aboutsummaryrefslogtreecommitdiffstats
path: root/config/squid3/33
diff options
context:
space:
mode:
authorMarcello Coutinho <marcellocoutinho@gmail.com>2013-05-16 18:38:21 -0300
committerMarcello Coutinho <marcellocoutinho@gmail.com>2013-05-16 18:38:21 -0300
commitcfd5b4ea97b817685d4f64cb2ca1b0fa1313ba86 (patch)
tree572ef24811ca36db378943c77e6b661e3dd0de74 /config/squid3/33
parent60b11790e713d6b110c662bcd6f864a4e51a0ff4 (diff)
downloadpfsense-packages-cfd5b4ea97b817685d4f64cb2ca1b0fa1313ba86.tar.gz
pfsense-packages-cfd5b4ea97b817685d4f64cb2ca1b0fa1313ba86.tar.bz2
pfsense-packages-cfd5b4ea97b817685d4f64cb2ca1b0fa1313ba86.zip
squid3-dev - change ssl filtering cert combo from server-cert to ca-cert
Diffstat (limited to 'config/squid3/33')
-rwxr-xr-xconfig/squid3/33/squid.inc11
-rw-r--r--config/squid3/33/squid.xml11
2 files changed, 13 insertions, 9 deletions
diff --git a/config/squid3/33/squid.inc b/config/squid3/33/squid.inc
index 89a11961..8eb9f2fa 100755
--- a/config/squid3/33/squid.inc
+++ b/config/squid3/33/squid.inc
@@ -824,7 +824,7 @@ function squid_resync_general() {
#Check ssl interception
if (($settings['ssl_proxy'] == 'on')) {
squid_check_ca_hashes();
- $srv_cert = lookup_cert($settings["dcert"]);
+ $srv_cert = lookup_ca($settings["dca"]);
if ($srv_cert != false) {
if(base64_decode($srv_cert['prv'])) {
#check if ssl_db was initilized by squid
@@ -836,13 +836,15 @@ function squid_resync_general() {
}
#force squid user permission on /var/squid/lib/ssl_db/
squid_chown_recursive("/var/squid/lib/ssl_db/", 'proxy', 'proxy');
+ # cert, key, version, cipher,options, clientca, cafile, capath, crlfile, dhparams,sslflags, and sslcontext
$crt_pk=SQUID_CONFBASE."/serverkey.pem";
+ $crt_capath=SQUID_LOCALBASE."/share/certs/";
file_put_contents($crt_pk,base64_decode($srv_cert['prv']).base64_decode($srv_cert['crt']));
$sslcrtd_children= ($settings['sslcrtd_children'] ? $settings['sslcrtd_children'] : 5);
- $ssl_interception.="ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=".($sslcrtd_children*2)."MB cert={$crt_pk}\n";
+ $ssl_interception.="ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=".($sslcrtd_children*2)."MB cert={$crt_pk} capath={$crt_capath}\n";
$interception_checks = "sslcrtd_program ".SQUID_LOCALBASE."/libexec/squid/ssl_crtd -s /var/squid/lib/ssl_db -M 4MB -b 2048\n";
$interception_checks .= "sslcrtd_children {$sslcrtd_children}\n";
- $interception_checks .= 'sslproxy_capath '.SQUID_LOCALBASE.'/share/certs'."\n";
+ $interception_checks .= "sslproxy_capath {$crt_capath}\n";
if (preg_match("/sslproxy_cert_error/",$settings["interception_checks"]))
$interception_checks.="sslproxy_cert_error allow all\n";
if (preg_match("/sslproxy_flags/",$settings["interception_checks"]))
@@ -1087,9 +1089,10 @@ EOC;
}
If ($settings['custom_refresh_patterns'] !="")
- $conf .= sq_text_area_decode($settings['custom_refresh_patterns']);
+ $conf .= sq_text_area_decode($settings['custom_refresh_patterns'])."\n";
$conf .= <<< EOD
+
cache_mem $memory_cache_size MB
maximum_object_size_in_memory {$max_objsize_in_mem} KB
memory_replacement_policy {$memory_policy}
diff --git a/config/squid3/33/squid.xml b/config/squid3/33/squid.xml
index dbaf0895..d64aabb9 100644
--- a/config/squid3/33/squid.xml
+++ b/config/squid3/33/squid.xml
@@ -370,12 +370,13 @@
<default_value>3129</default_value>
</field>
<field>
- <fielddescr>Cert</fielddescr>
- <fieldname>dcert</fieldname>
- <description><![CDATA[Select Certificate to use in SSL interception<br>
- To create a Certificate on pfsense, go to <strong>system -> Cert Manager<strong>]]></description>
+ <fielddescr>CA</fielddescr>
+ <fieldname>dca</fieldname>
+ <description><![CDATA[Select Certificate Authority to use when SSL interception is enabled.<br>
+ To create a CA on pfsense, go to <strong>system -> Cert Manager<strong><br>
+ Install the CA crt as an trusted ca on each computer you want to filter ssl to avoid ssl error on each connection.]]></description>
<type>select_source</type>
- <source><![CDATA[$config['cert']]]></source>
+ <source><![CDATA[$config['ca']]]></source>
<source_name>descr</source_name>
<source_value>refid</source_value>
</field>