Thank you Amos. I will update the Squid config and give Squid-helpers 3.5 a go today and let you know. Do you have any idea why only some TLS 1.2 connections would work with the whitelisting?

Thanks
Jared
DevOps Architect - Practiv

On Tue, Jun 25, 2019 at 9:04 PM Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
>
> On 25/06/19 1:24 pm, Jared Fox wrote:
> > Hi Squid-Users
> >
> > I need your help!
> >
> > So I have been using Squid 3.5.20 (installed on Amazon Linux 2)
> > and it's acting as a transparent SSL proxy with a whitelist of allowed
> > addresses. I want to avoid running a MITM proxy and having to add CA
> > certs to all services/containers etc. Traffic is routed to the Squid
> > instance via a route table to the interface.
> >
> > "Issue 1 - upgrade from 3.5.20 to 4.4.4 (squid-4.4-4.amzn2.0.4.x86_64)"
> >
> > - So my working config below does not work with 4.x but it kind of
> > does for 3.5.x, and it appears that I require the squid-helper package,
> > which doesn't exist for Amazon Linux.
>
> You will have to contact whoever created the package for that.
>
> You should be able to run the v3.5 helpers with a later Squid - but will
> of course not gain any improvements that have been made in the later
> version helpers.
>
> > - When starting Squid it tries to create an SSL database via
> > security_file_certgen, but this shouldn't be needed as I'm providing a
> > self-signed cert that doesn't get used in transparent mode but is a
> > hard dependency in 3.5.
>
> That is a bug, side effect of the helper being started even when not
> needed. As a workaround it should be sufficient to create the DB for the
> helper and leave it not being used.
>
> > "Errors produced:"
> >
> > (security_file_certgen)2019/06/25 00:37:57 kid1| ERROR: No
> > forward-proxy ports configured.
> > 2019/06/25 00:37:57 kid1| ERROR: No forward-proxy ports configured.
>
> That is correct. You only have one port (9091) - which is an intercept port.
> At least one forward-proxy port is needed for a fully functional proxy.
> 3128 is the official one for that.
>
> > 2019/06/25 00:37:57 kid1| storeDirWriteCleanLogs: Starting...
> > : Uninitialized SSL certificate database directory:
> > /var/spool/squid/ssl_db. To initialize, run "security_file_certgen -c
> > -s /var/spool/squid/ssl_db".
> > 2019/06/25 00:37:57 kid1| Finished. Wrote 0 entries.
> > 2019/06/25 00:37:57 kid1| Took 0.00 seconds ( 0.00 entries/sec).
> > 2019/06/25 00:37:57 kid1| FATAL: mimeLoadIcon: cannot parse internal
> > URL: http://ip-10-0-60-70.ec2.internal:0/squid-internal-static/icons/silk/image.png
>
> Side effect of not having a forward-proxy port is that all URLs for
> things clients require fetching from Squid are invalid.
>
> Amos
> _______________________________________________
> squid-users mailing list
> squid-users@xxxxxxxxxxxxxxxxxxxxx
> http://lists.squid-cache.org/listinfo/squid-users
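A pre-flight script for the two conditions Amos points at (an intercept-only port list, and an uninitialised ssl_db), written as an added example for this thread and not code from the list or from the Squid project. It assumes the helper binary path, the Squid run-as user and the squid.conf path given below, all of which vary by package and must be adjusted.

```shell
#!/bin/sh
# Pre-flight for a Squid 4.x intercept/ssl-bump setup (added example).
# Assumed defaults; override via environment if your package differs.
set -eu
CERTGEN="${CERTGEN:-/usr/lib64/squid/security_file_certgen}"   # assumption
SSL_DB="${SSL_DB:-/var/spool/squid/ssl_db}"                    # path from the log above
SQUID_USER="${SQUID_USER:-squid}"                              # assumption

# Return 0 if the config has at least one plain forward-proxy port
# (an http_port/https_port without intercept/tproxy/transparent/accel),
# which is what "ERROR: No forward-proxy ports configured" complains about.
has_forward_port() {
    grep -E '^[[:space:]]*https?_port[[:space:]]' "$1" \
        | grep -vE '[[:space:]](intercept|tproxy|transparent|accel)([[:space:]]|$)' \
        | grep -q .
}

# Number of intercept-style ports, printed for the report.
count_intercept_ports() {
    grep -E '^[[:space:]]*https?_port[[:space:]]' "$1" \
        | grep -cE '[[:space:]](intercept|tproxy|transparent)([[:space:]]|$)' || true
}

# Amos's workaround: create the certificate DB once so the helper can start,
# even though a splice-only configuration never uses it. index.txt is one
# of the files the helper writes when it initialises the directory.
init_ssl_db() {
    if [ -f "$SSL_DB/index.txt" ]; then
        echo "ssl_db already initialised at $SSL_DB"
        return 0
    fi
    "$CERTGEN" -c -s "$SSL_DB"          # exact command the log suggests
    chown -R "$SQUID_USER:$SQUID_USER" "$SSL_DB"
}

# Usage: sh squid-preflight.sh /etc/squid/squid.conf
if [ "$#" -ge 1 ]; then
    conf="$1"
    echo "intercept ports: $(count_intercept_ports "$conf")"
    if has_forward_port "$conf"; then
        echo "forward-proxy port present: OK"
    else
        echo "no forward-proxy port: add e.g. 'http_port 3128' beside the intercept port" >&2
        exit 1
    fi
    init_ssl_db
fi
```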