http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit
http://i.imgur.com/A153C7A.png

19.07.2017 21:34, Cherukuri, Naresh wrote:
> Hi All,
>
> I installed Squid version 3.5.20 on RHEL 7 and generated self-signed CA certificates. My users are complaining about certificate errors. When I looked at cache.log I see so many error messages like below. Below is my squid.conf file. Any ideas how to address the errors below?
>
> Squid.conf:
>
> max_filedesc 4096
> visible_hostname pctysqd2prod
> logfile_rotate 10
>
> access_log stdio:/var/log/squid/access.log squid
>
> acl localnet src 172.16.0.0/16
> acl backoffice_users src 10.136.0.0/13
> acl hcity_backoffice_users src 10.142.0.0/15
> acl register_users src 10.128.0.0/13
> acl hcity_register_users src 10.134.0.0/15
> acl partycity url_regex partycity
>
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> #acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> #acl Safe_ports port 70 # gopher
> #acl Safe_ports port 210 # wais
> #acl Safe_ports port 1025-65535 # unregistered ports
> #acl Safe_ports port 280 # http-mgmt
> #acl Safe_ports port 488 # gss-http
> #acl Safe_ports port 591 # filemaker
> #acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
> #acl allowed_sites {dst|dstdomain|dstdom_regex|url_regex) "/path/to/file"
> acl backoffice_allowed_sites url_regex "/etc/squid/backoffice_allowed_sites"
> acl hcity_backoffice_allowed_sites url_regex "/etc/squid/backoffice_allowed_sites"
> acl backoffice_blocked_sites url_regex "/etc/squid/backoffice_blocklist"
> acl hcity_backoffice_blocked_sites url_regex "/etc/squid/backoffice_blocklist"
> acl register_allowed_sites url_regex "/etc/squid/register_allowed_sites"
> acl hcity_register_allowed_sites url_regex "/etc/squid/hcity_register_allowed_sites"
>
> http_access allow localnet register_allowed_sites
> http_access deny backoffice_users backoffice_blocked_sites
> http_access deny hcity_backoffice_users backoffice_blocked_sites
> http_access allow backoffice_users backoffice_allowed_sites
> http_access allow hcity_backoffice_users backoffice_allowed_sites
> http_access allow register_users register_allowed_sites
> http_access allow hcity_register_users hcity_register_allowed_sites
> no_cache deny partycity
> http_access deny all
>
> #http_access allow manager localhost
> #http_access deny manager
>
> # Deny requests to certain unsafe ports
> http_access deny !Safe_ports
>
> # Deny CONNECT to other than secure SSL ports
> #http_access deny CONNECT !SSL_ports
> http_access allow CONNECT SSL_ports
> # We strongly recommend the following be uncommented to protect innocent
> # web applications running on the proxy server who think the only
> # one who can access services on "localhost" is a local user
> http_access deny to_localhost
>
> # Example rule allowing access from your local networks.
> # Adapt localnet in the ACL section to list your (internal) IP networks
> # from where browsing should be allowed
> #http_access allow localnet
> http_access allow localhost
>
> # And finally deny all other access to this proxy
> http_access deny all
>
> # Squid normally listens to port 3128
> http_port 3128 ssl-bump \
>     key=/etc/squid/pctysquid2sslcerts/pctysquid2prod.pkey \
>     cert=/etc/squid/pctysquid2sslcerts/pctysquid2prod.crt \
>     generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
>
> acl step1 at_step SslBump1
> ssl_bump peek step1
> ssl_bump bump all
>
> sslproxy_cert_error allow all
> always_direct allow all
> sslproxy_flags DONT_VERIFY_PEER
>
> sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
> sslcrtd_children 8 startup=1 idle=1
>
> # Uncomment and adjust the following to add a disk cache directory.
> #cache_dir ufs /cache/squid 10000 16 256
>
> # Leave coredumps in the first cache dir
> #rdescoredump_dir /var/spool/squid
> coredump_dir /var/log/squid/squid
>
> # Add any of your own refresh_pattern entries above these.
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> refresh_pattern . 0 20% 4320
>
> #url_rewrite_access allow all
> #url_rewrite_program /usr/bin/squidGuard -c /etc/squid/squidguard.conf
>
> Cache.log
>
> 2017/07/18 16:05:34 kid1| Error negotiating SSL connection on FD 689: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown (1/0)
> 2017/07/18 16:05:34 kid1| Error negotiating SSL connection on FD 1114: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown (1/0)
> 2017/07/18 16:05:37 kid1| Error negotiating SSL connection on FD 146: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown (1/0)
> 2017/07/18 16:05:41 kid1| Error negotiating SSL connection on FD 252: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown (1/0)
> 2017/07/18 16:05:41 kid1| Error negotiating SSL connection on FD 36: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown (1/0)
>
> _______________________________________________
> squid-users mailing list
> squid-users@lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
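As an added example, not part of this thread and not a Squid tool: a small Python script that parses cache.log lines like the ones quoted above, counts the OpenSSL reason strings, and separates alerts that were received from the peer (raised from the `SSL3_READ_BYTES` read path) from local handshake failures. On an `http_port ... ssl-bump` listener the peer that sends the alert is the browser, so a steady run of "certificate unknown" or "unknown ca" alerts is the clients rejecting the generated certificates, which points at the signing CA not being in their trust stores rather than at the proxy's upstream connections. The sample log reuses the five lines from the post plus two lines constructed for this example; the alert-to-cause table and all function names are this example's own assumptions.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Optional

# Constructed sample: the first five lines are the ones quoted in the post,
# the "unknown ca" line and the helper line are made up for this example.
SAMPLE_LOG = """\
2017/07/18 16:05:34 kid1| Error negotiating SSL connection on FD 689: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown (1/0)
2017/07/18 16:05:34 kid1| Error negotiating SSL connection on FD 1114: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown (1/0)
2017/07/18 16:05:37 kid1| Error negotiating SSL connection on FD 146: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown (1/0)
2017/07/18 16:05:41 kid1| Error negotiating SSL connection on FD 252: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown (1/0)
2017/07/18 16:05:41 kid1| Error negotiating SSL connection on FD 36: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown (1/0)
2017/07/18 16:05:45 kid1| Error negotiating SSL connection on FD 77: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (1/0)
2017/07/18 16:05:50 kid1| helperOpenServers: Starting 1/8 'ssl_crtd' processes
""".splitlines()

# Squid 3.5 "Error negotiating SSL connection" line carrying an OpenSSL
# error string of the form error:<hex>:<library>:<function>:<reason> (detail).
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (?P<kid>kid\d+)\| "
    r"Error negotiating SSL connection on FD (?P<fd>\d+): "
    r"error:(?P<code>[0-9A-Fa-f]+):(?P<lib>[^:]+):(?P<func>[^:]+):(?P<reason>[^(]+?)"
    r"(?: \((?P<detail>[^)]*)\))?\s*$"
)

# OpenSSL spells a received TLS alert as "<protocol> alert <description>".
ALERT_RE = re.compile(r"^(?:sslv3|tlsv1(?:\.\d)?|tlsv13) alert (.+)$")

# Likely cause of each certificate-related alert description (RFC 5246 7.2)
# when it arrives on an ssl-bump listener, i.e. from the browser. Assumed
# mapping for this example.
ALERT_HINTS = {
    "unknown ca": "the client does not trust the CA that signed the generated certificate",
    "certificate unknown": "the client rejected the generated certificate for an unspecified "
                           "reason; with a private bump CA this is commonly an untrusted CA",
    "bad certificate": "the client could not parse the certificate or verify its signature",
    "certificate expired": "the certificate or its issuer is outside its validity period",
    "certificate revoked": "the client considers the certificate revoked",
}


@dataclass(frozen=True)
class SslNegotiationError:
    timestamp: str
    fd: int
    code: str
    lib: str
    func: str
    reason: str
    detail: str
    peer_alert: Optional[str]  # alert description if the peer sent it, else None


def parse_line(line: str) -> Optional[SslNegotiationError]:
    """Parse one cache.log line; return None for lines that are not SSL negotiation errors."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    reason = m.group("reason").strip()
    alert = ALERT_RE.match(reason)
    # An "... alert ..." reason raised from the read path means OpenSSL
    # received a fatal alert from the peer instead of failing locally.
    from_peer = alert is not None and m.group("func").lower() == "ssl3_read_bytes"
    return SslNegotiationError(
        timestamp=m.group("ts"), fd=int(m.group("fd")), code=m.group("code"),
        lib=m.group("lib"), func=m.group("func"), reason=reason,
        detail=m.group("detail") or "",
        peer_alert=alert.group(1) if from_peer else None,
    )


def summarise(lines: Iterable[str]) -> dict:
    """Count negotiation errors by reason string and by peer-sent alert."""
    errors, other = [], 0
    for line in lines:
        err = parse_line(line)
        if err is None:
            other += 1
        else:
            errors.append(err)
    return {
        "total": len(errors),
        "other_lines": other,
        "by_reason": dict(Counter(e.reason for e in errors)),
        "peer_alerts": dict(Counter(e.peer_alert for e in errors if e.peer_alert)),
        "first": errors[0].timestamp if errors else None,
        "last": errors[-1].timestamp if errors else None,
    }


def diagnose(summary: dict) -> dict:
    """Map every peer-sent alert in the summary to its likely cause on an ssl-bump listener."""
    return {alert: ALERT_HINTS.get(alert, "unrecognised alert; check the OpenSSL reason string")
            for alert in summary["peer_alerts"]}


if __name__ == "__main__":
    s = summarise(SAMPLE_LOG)
    print(f"{s['total']} negotiation errors between {s['first']} and {s['last']}")
    for alert, count in s["peer_alerts"].items():
        print(f"  {count:4d} x peer alert '{alert}': {diagnose(s)[alert]}")
```

Feed it the real file with `summarise(open('/var/log/squid/cache.log'))`; when the alerts come from the peer on the bump listener, the fix lives on the clients (trust the CA certificate, not the per-host leaf certificates), and no `sslproxy_*` setting on the proxy side changes what the browser accepts.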