On Sun, 2018-06-10 at 19:55 +1200, Amos Jeffries wrote: On 10/06/18 02:23, James Lay wrote:On Sat, 2018-06-09 at 07:17 -0600, James Lay wrote:On Sun, 2018-06-10 at 01:13 +1200, Amos Jeffries wrote:On 10/06/18 01:02, James Lay wrote:So in my config file I have:sslcrtd_program /opt/libexec/ssl_crtd -s /opt/var/ssl_db -M 4MBHowever I do not see this after compiling and installing. Has this goneaway in 4? Thank you.JamesIt's now called security_file_certgen.<http://www.squid-cache.org/Versions/v4/squid-4.0.24-RELEASENOTES.html#ss2.4>AmosThanks Amos...I'll read this before asking anymore questions ☺So ok...after making the changes to the config to account for newsecurity_file_certgen and tls_outgoing_options (thanks Amos!) I amgreeted with (hostname changed from real):FATAL: mimeLoadIcon: cannot parse internal URL:http://<hostname>:0/squid-internal-static/icons/silk/image.pngThere should be an error about no forward-proxy port as well. Squidrequires at least one port able to receive requests for those URLs fromclients. Port 3128 is normally that port, but you have repurposed it forinterception, which disqualifies it.The hostname in these URLs is taken from that port's IP addressreverse-DNS name, or the proxies public/visible hostname. Whichevermeets the requirement of being resolvable in DNS.Here's my config line:./configure --prefix=/opt/squid --with-openssl=/opt/libressl--sysconfdir=/opt/squid/etc --enable-ssl --enable-ssl-crtd--enable-linux-netfilter --enable-follow-x-forwarded-for--with-large-files --enable-xternal-acl-helpers=noneMissing 'e' on --enable-external-acl-helpers....sslproxy_cert_error allow alltls_outgoing_options capath=/etc/ssl/certs flags=DONT_VERIFY_PEERPlease avoid DONT_VERIFY_PEER and "allow all" for cert errors. They areuseless for both production AND debugging since all they do is hidesecurity issues from *you*.It is best to watch for security issues and fix them. Not just ignoreeverything.Amos_______________________________________________squid-users mailing listsquid-users@xxxxxxxxxxxxxxxxxxxxxhttp://lists.squid-cache.org/listinfo/squid-users Thanks Amos...your insight always helps. You were right on point...I did have the no forward proxy error. After adding an additional http_port squid came right up...thanks again. James |
_______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users
