Knowledge Base (Posts about squid)https://bgstack15.ddns.net/blog/enContents © 2022 <a href="mailto:bgstack15@gmail.com">bgstack15</a> <a rel="license" href="https://creativecommons.org/licenses/by-sa/4.0/"> <img alt="Creative Commons License BY-SA" style="border-width:0; margin-bottom:12px;" src="https://bgstack15.ddns.net/.images/l_by-sa_4.0_88x31.png"></a>Sun, 27 Feb 2022 04:05:14 GMTNikola (getnikola.com)http://blogs.law.harvard.edu/tech/rssSquid add port that passes all traffic throughhttps://bgstack15.ddns.net/blog/posts/2020/12/23/squid-add-port-that-passes-all-traffic-through/bgstack15<p>If you run a squid proxy and want to have an additional port, where it does zero interception, use these configuration entries.</p> <pre class="code literal-block"><span></span><code>http_port 3180 name=port_3180 # no ssl interception at all on this port # allow port 3180 to pass ssl through acl port_3180_acl myportname port_3180 always_direct allow port_3180_acl ssl_bump splice port_3180_acl </code></pre> <p>Be sure the bottom three lines here are used before any other ssl_bump or always_direct directives.</p>proxysquidhttps://bgstack15.ddns.net/blog/posts/2020/12/23/squid-add-port-that-passes-all-traffic-through/Wed, 23 Dec 2020 14:18:05 GMTSquid allow short names for local siteshttps://bgstack15.ddns.net/blog/posts/2020/11/21/squid-allow-short-names-for-local-sites/bgstack15<p>In my <a href="https://bgstack15.ddns.net/blog/posts/2020/10/04/setting-up-a-transparent-proxy-for-internal-network/">transparent web proxy</a>, I wanted to make it so I could still visit http://server2:631 for my local cups instance. Even with the hosts_file configured in squid.conf, squid does not accept short hostnames that can be resolved. But what you can do, is configure squid to append your domain on unqualified domain names, and configure an ACL with all the local host names! Set up squid.conf with these additional entries:</p> <pre class="code literal-block"><span></span><code>apped_domain .ipa.example.com acl localdst dstdomain "/etc/squid/axfr.txt" always_direct allow localdst </code></pre> <p>And you need a command to populate that axfr.txt file. Thankfully, I run my own dns and I left zone transfers on (security considerations notwithstanding). So here's my comments around what is basically a one-liner.</p> <table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span class="normal"> 1</span> <span class="normal"> 2</span> <span class="normal"> 3</span> <span class="normal"> 4</span> <span class="normal"> 5</span> <span class="normal"> 6</span> <span class="normal"> 7</span> <span class="normal"> 8</span> <span class="normal"> 9</span> <span class="normal">10</span> <span class="normal">11</span> <span class="normal">12</span> <span class="normal">13</span> <span class="normal">14</span> <span class="normal">15</span> <span class="normal">16</span> <span class="normal">17</span> <span class="normal">18</span> <span class="normal">19</span> <span class="normal">20</span> <span class="normal">21</span> <span class="normal">22</span> <span class="normal">23</span> <span class="normal">24</span> <span class="normal">25</span> <span class="normal">26</span> <span class="normal">27</span> <span class="normal">28</span> <span class="normal">29</span> <span class="normal">30</span> <span class="normal">31</span> <span class="normal">32</span> <span class="normal">33</span></pre></div></td><td class="code"><pre class="code literal-block"><span></span><code><span class="ch">#!/bin/sh</span> <span class="c1"># File: /mnt/public/Support/Systems/server4/usr/local/bin/squid_local_hosts.sh</span> <span class="c1"># License: CC-BY-SA 4.0</span> <span class="c1"># Location: server1</span> <span class="c1"># Author: bgstack15</span> <span class="c1"># Startdate: 2020-11-17 19:30</span> <span class="c1"># Title: Script that Lists Net-Local Hosts</span> <span class="c1"># Purpose: list all net-local hosts without the domain name, for squid on vm4</span> <span class="c1"># Usage:</span> <span class="c1"># in a cron entry, nominally in /etc/cron.d/90_squid_local_hosts.cron</span> <span class="c1"># 0 12 * * * root /mnt/public/Support/Systems/server4/usr/local/bin/squid_local_hosts.sh 2&gt;/dev/null 1&gt;/etc/squid/axfr.txt</span> <span class="c1"># And where axfr.txt was already established with proper mode and context</span> <span class="c1"># Reference:</span> <span class="c1"># Improve:</span> <span class="c1"># Dependencies:</span> <span class="c1"># zone transfers are on in local dns</span> <span class="c1"># Settings in squid.conf:</span> <span class="c1"># append_domain .ipa.example.com</span> <span class="c1"># acl localdst dstdomain "/etc/squid/axfr.txt"</span> <span class="c1"># always_direct allow localdst</span> <span class="nb">test</span> -z <span class="s2">"</span><span class="si">${</span><span class="nv">domain</span><span class="si">}</span><span class="s2">"</span> <span class="o">&amp;&amp;</span> <span class="nb">export</span> <span class="nv">domain</span><span class="o">=</span><span class="s2">"ipa.example.com"</span> get_net_local_hosts<span class="o">()</span> <span class="o">{</span> <span class="c1"># Awk methodology</span> <span class="c1"># exclude the ones that start with underscore, which users will not be looking up for visiting via a web browser.</span> <span class="c1"># print unique ones</span> <span class="c1"># Grep methodology</span> <span class="c1"># exclude blanks and comments</span> dig -t AXFR <span class="s2">"</span><span class="si">${</span><span class="nv">domain</span><span class="si">}</span><span class="s2">"</span> <span class="p">|</span> awk <span class="s2">"{gsub(\".?</span><span class="si">${</span><span class="nv">domain</span><span class="si">}</span><span class="s2">.?\",\"\",\$1);} \$1 !~ /^_/ &amp;&amp; !x[\$1]++{print \$1}"</span> <span class="p">|</span> grep -viE <span class="s1">'^[\s;]*$'</span> <span class="o">}</span> get_net_local_hosts </code></pre> </td></tr></table> <p>And as described, I have a cron entry.</p> <pre class="code literal-block"><span></span><code><span class="mf">0</span> <span class="o">*</span> <span class="o">*</span> <span class="o">*</span> <span class="o">*</span> <span class="n">root</span> <span class="o">/</span><span class="n">mnt</span><span class="o">/</span><span class="n">public</span><span class="o">/</span><span class="n">Support</span><span class="o">/</span><span class="kr">Sys</span><span class="n">tems</span><span class="o">/</span><span class="n">vm4</span><span class="o">/</span><span class="nb">usr</span><span class="o">/</span><span class="n">local</span><span class="o">/</span><span class="n">bin</span><span class="o">/</span><span class="n">squid_local_hosts</span><span class="mf">.</span><span class="n">sh</span> <span class="mf">2</span><span class="o">&gt;/</span><span class="n">dev</span><span class="o">/</span><span class="n">null</span> <span class="mf">1</span><span class="o">&gt;/</span><span class="n">etc</span><span class="o">/</span><span class="n">squid</span><span class="o">/</span><span class="n">axfr</span><span class="mf">.</span><span class="n">txt</span> </code></pre> <p>Now, I haven't been running this long enough and with enough network changes to test things fully, so I don't know if squid will dynamically read the new axfr.txt contents should they change. I seriously doubt it. So one could probably adjust the service script or systemd unit to have a pre-exec hook of running the same contents as the cronjob. And now I can reach my cups instance without having to type in the full hostname, and without setting up client- side exceptions for using the proxy. I realize this whole thing is not very <a href="https://thealaskalinuxuser.wordpress.com/">KISS</a>, but it's fun anyways.</p>dnssquidhttps://bgstack15.ddns.net/blog/posts/2020/11/21/squid-allow-short-names-for-local-sites/Sat, 21 Nov 2020 14:02:36 GMTSetting up a transparent proxy for internal networkhttps://bgstack15.ddns.net/blog/posts/2020/10/04/setting-up-a-transparent-proxy-for-internal-network/bgstack15<h3>Overview</h3> <p>This document explains how to set up a web proxy on the internal network so that it can act as a configured proxy as well as transparent network proxy, including both http and https traffic. Exceptions for sites (destinations) as well as clients can be configured.</p> <h3>Architecture</h3> <p>A <a href="https://dd-wrt.com/">dd-wrt</a> router is the heart of the example network, at 192.168.1.2. Proxy server proxy.ipa.example.com at 192.168.1.82 provides both transparent proxy and configured proxy behavior.</p> <h4>Configuring router for transparent proxy</h4> <p>The router is set up with dd-wrt firmware: DD-WRT v3.0-r43055 big (05/05/20) and contains a firewall start script (<code>nvram get rc_firewall</code>) which forces all World Wide Web traffic (tcp ports 80 and 443) to a transparent proxy.</p> <table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span class="normal"> 1</span> <span class="normal"> 2</span> <span class="normal"> 3</span> <span class="normal"> 4</span> <span class="normal"> 5</span> <span class="normal"> 6</span> <span class="normal"> 7</span> <span class="normal"> 8</span> <span class="normal"> 9</span> <span class="normal">10</span> <span class="normal">11</span> <span class="normal">12</span> <span class="normal">13</span></pre></div></td><td class="code"><pre class="code literal-block"><span></span><code><span class="ch">#!/bin/sh</span> <span class="nv">WEB_SERVER</span><span class="o">=</span><span class="m">192</span>.168.1.14 <span class="nv">PROXY_IP</span><span class="o">=</span><span class="m">192</span>.168.1.82 <span class="nv">OBI_IP</span><span class="o">=</span><span class="m">192</span>.168.1.27 <span class="nv">CHROMECAST_IP</span><span class="o">=</span><span class="m">192</span>.168.1.29 iptables -t mangle -I PREROUTING <span class="m">2</span> -p tcp -m multiport --dports <span class="m">80</span>,443 -s <span class="nv">$OBI_IP</span> -j ACCEPT iptables -t mangle -I PREROUTING <span class="m">3</span> -p tcp -m multiport --dports <span class="m">80</span>,443 -s <span class="nv">$CHROMECAST_IP</span> -j ACCEPT iptables -t mangle -I PREROUTING <span class="m">5</span> -p tcp -m multiport --dports <span class="m">80</span>,443 -s <span class="nv">$PROXY_IP</span> -j ACCEPT iptables -t mangle -I PREROUTING <span class="m">6</span> -p tcp -m multiport --dports <span class="m">80</span>,443 ! -s <span class="nv">$PROXY_IP</span> -j MARK --or <span class="m">3</span> iptables -t mangle -I PREROUTING <span class="m">7</span> -p tcp -m multiport --dports <span class="m">80</span>,443 -j CONNMARK --save-mark ip route add <span class="nv">$WEB_SERVER</span> via <span class="nv">$WEB_SERVER</span> dev br0 table <span class="m">2</span> ip route add default via <span class="nv">$PROXY_IP</span> dev br0 table <span class="m">2</span> ip rule add fwmark <span class="m">3</span> table <span class="m">2</span> </code></pre> </td></tr></table> <p>The MARK rule performs a logical OR to set just a few binary flags, so it does not merely "set" all the flags. See <a href="https://wiki.dd-wrt.com/wiki/index.php/Squid_Transparent_Proxy">Weblink 7</a>. The web server steps are there to ensure that incoming web traffic get to the web server. Observe that <code>CHROMECAST_IP</code> is granted ACCEPT in the firewall. The Chromecast device is given a reserved IP address in DHCP which is described later. An attempt was made to perform logging on the router level, and while this provides IP addresses, it was not sufficient for the needs of this project. See <a href="https://nlug.ml1.co.uk/2014/01/the-missing-firewall-logs-of-dd-wrt/4528">weblink 12</a>.</p> <h4>Configuring the proxy server</h4> <p>First, configure the firewall. Set contents of file <code>/etc/firewalld/direct.xml</code>.</p> <pre class="code literal-block"><span></span><code><span class="cp">&lt;?xml version="1.0" encoding="utf-8"?&gt;</span> <span class="nt">&lt;direct&gt;</span> <span class="nt">&lt;rule</span> <span class="na">ipv=</span><span class="s">"ipv4"</span> <span class="na">table=</span><span class="s">"nat"</span> <span class="na">chain=</span><span class="s">"PREROUTING"</span> <span class="na">priority=</span><span class="s">"0"</span><span class="nt">&gt;</span>-i eth0 -p tcp --dport 80 -j REDIRECT --to-ports 3130<span class="nt">&lt;/rule&gt;</span> <span class="nt">&lt;rule</span> <span class="na">ipv=</span><span class="s">"ipv4"</span> <span class="na">table=</span><span class="s">"nat"</span> <span class="na">chain=</span><span class="s">"PREROUTING"</span> <span class="na">priority=</span><span class="s">"0"</span><span class="nt">&gt;</span>-i eth0 -p tcp --dport 443 -j REDIRECT --to-ports 3129<span class="nt">&lt;/rule&gt;</span> <span class="nt">&lt;/direct&gt;</span> </code></pre> <p>I was unable to find any other mechanism within firewalld that works for getting the traffic transparently to squid (i.e., that keeps the client IP address). See <a href="https://wiki.dd-wrt.com/wiki/index.php/Squid_Transparent_Proxy">weblink 7</a>. Also allow a few services and additional ports.</p> <pre class="code literal-block"><span></span><code><span class="n">firewall</span><span class="o">-</span><span class="n">cmd</span> <span class="o">--</span><span class="n">permanent</span> <span class="o">--</span><span class="n">add</span><span class="o">-</span><span class="n">service</span><span class="o">=</span><span class="n">http</span> <span class="o">--</span><span class="n">add</span><span class="o">-</span><span class="n">service</span><span class="o">=</span><span class="n">https</span> <span class="o">--</span><span class="n">add</span><span class="o">-</span><span class="n">service</span><span class="o">=</span><span class="n">squid</span> <span class="o">--</span><span class="n">add</span><span class="o">-</span><span class="n">port</span><span class="o">=</span><span class="mi">3129</span><span class="o">/</span><span class="n">tcp</span> <span class="n">firewall</span><span class="o">-</span><span class="n">cmd</span> <span class="o">--</span><span class="n">permanent</span> <span class="o">--</span><span class="n">add</span><span class="o">-</span><span class="n">port</span><span class="o">=</span><span class="mi">3130</span><span class="o">/</span><span class="n">tcp</span> <span class="o">--</span><span class="n">add</span><span class="o">-</span><span class="n">port</span><span class="o">=</span><span class="mi">3129</span><span class="o">/</span><span class="n">tcp</span> <span class="n">firewall</span><span class="o">-</span><span class="n">cmd</span> <span class="o">--</span><span class="n">reload</span> </code></pre> <h5>Configuring squid</h5> <p>Configure squid itself. Fill file <code>/etc/squid/squid.conf</code> with contents.</p> <pre class="code literal-block"><span></span><code><span class="c1"># Research for a log filter includes:</span> <span class="c1"># tail -f /var/log/squid/access.log | grep -iE '200 [0-9]+ GET https?:\/\/[^ ]+'</span> <span class="n">acl</span> <span class="n">localnet</span> <span class="n">src</span> <span class="mf">10.0</span><span class="o">.</span><span class="mf">0.0</span><span class="o">/</span><span class="mi">8</span> <span class="c1"># RFC1918 possible internal network</span> <span class="n">acl</span> <span class="n">localnet</span> <span class="n">src</span> <span class="mf">172.16</span><span class="o">.</span><span class="mf">0.0</span><span class="o">/</span><span class="mi">12</span> <span class="c1"># RFC1918 possible internal network</span> <span class="n">acl</span> <span class="n">localnet</span> <span class="n">src</span> <span class="mf">192.168</span><span class="o">.</span><span class="mf">0.0</span><span class="o">/</span><span class="mi">16</span> <span class="c1"># RFC1918 possible internal network</span> <span class="n">acl</span> <span class="n">localnet</span> <span class="n">src</span> <span class="n">fc00</span><span class="p">::</span><span class="o">/</span><span class="mi">7</span> <span class="c1"># RFC 4193 local private network range</span> <span class="n">acl</span> <span class="n">localnet</span> <span class="n">src</span> <span class="n">fe80</span><span class="p">::</span><span class="o">/</span><span class="mi">10</span> <span class="c1"># RFC 4291 link-local (directly plugged) machines</span> <span class="n">acl</span> <span class="n">SSL_ports</span> <span class="n">port</span> <span class="mi">443</span> <span class="n">acl</span> <span class="n">Safe_ports</span> <span class="n">port</span> <span class="mi">80</span> <span class="c1"># http</span> <span class="n">acl</span> <span class="n">Safe_ports</span> <span class="n">port</span> <span class="mi">21</span> <span class="c1"># ftp</span> <span class="n">acl</span> <span class="n">Safe_ports</span> <span class="n">port</span> <span class="mi">443</span> <span class="c1"># https</span> <span class="n">acl</span> <span class="n">Safe_ports</span> <span class="n">port</span> <span class="mi">70</span> <span class="c1"># gopher</span> <span class="n">acl</span> <span class="n">Safe_ports</span> <span class="n">port</span> <span class="mi">210</span> <span class="c1"># wais</span> <span class="n">acl</span> <span class="n">Safe_ports</span> <span class="n">port</span> <span class="mi">1025</span><span class="o">-</span><span class="mi">65535</span> <span class="c1"># unregistered ports</span> <span class="n">acl</span> <span class="n">Safe_ports</span> <span class="n">port</span> <span class="mi">280</span> <span class="c1"># http-mgmt</span> <span class="n">acl</span> <span class="n">Safe_ports</span> <span class="n">port</span> <span class="mi">488</span> <span class="c1"># gss-http</span> <span class="n">acl</span> <span class="n">Safe_ports</span> <span class="n">port</span> <span class="mi">591</span> <span class="c1"># filemaker</span> <span class="n">acl</span> <span class="n">Safe_ports</span> <span class="n">port</span> <span class="mi">777</span> <span class="c1"># multiling http</span> <span class="n">acl</span> <span class="n">CONNECT</span> <span class="n">method</span> <span class="n">CONNECT</span> <span class="n">http_access</span> <span class="n">deny</span> <span class="o">!</span><span class="n">Safe_ports</span> <span class="n">http_access</span> <span class="n">deny</span> <span class="n">CONNECT</span> <span class="o">!</span><span class="n">SSL_ports</span> <span class="n">http_access</span> <span class="n">allow</span> <span class="n">localhost</span> <span class="n">manager</span> <span class="n">http_access</span> <span class="n">deny</span> <span class="n">manager</span> <span class="n">http_access</span> <span class="n">allow</span> <span class="n">localnet</span> <span class="n">http_access</span> <span class="n">allow</span> <span class="n">localhost</span> <span class="n">http_access</span> <span class="n">deny</span> <span class="n">all</span> <span class="n">http_port</span> <span class="mi">3128</span> <span class="n">ssl</span><span class="o">-</span><span class="n">bump</span> \ <span class="n">cert</span><span class="o">=/</span><span class="n">etc</span><span class="o">/</span><span class="n">pki</span><span class="o">/</span><span class="n">tls</span><span class="o">/</span><span class="n">certs</span><span class="o">/</span><span class="n">proxy</span><span class="o">.</span><span class="n">ipa</span><span class="o">.</span><span class="n">example</span><span class="o">.</span><span class="n">com</span><span class="o">.</span><span class="n">pem</span> \ <span class="n">key</span><span class="o">=/</span><span class="n">etc</span><span class="o">/</span><span class="n">pki</span><span class="o">/</span><span class="n">tls</span><span class="o">/</span><span class="n">private</span><span class="o">/</span><span class="n">proxy</span><span class="o">.</span><span class="n">ipa</span><span class="o">.</span><span class="n">example</span><span class="o">.</span><span class="n">com</span><span class="o">-</span><span class="n">nopw</span><span class="o">.</span><span class="n">key</span> \ <span class="n">cafile</span><span class="o">=/</span><span class="n">etc</span><span class="o">/</span><span class="n">pki</span><span class="o">/</span><span class="n">tls</span><span class="o">/</span><span class="n">certs</span><span class="o">/</span><span class="n">ca</span><span class="o">-</span><span class="n">ipa</span><span class="o">.</span><span class="n">example</span><span class="o">.</span><span class="n">com</span><span class="o">.</span><span class="n">crt</span> \ <span class="n">generate</span><span class="o">-</span><span class="n">host</span><span class="o">-</span><span class="n">certificates</span><span class="o">=</span><span class="n">on</span> <span class="n">dynamic_cert_mem_cache_size</span><span class="o">=</span><span class="mi">4</span><span class="n">MB</span> <span class="n">https_port</span> <span class="mi">3129</span> <span class="n">intercept</span> <span class="n">ssl</span><span class="o">-</span><span class="n">bump</span> \ <span class="n">cert</span><span class="o">=/</span><span class="n">etc</span><span class="o">/</span><span class="n">pki</span><span class="o">/</span><span class="n">tls</span><span class="o">/</span><span class="n">certs</span><span class="o">/</span><span class="n">proxy</span><span class="o">.</span><span class="n">ipa</span><span class="o">.</span><span class="n">example</span><span class="o">.</span><span class="n">com</span><span class="o">.</span><span class="n">pem</span> \ <span class="n">key</span><span class="o">=/</span><span class="n">etc</span><span class="o">/</span><span class="n">pki</span><span class="o">/</span><span class="n">tls</span><span class="o">/</span><span class="n">private</span><span class="o">/</span><span class="n">proxy</span><span class="o">.</span><span class="n">ipa</span><span class="o">.</span><span class="n">example</span><span class="o">.</span><span class="n">com</span><span class="o">-</span><span class="n">nopw</span><span class="o">.</span><span class="n">key</span> \ <span class="n">cafile</span><span class="o">=/</span><span class="n">etc</span><span class="o">/</span><span class="n">pki</span><span class="o">/</span><span class="n">tls</span><span class="o">/</span><span class="n">certs</span><span class="o">/</span><span class="n">ca</span><span class="o">-</span><span class="n">ipa</span><span class="o">.</span><span class="n">example</span><span class="o">.</span><span class="n">com</span><span class="o">.</span><span class="n">crt</span> \ <span class="n">generate</span><span class="o">-</span><span class="n">host</span><span class="o">-</span><span class="n">certificates</span><span class="o">=</span><span class="n">on</span> <span class="n">dynamic_cert_mem_cache_size</span><span class="o">=</span><span class="mi">4</span><span class="n">MB</span> <span class="n">http_port</span> <span class="mi">3130</span> <span class="n">intercept</span> <span class="n">ssl</span><span class="o">-</span><span class="n">bump</span> \ <span class="n">cert</span><span class="o">=/</span><span class="n">etc</span><span class="o">/</span><span class="n">pki</span><span class="o">/</span><span class="n">tls</span><span class="o">/</span><span class="n">certs</span><span class="o">/</span><span class="n">proxy</span><span class="o">.</span><span class="n">ipa</span><span class="o">.</span><span class="n">example</span><span class="o">.</span><span class="n">com</span><span class="o">.</span><span class="n">pem</span> \ <span class="n">key</span><span class="o">=/</span><span class="n">etc</span><span class="o">/</span><span class="n">pki</span><span class="o">/</span><span class="n">tls</span><span class="o">/</span><span class="n">private</span><span class="o">/</span><span class="n">proxy</span><span class="o">.</span><span class="n">ipa</span><span class="o">.</span><span class="n">example</span><span class="o">.</span><span class="n">com</span><span class="o">-</span><span class="n">nopw</span><span class="o">.</span><span class="n">key</span> \ <span class="n">generate</span><span class="o">-</span><span class="n">host</span><span class="o">-</span><span class="n">certificates</span><span class="o">=</span><span class="n">on</span> <span class="n">dynamic_cert_mem_cache_size</span><span class="o">=</span><span class="mi">4</span><span class="n">MB</span> <span class="n">sslcrtd_program</span> <span class="o">/</span><span class="n">usr</span><span class="o">/</span><span class="n">lib64</span><span class="o">/</span><span class="n">squid</span><span class="o">/</span><span class="n">ssl_crtd</span> <span class="o">-</span><span class="n">s</span> <span class="o">/</span><span class="k">var</span><span class="o">/</span><span class="n">lib</span><span class="o">/</span><span class="n">ssl_db</span> <span class="o">-</span><span class="n">M</span> <span class="mi">4</span><span class="n">MB</span> <span class="n">sslproxy_cert_error</span> <span class="n">allow</span> <span class="n">all</span> <span class="n">sslproxy_flags</span> <span class="n">DONT_VERIFY_PEER</span> <span class="n">acl</span> <span class="n">step1</span> <span class="n">at_step</span> <span class="n">SslBump1</span> <span class="n">acl</span> <span class="n">SAFE_sites</span> <span class="n">ssl</span><span class="p">::</span><span class="n">server_name</span> <span class="o">.</span><span class="n">telephony</span><span class="o">.</span><span class="n">goog</span> <span class="o">.</span><span class="n">discord</span><span class="o">.</span><span class="n">gg</span> <span class="n">acl</span> <span class="n">DIRECT_sites_name</span> <span class="n">dstdomain</span> <span class="o">.</span><span class="n">youtube</span><span class="o">.</span><span class="n">com</span> <span class="c1"># DIRECT_sites_ip is primarily for youtube; not from nslookup; only from examining squid logs</span> <span class="n">acl</span> <span class="n">DIRECT_sites_ip</span> <span class="n">dst</span> <span class="mf">172.217</span><span class="o">.</span><span class="mf">164.74</span> <span class="mf">64.233</span><span class="o">.</span><span class="mf">177.106</span> <span class="mf">173.194</span><span class="o">.</span><span class="mf">219.95</span> <span class="mf">64.233</span><span class="o">.</span><span class="mf">177.99</span> <span class="mf">31.13</span><span class="o">.</span><span class="mf">65.1</span> <span class="mf">31.13</span><span class="o">.</span><span class="mf">65.36</span> <span class="mf">74.125</span><span class="o">.</span><span class="mf">138.95</span> <span class="mf">64.233</span><span class="o">.</span><span class="mf">185.139</span> <span class="mf">64.233</span><span class="o">.</span><span class="mf">185.91</span> <span class="mf">172.217</span><span class="o">.</span><span class="mf">164.78</span> <span class="n">acl</span> <span class="n">DIRECT_sites</span> <span class="n">any</span><span class="o">-</span><span class="n">of</span> <span class="n">DIRECT_sites_name</span> <span class="n">DIRECT_sites_ip</span> <span class="n">acl</span> <span class="n">DIRECT_site_clients</span> <span class="n">srcdomain</span> <span class="n">tab1</span><span class="o">.</span><span class="n">ipa</span><span class="o">.</span><span class="n">example</span><span class="o">.</span><span class="n">com</span> <span class="n">acl</span> <span class="n">WORK_clients</span> <span class="n">srcdomain</span> <span class="n">device1</span><span class="o">.</span><span class="n">ipa</span><span class="o">.</span><span class="n">example</span><span class="o">.</span><span class="n">com</span> <span class="n">always_direct</span> <span class="n">allow</span> <span class="n">DIRECT_sites</span> <span class="n">DIRECT_site_clients</span> <span class="n">ssl_bump</span> <span class="n">splice</span> <span class="n">DIRECT_sites</span> <span class="n">DIRECT_site_clients</span> <span class="n">ssl_bump</span> <span class="n">splice</span> <span class="n">SAFE_sites</span> <span class="n">ssl_bump</span> <span class="n">splice</span> <span class="n">WORK_clients</span> <span class="n">ssl_bump</span> <span class="n">peek</span> <span class="n">step1</span> <span class="n">ssl_bump</span> <span class="n">bump</span> <span class="n">all</span> <span class="c1"># needed for youtube somehow</span> <span class="n">coredump_dir</span> <span class="o">/</span><span class="k">var</span><span class="o">/</span><span class="n">spool</span><span class="o">/</span><span class="n">squid</span> <span class="n">refresh_pattern</span> <span class="o">^</span><span class="n">ftp</span><span class="p">:</span> <span class="mi">1440</span> <span class="mi">20</span><span class="o">%</span> <span class="mi">10080</span> <span class="n">refresh_pattern</span> <span class="o">^</span><span class="n">gopher</span><span class="p">:</span> <span class="mi">1440</span> <span class="mi">0</span><span class="o">%</span> <span class="mi">1440</span> <span class="n">refresh_pattern</span> <span class="o">-</span><span class="n">i</span> <span class="p">(</span><span class="o">/</span><span class="n">cgi</span><span class="o">-</span><span class="n">bin</span><span class="o">/|</span>\<span class="err">?</span><span class="p">)</span> <span class="mi">0</span> <span class="mi">0</span><span class="o">%</span> <span class="mi">0</span> <span class="n">refresh_pattern</span> <span class="o">.</span> <span class="mi">0</span> <span class="mi">20</span><span class="o">%</span> <span class="mi">4320</span> <span class="n">strip_query_terms</span> <span class="n">off</span> <span class="c1">#This will allow checking which youtube URLs were visited by user</span> <span class="n">visible_hostname</span> <span class="n">proxy</span><span class="o">.</span><span class="n">ipa</span><span class="o">.</span><span class="n">example</span><span class="o">.</span><span class="n">com</span> <span class="n">logformat</span> <span class="n">squid</span> <span class="o">%</span><span class="n">ts</span><span class="o">.%</span><span class="mi">03</span><span class="n">tu</span> <span class="o">%&gt;</span><span class="n">a</span> <span class="o">%&gt;</span><span class="n">A</span> <span class="o">%</span><span class="mi">03</span><span class="o">&gt;</span><span class="n">Hs</span> <span class="o">%</span><span class="n">rm</span> <span class="o">%&gt;</span><span class="n">ru</span> <span class="o">%</span><span class="p">[</span><span class="n">un</span> <span class="o">%&lt;</span><span class="n">a</span> <span class="o">%</span><span class="n">mt</span> </code></pre> <p>The order of these entries matters. Additionally, the Chromecast materials may be out of date, but Youtube it still important. An important consideration is to keep the work computer's vpn uninterrupted. Several comments in this file demonstrate which lines are important to that end. The certificate used here is described in a few steps. The cafile used is the root CA cert for the entire FreeIPA infrastructure in the example network. Without this configuration, it is possible that clients who trust the root CA would still not trust the web traffic because squid would have an incomplete cert chain.</p> <h5>Initializing squid</h5> <p>The dynamic ssl certificate database needs to be initialized outside of squid itself. This only needs to be run once.</p> <pre class="code literal-block"><span></span><code><span class="o">/</span><span class="n">usr</span><span class="o">/</span><span class="n">lib64</span><span class="o">/</span><span class="n">squid</span><span class="o">/</span><span class="n">ssl_crtd</span> <span class="o">-</span><span class="n">c</span> <span class="o">-</span><span class="n">s</span> <span class="o">/</span><span class="k">var</span><span class="o">/</span><span class="n">lib</span><span class="o">/</span><span class="n">ssl_db</span> <span class="n">chown</span> <span class="o">-</span><span class="n">R</span> <span class="n">squid</span> <span class="o">/</span><span class="k">var</span><span class="o">/</span><span class="n">lib</span><span class="o">/</span><span class="n">ssl_db</span> <span class="n">restorecon</span> <span class="o">-</span><span class="n">Rv</span> <span class="o">/</span><span class="k">var</span><span class="o">/</span><span class="n">lib</span><span class="o">/</span><span class="n">ssl_db</span> </code></pre> <p>Without this step, squid could fail to start, or it could fail with an error about crashing too rapidly after so long. See <a href="https://serverfault.com/questions/624879/ssl-crtd-helpers-are-crashing-too-rapidly-in-squid">weblink 3</a>.</p> <h5>Getting a valid ssl certificate for squid</h5> <p>See post <a href="https://bgstack15.ddns.net/blog/posts/2020/09/30/getting-a-valid-subca-certificate-for-squid-from-freeipa/">Getting a valid subCA certificate for squid from FreeIPA</a></p> <h3>Operations</h3> <p>It is probable that in the future I will want to make changes. A few possible changes are described below.</p> <h4>Disabling transparent proxy at router</h4> <p>If the proxy server is offline, then all outbound www traffic will fail. The best way to disable the transparent proxy setting entirely is to disable the ip rule on the router. Ssh in to the router or visit the web portal. Run command:</p> <pre class="code literal-block"><span></span><code>ip rule del fwmark 0x3 </code></pre> <p>To re-enable, run the one ip rule command from the <strong>rc_firewall</strong> startup script.</p> <pre class="code literal-block"><span></span><code>ip rule add fwmark 3 table 2 </code></pre> <h4>Adding a new exclusion for a client on router</h4> <p>To allow a single client unmonitored access to the www, you can add a new rule to the router. This can be achieved by running a single command, or by updating the <strong>rc_firewall</strong> script.</p> <pre class="code literal-block"><span></span><code>iptables -t mangle -I PREROUTING 1 -p tcp -m multiport --dports 80,443 -s 192.168.1.300 -j ACCEPT </code></pre> <p>Where the IP address here is the target client. To remove a specific rule, run</p> <pre class="code literal-block"><span></span><code>iptables -t mangle -D PREROUTING 1 </code></pre> <p>But ensure that the rule it will remove is not the main one that allows outbound www traffic from the proxy server.</p> <h4>Adding new sites and clients in squid</h4> <p>To exclude the ssl decryption of a site in squid, add it to the <strong>SAFE_sites</strong> entry in squid.conf and restart squid. You can confirm the syntax is valid without affecting the running daemon by running the following command.</p> <pre class="code literal-block"><span></span><code>squid -k parse ; echo $? </code></pre> <p>To exclude a combination of site and client, you can add a site or client to their respesctive lists uner attributes</p> <ul> <li>DIRECT_sites_name</li> <li>DIRECT_sites_ip</li> <li>DIRECT_site_clients</li> </ul> <h4>Using the proxy by choice</h4> <p>If for some reason you want to manually configure a proxy, you can set the exact following values.</p> <pre class="code literal-block"><span></span><code><span class="k">export</span> <span class="n">http_proxy</span><span class="o">=</span><span class="n">http</span><span class="p">:</span><span class="o">//</span><span class="n">proxy</span><span class="p">:</span><span class="mi">3128</span> <span class="k">export</span> <span class="n">https_proxy</span><span class="o">=</span><span class="n">http</span><span class="p">:</span><span class="o">//</span><span class="n">proxy</span><span class="p">:</span><span class="mi">3128</span> </code></pre> <p>It is worth noting that squid has to act differently when being used as a "transparent proxy" so those ports are 3129 (https) and 3130 (http). But port 3128 can be used explicitly for both protocols. Manually choosing to use the proxy can make troubleshooting easier. For example, mobile devices' applications rarely use the host proxy settings, but it can be easier to whitelist requests.</p> <h4>Assign a reserved IP address in dhcp</h4> <p>The internal network uses ISC dhcpd for assigning IP addresses to clients. To add a host to have a specific reservation, you have to edit the dhcpd.conf through the local mechanism dhcpd-control on host <strong>dns1</strong>.</p> <pre class="code literal-block"><span></span><code>sudo dhcpd-control --edit </code></pre> <p>This will open a cached copy of the <code>dhcpd.conf.combined</code> which will get replicated to host dns2 if any changes are made. The changes must be made between headings:</p> <ul> <li> <ul> <li>BEGIN POOLS FOR SYNC</li> <li>END POOLS FOR SYNC</li> </ul> </li> </ul> <p>Add an entry using the MAC address of the client and the desired reserved IP address.</p> <pre class="code literal-block"><span></span><code><span class="nt">host</span> <span class="nt">Obi200</span> <span class="p">{</span> <span class="err">hardware</span> <span class="err">ethernet</span> <span class="err">9</span><span class="n">c</span><span class="p">:</span><span class="mi">7</span><span class="n">e</span><span class="o">:</span><span class="n">fe</span><span class="o">:</span><span class="mi">60</span><span class="o">:</span><span class="mi">64</span><span class="o">:</span><span class="n">f3</span><span class="p">;</span> <span class="err">fixed-address</span> <span class="err">192.168.1.27</span><span class="p">;</span> <span class="p">}</span> </code></pre> <h3>Improvements</h3> <p>Need to discover how to get android to think it has Internet access.</p> <h2>References</h2> <h3>Man pages</h3> <p>/usr/share/doc/squid-3.5.20/squid.conf.documented</p> <h3>Weblinks</h3> <ol> <li><a href="http://silverskysoft.com/open-stack-xwrpr/2015/09/creating-a-subordinate-certificate-authority-in-freeipa/">http://silverskysoft.com/open-stack-xwrpr/2015/09/creating-a-subordinate-certificate-authority-in-freeipa/</a></li> <li> </li><li><a href="https://serverfault.com/questions/624879/ssl-crtd-helpers-are-crashing-too-rapidly-in-squid">https://serverfault.com/questions/624879/ssl-crtd-helpers-are-crashing-too-rapidly-in-squid</a></li> <li><a href="https://netfilter.org/documentation/HOWTO//packet-filtering-HOWTO.txt">https://netfilter.org/documentation/HOWTO//packet-filtering-HOWTO.txt</a> General guide for iptables</li> <li><a href="https://www.agix.com.au/minimal-transparent-squid-proxy-with-ssl-interception-bumping-on-centos-7/">https://www.agix.com.au/minimal-transparent-squid-proxy-with-ssl-interception-bumping-on-centos-7/</a> useful examples about <code>ssl_bump</code></li> <li><a href="https://wiki.squid-cache.org/Features/SslPeekAndSplice">https://wiki.squid-cache.org/Features/SslPeekAndSplice</a></li> <li><a href="https://wiki.dd-wrt.com/wiki/index.php/Squid_Transparent_Proxy">https://wiki.dd-wrt.com/wiki/index.php/Squid_Transparent_Proxy</a> "Alternative Solution" to Proxy Server on the LAN Subnet</li> <li><a href="https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1217511#1217511">https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1217511#1217511</a> I opened a thread on dd-wrt forum for help, but it turned out to be squid-side firewall problems.</li> <li><a href="https://docs.mitmproxy.org/stable/howto-transparent/">https://docs.mitmproxy.org/stable/howto-transparent/</a> minor examples of ip rules</li> <li><a href="http://www.silverhawk.net/2016/07/centos-7-squid-and-firewall.html">http://www.silverhawk.net/2016/07/centos-7-squid-and-firewall.html</a> Ultimately unused examples for firewalld and squid acls</li> <li><a href="https://elatov.github.io/2019/01/using-squid-to-proxy-ssl-sites/">https://elatov.github.io/2019/01/using-squid-to-proxy-ssl-sites/</a> Great initial reference for establishing squid <code>ssl_bump</code></li> <li><a href="https://nlug.ml1.co.uk/2014/01/the-missing-firewall-logs-of-dd-wrt/4528">https://nlug.ml1.co.uk/2014/01/the-missing-firewall-logs-of-dd-wrt/4528</a> A modest attempt to log traffic on the router, without regard to www hosts and requests.</li> </ol>networkproxysquidhttps://bgstack15.ddns.net/blog/posts/2020/10/04/setting-up-a-transparent-proxy-for-internal-network/Sun, 04 Oct 2020 12:49:38 GMTGetting a valid subCA certificate for squid from FreeIPAhttps://bgstack15.ddns.net/blog/posts/2020/09/30/getting-a-valid-subca-certificate-for-squid-from-freeipa/bgstack15<p>This post is part of a larger set, and is the first that I felt like publishing.</p> <h5>Getting a valid ssl certificate for squid</h5> <p>In order to do ssl interception, squid needs to use a certificate that includes the basic constraint for signing certificates, i.e., a subordinate Certificate Authority cert. Without such a flag on the certificate used, clients could throw needless errors. Most web clients will not tolerate root or intermediate certificates that do not have the basic constraint of "Is a certificate authority." This document describes how to use FreeIPA to request such a cert. You should think carefully before doing this, because of course, a subordinate CA wields a lot of authority (when your full cert chain is being served, of course!). By default, FreeIPA does not include multiple certificate profiles, but it does <a href="https://www.freeipa.org/page/V4/Certificate_Profiles">include support</a> for them.</p> <h6>Generating private key and csr</h6> <p>Of course, you start with a new private key and then certificate signing request. To request certain attributes, you have to modify the openssl.cnf template. Here is the <code>grep -vE '^.s*(#|$)' openssl.cnf</code> for you.</p> <pre class="code literal-block"><span></span><code><span class="n">HOME</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="p">.</span><span class="w"></span> <span class="n">RANDFILE</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="err">$</span><span class="nl">ENV</span><span class="p">:</span><span class="err">:</span><span class="n">HOME</span><span class="o">/</span><span class="p">.</span><span class="n">rnd</span><span class="w"></span> <span class="n">oid_section</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">new_oids</span><span class="w"></span> <span class="o">[</span><span class="n"> new_oids </span><span class="o">]</span><span class="w"></span> <span class="n">tsa_policy1</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mf">1.2.3.4.1</span><span class="w"></span> <span class="n">tsa_policy2</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mf">1.2.3.4.5.6</span><span class="w"></span> <span class="n">tsa_policy3</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mf">1.2.3.4.5.7</span><span class="w"></span> <span class="o">[</span><span class="n"> ca </span><span class="o">]</span><span class="w"></span> <span class="n">default_ca</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">CA_default</span><span class="w"> </span><span class="err">#</span><span class="w"> </span><span class="n">The</span><span class="w"> </span><span class="k">default</span><span class="w"> </span><span class="n">ca</span><span class="w"> </span><span class="k">section</span><span class="w"></span> <span class="o">[</span><span class="n"> CA_default </span><span class="o">]</span><span class="w"></span> <span class="n">dir</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">pki</span><span class="o">/</span><span class="n">CA</span><span class="w"> </span><span class="err">#</span><span class="w"> </span><span class="k">Where</span><span class="w"> </span><span class="n">everything</span><span class="w"> </span><span class="k">is</span><span class="w"> </span><span class="n">kept</span><span class="w"></span> <span class="n">certs</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="err">$</span><span class="n">dir</span><span class="o">/</span><span class="n">certs</span><span class="w"> </span><span class="err">#</span><span class="w"> </span><span class="k">Where</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">issued</span><span class="w"> </span><span class="n">certs</span><span class="w"> </span><span class="k">are</span><span class="w"> </span><span class="n">kept</span><span class="w"></span> <span class="n">crl_dir</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="err">$</span><span class="n">dir</span><span class="o">/</span><span class="n">crl</span><span class="w"> </span><span class="err">#</span><span class="w"> </span><span class="k">Where</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">issued</span><span class="w"> </span><span class="n">crl</span><span class="w"> </span><span class="k">are</span><span class="w"> </span><span class="n">kept</span><span class="w"></span> <span class="k">database</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="err">$</span><span class="n">dir</span><span class="o">/</span><span class="k">index</span><span class="p">.</span><span class="n">txt</span><span class="w"> </span><span class="err">#</span><span class="w"> </span><span class="k">database</span><span class="w"> </span><span class="k">index</span><span class="w"> </span><span class="k">file</span><span class="p">.</span><span class="w"></span> <span class="n">new_certs_dir</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="err">$</span><span class="n">dir</span><span class="o">/</span><span class="n">newcerts</span><span class="w"> </span><span class="err">#</span><span class="w"> </span><span class="k">default</span><span class="w"> </span><span class="n">place</span><span class="w"> </span><span class="k">for</span><span class="w"> </span><span class="k">new</span><span class="w"> </span><span class="n">certs</span><span class="p">.</span><span class="w"></span> <span class="n">certificate</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="err">$</span><span class="n">dir</span><span class="o">/</span><span class="n">cacert</span><span class="p">.</span><span class="n">pem</span><span class="w"> </span><span class="err">#</span><span class="w"> </span><span class="n">The</span><span class="w"> </span><span class="n">CA</span><span class="w"> </span><span class="n">certificate</span><span class="w"></span> <span class="n">serial</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="err">$</span><span class="n">dir</span><span class="o">/</span><span class="n">serial</span><span class="w"> </span><span class="err">#</span><span class="w"> </span><span class="n">The</span><span class="w"> </span><span class="k">current</span><span class="w"> </span><span class="n">serial</span><span class="w"> </span><span class="n">number</span><span class="w"></span> <span class="n">crlnumber</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="err">$</span><span class="n">dir</span><span class="o">/</span><span class="n">crlnumber</span><span class="w"> </span><span class="err">#</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="k">current</span><span class="w"> </span><span class="n">crl</span><span class="w"> </span><span class="n">number</span><span class="w"></span> <span class="n">crl</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="err">$</span><span class="n">dir</span><span class="o">/</span><span class="n">crl</span><span class="p">.</span><span class="n">pem</span><span class="w"> </span><span class="err">#</span><span class="w"> </span><span class="n">The</span><span class="w"> </span><span class="k">current</span><span class="w"> </span><span class="n">CRL</span><span class="w"></span> <span class="n">private_key</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="err">$</span><span class="n">dir</span><span class="o">/</span><span class="n">private</span><span class="o">/</span><span class="n">cakey</span><span class="p">.</span><span class="n">pem</span><span class="err">#</span><span class="w"> </span><span class="n">The</span><span class="w"> </span><span class="n">private</span><span class="w"> </span><span class="k">key</span><span class="w"></span> <span class="n">RANDFILE</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="err">$</span><span class="n">dir</span><span class="o">/</span><span class="n">private</span><span class="o">/</span><span class="p">.</span><span class="nf">rand</span><span class="w"> </span><span class="err">#</span><span class="w"> </span><span class="n">private</span><span class="w"> </span><span class="n">random</span><span class="w"> </span><span class="n">number</span><span class="w"> </span><span class="k">file</span><span class="w"></span> <span class="n">x509_extensions</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">usr_cert</span><span class="w"> </span><span class="err">#</span><span class="w"> </span><span class="n">The</span><span class="w"> </span><span class="n">extentions</span><span class="w"> </span><span class="k">to</span><span class="w"> </span><span class="k">add</span><span class="w"> </span><span class="k">to</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">cert</span><span class="w"></span> <span class="n">name_opt</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">ca_default</span><span class="w"> </span><span class="err">#</span><span class="w"> </span><span class="n">Subject</span><span class="w"> </span><span class="n">Name</span><span class="w"> </span><span class="n">options</span><span class="w"></span> <span class="n">cert_opt</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">ca_default</span><span class="w"> </span><span class="err">#</span><span class="w"> </span><span class="n">Certificate</span><span class="w"> </span><span class="n">field</span><span class="w"> </span><span class="n">options</span><span class="w"></span> <span class="n">default_days</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">365</span><span class="w"> </span><span class="err">#</span><span class="w"> </span><span class="n">how</span><span class="w"> </span><span class="n">long</span><span class="w"> </span><span class="k">to</span><span class="w"> </span><span class="n">certify</span><span class="w"> </span><span class="k">for</span><span class="w"></span> <span class="n">default_crl_days</span><span class="o">=</span><span class="w"> </span><span class="mi">30</span><span class="w"> </span><span class="err">#</span><span class="w"> </span><span class="n">how</span><span class="w"> </span><span class="n">long</span><span class="w"> </span><span class="k">before</span><span class="w"> </span><span class="k">next</span><span class="w"> </span><span class="n">CRL</span><span class="w"></span> <span class="n">default_md</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">sha256</span><span class="w"> </span><span class="err">#</span><span class="w"> </span><span class="k">use</span><span class="w"> </span><span class="n">SHA</span><span class="o">-</span><span class="mi">256</span><span class="w"> </span><span class="k">by</span><span class="w"> </span><span class="k">default</span><span class="w"></span> <span class="k">preserve</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="k">no</span><span class="w"> </span><span class="err">#</span><span class="w"> </span><span class="n">keep</span><span class="w"> </span><span class="n">passed</span><span class="w"> </span><span class="n">DN</span><span class="w"> </span><span class="n">ordering</span><span class="w"></span> <span class="n">policy</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">policy_match</span><span class="w"></span> <span class="o">[</span><span class="n"> policy_match </span><span class="o">]</span><span class="w"></span> <span class="n">countryName</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="k">match</span><span class="w"></span> <span class="n">stateOrProvinceName</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="k">match</span><span class="w"></span> <span class="n">organizationName</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="k">match</span><span class="w"></span> <span class="n">organizationalUnitName</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">optional</span><span class="w"></span> <span class="n">commonName</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">supplied</span><span class="w"></span> <span class="n">emailAddress</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">optional</span><span class="w"></span> <span class="o">[</span><span class="n"> policy_anything </span><span class="o">]</span><span class="w"></span> <span class="n">countryName</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">optional</span><span class="w"></span> <span class="n">stateOrProvinceName</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">optional</span><span class="w"></span> <span class="n">localityName</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">optional</span><span class="w"></span> <span class="n">organizationName</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">optional</span><span class="w"></span> <span class="n">organizationalUnitName</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">optional</span><span class="w"></span> <span class="n">commonName</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">supplied</span><span class="w"></span> <span class="n">emailAddress</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">optional</span><span class="w"></span> <span class="o">[</span><span class="n"> req </span><span class="o">]</span><span class="w"></span> <span class="n">default_bits</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">2048</span><span class="w"></span> <span class="n">default_md</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">sha256</span><span class="w"></span> <span class="n">default_keyfile</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">privkey</span><span class="p">.</span><span class="n">pem</span><span class="w"></span> <span class="n">distinguished_name</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">req_distinguished_name</span><span class="w"></span> <span class="n">attributes</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">req_attributes</span><span class="w"></span> <span class="n">x509_extensions</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">v3_ca</span><span class="w"> </span><span class="err">#</span><span class="w"> </span><span class="n">The</span><span class="w"> </span><span class="n">extentions</span><span class="w"> </span><span class="k">to</span><span class="w"> </span><span class="k">add</span><span class="w"> </span><span class="k">to</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">self</span><span class="w"> </span><span class="n">signed</span><span class="w"> </span><span class="n">cert</span><span class="w"></span> <span class="n">string_mask</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">utf8only</span><span class="w"></span> <span class="n">req_extensions</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">v3_req</span><span class="w"> </span><span class="err">#</span><span class="w"> </span><span class="n">The</span><span class="w"> </span><span class="n">extensions</span><span class="w"> </span><span class="k">to</span><span class="w"> </span><span class="k">add</span><span class="w"> </span><span class="k">to</span><span class="w"> </span><span class="n">a</span><span class="w"> </span><span class="n">certificate</span><span class="w"> </span><span class="n">request</span><span class="w"></span> <span class="o">[</span><span class="n"> req_distinguished_name </span><span class="o">]</span><span class="w"></span> <span class="n">countryName</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">Country</span><span class="w"> </span><span class="n">Name</span><span class="w"> </span><span class="p">(</span><span class="mi">2</span><span class="w"> </span><span class="n">letter</span><span class="w"> </span><span class="n">code</span><span class="p">)</span><span class="w"></span> <span class="n">countryName_default</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">XX</span><span class="w"></span> <span class="n">countryName_min</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">2</span><span class="w"></span> <span class="n">countryName_max</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">2</span><span class="w"></span> <span class="n">stateOrProvinceName</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="k">State</span><span class="w"> </span><span class="ow">or</span><span class="w"> </span><span class="n">Province</span><span class="w"> </span><span class="n">Name</span><span class="w"> </span><span class="p">(</span><span class="k">full</span><span class="w"> </span><span class="n">name</span><span class="p">)</span><span class="w"></span> <span class="n">localityName</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">Locality</span><span class="w"> </span><span class="n">Name</span><span class="w"> </span><span class="p">(</span><span class="n">eg</span><span class="p">,</span><span class="w"> </span><span class="n">city</span><span class="p">)</span><span class="w"></span> <span class="n">localityName_default</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="k">Default</span><span class="w"> </span><span class="n">City</span><span class="w"></span> <span class="mf">0.</span><span class="n">organizationName</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">Organization</span><span class="w"> </span><span class="n">Name</span><span class="w"> </span><span class="p">(</span><span class="n">eg</span><span class="p">,</span><span class="w"> </span><span class="n">company</span><span class="p">)</span><span class="w"></span> <span class="mf">0.</span><span class="n">organizationName_default</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="k">Default</span><span class="w"> </span><span class="n">Company</span><span class="w"> </span><span class="n">Ltd</span><span class="w"></span> <span class="n">organizationalUnitName</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">Organizational</span><span class="w"> </span><span class="n">Unit</span><span class="w"> </span><span class="n">Name</span><span class="w"> </span><span class="p">(</span><span class="n">eg</span><span class="p">,</span><span class="w"> </span><span class="k">section</span><span class="p">)</span><span class="w"></span> <span class="n">commonName</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">Common</span><span class="w"> </span><span class="n">Name</span><span class="w"> </span><span class="p">(</span><span class="n">eg</span><span class="p">,</span><span class="w"> </span><span class="n">your</span><span class="w"> </span><span class="n">name</span><span class="w"> </span><span class="ow">or</span><span class="w"> </span><span class="n">your</span><span class="w"> </span><span class="n">server</span><span class="err">\'</span><span class="n">s</span><span class="w"> </span><span class="n">hostname</span><span class="p">)</span><span class="w"></span> <span class="n">commonName_max</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">64</span><span class="w"></span> <span class="n">emailAddress</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">Email</span><span class="w"> </span><span class="n">Address</span><span class="w"></span> <span class="n">emailAddress_max</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">64</span><span class="w"></span> <span class="o">[</span><span class="n"> req_attributes </span><span class="o">]</span><span class="w"></span> <span class="n">challengePassword</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">A</span><span class="w"> </span><span class="n">challenge</span><span class="w"> </span><span class="n">password</span><span class="w"></span> <span class="n">challengePassword_min</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">4</span><span class="w"></span> <span class="n">challengePassword_max</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">20</span><span class="w"></span> <span class="n">unstructuredName</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">An</span><span class="w"> </span><span class="n">optional</span><span class="w"> </span><span class="n">company</span><span class="w"> </span><span class="n">name</span><span class="w"></span> <span class="o">[</span><span class="n"> usr_cert </span><span class="o">]</span><span class="w"></span> <span class="n">basicConstraints</span><span class="o">=</span><span class="nl">CA</span><span class="p">:</span><span class="k">FALSE</span><span class="w"></span> <span class="n">nsComment</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="ss">"OpenSSL Generated Certificate"</span><span class="w"></span> <span class="n">subjectKeyIdentifier</span><span class="o">=</span><span class="n">hash</span><span class="w"></span> <span class="n">authorityKeyIdentifier</span><span class="o">=</span><span class="n">keyid</span><span class="p">,</span><span class="n">issuer</span><span class="w"></span> <span class="o">[</span><span class="n"> v3_req </span><span class="o">]</span><span class="w"></span> <span class="n">basicConstraints</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="nl">CA</span><span class="p">:</span><span class="k">TRUE</span><span class="w"></span> <span class="n">keyUsage</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">nonRepudiation</span><span class="p">,</span><span class="w"> </span><span class="n">digitalSignature</span><span class="p">,</span><span class="w"> </span><span class="n">keyEncipherment</span><span class="p">,</span><span class="w"> </span><span class="o">**</span><span class="n">keyCertSign</span><span class="o">**</span><span class="w"></span> <span class="n">subjectAltName</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="nv">@alt_names</span><span class="w"></span> <span class="o">[</span><span class="n">alt_names</span><span class="o">]</span><span class="w"></span> <span class="o">**</span><span class="n">DNS</span><span class="mf">.1</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">proxy</span><span class="p">.</span><span class="n">ipa</span><span class="p">.</span><span class="n">example</span><span class="p">.</span><span class="n">com</span><span class="w"></span> <span class="n">DNS</span><span class="mf">.2</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">proxy</span><span class="p">.</span><span class="n">example</span><span class="p">.</span><span class="n">com</span><span class="w"></span> <span class="n">DNS</span><span class="mf">.3</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">webproxy</span><span class="p">.</span><span class="n">example</span><span class="p">.</span><span class="n">com</span><span class="w"></span> <span class="n">DNS</span><span class="mf">.4</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">http</span><span class="o">-</span><span class="n">proxy</span><span class="p">.</span><span class="n">ipa</span><span class="p">.</span><span class="n">example</span><span class="p">.</span><span class="n">com</span><span class="w"></span> <span class="n">DNS</span><span class="mf">.5</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">https</span><span class="o">-</span><span class="n">proxy</span><span class="p">.</span><span class="n">ipa</span><span class="p">.</span><span class="n">example</span><span class="p">.</span><span class="n">com</span><span class="o">**</span><span class="w"></span> <span class="o">[</span><span class="n"> v3_ca </span><span class="o">]</span><span class="w"></span> <span class="n">subjectKeyIdentifier</span><span class="o">=</span><span class="n">hash</span><span class="w"></span> <span class="n">authorityKeyIdentifier</span><span class="o">=</span><span class="nl">keyid</span><span class="p">:</span><span class="n">always</span><span class="p">,</span><span class="n">issuer</span><span class="w"></span> <span class="n">basicConstraints</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="nl">CA</span><span class="p">:</span><span class="k">true</span><span class="w"></span> <span class="o">[</span><span class="n"> crl_ext </span><span class="o">]</span><span class="w"></span> <span class="n">authorityKeyIdentifier</span><span class="o">=</span><span class="nl">keyid</span><span class="p">:</span><span class="n">always</span><span class="w"></span> <span class="o">[</span><span class="n"> proxy_cert_ext </span><span class="o">]</span><span class="w"></span> <span class="n">basicConstraints</span><span class="o">=</span><span class="nl">CA</span><span class="p">:</span><span class="k">FALSE</span><span class="w"></span> <span class="n">nsComment</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="ss">"OpenSSL Generated Certificate"</span><span class="w"></span> <span class="n">subjectKeyIdentifier</span><span class="o">=</span><span class="n">hash</span><span class="w"></span> <span class="n">authorityKeyIdentifier</span><span class="o">=</span><span class="n">keyid</span><span class="p">,</span><span class="n">issuer</span><span class="w"></span> <span class="n">proxyCertInfo</span><span class="o">=</span><span class="n">critical</span><span class="p">,</span><span class="k">language</span><span class="err">:</span><span class="n">id</span><span class="o">-</span><span class="n">ppl</span><span class="o">-</span><span class="n">anyLanguage</span><span class="p">,</span><span class="nl">pathlen</span><span class="p">:</span><span class="mi">3</span><span class="p">,</span><span class="nl">policy</span><span class="p">:</span><span class="n">foo</span><span class="w"></span> <span class="o">[</span><span class="n"> tsa </span><span class="o">]</span><span class="w"></span> <span class="n">default_tsa</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">tsa_config1</span><span class="w"> </span><span class="err">#</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="k">default</span><span class="w"> </span><span class="n">TSA</span><span class="w"> </span><span class="k">section</span><span class="w"></span> <span class="o">[</span><span class="n"> tsa_config1 </span><span class="o">]</span><span class="w"></span> <span class="n">dir</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="p">.</span><span class="o">/</span><span class="n">demoCA</span><span class="w"> </span><span class="err">#</span><span class="w"> </span><span class="n">TSA</span><span class="w"> </span><span class="n">root</span><span class="w"> </span><span class="n">directory</span><span class="w"></span> <span class="n">serial</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="err">$</span><span class="n">dir</span><span class="o">/</span><span class="n">tsaserial</span><span class="w"> </span><span class="err">#</span><span class="w"> </span><span class="n">The</span><span class="w"> </span><span class="k">current</span><span class="w"> </span><span class="n">serial</span><span class="w"> </span><span class="n">number</span><span class="w"> </span><span class="p">(</span><span class="n">mandatory</span><span class="p">)</span><span class="w"></span> <span class="n">crypto_device</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">builtin</span><span class="w"> </span><span class="err">#</span><span class="w"> </span><span class="n">OpenSSL</span><span class="w"> </span><span class="n">engine</span><span class="w"> </span><span class="k">to</span><span class="w"> </span><span class="k">use</span><span class="w"> </span><span class="k">for</span><span class="w"> </span><span class="n">signing</span><span class="w"></span> <span class="n">signer_cert</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="err">$</span><span class="n">dir</span><span class="o">/</span><span class="n">tsacert</span><span class="p">.</span><span class="n">pem</span><span class="w"> </span><span class="err">#</span><span class="w"> </span><span class="n">The</span><span class="w"> </span><span class="n">TSA</span><span class="w"> </span><span class="n">signing</span><span class="w"> </span><span class="n">certificate</span><span class="w"></span> <span class="n">certs</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="err">$</span><span class="n">dir</span><span class="o">/</span><span class="n">cacert</span><span class="p">.</span><span class="n">pem</span><span class="w"> </span><span class="err">#</span><span class="w"> </span><span class="n">Certificate</span><span class="w"> </span><span class="n">chain</span><span class="w"> </span><span class="k">to</span><span class="w"> </span><span class="k">include</span><span class="w"> </span><span class="ow">in</span><span class="w"> </span><span class="n">reply</span><span class="w"></span> <span class="n">signer_key</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="err">$</span><span class="n">dir</span><span class="o">/</span><span class="n">private</span><span class="o">/</span><span class="n">tsakey</span><span class="p">.</span><span class="n">pem</span><span class="w"> </span><span class="err">#</span><span class="w"> </span><span class="n">The</span><span class="w"> </span><span class="n">TSA</span><span class="w"> </span><span class="n">private</span><span class="w"> </span><span class="k">key</span><span class="w"> </span><span class="p">(</span><span class="n">optional</span><span class="p">)</span><span class="w"></span> <span class="n">default_policy</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">tsa_policy1</span><span class="w"> </span><span class="err">#</span><span class="w"> </span><span class="n">Policy</span><span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="n">request</span><span class="w"> </span><span class="n">did</span><span class="w"> </span><span class="ow">not</span><span class="w"> </span><span class="n">specify</span><span class="w"> </span><span class="n">it</span><span class="w"></span> <span class="n">other_policies</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">tsa_policy2</span><span class="p">,</span><span class="w"> </span><span class="n">tsa_policy3</span><span class="w"> </span><span class="err">#</span><span class="w"> </span><span class="n">acceptable</span><span class="w"> </span><span class="n">policies</span><span class="w"> </span><span class="p">(</span><span class="n">optional</span><span class="p">)</span><span class="w"></span> <span class="n">digests</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">sha1</span><span class="p">,</span><span class="w"> </span><span class="n">sha256</span><span class="p">,</span><span class="w"> </span><span class="n">sha384</span><span class="p">,</span><span class="w"> </span><span class="n">sha512</span><span class="w"> </span><span class="err">#</span><span class="w"> </span><span class="n">Acceptable</span><span class="w"> </span><span class="n">message</span><span class="w"> </span><span class="n">digests</span><span class="w"> </span><span class="p">(</span><span class="n">mandatory</span><span class="p">)</span><span class="w"></span> <span class="n">accuracy</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="nl">secs</span><span class="p">:</span><span class="mi">1</span><span class="p">,</span><span class="w"> </span><span class="nl">millisecs</span><span class="p">:</span><span class="mi">500</span><span class="p">,</span><span class="w"> </span><span class="nl">microsecs</span><span class="p">:</span><span class="mi">100</span><span class="w"> </span><span class="err">#</span><span class="w"> </span><span class="p">(</span><span class="n">optional</span><span class="p">)</span><span class="w"></span> <span class="n">clock_precision_digits</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="err">#</span><span class="w"> </span><span class="n">number</span><span class="w"> </span><span class="k">of</span><span class="w"> </span><span class="n">digits</span><span class="w"> </span><span class="k">after</span><span class="w"> </span><span class="n">dot</span><span class="p">.</span><span class="w"> </span><span class="p">(</span><span class="n">optional</span><span class="p">)</span><span class="w"></span> <span class="n">ordering</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">yes</span><span class="w"> </span><span class="err">#</span><span class="w"> </span><span class="k">Is</span><span class="w"> </span><span class="n">ordering</span><span class="w"> </span><span class="n">defined</span><span class="w"> </span><span class="k">for</span><span class="w"> </span><span class="n">timestamps</span><span class="vm">?</span><span class="w"></span> <span class="n">tsa_name</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">yes</span><span class="w"> </span><span class="err">#</span><span class="w"> </span><span class="n">Must</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">TSA</span><span class="w"> </span><span class="n">name</span><span class="w"> </span><span class="n">be</span><span class="w"> </span><span class="n">included</span><span class="w"> </span><span class="ow">in</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">reply</span><span class="vm">?</span><span class="w"></span> <span class="n">ess_cert_id_chain</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="k">no</span><span class="w"> </span><span class="err">#</span><span class="w"> </span><span class="n">Must</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">ESS</span><span class="w"> </span><span class="n">cert</span><span class="w"> </span><span class="n">id</span><span class="w"> </span><span class="n">chain</span><span class="w"> </span><span class="n">be</span><span class="w"> </span><span class="n">included</span><span class="vm">?</span><span class="w"></span> </code></pre> <p>The important parts are the SANs, which I've <a href="https://bgstack15.ddns.net/blog/posts/2017/05/21/generate-certificate-with-subjectaltname-attributes-in-freeipa/">described before</a>, and the keyCertSign. So with the prepared config file, make a key and then the csr.</p> <pre class="code literal-block"><span></span><code>openssl genrsa -aes256 -out /etc/pki/tls/private/proxy.ipa.example.com.key 2048 </code></pre> <p>At this point I normally remove the passphrase because I'm working on in a single-user lab environment.</p> <pre class="code literal-block"><span></span><code>openssl rsa -in /etc/pki/tls/private/proxy.ipa.example.com.key -out /etc/pki/tls/private/proxy.ipa.example.com-nopw.key </code></pre> <p>And then formulate the request.</p> <pre class="code literal-block"><span></span><code>openssl req -config /root/openssl.cnf -key /etc/pki/tls/private/proxy.ipa.example.com-nopw.key -out /etc/pki/tls/private/proxy.ipa.example.com.csr </code></pre> <p>Follow the prompts of course, unless you hardcoded the config file. Save the contents of the csr to a FreeIPA system, preferably one of the ipa servers so the process can happen more efficiently.</p> <h6>Fulfilling CSR in FreeIPA</h6> <p>As mentioned earlier, FreeIPA starting with version 4.2.0 supports additional certificate profiles beyond the basic one that is already built in. You need to add a subordinate CA certificate profile that we will use to sign the csr for squid. Set up a file that stores the template that we will import as a new certificate profile. This is lifted entirely from <a href="http://silverskysoft.com/open-stack-xwrpr/2015/09/creating-a-subordinate-certificate-authority-in-freeipa/">Weblink 1</a>.</p> <pre class="code literal-block"><span></span><code><span class="n">desc</span><span class="o">=</span><span class="n">This</span> <span class="n">certificate</span> <span class="n">profile</span> <span class="k">is</span> <span class="k">for</span> <span class="n">enrolling</span> <span class="n">Subordinate</span> <span class="n">Certificate</span> <span class="n">Authority</span> <span class="n">certificates</span><span class="o">.</span> <span class="n">visible</span><span class="o">=</span><span class="bp">true</span> <span class="n">enable</span><span class="o">=</span><span class="bp">true</span> <span class="n">auth</span><span class="o">.</span><span class="n">instance_id</span><span class="o">=</span><span class="n">raCertAuth</span> <span class="n">classId</span><span class="o">=</span><span class="n">caEnrollImpl</span> <span class="n">enableBy</span><span class="o">=</span><span class="n">ipara</span> <span class="n">name</span><span class="o">=</span><span class="n">Manual</span> <span class="n">Certificate</span> <span class="n">Manager</span> <span class="n">Subordinate</span> <span class="n">Signing</span> <span class="n">Certificate</span> <span class="n">Enrollment</span> <span class="n">input</span><span class="o">.</span><span class="n">list</span><span class="o">=</span><span class="n">i1</span><span class="p">,</span><span class="n">i2</span> <span class="n">input</span><span class="o">.</span><span class="n">i1</span><span class="o">.</span><span class="n">class_id</span><span class="o">=</span><span class="n">certReqInputImpl</span> <span class="n">input</span><span class="o">.</span><span class="n">i2</span><span class="o">.</span><span class="n">class_id</span><span class="o">=</span><span class="n">submitterInfoInputImpl</span> <span class="n">output</span><span class="o">.</span><span class="n">list</span><span class="o">=</span><span class="n">o1</span> <span class="n">output</span><span class="o">.</span><span class="n">o1</span><span class="o">.</span><span class="n">class_id</span><span class="o">=</span><span class="n">certOutputImpl</span> <span class="n">policyset</span><span class="o">.</span><span class="n">list</span><span class="o">=</span><span class="n">caSubCertSet</span> <span class="n">policyset</span><span class="o">.</span><span class="n">caSubCertSet</span><span class="o">.</span><span class="n">list</span><span class="o">=</span><span class="mi">1</span><span class="p">,</span><span class="mi">2</span><span class="p">,</span><span class="mi">3</span><span class="p">,</span><span class="mi">4</span><span class="p">,</span><span class="mi">5</span><span class="p">,</span><span class="mi">6</span><span class="p">,</span><span class="mi">8</span><span class="p">,</span><span class="mi">9</span><span class="p">,</span><span class="mi">10</span> <span class="n">policyset</span><span class="o">.</span><span class="n">caSubCertSet</span><span class="o">.</span><span class="mf">1.</span><span class="n">constraint</span><span class="o">.</span><span class="n">class_id</span><span class="o">=</span><span class="n">subjectNameConstraintImpl</span> <span class="n">policyset</span><span class="o">.</span><span class="n">caSubCertSet</span><span class="o">.</span><span class="mf">1.</span><span class="n">constraint</span><span class="o">.</span><span class="n">name</span><span class="o">=</span><span class="n">Subject</span> <span class="n">Name</span> <span class="n">Constraint</span> <span class="n">policyset</span><span class="o">.</span><span class="n">caSubCertSet</span><span class="o">.</span><span class="mf">1.</span><span class="n">constraint</span><span class="o">.</span><span class="n">params</span><span class="o">.</span><span class="n">pattern</span><span class="o">=.*</span><span class="n">CN</span><span class="o">=.+</span> <span class="n">policyset</span><span class="o">.</span><span class="n">caSubCertSet</span><span class="o">.</span><span class="mf">1.</span><span class="n">constraint</span><span class="o">.</span><span class="n">params</span><span class="o">.</span><span class="n">accept</span><span class="o">=</span><span class="bp">true</span> <span class="n">policyset</span><span class="o">.</span><span class="n">caSubCertSet</span><span class="o">.</span><span class="mf">1.</span><span class="n">default</span><span class="o">.</span><span class="n">class_id</span><span class="o">=</span><span class="n">userSubjectNameDefaultImpl</span> <span class="n">policyset</span><span class="o">.</span><span class="n">caSubCertSet</span><span class="o">.</span><span class="mf">1.</span><span class="n">default</span><span class="o">.</span><span class="n">name</span><span class="o">=</span><span class="n">Subject</span> <span class="n">Name</span> <span class="n">Default</span> <span class="n">policyset</span><span class="o">.</span><span class="n">caSubCertSet</span><span class="o">.</span><span class="mf">1.</span><span class="n">default</span><span class="o">.</span><span class="n">params</span><span class="o">.</span><span class="n">name</span><span class="o">=</span> <span class="n">policyset</span><span class="o">.</span><span class="n">caSubCertSet</span><span class="o">.</span><span class="mf">2.</span><span class="n">constraint</span><span class="o">.</span><span class="n">class_id</span><span class="o">=</span><span class="n">validityConstraintImpl</span> <span class="n">policyset</span><span class="o">.</span><span class="n">caSubCertSet</span><span class="o">.</span><span class="mf">2.</span><span class="n">constraint</span><span class="o">.</span><span class="n">name</span><span class="o">=</span><span class="n">Validity</span> <span class="n">Constraint</span> <span class="n">policyset</span><span class="o">.</span><span class="n">caSubCertSet</span><span class="o">.</span><span class="mf">2.</span><span class="n">constraint</span><span class="o">.</span><span class="n">params</span><span class="o">.</span><span class="n">range</span><span class="o">=</span><span class="mi">7305</span> <span class="n">policyset</span><span class="o">.</span><span class="n">caSubCertSet</span><span class="o">.</span><span class="mf">2.</span><span class="n">constraint</span><span class="o">.</span><span class="n">params</span><span class="o">.</span><span class="n">notBeforeCheck</span><span class="o">=</span><span class="bp">false</span> <span class="n">policyset</span><span class="o">.</span><span class="n">caSubCertSet</span><span class="o">.</span><span class="mf">2.</span><span class="n">constraint</span><span class="o">.</span><span class="n">params</span><span class="o">.</span><span class="n">notAfterCheck</span><span class="o">=</span><span class="bp">false</span> <span class="n">policyset</span><span class="o">.</span><span class="n">caSubCertSet</span><span class="o">.</span><span class="mf">2.</span><span class="n">default</span><span class="o">.</span><span class="n">class_id</span><span class="o">=</span><span class="n">caValidityDefaultImpl</span> <span class="n">policyset</span><span class="o">.</span><span class="n">caSubCertSet</span><span class="o">.</span><span class="mf">2.</span><span class="n">default</span><span class="o">.</span><span class="n">name</span><span class="o">=</span><span class="n">CA</span> <span class="n">Certificate</span> <span class="n">Validity</span> <span class="n">Default</span> <span class="n">policyset</span><span class="o">.</span><span class="n">caSubCertSet</span><span class="o">.</span><span class="mf">2.</span><span class="n">default</span><span class="o">.</span><span class="n">params</span><span class="o">.</span><span class="n">range</span><span class="o">=</span><span class="mi">7305</span> <span class="n">policyset</span><span class="o">.</span><span class="n">caSubCertSet</span><span class="o">.</span><span class="mf">2.</span><span class="n">default</span><span class="o">.</span><span class="n">params</span><span class="o">.</span><span class="n">startTime</span><span class="o">=</span><span class="mi">0</span> <span class="n">policyset</span><span class="o">.</span><span class="n">caSubCertSet</span><span class="o">.</span><span class="mf">3.</span><span class="n">constraint</span><span class="o">.</span><span class="n">class_id</span><span class="o">=</span><span class="n">keyConstraintImpl</span> <span class="n">policyset</span><span class="o">.</span><span class="n">caSubCertSet</span><span class="o">.</span><span class="mf">3.</span><span class="n">constraint</span><span class="o">.</span><span class="n">name</span><span class="o">=</span><span class="n">Key</span> <span class="n">Constraint</span> <span class="n">policyset</span><span class="o">.</span><span class="n">caSubCertSet</span><span class="o">.</span><span class="mf">3.</span><span class="n">constraint</span><span class="o">.</span><span class="n">params</span><span class="o">.</span><span class="n">keyType</span><span class="o">=-</span> <span class="n">policyset</span><span class="o">.</span><span class="n">caSubCertSet</span><span class="o">.</span><span class="mf">3.</span><span class="n">constraint</span><span class="o">.</span><span class="n">params</span><span class="o">.</span><span class="n">keyParameters</span><span class="o">=</span><span class="mi">1024</span><span class="p">,</span><span class="mi">2048</span><span class="p">,</span><span class="mi">3072</span><span class="p">,</span><span class="mi">4096</span><span class="p">,</span><span class="n">nistp256</span><span class="p">,</span><span class="n">nistp384</span><span class="p">,</span><span class="n">nistp521</span> <span class="n">policyset</span><span class="o">.</span><span class="n">caSubCertSet</span><span class="o">.</span><span class="mf">3.</span><span class="n">default</span><span class="o">.</span><span class="n">class_id</span><span class="o">=</span><span class="n">userKeyDefaultImpl</span> <span class="n">policyset</span><span class="o">.</span><span class="n">caSubCertSet</span><span class="o">.</span><span class="mf">3.</span><span class="n">default</span><span class="o">.</span><span class="n">name</span><span class="o">=</span><span class="n">Key</span> <span class="n">Default</span> <span class="n">policyset</span><span class="o">.</span><span class="n">caSubCertSet</span><span class="o">.</span><span class="mf">4.</span><span class="n">constraint</span><span class="o">.</span><span class="n">class_id</span><span class="o">=</span><span class="n">noConstraintImpl</span> <span class="n">policyset</span><span class="o">.</span><span class="n">caSubCertSet</span><span class="o">.</span><span class="mf">4.</span><span class="n">constraint</span><span class="o">.</span><span class="n">name</span><span class="o">=</span><span class="n">No</span> <span class="n">Constraint</span> <span class="n">policyset</span><span class="o">.</span><span class="n">caSubCertSet</span><span class="o">.</span><span class="mf">4.</span><span class="n">default</span><span class="o">.</span><span class="n">class_id</span><span class="o">=</span><span class="n">authorityKeyIdentifierExtDefaultImpl</span> <span class="n">policyset</span><span class="o">.</span><span class="n">caSubCertSet</span><span class="o">.</span><span class="mf">4.</span><span class="n">default</span><span class="o">.</span><span class="n">name</span><span class="o">=</span><span class="n">Authority</span> <span class="n">Key</span> <span class="n">Identifier</span> <span class="n">Default</span> <span class="n">policyset</span><span class="o">.</span><span class="n">caSubCertSet</span><span class="o">.</span><span class="mf">5.</span><span class="n">constraint</span><span class="o">.</span><span class="n">class_id</span><span class="o">=</span><span class="n">basicConstraintsExtConstraintImpl</span> <span class="n">policyset</span><span class="o">.</span><span class="n">caSubCertSet</span><span class="o">.</span><span class="mf">5.</span><span class="n">constraint</span><span class="o">.</span><span class="n">name</span><span class="o">=</span><span class="n">Basic</span> <span class="n">Constraint</span> <span class="n">Extension</span> <span class="n">Constraint</span> <span class="n">policyset</span><span class="o">.</span><span class="n">caSubCertSet</span><span class="o">.</span><span class="mf">5.</span><span class="n">constraint</span><span class="o">.</span><span class="n">params</span><span class="o">.</span><span class="n">basicConstraintsCritical</span><span class="o">=</span><span class="bp">true</span> <span class="n">policyset</span><span class="o">.</span><span class="n">caSubCertSet</span><span class="o">.</span><span class="mf">5.</span><span class="n">constraint</span><span class="o">.</span><span class="n">params</span><span class="o">.</span><span class="n">basicConstraintsIsCA</span><span class="o">=</span><span class="bp">true</span> <span class="n">policyset</span><span class="o">.</span><span class="n">caSubCertSet</span><span class="o">.</span><span class="mf">5.</span><span class="n">constraint</span><span class="o">.</span><span class="n">params</span><span class="o">.</span><span class="n">basicConstraintsMinPathLen</span><span class="o">=</span><span class="mi">0</span> <span class="n">policyset</span><span class="o">.</span><span class="n">caSubCertSet</span><span class="o">.</span><span class="mf">5.</span><span class="n">constraint</span><span class="o">.</span><span class="n">params</span><span class="o">.</span><span class="n">basicConstraintsMaxPathLen</span><span class="o">=</span><span class="mi">0</span> <span class="n">policyset</span><span class="o">.</span><span class="n">caSubCertSet</span><span class="o">.</span><span class="mf">5.</span><span class="n">default</span><span class="o">.</span><span class="n">class_id</span><span class="o">=</span><span class="n">basicConstraintsExtDefaultImpl</span> <span class="n">policyset</span><span class="o">.</span><span class="n">caSubCertSet</span><span class="o">.</span><span class="mf">5.</span><span class="n">default</span><span class="o">.</span><span class="n">name</span><span class="o">=</span><span class="n">Basic</span> <span class="n">Constraints</span> <span class="n">Extension</span> <span class="n">Default</span> <span class="n">policyset</span><span class="o">.</span><span class="n">caSubCertSet</span><span class="o">.</span><span class="mf">5.</span><span class="n">default</span><span class="o">.</span><span class="n">params</span><span class="o">.</span><span class="n">basicConstraintsCritical</span><span class="o">=</span><span class="bp">true</span> <span class="n">policyset</span><span class="o">.</span><span class="n">caSubCertSet</span><span class="o">.</span><span class="mf">5.</span><span class="n">default</span><span class="o">.</span><span class="n">params</span><span class="o">.</span><span class="n">basicConstraintsIsCA</span><span class="o">=</span><span class="bp">true</span> <span class="n">policyset</span><span class="o">.</span><span class="n">caSubCertSet</span><span class="o">.</span><span class="mf">5.</span><span class="n">default</span><span class="o">.</span><span class="n">params</span><span class="o">.</span><span class="n">basicConstraintsPathLen</span><span class="o">=</span><span class="mi">0</span> <span class="n">policyset</span><span class="o">.</span><span class="n">caSubCertSet</span><span class="o">.</span><span class="mf">6.</span><span class="n">constraint</span><span class="o">.</span><span class="n">class_id</span><span class="o">=</span><span class="n">keyUsageExtConstraintImpl</span> <span class="n">policyset</span><span class="o">.</span><span class="n">caSubCertSet</span><span class="o">.</span><span class="mf">6.</span><span class="n">constraint</span><span class="o">.</span><span class="n">name</span><span class="o">=</span><span class="n">Key</span> <span class="n">Usage</span> <span class="n">Extension</span> <span class="n">Constraint</span> <span class="n">policyset</span><span class="o">.</span><span class="n">caSubCertSet</span><span class="o">.</span><span class="mf">6.</span><span class="n">constraint</span><span class="o">.</span><span class="n">params</span><span class="o">.</span><span class="n">keyUsageCritical</span><span class="o">=</span><span class="bp">true</span> <span class="n">policyset</span><span class="o">.</span><span class="n">caSubCertSet</span><span class="o">.</span><span class="mf">6.</span><span class="n">constraint</span><span class="o">.</span><span class="n">params</span><span class="o">.</span><span class="n">keyUsageDigitalSignature</span><span class="o">=</span><span class="bp">true</span> <span class="n">policyset</span><span class="o">.</span><span class="n">caSubCertSet</span><span class="o">.</span><span class="mf">6.</span><span class="n">constraint</span><span class="o">.</span><span class="n">params</span><span class="o">.</span><span class="n">keyUsageNonRepudiation</span><span class="o">=</span><span class="bp">true</span> <span class="n">policyset</span><span class="o">.</span><span class="n">caSubCertSet</span><span class="o">.</span><span class="mf">6.</span><span class="n">constraint</span><span class="o">.</span><span class="n">params</span><span class="o">.</span><span class="n">keyUsageDataEncipherment</span><span class="o">=</span><span class="bp">false</span> <span class="n">policyset</span><span class="o">.</span><span class="n">caSubCertSet</span><span class="o">.</span><span class="mf">6.</span><span class="n">constraint</span><span class="o">.</span><span class="n">params</span><span class="o">.</span><span class="n">keyUsageKeyEncipherment</span><span class="o">=</span><span class="bp">false</span> <span class="n">policyset</span><span class="o">.</span><span class="n">caSubCertSet</span><span class="o">.</span><span class="mf">6.</span><span class="n">constraint</span><span class="o">.</span><span class="n">params</span><span class="o">.</span><span class="n">keyUsageKeyAgreement</span><span class="o">=</span><span class="bp">false</span> <span class="n">policyset</span><span class="o">.</span><span class="n">caSubCertSet</span><span class="o">.</span><span class="mf">6.</span><span class="n">constraint</span><span class="o">.</span><span class="n">params</span><span class="o">.</span><span class="n">keyUsageKeyCertSign</span><span class="o">=</span><span class="bp">true</span> <span class="n">policyset</span><span class="o">.</span><span class="n">caSubCertSet</span><span class="o">.</span><span class="mf">6.</span><span class="n">constraint</span><span class="o">.</span><span class="n">params</span><span class="o">.</span><span class="n">keyUsageCrlSign</span><span class="o">=</span><span class="bp">true</span> <span class="n">policyset</span><span class="o">.</span><span class="n">caSubCertSet</span><span class="o">.</span><span class="mf">6.</span><span class="n">constraint</span><span class="o">.</span><span class="n">params</span><span class="o">.</span><span class="n">keyUsageEncipherOnly</span><span class="o">=</span><span class="bp">false</span> <span class="n">policyset</span><span class="o">.</span><span class="n">caSubCertSet</span><span class="o">.</span><span class="mf">6.</span><span class="n">constraint</span><span class="o">.</span><span class="n">params</span><span class="o">.</span><span class="n">keyUsageDecipherOnly</span><span class="o">=</span><span class="bp">false</span> <span class="n">policyset</span><span class="o">.</span><span class="n">caSubCertSet</span><span class="o">.</span><span class="mf">6.</span><span class="n">default</span><span class="o">.</span><span class="n">class_id</span><span class="o">=</span><span class="n">keyUsageExtDefaultImpl</span> <span class="n">policyset</span><span class="o">.</span><span class="n">caSubCertSet</span><span class="o">.</span><span class="mf">6.</span><span class="n">default</span><span class="o">.</span><span class="n">name</span><span class="o">=</span><span class="n">Key</span> <span class="n">Usage</span> <span class="n">Default</span> <span class="n">policyset</span><span class="o">.</span><span class="n">caSubCertSet</span><span class="o">.</span><span class="mf">6.</span><span class="n">default</span><span class="o">.</span><span class="n">params</span><span class="o">.</span><span class="n">keyUsageCritical</span><span class="o">=</span><span class="bp">true</span> <span class="n">policyset</span><span class="o">.</span><span class="n">caSubCertSet</span><span class="o">.</span><span class="mf">6.</span><span class="n">default</span><span class="o">.</span><span class="n">params</span><span class="o">.</span><span class="n">keyUsageDigitalSignature</span><span class="o">=</span><span class="bp">true</span> <span class="n">policyset</span><span class="o">.</span><span class="n">caSubCertSet</span><span class="o">.</span><span class="mf">6.</span><span class="n">default</span><span class="o">.</span><span class="n">params</span><span class="o">.</span><span class="n">keyUsageNonRepudiation</span><span class="o">=</span><span class="bp">true</span> <span class="n">policyset</span><span class="o">.</span><span class="n">caSubCertSet</span><span class="o">.</span><span class="mf">6.</span><span class="n">default</span><span class="o">.</span><span class="n">params</span><span class="o">.</span><span class="n">keyUsageDataEncipherment</span><span class="o">=</span><span class="bp">false</span> <span class="n">policyset</span><span class="o">.</span><span class="n">caSubCertSet</span><span class="o">.</span><span class="mf">6.</span><span class="n">default</span><span class="o">.</span><span class="n">params</span><span class="o">.</span><span class="n">keyUsageKeyEncipherment</span><span class="o">=</span><span class="bp">false</span> <span class="n">policyset</span><span class="o">.</span><span class="n">caSubCertSet</span><span class="o">.</span><span class="mf">6.</span><span class="n">default</span><span class="o">.</span><span class="n">params</span><span class="o">.</span><span class="n">keyUsageKeyAgreement</span><span class="o">=</span><span class="bp">false</span> <span class="n">policyset</span><span class="o">.</span><span class="n">caSubCertSet</span><span class="o">.</span><span class="mf">6.</span><span class="n">default</span><span class="o">.</span><span class="n">params</span><span class="o">.</span><span class="n">keyUsageKeyCertSign</span><span class="o">=</span><span class="bp">true</span> <span class="n">policyset</span><span class="o">.</span><span class="n">caSubCertSet</span><span class="o">.</span><span class="mf">6.</span><span class="n">default</span><span class="o">.</span><span class="n">params</span><span class="o">.</span><span class="n">keyUsageCrlSign</span><span class="o">=</span><span class="bp">true</span> <span class="n">policyset</span><span class="o">.</span><span class="n">caSubCertSet</span><span class="o">.</span><span class="mf">6.</span><span class="n">default</span><span class="o">.</span><span class="n">params</span><span class="o">.</span><span class="n">keyUsageEncipherOnly</span><span class="o">=</span><span class="bp">false</span> <span class="n">policyset</span><span class="o">.</span><span class="n">caSubCertSet</span><span class="o">.</span><span class="mf">6.</span><span class="n">default</span><span class="o">.</span><span class="n">params</span><span class="o">.</span><span class="n">keyUsageDecipherOnly</span><span class="o">=</span><span class="bp">false</span> <span class="n">policyset</span><span class="o">.</span><span class="n">caSubCertSet</span><span class="o">.</span><span class="mf">8.</span><span class="n">constraint</span><span class="o">.</span><span class="n">class_id</span><span class="o">=</span><span class="n">noConstraintImpl</span> <span class="n">policyset</span><span class="o">.</span><span class="n">caSubCertSet</span><span class="o">.</span><span class="mf">8.</span><span class="n">constraint</span><span class="o">.</span><span class="n">name</span><span class="o">=</span><span class="n">No</span> <span class="n">Constraint</span> <span class="n">policyset</span><span class="o">.</span><span class="n">caSubCertSet</span><span class="o">.</span><span class="mf">8.</span><span class="n">default</span><span class="o">.</span><span class="n">class_id</span><span class="o">=</span><span class="n">subjectKeyIdentifierExtDefaultImpl</span> <span class="n">policyset</span><span class="o">.</span><span class="n">caSubCertSet</span><span class="o">.</span><span class="mf">8.</span><span class="n">default</span><span class="o">.</span><span class="n">name</span><span class="o">=</span><span class="n">Subject</span> <span class="n">Key</span> <span class="n">Identifier</span> <span class="n">Extension</span> <span class="n">Default</span> <span class="n">policyset</span><span class="o">.</span><span class="n">caSubCertSet</span><span class="o">.</span><span class="mf">8.</span><span class="n">default</span><span class="o">.</span><span class="n">params</span><span class="o">.</span><span class="n">critical</span><span class="o">=</span><span class="bp">false</span> <span class="n">policyset</span><span class="o">.</span><span class="n">caSubCertSet</span><span class="o">.</span><span class="mf">9.</span><span class="n">constraint</span><span class="o">.</span><span class="n">class_id</span><span class="o">=</span><span class="n">signingAlgConstraintImpl</span> <span class="n">policyset</span><span class="o">.</span><span class="n">caSubCertSet</span><span class="o">.</span><span class="mf">9.</span><span class="n">constraint</span><span class="o">.</span><span class="n">name</span><span class="o">=</span><span class="n">No</span> <span class="n">Constraint</span> <span class="n">policyset</span><span class="o">.</span><span class="n">caSubCertSet</span><span class="o">.</span><span class="mf">9.</span><span class="n">constraint</span><span class="o">.</span><span class="n">params</span><span class="o">.</span><span class="n">signingAlgsAllowed</span><span class="o">=</span><span class="n">SHA1withRSA</span><span class="p">,</span><span class="n">SHA256withRSA</span><span class="p">,</span><span class="n">SHA512withRSA</span><span class="p">,</span><span class="n">SHA1withDSA</span><span class="p">,</span><span class="n">SHA1withEC</span><span class="p">,</span><span class="n">SHA256withEC</span><span class="p">,</span><span class="n">SHA384withEC</span><span class="p">,</span><span class="n">SHA512withEC</span> <span class="n">policyset</span><span class="o">.</span><span class="n">caSubCertSet</span><span class="o">.</span><span class="mf">9.</span><span class="n">default</span><span class="o">.</span><span class="n">class_id</span><span class="o">=</span><span class="n">signingAlgDefaultImpl</span> <span class="n">policyset</span><span class="o">.</span><span class="n">caSubCertSet</span><span class="o">.</span><span class="mf">9.</span><span class="n">default</span><span class="o">.</span><span class="n">name</span><span class="o">=</span><span class="n">Signing</span> <span class="n">Alg</span> <span class="n">policyset</span><span class="o">.</span><span class="n">caSubCertSet</span><span class="o">.</span><span class="mf">9.</span><span class="n">default</span><span class="o">.</span><span class="n">params</span><span class="o">.</span><span class="n">signingAlg</span><span class="o">=-</span> <span class="n">policyset</span><span class="o">.</span><span class="n">caSubCertSet</span><span class="o">.</span><span class="mf">9.</span><span class="n">constraint</span><span class="o">.</span><span class="n">class_id</span><span class="o">=</span><span class="n">noConstraintImpl</span> <span class="n">policyset</span><span class="o">.</span><span class="n">caSubCertSet</span><span class="o">.</span><span class="mf">9.</span><span class="n">constraint</span><span class="o">.</span><span class="n">name</span><span class="o">=</span><span class="n">No</span> <span class="n">Constraint</span> <span class="n">policyset</span><span class="o">.</span><span class="n">caSubCertSet</span><span class="o">.</span><span class="mf">9.</span><span class="n">default</span><span class="o">.</span><span class="n">class_id</span><span class="o">=</span><span class="n">crlDistributionPointsExtDefaultImpl</span> <span class="n">policyset</span><span class="o">.</span><span class="n">caSubCertSet</span><span class="o">.</span><span class="mf">9.</span><span class="n">default</span><span class="o">.</span><span class="n">name</span><span class="o">=</span><span class="n">CRL</span> <span class="n">Distribution</span> <span class="n">Points</span> <span class="n">Extension</span> <span class="n">Default</span> <span class="n">policyset</span><span class="o">.</span><span class="n">caSubCertSet</span><span class="o">.</span><span class="mf">9.</span><span class="n">default</span><span class="o">.</span><span class="n">params</span><span class="o">.</span><span class="n">crlDistPointsCritical</span><span class="o">=</span><span class="bp">false</span> <span class="n">policyset</span><span class="o">.</span><span class="n">caSubCertSet</span><span class="o">.</span><span class="mf">9.</span><span class="n">default</span><span class="o">.</span><span class="n">params</span><span class="o">.</span><span class="n">crlDistPointsEnable_0</span><span class="o">=</span><span class="bp">true</span> <span class="n">policyset</span><span class="o">.</span><span class="n">caSubCertSet</span><span class="o">.</span><span class="mf">9.</span><span class="n">default</span><span class="o">.</span><span class="n">params</span><span class="o">.</span><span class="n">crlDistPointsIssuerName_0</span><span class="o">=</span><span class="n">CN</span><span class="o">=</span><span class="n">Certificate</span> <span class="n">Authority</span><span class="p">,</span><span class="n">o</span><span class="o">=</span><span class="n">ipaca</span> <span class="n">policyset</span><span class="o">.</span><span class="n">caSubCertSet</span><span class="o">.</span><span class="mf">9.</span><span class="n">default</span><span class="o">.</span><span class="n">params</span><span class="o">.</span><span class="n">crlDistPointsIssuerType_0</span><span class="o">=</span><span class="n">DirectoryName</span> <span class="n">policyset</span><span class="o">.</span><span class="n">caSubCertSet</span><span class="o">.</span><span class="mf">9.</span><span class="n">default</span><span class="o">.</span><span class="n">params</span><span class="o">.</span><span class="n">crlDistPointsNum</span><span class="o">=</span><span class="mi">1</span> <span class="n">policyset</span><span class="o">.</span><span class="n">caSubCertSet</span><span class="o">.</span><span class="mf">9.</span><span class="n">default</span><span class="o">.</span><span class="n">params</span><span class="o">.</span><span class="n">crlDistPointsPointName_0</span><span class="o">=</span> <span class="o">**</span><span class="n">http</span><span class="p">:</span><span class="o">//</span><span class="n">ipa</span><span class="o">-</span><span class="n">ca</span><span class="o">.</span><span class="n">ipa</span><span class="o">.</span><span class="n">example</span><span class="o">.</span><span class="n">com</span><span class="o">/</span><span class="n">ipa</span><span class="o">/</span><span class="n">crl</span><span class="o">/</span><span class="n">MasterCRL</span><span class="o">.</span><span class="n">bin</span><span class="o">**</span> <span class="n">policyset</span><span class="o">.</span><span class="n">caSubCertSet</span><span class="o">.</span><span class="mf">9.</span><span class="n">default</span><span class="o">.</span><span class="n">params</span><span class="o">.</span><span class="n">crlDistPointsPointType_0</span><span class="o">=</span><span class="n">MasterCRL</span> <span class="n">policyset</span><span class="o">.</span><span class="n">caSubCertSet</span><span class="o">.</span><span class="mf">9.</span><span class="n">default</span><span class="o">.</span><span class="n">params</span><span class="o">.</span><span class="n">crlDistPointsReasons_0</span><span class="o">=</span> <span class="n">policyset</span><span class="o">.</span><span class="n">caSubCertSet</span><span class="o">.</span><span class="mf">10.</span><span class="n">constraint</span><span class="o">.</span><span class="n">class_id</span><span class="o">=</span><span class="n">noConstraintImpl</span> <span class="n">policyset</span><span class="o">.</span><span class="n">caSubCertSet</span><span class="o">.</span><span class="mf">10.</span><span class="n">constraint</span><span class="o">.</span><span class="n">name</span><span class="o">=</span><span class="n">No</span> <span class="n">Constraint</span> <span class="n">policyset</span><span class="o">.</span><span class="n">caSubCertSet</span><span class="o">.</span><span class="mf">10.</span><span class="n">default</span><span class="o">.</span><span class="n">class_id</span><span class="o">=</span><span class="n">authInfoAccessExtDefaultImpl</span> <span class="n">policyset</span><span class="o">.</span><span class="n">caSubCertSet</span><span class="o">.</span><span class="mf">10.</span><span class="n">default</span><span class="o">.</span><span class="n">name</span><span class="o">=</span><span class="n">AIA</span> <span class="n">Extension</span> <span class="n">Default</span> <span class="n">policyset</span><span class="o">.</span><span class="n">caSubCertSet</span><span class="o">.</span><span class="mf">10.</span><span class="n">default</span><span class="o">.</span><span class="n">params</span><span class="o">.</span><span class="n">authInfoAccessADEnable_0</span><span class="o">=</span><span class="bp">true</span> <span class="n">policyset</span><span class="o">.</span><span class="n">caSubCertSet</span><span class="o">.</span><span class="mf">10.</span><span class="n">default</span><span class="o">.</span><span class="n">params</span><span class="o">.</span><span class="n">authInfoAccessADLocationType_0</span><span class="o">=</span><span class="n">URIName</span> <span class="n">policyset</span><span class="o">.</span><span class="n">caSubCertSet</span><span class="o">.</span><span class="mf">10.</span><span class="n">default</span><span class="o">.</span><span class="n">params</span><span class="o">.</span><span class="n">authInfoAccessADLocation_0</span><span class="o">=</span> <span class="n">policyset</span><span class="o">.</span><span class="n">caSubCertSet</span><span class="o">.</span><span class="mf">10.</span><span class="n">default</span><span class="o">.</span><span class="n">params</span><span class="o">.</span><span class="n">authInfoAccessADMethod_0</span><span class="o">=</span><span class="mf">1.3</span><span class="o">.</span><span class="mf">6.1</span><span class="o">.</span><span class="mf">5.5</span><span class="o">.</span><span class="mf">7.48</span><span class="o">.</span><span class="mi">1</span> <span class="n">policyset</span><span class="o">.</span><span class="n">caSubCertSet</span><span class="o">.</span><span class="mf">10.</span><span class="n">default</span><span class="o">.</span><span class="n">params</span><span class="o">.</span><span class="n">authInfoAccessCritical</span><span class="o">=</span><span class="bp">false</span> <span class="n">policyset</span><span class="o">.</span><span class="n">caSubCertSet</span><span class="o">.</span><span class="mf">10.</span><span class="n">default</span><span class="o">.</span><span class="n">params</span><span class="o">.</span><span class="n">authInfoAccessNumADs</span><span class="o">=</span><span class="mi">1</span> <span class="n">profileId</span><span class="o">=</span><span class="n">SubCA</span> </code></pre> <p>The place I found this included hardcoding in the CRL to the template. So I did the same. If you don't know how to find the CRL for your own root cert, then you probably do not understand this post anyway. Import the certificate profile.</p> <pre class="code literal-block"><span></span><code><span class="n">ipa</span> <span class="n">certprofile</span><span class="o">-</span><span class="kn">import</span> <span class="nn">SubCA</span> <span class="o">--</span><span class="n">store</span><span class="o">=</span><span class="n">true</span> <span class="o">--</span><span class="n">file</span><span class="o">=</span><span class="n">subCA</span><span class="o">.</span><span class="n">cfg</span> <span class="o">--</span><span class="n">desc</span><span class="o">=</span><span class="s2">"Enrolling subordinate certificate authority certificates"</span> </code></pre> <p>We have to pause to make sure we have the relevant services (and hosts for those services.</p> <pre class="code literal-block"><span></span><code>ipa host-add --force proxy.ipa.example.com ipa host-add --force proxy.example.com ipa host-add --force webproxy.ipa.example.com ipa host-add --force http-proxy.ipa.example.com ipa host-add --force https-proxy.ipa.example.com ipa service-add --force HTTP/proxy.ipa.example.com ipa service-add --force HTTP/proxy.example.com ipa service-add --force HTTP/webproxy.ipa.example.com ipa service-add --force HTTP/http-proxy.ipa.example.com ipa service-add --force HTTP/https-proxy.ipa.example.com </code></pre> <p>Fulfill the request.</p> <pre class="code literal-block"><span></span><code>ipa cert-request --profile-id=SubCA --principal=HTTP/proxy.ipa.example.com proxy.ipa.example.com.csr </code></pre> <p>Save down the contents of the cert from that command, or from <code>ipa cert-show 30</code> where 30 is the serial number. The contents, without any form of CRLF or ilk, can be a single line between the "-----BEGIN CERTIFICATE-----" and "----- END CERTIFICATE-----" lines in a .pem file. This is the public certificate to save down on the squid server as <code>/etc/pki/tls/certs/proxy.ipa.example.com.pem</code> Squid can read this format, but openssl might struggle. You can add a <strong>--certificate-out=/path/to/file</strong> to either the csr or cert-show commands, which will insert the correct end-of- line characters for openssl itself. That's it for requesting the subCA cert from FreeIPA.</p> <h2>References</h2> <h3>Weblinks</h3> <p>http://silverskysoft.com/open-stack-xwrpr/2015/09/creating-a-subordinate- certificate-authority-in-freeipa/</p>certificatesfreeipasquidsslhttps://bgstack15.ddns.net/blog/posts/2020/09/30/getting-a-valid-subca-certificate-for-squid-from-freeipa/Wed, 30 Sep 2020 13:09:12 GMTSquid not using /etc/hosts filehttps://bgstack15.ddns.net/blog/posts/2019/09/09/squid-not-using-etc-hosts-file/bgstack15<p>If you need to set some specific hostnames for squid to use, you might use /etc/hosts. However, you still get the error where it cannot resolve the hostname. You need to add this option in the squid.conf:</p> <pre class="code literal-block"><span></span><code>hosts_file /etc/hosts </code></pre> <h2>References</h2> <h3>Weblinks</h3> <p>Derived from the question in <a href="https://serverfault.com/questions/195164/squid-%0Aproxy-server-ignoring-hosts-file">https://serverfault.com/questions/195164/squid- proxy-server-ignoring-hosts-file</a></p>hostnameproxysquidhttps://bgstack15.ddns.net/blog/posts/2019/09/09/squid-not-using-etc-hosts-file/Mon, 09 Sep 2019 12:34:12 GMTQuick script to purge URL from squid proxyhttps://bgstack15.ddns.net/blog/posts/2018/10/08/quick-script-to-purge-url-from-squid-proxy/bgstack15<p>If you have the requisite permissions in squid.conf, you can just use a quick script to purge URLs. I use this for flushing local files I am developing and download to clients with http.</p> <pre class="code literal-block"><span></span><code>tf=/usr/local/bin/purge touch "<span class="cp">${</span><span class="n">tf</span><span class="cp">}</span>" ; chmod 0755 "<span class="cp">${</span><span class="n">tf</span><span class="cp">}</span>" echo <span class="err">&lt;</span><span class="nt">&lt;EOF</span> <span class="nt">&gt;</span> "<span class="cp">${</span><span class="n">tf</span><span class="cp">}</span>" #!/bin/sh for word in <span class="cp">${</span><span class="o">@</span><span class="cp">}</span> ; do squidclient -h localhost -r -p 3128 -m PURGE "<span class="cp">${</span><span class="n">word</span><span class="cp">}</span>" done EOF </code></pre> <p>For squid, I am using a few lines to allow purging:</p> <pre class="code literal-block"><span></span><code>acl PURGE method PURGE http_access allow PURGE localhost </code></pre> <p>Then you can call it:</p> <pre class="code literal-block"><span></span><code>purge http://example.com/url1 http://example.com/url2 http://example.com/url3 </code></pre>proxypurgesquidhttps://bgstack15.ddns.net/blog/posts/2018/10/08/quick-script-to-purge-url-from-squid-proxy/Mon, 08 Oct 2018 13:08:09 GMT