Hey,

First try to use the next example:
https://github.com/elico/yt-classification-service-example/blob/master/redwood/init-local-rootca.sh
to create a rootCA key and certificate that doesn't require you to use a password.

I have also seen the article you used, and it has two ways to create the rootCA: one with the CA.pl script and the other with the openssl tool. As long as you don't need CA.pl specifically, I would recommend using openssl. It's plain simple to just create a rootCA certificate.

All The Bests,
Eliezer

----
Eliezer Croitoru
Tech Support
Mobile: +972-5-28704261
Email: ngtech1ltd@xxxxxxxxx
Zoom: Coming soon

-----Original Message-----
From: squid-users <squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx> On Behalf Of Majed Zouhairy
Sent: Thursday, April 1, 2021 1:42 PM
To: squid-users@xxxxxxxxxxxxxxxxxxxxx
Subject: compile squid with tumbleweed

Peace,

As part of self-development, we decided that turning on sslbump + splice is a good idea, so how do I install squid with ssl support on tumbleweed?

Answer: it is already compiled with ssl support.

But now I followed:
https://medium.com/@steensply/installing-and-configuring-squid-proxy-for-ssl-bumping-or-peek-n-splice-34afd3f69522
to enable ssl bumping, specifically these commands:

/usr/share/ssl/misc/CA.pl -newca
/usr/share/ssl/misc/CA.pl -newreq
/usr/share/ssl/misc/CA.pl -sign
openssl x509 -in newcert.pem -outform DER -out squidTrusted.der

copied the 3 files to /etc/squid/certs

sudo chown squid:squid -R /etc/squid/certs
sudo /usr/libexec/squid/security_file_certgen -c -s /var/lib/squid/ssl_db -M 4MB
sudo chown squid:squid -R /var/lib/squid
sudo chmod 700 /etc/squid/certs/... (newcrt.pem newkey.pem squidTrusted.der)
sudo squid -z

asks for certificate password, then:

2021/04/01 13:16:57| WARNING: BCP 177 violation. Detected non-functional IPv6 loopback.
Enter PEM pass phrase:
2021/04/01 13:17:03| Created PID file (/run/squid.pid)
zouhairy@proxy:~> 2021/04/01 13:17:03 kid1| WARNING: BCP 177 violation. Detected non-functional IPv6 loopback.
Enter PEM pass phrase:
2021/04/01 13:17:03 kid1| FATAL: No valid signing certificate configured for HTTP_port 0.0.0.0:8080
2021/04/01 13:17:03 kid1| Squid Cache (Version 4.14): Terminated abnormally.
CPU Usage: 0.047 seconds = 0.031 user + 0.016 sys
Maximum Resident Size: 62352 KB
Page faults with physical i/o: 0
2021/04/01 13:17:03 kid1| WARNING: BCP 177 violation. Detected non-functional IPv6 loopback.
Enter PEM pass phrase:
2021/04/01 13:17:03 kid1| FATAL: No valid signing certificate configured for HTTP_port 0.0.0.0:8080
2021/04/01 13:17:03 kid1| Squid Cache (Version 4.14): Terminated abnormally.
CPU Usage: 0.040 seconds = 0.032 user + 0.008 sys
Maximum Resident Size: 62272 KB
Page faults with physical i/o: 0
2021/04/01 13:17:03 kid1| WARNING: BCP 177 violation. Detected non-functional IPv6 loopback.
Enter PEM pass phrase:
2021/04/01 13:17:03 kid1| FATAL: No valid signing certificate configured for HTTP_port 0.0.0.0:8080
2021/04/01 13:17:03 kid1| Squid Cache (Version 4.14): Terminated abnormally.
CPU Usage: 0.042 seconds = 0.008 user + 0.034 sys
Maximum Resident Size: 63360 KB
Page faults with physical i/o: 0
2021/04/01 13:17:03 kid1| WARNING: BCP 177 violation. Detected non-functional IPv6 loopback.
Enter PEM pass phrase:
2021/04/01 13:17:03 kid1| FATAL: No valid signing certificate configured for HTTP_port 0.0.0.0:8080
2021/04/01 13:17:03 kid1| Squid Cache (Version 4.14): Terminated abnormally.
CPU Usage: 0.047 seconds = 0.032 user + 0.016 sys
Maximum Resident Size: 62992 KB
Page faults with physical i/o: 0
2021/04/01 13:17:03 kid1| WARNING: BCP 177 violation. Detected non-functional IPv6 loopback.
Enter PEM pass phrase:
2021/04/01 13:17:03 kid1| FATAL: No valid signing certificate configured for HTTP_port 0.0.0.0:8080
2021/04/01 13:17:03 kid1| Squid Cache (Version 4.14): Terminated abnormally.
CPU Usage: 0.045 seconds = 0.030 user + 0.015 sys
Maximum Resident Size: 62640 KB
Page faults with physical i/o: 0
2021/04/01 13:17:03| Removing PID file (/run/squid.pid)

squid conf:

acl localnet (network/24)
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 8080 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl blockfiles urlpath_regex -i "/etc/squid/blocks.files.acl"
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost
visible_hostname proxy.example.vx
dns_v4_first on
http_access allow localnet
http_access allow localhost
# And finally deny all other access to this proxy
http_access deny all
# Squid normally listens to port 3128
#http_port 8080
#sslproxy_capath /home/zouhairy/demoCA
http_port 8080 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/certs/newcert.pem key=/etc/squid/certs/newkey.pem capath=/home/zouhairy/demoCA
#acl step1 at_step SslBump1
#ssl_bump peek step1
#ssl_bump bump all
#sslcrtd_program /usr/libexec/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 4MB
#sslcrtd_children 5
ssl_bump peek all
ssl_bump splice all
#ssl_bump server-first all
sslproxy_cert_error allow all
tls_outgoing_options options=NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE cipher=HIGH:MEDIUM:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
range_offset_limit 200 MB
maximum_object_size 200 MB
quick_abort_min -1
cache_dir ufs /var/cache/squid 3000 16 256
# Leave coredumps in the first cache dir
coredump_dir /var/cache/squid
cache_mem 1024 MB
netdb_filename none
#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
url_rewrite_extras "%>a/%>A %un %>rm bump_mode=%ssl::bump_mode sni=\"%ssl::>sni\" referer=\"%{Referer}>h\""
url_rewrite_program /usr/local/ufdbguard/bin/ufdbgclient -m 4 -l /var/log/squid/
url_rewrite_children 16 startup=8 idle=2 concurrency=4
#debug_options ALL,1 33,2 28,9

what to change?

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
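Worked example for the advice in this thread (plain openssl instead of CA.pl for the signing CA). This is an added script, not Eliezer's init-local-rootca.sh and not anything shipped by Squid. It creates a root CA whose key has no passphrase, so squid never blocks on "Enter PEM pass phrase:" at startup, then checks the properties the report above trips over: the key loads without a password, the certificate handed to http_port is itself a CA certificate (CA:TRUE, which generate-host-certificates needs in order to sign the mimicked server certificates), and the cert and key are a matching pair. The key size, hash, lifetime, subject fields, file names and the target directory are my choices, not anything from the thread.

```shell
#!/bin/sh
# Added example, not from the squid-users thread or the Squid project.
# Builds a passphrase-less root CA for Squid ssl-bump with plain openssl
# and verifies it. Assumed (my choices): RSA-2048, SHA-256, the subject,
# the file names rootCA.key/rootCA.pem/rootCA.der, and the output directory.
set -eu

# make_rootca DIR CN DAYS: write DIR/rootCA.key (unencrypted), DIR/rootCA.pem
# (CA cert in PEM for squid) and DIR/rootCA.der (same cert for client import).
make_rootca() {
  dir=$1; cn=$2; days=$3
  mkdir -p "$dir"
  # Self-contained req config so the CA extensions do not depend on whatever
  # the distro's default openssl.cnf happens to put in v3_ca.
  cat > "$dir/rootca.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = $cn
O = Example Proxy
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  # -nodes: do not encrypt the private key. A daemon cannot answer an
  # interactive passphrase prompt, which is the FATAL shown in the report.
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days "$days" \
    -config "$dir/rootca.cnf" \
    -keyout "$dir/rootCA.key" -out "$dir/rootCA.pem" 2>/dev/null
  openssl x509 -in "$dir/rootCA.pem" -outform DER -out "$dir/rootCA.der"
  chmod 600 "$dir/rootCA.key"   # this key signs every mimicked cert; keep it private
}

# key_is_unencrypted KEY: succeed only if the key loads with no passphrase.
key_is_unencrypted() {
  ! grep -q ENCRYPTED "$1" && openssl pkey -in "$1" -noout -passin pass: 2>/dev/null
}

# cert_is_ca CERT: the cert given to http_port must be a CA certificate,
# not an end-entity certificate signed by the CA.
cert_is_ca() {
  openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# cert_matches_key CERT KEY: the two files must carry the same public key.
cert_matches_key() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout 2>/dev/null)" ]
}

# squid_port_line DIR: the http_port line to use in squid.conf. Squid 4
# documents the options as tls-cert= / tls-key= (cert= / key= are the old names).
squid_port_line() {
  printf 'http_port 8080 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB tls-cert=%s/rootCA.pem tls-key=%s/rootCA.key\n' "$1" "$1"
}

# Stand-alone use: sh squid-rootca.sh /etc/squid/certs   (hypothetical path)
if [ -n "${1:-}" ]; then
  make_rootca "$1" "Squid Proxy Root CA" 3650
  if key_is_unencrypted "$1/rootCA.key" && cert_is_ca "$1/rootCA.pem" \
     && cert_matches_key "$1/rootCA.pem" "$1/rootCA.key"; then
    echo "OK: CA ready in $1"
    squid_port_line "$1"
  else
    echo "CA check failed in $1" >&2
    exit 1
  fi
fi
```

After running it, chown the directory to the squid user as the report already does, put the printed http_port line in squid.conf in place of the cert=/key= one, run `squid -k parse` to confirm the config loads, and import rootCA.der into the clients. The same three checks can be pointed at the newcert.pem/newkey.pem pair from the CA.pl route to see which property is missing.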