Hello,
Iam trying to configure SSLbump so that I can use squid in transparent
mode and redirect with iptables/pf port 443 and 80 to squid.
When using https_port (based on some mailing lists) it says that isnt
recognized.
I also tried to use
http_port 3129 transparent sslBump
cert=/usr/local/squid/etc/server.crt
key=cert=/usr/local/squid/etc/server.key
and
http_port 3129 sslBump cert=/usr/local/squid/etc/server.crt
key=cert=/usr/local/squid/etc/server.key
But then I recieve this error:
FATAL: Bungled squid.conf line 38: http_port 3129 transparent sslBump
cert=/usr/local/squid/etc/server.crt
key=cert=/usr/local/squid/etc/server.key
Below is the copy of my config:
#
# Recommended minimum configuration:
#
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl localhost src ::1/128
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
acl to_localhost dst ::1/128
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl CONNECT method CONNECT
#
# Recommended minimum Access Permission configuration:
#
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
# Deny requests to certain unsafe ports
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
##Rules
http_access allow localnet
http_access deny all
#Custom size, port, IP
reply_body_max_size 1 MB
https_port 3129 transparent sslBump
cert=/usr/local/squid/etc/server.crt
key=cert=/usr/local/squid/etc/server.key
# Bumped requests have relative URLs so Squid has to use reverse proxy
# or accelerator code. By default, that code denies direct forwarding.
# The need for this option may disappear in the future.
always_direct allow all
#Custom paths
#cache_dir ufs /dev/null 100 16 256
access_log /var/log/squid/access_instance0.log squid
cache_log /var/log/squid/cache_instance0.log
pid_filename /var/log/squid/instance0.pid
#Default
# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
hierarchy_stoplist cgi-bin ?
#Custom - Hides www.whatismyipaddress.com proxy detection message
via off
#acl apache rep_header Server ^Apache
#broken_vary_encoding allow apache
#header_replace User-Agent Nutscrape/1.0 (CP/M; 8-bit)
#Customs
visible_hostname instance0
half_closed_clients off
forwarded_for off
icp_port 0
coredump_dir /var/log/squid/cache_instance0
-----------------------------------------------------------------------------------
This is what i used to create the key and crt.
openssl genrsa -out server.key 1024
openssl req -new -key server.key -out /tmp/server.csr
openssl x509 -req -days 1825 -in /tmp/server.csr -signkey server.key
-out server.crt
Please advise. Thanks
Andres
Received on Mon Feb 15 2010 - 00:30:54 MST
This archive was generated by hypermail 2.2.0 : Wed Feb 17 2010 - 12:00:04 MST