[SOLVED] squid3-dev (3.3.10 pkg 2.2) + Clamav Antivirus won't start
-
My system is 32 bit…
Differences in squid.conf when applying for transparent SSL mode:
diff squid.conf_transparent.txt squid.conf_transparent_ssl.txt 4,5c4,6 < http_port 192.168.1.1:3128 < http_port 127.0.0.1:3128 intercept --- > http_port 192.168.1.1:3128 > http_port 127.0.0.1:3128 intercept > https_port 127.0.0.1:3129 intercept 87a89,90 > always_direct allow all > ssl_bump server-first all
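Review bot: the `https_port 127.0.0.1:3129 intercept` line added in the 4,5c4,6 hunk carries no `ssl-bump` flag and no `cert=` option, so Squid has no certificate to present on that listener and the `ssl_bump server-first all` rule added at 87a89,90 has nothing to act on; an intercepting https_port needs `ssl-bump` together with a `cert=` signing certificate (and `generate-host-certificates=on`) before bumping can work.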
-
Working, but…
Must I create my own CA?
Can I use an "official" CA or not?
diff squid.conf_transparent_ssl.txt squid.conf_transparent_ssl_myself.txt 4,6c4,9 < http_port 192.168.1.1:3128 < http_port 127.0.0.1:3128 intercept < https_port 127.0.0.1:3129 intercept --- > http_port 192.168.1.1:3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=10MB cert=/usr/pbi/squid-i386/etc/squid/serverkey.pem capath=/usr/pbi/squid-i386/share/certs/ > > http_port 127.0.0.1:3128 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=10MB cert=/usr/pbi/squid-i386/etc/squid/serverkey.pem capath=/usr/pbi/squid-i386/share/certs/ > > https_port 127.0.0.1:3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=10MB cert=/usr/pbi/squid-i386/etc/squid/serverkey.pem capath=/usr/pbi/squid-i386/share/certs/ > 18a22,25 > sslcrtd_program /usr/pbi/squid-i386/libexec/squid/ssl_crtd -s /var/squid/lib/ssl_db -M 4MB -b 2048 > sslcrtd_children 5 > sslproxy_capath /usr/pbi/squid-i386/share/certs/ > sslproxy_cert_adapt setCommonName all
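Review bot: once `generate-host-certificates=on` is set, the key behind `cert=/usr/pbi/squid-i386/etc/squid/serverkey.pem` signs a certificate for every bumped host, so it is a CA key and should be readable only by the Squid user; also, the `-s /var/squid/lib/ssl_db` directory given to `sslcrtd_program` must be initialised (`ssl_crtd -c -s /var/squid/lib/ssl_db`) and owned by that user before Squid starts, otherwise the five `ssl_crtd` helpers exit immediately and Squid refuses to come up, which matches the "won't start" symptom in the title.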
I would like not to do this:
Install the CA crt as a trusted CA on each computer you want to filter SSL for, to avoid SSL errors on each connection.
Could be, in fact, impossible. A lot of BYOD (http://en.wikipedia.org/wiki/Bring_your_own_device)…
-
Yes, you must create your own CA! I think it is not possible to use an "official" CA, because you are using a Man-in-the-Middle attack to fetch and control HTTPS traffic.
Of course every HTTPS filter will use a MITM attack, so the client must have a trusted wildcard cert of the controlling unit. A solution can be to have a non-transparent SSL proxy, and only devices that are under your control are forced to use the proxy.
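The last reply's suggestion, decrypting only devices under your control, can also be expressed inside the transparent setup from this thread rather than by switching to a non-transparent proxy. The fragment below is an added example, not configuration posted by anyone in the thread; the `managed` address range is a constructed placeholder, and it assumes the `http_port`/`https_port`, `sslcrtd_program` and `sslproxy_*` lines from the second diff stay as they are.

```conf
# Added example (not from the thread): keep the port, sslcrtd_program and
# sslproxy_* lines from the diff above, and replace the single
# "ssl_bump server-first all" rule with a scoped rule set.

# Constructed placeholder: devices under the administrator's control,
# i.e. the only ones that have the proxy's CA certificate installed.
acl managed src 192.168.1.10-192.168.1.50

# Squid 3.3 ssl_bump actions are none | client-first | server-first.
# Rules are evaluated top to bottom; the first match wins.

# Managed devices: terminate TLS, filter, re-encrypt with a generated cert.
ssl_bump server-first managed

# Everything else (BYOD): pass the TLS session through untouched, so those
# clients see the origin server's own certificate and get no warning.
ssl_bump none all

# Both bumped and tunnelled connections go straight to the origin server.
always_direct allow all
```

Unmanaged clients are then never shown a certificate signed by the proxy CA, so the CA only needs to be distributed to the hosts listed in `managed`.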