Re: [squid-users] HTTPS proxying

From: Serge Egelman <egelman_at_cs.cmu.edu>
Date: Thu, 31 Jul 2008 08:16:17 -0700

I've removed the password, but that didn't seem to make much difference
other than no longer prompting me at startup.

The other responses mentioned using this in transparent mode. Is that
the only way of doing it? The machine I'm running this on is not on the
local network, and I don't think I'd be able to add a gateway to our lab
machines unless I decided to buy a whole new one.

Thanks,

serge

Henrik Nordstrom wrote:
> On Wed 2008-07-30 at 23:32 -0700, Serge Egelman wrote:
>
>> I'm trying to set up squid to forward SSL connections. I previously had
>> it set up just as a logging proxy for conducting laboratory usability
>> studies (we would configure the browsers on our lab machines to use the
>> proxy, then I could check the logs afterwards to see where people were
>> going). So I know it works for a minimal configuration. I'm working on
>> a study now where I need to inject a self-signed certificate into an SSL
>> session (I'm looking at warning messages), but can't seem to get squid
>> configured correctly (the idea is that we'll have the lab machines
>> configured to use the proxy again).
>
> To unwrap SSL and apply your own certificates when running as a proxy
> you need the sslBump feature making Squid intercept CONNECT requests and
> terminate the SSL locally. But it's unrelated to Squid opening the
> port.
>
> As you seem to have the SSL keys encrypted you need to either start
> Squid interactively using the -N command line option, or tell Squid how
> to retrieve the SSL key encryption password by using the
> ssl_password_program directive in squid.conf.
>
> To avoid this most people keep the keys unencrypted on the server to
> avoid the administrative burden of having to enter the password on each
> restart (including unplanned restarts..). To decrypt an encrypted key use
> the following command:
>
> openssl rsa -in encrypted.pem -out unencrypted.pem
>
> Regards
> Henrik
>

-- 
/*
PhD Candidate
Carnegie Mellon University
"Whoever said there's no such thing as a free lunch was never a grad 
student."
All views contained in this message, either expressed or implied, are 
the views of my employer, and not my own.
*/
Received on Thu Jul 31 2008 - 15:17:23 MDT
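
Related to the advice in the quoted reply about keeping the key unencrypted on the server, here is an added example (not part of the original thread) that reports whether a PEM key still needs a passphrase and, if it does not, whether the file is readable only by its owner. The function names and the sample files are assumptions made for illustration; the samples contain PEM header lines with placeholder bodies.

```shell
#!/bin/sh
# Added example (not from the thread): audit a PEM private key file.

# Report "encrypted", "unencrypted" or "not-a-key" from the PEM headers.
pem_key_state() {
    if grep -q -- '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"; then
        echo encrypted      # PKCS#8 encrypted container
    elif grep -q '^Proc-Type: 4,ENCRYPTED' "$1"; then
        echo encrypted      # traditional OpenSSL format with a passphrase
    elif grep -Eq -- '-----BEGIN ((RSA|EC|DSA) )?PRIVATE KEY-----' "$1"; then
        echo unencrypted
    else
        echo not-a-key
    fi
}

# Succeed only if group and others have no access bits on the file.
key_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# One-line verdict for a key a daemon must read unattended.
audit_key() {
    case $(pem_key_state "$1") in
        encrypted) echo "encrypted: passphrase needed at startup" ;;
        unencrypted)
            if key_is_private "$1"; then
                echo "unencrypted: ok, owner-only permissions"
            else
                echo "unencrypted: FIX permissions (chmod 600)"
            fi ;;
        *) echo "not-a-key"; return 1 ;;
    esac
}

# Constructed samples: real PEM header lines, placeholder bodies (no key material).
demo=$(mktemp -d)
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
    'DEK-Info: AES-256-CBC,00' '' 'PLACEHOLDER' \
    '-----END RSA PRIVATE KEY-----' > "$demo/encrypted.pem"
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'PLACEHOLDER' \
    '-----END RSA PRIVATE KEY-----' > "$demo/unencrypted.pem"
chmod 644 "$demo/unencrypted.pem"
audit_key "$demo/encrypted.pem"
audit_key "$demo/unencrypted.pem"
chmod 600 "$demo/unencrypted.pem"
audit_key "$demo/unencrypted.pem"
```

The check reads only the header lines, so it does not validate the key itself.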
