dotTiddlywiki/mywiki/tiddlers/Squid sslbump.tid
Aiko Mastboom c8270d6eb6 update
2015-12-07 22:16:06 +01:00
created: 20151016154223821
creator: user
modified: 20151026164234090
modifier: user
tags:
title: Squid sslbump
type: text/vnd.tiddlywiki
; Setting up Explicit Squid Proxy
: http://wiki.alpinelinux.org/wiki/Setting_up_Explicit_Squid_Proxy#Behaviour_with_SSL_interception
; Regenerate SSL Certificates for Squid
: http://docs.diladele.com/administrator_guide_4_0/system_configuration/https_filtering/generate_certificates.html
/usr/local/var/etc/squid/squid.conf
```conf
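# Squid listening port
# http_port 3128
## Bump TLS on the listening port. squid.pem is the signing CA that every
## client must trust; generate-host-certificates=on lets ssl_crtd mint a
## per-site leaf certificate from it for each bumped connection.
## Disable SSLv2 AND SSLv3 on the client-facing side: both are broken
## (SSLv3 since POODLE), so NO_SSLv2 alone leaves a downgrade path open.
http_port 3128 ssl-bump cert=/usr/local/var/etc/squid/squid.pem key=/usr/local/var/etc/squid/squid.pem generate-host-certificates=on options=NO_SSLv2,NO_SSLv3 dynamic_cert_mem_cache_size=10MB
## Always complete the server-side handshake before client-side (recommended):
## squid sees the real origin certificate before it mints the fake one.
## (Newer Squid releases also offer the peek/splice/bump steps; server-first
## is the legacy form and is what this page was written for.)
ssl_bump server-first all
## Close the connection on any upstream certificate error (untrusted CA,
## name mismatch, expiry). Because the client only ever sees squid's own
## certificate, the proxy is the ONLY place the origin's identity is checked:
## allowing errors here turns every bumped connection into one that can be
## man-in-the-middled between the proxy and the origin, invisibly to users.
sslproxy_cert_error deny all
## Permissive alternative, only if company policy explicitly accepts that risk.
#sslproxy_cert_error allow all
## DONT_VERIFY_PEER switches upstream verification off entirely; it does this
## on its own, not only together with 'allow all'. Leave it disabled unless
## you have deliberately chosen the permissive policy above.
#sslproxy_flags DONT_VERIFY_PEER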
```
```bash
$ openssl req -newkey rsa:4096 -x509 -keyout /usr/local/var/etc/squid/squid.pem -out /usr/local/var/etc/squid/squid.pem -days 365 -nodes
$ sudo mkdir /usr/local/var/lib
$ sudo /usr/local/opt/squid/libexec/ssl_crtd -c -s /usr/local/var/lib/ssl_db
$ sudo chown -R nobody /usr/local/var/lib/ssl_db
```