Can't connect to HTTPS websites via squid proxy

Solution 1:

For my purpose I don't need to use sslbump, so I deleted it and solved the problem by adding this line to squid.conf:

 dns_v4_first on

Solution 2:

Your log has the following line:

 (ssl_crtd): Failed to initialize /var/lib/ssl_db/index.txt file for writing

which means that you have mistakes in your sslbump configuration.

The problem with your configuration is that you can't have /var/lib/ssl_db as your sslbump storage, since you won't be able to initialize it with the following command: /usr/lib64/squid/ssl_crtd -c -s /var/lib/ssl_db. The ssl_db dir shouldn't exist before you issue the command, or it will fail. But the squid user can't create the directory in /var/lib because of permissions. So you need to change that directory to /var/lib/squid/ssl_db by running the following commands (start as root!):

  1. sudo su (or any other means to get a root shell)
  2. mkdir /var/lib/squid/
  3. chown -R squid:squid /var/lib/squid/
  4. su -l squid -s /bin/bash (the next command should be run as the squid user, so this step is important)
  5. /usr/lib64/squid/ssl_crtd -c -s /var/lib/squid/ssl_db

If you are successful, the output should display:

 Initialization SSL db...
 Done

Now you change your squid.conf to the new ssl_db directory:

sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB

And this directive should start on a new line; you have a mistake in your config file:

sslcrtd_children 8 startup=1 idle=1

I hope this will help (unless you are doing some censorship, then I hope it won't :))!

P.S. This is not your case, but I'll add nevertheless:

Different distros place the ssl_crtd command in different directories, but people have a tendency to copy config files without first checking that the command exists. Launching /usr/lib64/squid/ssl_crtd as the squid user should display:

Uninitialized SSL certificate database directory: . To initialize, run "ssl_crtd -c -s ".

If it says command not found, then ssl_crtd might actually be located at /usr/libexec/squid/ssl_crtd.

P.P.S. After a two-hour Skype session trying to fix the unfixable, the solution was found: disabling IPv6, which had been incorrectly configured by the hosting provider :)

Who would have thought that it would all boil down to the following commands:

 sysctl -w net.ipv6.conf.all.disable_ipv6=1
 sysctl -w net.ipv6.conf.default.disable_ipv6=1
 sysctl -w net.ipv6.conf.lo.disable_ipv6=1

And adding:

 dns_v4_first on

into squid.conf

Tags:

Squid

Centos7