Hi Everyone,
I compiled an configured squid in the way to get a transparent ssl
proxy. With the debug flag an looking into the access.log, no errors
or warnings are shown. When intercepting http traffic, everything
works fine but there is trouble with ssl.
On the Client (ipad) - safari tells me that it cant establish a safe
connection - nothing more. the acces.logs shows:
ext/html
1330094808.367 3 172.20.0.113 NONE/400 3563
%BF%18%C6%CC%D5%CB%B5+%C5Eq - NONE/- text/html
1330094809.922 8 172.20.0.113 NONE/400 3546 NONE
error:invalid-request - NONE/- text/html
1330094811.938 2 172.20.0.113 NONE/400 3546 NONE
error:invalid-request - NONE/- text/html
1330094813.603 3 172.20.0.113 NONE/400 3552 NONE
error:invalid-request - NONE/- text/html
1330094813.673 2 172.20.0.113 NONE/400 3552 NONE
error:invalid-request - NONE/- text/html
1330094813.744 10 172.20.0.113 NONE/400 3546 NONE
error:invalid-request - NONE/- text/html
here is my config and stuff:
ip_forward =1
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
REDIRECT tcp -- anywhere anywhere tcp
dpt:www redir ports 3128
REDIRECT tcp -- anywhere anywhere tcp
dpt:https redir ports 3129
Squid Cache: Version 3.1.19
configure options: '--enable-ssl' '--enable-ssl-crtd'
'--enable-linux-netfilter' --with-squid=/root/squid-3.1.19
--enable-ltdl-convenience
and here the squid.conf
#
# Recommended minimum configuration:
#
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
acl SSL method CONNECT
ssl_bump allow all
## allow users to webistes attemping to use certs belonging to other domains
acl BadSite ssl_error SQUID_X509_V_ERR_DOMAIN_MISMATCH
sslproxy_cert_error allow BadSite
sslproxy_cert_error deny all
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 172.20.0.0/24 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly
plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost localnet
### MEINE REGELN FÜR TRANSPARENT SSL PROXYING
always_direct allow all
ssl_bump allow all
# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost
# Squid Transparent http listens to port 3128
http_port 172.20.0.79:3128 intercept
http_port 127.0.0.1:3128 intercept
# Squid Transparent SSL https listens to por 3129
http_port 172.20.0.79:3129 intercept ssl-bump
cert=/etc/apache2/ssl/server.crt key=/etc/apache2/ssl/server.key
http_port 127.0.0.1:3129 intercept ssl-bump
generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
options=ALL cert=/etc/apache2/ssl/apache.pem
sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s /etc/apache2/ssl2 -M 4MB
sslcrtd_children 50
Hope someone can help me.
Best regards,
Jan
Received on Fri Feb 24 2012 - 15:25:23 MST
This archive was generated by hypermail 2.2.0 : Sat Feb 25 2012 - 12:00:04 MST