Oh, and a tiny little detail :)

# squid -v
Squid Cache: Version 4.0.13
Service Name: squid
configure options: '--with-openssl' '--prefix=/usr' '--localstatedir=/var' '--libexecdir=/lib/squid' '--datadir=/share/squid' '--sysconfdir=/etc/squid' '--with-default-user=proxy' '--with-logdir=/var/log/squid' '--with-pidfile=/var/run/squid.pid'

On Wed, Aug 24, 2016 at 4:37 PM, Diogenes S. Jesus <spl...@gmail.com> wrote:
> This configuration here covers the use case described by the OP:
> https://gist.githubusercontent.com/splashx/758ff0c59ea291f32edafc516fdaad73/raw/8050fa054821657812961050332b38a56e7e3e68/
>
> If everything works well, you'll notice you won't support HTTP proxy at
> all, but users can reach both HTTP and HTTPS target websites via your
> HTTPS proxy.
>
> # netstat -nltp
> Active Internet connections (only servers)
> Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
> tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      32109/sshd
> tcp6       0      0 :::80                   :::*                    LISTEN      26627/apache2
> tcp6       0      0 :::3443                 :::*                    LISTEN      7303/(squid-1)
> tcp6       0      0 :::22                   :::*                    LISTEN      32109/sshd
>
> The user connects to the proxy ONLY via HTTPS Proxy on port 3443.
> All traffic between the OP and the proxy is encrypted using TLS.
> A) If the user enters http://target.example.com, between the proxy and
>    the target you'll see HTTP.
> B) If the user enters https://target.example.com, between the proxy and
>    the target you'll see HTTPS.
>
> If you sniff the traffic between the client and the proxy, you'll see TLS.
>
> Tested with:
> $ /Applications/Firefox\ 2.app/Contents/MacOS/firefox -v
> Mozilla Firefox 48.0
>
> Firefox set up to use PAC: Preferences > Advanced > Network > Settings:
> "Automatic Proxy Configuration": http://squid.example.com/proxy.pac
>
> The downside here of course is the limited amount of clients supporting
> HTTPS Proxy settings.
>
> Dio
>
> On Wed, Aug 24, 2016 at 3:46 PM, Amos Jeffries <squ...@treenet.co.nz> wrote:
>> Just to rewind this conversation to the actual problem ...
>>
>> On 24/08/2016 11:42 p.m., Samuraiii wrote:
>>> On 24.8.2016 13:18, Antony Stone wrote:
>>>> Unfortunately it's not Squid that's the challenge - it's the browser.
>>>>
>>>> If you're using Firefox and/or Chrome, you should be okay.
>>>>
>>>> See "Encrypted browser-Squid connection" at the bottom of
>>>> http://wiki.squid-cache.org/Features/HTTPS
>>>>
>>>> Antony.
>>>>
>>> I have seen that, it is the cause of my subscription to this list.
>>> I haven't been able to find any usable hints.
>>> My config attempt fails
>>>
>> <snip>
>>>
>>> https_port 8443 \
>>>   cert=/etc/letsencrypt/live/sklad.duckdns.org/cert.pem \
>>>   key=/etc/letsencrypt/live/sklad.duckdns.org/key.pem \
>>>   cleintca=/etc/letsencrypt/live/sklad.duckdns.org/fullchain.pem \
>>>   tls-dh=/etc/ssl/certs/dhparam.pem \
>>>   sslproxy_options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE \
>>>   cipher=HIGH
>>
>> As Dio mentioned the cleintca= (or rather clientca=) is for
>> authenticating clients' certificates. Don't use that unless you are
>> requiring client certs in TLS.
>>
>> The rest of your config looks reasonable to me. I suspect you have found
>> a bug introduced during all the SSL-Bump code changes. Please make a
>> bugzilla report and include your exact Squid version (found with the
>> 'squid -v' command), the https_port line(s) and the exact error message
>> produced on startup.
>>
>> Amos
>>
>> _______________________________________________
>> squid-users mailing list
>> squid-users@lists.squid-cache.org
>> http://lists.squid-cache.org/listinfo/squid-users
>
> --
> --------
> Diogenes S. de Jesus

--
--------
Diogenes S. de Jesus
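The PAC file Dio points Firefox at is what makes the browser open a TLS connection to the Squid https_port rather than a plain-text one. The following is an added example of such a proxy.pac, not the gist from the thread: it uses the thread's squid.example.com:3443 listener, and the local-name/private-range bypass and the Node-compatible stand-ins for the browser's PAC helper functions are assumptions.

```javascript
// Added example PAC file for the HTTPS-proxy setup discussed in the thread.
// squid.example.com:3443 comes from the thread; the bypass rules are assumed.
"use strict";

// Browsers provide these helpers to PAC scripts; minimal stand-ins are defined
// here so the file can also be exercised outside a browser (e.g. under Node).
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
    host.substring(host.length - domain.length) === domain;
}
function shExpMatch(str, shexp) {
  // Translate the shell-style glob into an anchored regular expression.
  var re = "^" + shexp.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                      .replace(/\*/g, ".*").replace(/\?/g, ".") + "$";
  return new RegExp(re).test(str);
}

// "HTTPS host:port" tells Firefox/Chrome to wrap the proxy connection in TLS.
var TLS_PROXY = "HTTPS squid.example.com:3443";

function FindProxyForURL(url, host) {
  // Only http:// and https:// URLs go through the proxy; other schemes go direct.
  if (!shExpMatch(url, "http:*") && !shExpMatch(url, "https:*")) {
    return "DIRECT";
  }
  // Unqualified names, .local and private/loopback ranges bypass the proxy
  // (assumed policy, not part of the thread).
  if (isPlainHostName(host) || dnsDomainIs(host, ".local") ||
      shExpMatch(host, "10.*") || shExpMatch(host, "192.168.*") ||
      shExpMatch(host, "127.*")) {
    return "DIRECT";
  }
  // Deliberately no "; DIRECT" fallback: if the TLS proxy is unreachable the
  // request fails instead of silently leaving the network unencrypted.
  return TLS_PROXY;
}
```

Serve the file at the URL given in the Firefox "Automatic Proxy Configuration" setting; both http:// and https:// targets then reach Squid over the single TLS listener on 3443.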