Squid3 ssl with public CA



  • Hi

    I tested HTTPS Squid filtering with a self-signed CA and it's OK.

    But that way I need to install "mycert" on all clients.

    When I try an external CA (like StartSSL) then it stops working.

    Can someone guide me on the right way?

    Thanks.





  • If you are using Windows clients in an Active Directory, you could create a Group Policy and push your own CA certificate to the clients.

    I think WPAD isn't what you need.

    Edit:

    What do you mean by "then stop working": is Squid crashing? If yes, please increase the debug level and look at what is displayed in debug.log.

    I think if you would like to use an external CA to generate the certs, you need the private key from that CA too.
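    The point made above, that an external CA's certificate is useless for SSL bump unless you also hold that CA's private key, shown with openssl as an added example (this is not code from the thread, from pfSense or from Squid). It plays both sides: a local CA whose key the proxy holds, as the pfSense self-signed CA does, and a "public" CA that issues the admin a leaf certificate and keeps its own key, as a real CA would. The working directory, file names and CNs are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread, pfSense or Squid. Demonstrates with
# openssl why ssl-bump works with a local CA but not with a certificate bought
# from a public CA: Squid must sign a fresh certificate for every site it
# bumps, which needs a CA certificate (CA:TRUE) plus its private key. A public
# CA never hands out that key, and the leaf certificate it does issue is not
# allowed to sign anything. All names and paths below are assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CNF="$WORK/openssl.cnf"

# Minimal OpenSSL config so the result does not depend on the system openssl.cnf.
cat > "$CNF" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[v3_leaf]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF

# new_ca NAME CN: self-signed CA certificate and key (NAME.pem / NAME.key).
new_ca() {
  openssl req -x509 -config "$CNF" -extensions v3_ca -newkey rsa:2048 -nodes \
    -sha256 -days 365 -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# sign_leaf ISSUER NAME CN: certificate for CN signed with ISSUER's key.
# This is what Squid's ssl_crtd does once per bumped site.
sign_leaf() {
  openssl req -new -config "$CNF" -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null &&
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$CNF" -extensions v3_leaf \
    -out "$WORK/$2.pem" 2>/dev/null
}

# chain_ok ROOT INTERMEDIATE LEAF: would a client that trusts ROOT accept LEAF?
chain_ok() {
  if [ -n "$2" ]; then
    openssl verify -CAfile "$WORK/$1.pem" -untrusted "$WORK/$2.pem" "$WORK/$3.pem" >/dev/null 2>&1
  else
    openssl verify -CAfile "$WORK/$1.pem" "$WORK/$3.pem" >/dev/null 2>&1
  fi
}

# Case 1: a self-signed CA installed on every client (the poster's working
# setup). The proxy holds its key, mints www.example.com, the client accepts.
local_ca_case() {
  new_ca localca "Local Squid CA" || return 1
  sign_leaf localca site1 "www.example.com" || return 1
  chain_ok localca "" site1
}

# Case 2: a certificate from a public CA. We play the public CA, issue
# proxy.example.org to the admin, and never touch the CA key again, because
# in reality the admin never had it. Using that leaf as the ssl-bump signer
# gives a chain no client accepts, even though the root is trusted.
# Returns 0 only if a client would accept the bumped certificate.
public_ca_case() {
  new_ca publicroot "Public Root CA" || return 1
  sign_leaf publicroot proxyleaf "proxy.example.org" || return 1
  # Either openssl refuses to sign with a non-CA, or verification fails.
  sign_leaf proxyleaf site2 "www.example.com" || return 1
  chain_ok publicroot proxyleaf site2
}

# Stand-alone run.
local_ca_case  && echo "local CA: client accepts the bumped certificate" || echo "local CA: rejected"
public_ca_case && echo "public CA leaf as signer: accepted (unexpected)" || echo "public CA leaf as signer: rejected by the client"
```

    The second case is the best case for a public CA, since the issuing root is already in every client's trust store and we even pretend the admin could attempt to sign with the leaf; it still fails because the leaf is CA:FALSE and lacks keyCertSign. The only way to get an accepted chain is a CA whose key the proxy holds, which is exactly the certificate you then have to distribute to the clients.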



  • I think WPAD isn't what you need.

    I disagree.  WPAD works in all environments with most clients.  Installing client certs is bullshit, and you can't just assume that he's running AD.



  • Hi,

    I tried WPAD, but it doesn't work on mobiles.

    Also, if I set up the proxy or certificates via GPO, it doesn't affect mobiles and customers that come on premises and need access to the Internet.

    I tried that: http://www.itnotes.eu/?p=3218

    But Squid doesn't start, and I found this in the logs:

    php-fpm[66398]: /pkg_edit.php: The command '/usr/pbi/squid-amd64/sbin/squid -k reconfigure -f /usr/pbi/squid-amd64/local/etc/squid/squid.conf' returned exit code '1', the output was '2015/08/14 10:50:08| FATAL: tproxy/intercept on https_port requires ssl-bump which is missing. FATAL: Bungled /usr/pbi/squid-amd64/local/etc/squid/squid.conf line 6: https_port 127.0.0.1:3129 intercept Squid Cache (Version 3.4.10): Terminated abnormally. CPU Usage: 0.011 seconds = 0.011 user + 0.000 sys Maximum Resident Size: 42752 KB Page faults with physical i/o: 0'

    What is the correct way to use a public CA on pfSense + Squid?

    Thanks.
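    An added example, not from the thread, pfSense or the Squid project: a small shell lint that flags what the FATAL in the log above complains about (an intercepting https_port without ssl-bump), run over a constructed squid.conf containing the poster's line and over a corrected version. The corrected https_port line shows the options an intercepting HTTPS port needs in Squid 3.4: ssl-bump, cert= and key= pointing at a CA certificate and private key that Squid can sign with, and on-the-fly host certificates, plus the ssl_crtd helper and an ssl_bump rule. The certificate, helper and database paths are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread, pfSense or Squid. Re-creates the
# check behind the FATAL above ("intercept on https_port requires ssl-bump")
# as a lint over squid.conf, and shows the shape of a line that passes.
# Both config files are constructed here; all paths are assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# The poster's configuration, as quoted in the log: intercept, no ssl-bump.
cat > "$WORK/broken.conf" <<'EOF'
http_port 127.0.0.1:3128
http_port 127.0.0.1:3127 intercept
https_port 127.0.0.1:3129 intercept
EOF

# An intercepting https_port in Squid 3.4 needs ssl-bump, a CA certificate
# *with its private key* that Squid signs the per-site certificates with (on
# pfSense that is the pfSense-generated CA, which is why the self-signed CA
# works and a public CA's certificate, which comes with no CA key, does not),
# the on-the-fly certificate options, the ssl_crtd helper and an ssl_bump rule.
cat > "$WORK/fixed.conf" <<'EOF'
http_port 127.0.0.1:3128
http_port 127.0.0.1:3127 intercept
https_port 127.0.0.1:3129 intercept ssl-bump generate-host-certificates=on \
  dynamic_cert_mem_cache_size=4MB \
  cert=/usr/pbi/squid-amd64/local/etc/squid/bump-ca.crt \
  key=/usr/pbi/squid-amd64/local/etc/squid/bump-ca.key
sslcrtd_program /usr/pbi/squid-amd64/local/libexec/squid/ssl_crtd -s /var/squid/lib/ssl_db -M 4MB
ssl_bump server-first all
EOF

# check_https_ports FILE: returns 1 if any https_port line uses intercept or
# tproxy without ssl-bump (Squid refuses to start, as in the log) or names no
# cert= to sign with. Backslash-continued lines are joined first.
check_https_ports() {
  rc=0
  buf=""
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in
      *\\) buf="$buf${line%\\}"; continue ;;
    esac
    line="$buf$line"
    buf=""
    case "$line" in
      https_port*intercept*|https_port*tproxy*)
        case "$line" in
          *ssl-bump*) ;;
          *) printf 'missing ssl-bump: %s\n' "$line" >&2; rc=1 ;;
        esac
        case "$line" in
          *cert=*) ;;
          *) printf 'missing cert=: %s\n' "$line" >&2; rc=1 ;;
        esac
        ;;
    esac
  done < "$1"
  return "$rc"
}

# Stand-alone run: the first call fails the way Squid did, the second passes.
check_https_ports "$WORK/broken.conf" || echo "broken.conf: Squid would not start"
check_https_ports "$WORK/fixed.conf" && echo "fixed.conf: https_port lines pass"
```

    Run it as `sh check_https_ports.sh`; point `check_https_ports` at a real squid.conf to test the lint on your own configuration. The lint does not replace `squid -k parse`, which is the authoritative check before a reconfigure, but it isolates the one option the log says was missing.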



  • but it doesn't work on mobiles.

    Works fine on iPhone and WinPhone, but not Android, and you can blame Google for not supporting an auto-detect standard that's been around for at least a decade now.  You can always go to your Advanced Options on your phone and manually set the proxy address.

    I suspect your squid install is trashed beyond repair.  I would remove it all and then reinstall everything.

    What is the correct way to use a public CA on pfSense + Squid?

    The correct way is to either use WPAD or AD policy, depending on your scenario.  However, it isn't perfect and there will always be cases where someone needs to manually configure it.



  • @KOM:

    I suspect your squid install is trashed beyond repair.  I would remove it all and then reinstall everything.

    It's not the case; if I change to the pfSense self-signed CA it works again.



  • Hi, I have exactly the same problem. How do I fix it?