[squid-users] SSLBump, help to configure for 3.1.0.16

From: Andres Salazar <ndrsslzr80_at_gmail.com>
Date: Sun, 14 Feb 2010 18:30:34 -0600

Hello,

I am trying to configure SSLBump so that I can run Squid in transparent
mode and redirect ports 443 and 80 to Squid with iptables/pf.

When I use https_port (as suggested on some mailing lists), Squid reports that the
directive isn't recognized.
I also tried to use

http_port 3129 transparent sslBump
cert=/usr/local/squid/etc/server.crt
key=cert=/usr/local/squid/etc/server.key

and

http_port 3129 sslBump cert=/usr/local/squid/etc/server.crt
key=cert=/usr/local/squid/etc/server.key

But then I receive this error:

FATAL: Bungled squid.conf line 38: http_port 3129 transparent sslBump
cert=/usr/local/squid/etc/server.crt
key=cert=/usr/local/squid/etc/server.key

Below is the copy of my config:

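#
# Recommended minimum configuration:
#
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl localhost src ::1/128
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
acl to_localhost dst ::1/128

acl localnet src 192.168.0.0/16 # RFC1918 possible internal network

acl SSL_ports port 443
acl Safe_ports port 80 # http
acl CONNECT method CONNECT

#
# Recommended minimum Access Permission configuration:
#
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager

# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

##Rules
# First matching http_access rule wins: keep the localnet allow above the
# final deny, and note that anything outside 192.168.0.0/16 is refused.
http_access allow localnet
http_access deny all

#Custom size, port, IP
# Caps every reply body at 1 MB; larger downloads are cut off by the proxy.
reply_body_max_size 1 MB
# Fixed: the key option is key=<path>, not key=cert=<path> (the original
# pointed the key at a "cert=/..." path that does not exist).
# The whole directive must be on one line; if it was wrapped in the file the
# way it appears in the error message, Squid parses each fragment separately.
# https_port and sslBump are only recognised when Squid was built with
# --enable-ssl; a build without it reports the directive as unrecognised.
# Clients must trust server.crt (self-signed here) or every bumped site shows
# a certificate error.
# NOTE(review): 3.1 also needs an ssl_bump access rule (e.g. "ssl_bump allow all")
# before any connection is bumped -- confirm against the 3.1 ssl_bump docs.
https_port 3129 transparent sslBump cert=/usr/local/squid/etc/server.crt key=/usr/local/squid/etc/server.key

# Bumped requests have relative URLs so Squid has to use reverse proxy
# or accelerator code. By default, that code denies direct forwarding.
# The need for this option may disappear in the future.
always_direct allow all

#Custom paths
#cache_dir ufs /dev/null 100 16 256
# Per-instance logs and pid file (instance0) so several squids can coexist.
access_log /var/log/squid/access_instance0.log squid
cache_log /var/log/squid/cache_instance0.log
pid_filename /var/log/squid/instance0.pid

#Default
# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
hierarchy_stoplist cgi-bin ?

#Custom - Hides www.whatismyipaddress.com proxy detection message
# Suppresses the Via header; forwarded_for off below also withholds the
# client address, so upstream servers cannot identify the proxy or client.
via off
#acl apache rep_header Server ^Apache
#broken_vary_encoding allow apache
#header_replace User-Agent Nutscrape/1.0 (CP/M; 8-bit)

#Customs
visible_hostname instance0
half_closed_clients off
forwarded_for off
# ICP disabled: no peer cache communication.
icp_port 0
coredump_dir /var/log/squid/cache_instance0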

-----------------------------------------------------------------------------------

This is what I used to create the key and certificate.

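# Self-signed certificate for the sslBump listener. The third command was
# wrapped across two lines in the original and would fail as pasted; it is
# a single command.
# A 1024-bit RSA key is below the currently accepted minimum (2048 or more),
# and the certificate is valid for 1825 days (5 years); clients must trust
# server.crt for bumped connections to be accepted.
openssl genrsa -out server.key 1024
openssl req -new -key server.key -out /tmp/server.csr
openssl x509 -req -days 1825 -in /tmp/server.csr -signkey server.key -out server.crt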

Please advise. Thanks

Andres
Received on Mon Feb 15 2010 - 00:30:54 MST
