On 02.02.2017 2:58, angelv wrote:
> Hi,
>
> I need your advice.
>
> I have a transparent proxy running with the self-generated
> certificates 'myCA.pem', as it is not signed by a valid entity then I
> have to import the 'myCA.der' certificate in all web browsers ...
>
> I want to know where I can buy a valid certificate that works in Squid.

Nowhere. Due to CA's CPS.

> PD:
> The proxy is working great
>
>
> ----------------------------------------------------------------------------------------------
> Important information for clarity (FreeBSD, squid-3.5.23 and PF):
>
> Create self-signed certificate for Squid server
>
> # openssl req -new -newkey rsa:2048 -sha256 -days 36500 -nodes -x509 -extensions v3_ca -keyout myCA.pem -out /usr/local/etc/squid/ssl_cert/myCA.pem -config /usr/local/etc/squid/ssl_cert/openssl.cnf
>
> # openssl dhparam -outform PEM -out /usr/local/etc/squid/ssl_cert/dhparam.pem 2048
>
> Create a DER-encoded certificate to import into users' browsers
>
> # openssl x509 -in /usr/local/etc/squid/ssl_cert/myCA.pem -outform DER -out /usr/local/etc/squid/ssl_cert/myCA.der
>
>
> # edit /usr/local/etc/squid/squid.conf
> ...
> # Squid normally listens to port 3128
> http_port 3128
>
> # Intercept HTTPS CONNECT messages with SSL-Bump
> #
> http_port 3129 ssl-bump intercept \
>     cert=/usr/local/etc/squid/ssl_cert/myCA.pem \
>     generate-host-certificates=on dynamic_cert_mem_cache_size=4MB \
>     dhparams=/usr/local/etc/squid/ssl_cert/dhparam.pem
> #
> https_port 3130 ssl-bump intercept \
>     cert=/usr/local/etc/squid/ssl_cert/myCA.pem \
>     generate-host-certificates=on dynamic_cert_mem_cache_size=4MB \
>     dhparams=/usr/local/etc/squid/ssl_cert/dhparam.pem
> #
> sslcrtd_program /usr/local/libexec/squid/ssl_crtd -s /usr/local/etc/squid/ssl_db -M 4MB
> #
> acl step1 at_step SslBump1
> #
> ssl_bump peek step1
> ssl_bump stare all
> ssl_bump bump all
> always_direct allow all
> #
> sslproxy_cert_error allow all
> sslproxy_flags DONT_VERIFY_PEER
> ...
>
> PF redirects the traffic to Squid
>
> # edit /etc/pf.conf
> ...
> # Intercept HTTPS CONNECT messages with SSL-Bump
> rdr pass on $int_if inet proto tcp from any to port https \
>     -> 127.0.0.1 port 3130
> rdr pass on $int_if inet6 proto tcp from any to port https \
>     -> ::1 port 3130
> ...
> ----------------------------------------------------------------------------------------------
> --
> Ángel Villa G.
> US +1 (786) 233-9240 | CO +57 (300) 283-6546
> ange...@gmail.com
> https://google.com/+AngelVillaG
> https://angelcontents.blogspot.com
>
> "We are all atheists about most of the gods that societies have ever
> believed in. Some of us just go one god further" - Richard Dawkins
>
>
> _______________________________________________
> squid-users mailing list
> squid-users@lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
-- Bugs to the Future
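An added example, not code from this thread nor from Squid or OpenSSL, that shows the reply's point in a throwaway directory: a certificate a public CA will sell is an end-entity certificate (basicConstraints CA:FALSE, no keyCertSign), so the per-host certificates ssl_crtd mints under it fail validation in any client that trusts it, while a self-signed CA:TRUE certificate like the thread's myCA.pem works. The file names (myca, bought, host_by_*), the host www.example.test and the embedded openssl.cnf are the example's own assumptions; its v3_ca section stands in for whatever the thread's /usr/local/etc/squid/ssl_cert/openssl.cnf defines. A separate caveat on the quoted squid.conf: sslproxy_flags DONT_VERIFY_PEER together with sslproxy_cert_error allow all turns off Squid's validation of the origin servers' certificates, so clients behind the proxy lose the check their browsers would otherwise do.

```shell
#!/bin/sh
# Added example, not code from the squid-users thread or from Squid/OpenSSL.
# Demonstrates why a publicly issued (CA:FALSE) certificate cannot act as the
# SSL-Bump signing CA. Everything is created under a temporary directory;
# names and the config below are constructed for the demo.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed openssl.cnf with two profiles: v3_ca (what myCA.pem needs) and
# leaf (the shape of a certificate a public CA would actually issue).
cat > "$WORK/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no

[ dn ]
CN = placeholder

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ leaf ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
EOF

# Create a self-signed certificate and key.
# $1 = output basename, $2 = common name, $3 = extension section (v3_ca or leaf)
make_self_signed() {
    openssl req -new -newkey rsa:2048 -sha256 -days 365 -nodes -x509 \
        -config "$WORK/openssl.cnf" -extensions "$3" -subj "/CN=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# Returns 0 when the certificate carries basicConstraints CA:TRUE. $1 = basename
is_ca_cert() {
    openssl x509 -in "$WORK/$1.pem" -noout -text | grep -q 'CA:TRUE'
}

# Mint a host certificate under $1's key, the way ssl_crtd does for each
# visited site. $2 = host name, $3 = output basename
sign_host_cert() {
    printf 'basicConstraints = CA:FALSE\nextendedKeyUsage = serverAuth\nsubjectAltName = DNS:%s\n' \
        "$2" > "$WORK/$3.ext"
    openssl req -new -newkey rsa:2048 -sha256 -nodes -subj "/CN=$2" \
        -keyout "$WORK/$3.key" -out "$WORK/$3.csr" 2>/dev/null &&
    openssl x509 -req -in "$WORK/$3.csr" -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" \
        -CAcreateserial -days 30 -sha256 -extfile "$WORK/$3.ext" \
        -out "$WORK/$3.pem" 2>/dev/null
}

# Returns 0 when a client whose trust store holds $1.pem would accept $2.pem.
verify_against() {
    openssl verify -CAfile "$WORK/$1.pem" "$WORK/$2.pem" >/dev/null 2>&1
}

# Mint and validate in one step; 0 only when both succeed.
# $1 = signer basename, $2 = host name, $3 = output basename
host_cert_accepted() {
    sign_host_cert "$1" "$2" "$3" && verify_against "$1" "$3"
}

# Walk through both cases.
make_self_signed myca "Squid SSL-Bump CA" v3_ca
make_self_signed bought "proxy.example.test" leaf
for signer in myca bought; do
    if host_cert_accepted "$signer" www.example.test "host_by_$signer"; then
        echo "$signer: host certificate accepted, signer is a usable CA"
    else
        echo "$signer: host certificate rejected, signer is not a CA"
    fi
done
```

The "bought" case fails at validation (or already at signing, depending on the OpenSSL release) because the signer has CA:FALSE and no keyCertSign; that is exactly the constraint a public CA's CPS binds it to, which is why no purchasable certificate will work as the bump CA.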