Here are my entries for ssl-bump:

http_port 3128
http_port 3129 intercept
https_port 3130 intercept ssl-bump connection-auth=off generate-host-certificates=on dynamic_cert_mem_cache_size=16MB cert=/etc/squid/ssl/squid.pem key=/etc/squid/ssl/squid.key

In many cases you will need to recreate the certificates, as copying them over does not always work, or they are tied to that specific machine via encryption.

Also, it helps to set the proxy to different ports such as 3128 or 8080 instead of trying to use 80 and 443, as those are for server-based websites, not proxies, and this generally causes more problems in the long run. Most servers see an incoming connection to port 80 or 443 and try to respond via Apache.


Mike


On 6/29/2014 1:30 PM, John Gardner wrote:
I wonder if some of you can help me in figuring out an issue.  For the
last three years, we've had a Squid Reverse Proxy running on
Oracle Linux 5 (64 bit) with version 2.6 of Squid (which came with the
distro) and it's been a total success and never missed a beat.

Now, I realised that this version is getting old so I thought I would
install a more recent version and get some more features as well.
I installed the 32 bit version of Eliezer's 3.4.3 RPM and managed to
get everything back up and running successfully.  However, when
I was testing this environment I noticed that every so often in the
log I got a FATAL: Received Segment Violation...dying. message and
then Squid just stopped responding. So, I then decided to build a
version 6 Oracle Linux instance and then install the 64 bit 3.4.3 RPM
on it, copying over all of the config and certificates.

Now I've got a new problem, although Squid now starts successfully
when I only put http_port into the squid.conf, when I add https_port
entries I get the following message;

FATAL: No valid signing SSL certificate configured for https_port
10.x.x.95:443 and Squid terminates.

Does anyone know why I'm getting this issue?  Would it be because in
moving from OEL 5 to OEL 6 I've also moved from OpenSSL 0.98 to
OpenSSL 1.0 and the certificate formats are now different or is it
something else?

All help greatly appreciated.

John
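
Added example, not part of either message: a POSIX shell check that a certificate and key of the kind named in the cert= and key= options parse with the local OpenSSL build and belong together, for use after copying or recreating them. The function names and the self-signed test pair are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Helper names are hypothetical.

# Create a throwaway self-signed pair: <prefix>.pem and <prefix>.key.
# Constructed test material only, valid for 30 days.
make_constructed_pair() {
    openssl req -new -newkey rsa:2048 -sha256 -days 30 -nodes -x509 \
        -subj "/CN=constructed-test-cert" \
        -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

# Return 0 when the certificate and key both parse, match each other and
# the certificate has not expired; otherwise print the reason and
# return a distinct code (2-5).
check_cert_key() {
    cert=$1; key=$2

    # The certificate must be readable PEM for this OpenSSL version.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) ||
        { echo "cannot parse certificate: $cert"; return 2; }

    # "-passin pass:" keeps the check non-interactive: a key protected
    # by a passphrase fails here instead of prompting.
    key_pub=$(openssl pkey -in "$key" -passin pass: -pubout 2>/dev/null) ||
        { echo "cannot read private key (unparseable or encrypted): $key"; return 3; }

    # The public key in the certificate must be the one derived from the key file.
    [ "$cert_pub" = "$key_pub" ] ||
        { echo "private key does not match certificate"; return 4; }

    # -checkend 0 fails when the certificate is already past notAfter.
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 ||
        { echo "certificate has expired"; return 5; }

    echo "ok: $cert and $key load and match"
    return 0
}

# Stand-alone use: sh check.sh /etc/squid/ssl/squid.pem /etc/squid/ssl/squid.key
if [ $# -eq 2 ]; then
    check_cert_key "$1" "$2"
fi
```

Running the check on the new host before starting Squid separates an unreadable or mismatched file from a configuration problem in squid.conf itself.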

