[squid-users] Re: how to configure squid3 transparent web proxy ssl/https? how to block sites using ssl

From: junio <josejunior032_at_gmail.com>
Date: Sun, 1 Sep 2013 17:24:11 -0700 (PDT)

I just did a simple setup using minimal rules. I'm doing tests with the rules
dealing with the handling of SSL certificates. This worked correctly, but a
security error page is always displayed in the browser every time you
connect to a new web page that uses https. After ignoring the security
warning the page opens normally. The certificate cache directory is
working properly too; I saw dynamic certificates being generated. I realized
that some sites like "google.com" do not generate the security
warning in the browser, but to my surprise, when typing "www.google.com",
a new certificate was generated in the cache (/var/lib/squid_ssl_db) and an
"Error code: sec unknown_issuer" was displayed. I'm using "server-first
ssl_bump all"; before, when I put "client-first ssl_bump all", a
different error was displayed. What should I do to fix these errors? Below are
the configuration I'm using and an image of the warning page.
<http://squid-web-proxy-cache.1019090.n4.nabble.com/file/n4661890/shot-2013-09-01_20-01-17.jpg>

https_port 3130 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid3/ssl/ifal.pem
http_port 3129
http_port 3128 intercept

acl rede_ifal src 192.168.0.0/16
always_direct allow all
acl facebook dstdomain .facebook.com .facebook.com.br
#ssl_bump deny facebook
ssl_bump server-first all
#acl certificados_confiaveis dstdomain .google.com .google.com.br .facebook.com .facebook.com.br .bb.com .bb.com.br
#sslproxy_cert_error allow certificados_confiaveis
#acl certificado_ruim ssl_error SQUID_X509_V_ERR_DOMAIN_MISMATCH
#sslproxy_cert_error deny certificado_ruim certificados_confiaveis
#sslproxy_cert_error allow certificado_ruim
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s /var/lib/squid_ssl_db -M 4MB
sslcrtd_children 10
acl https proto https
http_access deny facebook https rede_ifal
http_access allow rede_ifal
http_access deny all
debug_options ALL,1 33,2 28,9

--
View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/how-to-configure-squid3-transparent-web-proxy-ssl-https-how-to-block-sites-using-ssl-tp4661857p4661890.html
Received on Mon Sep 02 2013 - 00:24:54 MDT
