Squid3-dev 3.3.10 pkg 2.2.1 & transparent ssl



  • I can't seem to get the SSL filter working.  I've installed the package, set up an internal CA, think I have everything set correctly but I keep getting certificate errors.

    Am I missing a step?  Does squidGuard have to be installed as well for this to work?  I figured I'd test the proxy first.



  • Forgot to add… I also installed the CA on the local machine.



  • Test squid first, then squidguard

    A great way to test squid is squid -v or squid -k parse on console.



  • I still get an untrusted connection even though I've installed the firewall as a CA.

    squid -v
    Squid Cache: Version 3.3.10
    configure options:  '--with-default-user=squid' '--bindir=/usr/pbi/squid-i386/sbin' '--sbindir=/usr/pbi/squid-i386/sbin' '--datadir=/usr/pbi/squid-i386/etc/squid' '--libexecdir=/usr/pbi/squid-i386/libexec/squid' '--localstatedir=/var' '--sysconfdir=/usr/pbi/squid-i386/etc/squid' '--with-logdir=/var/log/squid' '--with-pidfile=/var/run/squid/squid.pid' '--with-swapdir=/var/squid/cache/squid' '--enable-auth' '--enable-build-info' '--enable-loadable-modules' '--enable-removal-policies=lru heap' '--disable-epoll' '--disable-linux-netfilter' '--disable-linux-tproxy' '--disable-translation' '--enable-auth-basic=DB MSNT MSNT-multi-domain NCSA PAM POP3 RADIUS  fake getpwnam LDAP NIS' '--enable-auth-digest=file' '--enable-external-acl-helpers=file_userip time_quota unix_group LDAP_group' '--enable-auth-negotiate=kerberos wrapper' '--enable-auth-ntlm=fake smb_lm' '--enable-storeio=diskd rock ufs aufs' '--enable-disk-io=AIO Blocking DiskDaemon IpcIo Mmapped DiskThreads' '--enable-log-daemon-helpers=file' '--enable-url-rewrite-helpers=fake' '--enable-delay-pools' '--enable-ssl' '--with-openssl=/usr' '--enable-ssl-crtd' '--enable-icmp' '--enable-htcp' '--disable-forw-via-db' '--enable-cache-digests' '--enable-wccp' '--enable-wccpv2' '--enable-eui' '--disable-ipfw-transparent' '--enable-pf-transparent' '--disable-ipf-transparent' '--enable-follow-x-forwarded-for' '--disable-ecap' '--enable-icap-client' '--disable-esi' '--enable-kqueue' '--with-large-files' '--prefix=/usr/pbi/squid-i386' '--mandir=/usr/pbi/squid-i386/man' '--infodir=/usr/pbi/squid-i386/info/' '--build=i386-portbld-freebsd8.3' 'build_alias=i386-portbld-freebsd8.3' 'CC=cc' 'CFLAGS=-O2 -pipe -I/usr/pbi/squid-i386/include -I/usr/include -DLDAP_DEPRECATED -fno-strict-aliasing' 'LDFLAGS= -L/usr/pbi/squid-i386/lib -pthread -Wl,-rpath=/usr/lib:/usr/pbi/squid-i386/lib -L/usr/lib' 'CPPFLAGS=' 'CXX=c++' 'CXXFLAGS=-O2 -pipe -I/usr/pbi/squid-i386/include -I/usr/include -DLDAP_DEPRECATED -fno-strict-aliasing' 'CPP=cpp' --enable-ltdl-convenience
    
    
    squid -k parse
    2014/03/21 09:11:21| Startup: Initializing Authentication Schemes ...
    2014/03/21 09:11:21| Startup: Initialized Authentication Scheme 'basic'
    2014/03/21 09:11:21| Startup: Initialized Authentication Scheme 'digest'
    2014/03/21 09:11:21| Startup: Initialized Authentication Scheme 'negotiate'
    2014/03/21 09:11:21| Startup: Initialized Authentication Scheme 'ntlm'
    2014/03/21 09:11:21| Startup: Initialized Authentication.
    2014/03/21 09:11:21| Processing Configuration File: /usr/pbi/squid-i386/etc/squid/squid.conf (depth 0)
    2014/03/21 09:11:21| Processing: http_port 192.168.1.254:3128
    2014/03/21 09:11:21| Processing: http_port 127.0.0.1:3128 intercept
    2014/03/21 09:11:21| Starting Authentication on port 127.0.0.1:3128
    2014/03/21 09:11:21| Disabling Authentication on port 127.0.0.1:3128 (interception enabled)
    2014/03/21 09:11:21| Disabling IPv6 on port 127.0.0.1:3128 (interception enabled)
    2014/03/21 09:11:21| Processing: icp_port 7
    2014/03/21 09:11:21| Processing: dns_v4_first on
    2014/03/21 09:11:21| Processing: pid_filename /var/run/squid.pid
    2014/03/21 09:11:21| Processing: cache_effective_user proxy
    2014/03/21 09:11:21| Processing: cache_effective_group proxy
    2014/03/21 09:11:21| Processing: error_default_language en
    2014/03/21 09:11:21| Processing: icon_directory /usr/pbi/squid-i386/etc/squid/icons
    2014/03/21 09:11:21| Processing: visible_hostname pfsense
    2014/03/21 09:11:21| Processing: cache_mgr admin@localhost
    2014/03/21 09:11:21| Processing: access_log /var/squid/logs/access.log
    2014/03/21 09:11:21| Processing: cache_log /var/squid/logs/cache.log
    2014/03/21 09:11:21| Processing: cache_store_log none
    2014/03/21 09:11:21| Processing: logfile_rotate 0
    2014/03/21 09:11:21| Processing: shutdown_lifetime 3 seconds
    2014/03/21 09:11:21| Processing: acl localnet src  192.168.1.0/24
    2014/03/21 09:11:21| Processing: uri_whitespace strip
    2014/03/21 09:11:21| Processing: acl dynamic urlpath_regex cgi-bin \?
    2014/03/21 09:11:21| Processing: cache deny dynamic
    2014/03/21 09:11:21| Processing: cache_mem 8 MB
    2014/03/21 09:11:21| Processing: maximum_object_size_in_memory 32 KB
    2014/03/21 09:11:21| Processing: memory_replacement_policy heap GDSF
    2014/03/21 09:11:21| Processing: cache_replacement_policy heap LFUDA
    2014/03/21 09:11:21| Processing: minimum_object_size 0 KB
    2014/03/21 09:11:21| Processing: maximum_object_size 10 KB
    2014/03/21 09:11:21| Processing: offline_mode off
    2014/03/21 09:11:21| Processing: cache allow all
    2014/03/21 09:11:21| Processing: acl allsrc src all
    2014/03/21 09:11:21| Processing: acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901  3128 3127 1025-65535
    2014/03/21 09:11:21| Processing: acl sslports port 443 563
    2014/03/21 09:11:21| Processing: acl purge method PURGE
    2014/03/21 09:11:21| Processing: acl connect method CONNECT
    2014/03/21 09:11:21| Processing: acl HTTP proto HTTP
    2014/03/21 09:11:21| Processing: acl HTTPS proto HTTPS
    2014/03/21 09:11:21| Processing: http_access allow manager localhost
    2014/03/21 09:11:21| Processing: http_access deny manager
    2014/03/21 09:11:21| Processing: http_access allow purge localhost
    2014/03/21 09:11:21| Processing: http_access deny purge
    2014/03/21 09:11:21| Processing: http_access deny !safeports
    2014/03/21 09:11:21| Processing: http_access deny CONNECT !sslports
    2014/03/21 09:11:21| Processing: request_body_max_size 0 KB
    2014/03/21 09:11:21| Processing: delay_pools 1
    2014/03/21 09:11:21| Processing: delay_class 1 2
    2014/03/21 09:11:21| Processing: delay_parameters 1 -1/-1 -1/-1
    2014/03/21 09:11:21| Processing: delay_initial_bucket_level 100
    2014/03/21 09:11:21| Processing: delay_access 1 allow allsrc
    2014/03/21 09:11:21| Processing: http_access allow localnet
    2014/03/21 09:11:21| Processing: http_access deny allsrc
    2014/03/21 09:11:21| Initializing https proxy context
    
    
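The `squid -k parse` dump above is the most useful artefact in this thread, because it shows the port and `http_access` lines exactly as Squid evaluated them. Squid evaluates `http_access` top to bottom and stops at the first match, and in Squid 3.3 a port only intercepts TLS (and so only ever presents a certificate from the internal CA) when it carries `ssl-bump`. The script below is an added example, not code from the thread or from the pfSense squid3-dev package: it parses the `Processing:` lines, reports whether any port bumps TLS, checks that the `!safeports` and `CONNECT !sslports` denies sit above the first broad allow, and checks that the list ends in a catch-all deny. `THREAD_CONFIG` is the relevant excerpt of the dump pasted above; `BROKEN_CONFIG` is a constructed, hypothetical counter-example (the `https_port ... ssl-bump cert=` line and its path are assumed) to show the checks firing.

```python
"""Sanity-check the port and access rules from a `squid -k parse` dump.

Squid evaluates http_access rules top to bottom and stops at the first match,
so a broad allow placed above the port restrictions silently disables them.
"""
import re

# Constructed sample: the http_port / acl / http_access lines from the
# `squid -k parse` output posted in the thread, in Squid's processing order.
THREAD_CONFIG = """\
2014/03/21 09:11:21| Processing: http_port 192.168.1.254:3128
2014/03/21 09:11:21| Processing: http_port 127.0.0.1:3128 intercept
2014/03/21 09:11:21| Processing: acl localnet src  192.168.1.0/24
2014/03/21 09:11:21| Processing: acl allsrc src all
2014/03/21 09:11:21| Processing: acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901  3128 3127 1025-65535
2014/03/21 09:11:21| Processing: acl sslports port 443 563
2014/03/21 09:11:21| Processing: http_access allow manager localhost
2014/03/21 09:11:21| Processing: http_access deny manager
2014/03/21 09:11:21| Processing: http_access allow purge localhost
2014/03/21 09:11:21| Processing: http_access deny purge
2014/03/21 09:11:21| Processing: http_access deny !safeports
2014/03/21 09:11:21| Processing: http_access deny CONNECT !sslports
2014/03/21 09:11:21| Processing: http_access allow localnet
2014/03/21 09:11:21| Processing: http_access deny allsrc
"""

# Constructed counter-example (hypothetical, not from the thread): an
# intercepting https_port with ssl-bump, but the LAN allow rule moved above
# the port restrictions and the final catch-all deny left out.
BROKEN_CONFIG = """\
2014/03/21 09:11:21| Processing: http_port 192.168.1.254:3128
2014/03/21 09:11:21| Processing: https_port 127.0.0.1:3129 intercept ssl-bump cert=/usr/pbi/squid-i386/etc/squid/ca.pem
2014/03/21 09:11:21| Processing: acl localnet src 192.168.1.0/24
2014/03/21 09:11:21| Processing: acl safeports port 80 443
2014/03/21 09:11:21| Processing: acl sslports port 443
2014/03/21 09:11:21| Processing: http_access allow localnet
2014/03/21 09:11:21| Processing: http_access deny !safeports
2014/03/21 09:11:21| Processing: http_access deny CONNECT !sslports
"""

PROCESSING_RE = re.compile(r"\| Processing: (\S+)\s*(.*)$")


def parse_directives(text):
    """Return [(directive, [args...])] for every 'Processing:' line, in order."""
    directives = []
    for line in text.splitlines():
        m = PROCESSING_RE.search(line)
        if m:
            directives.append((m.group(1), m.group(2).split()))
    return directives


def lint(text):
    """Return a list of findings (an empty list means nothing to flag)."""
    directives = parse_directives(text)
    findings = []

    # 1. Without ssl-bump on a port, HTTPS is only tunnelled, never inspected,
    #    so the proxy never presents a certificate from the internal CA.
    ports = [args for name, args in directives if name in ("http_port", "https_port")]
    if not any("ssl-bump" in args for args in ports):
        findings.append("no http_port/https_port carries ssl-bump: HTTPS passes through untouched")

    # ACL names that match every client: the built-in 'all' plus any 'src all' alias.
    catch_all = {"all"} | {args[0] for name, args in directives
                           if name == "acl" and len(args) >= 3 and args[1] == "src" and args[2] == "all"}

    access = [args for name, args in directives if name == "http_access"]
    if not access:
        findings.append("no http_access rules found")
        return findings

    # 2. First-match semantics: an allow that is not restricted to localhost
    #    shadows every rule below it for the clients it matches.
    first_allow = next((i for i, a in enumerate(access)
                        if a[0] == "allow" and "localhost" not in a[1:]), None)
    for rule in (["deny", "!safeports"], ["deny", "CONNECT", "!sslports"]):
        if rule not in access:
            findings.append("missing rule: http_access " + " ".join(rule))
        elif first_allow is not None and access.index(rule) > first_allow:
            findings.append("http_access %s is below 'allow %s' and is never reached by those clients"
                            % (" ".join(rule), " ".join(access[first_allow][1:])))

    # 3. The list should end with an explicit deny for everyone else.
    last = access[-1]
    if not (last[0] == "deny" and len(last) == 2 and last[1] in catch_all):
        findings.append("last http_access rule is not a catch-all deny: " + " ".join(last))
    return findings


if __name__ == "__main__":
    for label, cfg in (("thread config", THREAD_CONFIG), ("broken config", BROKEN_CONFIG)):
        print(label + ":")
        for finding in lint(cfg) or ["ok"]:
            print("  - " + finding)
```

Run against the lines pasted above, the only finding is that neither `http_port` carries `ssl-bump`; the rule ordering and the closing `deny allsrc` are as they should be. Against the constructed `BROKEN_CONFIG` it reports both shadowed denies and the missing catch-all. To check a live box the same way, feed it `squid -k parse 2>&1` from the pfSense console rather than the GUI's view of the settings, since the dump is what Squid actually loaded.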




  • Try unselecting the option "Certificate adapt".

    I'm implementing squid3-devel. I have a test installation without this option.



  • @bellera:

    Try unselecting the option "Certificate adapt".

    I'm implementing squid3-devel. I have a test installation without this option.

    Bam, that did it.  Thank you.



  • Ok, but now it seems that the error pages are all coming up as HTTPS and the IP of my FW.

    How do I make the error pages show up as HTTP, or use the FQDN of the firewall, which is secured with a legitimate SSL cert?



  • I looked at squid.conf and it's using only the error_default_language directive.

    I found only one other squid directive for error pages:

    http://www.squid-cache.org/Doc/config/error_directory/

    But it doesn't help to solve the problem you described.

    I think the only solution is to modify the files at /usr/local/etc/squid/errors/en/ (en, if you use English) and put redirect code to an alternative URL. Example:

    This will show http://www.yourdomain.tld/access_denied.html to the user.

