Squid3-dev 3.3.10 pkg 2.2.1 & transparent ssl
-
I can't seem to get the SSL filter working. I've installed the package and set up an internal CA, and I think I have everything set correctly, but I keep getting certificate errors.
Am I missing a step? Does squidGuard have to be installed as well for this to work? I figured I'd test the proxy first.
-
Forgot to add… I also installed the CA on the local machine.
-
Test squid first, then squidguard
A great way to test squid is squid -v or squid -k parse on the console.
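As an added example (not from the original thread), here is a small POSIX shell check that reads the output of `squid -k parse` and flags two things the thread cares about: any FATAL/ERROR/WARNING lines, and whether any listening port actually carries `ssl-bump`, without which intercepted HTTPS is not decrypted or filtered at all. The log lines used to exercise it are constructed from the format shown in the thread; the function name and exit codes are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original thread.
# Usage: squid -k parse 2>&1 | check_parse_log
# Exit status is a bit mask: 1 = FATAL/ERROR lines seen, 2 = no ssl-bump port.
check_parse_log() {
  log="$(cat)"
  rc=0

  # Squid 3.x prefixes diagnostics as "YYYY/MM/DD HH:MM:SS| ERROR: ..." etc.
  if printf '%s\n' "$log" | grep -qE '[|] *(FATAL|ERROR)'; then
    printf '%s\n' "$log" | grep -E '[|] *(FATAL|ERROR)' >&2
    rc=$((rc | 1))
  fi

  # Warnings are worth reading but do not fail the check.
  printf '%s\n' "$log" | grep -E '[|] *WARNING' >&2 || true

  # The parse log echoes every config line as "Processing: <directive> ...";
  # a transparent HTTPS filter needs an http_port/https_port with ssl-bump.
  if ! printf '%s\n' "$log" | grep -qE 'Processing: https?_port .*ssl-bump'; then
    echo "no http_port/https_port with ssl-bump: HTTPS will not be filtered" >&2
    rc=$((rc | 2))
  fi

  return $rc
}
```

Run against the parse output posted above it would report the missing ssl-bump port, which matches the symptom: with only `http_port 127.0.0.1:3128 intercept` configured, the proxy is not bumping TLS at all.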
-
I still get an untrusted connection even though I've installed the firewall as a CA.
squid -v
Squid Cache: Version 3.3.10
configure options: '--with-default-user=squid' '--bindir=/usr/pbi/squid-i386/sbin' '--sbindir=/usr/pbi/squid-i386/sbin' '--datadir=/usr/pbi/squid-i386/etc/squid' '--libexecdir=/usr/pbi/squid-i386/libexec/squid' '--localstatedir=/var' '--sysconfdir=/usr/pbi/squid-i386/etc/squid' '--with-logdir=/var/log/squid' '--with-pidfile=/var/run/squid/squid.pid' '--with-swapdir=/var/squid/cache/squid' '--enable-auth' '--enable-build-info' '--enable-loadable-modules' '--enable-removal-policies=lru heap' '--disable-epoll' '--disable-linux-netfilter' '--disable-linux-tproxy' '--disable-translation' '--enable-auth-basic=DB MSNT MSNT-multi-domain NCSA PAM POP3 RADIUS fake getpwnam LDAP NIS' '--enable-auth-digest=file' '--enable-external-acl-helpers=file_userip time_quota unix_group LDAP_group' '--enable-auth-negotiate=kerberos wrapper' '--enable-auth-ntlm=fake smb_lm' '--enable-storeio=diskd rock ufs aufs' '--enable-disk-io=AIO Blocking DiskDaemon IpcIo Mmapped DiskThreads' '--enable-log-daemon-helpers=file' '--enable-url-rewrite-helpers=fake' '--enable-delay-pools' '--enable-ssl' '--with-openssl=/usr' '--enable-ssl-crtd' '--enable-icmp' '--enable-htcp' '--disable-forw-via-db' '--enable-cache-digests' '--enable-wccp' '--enable-wccpv2' '--enable-eui' '--disable-ipfw-transparent' '--enable-pf-transparent' '--disable-ipf-transparent' '--enable-follow-x-forwarded-for' '--disable-ecap' '--enable-icap-client' '--disable-esi' '--enable-kqueue' '--with-large-files' '--prefix=/usr/pbi/squid-i386' '--mandir=/usr/pbi/squid-i386/man' '--infodir=/usr/pbi/squid-i386/info/' '--build=i386-portbld-freebsd8.3' 'build_alias=i386-portbld-freebsd8.3' 'CC=cc' 'CFLAGS=-O2 -pipe -I/usr/pbi/squid-i386/include -I/usr/include -DLDAP_DEPRECATED -fno-strict-aliasing' 'LDFLAGS= -L/usr/pbi/squid-i386/lib -pthread -Wl,-rpath=/usr/lib:/usr/pbi/squid-i386/lib -L/usr/lib' 'CPPFLAGS=' 'CXX=c++' 'CXXFLAGS=-O2 -pipe -I/usr/pbi/squid-i386/include -I/usr/include -DLDAP_DEPRECATED -fno-strict-aliasing' 'CPP=cpp' --enable-ltdl-convenience

squid -k parse
2014/03/21 09:11:21| Startup: Initializing Authentication Schemes ...
2014/03/21 09:11:21| Startup: Initialized Authentication Scheme 'basic'
2014/03/21 09:11:21| Startup: Initialized Authentication Scheme 'digest'
2014/03/21 09:11:21| Startup: Initialized Authentication Scheme 'negotiate'
2014/03/21 09:11:21| Startup: Initialized Authentication Scheme 'ntlm'
2014/03/21 09:11:21| Startup: Initialized Authentication.
2014/03/21 09:11:21| Processing Configuration File: /usr/pbi/squid-i386/etc/squid/squid.conf (depth 0)
2014/03/21 09:11:21| Processing: http_port 192.168.1.254:3128
2014/03/21 09:11:21| Processing: http_port 127.0.0.1:3128 intercept
2014/03/21 09:11:21| Starting Authentication on port 127.0.0.1:3128
2014/03/21 09:11:21| Disabling Authentication on port 127.0.0.1:3128 (interception enabled)
2014/03/21 09:11:21| Disabling IPv6 on port 127.0.0.1:3128 (interception enabled)
2014/03/21 09:11:21| Processing: icp_port 7
2014/03/21 09:11:21| Processing: dns_v4_first on
2014/03/21 09:11:21| Processing: pid_filename /var/run/squid.pid
2014/03/21 09:11:21| Processing: cache_effective_user proxy
2014/03/21 09:11:21| Processing: cache_effective_group proxy
2014/03/21 09:11:21| Processing: error_default_language en
2014/03/21 09:11:21| Processing: icon_directory /usr/pbi/squid-i386/etc/squid/icons
2014/03/21 09:11:21| Processing: visible_hostname pfsense
2014/03/21 09:11:21| Processing: cache_mgr admin@localhost
2014/03/21 09:11:21| Processing: access_log /var/squid/logs/access.log
2014/03/21 09:11:21| Processing: cache_log /var/squid/logs/cache.log
2014/03/21 09:11:21| Processing: cache_store_log none
2014/03/21 09:11:21| Processing: logfile_rotate 0
2014/03/21 09:11:21| Processing: shutdown_lifetime 3 seconds
2014/03/21 09:11:21| Processing: acl localnet src 192.168.1.0/24
2014/03/21 09:11:21| Processing: uri_whitespace strip
2014/03/21 09:11:21| Processing: acl dynamic urlpath_regex cgi-bin \?
2014/03/21 09:11:21| Processing: cache deny dynamic
2014/03/21 09:11:21| Processing: cache_mem 8 MB
2014/03/21 09:11:21| Processing: maximum_object_size_in_memory 32 KB
2014/03/21 09:11:21| Processing: memory_replacement_policy heap GDSF
2014/03/21 09:11:21| Processing: cache_replacement_policy heap LFUDA
2014/03/21 09:11:21| Processing: minimum_object_size 0 KB
2014/03/21 09:11:21| Processing: maximum_object_size 10 KB
2014/03/21 09:11:21| Processing: offline_mode off
2014/03/21 09:11:21| Processing: cache allow all
2014/03/21 09:11:21| Processing: acl allsrc src all
2014/03/21 09:11:21| Processing: acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901 3128 3127 1025-65535
2014/03/21 09:11:21| Processing: acl sslports port 443 563
2014/03/21 09:11:21| Processing: acl purge method PURGE
2014/03/21 09:11:21| Processing: acl connect method CONNECT
2014/03/21 09:11:21| Processing: acl HTTP proto HTTP
2014/03/21 09:11:21| Processing: acl HTTPS proto HTTPS
2014/03/21 09:11:21| Processing: http_access allow manager localhost
2014/03/21 09:11:21| Processing: http_access deny manager
2014/03/21 09:11:21| Processing: http_access allow purge localhost
2014/03/21 09:11:21| Processing: http_access deny purge
2014/03/21 09:11:21| Processing: http_access deny !safeports
2014/03/21 09:11:21| Processing: http_access deny CONNECT !sslports
2014/03/21 09:11:21| Processing: request_body_max_size 0 KB
2014/03/21 09:11:21| Processing: delay_pools 1
2014/03/21 09:11:21| Processing: delay_class 1 2
2014/03/21 09:11:21| Processing: delay_parameters 1 -1/-1 -1/-1
2014/03/21 09:11:21| Processing: delay_initial_bucket_level 100
2014/03/21 09:11:21| Processing: delay_access 1 allow allsrc
2014/03/21 09:11:21| Processing: http_access allow localnet
2014/03/21 09:11:21| Processing: http_access deny allsrc
2014/03/21 09:11:21| Initializing https proxy context
-
Try unselecting the option "Certificate adapt".
I'm implementing squid3-devel. I have a test installation without this option.
-
Bam, that did it. Thank you.
-
OK, but now it seems that the error pages are all coming up as HTTPS on the IP of my FW.
How do I make the error pages show up as HTTP, or use the FQDN of the firewall, which is secured with a legit SSL cert?
-
I looked at squid.conf and it's using only the error_default_language directive.
I found only one other squid directive for error pages:
http://www.squid-cache.org/Doc/config/error_directory/
But it doesn't help solve the problem you described.
I think the only solution is to modify the files at /usr/local/etc/squid/errors/en/ (en, if you use English) and put a redirect code to an alternative URL. Example:
This will show http://www.yourdomain.tld/access_denied.html to the user.
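An added example of the template edit suggested above (this is not code from the thread or from the pfSense package): a POSIX shell snippet that backs up one of Squid's error templates in the directory named in the post and replaces it with a page that immediately redirects to an HTTP URL. The target URL, the `ERR_DIR`/`TARGET_URL` variables and the `RUN_EXAMPLE` switch are placeholders for this example; `ERR_ACCESS_DENIED` is the name of Squid's standard access-denied template.

```shell
#!/bin/sh
# Added example, not part of the original thread.
# Replaces a Squid error template with a meta-refresh redirect so users land
# on a plain-HTTP page (or a host with a valid certificate) instead of an
# HTTPS error page served from the firewall's IP.
ERR_DIR="${ERR_DIR:-/usr/local/etc/squid/errors/en}"                 # path from the thread
TARGET_URL="${TARGET_URL:-http://www.yourdomain.tld/access_denied.html}"  # placeholder

# Emit the replacement template. Squid expands %U to the requested URL when
# it renders a template, so the page can still say what was blocked.
make_redirect_page() {
  url="$1"
  printf '%s\n' \
    '<!DOCTYPE html>' \
    '<html><head><meta charset="utf-8">' \
    "<meta http-equiv=\"refresh\" content=\"0; url=$url\">" \
    '<title>Access denied</title></head>' \
    "<body><p>Access to %U was denied; redirecting to <a href=\"$url\">$url</a>.</p></body></html>"
}

# Keep a one-time backup (name.orig) of the shipped template, then overwrite it.
install_template() {
  dir="$1"; name="$2"; url="$3"
  f="$dir/$name"
  if [ -f "$f" ] && [ ! -f "$f.orig" ]; then
    cp "$f" "$f.orig"
  fi
  make_redirect_page "$url" > "$f"
}

# Only touch the real template directory when explicitly asked.
if [ "${RUN_EXAMPLE:-0}" = 1 ]; then
  install_template "$ERR_DIR" ERR_ACCESS_DENIED "$TARGET_URL"
fi
```

Two caveats a practitioner should keep in mind. On an intercepted HTTPS connection the error page, and therefore this redirect, is still delivered inside the TLS session using the bumped certificate, so a client that does not trust the internal CA will see the certificate warning before it ever sees the redirect. And package reinstalls or upgrades can replace the files under the errors directory, so the edit needs to be reapplied (or re-checked) after each one; the `.orig` backup makes that easy to diff.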