Squid cache and https

**NethServer Version:** 7
**Module:** 3
How is Squid configured? Does it accept dynamic caching of HTTP and HTTPS?

Hi Saluto,
I think you can’t configure Squid to cache HTTPS in manual mode, only in transparent mode.
Please tell us more about your configuration, so we can try to help you to configure it.

No, if enabled, squid cache is active and working in every mode.


Ok, thanks for your correction.
Can you explain how it works in manual mode? I thought Squid doesn’t know the content of the files that are received over HTTPS.

You are right about HTTPS: caching is impossible, regardless of proxy settings.

Oh yes, you are right, you can only do it in NethServer 6.8 in transparent mode, because in 6.8 it works with MITM and decrypts the whole traffic.

Is it possible to enable HTTPS caching in the 7.3 release?
For example by changing squid.conf from a previous release or by using our own?
Any working squid.conf?
Does Squid need recompiling in order to decrypt HTTPS (to enable MITM)?
I guess in this scenario we lose control of Squid from the web-proxy part of the web page,
but we gain a working cache (right now only a 3% hit ratio versus >20% with MITM and a good squid.conf, maybe with a rewriter).
Can we use 7rc2 to achieve the same thing?

It would be VERY useful to have a way to re-enable HTTPS decrypting in the latest version,
even if it requires a little work on our part.

Any help or how-to?
Thank you.

You can start by reading the configuration from NS 6:

Please note that many other steps are needed.

  1. I do not think I can rewrite the template, so maybe I will edit squid.conf directly.
    Under which circumstances will the new squid.conf be re-written by the template?

  2. Do I need to recompile Squid?

Thank you

Please be aware that MITM (even if done at work) and HTTPS decryption is illegal in many countries…


Every time you do a modification inside the web interface.
If you want your modifications to persist, use a template-custom.

No :wink:

Is squid.conf re-written every time I make a modification in the “web proxy” part of the web interface,
OR anywhere in the web interface?

I think I may need a URL rewriter…

Also when you edit the web filter page.

Maybe I’m missing some case, it’s quicker to assume that the web interface can replace the configuration anytime from any page :smiley:

Why do you think you can’t do it with a template?
Perhaps I can help you.


Thank you for the help offer.
I tried manual modifications first; if I make it work, maybe I will try to change the template as well.

  1. My first stop was that I could not find the ssl_crtd program.
    I think it is normally installed when compiling and installing Squid?
    Do I need to recompile Squid to have it?

  2. Can I use the already generated certs (NSVRT.crt or something)? Or do I need to make new certificates?

Thank you

At this site they say it should be part of squid-helpers.rpm.
Please have a look here to see how to get the package.

For SSL-Bump you have to generate dynamic certificates with your root certificate. For that you must have the private key. If you have it, you can use it.

ssl_crtd is included in the standard squid package: /usr/lib64/squid/ssl_crtd
No need to download or compile anything else.

Here you’ll find a working configuration:


Thanks for the help

I edited /etc/e-smith/templates/etc/squid/squid.conf/40ports with the “new” version (after backing up the original one) and changed something (e.g. the cache size) on the web proxy page in order to re-write squid.conf.

After that I ran:
/usr/lib64/squid/ssl_crtd -c -s /var/lib/ssl_db (otherwise Squid would error out)

Then I needed to get the /etc/pki/tls/certs/NSRV.crt certificate.
Unfortunately the download does not work from the server control page.

I had to enable shared folders in order to get the certificate to my local machine.
The mount point is:
/var/lib/nethserver/ibay/“shared name”

Please make a copy of
/etc/e-smith/templates/etc/squid/squid.conf/40ports
in
/etc/e-smith/templates-custom/etc/squid/squid.conf/40ports
and edit this one.
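As an added illustration (not code posted by anyone in this thread and not NethServer’s own template), here is what a templates-custom copy of 40ports could contain to enable SSL-Bump on the explicit (manual) proxy port with Squid 3.5, the version EL7-based NethServer 7 ships. It assumes port 3128 is the existing proxy port, that the CA certificate is the /etc/pki/tls/certs/NSRV.crt file named above and its key is at /etc/pki/tls/private/NSRV.key (the key path is an assumption), that /var/lib/ssl_db was created with the `ssl_crtd -c` command shown above, and uses the hypothetical domain `.bank.example` to show how to exempt a site from decryption.

```conf
# /etc/e-smith/templates-custom/etc/squid/squid.conf/40ports  (added example)
# No curly braces here, so the e-smith template engine passes it through verbatim.

# Explicit proxy port: CONNECT tunnels are bumped and a per-host certificate is
# minted on the fly from the NethServer CA (key path is an assumption).
http_port 3128 ssl-bump \
    generate-host-certificates=on \
    dynamic_cert_mem_cache_size=4MB \
    cert=/etc/pki/tls/certs/NSRV.crt \
    key=/etc/pki/tls/private/NSRV.key

# Certificate-minting helper (the ssl_crtd binary discussed above) and its
# on-disk database, which must already exist and be writable by the squid user.
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
sslcrtd_children 5

# Step 1: read the TLS ClientHello (SNI) without touching it.
acl step1 at_step SslBump1
ssl_bump peek step1

# Sites that must never be decrypted: splice them through untouched.
# ".bank.example" is a placeholder; list your real exemptions here.
acl nobump ssl::server_name .bank.example
ssl_bump splice nobump

# Everything else: decrypt, so responses become cacheable.
ssl_bump bump all

# Keep upstream certificate validation strict. Do NOT add
#   sslproxy_flags DONT_VERIFY_PEER
# That weak setting would let the proxy accept any server certificate and
# re-sign it with your trusted CA, hiding invalid sites from every client.
sslproxy_cert_error deny all
```

After saving the file, re-expand the configuration (either change any setting on the Web proxy page, as explained above, or run `expand-template /etc/squid/squid.conf`) and restart Squid. Two checks worth doing first: `chown -R squid:squid /var/lib/ssl_db`, since the helper runs as the squid user, and installing NSRV.crt in every client’s trust store, since without it every bumped site shows a certificate warning. The legal caveat raised earlier still applies: this is a MITM of your users’ traffic.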

You can use an SCP program too. For Windows clients, WinSCP for example.


The whole purpose of SSL becomes void.