Re: [squid-users] https with squid

From: Márcio Luciano Donada <mdonada_at_auroraalimentos.com.br>
Date: Fri, 15 Aug 2008 14:52:46 -0300

Guy Helmer wrote:
> Márcio Luciano Donada wrote:
>> Guy Helmer wrote:
>>
>>
>>>> I am also conducting tests with sslBump, but redirecting https
>>>> connections to squid in the firewall (iptables). I am using the
>>>> following in squid.conf:
>>>>
>>>> http_port 3128 transparent sslBump cert=/etc/squid3/ssl/cacert.pem
>>>> key=/etc/squid3/ssl/privkey.pem
>>>>
>>>> Even when directing the browser to the proxy server's IP for https, it
>>>> is not working.
>>>> Some ideas? I am using the version 3.HEAD-CVS
>>>>
>>> It is not possible to transparently proxy HTTPS through the http_port
>>> because the connection starts as SSL, not plaintext HTTP that the
>>> http_port expects.
>>>
>>> You would need an https_port command, like:
>>>
>>> https_port 3129 transparent sslBump cert=... key=...
>>>
>>> and then set your iptables configuration to forward port 443 packets to
>>> squid's 3129 port for transparent HTTPS proxying.
>>>
>>> Hope this helps,
>>> Guy
>>>
>>>
>>
>>
>> Thank you for your reply Guy. I think I'm now on the way, but I had a
>> problem, and the log (cache.log) shows the following error:
>>
>> Ignoring https_port 0.0.0.0:3129 initialization failure due to SSL
>>
>> My squid.conf configuration is:
>>
>> https_port 3129 transparent sslBump cert=/etc/squid3/ssl/cacert.pem
>> key=/etc/squid3/ssl/privkey.pem
>>
>> Key generation:
>>
>> openssl genrsa -des3 -out privkey.pem 2048
>> openssl req -new -x509 -nodes -key privkey.pem -out cacert.pem -days 3650
>>
>> Some ideas?
>>
>>
> This is how I generate my self-signed CA certificate and its
> accompanying key:
>
> openssl req -new -nodes -x509 -keyout ca.key -out ca.crt -days 3650
> openssl req -new -nodes -keyout key.key -out key.req
> openssl ca -policy policy_anything -days 3650 -out key.crt -infiles key.req
>
> It seems you may be missing the step where you sign the request and make
> a certificate.
>
> Guy
>

Guy,

I see that now everything is OK, as in the logs (cache.log) I see the
following message:

Accepting https connections at 0.0.0.0:3129, FD 19

but I still cannot access sites with https. Just a reminder that I have
already redirected https connections to the proxy in the firewall.

-- 
Márcio Luciano Donada <mdonada at auroraalimentos dot com dot br>
Aurora Alimentos - Cooperativa Central Oeste Catarinense
Departamento de T.I.
Received on Fri Aug 15 2008 - 17:53:04 MDT
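As an added example (not code from this thread, nor from the Squid project), the script below carries out the full sequence Guy describes for an sslBump certificate: a self-signed CA, a server key and request, and the signing step that turns the request into a CA-issued certificate. It differs from Guy's commands in two ways: it signs with `openssl x509 -req -CA` instead of `openssl ca`, so no CA directory layout or openssl.cnf `[ ca ]` section is needed, and every key is written with `-nodes`, because a daemon started at boot cannot answer the passphrase prompt that a `genrsa -des3` key requires (the `ENCRYPTED` check at the end catches that case). The output directory, subject names and file names are constructed for this example; the CA key is what every intercepted client will trust, so it is restricted to the owner and should never leave the proxy host. This is a complete, working script under those assumptions.

```shell
#!/bin/sh
# Added example for the squid-users thread above: build a self-signed CA,
# then issue a CA-signed server certificate for https_port ... sslBump.
# Output directory, subject names and file names are constructed here.
set -eu

make_bump_certs() {
    out="${1:-./squid-ssl}"   # constructed default output directory
    days=3650
    mkdir -p "$out"

    # 1. CA key plus self-signed CA certificate. -nodes leaves the key
    #    unencrypted: an unattended daemon cannot answer a passphrase prompt.
    openssl req -new -nodes -x509 -newkey rsa:2048 \
        -keyout "$out/ca.key" -out "$out/ca.crt" -days "$days" \
        -subj "/CN=Example Proxy CA" 2>/dev/null

    # 2. Server key and certificate signing request (CSR).
    openssl req -new -nodes -newkey rsa:2048 \
        -keyout "$out/key.key" -out "$out/key.req" \
        -subj "/CN=proxy.example.internal" 2>/dev/null

    # 3. The signing step: issue key.crt from the CSR under the CA.
    #    `openssl x509 -req -CA` needs no openssl-ca directory layout.
    openssl x509 -req -in "$out/key.req" \
        -CA "$out/ca.crt" -CAkey "$out/ca.key" -CAcreateserial \
        -out "$out/key.crt" -days "$days" 2>/dev/null

    # 4. Private keys readable by the owner only; the CA key signs every
    #    certificate clients will accept, so it must stay on this host.
    chmod 600 "$out/ca.key" "$out/key.key"

    # 5. Confirm the issued certificate chains to the CA before pointing
    #    squid.conf at it (cert=$out/key.crt key=$out/key.key).
    openssl verify -CAfile "$out/ca.crt" "$out/key.crt" >/dev/null
}

# True when a PEM private key carries no passphrase; a key produced with
# `openssl genrsa -des3` would fail this check and squid could not load it.
key_is_unencrypted() {
    ! grep -q "ENCRYPTED" "$1"
}

# Usage: ./make-bump-certs.sh [output-dir]
# make_bump_certs "${1:-./squid-ssl}"
```

The resulting `key.crt` and `key.key` are what go into the `cert=` and `key=` options of `https_port`; `ca.crt` is what has to be installed in the clients' trust stores, or every intercepted https site will show a certificate warning. If the archive's `cache.log` still reports an SSL initialization failure after this, run `key_is_unencrypted` on the key first, since a passphrase-protected key is the most common reason a port fails to initialize.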

This archive was generated by hypermail 2.2.0 : Fri Aug 15 2008 - 12:00:03 MDT