squid3 ssl bump, server-first, with a signed certificate

I am trying to get Squid 3.4 to do SSL Bumping with the server-first method. I followed this guide on alpinelinux.

I am in explicit mode (the browser is configured to go to the proxy), which works fine. I generated my key and my CSR, rebuilt squid3 with the --enable-ssl and --enable-ssl-crtd options, and when I got my certificate back from Comodo (I chose a 1-month test certificate for the POC) I put it in my Squid configuration.

Then I get the following error:

    Dec 08 08:15:12 proxy squid3[2166]: No valid signing SSL certificate configured for http_port 192.168.10.4:3128
    Dec 08 08:15:12 proxy squid3[2136]: Starting Squid HTTP Proxy 3.x: squid3FATAL: No valid signing SSL certificate configured for http_port 192.168.10.4:3128

Here is my squid3 configuration:

    # Subnet defs in ACL
    acl wifi_lan src 192.168.11.0/24
    acl dmz_lan dst 192.168.10.0/24 0.0.0.0/32 ::1
    acl dmz_lan_nas dst 192.168.10.5
    acl dmz_lan_proxy dst 192.168.10.4

    # Proto defs in ACL
    acl SSL_ports port 443
    acl SSL_ports port 5001
    acl SSL_ports port 5006
    acl SSL_ports port 8443
    acl SSL_ports port 8444
    acl Safe_ports port 80          # http
    acl Safe_ports port 21          # ftp
    acl Safe_ports port 443         # https
    acl Safe_ports port 70          # gopher
    acl Safe_ports port 210         # wais
    acl Safe_ports port 1025-65535  # unregistered ports
    acl Safe_ports port 280         # http-mgmt
    acl Safe_ports port 488         # gss-http
    acl Safe_ports port 591         # filemaker
    acl Safe_ports port 777         # multiling http
    acl Safe_ports port 5001        # Synology DSM
    acl Safe_ports port 631         # CUPS
    acl CONNECT method CONNECT
    acl netflix dstdomain *.netflix.com
    acl no_ssl_interception dstdomain .dropbox.com .hotmail.com nas.tourneur.be

    # HTTP accesses
    no_cache deny dmz_lan
    http_access allow manager localhost
    http_access deny manager
    http_access deny !Safe_ports
    http_access deny CONNECT !SSL_ports
    http_access allow dmz_lan_nas
    http_access allow dmz_lan_proxy
    http_access deny dmz_lan
    http_access allow localhost
    http_access allow wifi_lan
    http_access deny all

    # System section
    via off
    forwarded_for off
    pipeline_prefetch on
    connect_timeout 20 seconds
    coredump_dir /var/spool/squid3
    cache_mgr [email protected]
    visible_hostname proxy.example.com
    access_log syslog:user.warning

    # Connector sections
    sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/spool/squid3/ssldb -M 4MB
    sslcrtd_children 12
    redirector_access deny netflix
    redirect_program /usr/bin/squidGuard -c /etc/squidguard/squidGuard.conf
    redirect_children 24
    url_rewrite_program /usr/bin/squidGuard -c /etc/squidguard/squidGuard.conf
    url_rewrite_children 10 startup=0 idle=1 concurrency=0
    cache_peer 127.0.0.1 parent 8118 7 no-query no-digest no-netdb-exchange
    cache_peer_access 127.0.0.1 deny netflix
    acl ftp proto FTP
    always_direct allow netflix
    always_direct allow ftp
    never_direct allow all
    request_header_max_size 32 KB
    reply_header_max_size 32 KB

    # Cache section
    cache_mem 256 MB
    maximum_object_size_in_memory 1 MB
    cache_dir aufs /var/spool/squid3 16382 16 256
    memory_replacement_policy heap LRU
    cache_replacement_policy heap LRU

    # ssl config
    ssl_bump none localhost
    ssl_bump none no_ssl_interception
    ssl_bump server-first SSL_ports
    ## Allow server side certificate errors such as untrusted certificates, otherwise the connection is closed for such errors
    sslproxy_cert_error allow all
    ## Accept certificates that fail verification (should only be needed if using 'sslproxy_cert_error allow all')
    sslproxy_flags DONT_VERIFY_PEER
    http_port 192.168.10.4:3128 ssl-bump cert=/etc/squid3/keys/squid.crt key=/etc/squid3/keys/squid.key generate-host-certificates=on options=NO_SSLv2

Any idea what I am doing wrong?

Thanks for any help, much appreciated :)

To do SSL Bump you must use a self-signed root certificate file. The one you mention from Comodo will never work.

SSL Bump performs a man-in-the-middle attack on the HTTPS connection: Squid contacts the remote HTTPS server on your behalf, then forges the remote site's certificate and signs it with the configured self-signed root key, thereby mimicking the secure connection. You also have to install this self-signed root certificate as trusted in all browsers.

For the steps to generate a correct certificate see http://docs.diladele.com/administrator_guide_4_0/system_configuration/https_filtering/generate_certificates.html
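The difference the answer describes, as an added example that is not part of the original post, the linked guide, or Squid itself: the script below builds a self-signed root CA of the kind ssl-bump needs, builds a second CA standing in for a public CA such as Comodo, has that public CA issue an ordinary server certificate for the proxy (the kind the asker bought), and then shows the property that separates the two: only a certificate carrying basicConstraints CA:TRUE can sit above the per-site certificates that Squid's ssl_crtd forges, and a browser that trusts that root accepts the forged certificate. The working directory, CA names and hostnames are assumptions; it needs only sh and the openssl command line tool.

```shell
#!/bin/sh
# Added example (not from the original post or from Squid): root CA for
# ssl-bump versus a public-CA server certificate. Paths and names are assumed.
set -e

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Minimal OpenSSL config so the script does not depend on the system openssl.cnf.
cat > "$WORKDIR/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

# make_ca <name>: self-signed root certificate with CA:TRUE. This is the kind
# of certificate Squid can sign forged site certificates with. Prints its path.
make_ca() {
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$WORKDIR/openssl.cnf" -extensions v3_ca -subj "/CN=$1" \
        -keyout "$WORKDIR/$1.key" -out "$WORKDIR/$1.crt" >/dev/null 2>&1
    echo "$WORKDIR/$1.crt"
}

# issue_server_cert <host> <ca_name> <out_name>: end-entity (CA:FALSE)
# certificate for <host> signed by <ca_name>. Signed by the public CA this is
# what the asker bought; signed by the bump root it is what ssl_crtd generates
# per visited site. Prints the certificate path.
issue_server_cert() {
    host="$1"; ca="$2"; out="$3"
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -config "$WORKDIR/openssl.cnf" -subj "/CN=$host" \
        -keyout "$WORKDIR/$out.key" -out "$WORKDIR/$out.csr" >/dev/null 2>&1
    cat > "$WORKDIR/$out.ext" <<EOF
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF
    openssl x509 -req -in "$WORKDIR/$out.csr" -days 30 -sha256 \
        -CA "$WORKDIR/$ca.crt" -CAkey "$WORKDIR/$ca.key" -CAcreateserial \
        -extfile "$WORKDIR/$out.ext" -out "$WORKDIR/$out.crt" >/dev/null 2>&1
    echo "$WORKDIR/$out.crt"
}

# is_signing_ca <cert>: "yes" if the certificate carries basicConstraints
# CA:TRUE, i.e. it can be the issuer of forged site certificates, else "no".
is_signing_ca() {
    if openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; then
        echo yes
    else
        echo no
    fi
}

# chain_status <cert> <ca_cert>: "OK" when <cert> verifies with <ca_cert> as
# the trust anchor (what a browser with that root installed does), else "FAIL".
chain_status() {
    if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

# Demo on constructed data: a bump root, a stand-in public CA, the proxy's
# bought certificate, and one forged site certificate.
BUMP_ROOT=$(make_ca bumproot)
PUBLIC_CA=$(make_ca publicca)
PROXY_CERT=$(issue_server_cert proxy.example.com publicca proxy)
SITE_CERT=$(issue_server_cert www.example.com bumproot www)

echo "bought proxy cert usable as bump signer: $(is_signing_ca "$PROXY_CERT")"
echo "self-signed root usable as bump signer:  $(is_signing_ca "$BUMP_ROOT")"
echo "forged site cert against bump root:      $(chain_status "$SITE_CERT" "$BUMP_ROOT")"
echo "forged site cert against public CA:      $(chain_status "$SITE_CERT" "$PUBLIC_CA")"
```

The first check is the one to run against whatever file `cert=` in `http_port ... ssl-bump` points at: a certificate a public CA issues for a hostname is CA:FALSE, so nothing it signs will chain, which is why the bump root has to be your own self-signed CA and why that root, and only that root, is what gets installed in the browsers. The last line shows the flip side: a client that does not trust your root rejects every bumped site, so this is also the check to make when a particular device keeps getting certificate warnings.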