Netgate Discussion Forum

    Squid3-dev 3.3.10 pkg 2.2.1 & transparent ssl

    pfSense Packages
    8 Posts 3 Posters 1.6k Views
    drsbaitso

      I can't seem to get the SSL filter working.  I've installed the package, set up an internal CA, think I have everything set correctly but I keep getting certificate errors.

      Am I missing a step?  Does squidGuard have to be installed as well for this to work?  I figured I'd test the proxy first.


        drsbaitso

        Forgot to add… I also installed the CA on the local machine.


          marcelloc

          Test squid first, then squidguard

          A great way to test squid is squid -v or squid -k parse on console.

          Elite Training: http://sys-squad.com

          Help a community developer! ;D


            drsbaitso

            I still get an untrusted connection even though I've installed the firewall as a CA.

            squid -v
            Squid Cache: Version 3.3.10
            configure options:  '--with-default-user=squid' '--bindir=/usr/pbi/squid-i386/sbin' '--sbindir=/usr/pbi/squid-i386/sbin' '--datadir=/usr/pbi/squid-i386/etc/squid' '--libexecdir=/usr/pbi/squid-i386/libexec/squid' '--localstatedir=/var' '--sysconfdir=/usr/pbi/squid-i386/etc/squid' '--with-logdir=/var/log/squid' '--with-pidfile=/var/run/squid/squid.pid' '--with-swapdir=/var/squid/cache/squid' '--enable-auth' '--enable-build-info' '--enable-loadable-modules' '--enable-removal-policies=lru heap' '--disable-epoll' '--disable-linux-netfilter' '--disable-linux-tproxy' '--disable-translation' '--enable-auth-basic=DB MSNT MSNT-multi-domain NCSA PAM POP3 RADIUS  fake getpwnam LDAP NIS' '--enable-auth-digest=file' '--enable-external-acl-helpers=file_userip time_quota unix_group LDAP_group' '--enable-auth-negotiate=kerberos wrapper' '--enable-auth-ntlm=fake smb_lm' '--enable-storeio=diskd rock ufs aufs' '--enable-disk-io=AIO Blocking DiskDaemon IpcIo Mmapped DiskThreads' '--enable-log-daemon-helpers=file' '--enable-url-rewrite-helpers=fake' '--enable-delay-pools' '--enable-ssl' '--with-openssl=/usr' '--enable-ssl-crtd' '--enable-icmp' '--enable-htcp' '--disable-forw-via-db' '--enable-cache-digests' '--enable-wccp' '--enable-wccpv2' '--enable-eui' '--disable-ipfw-transparent' '--enable-pf-transparent' '--disable-ipf-transparent' '--enable-follow-x-forwarded-for' '--disable-ecap' '--enable-icap-client' '--disable-esi' '--enable-kqueue' '--with-large-files' '--prefix=/usr/pbi/squid-i386' '--mandir=/usr/pbi/squid-i386/man' '--infodir=/usr/pbi/squid-i386/info/' '--build=i386-portbld-freebsd8.3' 'build_alias=i386-portbld-freebsd8.3' 'CC=cc' 'CFLAGS=-O2 -pipe -I/usr/pbi/squid-i386/include -I/usr/include -DLDAP_DEPRECATED -fno-strict-aliasing' 'LDFLAGS= -L/usr/pbi/squid-i386/lib -pthread -Wl,-rpath=/usr/lib:/usr/pbi/squid-i386/lib -L/usr/lib' 'CPPFLAGS=' 'CXX=c++' 'CXXFLAGS=-O2 -pipe -I/usr/pbi/squid-i386/include -I/usr/include -DLDAP_DEPRECATED -fno-strict-aliasing' 'CPP=cpp' --enable-ltdl-convenience
            
            
            squid -k parse
            2014/03/21 09:11:21| Startup: Initializing Authentication Schemes ...
            2014/03/21 09:11:21| Startup: Initialized Authentication Scheme 'basic'
            2014/03/21 09:11:21| Startup: Initialized Authentication Scheme 'digest'
            2014/03/21 09:11:21| Startup: Initialized Authentication Scheme 'negotiate'
            2014/03/21 09:11:21| Startup: Initialized Authentication Scheme 'ntlm'
            2014/03/21 09:11:21| Startup: Initialized Authentication.
            2014/03/21 09:11:21| Processing Configuration File: /usr/pbi/squid-i386/etc/squid/squid.conf (depth 0)
            2014/03/21 09:11:21| Processing: http_port 192.168.1.254:3128
            2014/03/21 09:11:21| Processing: http_port 127.0.0.1:3128 intercept
            2014/03/21 09:11:21| Starting Authentication on port 127.0.0.1:3128
            2014/03/21 09:11:21| Disabling Authentication on port 127.0.0.1:3128 (interception enabled)
            2014/03/21 09:11:21| Disabling IPv6 on port 127.0.0.1:3128 (interception enabled)
            2014/03/21 09:11:21| Processing: icp_port 7
            2014/03/21 09:11:21| Processing: dns_v4_first on
            2014/03/21 09:11:21| Processing: pid_filename /var/run/squid.pid
            2014/03/21 09:11:21| Processing: cache_effective_user proxy
            2014/03/21 09:11:21| Processing: cache_effective_group proxy
            2014/03/21 09:11:21| Processing: error_default_language en
            2014/03/21 09:11:21| Processing: icon_directory /usr/pbi/squid-i386/etc/squid/icons
            2014/03/21 09:11:21| Processing: visible_hostname pfsense
            2014/03/21 09:11:21| Processing: cache_mgr admin@localhost
            2014/03/21 09:11:21| Processing: access_log /var/squid/logs/access.log
            2014/03/21 09:11:21| Processing: cache_log /var/squid/logs/cache.log
            2014/03/21 09:11:21| Processing: cache_store_log none
            2014/03/21 09:11:21| Processing: logfile_rotate 0
            2014/03/21 09:11:21| Processing: shutdown_lifetime 3 seconds
            2014/03/21 09:11:21| Processing: acl localnet src  192.168.1.0/24
            2014/03/21 09:11:21| Processing: uri_whitespace strip
            2014/03/21 09:11:21| Processing: acl dynamic urlpath_regex cgi-bin \?
            2014/03/21 09:11:21| Processing: cache deny dynamic
            2014/03/21 09:11:21| Processing: cache_mem 8 MB
            2014/03/21 09:11:21| Processing: maximum_object_size_in_memory 32 KB
            2014/03/21 09:11:21| Processing: memory_replacement_policy heap GDSF
            2014/03/21 09:11:21| Processing: cache_replacement_policy heap LFUDA
            2014/03/21 09:11:21| Processing: minimum_object_size 0 KB
            2014/03/21 09:11:21| Processing: maximum_object_size 10 KB
            2014/03/21 09:11:21| Processing: offline_mode off
            2014/03/21 09:11:21| Processing: cache allow all
            2014/03/21 09:11:21| Processing: acl allsrc src all
            2014/03/21 09:11:21| Processing: acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901  3128 3127 1025-65535
            2014/03/21 09:11:21| Processing: acl sslports port 443 563
            2014/03/21 09:11:21| Processing: acl purge method PURGE
            2014/03/21 09:11:21| Processing: acl connect method CONNECT
            2014/03/21 09:11:21| Processing: acl HTTP proto HTTP
            2014/03/21 09:11:21| Processing: acl HTTPS proto HTTPS
            2014/03/21 09:11:21| Processing: http_access allow manager localhost
            2014/03/21 09:11:21| Processing: http_access deny manager
            2014/03/21 09:11:21| Processing: http_access allow purge localhost
            2014/03/21 09:11:21| Processing: http_access deny purge
            2014/03/21 09:11:21| Processing: http_access deny !safeports
            2014/03/21 09:11:21| Processing: http_access deny CONNECT !sslports
            2014/03/21 09:11:21| Processing: request_body_max_size 0 KB
            2014/03/21 09:11:21| Processing: delay_pools 1
            2014/03/21 09:11:21| Processing: delay_class 1 2
            2014/03/21 09:11:21| Processing: delay_parameters 1 -1/-1 -1/-1
            2014/03/21 09:11:21| Processing: delay_initial_bucket_level 100
            2014/03/21 09:11:21| Processing: delay_access 1 allow allsrc
            2014/03/21 09:11:21| Processing: http_access allow localnet
            2014/03/21 09:11:21| Processing: http_access deny allsrc
            2014/03/21 09:11:21| Initializing https proxy context


              bellera
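An added example (not code from the thread) for the check marcelloc recommends: a small sh helper that sifts `squid -k parse` output, modelled on the lines drsbaitso posted, into a short verdict instead of reading sixty raw lines. The sample log is constructed, with one made-up WARNING line so the failure path is exercised.

```shell
#!/bin/sh
# Added example, not code from the thread. Squid echoes each accepted directive
# as "<timestamp>| Processing: <directive> ..." and reports problems as
# WARNING/ERROR/FATAL lines, so a config that "parses" can still carry
# warnings that explain odd behaviour. Feed it: squid -k parse 2>&1

# Constructed sample modelled on the output posted in the thread, plus one
# made-up WARNING line so the failure path is exercised.
SAMPLE_LOG='2014/03/21 09:11:21| Processing Configuration File: /usr/pbi/squid-i386/etc/squid/squid.conf (depth 0)
2014/03/21 09:11:21| Processing: http_port 192.168.1.254:3128
2014/03/21 09:11:21| Processing: http_port 127.0.0.1:3128 intercept
2014/03/21 09:11:21| Disabling Authentication on port 127.0.0.1:3128 (interception enabled)
2014/03/21 09:11:21| Processing: acl localnet src  192.168.1.0/24
2014/03/21 09:11:21| Processing: http_access deny allsrc
2014/03/21 09:11:21| WARNING: constructed placeholder warning for this example
2014/03/21 09:11:21| Initializing https proxy context'

# count_directives LOG: how many directives Squid actually processed
count_directives() {
    printf '%s\n' "$1" | grep -c '| Processing: ' || true
}

# directive_present LOG NAME: succeeds if a directive called NAME was processed
directive_present() {
    printf '%s\n' "$1" | grep -q "| Processing: $2 "
}

# problem_count LOG: number of WARNING/ERROR/FATAL lines
problem_count() {
    printf '%s\n' "$1" | grep -cE '\| (WARNING|ERROR|FATAL)' || true
}

# parse_verdict LOG: prints a summary and the offending lines;
# returns 0 when clean, 1 when something needs a look
parse_verdict() {
    log=$1
    echo "directives parsed: $(count_directives "$log")"
    directive_present "$log" http_port && echo "http_port: present" || echo "http_port: MISSING"
    if [ "$(problem_count "$log")" -eq 0 ]; then
        echo "no warnings or errors"
        return 0
    fi
    echo "lines to review:"
    printf '%s\n' "$log" | grep -E '\| (WARNING|ERROR|FATAL)'
    return 1
}
```

On a live box run `parse_verdict "$(squid -k parse 2>&1)"`; the `2>&1` matters because Squid writes these lines to stderr.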

              Try to unselect the option Certificate adapt.

              I'm implementing squid3-devel. I have a test installation without this option.


                drsbaitso

                @bellera:

                Try to unselect the option Certificate adapt.

                I'm implementing squid3-devel. I have a test installation without this option.

                Bam, that did it.  Thank you.


                  drsbaitso

                  Ok, but now it seems that the error pages are all coming up as HTTPS and the IP of my FW.

                  How do I make the error pages show up as http or use the FQDN of the firewall, which is secured with a legit SSL cert?


                    bellera

                    I looked at squid.conf and it's using only error_default_language directive.

                    I found only one other squid directive for error pages:

                    http://www.squid-cache.org/Doc/config/error_directory/

                    But it doesn't help to solve the problem that you told us.

                    I think the only solution is to modify the files at /usr/local/etc/squid/errors/en/ (en, if you use English) and put a redirect code to an alternative URL. Example:

                    This will show http://www.yourdomain.tld/access_denied.html to the user.
