Hi, I've setup a transparent HTTP+HTTPS proxy on my server running CentOS 7, using Squid. Here's my configuration file. --8<---------------------------------------------------------------- # /etc/squid/squid.conf # Définitions acl localnet src 192.168.2.0/24 acl SSL_ports port 443 acl Safe_ports port 80 # http acl Safe_ports port 21 # ftp acl Safe_ports port 443 # https acl Safe_ports port 70 # gopher acl Safe_ports port 210 # wais acl Safe_ports port 1025-65535 # unregistered ports acl Safe_ports port 280 # http-mgmt acl Safe_ports port 488 # gss-http acl Safe_ports port 591 # filemaker acl Safe_ports port 777 # multiling http acl CONNECT method CONNECT # Règles d'accès http_access deny !Safe_ports http_access deny CONNECT !SSL_ports http_access allow localhost manager http_access deny manager http_access allow localnet http_access allow localhost http_access deny all # Ports du proxy http_port 3130 http_port 3128 intercept https_port 3129 intercept ssl-bump \ cert=/etc/squid/ssl_cert/nestor.microlinux.lan.pem \ generate-host-certificates=on dynamic_cert_mem_cache_size=4MB # Emplacement de ssl_crtd et du cache des certificats TLS sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB sslcrtd_children 8 startup=1 idle=1 # SSL-Bump acl step1 at_step SslBump1 ssl_bump peek step1 ssl_bump bump all # Taille du cache dans la RAM cache_mem 2048 MB # Emplacement et taille du cache sur le disque # cache_dir ufs /var/spool/squid 100 16 256 # Vidage système coredump_dir /var/spool/squid # Durée de vie des fichiers sans date d'expiration refresh_pattern ^ftp: 1440 20% 10080 refresh_pattern ^gopher: 1440 0% 1440 refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 refresh_pattern . 0 20% 4320 --8<---------------------------------------------------------------- First, I tested the configuration in permissive mode, where it works perfectly. After running it a while, I get the following SELinux alert. # sealert -a /var/log/audit/audit.log ***** Plugin catchall (17.1 confidence) suggests ***** If you believe that ssl_crtd should be allowed read access on the index.txt file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'ssl_crtd' --raw | audit2allow -M my-sslcrtd # semodule -i my-sslcrtd.pp Unfortunately the suggested solution doesn't work, because the problem reappears, and I get all sorts of errors in /var/log/squid/cache.log, all due to ssl_crtd not being able to access stuff under /var/lib/ssl_db. Any idea how I can solve this problem permanently ? Cheers, Niki -- Microlinux - Solutions informatiques durables 7, place de l'église - 30730 Montpezat Site : https://www.microlinux.fr Blog : https://blog.microlinux.fr Mail : info at microlinux.fr Tél. : 04 66 63 10 32