I have compiled and installed SQUID_4.11-3 with SSL, CRTD on debian10 and here is my configuration -
##### SQUID.CONF SNAPSHOT (START) ######
# Manual connection on 3128
http_port 3128
# Standard intercept
http_port 3129 intercept
# intercept & bump SSL connections
https_port 3130 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl/squid-ca-cert-key.pem dhparams=/usr/local/etc/squid/certs/dhparam.pem
sslcrtd_children 5
tls_outgoing_options cafile=/etc/ssl/certs/ca-certificates.crt
tls_outgoing_options options=NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE
acl foreignProtocol squid_error ERR_PROTOCOL_UNKNOWN ERR_TOO_BIG
acl serverTalksFirstProtocol squid_error ERR_REQUEST_START_TIMEOUT
on_unsupported_protocol tunnel foreignProtocol
on_unsupported_protocol tunnel serverTalksFirstProtocol
on_unsupported_protocol tunnel all
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
#acl noBumpSites ssl::server_name_regex -i "/etc/squid/url.nobump"
acl noBumpSites ssl::server_name .app.seesaw.me .schoology.com .dropbox.com
ssl_bump peek step1 all
ssl_bump peek step2 noBumpSites
ssl_bump splice step3 noBumpSites
ssl_bump stare step2
ssl_bump bump step3
##### CONFIG SNAPSHOT (END) ######

I created the certificates by doing the following -

openssl dhparam -outform PEM -out dhparam.pem 2048
openssl req -new -newkey rsa:2048 -sha256 -days 365 -nodes -x509 -extensions v3_ca -keyout squid-ca-key.pem -out squid-ca-cert.pem
cat squid-ca-cert.pem squid-ca-key.pem >> squid-ca-cert-key.pem
chown proxy:proxy /etc/squid/ssl/dhparam.pem
chown proxy:proxy /etc/squid/ssl/squid-ca-key.pem
chmod 400 dhparam.pem
chmod 400 squid-ca-key.pem
/usr/lib/squid/security_file_certgen -c -s /var/spool/squid/ssl_db -M 4MB
chown -R proxy:proxy /etc/squid/ssl
chown -R proxy:proxy /var/spool/squid/ssl_db
openssl x509 -hash -fingerprint -noout -in /etc/ssl/certs/ca-certificates.crt

###
For my firewall, I issued this:

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -s 192.168.10.0/24 -j ACCEPT
iptables -A INPUT -j ACCEPT -p tcp --dport 3128 -m comment --comment "squid http proxy"
iptables -A INPUT -j ACCEPT -p tcp --dport 3129 -m comment --comment "squid http proxy (intercept)"
iptables -A INPUT -j ACCEPT -p tcp --dport 3130 -m comment --comment "squid https proxy (intercept)"
iptables -t nat -A PREROUTING -m iprange --src-range 192.168.10.8-192.168.10.30 -p tcp --dport 80 -m comment --comment "transparent http proxy" -j DNAT --to-destination 192.168.10.8:3129
iptables -t nat -A PREROUTING -m iprange --src-range 192.168.10.8-192.168.10.30 -p tcp --dport 443 -m comment --comment "transparent https proxy" -j DNAT --to-destination 192.168.10.8:3130
###

I can browse https on laptops, BUT when I use iOS devices or Android, I get errors with this -

1589083941.053 1 192.168.10.15 NONE_ABORTED/200 0 CONNECT 157.240.18.35:443 - HIER_NONE/- -
1589083941.072 4 192.168.10.10 NONE_ABORTED/200 0 CONNECT 52.94.224.113:443 - HIER_NONE/- -
1589083941.205 5 192.168.10.10 NONE_ABORTED/200 0 CONNECT 52.94.224.113:443 - HIER_NONE/- -
1589083941.860 32 192.168.10.10 NONE_ABORTED/200 0 CONNECT 52.94.232.0:443 - HIER_NONE/- -
1589083941.862 4 192.168.10.10 NONE_ABORTED/200 0 CONNECT 54.239.27.116:443 - HIER_NONE/- -
1589083941.864 38 192.168.10.10 NONE_ABORTED/200 0 CONNECT 52.94.224.113:443 - HIER_NONE/- -
1589083941.983 5 192.168.10.10 NONE_ABORTED/200 0 CONNECT 52.94.224.113:443 - HIER_NONE/- -
1589083942.642 20 192.168.10.10 NONE_ABORTED/200 0 CONNECT 54.239.27.116:443 - HIER_NONE/- -
1589083942.645 48 192.168.10.10 NONE_ABORTED/200 0 CONNECT 52.94.224.113:443 - HIER_NONE/- -

What am I doing wrong? I read everything about ssl bump, etc. with these links -

- https://wiki.squid-cache.org/Features/SslPeekAndSplice
- https://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit
- http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-4-6-Transparent-HTTP-amp-HTTPS-Proxy-td4687578.html

If anyone can point me to what's wrong with my squid.conf configuration or can provide me with a working squid.conf for ssl_bump, I will be indebted to you.

Thanks.
Jeremy
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
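The access.log excerpt in the post is the usual first evidence that bumped handshakes are being dropped by particular clients: every record is a CONNECT that Squid answered with 200 but that ended with NONE_ABORTED, 0 bytes sent and HIER_NONE (no upstream ever selected). The script below is an added example for this thread, not Squid code and not from the poster. It parses Squid's default native log format, keeps only records matching that pattern, and groups them by client and destination so an admin can see which devices are aborting and against which hosts. The sample log is constructed from the nine lines quoted above plus one made-up successful TCP_TUNNEL line to show the filter discarding normal traffic.

```python
"""Summarise aborted bumped-TLS CONNECT records in a Squid access.log.

Added example for this squid-users thread (not Squid's own code). It parses
Squid's default native access.log format and groups the NONE_ABORTED
CONNECT records, like the ones quoted in the post, by client and destination.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the nine NONE_ABORTED lines quoted in the post plus one
# successful TCP_TUNNEL line (invented here, including the 93.184.216.34
# peer) so the filter has something to discard.
SAMPLE_LOG = """\
1589083941.053 1 192.168.10.15 NONE_ABORTED/200 0 CONNECT 157.240.18.35:443 - HIER_NONE/- -
1589083941.072 4 192.168.10.10 NONE_ABORTED/200 0 CONNECT 52.94.224.113:443 - HIER_NONE/- -
1589083941.205 5 192.168.10.10 NONE_ABORTED/200 0 CONNECT 52.94.224.113:443 - HIER_NONE/- -
1589083941.860 32 192.168.10.10 NONE_ABORTED/200 0 CONNECT 52.94.232.0:443 - HIER_NONE/- -
1589083941.862 4 192.168.10.10 NONE_ABORTED/200 0 CONNECT 54.239.27.116:443 - HIER_NONE/- -
1589083941.864 38 192.168.10.10 NONE_ABORTED/200 0 CONNECT 52.94.224.113:443 - HIER_NONE/- -
1589083941.983 5 192.168.10.10 NONE_ABORTED/200 0 CONNECT 52.94.224.113:443 - HIER_NONE/- -
1589083942.642 20 192.168.10.10 NONE_ABORTED/200 0 CONNECT 54.239.27.116:443 - HIER_NONE/- -
1589083942.645 48 192.168.10.10 NONE_ABORTED/200 0 CONNECT 52.94.224.113:443 - HIER_NONE/- -
1589083950.000 120 192.168.10.20 TCP_TUNNEL/200 5120 CONNECT example.com:443 - HIER_DIRECT/93.184.216.34 -
"""


@dataclass
class LogEntry:
    """One record of Squid's native format:
    timestamp elapsed client result/status bytes method url ident hierarchy/peer type
    """
    timestamp: float
    elapsed_ms: int
    client: str
    result: str      # e.g. NONE_ABORTED, TCP_TUNNEL
    status: int      # HTTP status Squid logged
    size: int        # bytes sent to the client
    method: str
    url: str
    hierarchy: str   # e.g. HIER_NONE, HIER_DIRECT (peer part dropped)


def parse_line(line: str) -> Optional[LogEntry]:
    """Parse one native-format line; return None for blank or malformed lines."""
    parts = line.split()
    if len(parts) < 10:
        return None
    result, _, status = parts[3].partition("/")
    hierarchy, _, _peer = parts[8].partition("/")
    try:
        return LogEntry(
            timestamp=float(parts[0]),
            elapsed_ms=int(parts[1]),
            client=parts[2],
            result=result,
            status=int(status),
            size=int(parts[4]),
            method=parts[5],
            url=parts[6],
            hierarchy=hierarchy,
        )
    except ValueError:
        return None


def parse_log(text: str) -> List[LogEntry]:
    """Parse a whole log, silently skipping lines that do not fit the format."""
    entries = [parse_line(line) for line in text.splitlines()]
    return [e for e in entries if e is not None]


def is_aborted_bump(e: LogEntry) -> bool:
    """A CONNECT that Squid answered (status 200) but the client dropped before
    any bytes were exchanged and before Squid picked an upstream: exactly the
    pattern in the post's log."""
    return (e.method == "CONNECT" and e.result == "NONE_ABORTED"
            and e.size == 0 and e.hierarchy == "HIER_NONE")


def summarise_aborts(entries: List[LogEntry]) -> Dict[str, Counter]:
    """Map client IP -> Counter of destination host:port for aborted bumps."""
    per_client: Dict[str, Counter] = defaultdict(Counter)
    for e in entries:
        if is_aborted_bump(e):
            per_client[e.client][e.url] += 1
    return dict(per_client)


def noisy_clients(summary: Dict[str, Counter], min_aborts: int = 3) -> List[str]:
    """Clients with at least min_aborts aborted bumps, busiest first."""
    ranked = sorted(summary.items(), key=lambda kv: -sum(kv[1].values()))
    return [client for client, dests in ranked if sum(dests.values()) >= min_aborts]


if __name__ == "__main__":
    summary = summarise_aborts(parse_log(SAMPLE_LOG))
    for client in noisy_clients(summary, min_aborts=1):
        total = sum(summary[client].values())
        print(f"{client}: {total} aborted bumped CONNECTs")
        for dest, n in summary[client].most_common():
            print(f"    {n:3d}  {dest}")
```

Run it against a real access.log by replacing SAMPLE_LOG with the file contents. A client that shows up here for every destination it touches, while other clients on the same ssl_bump rules tunnel fine, is a client-side trust problem rather than a squid.conf problem; a client that aborts only for a handful of destinations is a candidate for the noBumpSites splice list.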