13.04.2017 22:57, Olly Lennox wrote:
> Hi there,
>
> I've been battling for the last few days on a little project to set up a
> Raspberry PI device as a small parental blocking server. I've managed to
> configure the device to work as a transparent proxy using squid which is
> assigned as the default gateway via DHCP and after a lot of messing about
> I've finally got to the point where it's routing traffic correctly, proxying
> and blocking unwanted websites over HTTP.
>
> The problem I have is that for the life of me I cannot get things to work
> over HTTPS. It's working over the older, insecure web browsers where anything
> goes but the more modern browsers will not accept the SSL certificates and
> fail with insecure messages. I've tried various ways of generating a cert and
> also generating a CA cert and signing my other cert with it to no avail. I've
> had a mixture of errors back from the browser from WEAK_ALGORITHM to
> BAD_AUTHORITY to INVALID_CERT.
>
> I've been using openssl to generate self-signed certificates and create a der
> file. Below is a recent attempt but I've tried lots of different approaches:
>
> ------------
> openssl req -x509 -nodes -sha256 -days 3650 -newkey rsa:2048 -keyout squid.key -out squid.crt
> openssl req -new -x509 -key squid.key -out squid.pem
> openssl x509 -in squid.pem -inform pem -out squid.der -outform der
> ------------
>
> Then my config in Squid is like this, the dhparams file I generated as per
> instructions in the squid wiki:

First of all: what's Squid's version?

> ------------
> http_port 3128 intercept
> https_port 3129 intercept ssl-bump generate-host-certificates=on
>   dynamic_cert_mem_cache_size=4MB cert=/etc/squid3/ssl_cert/squid.crt
>   key=/etc/squid3/ssl_cert/squid.key options=NO_SSLv3
>   dhparams=/etc/squid3/ssl_cert/dhparam.pem

Is your Squid built with interception support? Show the squid -v output.

> ssl_bump server-first all
  ^^^^^^^^^^^^^^^^^^^^^^^^^
This option is valid only up to Squid 3.4. If you are using 3.5.x, you should use the new peek-n-splice rules.

> sslproxy_cert_error allow all
> sslproxy_flags DONT_VERIFY_PEER
  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Don't do this. Never. This forces Squid to ignore (and hide) all SSL security issues from the user and from you.

> sslproxy_cipher EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
> ------------
>
> The only routing rules I'm using are to forward port 80/443 to 3128/2129
> respectively and also a POST_ROUTING "masquerade" rule which I got from a
> guide (and I'm not sure I 100% understand!)

80/443 should be NATed to Squid's box on Squid's box.

> Can anyone tell me where I'm going wrong? This is only for use on very small
> networks (home router + 2 or 3 trusted devices and users) so security between
> the rPI and the client is not a major concern - I just want it to work in the
> most simple and foolproof way possible.

You are doing only one thing wrong: you are not giving any of the information needed to resolve the issue. At least Squid's version and build options.

> Any advice would be very welcome.
>
> Thanks,
>
> Olly
> oli...@lennox-it.uk
> lennox-it.uk
> tel: 07900 648 252
> _______________________________________________
> squid-users mailing list
> squid-users@lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
-- Bugs to the Future
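An added example, not from the original post and not from the Squid project: a small POSIX shell lint that reads a squid.conf on stdin and flags the three ssl-bump directives the reply objects to (the 3.4-era server-first/client-first bump modes, sslproxy_flags DONT_VERIFY_PEER, and sslproxy_cert_error allow all), plus a helper that builds a bump CA the way the Squid wiki describes and exports it as DER for import into the clients' trust stores. The two embedded configs are constructed samples: SAMPLE_BAD is the poster's section reduced to the ssl-bump lines, and SAMPLE_GOOD is an assumed corrected Squid 3.5 form using at_step/peek/bump rules and a single combined key+cert file at /etc/squid3/ssl_cert/myCA.pem (a path chosen for the example). The make_bump_ca helper assumes openssl is installed and is not invoked by the lint.

```shell
#!/bin/sh
# bumplint.sh: check a squid.conf ssl-bump section for the problems raised
# in the thread. Added example; directive names are Squid 3.5 syntax.

# Constructed sample: the poster's ssl-bump lines (paths from the post).
SAMPLE_BAD='https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid3/ssl_cert/squid.crt key=/etc/squid3/ssl_cert/squid.key options=NO_SSLv3 dhparams=/etc/squid3/ssl_cert/dhparam.pem
ssl_bump server-first all
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER'

# Constructed sample: an assumed corrected 3.5 section. Peek at the TLS
# ClientHello first, then bump; origin certificates stay verified because
# the two "ignore errors" directives are gone. myCA.pem is an assumed
# combined key+cert file created by make_bump_ca below.
SAMPLE_GOOD='https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid3/ssl_cert/myCA.pem options=NO_SSLv3 dhparams=/etc/squid3/ssl_cert/dhparam.pem
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all'

# count_bump_issues: read squid.conf text on stdin, report each offending
# line on stderr, and print the number of findings on stdout.
count_bump_issues() {
    n=0
    while IFS= read -r line; do
        case "$line" in
            \#*|'') continue ;;   # skip comments and blank lines
        esac
        case "$line" in
            ssl_bump*server-first*|ssl_bump*client-first*)
                echo "FINDING: '$line' is a Squid <=3.4 bump mode; on 3.5 use peek/stare/bump/splice rules" >&2
                n=$((n + 1)) ;;
            sslproxy_flags*DONT_VERIFY_PEER*)
                echo "FINDING: '$line' disables verification of origin server certificates" >&2
                n=$((n + 1)) ;;
            sslproxy_cert_error*allow*all*)
                echo "FINDING: '$line' accepts every origin certificate error without telling the client" >&2
                n=$((n + 1)) ;;
        esac
    done
    echo "$n"
}

# make_bump_ca DIR: create a CA usable for generate-host-certificates=on.
# Produces DIR/myCA.pem (key + self-signed CA cert, CA:TRUE via v3_ca) for
# Squid, and DIR/myCA.der for importing into browser/OS trust stores.
# Requires openssl on the box (assumption); not called by the lint.
make_bump_ca() {
    dir=$1
    mkdir -p "$dir" && chmod 700 "$dir"
    openssl req -new -newkey rsa:2048 -sha256 -days 3650 -nodes -x509 \
        -extensions v3_ca -subj "/CN=Home Squid Bump CA" \
        -keyout "$dir/myCA.pem" -out "$dir/myCA.pem" || return 1
    openssl x509 -in "$dir/myCA.pem" -outform DER -out "$dir/myCA.der" || return 1
    chmod 600 "$dir/myCA.pem"
    echo "$dir/myCA.der"
}
```

To lint a live configuration, run `count_bump_issues < /etc/squid3/squid.conf` after sourcing the file; a non-zero count means one of the three directives the reply warns about is present. The CA helper writes the key and certificate into one PEM because that is what the cert= option in SAMPLE_GOOD expects; only the DER file is meant to leave the Pi.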