[squid-users] cafile and capath not working as expected with SSL bump

2016-06-29 Thread Bruce Rosenberg
Hi, I'm using squid 3.5.19 on RHEL6 and have configured SSL bump, which for the most part is working great. The issue I have is I need to install some additional CA certs that are not provided by the ca-certificates-2015 RPM in the /etc/pki/tls/cert.pem file (symlinked to /etc/pki/tls/certs/ca-bun

Re: [squid-users] cafile and capath not working as expected with SSL bump

2016-06-29 Thread Bruce Rosenberg
Ah, after reading your reply that makes perfect sense. Thanks so much Amos, you nailed it.

On Thu, Jun 30, 2016 at 12:17 AM, Amos Jeffries wrote:
> On 29/06/2016 10:01 p.m., Bruce Rosenberg wrote:
> > Hi,
> >
> > I'm using squid 3.5.19 on RHEL6 and have configured

Re: [squid-users] sslproxyflags DONT_VERIFY_PEER

2016-08-03 Thread Bruce Rosenberg
It looks like you are missing the Verisign Class 3 Public Primary Root cert. Notice the certificate chain list below. Yahoo correctly sends back all intermediate certificates in the TLS handshake, so the only certificate you need to make sure squid trusts (via openssl) is the Verisign root. You shou

Re: [squid-users] sslproxyflags DONT_VERIFY_PEER

2016-08-03 Thread Bruce Rosenberg
> missing. However, our Smoothwall Express OS has all the standard root CAs
> package found in /usr/ssl/certs. Do I need to tell squid where to find
> those certs? If so, what config directive would I use for that?
>
> Thanks!
>
> On Wed, Aug 3, 2016 at 8:05 PM, Bruce Rosenberg

Re: [squid-users] ssl_bump with intermediate CA

2017-01-05 Thread Bruce Rosenberg
The cafile option specifies the "chain" file squid should send back to the client along with the cert, exactly as you would normally do with Apache httpd or Nginx. In the example the generated server cert is depth 0, CA2 is depth 1 and CA1 is depth 2. If the client has CA1 installed as a trust anch

Re: [squid-users] IPVS/LVS load balancing Squid servers, anyone did it?

2020-08-26 Thread Bruce Rosenberg
Hi Eliezer, We are running a couple of Squid proxies (the real servers) in front of a pair of LVS servers with keepalived and it works flawlessly. The 2 x Squid proxies are active / active and the LVS servers are active / passive. If a Squid proxy dies the remaining proxy takes all the traffic. If

Re: [squid-users] IPVS/LVS load balancing Squid servers, anyone did it?

2020-08-27 Thread Bruce Rosenberg
Hi Amos,

Sure, please add it. Always nice to contribute a little bit :)

Cheers,
Bruce

On Thu, Aug 27, 2020 at 8:30 PM Amos Jeffries wrote:
> Nice writeup. Do you mind if I add this to the Squid wiki as an example
> for high-performance proxying?
>
> Amos

Re: [squid-users] custom DNS resolver scripts? (was: Re: Is it possible to force some dstdomain to ipv4) protocol without define an outgoing ip address ?

2021-06-09 Thread Bruce Rosenberg
You could run unbound on the squid host (or elsewhere) and use this config to drop all requests. It utilises unbound's ability to include custom python scripts. https://github.com/berstend/unbound-no- Configure unbound to forward all other DNS requests to your existing nameservers and re