[squid-users] https_port

2017-06-07 Thread Adiel Plasencia Herrera
Hello,

Could you help me with a configuration of my squid that I want to implement?

My proxy passes all traffic to a parent proxy and I want clients to connect to my proxy via https.

Can you help me with how to implement the connection to my proxy via https?

To better explain what I want, I attached 2 pictures. The image named 1.jpg shows my proxy configuration with type HTTP, which connects well to the internet.

What I want is for the connection to my proxy to be in the form of the 2.jpg image, which uses the HTTPS type.

Or, if it is possible, keep both forms.

This is my current configuration:

acl trabajadores src 10.5.7.3 10.5.7.5

acl SSL_ports port 443
acl Safe_ports port 3128        # proxy server
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

http_access allow trabajadores
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny all

http_port 3128

cache_peer 10.5.7.2 parent 3128 0 no-query default login=PASS

forwarded_for on

#hierarchy_stoplist cgi-bin ?

cache_swap_low 90
cache_swap_high 95

#update_headers on
cache_mem 128 MB
#cache_access_log
cache_dir ufs /var/spool/squid3 512 16 256

access_log daemon:/var/log/squid3/access.log squid
cache_log /var/log/squid3/cache.log
cache_store_log daemon:/var/log/squid3/store.log

refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320

cache_mgr ad...@example.com
#visible_hostname proxy.example.com
#unique_hostname proxy.example.com

nonhierarchical_direct off

dns_nameservers 10.5.7.2
coredump_dir /var/spool/squid3

max_filedescriptors 3200
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] https_port

2017-06-07 Thread Amos Jeffries

On 08/06/17 03:28, Adiel Plasencia Herrera wrote:


Hello,

They would help me with a configuration of my squid that I want to 
implement.


My proxy passes all traffic to a parent proxy and I want clients to 
connect to my proxy via https.


Can you help me how to implement the connection to my proxy via https?

To better explain what I want attached 2 pictures. The image with 
1.jpg name shows my proxy configuration with type HTTp that connects 
well to internet.


What I want is for the connection to my proxy to be by the form of the 
2.jpg image that uses the HTTPS type.


Or if it is possible then leave the 2 forms.


What operating system are you using, and what applications are you 
wanting to use this proxy connection?


The normal configuration is simply to add an https_port line with cert= 
parameter to your squid.conf. More details on that below.






This is my current configuration:
acl trabajadores src 10.5.7.3 10.5.7.5





http_access allow trabajadores
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports


Your custom http_access rules ("allow trabajadores") should be down here, 
after the basic security checks.



http_access deny all


http_port 3128


The above port is for receiving plain-text connections to the proxy. 
Most software supports this, with a few exceptions (usually Java apps).



To accept TLS connections to the proxy (not HTTPS *over* the proxy), 
what you do is add an https_port line here. That https_port line needs a 
cert= parameter containing the proxy server certificate. You may need 
other TLS/SSL parameters to fine tune what the TLS does, but just start 
with getting that basic setup to work.

 

For example:
  https_port 3129 cert=/etc/squid/proxy.pem

(the proxy.pem file here contains both the public server cert and 
private server key for that cert).


Many GUI applications (most notably browsers) do not support this type 
of connection to a proxy (or not well if they do). Which is where the 
Q's about your OS and applications come in. You may need to setup 
environment variables or PAC files to get the applications to work.



Note that this is a *very* different situation from intercepting port 443 
traffic. Much more different than port 3128 vs. intercepted port 80. 
HTTPS traffic goes through these TLS proxy connections with 
double-layered encryption, so this setup does *not* magically make the 
proxy able to see inside HTTPS, if that is what you are really after.


Amos

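The configuration above, rearranged the way Amos describes, as an added example that is not from the original post or from the Squid project: the generic safety checks come before the site-specific allow rule, and a TLS listener is added beside the plain-text one so that both client setups from the two pictures keep working. Port 3129 and /etc/squid/proxy.pem are the values from Amos's example line; the ACL names and the parent proxy line are the poster's own, and the remainder of the poster's squid.conf is unchanged.

```conf
# Generic safety checks first: refuse unsafe ports and CONNECT to non-TLS
# ports before any site-specific rule gets a chance to allow the request.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow trabajadores
http_access deny all

# Plain-text listener (the 1.jpg setup); keep it for clients that cannot
# speak TLS to a proxy.
http_port 3128

# TLS listener (the 2.jpg setup): the client's connection to the proxy
# itself is encrypted. proxy.pem holds the server certificate and its
# private key; the HTTPS requests tunnelled through it stay encrypted
# end to end, the proxy does not see inside them.
https_port 3129 cert=/etc/squid/proxy.pem

# Upstream is unchanged: everything still goes to the parent.
cache_peer 10.5.7.2 parent 3128 0 no-query default login=PASS
```

Once Squid has reloaded, check the new listener from a client with `openssl s_client -showcerts -connect <proxy>:3129` (the command used later in this thread): the certificate it prints must be the one in proxy.pem, and the handshake must complete before you point a browser at port 3129 as an HTTPS-type proxy.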


[squid-users] https_port question

2015-05-19 Thread Alex Samad
Hi

Looking at http://www.squid-cache.org/Doc/config/https_port/

I am trying to work out where I place intermediary CA certs.

I am setting up a reverse proxy setup, trying to terminate the SSL here.

cert=  points to SSL certificate PEM file, this seems to be a public
and private combo file. can I also place intermediary here ?

Alex


[squid-users] https_port and capath

2017-03-28 Thread senor
Previous questions on this list referred to using the capath= option of the 
https_port directive to fill in certificates missing from the chain to the root 
CA trusted by the clients. I cannot seem to get that to work.

I see no error in parsing even with debug on (debug section 3,9). The directive 
is read and no error is produced, but there is also no hint that the file pointed 
to by capath is used for anything. The SSL negotiation is not changed. The same 2 
certs are passed: just the signing cert and the signed cert.

directive:
 https_port 192.168.12.10:8443 intercept ssl-bump \
  cert=/etc/squid/mitm.crt key=/etc/squid/mitm.key \
  cafile=/etc/squid/mitm_chain.crt generate-host-certificates=on \
  dynamic_cert_mem_cache_size=32MB name=mitm

The RootCA.crt is trusted by clients.
The Root CA signed intermediate1
Intermediate1 signed intermediate2
cert=intermediate2
cafile=intermediate1

This command succeeds:
openssl verify -CAfile RootCA.crt -untrusted intermediate1.crt 
intermediateL2.crt
If the untrusted intermediate1 is added to client the MITM works.

I realize this wouldn't be used very often and I'd prefer not using it myself 
but it is necessary in this case. 
Any hints?
Thanks in advance,
Senor


Re: [squid-users] https_port question

2015-05-19 Thread Amos Jeffries
On 20/05/2015 4:36 p.m., Alex Samad wrote:
> Hi
> 
> Looking at http://www.squid-cache.org/Doc/config/https_port/
> 
> I am trying to work out where I place intermediary CA certs.

Putting them in the file pointed to by the cacert= parameter seems to work for some.


> 
> I am setting up a reverse proxy setup, trying to terminate the SSL here.
> 
> cert=  points to SSL certificate PEM file, this seems to be a public
> and private combo file. can I also place intermediary here ?

You can place any or all of the server keys in there. But due to
oddities in the OpenSSL API you need both the cert= and cacert=
https_port parameters pointing at it to use the intermediary ones inside.

Amos



[squid-users] HTTPS_PORT AND SSL CERT

2020-05-26 Thread Julien TEHERY
Hi there,

I'm currently facing a problem with Squid 4.6-1 (Debian 10).
I'm using squid with the https_port directive, using an SSL certificate (a real 
one, not self-signed).

Here is the simple setup:

https_port X.X.X.X:8443 tls-cert=/etc/squid/mywildcard.com.pem

The fact is that this setup works for all Firefox versions using a proxy.pac file 
for HTTPS connections to the squid server.
But for Chrome this is quite different. Indeed Chrome uses the system's proxy 
settings, and I noticed that sometimes it would work and sometimes it would 
fail.
To make it work all the time I had to add my intermediate certificate (Thawte) 
to the local store, so that means the intermediate certificate has not been 
delivered by the squid server as it should.

The pem file in the above setup already contains this (the pem file was made by 
concatenating the private key, cert, intermediate and root CA). I also tried the 
following syntax:

https_port X.X.X.X:8443 cert=/etc/squid/mywildcard..com.cer \
 key=/etc/squid/mywildcard.com.key \
 cafile=/etc/squid/mywildcard..com-intermediaire.txt

but each time I try to see with the openssl client whether my intermediate is 
delivered, it's not.
I use "openssl s_client -showcerts -connect myproxy.com:8443"

If I do the same thing on an Apache server with the same certificate files I 
can see both the certificate and the intermediate. Why isn't squid able to show 
it? Did I miss something?


Thanks for your help


Re: [squid-users] https_port and capath

2017-04-03 Thread Amos Jeffries
On 29/03/2017 11:07 a.m., senor wrote:
> Previous questions on this list referred to using the capath= option
> to https_port directive to fill in certificates missing in the chain
> to the Root CA trusted by the clients. I can not seem to get that to
> work.
> 
> I see no error in parsing even with debug on (debug section 3,9). The
> directive is read and no error produced but also no hint that the
> file pointed to by capath is used for anything. The SSL negotiation
> is not changed. The same 2 certs are passed. Just the signing cert
> and the signed cert.
>
> directive:
> https_port 192.168.12.10:8443 intercept ssl-bump \
>  cert=/etc/squid/mitm.crt key=/etc/squid/mitm.key \
>  cafile=/etc/squid/mitm_chain.crt generate-host-certificates=on \
>  dynamic_cert_mem_cache_size=32MB name=mitm
> 
> The RootCA.crt is trusted by clients.
> The Root CA signed intermediate1
> Intermediate1 signed intermediate2
> cert=intermediate2
> cafile=intermediate1
> 
> This command succeeds:
> openssl verify -CAfile RootCA.crt -untrusted intermediate1.crt 
> intermediateL2.crt
> If the untrusted intermediate1 is added to client the MITM works.
> 
> I realize this wouldn't be used very often and I'd prefer not using it myself 
> but it is necessary in this case. 
> Any hints?

The cert= and key= parameters are used by the cert generator.

The cafile= parameter and the generator output are used by the
verification and maybe sent to the client.

So your PEM file in *both* cert= and cafile= need to contain the whole
chain of intermediates.

Amos


[squid-users] Https_port with "official" certificate

2016-08-24 Thread Samuraiii
Hello,
I am trying to set up squid as an SSL-protected proxy for a few users, without
any intention to use ssl-bumping or any other MITM technique.
I just want to have an SSL-secured connection between browser and proxy.
The proxy will not be "transparent" and will be using a PAC file for
configuration and PAM for authentication.
I want to avoid any "other software" alternative such as stunnel etc.
I also have (for the server involved) a valid "Let's Encrypt" certificate which
I would like to use for this.
What can I do to achieve this on squid 3.5?

With thanks
S



[squid-users] https_port Listen on different IP

2018-10-19 Thread houheming
Hi squid-users,

I have to use squid in a very uncommon way; here it is:

1.   Configure squid to be an https tproxy proxy;

2.   For some https server IPs, configure squid to send the client browser
certificates signed by some specific root CAs;

3.   For other https server IPs, configure squid to send the client browser
certificates signed by the default root CA;

Here is part of my squid.conf:

#default root CA for default https servers

https_port 443 tproxy ssl-bump cert=/usr/local/squid/server.crt \
 key=/usr/local/squid/server.key version=1 generate-host-certificates=on

#for special server baidu.com

https_port 180.97.33.107:443 tproxy ssl-bump \
 cert=/usr/local/squid/server_baidu.crt key=/usr/local/squid/server_baidu.key \
 version=1 generate-host-certificates=on

https_port 180.97.33.108:443 tproxy ssl-bump \
 cert=/usr/local/squid//server_baidu.crt \
 key=/usr/local/squid/server_baidu.key version=1 \
 generate-host-certificates=on

 

 

The problem is that if I configure squid like this, line 2 and line 3 will
never work; if I swap line 1 with line 2 and line 3 (put line 2 and line 3
above line 1 in squid.conf), then only line 2 and line 3 get their chance to
work, and line 1 will not work.

From the screenshot, you can see that when I use "squid -k parse" to check
squid.conf, it shows that it will initialize three SSL contexts, but if you
check the port, only the first SSL context is initialized.

 

Any help will be appreciated!

 

Horise Hou

 



Re: [squid-users] HTTPS_PORT AND SSL CERT

2020-05-26 Thread Amos Jeffries
On 26/05/20 7:24 pm, Julien TEHERY wrote:
> To make it work all the time i had to add my intermediate certificate
> (thawte) in the local store, so that means intermediate certificate has
> not been delivered by the squid server as it should.

The experimental GnuTLS support in Debian package does not yet support
certificate chains. That is still some ways off.

For now if there is a chain with intermediate certificates you still
need to use an OpenSSL build of Squid.

Amos


Re: [squid-users] HTTPS_PORT AND SSL CERT

2020-05-26 Thread Ronan Lucio
If your server listens on a public IP, you can use a valid certificate.


Re: [squid-users] HTTPS_PORT AND SSL CERT

2020-05-26 Thread Julien TEHERY
It's already the case: the server has a public IP and a valid cert.
As Amos says, it is related to the GnuTLS implementation, which is experimental. 
Squid has to be built with OpenSSL to support certificate chains.


Re: [squid-users] HTTPS_PORT AND SSL CERT

2020-05-27 Thread Julien TEHERY
Unfortunately, I've just compiled and built deb packages for a fresh new squid 4.11.
Now SSL support should be fully operational, but the certificate is still not 
showing the intermediate.

I just tried https_port 8443 tls-cert=/etc/squid/wildcard.mycompany.com.pem
where in the pem file I have, in this precise order:

  *   cert key
  *   server cert
  *   intermediate cert

The openssl client shows only the cert issuer, whereas it should show both.
Did I miss something?


Re: [squid-users] HTTPS_PORT AND SSL CERT

2020-05-27 Thread Julien TEHERY
I retried every possible order in the pem file.
From my workstation, if I do "openssl s_client -showcerts -connect 
mysquid.mycompany.com:8443" I only get one certificate/issuer, but the same 
command on the same server on a different port (Apache listening on 443) 
correctly gives me 2 certificates/issuers.

I should clarify that my https configuration isn't for ssl_bump purposes but only 
to provide secure access to the http proxy through the WAN with a valid certificate.
Do some of you use complete certificates (including intermediate) with 
squid? If yes, please tell me how you made it work.
I have the latest stable squid version built with OpenSSL support.

If squid isn't able to do that, as we do with so many other pieces of software, I 
should consider using an haproxy server or an Apache reverse proxy in front of 
squid to handle the SSL cert correctly.

Regards,



Re: [squid-users] HTTPS_PORT AND SSL CERT

2020-05-28 Thread Matus UHLAR - fantomas

On 28.05.20 06:32, Julien  TEHERY wrote:

I retried every possible order in the pem file. From my
workstation, if I do "openssl s_client -showcerts -connect
mysquid.mycompany.com:8443" I only get one certificate/issuer, but the same
command on the same server on a different port (Apache listening on 443)
correctly gives me 2 certificates/issuers.

I should clarify that my https configuration isn't for ssl_bump purposes but only to 
provide secure access to the http proxy through the WAN with a valid certificate.
Do some of you use complete certificates (including intermediate) with 
squid? If yes, please tell me how you made it work.
I have the latest stable squid version built with OpenSSL support.


You apparently need to provide a concatenated list of your squid certificate and
the intermediate certificate that signed your squid certificate.

You don't need to provide the root certificate that signed the intermediate
certificate, since browsers need to have that certificate installed already
(otherwise they wouldn't trust the certificate at all).


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
- Have you got anything without Spam in it?
- Well, there's Spam egg sausage and Spam, that's not got much Spam in it.


Re: [squid-users] HTTPS_PORT AND SSL CERT

2020-05-28 Thread Julien TEHERY
Yes, that's what I did. As I explained before, I provided squid with a pem file 
containing:

  *   server key
  *   server cert
  *   intermediate cert

with, in squid.conf:

https_port 8443 tls-cert=path/to/my/wildcard.pem

I did not try to add the root cert, as I'm aware it's not necessary.

I've spent so many hours on something that should work quickly.
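The three certificate-chain threads above (senor's ssl-bump chain, Alex's reverse-proxy intermediates and Julien's intermediate that never reached the browser) all come down to one check: does the bundle handed to https_port make the server send the intermediate, and does a client that trusts only the root then accept what was sent? The Go program below is an added example, not code from the Squid project or from any poster. It generates a throw-away root, intermediate and leaf in memory (constructed test data; the names are made up), writes the PEM bundle in the orders discussed above, loads it with Go's generic TLS server loader (not Squid's own loader, whose GnuTLS build is exactly what Amos says cannot send chains), and then verifies the result the way a browser or `openssl verify -CAfile RootCA.crt -untrusted intermediate1.crt` would.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// issue makes a certificate for cn: self-signed when parent is nil (the root CA),
// otherwise signed with parent's key, as a CA signs an intermediate or a leaf.
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage, tmpl.DNSNames = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, []string{cn}
	}
	if parent == nil { parent, parentKey = tmpl, key } // self-signed root
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil { panic(err) }
	cert, err := x509.ParseCertificate(der)
	if err != nil { panic(err) }
	return cert, key
}

// bundlePEM writes one PEM file in the given order: private key first, then the
// certificates, the layout the posters above used for tls-cert= / cert=.
func bundlePEM(key *ecdsa.PrivateKey, certs ...*x509.Certificate) []byte {
	der, err := x509.MarshalECPrivateKey(key)
	if err != nil { panic(err) }
	out := pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: der})
	for _, c := range certs {
		out = append(out, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw})...)
	}
	return out
}

// checkBundle plays both sides. Server side: the bundle is loaded as a TLS server
// loads it; the first CERTIFICATE block is the leaf and must match the key, every
// later block is sent after it (the list `openssl s_client -showcerts` prints back).
// Client side: the leaf must chain to a trusted certificate using only the
// intermediates the server sent, which is what `openssl verify -CAfile RootCA.crt
// -untrusted intermediate1.crt` checks. Returns how many certificates were sent.
func checkBundle(bundle []byte, dnsName string, trusted ...*x509.Certificate) (int, error) {
	pair, err := tls.X509KeyPair(bundle, bundle) // one file holds both certs and key
	if err != nil { return 0, err }
	var sent []*x509.Certificate
	for _, der := range pair.Certificate {
		c, err := x509.ParseCertificate(der)
		if err != nil { return 0, err }
		sent = append(sent, c)
	}
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range trusted {
		roots.AddCert(c)
	}
	for _, c := range sent[1:] {
		inter.AddCert(c)
	}
	_, err = sent[0].Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter, DNSName: dnsName})
	return len(sent), err
}

func main() {
	root, rootKey := issue("Example Root CA", true, nil, nil)
	inter, interKey := issue("Example Intermediate CA", true, root, rootKey)
	leaf, leafKey := issue("proxy.example.test", false, inter, interKey)
	for _, tc := range []struct {
		name    string
		bundle  []byte
		trusted []*x509.Certificate
	}{
		{"key, leaf, intermediate; client trusts root", bundlePEM(leafKey, leaf, inter), []*x509.Certificate{root}},
		{"key, leaf only; client trusts root", bundlePEM(leafKey, leaf), []*x509.Certificate{root}},
		{"key, leaf only; intermediate added to client store", bundlePEM(leafKey, leaf), []*x509.Certificate{root, inter}},
		{"key, intermediate, leaf (wrong order)", bundlePEM(leafKey, inter, leaf), []*x509.Certificate{root}},
	} {
		n, err := checkBundle(tc.bundle, "proxy.example.test", tc.trusted...)
		fmt.Printf("%-54s sent=%d verify=%v\n", tc.name, n, err)
	}
}
```

Run it with `go run`. The first line is the working setup Matus describes (leaf plus intermediate, root in the browser). The second line reproduces what Julien saw with `openssl s_client`: one certificate sent, verification fails. The third line is his workaround, the intermediate dropped into the client's local store, which hides the server-side problem rather than fixing it. The last line shows that order inside the file matters to a generic TLS loader: with the intermediate before the leaf the bundle is rejected at load time because the first certificate does not match the key.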


Re: [squid-users] Https_port with "official" certificate

2016-08-24 Thread Antony Stone
On Wednesday 24 August 2016 at 13:09:52, Samuraiii wrote:

> Hello,
> I am trying to setup squid as SSL protected proxy for few users without
> any intention to use ssl-bumping or any other MITM technique.
> I just want to have SSL secured connection between browser and proxy.
> Proxy will not be "transparent" and will be using PAC file for
> configuration and PAM for authentication.
> I want to avoid any "other software" alternative as stunnel etc...
> I also have (for server involved) valid "Lets encrypt" certificate which
> I would like to use for this.
> What can I do to achieve this on squid 3.5?

Unfortunately it's not Squid that's the challenge - it's the browser.

If you're using Firefox and/or Chrome, you should be okay.

See "Encrypted browser-Squid connection" at the bottom of
http://wiki.squid-cache.org/Features/HTTPS


Antony.

-- 
Wanted: telepath.   You know where to apply.

   Please reply to the list;
 please *don't* CC me.


Re: [squid-users] Https_port with "official" certificate

2016-08-24 Thread Samuraiii
On 24.8.2016 13:18, Antony Stone wrote:
> Unfortunately it's not Squid that's the challenge - it's the browser.
>
> If you're using Firefox and/or Chrome, you should be okay.
>
> See "Encrypted browser-Squid connection" at the bottom of
> http://wiki.squid-cache.org/Features/HTTPS
>
>
> Antony.
>
I have seen that; it is the reason for my subscription to this list.
I haven't been able to find any usable hints.
My config attempt fails:


acl SSL_ports port 443
acl Safe_ports port 80  # http
acl Safe_ports port 21  # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70  # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 901 # SWAT
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access deny to_localhost

auth_param basic program /usr/libexec/squid/basic_pam_auth
auth_param basic children 5
auth_param basic realm Proxy Authentication Required
auth_param basic credentialsttl 2 hours

acl authenticated proxy_auth REQUIRED
http_access allow authenticated
http_access deny all

https_port 8443 \
cert=/etc/letsencrypt/live/sklad.duckdns.org/cert.pem \
key=/etc/letsencrypt/live/sklad.duckdns.org/key.pem \
cleintca=/etc/letsencrypt/live/sklad.duckdns.org/fullchain.pem \
tls-dh=/etc/ssl/certs/dhparam.pem \
sslproxy_options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE \
cipher=HIGH
cache_dir aufs /var/cache/squid 512 16 256
coredump_dir /var/cache/squid
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320


Re: [squid-users] Https_port with "official" certificate

2016-08-24 Thread Antony Stone
On Wednesday 24 August 2016 at 13:42:16, Samuraiii wrote:

> On 24.8.2016 13:18, Antony Stone wrote:
> > 
> > See "Encrypted browser-Squid connection" at the bottom of
> > http://wiki.squid-cache.org/Features/HTTPS
> 
> I have seen that, it is the cause of my subscription to this list.
> I haven't been able to find any usable hints.
> My config attempt fails

Please give more details for "fails".

Is the following your entire squid.conf (except for comments)?

Have you tried getting SSL access to Squid working before introducing 
authentication?

What are you trying, to test this, and what are the results?


Regards,


Antony.

> acl SSL_ports port 443
> acl Safe_ports port 80  # http
> acl Safe_ports port 21  # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70  # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535  # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl Safe_ports port 901 # SWAT
> acl CONNECT method CONNECT
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localhost manager
> http_access deny manager
> http_access deny to_localhost
> 
> auth_param basic program /usr/libexec/squid/basic_pam_auth
> auth_param basic children 5
> auth_param basic realm Proxy Authentication Required
> auth_param basic credentialsttl 2 hours
> 
> acl authenticated proxy_auth REQUIRED
> http_access allow authenticated
> http_access deny all
> 
> https_port 8443 \
> cert=/etc/letsencrypt/live/sklad.duckdns.org/cert.pem \
> key=/etc/letsencrypt/live/sklad.duckdns.org/key.pem \
> cleintca=/etc/letsencrypt/live/sklad.duckdns.org/fullchain.pem \
> tls-dh=/etc/ssl/certs/dhparam.pem \
> sslproxy_options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE \
> cipher=HIGH
> cache_dir aufs /var/cache/squid 512 16 256
> coredump_dir /var/cache/squid
> refresh_pattern ^ftp:           1440    20%     10080
> refresh_pattern ^gopher:        1440    0%      1440
> refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
> refresh_pattern .               0       20%     4320

-- 
#define SIX 1+5
#define NINE 8+1

int main() {
printf("%d\n", SIX * NINE);
}
- thanks to ECB for bringing this to my attention

   Please reply to the list;
 please *don't* CC me.


Re: [squid-users] Https_port with "official" certificate

2016-08-24 Thread Samuraiii

> Please give more details for "fails".
>
> Is the following your entire squid.conf (except for comments)?
>
> Have you tried getting SSL access to Squid working before introducing 
> authentication?
>
> What are you trying, to test this, and what are the results?
>
>
> Regards,
>
>
> Antony.
First I would like to apologize for previous incomplete mail.
I got interrupted and accidentally sent it out before being complete.

Squid fails to start for me with:
FATAL: No valid signing SSL certificate configured for HTTPS_port [::]:8443
I have found that this is related to a missing self-signed certificate,
and since I do not want to use a self-signed certificate I am asking if I
can do anything about it.
I would like to avoid self-signed certificates so my users would not
need to import and replace my own certs.


And here is my complete squid.conf:

acl SSL_ports port 443
acl Safe_ports port 80  # http
acl Safe_ports port 21  # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70  # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 901 # SWAT
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access deny to_localhost

auth_param basic program /usr/libexec/squid/basic_pam_auth
auth_param basic children 5
auth_param basic realm Proxy Authentication Required
auth_param basic credentialsttl 2 hours

acl authenticated proxy_auth REQUIRED
http_access allow authenticated
http_access deny all

https_port 8443 \
cert=/etc/letsencrypt/live/sklad.duckdns.org/cert.pem \
key=/etc/letsencrypt/live/sklad.duckdns.org/key.pem \
clientca=/etc/letsencrypt/live/sklad.duckdns.org/fullchain.pem \
tls-dh=/etc/ssl/certs/dhparam.pem \
options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE \
cipher=HIGH
cache_dir aufs /var/cache/squid 512 16 256
coredump_dir /var/cache/squid
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320


One more apology for the escaped mail.
S



Re: [squid-users] Https_port with "official" certificate

2016-08-24 Thread Antony Stone
On Wednesday 24 August 2016 at 14:02:43, Samuraiii wrote:

> Squid fails to start for me with:
> FATAL: No valid signing SSL certificate configured for HTTPS_port [::]:8443
>
> I have found that this is related to a missing self-signed certificate,
> and since I do not want to use a self-signed certificate I am asking if I
> can do anything about it.
> I would like to avoid self-signed certificates so my users would not
> need to import and replace my own certs.

Have you tried adding the option "generate-host-certificates=off" to your 
https_port line?

I'm not an expert on this bit of Squid, but I'm just looking at
http://www.squid-cache.org/Versions/v3/3.5/cfgman/https_port.html and noticing 
anything to do with a "signing certificate" (which you do not have, and do not 
want to use).


Antony.

-- 
You can tell that the day just isn't going right when you find yourself using 
the telephone before the toilet.

   Please reply to the list;
 please *don't* CC me.


Re: [squid-users] Https_port with "official" certificate

2016-08-24 Thread Diogenes S. Jesus
Just one thing I noticed:

"clientca" is not the CA which issued your "cert" (sklad.duckdns.org) -
it's the CA to be used when doing client-side authentication, which I'm not
sure you're doing.

Dio

On Wed, Aug 24, 2016 at 2:02 PM, Samuraiii 
wrote:

>
> > Please give more details for "fails".
> >
> > Is the following your entire squid.conf (except for comments)?
> >
> > Have you tried getting SSL access to Squid working before introducing
> > authentication?
> >
> > What are you trying, to test this, and what are the results?
> >
> >
> > Regards,
> >
> >
> > Antony.
> First I would like to apologize for previous incomplete mail.
> I got interrupted and accidentally sent it out before being complete.
>
> Squid fails to start for me with:
> FATAL: No valid signing SSL certificate configured for HTTPS_port [::]:8443
> I have found that this is related to missing self signed certificate,
> and since I do not want to use self signed certificate I am asking if I
> can do anything about it.
> I would like to avoid self signed certificates so my users would not
> need to import and replace my own certs.
>
>



-- 
Diogenes S. de Jesus


Re: [squid-users] Https_port with "official" certificate

2016-08-24 Thread Yuri Voinov

No CA issues a signing CA certificate to a subject which is not itself a CA.

So, OP wants an impossible thing.


24.08.2016 18:15, Antony Stone wrote:
> On Wednesday 24 August 2016 at 14:02:43, Samuraiii wrote:
>
>> Squid fails to start for me with:
>> FATAL: No valid signing SSL certificate configured for HTTPS_port [::]:8443
>>
>> I have found that this is related to a missing self-signed certificate,
>> and since I do not want to use a self-signed certificate I am asking if I
>> can do anything about it.
>> I would like to avoid self-signed certificates so my users would not
>> need to import and replace my own certs.
>
> Have you tried adding the option "generate-host-certificates=off" to your
> https_port line?
>
> I'm not an expert on this bit of Squid, but I'm just looking at
> http://www.squid-cache.org/Versions/v3/3.5/cfgman/https_port.html and
> noticing anything to do with a "signing certificate" (which you do not have,
> and do not want to use).
>
>
> Antony.
>



Re: [squid-users] Https_port with "official" certificate

2016-08-24 Thread Samuraiii
On 24.8.2016 14:18, Yuri Voinov wrote:
>
> No CA issues a signing CA certificate to a subject which is not itself a CA.
>
> So, OP wants an impossible thing.
>
I have tried dropping the clientca option and adding generate-host-certificates=off,
but the outcome is still the same error...

Even with just this as the config:
https_port 8443 accel \
cert=/etc/letsencrypt/live/sklad.duckdns.org/cert.pem \
key=/etc/letsencrypt/live/sklad.duckdns.org/key.pem




Re: [squid-users] Https_port with "official" certificate

2016-08-24 Thread Antony Stone
On Wednesday 24 August 2016 at 14:18:46, Yuri Voinov wrote:

> No CA issues a signing CA certificate to a subject which is not itself a CA.
> 
> So, OP wants an impossible thing.

Why would one need a signING certificate just to create an SSL connection 
between the browser and Squid?

Surely one merely needs a valid signED certificate, same as you would put on a 
web server to set up secure connections to it?

OP is not intercepting secure traffic, nor making HTTP sites look to the 
browser like HTTPS ones.


Antony.

> 24.08.2016 18:15, Antony Stone wrote:
> > On Wednesday 24 August 2016 at 14:02:43, Samuraiii wrote:
> >> Squid fails to start for me with:
> >> FATAL: No valid signing SSL certificate configured for HTTPS_port [::]:8443
> >> 
> >> I have found that this is related to a missing self-signed certificate,
> >> and since I do not want to use a self-signed certificate I am asking if I
> >> can do anything about it.
> >> I would like to avoid self-signed certificates so my users would not
> >> need to import and replace my own certs.
> > 
> > Have you tried adding the option "generate-host-certificates=off" to your
> > https_port line?
> > 
> > I'm not an expert on this bit of Squid, but I'm just looking at
> > http://www.squid-cache.org/Versions/v3/3.5/cfgman/https_port.html and
> > noticing anything to do with a "signing certificate" (which you do not have,
> > and do not want to use).
> > 
> > 
> > Antony.

-- 
I think broken pencils are pointless.

   Please reply to the list;
 please *don't* CC me.


Re: [squid-users] Https_port with "official" certificate

2016-08-24 Thread Yuri Voinov

Predictable.


24.08.2016 18:22, Samuraiii wrote:
> On 24.8.2016 14:18, Yuri Voinov wrote:
>>
>> No CA issues a signing CA certificate to a subject which is not itself a CA.
>>
>> So, OP wants an impossible thing.
>>
> I have tried dropping the clientca option and adding
> generate-host-certificates=off, but the outcome is still the same error...
>
> Even with just this as the config:
> https_port 8443 accel \
> cert=/etc/letsencrypt/live/sklad.duckdns.org/cert.pem \
> key=/etc/letsencrypt/live/sklad.duckdns.org/key.pem



Re: [squid-users] Https_port with "official" certificate

2016-08-24 Thread Antony Stone
On Wednesday 24 August 2016 at 14:22:18, Samuraiii wrote:

> On 24.8.2016 14:18, Yuri Voinov wrote:
> > No CA issues a signing CA certificate to a subject which is not itself a CA.
> > 
> > So, OP wants an impossible thing.
> 
> I have tried dropping the clientca option and adding generate-host-certificates=off,
> but the outcome is still the same error...
> 
> Even with just this as the config:
> https_port 8443 accel \

Why are you using accelerator mode?  Surely this is just a normal forwarding 
proxy?

> cert=/etc/letsencrypt/live/sklad.duckdns.org/cert.pem \
> key=/etc/letsencrypt/live/sklad.duckdns.org/key.pem


Antony.

-- 
"Reports that say that something hasn't happened are always interesting to me, 
because as we know, there are known knowns; there are things we know we know. 
We also know there are known unknowns; that is to say we know there are some 
things we do not know. But there are also unknown unknowns - the ones we don't 
know we don't know."

 - Donald Rumsfeld, US Secretary of Defence

   Please reply to the list;
 please *don't* CC me.


Re: [squid-users] Https_port with "official" certificate

2016-08-24 Thread Samuraiii
On 24.8.2016 14:24, Antony Stone wrote:
> On Wednesday 24 August 2016 at 14:22:18, Samuraiii wrote:
>
>> On 24.8.2016 14:18, Yuri Voinov wrote:
>>> No CA issues a signing CA certificate to a subject which is not itself a CA.
>>>
>>> So, OP wants an impossible thing.
>> I have tried dropping the clientca option and adding generate-host-certificates=off,
>> but the outcome is still the same error...
>>
>> even with just this as config:
>> https_port 8443 accel \
> Why are you using accelerator mode?  Surely this is just a normal forwarding 
> proxy?
It was just kind of a random try.
The error is still the same.



Re: [squid-users] Https_port with "official" certificate

2016-08-24 Thread Yuri Voinov



24.08.2016 18:23, Antony Stone wrote:
> On Wednesday 24 August 2016 at 14:18:46, Yuri Voinov wrote:
>
>> No CA issues a signing CA certificate to a subject which is not itself a CA.
>>
>> So, OP wants an impossible thing.
>
> Why would one need a signING certificate just to create an SSL connection
> between the browser and Squid?
>
> Surely one merely needs a valid signED certificate, same as you would
> put on a web server to set up secure connections to it?
>
> OP is not intercepting secure traffic, nor making HTTP sites look to
> the browser like HTTPS ones.
Then I do not understand what OP wants.
>
>
>
> Antony.
>
>> 24.08.2016 18:15, Antony Stone wrote:
>>> On Wednesday 24 August 2016 at 14:02:43, Samuraiii wrote:
>>>> Squid fails to start for me with:
>>>> FATAL: No valid signing SSL certificate configured for HTTPS_port [::]:8443
>>>>
>>>> I have found that this is related to a missing self-signed certificate,
>>>> and since I do not want to use a self-signed certificate I am asking if I
>>>> can do anything about it.
>>>> I would like to avoid self-signed certificates so my users would not
>>>> need to import and replace my own certs.
>>>
>>> Have you tried adding the option "generate-host-certificates=off" to
>>> your https_port line?
>>>
>>> I'm not an expert on this bit of Squid, but I'm just looking at
>>> http://www.squid-cache.org/Versions/v3/3.5/cfgman/https_port.html and
>>> noticing anything to do with a "signing certificate" (which you do not have,
>>> and do not want to use).
>>>
>>>
>>> Antony.
>



Re: [squid-users] Https_port with "official" certificate

2016-08-24 Thread Samuraiii

> > look to the browser
> > like HTTPS ones.
> Then I do not understand what OP wants.
>

http://wiki.squid-cache.org/Features/HTTPS#Encrypted_browser-Squid_connection

A secure connection to the squid proxy without the need for anything else (on
the client side) than configuring the proxy in the browser.
Using the provided signed certificates.
No SSL-bumping or whatever, just forwarding.


Re: [squid-users] Https_port with "official" certificate

2016-08-24 Thread Antony Stone
On Wednesday 24 August 2016 at 14:26:48, Yuri Voinov wrote:

> 24.08.2016 18:23, Antony Stone wrote:
> > On Wednesday 24 August 2016 at 14:18:46, Yuri Voinov wrote:
> >> No CA issues a signing CA certificate to a subject which is not itself a CA.
> >> 
> >> So, OP wants an impossible thing.
> > 
> > Why would one need a signING certificate just to create an SSL connection
> > between the browser and Squid?
> > 
> > Surely one merely needs a valid signED certificate, same as you would
> > put on a web server to set up secure connections to it?
> > 
> > OP is not intercepting secure traffic, nor making HTTP sites look to
> > the browser like HTTPS ones.
> 
> Then I do not understand what OP wants.

He wants to configure his browser to connect to the proxy over an SSL 
connection, and then inside this secure connection send standard HTTP and 
HTTPS requests, just as a browser would do over an unsecured connection to the 
proxy on Squid's standard port 3128.

It's nothing to do with whether either the client or the destination server 
believe the web content itself to be secured with SSL/TLS.

See "Encrypted browser-Squid connection" at the bottom of
http://wiki.squid-cache.org/Features/HTTPS


Antony.

-- 
Archaeologists have found a previously-unknown dinosaur which seems to have 
had a very large vocabulary.  They've named it Thesaurus.

   Please reply to the list;
 please *don't* CC me.


Re: [squid-users] Https_port with "official" certificate

2016-08-24 Thread Yuri Voinov



24.08.2016 18:31, Samuraiii wrote:
>
>> > look to the browser
>> > like HTTPS ones.
>> Then I do not understand what OP wants.
>>
>
> http://wiki.squid-cache.org/Features/HTTPS#Encrypted_browser-Squid_connection
>
> A secure connection to the squid proxy without the need for anything else (on
> the client side) than configuring the proxy in the browser.
> Using the provided signed certificates.
> No SSL-bumping or whatever, just forwarding.
Firstly, the concept is not safe. Users will have a secure connection to
the proxy - and what about the next hop? HTTP? The user is misled by the green
padlock and believes the whole connection is secure, when in fact the external
traffic is not encrypted. Second, do you seriously think that the world will sit
under HTTPS? What, for example, do you want to protect on news sites?



Re: [squid-users] Https_port with "official" certificate

2016-08-24 Thread Yuri Voinov



24.08.2016 18:32, Antony Stone wrote:
> On Wednesday 24 August 2016 at 14:26:48, Yuri Voinov wrote:
>
>> 24.08.2016 18:23, Antony Stone wrote:
>>> On Wednesday 24 August 2016 at 14:18:46, Yuri Voinov wrote:
>>>> No CA issues a signing CA certificate to a subject which is not itself a CA.
>>>>
>>>> So, OP wants an impossible thing.
>>>
>>> Why would one need a signING certificate just to create an SSL
>>> connection between the browser and Squid?
>>>
>>> Surely one merely needs a valid signED certificate, same as you would
>>> put on a web server to set up secure connections to it?
>>>
>>> OP is not intercepting secure traffic, nor making HTTP sites look to
>>> the browser like HTTPS ones.
>>
>> Then I do not understand what OP wants.
>
> He wants to configure his browser to connect to the proxy over an SSL
> connection, and then inside this secure connection send standard HTTP and
> HTTPS requests, just as a browser would do over an unsecured connection to the
> proxy on Squid's standard port 3128.
Yeah, I get it. It seems to me an absolutely crazy and insecure idea.
>
>
> It's nothing to do with whether either the client or the destination
> server believe the web content itself to be secured with SSL/TLS.
>
> See "Encrypted browser-Squid connection" at the bottom of
> http://wiki.squid-cache.org/Features/HTTPS
>
>
> Antony.
>



Re: [squid-users] Https_port with "official" certificate

2016-08-24 Thread Yuri Voinov

Against this backdrop, even SSL bump security seems a masterpiece.


24.08.2016 18:32, Antony Stone wrote:
> On Wednesday 24 August 2016 at 14:26:48, Yuri Voinov wrote:
>
>> 24.08.2016 18:23, Antony Stone wrote:
>>> On Wednesday 24 August 2016 at 14:18:46, Yuri Voinov wrote:
>>>> No CA issues a signing CA certificate to a subject which is not itself a CA.
>>>>
>>>> So, OP wants an impossible thing.
>>>
>>> Why would one need a signING certificate just to create an SSL
>>> connection between the browser and Squid?
>>>
>>> Surely one merely needs a valid signED certificate, same as you would
>>> put on a web server to set up secure connections to it?
>>>
>>> OP is not intercepting secure traffic, nor making HTTP sites look to
>>> the browser like HTTPS ones.
>>
>> Then I do not understand what OP wants.
>
> He wants to configure his browser to connect to the proxy over an SSL
> connection, and then inside this secure connection send standard HTTP and
> HTTPS requests, just as a browser would do over an unsecured connection to the
> proxy on Squid's standard port 3128.
>
> It's nothing to do with whether either the client or the destination
> server believe the web content itself to be secured with SSL/TLS.
>
> See "Encrypted browser-Squid connection" at the bottom of
> http://wiki.squid-cache.org/Features/HTTPS
>
>
> Antony.
>



Re: [squid-users] Https_port with "official" certificate

2016-08-24 Thread Samuraiii

>
>   > No SSL-bumping or whatever, just forwarding.
> Firstly, the concept is not safe. Users will have a secure connection
> to the proxy - and what about the next hop? HTTP? The user is misled by the
> green padlock and believes the whole connection is secure, when in fact the
> external traffic is not encrypted. Second, do you seriously think that the
> world will sit under HTTPS? What, for example, do you want to protect on news sites?
>
>
Since I would like to set up a proxy for a few people, I am comfortable
telling them what to want from it and what not.
Second, what about the security of the proxy login info?
Last, I asked this because I stumbled on this on the official squid wiki.
It wouldn't have crossed my mind that it existed.
It should be corrected if it is impossible to set it up.
I really do not like your quick judgement.


Re: [squid-users] Https_port with "official" certificate

2016-08-24 Thread Yuri Voinov



24.08.2016 18:44, Samuraiii wrote:
>
>>
>>   > No SSL-bumping or whatever, just forwarding.
>> Firstly, the concept is not safe. Users will have a secure connection
>> to the proxy - and what about the next hop? HTTP? The user is misled by the
>> green padlock and believes the whole connection is secure, when in fact the
>> external traffic is not encrypted. Second, do you seriously think that the
>> world will sit under HTTPS? What, for example, do you want to protect on news sites?
>>
>>
> Since I would like to set up a proxy for a few people, I am comfortable
> telling them what to want from it and what not.
> Second, what about the security of the proxy login info?
> Last, I asked this because I stumbled on this on the official squid wiki.
> It wouldn't have crossed my mind that it existed.
> It should be corrected if it is impossible to set it up.
> I really do not like your quick judgement.
Such is the question, such is the answer. The telepaths are on vacation.

I also do not like a lot of things in the modern sense of security.
However, I did not create this world. In addition, as far as I
know, the functionality that you want to see does not exist in nature.
Either fully encrypted connections, or none at all. A proxy is not a web
server that can encrypt only the login and then leave the connection
unprotected or let it tunnel.


Re: [squid-users] Https_port with "official" certificate

2016-08-24 Thread Samurai
OK.
This is the answer (not) I was looking for.
Thank you 
S



Re: [squid-users] Https_port with "official" certificate

2016-08-24 Thread Antony Stone
On Wednesday 24 August 2016 at 14:35:03, Yuri Voinov wrote:

> >> Then I do not understand what the OP wants.
> 
> http://wiki.squid-cache.org/Features/HTTPS#Encrypted_browser-Squid_connection
> 
> > Secure connection to squid proxy without need for anything else (on
> > client side) than configuring proxy in browser.
> 
> > Using provided signed certificates.
> > No SSL-bumping or whatever just forwarding.
> 
> Firstly, the concept is not safe. Users will have a secure connection to
> the proxy

Yes, that is all the OP is looking for.

> as well as the next?

Once it leaves the OP's network I suspect the risk (of eavesdropping etc) is 
reduced.

> HTTP? User misled by green padlock,

I do not think the browser will show an SSL/TLS padlock for a secured proxy 
connection - it only shows this for a secured connection to the destination 
server.  Therefore no misled users.

> believes the whole connection is secure - as external traffic is not
> encrypted after the fact. Second: you seriously think that the world will
> sit under HTTPS? What, for example, do you want to protect on news sites?

I don't understand what you are saying here.

The connection across the local network between browser and proxy is secured.

Beyond that everything works across the Internet just as normal - HTTP sites 
are not secured, HTTPS sites are secured.  The user sees SSL padlock and 
certificate chain for HTTPS sites, nothing for HTTP sites.

So, the design is more secure over the local network than the standard 
arrangement, and exactly the same beyond the local network.

No security is being compromised or downgraded.


Antony.

-- 
Douglas was one of those writers who honourably failed to get anywhere with 
'weekending'.  It put a premium on people who could write things that lasted 
thirty seconds, and Douglas was incapable of writing a single sentence that 
lasted less than thirty seconds.

 - Geoffrey Perkins, about Douglas Adams

   Please reply to the list;
 please *don't* CC me.


Re: [squid-users] Https_port with "official" certificate

2016-08-24 Thread Yuri Voinov

24.08.2016 19:24, Antony Stone wrote:
> On Wednesday 24 August 2016 at 14:35:03, Yuri Voinov wrote:
>
>>>> Then I do not understand what the OP wants.
>>
>> http://wiki.squid-cache.org/Features/HTTPS#Encrypted_browser-Squid_connection
>>
>>> Secure connection to squid proxy without need for anything else (on
>>> client side) than configuring proxy in browser.
>>
>>> Using provided signed certificates.
>>> No SSL-bumping or whatever just forwarding.
>>
>> Firstly, the concept is not safe. Users will have a secure connection to
>> the proxy
>
> Yes, that is all the OP is looking for.
>
>> as well as the next?
>
> Once it leaves the OP's network I suspect the risk (of eavesdropping
> etc) is reduced.
>
>> HTTP? User misled by green padlock,
>
> I do not think the browser will show an SSL/TLS padlock for a secured
> proxy connection - it only shows this for a secured connection to the
> destination server.  Therefore no misled users.
>
>> believes the whole connection is secure - as external traffic is not
>> encrypted after the fact. Second: you seriously think that the world will
>> sit under HTTPS? What, for example, do you want to protect on news sites?
>
> I don't understand what you are saying here.
Maybe there is some misunderstanding here.

If we are talking about encrypting just the proxy authentication - that is
one thing. If we are talking about encrypting all client traffic, but only
as far as the proxy, without caring what happens to it next - that is
another.

>
> The connection across the local network between browser and proxy is
secured.
>
> Beyond that everything works across the Internet just as normal - HTTP
sites
> are not secured, HTTPS sites are secured.  The user sees SSL padlock and
> certificate chain for HTTPS sites, nothing for HTTP sites.
>
> So, the design is more secure over the local network than the standard
> arrangement, and exactly the same beyond the local network.
Correct LAN design solves most of these problems.
>
>
> No security is being compromised or downgraded.
Not sure.
>
>
>
> Antony.
>



Re: [squid-users] Https_port with "official" certificate

2016-08-24 Thread Amos Jeffries
Just to rewind this conversation to the actual problem ...

On 24/08/2016 11:42 p.m., Samuraiii wrote:
> On 24.8.2016 13:18, Antony Stone wrote:
>> Unfortunately it's not Squid that's the challenge - it's the browser.
>>
>> If you're using Firefox and/or Chrome, you should be okay.
>>
>> See "Encrypted browser-Squid connection" at the bottom of
>> http://wiki.squid-cache.org/Features/HTTPS
>>
>>
>> Antony.
>>
> I have seen that, it is the cause of my subscription to this list.
> I haven't been able to find any usable hints.
> My config attempt fails
> 


> 
> https_port 8443 \
> cert=/etc/letsencrypt/live/sklad.duckdns.org/cert.pem \
> key=/etc/letsencrypt/live/sklad.duckdns.org/key.pem \
> cleintca=/etc/letsencrypt/live/sklad.duckdns.org/fullchain.pem \
> tls-dh=/etc/ssl/certs/dhparam.pem \
> sslproxy_options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE \
> cipher=HIGH


As Dio mentioned, the cleintca= (or rather clientca=) option is for
authenticating client certificates. Don't use that unless you are
requiring client certs in TLS.

The rest of your config looks reasonable to me. I suspect you have found
a bug introduced during all the SSL-Bump code changes. Please make a
bugzilla report and include your exact Squid version (found with the
'squid -v' command), the https_port line(s) and the exact error message
produced on startup.

Amos



Re: [squid-users] Https_port with "official" certificate

2016-08-24 Thread Diogenes S. Jesus
This configuration here covers the use case described by the OP:
https://gist.githubusercontent.com/splashx/758ff0c59ea291f32edafc516fdaad73/raw/8050fa054821657812961050332b38a56e7e3e68/

If everything works well, you'll notice you won't support HTTP proxy at
all, but users can reach both HTTP and HTTPS target websites via your
HTTPS proxy.

# netstat -nltp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address   Foreign Address   State    PID/Program name
tcp        0      0 0.0.0.0:22      0.0.0.0:*         LISTEN   32109/sshd
tcp6       0      0 :::80           :::*              LISTEN   26627/apache2
tcp6       0      0 :::3443         :::*              LISTEN   7303/(squid-1)
tcp6       0      0 :::22           :::*              LISTEN   32109/sshd

The user connects to the proxy ONLY via the HTTPS proxy on port 3443.

All traffic between the OP and the proxy is encrypted using TLS.
A) If the user enters http://target.example.com, between the proxy and the
target you'll see HTTP.
B) If the user enters https://target.example.com, between the proxy and the
target you'll see HTTPS.

If you sniff the traffic between the client and the proxy, you'll see TLS.

Tested with:

$ /Applications/Firefox\ 2.app/Contents/MacOS/firefox -v
Mozilla Firefox 48.0

Firefox set up to use PAC: Preferences > Advanced > Network > Settings:
"Automatic Proxy Configuration": http://squid.example.com/proxy.pac

The downside here of course is the limited amount of clients supporting
HTTPS Proxy settings.

Dio


On Wed, Aug 24, 2016 at 3:46 PM, Amos Jeffries  wrote:

> Just to rewind this conversation to the actual problem ...
>
> On 24/08/2016 11:42 p.m., Samuraiii wrote:
> > On 24.8.2016 13:18, Antony Stone wrote:
> >> Unfortunately it's not Squid that's the challenge - it's the browser.
> >>
> >> If you're using Firefox and/or Chrome, you should be okay.
> >>
> >> See "Encrypted browser-Squid connection" at the bottom of
> >> http://wiki.squid-cache.org/Features/HTTPS
> >>
> >>
> >> Antony.
> >>
> > I have seen that, it is the cause of my subscription to this list.
> > I haven't been able to find any usable hints.
> > My config attempt fails
> >
>
> 
> >
> > https_port 8443 \
> > cert=/etc/letsencrypt/live/sklad.duckdns.org/cert.pem \
> > key=/etc/letsencrypt/live/sklad.duckdns.org/key.pem \
> > cleintca=/etc/letsencrypt/live/sklad.duckdns.org/fullchain.pem \
> > tls-dh=/etc/ssl/certs/dhparam.pem \
> > sslproxy_options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE \
> > cipher=HIGH
>
>
> As Dio mentioned the cleintca= (or rather clientca=) is for
> authenticating clients ceritficates. Don't use that unless you are
> requiring client certs in TLS.
>
> The rest of your config looks reasonable to me. I suspect you have found
> a bug introduced during all the SSL-Bump code changes. Please make a
> bugzilla report and include your exact Squid version (found with the
> 'squid -v' command), the https_port line(s) and the exact error message
> produced on startup.
>
> Amos
>



-- 



Diogenes S. de Jesus
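The client-side half of the set-up Dio describes, as an added example that is not from the original post, the linked gist, or the Squid project. What tells the browser to speak TLS to the proxy is the "HTTPS" keyword in the proxy string returned by the PAC file; "HTTP host:port" would mean a plain-text proxy connection, and the scheme of the URL being fetched has nothing to do with which keyword is used. The proxy name and port (squid.example.com:3443) are taken from Dio's netstat output and PAC URL; the bypass list and the 10.5.7.0/24 LAN range are assumptions made for the example.

```javascript
// proxy.pac: send every browser request through Squid's https_port.
// Added example, not from the original post, the linked gist, or the Squid
// project. squid.example.com:3443 is the proxy from Dio's netstat output;
// the 10.5.7.0/24 LAN range and the bypass list are assumptions.

var PROXY_HOST = "squid.example.com";
var PROXY_PORT = 3443;

// "HTTPS host:port" = TLS to the proxy itself. Compare "HTTP host:port",
// which is a plain-text proxy connection. Neither keyword has anything to do
// with whether the URL being fetched is http:// or https://.
var SECURE_PROXY = "HTTPS " + PROXY_HOST + ":" + PROXY_PORT;

// Hosts that must not go through the proxy: the proxy itself (otherwise the
// browser would try to reach the proxy via the proxy), loopback, bare
// single-label names, and the assumed LAN range.
function isLocal(host) {
  host = String(host).toLowerCase();
  if (host === PROXY_HOST) return true;
  if (host === "localhost" || host === "127.0.0.1" || host === "::1") return true;
  if (host.indexOf(".") === -1) return true;          // e.g. "intranet"
  return /^10\.5\.7\.\d{1,3}$/.test(host);            // assumed LAN
}

// Called by the browser for every URL. PAC built-ins such as dnsDomainIs()
// are deliberately not used, so the same file also runs under node.
function FindProxyForURL(url, host) {
  if (isLocal(host)) {
    return "DIRECT";
  }
  // No "; HTTP proxy:3128" or "; DIRECT" fallback after the HTTPS entry:
  // a fallback would let a failed TLS handshake to the proxy silently
  // downgrade the proxy hop to plain text, or bypass the proxy altogether.
  return SECURE_PROXY;
}
```

Checks once it is deployed: "openssl s_client -connect squid.example.com:3443" should show the proxy's certificate chain, and "curl -v --proxy https://squid.example.com:3443 http://example.org/" (curl 7.52.0 or newer) should succeed; the browser or curl validates the proxy certificate exactly as it would a site certificate, so a certificate for another name or from an untrusted issuer is a hard error. Two caveats: Dio serves the PAC over plain http://, so whoever can tamper with that fetch chooses the proxy for every user; serving it over HTTPS, or configuring the proxy by hand in the browser, avoids that. And, as Alex notes further down in the thread, for https:// targets there are two TLS layers on the client-proxy hop: the browser's TLS session with Squid, and inside it the CONNECT tunnel carrying the end-to-end TLS session with the site, which Squid only forwards.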


Re: [squid-users] Https_port with "official" certificate

2016-08-24 Thread Diogenes S. Jesus
Oh, and a tiny little detail :)

# squid -v

Squid Cache: Version 4.0.13

Service Name: squid

configure options:  '--with-openssl' '--prefix=/usr' '--localstatedir=/var'
'--libexecdir=/lib/squid' '--datadir=/share/squid'
'--sysconfdir=/etc/squid' '--with-default-user=proxy'
'--with-logdir=/var/log/squid' '--with-pidfile=/var/run/squid.pid'




-- 



Diogenes S. de Jesus


Re: [squid-users] Https_port with "official" certificate

2016-08-24 Thread Alex Rousskov
On 08/24/2016 06:36 AM, Yuri Voinov wrote:
> 24.08.2016 18:32, Antony Stone wrote:
>> He wants to configure his browser to connect to the proxy over an SSL
>> connection, and then inside this secure connection send standard HTTP and
>> HTTPS requests

> Yeah, I get it. It seems to me an absolutely crazy and insecure idea.

No, you do not get it. If you were getting it, you would not call it
"crazy" or "insecure". Please do not scare folks away from the
configuration that makes a lot of sense and is actually used in highly
secure environments.

If you would like to understand why this configuration makes sense,
please carefully study available documentation, resist the urge to post
one-sentence knee-jerk responses, and think about what gets encrypted
between the client and Squid (hint: There are two layers of encryption
in case of HTTPS) and between Squid and the server. If, after all that
effort, you still think that this is "crazy" or "insecure", then
consider carefully itemizing a few specific reasons behind that
[incorrect] conclusion so that others can correct your mistake.


Thank you,

Alex.

>> See "Encrypted browser-Squid connection" at the bottom of
>> http://wiki.squid-cache.org/Features/HTTPS


Re: [squid-users] Https_port with "official" certificate

2016-08-25 Thread Samuraiii
On 24.8.2016 16:39, Diogenes S. Jesus wrote:
> Oh, an a tiny little detail :) 
>
> # squid -v
>
> Squid Cache: Version 4.0.13
>
> Service Name: squid
>
> configure options:  '--with-openssl' '--prefix=/usr'
> '--localstatedir=/var' '--libexecdir=/lib/squid'
> '--datadir=/share/squid' '--sysconfdir=/etc/squid'
> '--with-default-user=proxy' '--with-logdir=/var/log/squid'
> '--with-pidfile=/var/run/squid.pid'
>
>
Hi,
Thank you for your nice reply.
Is it possible to bend this config for squid 3.5.19?
My distro (Gentoo) doesn't offer v4 squid... Latest "testing" is 3.5.20.
I have no problem with compiling code;
the thing I am concerned about is maintaining the system in as effortless
a way as possible,
that is why I want to avoid non-distro software.

squid -v output is at the end of the mail.
With thanks,
S

squid -v
Squid Cache: Version 3.5.19
Service Name: squid
configure options:  '--prefix=/usr' '--build=x86_64-pc-linux-gnu'
'--host=x86_64-pc-linux-gnu' '--mandir=/usr/share/man'
'--infodir=/usr/share/info' '--datadir=/usr/share' '--sysconfdir=/etc'
'--localstatedir=/var/lib' '--disable-dependency-tracking'
'--disable-silent-rules' '--docdir=/usr/share/doc/squid-3.5.19'
'--htmldir=/usr/share/doc/squid-3.5.19/html' '--libdir=/usr/lib64'
'--sysconfdir=/etc/squid' '--libexecdir=/usr/libexec/squid'
'--localstatedir=/var' '--with-pidfile=/run/squid.pid'
'--datadir=/usr/share/squid' '--with-logdir=/var/log/squid'
'--with-default-user=squid' '--enable-removal-policies=lru,heap'
'--enable-storeio=aufs,diskd,rock,ufs' '--enable-disk-io'
'--enable-auth-basic=MSNT-multi-domain,NCSA,POP3,getpwnam,SMB,PAM'
'--enable-auth-digest=file' '--enable-auth-ntlm=smb_lm'
'--enable-auth-negotiate=none'
'--enable-external-acl-helpers=file_userip,session,unix_group,wbinfo_group'
'--enable-log-daemon-helpers' '--enable-url-rewrite-helpers'
'--enable-cache-digests' '--enable-delay-pools' '--enable-eui'
'--enable-icmp' '--enable-follow-x-forwarded-for' '--with-large-files'
'--disable-strict-error-checking' '--disable-arch-native'
'--with-ltdl-includedir=/usr/include' '--with-ltdl-libdir=/usr/lib64'
'--without-libcap' '--enable-ipv6' '--disable-snmp' '--with-openssl'
'--with-nettle' '--with-gnutls' '--disable-ssl-crtd' '--disable-ecap'
'--disable-esi' '--enable-htcp' '--enable-wccp' '--enable-wccpv2'
'--enable-linux-netfilter' '--without-mit-krb5' '--without-heimdal-krb5'
'build_alias=x86_64-pc-linux-gnu' 'host_alias=x86_64-pc-linux-gnu'
'CC=x86_64-pc-linux-gnu-gcc' 'CFLAGS=[too long...redacted]''
'LDFLAGS=-Wl,-O1 -Wl,--as-needed' 'CXXFLAGS=[too long...redacted]'
'PKG_CONFIG_PATH=/usr/lib64/pkgconfig'


Re: [squid-users] Https_port with "official" certificate

2016-08-25 Thread Diogenes Jesus
Hi there.

The config should work - I noticed only that you're using "--with-gnutls", but 
that shouldn't be an issue. Try it out and let us know how that worked for you. 

Dio

Sent from my iPhone



Re: [squid-users] Https_port with "official" certificate

2016-08-25 Thread Samuraiii
On 25.8.2016 13:24, Diogenes Jesus wrote:
> Hi there.
>
> The config should work - I noticed only that you're using
> "--with-gnutls", but that shouldn't be an issue. Try it out and let us
> know how that worked for you. 
>
> Dio
>
> Sent from my iPhone
>
Hello again,
still the same error...
Complete debug output of "squid -X" is here:
https://gist.github.com/samuraiii/839151ae083872d3fd2be650df004e0c

These flags are from my distro; I can't influence them directly, only
through a few "use flags", which represent some functionality I can trigger:

htcp ipv6 pam samba ssl wccp wccpv2 -caps -ecap -esi -ipf-transparent
-kerberos -kqueue -ldap -logrotate -mysql -nis -pf-transparent -postgres
-qos -radius -sasl -selinux -snmp -sqlite -ssl-crtd -test -tproxy

Those prefixed with a dash are disabled.
I append this just for reference; I do not see much use in this for
non-Gentooists.
S


Re: [squid-users] Https_port with "official" certificate

2016-08-25 Thread Amos Jeffries
Like I said the other day, please open a bug report with the details. I
don't have the time to look into it, and the devs who might be interested
don't follow this list closely.

Amos



Re: [squid-users] https_port Listen on different IP

2018-10-19 Thread Alex Rousskov
On 10/19/2018 01:10 AM, houheming wrote:

> Configure squid to be a https tproxy proxy

Terminology clarification: You are configuring a transparent proxy for
intercepting TLS/HTTPS traffic, not an (explicit) HTTPS proxy.


> configure squid to send the client browser certificates which signed by X

This phrase can be (mis)interpreted many ways:

1. Configure Squid to automatically generate origin server certificates
(signed by a configured CA X) and send them to browsers/clients that go
to those origin servers.

2. Configure Squid to use a configured client certificate (signed by
some CA X) and send it to origin servers that request client certificates.

Does any of the above match what you want to do?


> https_port 443 ...
> https_port 180.97.33.107:443 ...
> https_port 180.97.33.108:443 ...

I am not sure, but perhaps the first https_port line (the one without an
explicit IP address) should come _last_ so that Squid can listen on the
addresses that remain after 180.97.33.107 and 180.97.33.108 are taken by
the other two ports?

Also, if your Squid, when started without "-k parse", reports any
warnings or errors, please share them.

Alex.


Re: [squid-users] https_port Listen on different IP

2018-10-19 Thread Amos Jeffries
On 20/10/18 6:04 AM, Alex Rousskov wrote:
> On 10/19/2018 01:10 AM, houheming wrote:
>> https_port 443 ...
>> https_port 180.97.33.107:443 ...
>> https_port 180.97.33.108:443 ...
> 
> I am not sure, but perhaps the first https_port line (the one without an
> explicit IP address) should come _last_ so that Squid can listen on the
> addresses that remain after 180.97.33.107 and 180.97.33.108 are taken by
> the other two ports?

I think that is what was meant by "If I switch line1 with line2 and
line3 ..., then only line2 and line3 will get its chance to work, line1
will not work. "

The problem is that TCP does not permit any IP:port combination to have
two simultaneous listening sockets with different parameters. These
configuration lines differ in both address and protocol they are receiving.


houheming:
 you have to use different ports to receive the traffic into Squid.

Since you are using TPROXY there is no requirement for the proxy
listening port to be 443. Squid can listen on any port you want.

This problem should disappear if you set the wildcard port to another
number and update the TPROXY rule which is sending traffic to it.

Amos


Re: [squid-users] https_port Listen on different IP

2018-10-20 Thread houheming
Hi Alex & Amos,

Thanks for your replies, sorry for my poor English, I will add more information.

#1

> 1. Configure Squid to automatically generate origin server certificates
> (signed by a configured CA X) and send them to browsers/clients that go
> to those origin servers.

This is my situation.

#2

If I configure squid like the following:

https_port 443 ...
https_port 180.97.33.107:443 ...
https_port 180.97.33.108:443 ...

when I reconfigure squid, no errors come out, but when I check the TCP ports
listening using "netstat -tln", line2 and line3 with specific IPs do not
work:

#3

If I configure squid like:

https_port 180.97.33.107:443 ...
https_port 180.97.33.108:443
https_port 443

when I use "squid -k reconfigure" to reconfigure squid, there is no error
message. But when I check the TCP ports listening:

#4

I also tried to specify a different port for IP 0.0.0.0, like this:

https_port 180.97.33.107:443 ...
https_port 180.97.33.108:443
https_port 4433   #here specify a different port from above

and it works.

https_port 0.0.0.0:443
https_port 1.1.1.1:443

I was just curious that the above two types of rules cannot exist together;
whichever you put first in squid.conf will overwrite the second one.

Using a different port for the wildcard is a good solution in this case; it
is just that if I could use the same TCP port for IP 0.0.0.0, it would be
easier for my situation.

In my case, the destination server IP and root CA are dynamically sent to me
by another configuration server, so I chose to use the default HTTPS port
443 to receive all HTTPS traffic.

If I have to use different ports for IP 0.0.0.0, I think I have to write one
iptables rule per HTTPS server IP. In the normal case this is OK; in my case
I have to do it dynamically, in other words, whenever I receive a
configuration rule I have to write an iptables rule for it. Anyway, that is
my problem, thank you guys!

Heming Hou

-----Original Message-----
From: Amos Jeffries [mailto:squ...@treenet.co.nz]
Sent: 20 October 2018 12:10
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] https_port Listen on different IP

On 20/10/18 6:04 AM, Alex Rousskov wrote:
> On 10/19/2018 01:10 AM, houheming wrote:
>> https_port 443 ...
>> https_port 180.97.33.107:443 ...
>> https_port 180.97.33.108:443 ...
> 
> I am not sure, but perhaps the first https_port line (the one without an
> explicit IP address) should come _last_ so that Squid can listen on the
> addresses that remain after 180.97.33.107 and 180.97.33.108 are taken by
> the other two ports?

I think that is what was meant by "If I switch line1 with line2 and
line3 ..., then only line2 and line3 will get its chance to work, line1
will not work. "

The problem is that TCP does not permit any IP:port combination to have
two simultaneous listening sockets with different parameters. These
configuration lines differ in both address and protocol they are receiving.

houheming:
you have to use different ports to receive the traffic into Squid.

Since you are using TPROXY there is no requirement for the proxy
listening port to be 443. Squid can listen on any port you want.

This problem should disappear if you set the wildcard port to another
number and update the TPROXY rule which is sending traffic to it.

Amos
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users



Re: [squid-users] https_port Listen on different IP

2018-10-20 Thread Alex Rousskov
On 10/20/18 7:47 AM, houheming wrote:
> 1. Configure Squid to automatically generate origin server certificates
> (signed by a configured CA X) and send them to browsers/clients that go
> to those origin servers.
  
OK.


> If I configure squid like:
> 
> https_port 180.97.33.107:443 ...
> https_port 180.97.33.108:443
> https_port 443

> when I use “squid –k reconfigure” to reconfigure squid, no error message.

In general, avoid using "-k anything" as the primary configuration test.
It just complicates matters by introducing a different error checking
context. Use a clean start. I am _not_ saying that a clean start would
have solved your problem in this particular case.


> But when I check the tcp ports listening:

[image showing the first two out of three configured :443 ports]

If Squid did not complain about anything but did not start listening on
one of the configured ports, then there is a Squid error reporting bug
somewhere. Feel free to report it to Squid bugzilla.

My suggestion to reorder those https_port lines was wrong. The wildcard
bind(INADDR_ANY) system call does not bind to "any available" address.
It binds to "all" addresses and, hence, fails if one of the addresses is
not available.

As Amos said and you have confirmed, using a different port for the
third https_port avoids these problems. Using a different/specific IP
address for the third https_port is another option.


> I was just curious that the above two types of rules cannot exist
> together, whichever you put the first in squid.conf, it will overwrite
> the second one.

https_port lines do not overwrite each other. The ports are independent,
but since they all consume a common resource (system IPs and ports),
they may conflict with each other. Use unique IPs and/or unique ports to
avoid conflicts.


Cheers,

Alex.


> -----Original Message-----
> From: Amos Jeffries [mailto:squ...@treenet.co.nz]
> Sent: 20 October 2018 12:10
> To: squid-users@lists.squid-cache.org
> Subject: Re: [squid-users] https_port Listen on different IP
> 
> On 20/10/18 6:04 AM, Alex Rousskov wrote:
>> On 10/19/2018 01:10 AM, houheming wrote:
>>> https_port 443 ...
>>> https_port 180.97.33.107:443 ...
>>> https_port 180.97.33.108:443 ...
>> 
>> I am not sure, but perhaps the first https_port line (the one without an
>> explicit IP address) should come _last_ so that Squid can listen on the
>> addresses that remain after 180.97.33.107 and 180.97.33.108 are taken by
>> the other two ports?
> 
> I think that is what was meant by "If I switch line1 with line2 and
> line3 ..., then only line2 and line3 will get its chance to work, line1
> will not work. "
> 
> The problem is that TCP does not permit any IP:port combination to have
> two simultaneous listening sockets with different parameters. These
> configuration lines differ in both address and protocol they are receiving.
> 
> houheming:
> you have to use different ports to receive the traffic into Squid.
> 
> Since you are using TPROXY there is no requirement for the proxy
> listening port to be 443. Squid can listen on any port you want.
> 
> This problem should disappear if you set the wildcard port to another
> number and update the TPROXY rule which is sending traffic to it.
> 
> Amos



Re: [squid-users] https_port Listen on different IP

2018-10-20 Thread Amos Jeffries
On 21/10/18 6:12 AM, Alex Rousskov wrote:
> On 10/20/18 7:47 AM, houheming wrote:
>> 1. Configure Squid to automatically generate origin server certificates
>> (signed by a configured CA X) and send them to browsers/clients that go
>> to those origin servers.
>   
> OK.
> 
> 
>> If I configure squid like:
>>
>> https_port 180.97.33.107:443 ...
>> https_port 180.97.33.108:443
>> https_port 443
> 
>> when I use “squid –k reconfigure” to reconfigure squid, no error message.
> 
> In general, avoid using "-k anything" as the primary configuration test.
> It just complicates matters by introducing a different error checking
> context. Use a clean start. I am _not_ saying that a clean start would
> have solved your problem in this particular case.
> 
> 
>> But when I check the tcp ports listening:
> 
> [image showing the first two out of three configured :443 ports]
> 
> If Squid did not complain about anything but did not start listening on
> one of the configured ports, then there is a Squid error reporting bug
> somewhere. Feel free to report it to Squid bugzilla.
> 
> My suggestion to reorder those https_port lines was wrong. The wildcard
> bind(INADDR_ANY) system call does not bind to "any available" address.
> It binds to "all" addresses and, hence, fails if one of the addresses is
> not available.

Aye.

Just double-checked, Squid does report this problem:

 "2018/10/21 19:12:30 kid1| ERROR: listen( FD 21, [::] [ job2], 256):
(98) Address already in use"

... but only for -k start / restart / reconfigure.
The -k parse does not check it.

Amos
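An added example (not from this thread, nor Squid's own code) that does two things with the bind() rule Alex and Amos describe: it lints http_port/https_port lines for a wildcard listener sharing a port with a specific-IP listener, and it reproduces the kernel behaviour with two loopback sockets so you can see the EADDRINUSE for yourself. The config text and the tls-cert path in it are constructed.

```python
import errno
import re
import socket
from typing import List, Tuple

# Addresses that make a listener a wildcard ("" is a bare port such as "https_port 443").
WILDCARDS = {"", "0.0.0.0", "::"}

# Constructed sample reproducing the "#3" layout from the thread (the path is a placeholder).
SAMPLE_CONF = """\
https_port 180.97.33.107:443 tls-cert=/etc/squid/example.pem
https_port 180.97.33.108:443
https_port 443
"""
# The same listeners with the wildcard moved to its own port, as the thread suggests.
FIXED_CONF = """\
https_port 180.97.33.107:443
https_port 180.97.33.108:443
https_port 4433   # different port for the wildcard
"""

PORT_LINE = re.compile(r"^(https?_port)\s+(\S+)")


def parse_listen_ports(conf_text: str) -> List[Tuple[str, int]]:
    """Return (address, port) for every http_port/https_port line.

    Handles the three spellings seen on the thread: a bare port, "v4addr:port"
    and "[v6addr]:port". Trailing options (tls-cert=..., ssl-bump, ...) are ignored.
    """
    pairs = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        m = PORT_LINE.match(line)
        if not m:
            continue
        spec = m.group(2)
        if spec.startswith("["):                     # [v6addr]:port
            addr, _, port = spec[1:].partition("]:")
        elif ":" in spec:                            # v4addr:port
            addr, _, port = spec.rpartition(":")
        else:                                        # bare port = wildcard
            addr, port = "", spec
        pairs.append((addr, int(port)))
    return pairs


def find_bind_conflicts(pairs: List[Tuple[str, int]]) -> List[str]:
    """Apply the kernel's bind() rule statically: two listeners on one port conflict
    when they share an address or when either of them is the wildcard. Order in
    squid.conf does not matter, which is why reordering the lines did not help."""
    conflicts = []
    for i, (a1, p1) in enumerate(pairs):
        for a2, p2 in pairs[i + 1:]:
            if p1 == p2 and (a1 == a2 or a1 in WILDCARDS or a2 in WILDCARDS):
                conflicts.append(f"{a1 or '*'}:{p1} conflicts with {a2 or '*'}:{p2}")
    return conflicts


def wildcard_bind_conflicts(same_port: bool = True) -> bool:
    """Reproduce the rule live: listen on 127.0.0.1 at a free port, then bind
    0.0.0.0 on the same port (or on a fresh one when same_port is False).
    Returns True if the wildcard bind() was refused with EADDRINUSE."""
    specific = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    wildcard = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        specific.bind(("127.0.0.1", 0))              # port 0: kernel picks a free port
        port = specific.getsockname()[1]
        specific.listen(1)
        try:
            wildcard.bind(("0.0.0.0", port if same_port else 0))
            return False
        except OSError as exc:
            return exc.errno == errno.EADDRINUSE
    finally:
        specific.close()
        wildcard.close()


if __name__ == "__main__":
    for name, conf in (("sample", SAMPLE_CONF), ("fixed", FIXED_CONF)):
        print(name + ":", find_bind_conflicts(parse_listen_ports(conf)) or "no conflicts")
    print("wildcard on the taken port refused:", wildcard_bind_conflicts())
    print("wildcard on another port refused:", wildcard_bind_conflicts(same_port=False))
```

Run the lint against a squid.conf before `-k reconfigure`, since (as Amos notes below) `-k parse` does not catch this conflict.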


[squid-users] https_port not correctly sending ssl cert information?

2021-05-11 Thread Dan Steen
Hi!,

I've recently been trying to update my version of squid from 4.0.20 to 
something more modern (4.13), but I'm having issues with my TLS enabled proxy 
not returning certificates correctly (it seems).   Specifically, when I try and 
run the following curl (url replaced to protect the innocent):
 
curl -vvI --proxy https://test.example.com:5000 https://google.com

I get the following result:

*   Trying 167.99.53.100:5000...
* Connected to test.example.com port 5000
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate

This is different than what I get for my old 4.0.20 server:

* Connected to test.example.com port 3128 (#0)
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* Proxy certificate:
*  subject: CN=*.example.com
*  start date: Apr  5 21:02:06 2021 GMT
*  expire date: May  7 21:02:06 2022 GMT
*  issuer: C=BE; O=GlobalSign nv-sa; CN=AlphaSSL CA - SHA256 - G2
*  SSL certificate verify ok.

But the config and certs are exactly the same!  I've pasted the config, output 
of squid -v, and cert information here:  
https://gist.github.com/dansteen/c28343fd025c713bcfba8368ce2b728b

One difference between the two that I noticed is that the old version is 
compiled with --with-openssl and --enable-ssl and -enable-ssl-crtd, and the new 
version only has --with-gnutls.  Would that be the issue?  I appreciate the 
help!

Thanks!
Dan Steen



[squid-users] https_port Connection reset by peer; http_port works

2017-04-22 Thread chiasa.men
Hello folks

I tried to encrypt the connection between client and squid. Therefore I 
generated certificates which are accepted by the clients and configured squid 
as follows:

Squid.conf
  https_port 10.0.13.10:8443 cert=/cert.pem key=/cert.key
  http_port 10.0.13.10:8080
  http_access allow all

My following tests show that I can use the http port for internet access but 
the https port won't work. 
  openssl s_client -connect proxy:8443 
  # Verify return code: 0 (ok)

  export https_proxy="proxy:8443"
  export http_proxy="proxy:8080" 
  curl https://www.google.de
  # curl: (56) Recv failure: Connection reset by peer
  curl http://www.google.de
  # works
  
  export https_proxy="proxy:8443"
  export http_proxy="$https_proxy" 
  curl https://www.google.de
  # curl: (56) Recv failure: Connection reset by peer
  curl http://www.google.de
  # curl: (56) Recv failure: Connection reset by peer
  
  export http_proxy="proxy:8080" 
  export https_proxy="$http_proxy" 
  curl https://www.google.de
  # works
  curl http://www.google.de
  # works

What did I do wrong? Do I misunderstand something regarding the configuration 
options?

Regards Chia


Re: [squid-users] https_port not correctly sending ssl cert information?

2021-05-11 Thread Amos Jeffries
The main issue you are having is that the old version had no TLS/1.3 support. The newer squid have some, but not enough for what you are doing.

Switching the build from GnuTLS to OpenSSL may work a little better. But without details of your config it is hard to be certain.

Amos

 Original message 
From: Dan Steen
Date: Wed, 12 May 2021, 10:06
To: squid-users@lists.squid-cache.org
Subject: [squid-users] https_port not correctly sending ssl cert information?


Re: [squid-users] https_port not correctly sending ssl cert information?

2021-05-11 Thread Dan Steen
Hi Amos!

Thanks for the response!  I put my full config in that gist 
(https://gist.github.com/dansteen/c28343fd025c713bcfba8368ce2b728b) if that 
helps.  Is there something else that would be helpuful to see?  

Thanks!

On Tue, May 11, 2021, at 9:16 PM, Amos Jeffries wrote:
> The main issue you are having is that the old version had no TLS/1.3 support. 
> The newer squid have some, but not enough for what you are doing.
> 
> Switching the build from GnuTLS to OpenSSL may work a little better. But 
> without details of your config it is hard to be certain.
> 
> Amos
> 
> 
>  Original message 
> From: Dan Steen 
> Date: Wed, 12 May 2021, 10:06
> To: squid-users@lists.squid-cache.org
> Subject: [squid-users] https_port not correctly sending ssl cert information?
>> Hi!,
>> 
>> I've recently been trying to update my version of squid from 4.0.20 to 
>> something more modern (4.13), but I'm having issues with my TLS enabled 
>> proxy not returning certificates correctly (it seems).   Specifically, when 
>> I try and run the following curl (url replaced to protect the innocent):
>>  
>> curl -vvI --proxy https://test.example.com:5000 https://google.com
>> 
>> 
>> I get the following result:
>> 
>> *   Trying 167.99.53.100:5000...
>> * Connected to test.example.com port 5000
>> * ALPN, offering http/1.1
>> * successfully set certificate verify locations:
>> *  CAfile: /etc/ssl/certs/ca-certificates.crt
>> *  CApath: none
>> * TLSv1.3 (OUT), TLS handshake, Client hello (1):
>> * TLSv1.3 (IN), TLS handshake, Server hello (2):
>> * TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
>> * TLSv1.3 (IN), TLS handshake, Certificate (11):
>> * TLSv1.3 (OUT), TLS alert, unknown CA (560):
>> * SSL certificate problem: unable to get local issuer certificate
>> * Closing connection 0
>> curl: (60) SSL certificate problem: unable to get local issuer certificate
>> 
>> This is different then what I get for my old 4.0.20 server:
>> 
>> * Connected to test.example.com port 3128 (#0)
>> * successfully set certificate verify locations:
>> *  CAfile: /etc/ssl/certs/ca-certificates.crt
>> *  CApath: none
>> * TLSv1.3 (OUT), TLS handshake, Client hello (1):
>> * TLSv1.3 (IN), TLS handshake, Server hello (2):
>> * TLSv1.2 (IN), TLS handshake, Certificate (11):
>> * TLSv1.2 (IN), TLS handshake, Server key exchange (12):
>> * TLSv1.2 (IN), TLS handshake, Server finished (14):
>> * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
>> * TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
>> * TLSv1.2 (OUT), TLS handshake, Finished (20):
>> * TLSv1.2 (IN), TLS handshake, Finished (20):
>> * SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
>> * Proxy certificate:
>> *  subject: CN=*.example.com
>> *  start date: Apr  5 21:02:06 2021 GMT
>> *  expire date: May  7 21:02:06 2022 GMT
>> *  issuer: C=BE; O=GlobalSign nv-sa; CN=AlphaSSL CA - SHA256 - G2
>> *  SSL certificate verify ok.
>> 
>> 
>> But the config and certs are exactly the same!  I've pasted the config, 
>> output of squid -v, and cert information here:  
>> https://gist.github.com/dansteen/c28343fd025c713bcfba8368ce2b728b
>> 
>> One difference between the two that I noticed is that the old version is 
>> compiled with --with-openssl and --enable-ssl and -enable-ssl-crtd, and the 
>> new version only has --with-gnutls.  Would that be the issue?  I appreciate 
>> the help!
>> 
>> Thanks!
>> Dan Steen
>> 
>> 

Dan Steen
Founder, CTO
*MirageID*
_...@mirageid.com
443-204-9478


Re: [squid-users] https_port not correctly sending ssl cert information?

2021-05-11 Thread squid3
Oh, I see. With that simple config the issue has to be lack of cert 
chain support in GnuTLS. Simply rebuilding using --with-openssl should 
resolve it.


Amos


Re: [squid-users] https_port not correctly sending ssl cert information?

2021-05-11 Thread Dan Steen
great!  i'll give it a try and report back.  thanks so much!

On Tue, May 11, 2021, at 10:03 PM, squ...@treenet.co.nz 
 wrote:
> Oh, I see. With that simple config the issue has to be lack of cert 
> chain support in GnuTLS. Simply rebuilding using --with-openssl should 
> resolve it.
> 
> Amos
> 

Dan Steen



Re: [squid-users] https_port not correctly sending ssl cert information?

2021-05-13 Thread Dan Steen
That looks like it solved the issue!  Switching to an openssl build fixed 
things.   Thanks so much for the responses!


On Tue, May 11, 2021, at 10:08 PM, Dan Steen wrote:
> great!  i'll give it a try and report back.  thanks so much!
> 
> On Tue, May 11, 2021, at 10:03 PM, squ...@treenet.co.nz 
>  wrote:
>> Oh, I see. With that simple config the issue has to be lack of cert 
>> chain support in GnuTLS. Simply rebuilding using --with-openssl should 
>> resolve it.
>> 
>> Amos
>> 
> 
> Dan Steen
> 
> 

Dan Steen



Re: [squid-users] https_port Connection reset by peer; http_port works

2017-04-23 Thread Amos Jeffries



On 23/04/17 04:32, chiasa.men wrote:

Hello folks

I tried to encrypt the connection between client and squid. Therefore I
generated certificates which are accepted by the clients and configured squid
as followed:

Squid.conf
   https_port 10.0.13.10:8443 cert=/cert.pem key=/cert.key
   http_port 10.0.13.10:8080
   http_access allow all

My following tests show that I can use the http port for internet access but
the https port wont work.
   openssl s_client -connect proxy:8443
   # Verify return code: 0 (ok)

   export https_proxy="proxy:8443"
   export http_proxy="proxy:8080"
   curl https://www.google.de
   # curl: (56) Recv failure: Connection reset by peer
   curl http://www.google.de
   # works
   
   export https_proxy="proxy:8443"

   export http_proxy="$https_proxy"
   curl https://www.google.de
   # curl: (56) Recv failure: Connection reset by peer
   curl http://www.google.de
   # curl: (56) Recv failure: Connection reset by peer
   
   export http_proxy="proxy:8080"

   export https_proxy="$http_proxy"
   curl https://www.google.de
   # works
   curl http://www.google.de
   # works

What did I wrong? Do I misunderstand something regarding the configuration
options?


You appear not to be using curl correctly.

Test #1 and #3 show that curl is probably sending the https:// requests 
through port 8080 on your proxy as a CONNECT request. Check that in your 
Squid log to confirm.


Test #2 is misconfigured. port 8443 on your proxy is not able to accept 
plain-text traffic.



AFAIK the "https_proxy" environment variable is a custom thing invented 
by Google in part of their insistence not to allow users to configure 
TLS to a proxy via the Chrome GUI. It is not part of the normal POSIX 
environment like http_proxy is. So you cannot rely on non-Browser tools 
like curl supporting it.


Amos



Re: [squid-users] https_port Connection reset by peer; http_port works

2017-04-23 Thread chiasa.men
Am Sonntag, 23. April 2017, 18:03:25 CEST schrieb Amos Jeffries:
> You appear not to be using curl correctly.
> 

> Test #1 and #3 show that curl is probably sending the https:// requests
> through port 8080 on your proxy as a CONNECT request. Check that in your
> Squid log to confirm.

I wasn't aware of that thx, but nevertheless the problem still exists


curl -x 'proxy:8443'  https://www.google.de
  curl: (56) Recv failure: Connection reset by peer
# no log entry
curl -x 'proxy:8443'  http://www.google.de
  curl: (56) Recv failure: Connection reset by peer
# no log entry

curl -x 'proxy:8080'  http://www.google.de
  # no output
[23/Apr/2017:19:28:53 +] "GET http://www.google.de/ HTTP/1.1" 301 206 "-" "curl/7.47.0" TCP_DENIED:HIER_NONE

curl -x 'proxy:8080'  https://www.google.de
  # works
[23/Apr/2017:19:29:27 +] "CONNECT www.google.de:443 HTTP/1.1" 200 15157 "-" "curl/7.47.0" TCP_TUNNEL:HIER_DIRECT


The corresponding tcpdumps are here to be found: https://nopaste.me/view/1e07d687



Re: [squid-users] https_port Connection reset by peer; http_port works

2017-04-23 Thread Alex Rousskov
On 04/23/2017 10:03 AM, Amos Jeffries wrote:

> you cannot rely on non-Browser tools like curl supporting [https_proxy 
> environment variable].

... and to tell curl to use an HTTPS proxy (instead of an HTTP proxy),
use "https://" as the proxy scheme (instead of "http://" or no scheme at
all): https://daniel.haxx.se/blog/2016/11/26/https-proxy-with-curl/

HTH,

Alex.



[squid-users] https_port ... tls-cert=... missing the chain in the handshake

2022-03-29 Thread HoverHell
Trying to set up a non-transparent forward proxy with TLS,
using squid 4.10-1ubuntu1.5 (ubuntu 20.04)
config line
`https_port 12345 tls-cert=/etc/letsencrypt/.../fullchain.pem tls-key=/etc/letsencrypt/.../privkey.pem`
When establishing a TLS connection to that port, squid seems to return only
the domain certificate from the certificate chain:

$ openssl s_client -showcerts -connect hostname:12345 | grep -v '^[A-Za-z0-9]'
depth=0 CN = ...
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = ...
verify error:num=21:unable to verify the first certificate
verify return:1
---
0 s:CN = ...
  i:C = US, O = Let's Encrypt, CN = R3
-BEGIN CERTIFICATE-
-END CERTIFICATE-

While nginx, using the same pair of files, works correctly:

$ openssl s_client -showcerts -connect hostname:443 | grep -v '^[A-Za-z0-9]'
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = ...
verify return:1
---
0 s:CN = ...
  i:C = US, O = Let's Encrypt, CN = R3
-BEGIN CERTIFICATE-
-END CERTIFICATE-
1 s:C = US, O = Let's Encrypt, CN = R3
  i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
-BEGIN CERTIFICATE-
-END CERTIFICATE-
2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
  i:O = Digital Signature Trust Co., CN = DST Root CA X3
-BEGIN CERTIFICATE-
-END CERTIFICATE-

Am I missing some configuration option, or is this a squid4 bug?
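An added example (not from this thread, nor from Squid or OpenSSL) that parses the non-PEM lines of `openssl s_client -showcerts` output like the two listings above and reports whether the server sent its intermediate, which is the check both this thread and Dan Steen's thread earlier on the page needed. Both sample outputs are constructed from the excerpts above with a placeholder hostname.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Constructed from the thread's excerpts; the hostname is a placeholder.
# Output as seen from the Squid https_port: only the leaf certificate is sent.
SQUID_OUTPUT = """\
depth=0 CN = proxy.example.net
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = proxy.example.net
verify error:num=21:unable to verify the first certificate
verify return:1
---
0 s:CN = proxy.example.net
  i:C = US, O = Let's Encrypt, CN = R3
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
"""
# Output from nginx serving the same fullchain.pem: leaf plus intermediate.
NGINX_OUTPUT = """\
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = proxy.example.net
verify return:1
---
0 s:CN = proxy.example.net
  i:C = US, O = Let's Encrypt, CN = R3
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
1 s:C = US, O = Let's Encrypt, CN = R3
  i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
"""

CERT_RE = re.compile(r"^\s*(\d+) s:(.*)$")           # "0 s:CN = ..." chain entry
ISSUER_RE = re.compile(r"^\s+i:(.*)$")               # "  i:C = US, ..." issuer of that entry
ERR_RE = re.compile(r"^verify error:num=(\d+):(.*)$")


@dataclass
class ChainReport:
    certs_sent: int = 0                 # how many certificates the server presented
    verify_errors: List[str] = field(default_factory=list)   # unique "num:text" entries
    leaf_subject: str = ""
    leaf_issuer: str = ""

    @property
    def chain_complete(self) -> bool:
        # A single certificate plus verify errors 20/21 is the signature of a
        # server that sends only its own cert and leaves the intermediate out.
        return self.certs_sent > 1 and not self.verify_errors


def parse_s_client(output: str) -> ChainReport:
    """Parse the non-PEM lines of `openssl s_client -showcerts` output."""
    report = ChainReport()
    subjects, issuers = [], []
    for line in output.splitlines():
        if m := CERT_RE.match(line):
            subjects.append(m.group(2).strip())
        elif m := ISSUER_RE.match(line):
            issuers.append(m.group(1).strip())
        elif m := ERR_RE.match(line):
            err = f"{m.group(1)}:{m.group(2).strip()}"
            if err not in report.verify_errors:
                report.verify_errors.append(err)
    report.certs_sent = len(subjects)
    if subjects:
        report.leaf_subject = subjects[0]
        report.leaf_issuer = issuers[0] if issuers else ""
    return report


def diagnose(report: ChainReport) -> str:
    """One-line verdict a practitioner can act on."""
    if report.chain_complete:
        return f"ok: {report.certs_sent} certificates sent and the chain verifies"
    if report.certs_sent == 1:
        return (f"incomplete chain: only the leaf '{report.leaf_subject}' was sent; "
                f"its issuer '{report.leaf_issuer}' is missing from the handshake")
    return "verification failed: " + "; ".join(report.verify_errors)


if __name__ == "__main__":
    print("squid:", diagnose(parse_s_client(SQUID_OUTPUT)))
    print("nginx:", diagnose(parse_s_client(NGINX_OUTPUT)))
```

Pipe real `openssl s_client -showcerts` output into `parse_s_client` to tell a missing intermediate (one cert, errors 20 and 21) apart from a genuinely untrusted issuer.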