I am doing R&D to configure Squid as an HTTP and HTTPS transparent proxy.
After some research I configured Squid as an HTTP and HTTPS transparent proxy and tried to start it, but as bad luck would have it I get a fatal error when Squid starts.
Here is more detail about my issue:
Issue Description: I have installed and configured Squid 3.3.4 on a Debian machine. To enable Squid as an HTTPS transparent proxy I used a publicly signed certificate (from GoDaddy) and configured it in the squid.conf file. Once the configuration was done I tried to start Squid, but while starting I get the following error.
Error: FATAL: No valid signing SSL certificate configured for https_port 0.0.0.0:3129
Squid Cache (Version 3.3.4): Terminated abnormally.
CPU Usage: 0.020 seconds = 0.000 user + 0.020 sys
Maximum Resident Size: 22416 KB
Page faults with physical i/o: 3
failed!
Note: The certificate and private key (which are configured in squid.conf) have been converted from a Tomcat keystore (GoDaddy certificate) file.
Squid version: 3.3.4
Someone please help me with the issue.
Here is HTTPS transparent proxy configuration in squid.conf:
http_port 3127
http_port 3128 intercept
https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid3/cert/squidtrans.pem key=/etc/squid3/cert/squidtrans.key
ssl_bump server-first all
sslcrtd_program /usr/lib/squid3/ssl_crtd -s /var/lib/ssl_db -M 4MB
sslcrtd_children 8 startup=1 idle=1
Thanks in Advance.
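Added example, not part of the original post and not Squid's own tooling: a pre-flight check for the `cert=`/`key=` pair of an `ssl-bump` port with `generate-host-certificates=on`, testing that the key belongs to the certificate and that the certificate is a CA certificate (a server certificate issued by a public CA is not one, so it cannot sign generated host certificates). The function names and the two test certificates are constructed for the demonstration.

```shell
#!/bin/sh
# Added example. Function names, file names and certificates are constructed.
# Return 0 if the certificate carries basicConstraints CA:TRUE.
is_ca_cert() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}
# Return 0 if the private key ($2) belongs to the certificate ($1).
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}
# Print a verdict; return 0 only when the pair is usable for signing.
check_bump_cert() {
    if ! key_matches_cert "$1" "$2"; then echo "key-mismatch"; return 1; fi
    if ! is_ca_cert "$1"; then echo "not-a-ca"; return 1; fi
    echo "ok"
}
# Create a self-signed test certificate; $2 is TRUE or FALSE for the CA flag.
make_test_cert() {
    dir=$1; ca=$2; name=$3
    cat > "$dir/$name.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
x509_extensions = ext
[dn]
CN = $name.example.test
[ext]
basicConstraints = critical,CA:$ca
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -config "$dir/$name.cnf" \
        -keyout "$dir/$name.key" -out "$dir/$name.pem" 2>/dev/null
}
# Run the check on a leaf-style pair, a CA pair, and a mismatched pair.
demo() {
    tmp=$(mktemp -d) || return 1
    make_test_cert "$tmp" FALSE leaf     # stands in for a public server cert
    make_test_cert "$tmp" TRUE bumpca    # stands in for a locally created CA
    leaf=$(check_bump_cert "$tmp/leaf.pem" "$tmp/leaf.key") || true
    ca=$(check_bump_cert "$tmp/bumpca.pem" "$tmp/bumpca.key") || true
    cross=$(check_bump_cert "$tmp/bumpca.pem" "$tmp/leaf.key") || true
    rm -rf "$tmp"
    echo "$leaf $ca $cross"
}
demo   # prints: not-a-ca ok key-mismatch
```

Against a real configuration, call `check_bump_cert` with the paths given in `cert=` and `key=` before starting Squid.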
Related
I have an OpenVPN server successfully set up on a DigitalOcean droplet following this amazing tutorial:
https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-ubuntu-18-04
Then I also made an HTTP proxy server using Squid on a different droplet.
When I try to connect to my VPN server, I get 503 Service Unavailable in the logs of the client.
Also, when I try to curl my VPN server, I still get the same result:
curl -I -x myproxy.com:80 http://myvpn.com:1194 or
curl -I -x myproxy.com:80 http://myvpn.com
I turned off ufw on my OpenVPN server, still the same results.
What should I fix?
My OpenVPN server? My OpenVPN server's iptables? My Squid proxy conf?
Please help.
I cannot access Webmin via the Squid proxy.
I have the Squid proxy and Webmin set up already.
I have hostnames like the following.
・squid proxy hostname
dev-proxy.example
・webmin hostname
dev-proxy.example:10000
I added the following to squid.conf.
# Allow webmin
acl webmin_port port 10000
acl webmin url_regex "/etc/squid/webmin.acl"
http_access allow CONNECT webmin_port localnet
http_access allow CONNECT webmin_port localhost
/etc/squid/webmin.acl has the following URL.
https://dev-proxy.example
I can access Webmin without the Squid proxy.
However, I cannot access Webmin if the Squid proxy is set.
Do you have any suggestions for this?
My environment is as follows.
Ubuntu 18.04.4 LTS
SQUID Version 3.5.27
webmin version 1.941
Best regards,
I solved it myself.
I added the following.
acl SSL_ports port 10000
I'm trying to set up a Docker registry with Artifactory 5.2.1. It's a virtual repo that includes a docker-remote and docker-local (previously defined in Artifactory). I'd like to use the Port method of mapping and I'm running HAProxy 1.5 as a reverse proxy.
HAProxy has an SSL cert with a long list of SANs.
artifactrepo.company.com points to the main artifactory instance and works fine.
docker.company.com points to same server but HAProxy routes this to a Nexus served registry.
www.docker.company.com we intend to route to this Artifactory registry and
Per the HAProxy docs, I've set the reqirep ^([^\ :]*)\ /v2(.*$) \1\ /artifactory/api/docker/docker/v2\2 to get me to the intended port and path.
I have the "Registry Port" set to the default 6555 yet there is no process listening on that port. Artifactory and HAProxy have been restarted.
netstat -tulpn | grep 6555
gives no results.
Shouldn't Artifactory be listening on the Registry Port?
I figured this out. Turns out it was imagination poisoning from running Nexus repos.
Unlike Nexus, Artifactory doesn't actually listen on any port but the default (8081). The reference to a mapped port for a docker repo is simply to seed the generated reverse-proxy configs they give you. Those configs will have apache listen on 6555 (their default for docker) and then do the path rewrite and port map to 8081. I had intended to do this reverse-proxying using the hostname and had not scrolled all the way through their example to see that they had apache listening on 6555.
Server info
I have a server with nginx 1.12.1 (SNI enabled) and Resin 3.1.6 on JDK 1.6.0.
nginx here uses port 80 to proxy to port 8080 and port 443 to proxy to port 8443 of Resin.
First issue
When nginx is running, I can get access on port 80. But on access to 443 I get a 502 error, and in the error log I get "dh key too small".
Second issue
Then I compiled nginx with openssl-0.9.8f and with SNI disabled. This time everything worked. But when I compile nginx with openssl-0.9.8f and enable SNI, I get a 502 again, and the error log is SSL: error:140773F2:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert unexpected message
What confuses me
So, does the first issue, "dh key too small", belong to Weak Diffie-Hellman? Is the reason that my JDK is too old?
And is the second issue because nginx sends SNI information to Resin, but Resin doesn't support SNI, so it can't do the SSL handshake?
I'm trying to give a remote machine (that I can ssh to) access to the internet through my local machine.
Currently, I've set up a squid server locally, with the intent of using a reverse tunnel a la http://ubuntuforums.org/showthread.php?t=1765935
Unfortunately, I can't seem to get the local proxy to work, on account of ignorance of how proxy-ing works.
Currently:
squid3 proxy running locally port 3128. $nmap localhost confirms: 3128/tcp open squid-http
iptables set to allow access to port 3128 only from localhost: https://serverfault.com/questions/247176/iptables-only-allow-localhost-access
squid conf unaltered.
testing locally: $export http_proxy=localhost:3128
testing locally: $lynx google.com
failure.
Any thoughts?
Try:
Add
$export https_proxy=localhost:3128
$lynx google.com
Google redirects to HTTPS.