[squid-users] Re: SSLBump, help to configure for 3.1.0.16

From: Andres Salazar <ndrsslzr80_at_gmail.com>
Date: Tue, 16 Feb 2010 13:54:38 -0600

Hello,

I am still having issues with SSLBump. Apparently I am now getting
this error when I visit an https site with my browser explicitly
configured to use the https_port.

2010/02/16 14:31:14| clientNegotiateSSL: Error negotiating SSL
connection on FD 8: error:1407609B:SSL
routines:SSL23_GET_CLIENT_HELLO:https proxy request (1/-1)

Below is my sanitized config.

acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl localhost src ::1/128
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
acl to_localhost dst ::1/128
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 443 # https
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access allow localhost
http_access deny all
http_port 3128
https_port 3129 sslBump cert=/usr/local/squid/etc/server.crt key=/usr/local/squid/etc/server.key
always_direct allow all
visible_hostname proxy1.komatsu.ca
unique_hostname proxy1.komatsu.ca
hierarchy_stoplist cgi-bin ?
coredump_dir /usr/local/squid/var/cache
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

Notice I didn't use transparent, because I wanted to test it first
without doing it transparent.

I used this to generate the crt and key:
openssl genrsa -out server.key 1024
openssl req -new -key server.key -out /tmp/server.csr
openssl x509 -req -days 1825 -in /tmp/server.csr -signkey server.key -out server.crt

Also, in regards to the transparent option: is it OK if I redirect
ports 443 and 80 from the NAT box to another box on the network via
iptables? Or should both Squid and the NAT gateway be on the same
network?

Thanks

Andres
Received on Tue Feb 16 2010 - 19:54:46 MST
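The reason text in the logged error, "https proxy request", is the string OpenSSL attaches to reason code 0x9B (SSL_R_HTTPS_PROXY_REQUEST). OpenSSL's SSL23_GET_CLIENT_HELLO raises it when the first bytes of a connection that is supposed to start with a TLS handshake are instead the plain-text "CONNECT" a browser sends to an ordinary HTTP proxy. The following is an added example, not code from the post above nor from Squid or OpenSSL: it decodes the packed error number and replays the same first-byte checks over constructed samples (a browser CONNECT request, a minimal TLS ClientHello, an SSLv2-style hello). The host name www.example.com and the sample bytes are made up for illustration.

```python
# Added example, not from the original post or from Squid/OpenSSL.
# Reproduces offline what OpenSSL's ssl23_get_client_hello() decides
# about the first bytes of an inbound connection, and decodes the
# packed error number from the squid log line.

# Constants as defined in OpenSSL 0.9.8/1.0.x headers.
SSL2_MT_CLIENT_HELLO = 1      # SSLv2 message type
SSL3_RT_HANDSHAKE = 0x16      # TLS record type
SSL3_VERSION_MAJOR = 3
SSL3_MT_CLIENT_HELLO = 1      # TLS handshake message type

ERR_LIB_SSL = 20
SSL_F_SSL23_GET_CLIENT_HELLO = 118
SSL_REASONS = {
    155: "https proxy request",   # SSL_R_HTTPS_PROXY_REQUEST (0x9B)
    156: "http request",          # SSL_R_HTTP_REQUEST (0x9C)
}


def decode_openssl_error(code: int) -> tuple:
    """Unpack an old-style OpenSSL error number into (library, function, reason).

    ERR_PACK(lib, func, reason) = (lib << 24) | (func << 12) | reason.
    """
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF


def describe_openssl_error(code: int) -> str:
    """Human-readable reason for the two codes relevant to this thread."""
    lib, func, reason = decode_openssl_error(code)
    if lib != ERR_LIB_SSL or func != SSL_F_SSL23_GET_CLIENT_HELLO:
        return "not an SSL23_GET_CLIENT_HELLO error"
    return SSL_REASONS.get(reason, "reason %d" % reason)


def classify_first_bytes(data: bytes) -> str:
    """Apply the checks ssl23_get_client_hello() runs on the first bytes.

    Order mirrors OpenSSL: SSLv2-compatible hello, then SSLv3/TLS record,
    then the plain-text HTTP methods it recognises, then CONNECT.
    """
    if len(data) >= 3 and (data[0] & 0x80) and data[2] == SSL2_MT_CLIENT_HELLO:
        return "sslv2 client hello"
    if (len(data) >= 6 and data[0] == SSL3_RT_HANDSHAKE
            and data[1] == SSL3_VERSION_MAJOR and data[5] == SSL3_MT_CLIENT_HELLO):
        return "tls client hello"
    if data.startswith((b"GET ", b"POST ", b"HEAD ", b"PUT ")):
        return "http request"           # reason 0x9C
    if data.startswith(b"CONNECT"):
        return "https proxy request"    # reason 0x9B, the one in the log
    return "unknown protocol"


def browser_connect_request(host: str, port: int = 443) -> bytes:
    """Constructed sample: what a browser sends first when it is told to use
    an HTTP proxy for https:// URLs (plain text, no TLS to the proxy)."""
    return ("CONNECT %s:%d HTTP/1.1\r\nHost: %s:%d\r\n\r\n"
            % (host, port, host, port)).encode("ascii")


def tls_client_hello(version: bytes = b"\x03\x01") -> bytes:
    """Constructed sample: a minimal, structurally valid TLS 1.0 ClientHello
    record (one cipher suite, null compression, zeroed random)."""
    body = (version + b"\x00" * 32        # client_version, random
            + b"\x00"                     # empty session id
            + b"\x00\x02\x00\x2f"         # one cipher suite
            + b"\x01\x00")                # null compression
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + version + len(handshake).to_bytes(2, "big") + handshake


if __name__ == "__main__":
    print("0x1407609B ->", decode_openssl_error(0x1407609B),
          describe_openssl_error(0x1407609B))
    samples = {
        "browser CONNECT to https_port": browser_connect_request("www.example.com"),
        "real TLS ClientHello": tls_client_hello(),
        "SSLv2-style hello": b"\x80\x2e\x01\x03\x01",
        "plain GET": b"GET / HTTP/1.1\r\n",
    }
    for name, first_bytes in samples.items():
        print("%-32s %s" % (name, classify_first_bytes(first_bytes)))
```

Running it shows the CONNECT sample landing in the "https proxy request" branch, while only the TLS record passes as a client hello. As a live check from a shell, `openssl s_client -connect proxy1.komatsu.ca:3129` attempts a real TLS handshake against the https_port and will show the server.crt if the port itself is fine, which separates a listener problem from a client that is speaking plain HTTP to it.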

This archive was generated by hypermail 2.2.0 : Thu Feb 18 2010 - 12:00:06 MST