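Squid configuration directive sslproxy_cert_sign

Available in:   v6   v5   v4   3.5   3.4   3.3  

This directive is not available in the v8 version of Squid.

For older versions prior to v5, see the linked pages above.

Configuration Details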

Option Name: sslproxy_cert_sign
Replaces:
Requires: --with-openssl
Default Value: none
    sslproxy_cert_sign signUntrusted ssl::certUntrusted
    sslproxy_cert_sign signSelf ssl::certSelfSigned
    sslproxy_cert_sign signTrusted all
Suggested Config:

      
        sslproxy_cert_sign <signing algorithm> acl ...

        The following certificate signing algorithms are supported:

	   signTrusted
		Sign using the configured CA certificate which is usually
		placed in and trusted by end-user browsers. This is the
		default for trusted origin server certificates.

	   signUntrusted
		Sign to guarantee an X509_V_ERR_CERT_UNTRUSTED browser error.
		This is the default for untrusted origin server certificates
		that are not self-signed (see ssl::certUntrusted).

	   signSelf
		Sign using a self-signed certificate with the right CN to
		generate an X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT error in the
		browser. This is the default for self-signed origin server
		certificates (see ssl::certSelfSigned).

	This clause only supports fast acl types.

	When sslproxy_cert_sign acl(s) match, Squid uses the corresponding
	signing algorithm to generate the certificate and ignores all
	subsequent sslproxy_cert_sign options (the first match wins). If no
	acl(s) match, the default signing algorithm is determined by errors
	detected when obtaining and validating the origin server certificate.

	WARNING: SQUID_X509_V_ERR_DOMAIN_MISMATCH and ssl::certDomainMismatch can
	be used with sslproxy_cert_adapt, but if and only if Squid is bumping a
	CONNECT request that carries a domain name. In all other cases (CONNECT
	to an IP address or an intercepted SSL connection), Squid cannot detect
	the domain mismatch at certificate generation time when
	bump-server-first is used.
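
An added example, not part of the Squid documentation: a small Python check of sslproxy_cert_sign rule ordering in a squid.conf excerpt, built on the first-match-wins behaviour described above. The sample configuration, the `quarantine` ACL and its domain are constructed, and the check assumes that a rule whose ACLs are all `all` matches every connection.

```python
ALGORITHMS = {"signTrusted", "signUntrusted", "signSelf"}  # the three documented above
ERROR_ACLS = {"ssl::certUntrusted", "ssl::certSelfSigned"}  # ACLs used by the defaults

# Constructed sample; the "quarantine" ACL and its domain are hypothetical.
SAMPLE_CONF = """\
acl quarantine ssl::server_name .quarantine.example
sslproxy_cert_sign signUntrusted quarantine
sslproxy_cert_sign signTrusted all
sslproxy_cert_sign signSelf ssl::certSelfSigned
sslproxy_cert_sign signBogus all
"""

def parse_rules(conf_text):
    """Yield (line_no, algorithm, acl_names) for every sslproxy_cert_sign line."""
    for line_no, raw in enumerate(conf_text.splitlines(), 1):
        fields = raw.split()
        if fields and fields[0] == "sslproxy_cert_sign":
            yield line_no, (fields[1] if len(fields) > 1 else ""), fields[2:]

def lint(conf_text):
    """Return [(line_no, message)] for syntax and ordering problems."""
    findings, catch_all, seen = [], None, set()
    for line_no, alg, acls in parse_rules(conf_text):
        if alg not in ALGORITHMS:
            findings.append((line_no, f"unknown signing algorithm {alg!r}"))
        elif not acls:
            findings.append((line_no, "no acl given"))
        elif catch_all is not None:
            # First match wins, so nothing after a catch-all rule is evaluated.
            findings.append((line_no, f"unreachable: line {catch_all} matches everything"))
        elif all(name == "all" for name in acls):
            catch_all = line_no
            # An explicit catch-all pre-empts the error-based defaults.
            if alg == "signTrusted" and not ERROR_ACLS <= seen:
                findings.append((line_no, "signTrusted for all before the "
                                 "ssl::certUntrusted/ssl::certSelfSigned rules: origins that "
                                 "failed validation are signed with the trusted CA"))
        else:
            seen.update(acls)
    return findings

if __name__ == "__main__":
    for line_no, message in lint(SAMPLE_CONF):
        print(f"line {line_no}: {message}")
```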

 
