Netgate Discussion Forum

    [SOLVED] squid3-dev (3.3.10 pkg 2.2) + Clamav Antivirus won't start

    Problems Installing or Upgrading pfSense Software
    23 Posts 6 Posters 43.2k Views
    • bellera

      My system is 32 bit…

      Differences in squid.conf when applying transparent SSL mode:

      diff squid.conf_transparent.txt squid.conf_transparent_ssl.txt 
      4,5c4,6
      < http_port 192.168.1.1:3128
      < http_port 127.0.0.1:3128 intercept
      ---
      > http_port 192.168.1.1:3128 
      > http_port 127.0.0.1:3128 intercept 
      > https_port 127.0.0.1:3129 intercept 
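      Review bot: the new `https_port 127.0.0.1:3129 intercept` line carries neither the `ssl-bump` flag nor a `cert=` option; Squid will not bring up an https_port without a signing certificate, and the `ssl_bump` rule added in the next hunk is only consulted on ports that have `ssl-bump` set. Add `ssl-bump cert=<PEM with CA cert and key>` to this port line (the second post in the thread does exactly that).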
      87a89,90
      > always_direct allow all
      > ssl_bump server-first all
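      Review bot: `ssl_bump server-first all` bumps every intercepted TLS session with no exemption; put an `ssl_bump none <acl>` line in front of it for destinations that must not be intercepted (banking sites, applications that pin their certificates), because those will fail outright rather than accept the generated certificate. `always_direct allow all` only forces bumped requests to go to the origin directly instead of through any cache_peer.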
      
      • bellera

        Working, but…

        Must I create my own CA?

        Can I use an "official" CA or not?

        diff squid.conf_transparent_ssl.txt squid.conf_transparent_ssl_myself.txt 
        4,6c4,9
        < http_port 192.168.1.1:3128 
        < http_port 127.0.0.1:3128 intercept 
        < https_port 127.0.0.1:3129 intercept 
        ---
        > http_port 192.168.1.1:3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=10MB cert=/usr/pbi/squid-i386/etc/squid/serverkey.pem capath=/usr/pbi/squid-i386/share/certs/
        > 
        > http_port 127.0.0.1:3128 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=10MB cert=/usr/pbi/squid-i386/etc/squid/serverkey.pem capath=/usr/pbi/squid-i386/share/certs/
        > 
        > https_port 127.0.0.1:3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=10MB cert=/usr/pbi/squid-i386/etc/squid/serverkey.pem capath=/usr/pbi/squid-i386/share/certs/
        > 
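        Review bot: `cert=/usr/pbi/squid-i386/etc/squid/serverkey.pem` on all three ports must be a PEM file holding both the signing CA certificate and its private key (or add a `key=` option pointing at the key), and that CA certificate is exactly what every client has to trust. `capath=` on a listening port only names CAs used to verify client certificates; it plays no part in bumping, so it can be dropped unless client certificates are in use.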
        18a22,25
        > sslcrtd_program /usr/pbi/squid-i386/libexec/squid/ssl_crtd -s /var/squid/lib/ssl_db -M 4MB -b 2048
        > sslcrtd_children 5
        > sslproxy_capath /usr/pbi/squid-i386/share/certs/
        > sslproxy_cert_adapt setCommonName all
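        Review bot: the directory given to `ssl_crtd` with `-s /var/squid/lib/ssl_db` has to exist and be initialized before Squid starts (`ssl_crtd -c -s /var/squid/lib/ssl_db`, then owned by the user Squid runs as); otherwise the helpers exit at startup and Squid refuses to start. `sslproxy_capath` is the store Squid uses to validate the origin server's certificate when bumping server-first, so it must point at a real root CA bundle, not at the interception CA. `sslproxy_cert_adapt setCommonName all` copies each origin's CN onto the generated certificate.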
        

        I would like not to do this:

        Install the CA crt as a trusted CA on each computer you want to filter SSL for, to avoid an SSL error on each connection.

        Could be, in fact, impossible. A lot of BYOD (http://en.wikipedia.org/wiki/Bring_your_own_device)…

        • Oliver_

          Yes, you must create your own CA! I think it is not possible to use an "official" CA, because you are using a man-in-the-middle attack to fetch and control HTTPS traffic.
          Of course every HTTPS filter will use a MITM attack, so the client must have a trusted wildcard cert of the controlling unit.

          A solution can be to have a non-transparent SSL proxy where only devices that are under your control are forced to use the proxy.

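          As an added example (not code from this thread or from the pfSense squid package), the following script shows the point made above: it builds a private interception CA in the combined key-and-certificate form Squid's `cert=` option expects, mints a per-host certificate the way `ssl_crtd` does for a bumped connection, and then checks that certificate the way a client would, once with the interception CA in the trust store and once with only an unrelated CA. It assumes `openssl` is on the path; the file names, the "Demo" CA names and the host www.example.com are constructed for the demo.

```shell
#!/bin/sh
# Added example: private interception CA for Squid ssl_bump, and why a
# client has to trust it. Not the pfSense package's own code; all file
# names, CA names and the host www.example.com are made up for the demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Self-signed CA: $1 = key file, $2 = certificate file, $3 = subject CN.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=$3" -keyout "$1" -out "$2" >/dev/null 2>&1
}

# Squid's cert= on http_port/https_port takes one PEM holding the signing
# CA certificate and its private key; concatenate them the way the
# thread's serverkey.pem is laid out.
make_squid_pem() {
    make_ca "$WORK/ca.key" "$WORK/ca.crt" "Demo Squid Interception CA"
    cat "$WORK/ca.key" "$WORK/ca.crt" > "$WORK/serverkey.pem"
}

# What ssl_crtd does per origin host: issue a leaf for that name, signed
# by the interception CA. A subjectAltName is added so that hostname
# verification by the client passes.
mint_host_cert() {
    host="$1"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$host" \
        -keyout "$WORK/$host.key" -out "$WORK/$host.csr" >/dev/null 2>&1
    printf 'subjectAltName=DNS:%s\n' "$host" > "$WORK/$host.ext"
    openssl x509 -req -in "$WORK/$host.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -days 30 -extfile "$WORK/$host.ext" \
        -out "$WORK/$host.crt" >/dev/null 2>&1
}

# Client-side check: does the minted certificate for host $1 chain to a CA
# in the trust file $2 and match the hostname? Exit 0 = accepted,
# non-zero = the client would show a TLS error.
client_accepts() {
    openssl verify -CAfile "$2" -verify_hostname "$1" \
        "$WORK/$1.crt" >/dev/null 2>&1
}

run_demo() {
    host=www.example.com
    make_squid_pem
    mint_host_cert "$host"
    # A trust store holding only an unrelated CA stands in for a BYOD
    # client that carries the public roots but not our interception CA.
    make_ca "$WORK/public.key" "$WORK/public.crt" "Demo Unrelated Public CA"

    if client_accepts "$host" "$WORK/ca.crt"; then ours=accepted; else ours=rejected; fi
    if client_accepts "$host" "$WORK/public.crt"; then theirs=accepted; else theirs=rejected; fi
    echo "client trusting our CA:      $ours"
    echo "client with only another CA: $theirs"
}

run_demo
```

          The second check fails for the same reason an "official" CA cannot be used: a public CA will not hand out its signing key, and a certificate minted by a key the client does not trust is rejected no matter whose name is in it. On the pfSense box itself, after dropping the combined PEM into the `cert=` path, the certificate database named by `ssl_crtd -s /var/squid/lib/ssl_db` still has to be created with `ssl_crtd -c -s /var/squid/lib/ssl_db` and made writable by the user Squid runs as before Squid will start.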
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.