On 25/06/19 1:24 pm, Jared Fox wrote:
> Hi Squid-Users
>
> I need your help!
>
> So I have been using Squid 3.5.20 (installed on Amazon Linux 2)
> and it's acting as a transparent SSL proxy with a whitelist of allowed
> addresses. I want to avoid running a MITM proxy and having to add CA
> certs to all services/containers etc. Traffic is routed to the Squid
> instance via a route table to the interface.
>
> " Issue 1 - upgrade from 3.5.20 to 4.4.4 (squid-4.4-4.amzn2.0.4.x86_64) "
>
> - So my working config below does not work with 4.x but it kind of
> does for 3.5.x, and it appears that I require the squid-helper package
> which doesn't exist for Amazon Linux.

You will have to contact whoever created the package for that.

You should be able to run the v3.5 helpers with a later Squid - but will
of course not gain any improvements that have been made in the later
version helpers.

> - When starting Squid it tries to create an SSL database via
> security_file_certgen, but this shouldn't be needed as I'm providing a
> self-signed cert that doesn't get used in transparent mode but is a
> hard dependency in 3.5.

That is a bug, side effect of the helper being started even when not
needed. As a workaround it should be sufficient to create the DB for the
helper and leave it not being used.

>
> " Errors produced: "
>
> (security_file_certgen)2019/06/25 00:37:57 kid1| ERROR: No
> forward-proxy ports configured.
> 2019/06/25 00:37:57 kid1| ERROR: No forward-proxy ports configured.

That is correct. You only have one port (9091) - which is an intercept
port. At least one forward-proxy port is needed for a fully functional
proxy. 3128 is the official one for that.

> 2019/06/25 00:37:57 kid1| storeDirWriteCleanLogs: Starting...
> : Uninitialized SSL certificate database directory:
> /var/spool/squid/ssl_db. To initialize, run "security_file_certgen -c
> -s /var/spool/squid/ssl_db".
> 2019/06/25 00:37:57 kid1| Finished. Wrote 0 entries.
> 2019/06/25 00:37:57 kid1| Took 0.00 seconds ( 0.00 entries/sec).
> 2019/06/25 00:37:57 kid1| FATAL: mimeLoadIcon: cannot parse internal
> URL: http://ip-10-0-60-70.ec2.internal:0/squid-internal-static/icons/silk/image.png

Side effect of not having a forward-proxy port is that all URLs for
things clients require fetching from Squid are invalid.

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
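The two fixes Amos points at (add a forward-proxy port next to the intercept port; pre-create the certgen DB so the helper has something to open) are easy to get wrong in a config that has grown a few commented-out lines. The script below is an added example, not code from the thread or from the Squid project: it lints a squid.conf for an intercept-only port layout, checks whether the ssl_db directory has been initialised, and shows a broken and a corrected config side by side. The two config files, the certificate path, the ACL name and the working directory are constructed for the example; the only facts taken from the thread are port 9091 as the intercept port, 3128 as the forward-proxy port, /var/spool/squid/ssl_db as the DB path and the `security_file_certgen -c -s` initialisation command. That the initialised DB contains an index.txt file is an assumption about the helper's on-disk layout.

```shell
#!/bin/sh
# Added example (not from the thread or the Squid project). Checks a squid.conf
# for the condition Amos describes: only an intercept port configured, so Squid 4
# logs "ERROR: No forward-proxy ports configured" and builds internal URLs with
# port 0 (the mimeLoadIcon FATAL). Also checks whether the security_file_certgen
# DB has been created, the workaround for the helper being started when unused.
set -u

# Exit 0 if the config has at least one http_port/https_port line that is not an
# intercept/tproxy port, i.e. a forward-proxy port. Comments are stripped first,
# so a commented-out "# http_port 3128" does not count.
has_forward_proxy_port() {
    sed -e 's/#.*//' "$1" \
      | grep -E '^[[:space:]]*https?_port[[:space:]]' \
      | grep -Ev '[[:space:]](intercept|tproxy|transparent)([[:space:]]|$)' \
      | grep -q .
}

# Exit 0 if the certgen DB directory looks initialised. Assumption: the index
# file written by "security_file_certgen -c -s <dir>" is <dir>/index.txt; an
# empty directory is what produces "Uninitialized SSL certificate database".
ssl_db_initialized() {
    [ -f "$1/index.txt" ]
}

WORK=$(mktemp -d)                 # constructed scratch location
BROKEN_CONF=$WORK/squid-broken.conf
FIXED_CONF=$WORK/squid-fixed.conf
SSL_DB=$WORK/ssl_db               # stands in for /var/spool/squid/ssl_db
mkdir -p "$SSL_DB"                # exists but has never been initialised

# Constructed sample: the shape from the original post. One intercept port,
# a self-signed cert that is never used for bumping, whitelist spliced through.
# The cert path and ACL name are assumptions.
cat > "$BROKEN_CONF" <<'EOF'
# http_port 3128          <- commented out, so it does not count
https_port 9091 intercept ssl-bump cert=/etc/squid/selfsigned.pem
acl whitelist ssl::server_name .example.com
ssl_bump peek all
ssl_bump splice whitelist
ssl_bump terminate all
EOF

# Constructed sample: the corrected shape. 3128 is the forward-proxy port Amos
# names; it only has to be configured for internal URLs to be valid, so
# restrict who can reach it with http_access / your firewall as appropriate.
cat > "$FIXED_CONF" <<'EOF'
http_port 3128
https_port 9091 intercept ssl-bump cert=/etc/squid/selfsigned.pem
acl whitelist ssl::server_name .example.com
ssl_bump peek all
ssl_bump splice whitelist
ssl_bump terminate all
EOF

report() {
    if has_forward_proxy_port "$1"; then
        echo "$1: forward-proxy port present"
    else
        echo "$1: intercept-only; Squid 4 will log 'No forward-proxy ports configured'"
    fi
}

report "$BROKEN_CONF"
report "$FIXED_CONF"

if ssl_db_initialized "$SSL_DB"; then
    echo "$SSL_DB: certgen DB initialised"
else
    # Amos's workaround: create the DB once so the helper starts cleanly even
    # though the intercept/splice setup never uses it. Not run here; the real
    # path on the poster's box is /var/spool/squid/ssl_db.
    echo "$SSL_DB: not initialised; run: security_file_certgen -c -s $SSL_DB"
fi
```

Run it once against your real squid.conf by pointing `has_forward_proxy_port` at /etc/squid/squid.conf; if it fails, add a plain `http_port 3128` line and re-run `squid -k parse` before restarting.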