Hey There, I think it would be better asked at squid-users list: - http://www.squid-cache.org/Support/mailing-lists.html#squid-users - squid-users at lists.squid-cache.org Eliezer Croitoru On 04/02/2016 15:24, C. L. Martinez wrote: > Hi all, > > I am trying to configure squid as a interception HTTPS proxy under CentOS 7. At every https request, I am receiving a certificate error. > > My current config for squid is: > > # My localnet > acl localnet src 172.22.55.0/28 > acl localnet src 172.22.58.0/29 > > acl SSL_ports port 443 > acl Safe_ports port 80 # http > acl Safe_ports port 21 # ftp > acl Safe_ports port 443 # https > acl Safe_ports port 70 # gopher > acl Safe_ports port 210 # wais > acl Safe_ports port 1025-65535 # unregistered ports > acl Safe_ports port 280 # http-mgmt > acl Safe_ports port 488 # gss-http > acl Safe_ports port 591 # filemaker > acl Safe_ports port 777 # multiling http > acl CONNECT method CONNECT > > # > # Recommended minimum Access Permission configuration: > # > # Deny requests to certain unsafe ports > http_access deny !Safe_ports > > # Deny CONNECT to other than secure SSL ports > http_access deny CONNECT !SSL_ports > > # Only allow cachemgr access from localhost > http_access allow localhost manager > http_access deny manager > > # We strongly recommend the following be uncommented to protect innocent > # web applications running on the proxy server who think the only > # one who can access services on "localhost" is a local user > #http_access deny to_localhost > > # > # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS > # > > # Example rule allowing access from your local networks. > # Adapt localnet in the ACL section to list your (internal) IP networks > # from where browsing should be allowed > http_access allow localnet > http_access allow localhost > > # And finally deny all other access to this proxy > http_access deny all > > # Squid normally listens to port 3128 > #http_port 3128 > > # Uncomment and adjust the following to add a disk cache directory. > #cache_dir ufs /var/spool/squid 100 16 256 > > # Leave coredumps in the first cache dir > coredump_dir /var/spool/squid > > # > # Add any of your own refresh_pattern entries above these. > # > refresh_pattern ^ftp: 1440 20% 10080 > refresh_pattern ^gopher: 1440 0% 1440 > refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 > refresh_pattern . 0 20% 4320 > > # My custom configuration > http_port 8079 > http_port 8080 intercept > https_port 8081 ssl-bump intercept generate-host-certificates=on dynamic_cert_mem_cache_size=4MB key=/etc/squid/custom.private cert=/etc/squid/custom.cert > > # Anonymous proxy > forwarded_for off > request_header_access Allow allow all > request_header_access Authorization allow all > request_header_access WWW-Authenticate allow all > request_header_access Proxy-Authorization allow all > request_header_access Proxy-Authenticate allow all > request_header_access Cache-Control allow all > request_header_access Content-Encoding allow all > request_header_access Content-Length allow all > request_header_access Content-Type allow all > request_header_access Date allow all > request_header_access Expires allow all > request_header_access Host allow all > request_header_access If-Modified-Since allow all > request_header_access Last-Modified allow all > request_header_access Location allow all > request_header_access Pragma allow all > request_header_access Accept allow all > request_header_access Accept-Charset allow all > request_header_access Accept-Encoding allow all > request_header_access Accept-Language allow all > request_header_access Content-Language allow all > request_header_access Mime-Version allow all > request_header_access Retry-After allow all > request_header_access Title allow all > request_header_access Connection allow all > request_header_access Proxy-Connection allow all > request_header_access User-Agent allow all > request_header_access Cookie allow all > request_header_access All deny all > > # SSL Bump Config > always_direct allow all > ssl_bump server-first all > sslproxy_cert_error deny all > sslproxy_flags DONT_VERIFY_PEER > > I have tried disabling "sslproxy_cert_error" and "sslproxy_flags" directives, without luck. > > Any ideas about what am I doing wrong? > > Thanks. >