Hi,
I'm using squid 3.5.19 on RHEL6 and have configured SSL bump, which for the
most part is working great.
The issue I have is I need to install some additional CA certs that are not
provided by the ca-certificates-2015 RPM in the /etc/pki/tls/cert.pem file
(symlinked to /etc/pki/tls/certs/ca-bun
Ah, after reading your reply that makes perfect sense.
Thanks so much Amos, you nailed it.
On Thu, Jun 30, 2016 at 12:17 AM, Amos Jeffries
wrote:
> On 29/06/2016 10:01 p.m., Bruce Rosenberg wrote:
> > Hi,
> >
> > I'm using squid 3.5.19 on RHEL6 and have configured
It looks like you are missing the Verisign Class 3 Public Primary Root cert.
Notice the certificate chain list below.
Yahoo correctly sends back all intermediate certificates in the TLS
handshake so the only certificate you need to make sure squid trusts (via
openssl) is the Verisign root.
You shou
> missing. However, our Smoothwall Express OS has all the standard root CAs
> package found in /usr/ssl/certs. Do I need to tell squid where to find
> those certs? If so, what config directive would I use for that?
>
> Thanks!
>
> On Wed, Aug 3, 2016 at 8:05 PM, Bruce Rosenberg
The cafile option specifies the "chain" file squid should send back to the
client along with the cert, exactly as you would normally do with Apache
httpd or Nginx.
In the example the generated server cert is depth 0, CA2 is depth 1 and CA1
is depth 2.
If the client has CA1 installed as a trust anch
Hi Eliezer,
We are running a couple of Squid proxies (the real servers) in front of a
pair of LVS servers with keepalived and it works flawlessly.
The 2 x Squid proxies are active / active and the LVS servers are active /
passive.
If a Squid proxy dies the remaining proxy takes all the traffic.
If
Hi Amos,
Sure, please add it.
Always nice to contribute a little bit :)
Cheers,
Bruce
On Thu, Aug 27, 2020 at 8:30 PM Amos Jeffries wrote:
> Nice writeup. Do you mind if I add this to the Squid wiki as an example
> for high-performance proxying?
>
>
> Amos
You could run unbound on the squid host (or elsewhere) and use this config
to drop all requests.
It utilises unbound's ability to include custom python scripts.
https://github.com/berstend/unbound-no-
Configure unbound to forward all other DNS requests to your existing
nameservers and re