Re: [squid-users] ssl bump intermediate certificate
Hello,

Matus, I also found the document. It should be sending the chain, but is not. When I specify cafile option it responds I should use tls-cafile. But in either case it is not sending.

Walter, if squid has such requirement, then it is unfinished. Every other proxy is able to run its CA as an intermediate and clients install only root CA. The proxy should be responsible to hold the chain. The url Matus sent is the correct way how to do it, but it is not working. At least not in 4.8 version.

Marek

2019-10-30 10:42 GMT+01:00, Matus UHLAR - fantomas:
>>On 30.10.2019 05:59, Marek Greško wrote:
>>>I am trying to configure ssl bumping on squid 4.8 but my browser is
>>>not able to validate the certificate due to intermediate certificate
>>>missing. How could I convince squid to send it?
>
> On 30.10.19 10:11, Walter H. wrote:
>>the ssl-bump certificate is either a root certificate itself which must
>>be installed on the clients or an intermediate, where
>>the root and all intermediates between must be installed on the clients
>
> do you mean that squid won't send intermediate certificate?
>
> this should be:
>
> https://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpWithIntermediateCA

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
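The question in this thread comes down to what a client that trusts only the root CA can validate. As an added illustration (not part of the original messages and not Squid configuration), this script builds a constructed root, intermediate and leaf with the openssl CLI and verifies the leaf with and without the intermediate supplied; all subject names and file names are made up, and OpenSSL 1.1.0 or later is assumed.

```sh
#!/bin/sh
# Constructed demo PKI: root -> intermediate (the bumping CA) -> leaf.
# All subject names and file names are made up for this example.

make_chain() {
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    # Root CA: the only certificate installed on the client.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Root CA" \
        -keyout "$d/root.key" -out "$d/root.csr" 2>/dev/null
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
        -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null
    # Intermediate CA: the certificate the proxy signs bumped sites with.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Bump Intermediate CA" \
        -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 2 -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null
    # Leaf: stands in for a certificate generated for a bumped site.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
        -CAcreateserial -days 2 -out "$d/leaf.pem" 2>/dev/null
}

# Client trusts only the root; the server sends only the leaf.
verify_leaf_only() {
    openssl verify -CAfile "$1/root.pem" "$1/leaf.pem" >/dev/null 2>&1
}

# Same client; -untrusted stands in for the intermediate sent in the handshake.
verify_with_chain() {
    openssl verify -CAfile "$1/root.pem" -untrusted "$1/int.pem" \
        "$1/leaf.pem" >/dev/null 2>&1
}

demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
make_chain "$demo_dir"
if verify_leaf_only "$demo_dir"; then r1=ok; else r1=fail; fi
if verify_with_chain "$demo_dir"; then r2=ok; else r2=fail; fi
echo "leaf only, root trusted:           $r1"
echo "leaf + intermediate, root trusted: $r2"
```

Against a live proxy, `openssl s_client -showcerts` (with `-proxy host:port` for an explicit proxy) lists the certificates actually sent in the handshake, which shows whether the intermediate is among them.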
Re: [squid-users] Unsuccessful at using Squid v4 with intercept
On Wednesday 30 October 2019 at 17:11:29, FOUTREL Sébastien wrote:

> Hello, I would like to use squid as a transparent proxy for my users.
> "Clients" are behind a Debian "Router" which MASQUERADE them (as they use
> RFC 1918 ips).
>
> I have a Squid 4.6 from Debian Buster packages installed on a "Proxy"
> server which is outside my network.
>
> I read a lot of tutorials and examples from squid site...

Did that include the links I've given below?

> I applied a DNAT to traffic coming from Clients thru Router to Proxy.
>
> iptables -tnat -A PREROUTING -i LAN_3500 -p tcp -m tcp --dport 80 -j DNAT
> --to-destination :3129

Have you put this rule onto the firewall you mention, or the Squid box itself?

https://wiki.squid-cache.org/SquidFaq/InterceptionProxy#Requirements_and_methods_for_Interception_Caching
states "NAT configuration will only work when used *on the squid box*."

So, you *must* put that rule on the Squid machine itself, not on the firewall.

It goes on to say "To intercept from a gateway machine and direct traffic at a separate squid box use policy routing." with a link to
https://wiki.squid-cache.org/ConfigExamples/Intercept/IptablesPolicyRoute

> HTTP is coming to squid successfully but squid logs show a request coming
> from proxy himself and a request coming from Router (as Clients are NATed
> by Router)

Ah, so you *are* doing the NAT on the router :)

Don't :)

> if I allow in squid.conf the Proxy IP, I end up with a Forward loop...
>
> I also tried the tproxy scenario with no success.

Well, give us some details of what you tried, how you configured it, what worked, and what didn't work, and we might be able to help, otherwise we can only say "well, tproxy does work if set up properly, so if yours doesn't work, it isn't set up properly", which isn't a very helpful answer...

Antony.

--
If at first you don't succeed, destroy all the evidence that you tried.

Please reply to the list; please *don't* CC me.
[squid-users] Unsuccessful at using Squid v4 with intercept
Hello,

I would like to use squid as a transparent proxy for my users.

My platform is pretty simple: "Clients" are behind a Debian "Router" which MASQUERADE them (as they use RFC 1918 ips).

I have a Squid 4.6 from Debian Buster packages installed on a "Proxy" server which is outside my network.

I read a lot of tutorials and examples from squid site...

I applied a DNAT to traffic coming from Clients thru Router to Proxy.

iptables -tnat -A PREROUTING -i LAN_3500 -p tcp -m tcp --dport 80 -j DNAT --to-destination :3129

HTTP is coming to squid successfully but squid logs show a request coming from proxy himself and a request coming from Router (as Clients are NATed by Router)

if I allow in squid.conf the Proxy IP, I end up with a Forward loop...

I also tried the tproxy scenario with no success.

I'd really like some help.

Thanks!
Re: [squid-users] ssl bump intermediate certificate
>On 30.10.2019 05:59, Marek Greško wrote:
>>I am trying to configure ssl bumping on squid 4.8 but my browser is
>>not able to validate the certificate due to intermediate certificate
>>missing. How could I convince squid to send it?

On 30.10.19 10:11, Walter H. wrote:
>the ssl-bump certificate is either a root certificate itself which must
>be installed on the clients or an intermediate, where
>the root and all intermediates between must be installed on the clients

do you mean that squid won't send intermediate certificate?

this should be:

https://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpWithIntermediateCA

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Honk if you love peace and quiet.
Re: [squid-users] ssl bump intermediate certificate
On 30.10.2019 05:59, Marek Greško wrote:
> Hello,
>
> I am trying to configure ssl bumping on squid 4.8 but my browser is
> not able to validate the certificate due to intermediate certificate
> missing. How could I convince squid to send it?
>
> Thanks
>
> Marek

the ssl-bump certificate is either a root certificate itself which must be installed on the clients or an intermediate, where the root and all intermediates between must be installed on the clients