
Re: https_port

How to generate the certificate and the key to make a very basic configuration of the https connection.

As basic as possible.

Date: Thu, 8 Jun 2017 01:04:31 +1200
From: Amos Jeffries <squid3@xxxxxxxxxxxxx>
To: squid-users@xxxxxxxxxxxxxxxxxxxxx
Subject: Re: [squid-users] https_port
Message-ID: <764ecd5f-6f6c-0eb5-90b4-5591ab5e1920@xxxxxxxxxxxxx>
Content-Type: text/plain; charset=utf-8; format=flowed

On 08/06/17 03:28, Adiel Plasencia Herrera wrote:
>
> Hello,
>
> They would help me with a configuration of my squid that I want to
> implement.
>
> My proxy passes all traffic to a parent proxy and I want clients to
> connect to my proxy via https.
>
> Can you help me how to implement the connection to my proxy via https?
>
> To better explain what I want attached 2 pictures. The image with
> 1.jpg name shows my proxy configuration with type HTTP that connects
> well to internet.
>
> What I want is for the connection to my proxy to be by the form of the
> 2.jpg image that uses the HTTPS type.
>
> Or if it is possible then leave the 2 forms.

What operating system are you using, and what applications are you wanting to use this proxy connection?

The normal configuration is simply to add an https_port line with cert= parameter to your squid.conf. More details on that below.

>
>
> This is my current configuration:
> acl trabajadores src
> <snip>
>
> http_access allow trabajadores
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports

Your custom http_access rules ("allow trabajadores") should be down here after the basic security checks.

> http_access deny all
>
>
> http_port 3128

The above port is for receiving plain-text connections to the proxy. Most software supports this, with a few exceptions (usually Java apps).

To accept TLS connections to the proxy (not HTTPS *over* the proxy), what you do is add an https_port line here. That https_port line needs a cert= parameter containing the proxy server certificate. You may need other TLS/SSL parameters to fine tune what the TLS does, but just start with getting that basic setup to work.
<http://www.squid-cache.org/Doc/config/https_port/>

For example:

    https_port 3129 cert=/etc/squid/proxy.pem

(the proxy.pem file here contains both the public server cert and private server key for that cert).

Many GUI applications (most notably browsers) do not support this type of connection to a proxy (or not well if they do). Which is where the Q's about your OS and applications come in. You may need to set up environment variables or PAC files to get the applications to work.

Note that this is a *very* different situation to intercepting port 443 traffic. Much more different than port 3128 vs. intercepted port 80. HTTPS traffic goes through these TLS proxy connections with double-layered encryption, so this setup does *not* magically make the proxy able to see inside HTTPS if that is what you are really after.

Amos
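
Added example, not part of the original thread and not Squid project code: one way to build the combined certificate-plus-key file that the cert= parameter above points at, which is what the follow-up at the top of the thread asks for. It assumes OpenSSL 1.1.1 or later is installed; the hostname, output path and function names are placeholders chosen for this example.

```shell
#!/bin/sh
# Added example: create and verify the single PEM file used by
#   https_port 3129 cert=/etc/squid/proxy.pem
# Function names and the example hostname are assumptions, not Squid's.

# make_proxy_pem HOSTNAME OUTFILE
# Self-signed certificate whose subjectAltName matches HOSTNAME (the name
# clients use to reach the proxy), written together with its private key.
make_proxy_pem() {
    host=$1
    out=$2
    tmp=$(mktemp -d) || return 1
    # -nodes leaves the key unencrypted so the proxy can start unattended.
    openssl req -x509 -newkey rsa:2048 -sha256 -days 365 -nodes \
        -subj "/CN=$host" -addext "subjectAltName=DNS:$host" \
        -keyout "$tmp/key.pem" -out "$tmp/cert.pem" 2>/dev/null \
        || { rm -rf "$tmp"; return 1; }
    # The file holds a private key: create it readable by the owner only.
    ( umask 077; cat "$tmp/cert.pem" "$tmp/key.pem" > "$out" )
    rm -rf "$tmp"
}

# check_proxy_pem FILE
# Succeeds only if FILE holds a certificate and a private key that belong
# together (the public key derived from each is identical).
check_proxy_pem() {
    f=$1
    cert_pub=$(openssl x509 -in "$f" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$f" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Direct use: sh make-proxy-pem.sh proxy.example.internal ./proxy.pem
if [ "$#" -eq 2 ]; then
    make_proxy_pem "$1" "$2" && check_proxy_pem "$2" && echo "ok: $2"
fi
```

A self-signed certificate is not trusted by clients until it is imported into their trust store; a certificate issued by a CA the clients already trust can be concatenated with its key the same way and checked with check_proxy_pem.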