On Thu, Feb 4, 2016 at 5:36 PM, Tris Hoar <trishoar at bgfl.org> wrote:
> On 04/02/2016 13:24, C. L. Martinez wrote:
>>
>> Hi all,
>>
>> I am trying to configure squid as an interception HTTPS proxy under
>> CentOS 7. At every https request, I am receiving a certificate error.
>>
>> My current config for squid is:
>>
>> # My localnet
>> acl localnet src 172.22.55.0/28
>> acl localnet src 172.22.58.0/29
>>
>> acl SSL_ports port 443
>> acl Safe_ports port 80          # http
>> acl Safe_ports port 21          # ftp
>> acl Safe_ports port 443         # https
>> acl Safe_ports port 70          # gopher
>> acl Safe_ports port 210         # wais
>> acl Safe_ports port 1025-65535  # unregistered ports
>> acl Safe_ports port 280         # http-mgmt
>> acl Safe_ports port 488         # gss-http
>> acl Safe_ports port 591         # filemaker
>> acl Safe_ports port 777         # multiling http
>> acl CONNECT method CONNECT
>>
>> #
>> # Recommended minimum Access Permission configuration:
>> #
>> # Deny requests to certain unsafe ports
>> http_access deny !Safe_ports
>>
>> # Deny CONNECT to other than secure SSL ports
>> http_access deny CONNECT !SSL_ports
>>
>> # Only allow cachemgr access from localhost
>> http_access allow localhost manager
>> http_access deny manager
>>
>> # We strongly recommend the following be uncommented to protect innocent
>> # web applications running on the proxy server who think the only
>> # one who can access services on "localhost" is a local user
>> #http_access deny to_localhost
>>
>> #
>> # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
>> #
>>
>> # Example rule allowing access from your local networks.
>> # Adapt localnet in the ACL section to list your (internal) IP networks
>> # from where browsing should be allowed
>> http_access allow localnet
>> http_access allow localhost
>>
>> # And finally deny all other access to this proxy
>> http_access deny all
>>
>> # Squid normally listens to port 3128
>> #http_port 3128
>>
>> # Uncomment and adjust the following to add a disk cache directory.
>> #cache_dir ufs /var/spool/squid 100 16 256
>>
>> # Leave coredumps in the first cache dir
>> coredump_dir /var/spool/squid
>>
>> #
>> # Add any of your own refresh_pattern entries above these.
>> #
>> refresh_pattern ^ftp:           1440    20%     10080
>> refresh_pattern ^gopher:        1440    0%      1440
>> refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
>> refresh_pattern .               0       20%     4320
>>
>> # My custom configuration
>> http_port 8079
>> http_port 8080 intercept
>> https_port 8081 ssl-bump intercept generate-host-certificates=on
>> dynamic_cert_mem_cache_size=4MB key=/etc/squid/custom.private
>> cert=/etc/squid/custom.cert
>>
>> # Anonymous proxy
>> forwarded_for off
>> request_header_access Allow allow all
>> request_header_access Authorization allow all
>> request_header_access WWW-Authenticate allow all
>> request_header_access Proxy-Authorization allow all
>> request_header_access Proxy-Authenticate allow all
>> request_header_access Cache-Control allow all
>> request_header_access Content-Encoding allow all
>> request_header_access Content-Length allow all
>> request_header_access Content-Type allow all
>> request_header_access Date allow all
>> request_header_access Expires allow all
>> request_header_access Host allow all
>> request_header_access If-Modified-Since allow all
>> request_header_access Last-Modified allow all
>> request_header_access Location allow all
>> request_header_access Pragma allow all
>> request_header_access Accept allow all
>> request_header_access Accept-Charset allow all
>> request_header_access Accept-Encoding allow all
>> request_header_access Accept-Language allow all
>> request_header_access Content-Language allow all
>> request_header_access Mime-Version allow all
>> request_header_access Retry-After allow all
>> request_header_access Title allow all
>> request_header_access Connection allow all
>> request_header_access Proxy-Connection allow all
>> request_header_access User-Agent allow all
>> request_header_access Cookie allow all
>> request_header_access All deny all
>>
>> # SSL Bump Config
>> always_direct allow all
>> ssl_bump server-first all
>> sslproxy_cert_error deny all
>> sslproxy_flags DONT_VERIFY_PEER
>>
>> I have tried disabling "sslproxy_cert_error" and "sslproxy_flags"
>> directives, without luck.
>>
>> Any ideas about what I am doing wrong?
>>
>> Thanks.
>>
>
> Do you have a copy of the Root CA you are using to re-encrypt the SSL stream
> installed in the browser?
>
> Tris
>

Yes, and every time I am receiving the same error: NET::ERR_CERT_AUTHORITY_INVALID