deletion of content you will need to
make sure you always shutdown Squid and re-run the ssl_crtd (etc.)
create command to re-generate the cert DB structures whenever the device
erases its /tmp content. Otherwise your proxy will crash and/or client
connections will start being terminated with strange looking errors.


IMO you would probably be better off setting the cert DB to a very small
size suitable for your limited space - or disabling it entirely [more on
that below].

>
> I have put a firewall rule in to forward 443 to 3128.
>
> https://wiki.squid-cache.org/Features/SslBump
> https://wiki.squid-cache.org/SquidFaq/SquidAcl
>
> I also don't want to cache due to flash drive issues. Is this possible?
>

From the documentation of the SSL-Bump settings:
  <http://www.squid-cache.org/Doc/config/http_port/>
"
   dynamic_cert_mem_cache_size=SIZE
     Approximate total RAM size spent on cached generated
     certificates. If set to zero, caching is disabled. The
     default value is 4MB.
"

> It's the same cert in /root/ and /certs/ before anyone points it out.
>
> Nothing has been appearing in the log files either but this is no
> surprise.
>
> Been up till 1am last few nights on this so your assistance is very
> appreciated.

That sounds like you are having a problem. But I don't see any mention
of what that is exactly.

Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
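
Amos's advice above (re-run the ssl_crtd create command whenever /tmp has been wiped, before Squid starts) as a startup check. This is an added example, not part of the original thread and not Squid project code. The helper path, DB path, DB size and the `--start` switch are assumptions; adjust them to the installation.

```shell
#!/bin/sh
# Added example: rebuild the SSL-Bump certificate DB if /tmp lost it.
# Assumed values (not from the thread): helper path, DB path, DB size.
SSL_CRTD="${SSL_CRTD:-/usr/lib/squid/ssl_crtd}"  # assumed install location
SSL_DB="${SSL_DB:-/tmp/ssl_db}"                  # assumed DB directory in /tmp
SSL_DB_SIZE="${SSL_DB_SIZE:-1MB}"                # small limit for a router

# A usable DB has the layout "ssl_crtd -c" creates: certs/, index.txt, size.
cert_db_ok() {
    [ -d "$1/certs" ] && [ -f "$1/index.txt" ] && [ -f "$1/size" ]
}

# Returns 0 if the DB was intact, 10 if it was rebuilt, 1 if rebuilding failed.
ensure_cert_db() {
    db="$1"
    if cert_db_ok "$db"; then
        return 0
    fi
    # Never run rm -rf on an empty or root path.
    case "$db" in
        ""|"/") echo "refusing to remove '$db'" >&2; return 1 ;;
    esac
    # The create step expects the directory not to exist yet, so clear
    # whatever partial structure the /tmp cleanup left behind.
    rm -rf -- "$db"
    "$SSL_CRTD" -c -s "$db" -M "$SSL_DB_SIZE" >/dev/null || return 1
    cert_db_ok "$db" || return 1
    # The DB must also be writable by the user Squid runs as (not handled here).
    return 10
}

# Run the check and then start Squid only when called with --start, so the
# DB is always repaired while Squid is stopped.
if [ "${1:-}" = "--start" ]; then
    rc=0
    ensure_cert_db "$SSL_DB" || rc=$?
    case "$rc" in
        0)  ;;
        10) echo "certificate DB rebuilt at $SSL_DB" >&2 ;;
        *)  echo "cannot create certificate DB at $SSL_DB" >&2; exit 1 ;;
    esac
    exec squid   # assumes squid is on PATH
fi
```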