
Can't get Squid configured properly

My goal is to do some local modification through ICAP to websites before they hit my browser. The basics work, but then there is SslBump.

I compiled and installed squid-4.6 on FreeBSD 12 in a jail with --with-openssl and --enable-ssl-crtd, amongst other options.

I created certificates as per:
https://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit

Non-encrypted sites work fine, but no encrypted site works:

"duckduckgo.com has a security policy called HTTP Strict Transport Security (HSTS), which means that Firefox can only connect to it securely. You can’t add an exception to visit this site."

with no advanced option to continue. Other sites give that option, but it finally results in:

"(92) Protocol error (TLS code: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)

SSL Certificate error: certificate issuer (CA) not known: /OU=GlobalSign Root CA - R2/O=GlobalSign/CN=GlobalSign"

In the end all https sites end up directly or indirectly in that error. From what I read in various discussions after searching for these errors, 4.6 should automatically download intermediate certificates.

Some guidance would be welcomed.

Config:
# Local clients allowed to use the proxy
acl localnet src 192.168.0.0/16

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 443         # https

# SslBump processing steps and the list of server names that must not be bumped
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
acl ssl_exclude_domains ssl::server_name "/usr/local/etc/squid/ssl_excl_domains.conf"
ssl_bump splice localhost
ssl_bump peek step1 all
ssl_bump splice ssl_exclude_domains
ssl_bump bump all

http_access deny !Safe_ports
# Only CONNECT tunnels are restricted to SSL_ports; without "CONNECT" this
# rule also denies every plain-HTTP request on port 80.
http_access deny CONNECT !SSL_ports

http_access allow localhost manager
http_access deny manager

http_access allow localnet
http_access allow localhost

http_access deny all

# (both lines truncated as posted)
http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB tls-ce>
sslcrtd_program /usr/local/libexec/squid/security_file_certgen -s /var/squid/cache/ssl_db -M>
sslcrtd_children 5

# No disk/memory caching of responses; this proxy only rewrites via ICAP
cache deny all

coredump_dir /var/squid/cache

refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320

TIA,

Ingo
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
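A squid.conf fragment for the X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY part of the question, added here as an example; it is not from the original post or from the Squid wiki page linked above. The error names GlobalSign Root CA - R2, which is a root certificate, as the unknown issuer. Squid 3.5 and later can fetch a missing intermediate certificate from the server's AIA URL, but a missing root can only come from the trust store Squid has been told to use, and inside a fresh FreeBSD jail OpenSSL's default store is frequently empty. The CA bundle path below is the one installed by the FreeBSD security/ca_root_nss port and is an assumption for this jail; check where the bundle actually lives before using it.

```conf
# Weak "fix" that many posts suggest for this error: it disables origin
# server certificate verification for every bumped site, so a client behind
# the proxy can no longer tell a real server from an attacker on the path.
# Shown only for contrast; keep it commented out (deny is the default).
#sslproxy_cert_error allow all
sslproxy_cert_error deny all

# Correct fix: give Squid a CA bundle to verify origin servers against.
# Path assumed from the FreeBSD security/ca_root_nss port
# (pkg install ca_root_nss); adjust if your jail stores it elsewhere.
tls_outgoing_options cafile=/usr/local/share/certs/ca-root-nss.crt
```

To confirm the bundle itself before touching Squid, run `openssl s_client -connect duckduckgo.com:443 -CAfile /usr/local/share/certs/ca-root-nss.crt` inside the jail and look for "Verify return code: 0 (ok)"; then `squid -k parse` and `squid -k reconfigure`. The separate Firefox HSTS message means the browser does not trust the CA that signs Squid's generated certificates: the CA certificate created per the wiki has to be imported into Firefox under Certificate Authorities, since HSTS sites never offer a click-through.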