
At the moment I redirect http(443) requests into a Squid-configured https_port. It works as expected. It terminates the SSL connection with the SSL certificate installed in Squid, and then proxies the traffic.

In this setup, end users get illegal certificate errors, of course.

I want to establish a local CA and install the public certificate of this local CA on the end users' client PCs. Squid should get the target domain name and create an SSL certificate for that target domain from the local CA on the fly. Because I have installed the CA public certificate in Trusted Root Certification Authorities on the client PC, the client IE will not give any errors, will trust the site certificate, and this provides real transparent HTTPS proxying.

An open source tool, imspector, does the same setup successfully for another aim.

I am trying to find a way to implement such a setup with Squid and I need your kind comments.

      • 1
    • Are you trying to create an official Man-In-The-Middle in your network (I hope you've warned your users)? Note that normally, an HTTP proxy doesn't interfere with the HTTPS traffic, it uses CONNECT to relay it all.
    • We use squid as https_proxy also. The configuration directive is https_port 8443 ..... The problem is we do not want squid to push a single certificate for each request. We want it to create a certificate specific to the target web server, on the fly.

If your users are on an active directory domain you can push the certificate on the proxy out to the workstations using group policy.

Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Public Key Policies/Trusted Root Certification Authorities.

Put your .der certificate in there.

  • 1
    • Despite the fact that this question is almost two years old (and flagged as having an accepted answer), your suggestion doesn't solve the author's question. They want to dynamically create certificates for proxied sites, not distribute their own Root Cert.
      • 2
    • @Lukas - did you read the squid wiki? For SSL bumping, squid dynamically generates certs for SSL sites. The certs still need a root cert signature to be valid. As a result, all the users of the proxy need to import that common root cert into their system or browser's trusted cert storage. Certs on websites represent a "chain of trust" where root authorities validate the identity of those operating the website. A cert can only be verified as "valid" if it has a root signature, so to have dynamically generated certs check as valid, you need to install yourself as a valid root.
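As an added example (not from the question, the answer or the comments above), this is the Squid configuration fragment that ties the two halves together: the local CA whose public certificate is distributed to clients, and on-the-fly per-site certificate generation via SSL bumping. The CA file path, the helper path and the port number are assumptions; the directive names are Squid's own (3.5 and later).

```conf
# squid.conf fragment -- added example, not from the original page.
# Assumes the local CA certificate + private key are in one PEM file at
# /etc/squid/ssl/proxyCA.pem (assumed path). Only the CA *certificate* is
# exported (.der) and pushed to clients; the key stays on the proxy, readable
# by the squid user only, since anyone holding it can mint trusted certs.

# Port that the redirected 443 traffic lands on. 'intercept' because the
# clients are not explicitly configured to use the proxy; 'ssl-bump' plus
# generate-host-certificates=on makes Squid mint a certificate for the
# requested hostname instead of presenting one fixed certificate.
https_port 3129 intercept ssl-bump \
    cert=/etc/squid/ssl/proxyCA.pem \
    generate-host-certificates=on \
    dynamic_cert_mem_cache_size=4MB

# Helper that generates and caches the per-site certificates.
# Squid 3.x ships it as ssl_crtd, Squid 4+ as security_file_certgen
# (assumed install path). Initialise the on-disk cache once, as root:
#   /usr/lib/squid/security_file_certgen -c -s /var/lib/squid/ssl_db -M 4MB
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 4MB
sslcrtd_children 5

# Peek at the TLS ClientHello first so the SNI hostname is known, then bump.
# The generated certificate copies the real server's subject names, so a
# client that trusts proxyCA sees no certificate warning.
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all
```

Check the result from a client with a browser's certificate viewer or `openssl s_client -connect host:443 -servername host`: the leaf certificate should carry the target hostname but chain to the local CA, not the site's public CA.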
