Hi,
I want to enable SSL bumping with Squid.
This function is disabled in Debian version of Squid (Lenny,
Lenny-backports and Squeeze), so I decided to compile Squid from source.
Squid version: 3.1.8
./configure --prefix=/usr/local/squid \
--enable-inline \
--enable-async-io=8 \
--enable-storeio="ufs,aufs,diskd" \
--enable-removal-policies="lru,heap" \
--enable-delay-pools \
--enable-cache-digests \
--enable-icap-client \
--enable-follow-x-forwarded-for \
--enable-auth="basic,digest,ntlm,negotiate" \
--enable-basic-auth-helpers="LDAP,MSNT,NCSA,PAM,SASL,SMB,YP,DB,POP3,getpwnam,squid_radius_auth,multi-domain-NTLM"
\
--enable-ntlm-auth-helpers="smb_lm," \
--enable-digest-auth-helpers="ldap,password" \
--enable-negotiate-auth-helpers="squid_kerb_auth" \
--enable-external-acl-helpers="ip_user,ldap_group,session,unix_group,wbinfo_group"
\
--enable-arp-acl \
--enable-esi \
--disable-translation \
--with-filedescriptors=65536 \
--with-large-files \
--with-ssl \
--with-openssl=/usr \
--with-default-user=proxy \
--disable-ipv6
make all
make install
./squid -v
Squid Cache: Version 3.1.8
configure options: '--prefix=/usr/local/squid'
'--with-cppunit-basedir=/usr' '--enable-inline' '--enable-async-io=8'
'--enable-storeio=ufs,aufs,diskd' '--enable-removal-policies=lru,heap'
'--enable-delay-pools' '--enable-cache-digests' '--enable-underscores'
'--enable-icap-client' '--enable-follow-x-forwarded-for'
'--enable-auth=basic,digest,ntlm,negotiate'
'--enable-basic-auth-helpers=LDAP,MSNT,NCSA,PAM,SASL,SMB,YP,DB,POP3,getpwnam,squid_radius_auth,multi-domain-NTLM'
'--enable-ntlm-auth-helpers=smb_lm,'
'--enable-digest-auth-helpers=ldap,password'
'--enable-negotiate-auth-helpers=squid_kerb_auth'
'--enable-external-acl-helpers=ip_user,ldap_group,session,unix_group,wbinfo_group'
'--enable-arp-acl' '--enable-esi' '--enable-ipv6'
'--disable-translation' '--with-filedescriptors=65536'
'--with-large-files' '--with-ssl' '--with-openssl=/usr'
'--with-default-user=proxy' '--disable-ipv6'
--with-squid=/usr/local/src/squid-3.1.8 --enable-ltdl-convenience
squid.conf (cat squid.conf | grep -v "^#" | grep -v "^$" ):
auth_param ntlm program /usr/bin/ntlm_auth
--helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 50
auth_param basic program /usr/bin/ntlm_auth
--helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm DOMAIN
auth_param basic credentialsttl 2 hours
cache_peer 127.0.0.1 parent 8081 0 no-query login=*:nopassword
acl apache rep_header Server ^Apache
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
acl shoutcast rep_header X-HTTP09-First-Line ^ICY\s[0-9]
acl AuthorizedUsers proxy_auth REQUIRED
external_acl_type ad_group %LOGIN /usr/lib/squid3/wbinfo_group.pl
acl power_download_gebruikers external ad_group InternetUnlimitedDownload
acl internet_kantoor_gebruikers external ad_group ServApplicatiegroep52
acl internet_desktop_gebruikers external ad_group Applicatiegroep55
acl internet_blacklist_gebruikers external ad_group ServApplicatiegroep53
acl ie_browser browser ^Mozilla/4\.0 .compatible; MSIE # die!!
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl terminalservers src 10.2.0.202/32
acl terminalservers src 10.2.0.203/32
acl terminalservers src 10.2.0.204/32
acl terminalservers src 10.2.0.205/32
acl terminalservers src 10.2.0.206/32
acl terminalservers src 10.2.0.207/32
acl desktops src 10.2.150.4/32
acl desktops src 10.1.107.1/32
acl desktops src 10.2.100.88/32
acl vrij_internet_werkplekken src 10.2.100.1/32
acl vrij_internet_werkplekken src 10.2.100.2/32
acl vrij_internet_werkplekken src 10.2.100.3/32
acl vrij_internet_werkplekken src 10.2.100.4/32
acl vrij_internet_werkplekken src 10.2.100.5/32
acl vrij_internet_werkplekken src 10.2.100.6/32
acl vrij_internet_werkplekken src 10.2.100.7/32
acl vrij_internet_werkplekken src 10.2.100.12/32
acl vrij_internet_werkplekken src 10.2.100.88/32
acl vrij_internet_werkplekken src 10.2.176.3/32
acl allow_download_unlimited_from dstdomain
"/etc/squid/download_unlimited_sites"
acl whitelist_kantoor dstdomain "/etc/squid/whitelist_kantoor"
acl whitelist_desktop dstdomain "/etc/squid/whitelist_desktop"
acl whitelist_desktop_IE dstdomain "/etc/squid/whitelist_desktop_IE"
acl whitelist_kantoor_IE dstdomain "/etc/squid/whitelist_kantoor_IE"
redirector_access deny whitelist_kantoor
redirector_access deny whitelist_desktop
redirector_access deny whitelist_desktop_IE
redirector_access deny whitelist_kantoor_IE
acl SSL_ports port 443 # https
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl purge method PURGE
acl CONNECT method CONNECT
http_access allow manager localhost
http_access allow all localhost
http_access allow ie_browser internet_desktop_gebruikers desktops
whitelist_desktop_IE
http_access allow ie_browser internet_kantoor_gebruikers terminalservers
whitelist_kantoor_IE
http_access deny ie_browser
http_access allow all internet_blacklist_gebruikers
vrij_internet_werkplekken
http_access allow internet_desktop_gebruikers desktops whitelist_desktop
http_access allow internet_kantoor_gebruikers terminalservers
whitelist_kantoor
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny all
icp_access allow localnet
icp_access deny all
reply_body_max_size 15 MB all
http_port 8080
https_port 8443 sslBump cert=/etc/ssl/certs/certificate.pem
ssl_bump allow all
http_port 127.0.0.1:3128 intercept
ssl_bump allow all
hierarchy_stoplist cgi-bin
cache_dir ufs /var/spool/squid3 10000 16 256
access_log /var/log/squid3/access.log squid
coredump_dir /var/spool/squid3
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
error_default_language nl
redirect_program /usr/bin/squidGuard
redirect_children 20
hosts_file /etc/hosts
always_direct allow all
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
/usr/local/squid/sbin/squid output:
2010/09/09 11:23:43| cache_cf.cc(363) parseOneConfigFile:
squid.conf:1155 unrecognized: 'https_port'
2010/09/09 11:23:43| cache_cf.cc(363) parseOneConfigFile:
squid.conf:1156 unrecognized: 'ssl_bump'
2010/09/09 11:23:43| cache_cf.cc(363) parseOneConfigFile:
squid.conf:1537 unrecognized: 'ssl_bump'
2010/09/09 11:23:43| cache_cf.cc(363) parseOneConfigFile:
squid.conf:5625 unrecognized: 'sslproxy_cert_error'
2010/09/09 11:23:43| cache_cf.cc(363) parseOneConfigFile:
squid.conf:5626 unrecognized: 'sslproxy_flags'
What am I doing wrong?
Regards,
Stephan
Received on Thu Sep 09 2010 - 09:27:19 MDT
This archive was generated by hypermail 2.2.0 : Thu Sep 09 2010 - 12:00:02 MDT