Re: [squid-users] ssl between squid accellerators

From: mlister <[email protected]>
Date: Thu, 27 Mar 2003 11:52:36 -0500

ok this makes sense with never_direct and both squid servers pointing to the
same webserver.
I put everything in place but I'm getting the (71) protocol error. The hint
from the FAQ that
squid could be blocked lead me to the cache.log where I'm getting errors
with the negotion
of the ssl certificate:

SQUID1 is showing
2003/03/27 16:44:46| TCP connection to 10.10.1.73/443 failed
2003/03/27 16:44:46| SSL unknown certificate error 18 in
/C=US/ST=XX/L=XXXXXX/O=XXXXXX/CN=SQUID2
2003/03/27 16:44:46| fwdNegotiateSSL: Error negotiating SSL connection on FD
13: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate
verify failed (1/-1)

SQUID2 is showing
2003/03/27 11:40:00| clientNegotiateSSL: Error negotiating SSL connection on
FD 10: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
(1/0)

the above is duplicate after having recreated the key, cert (on SQUID2)
with:
 "openssl req -new -x509 -nodes -keyout test_key.pem -out test_cert.pem"

do I need to copy anything over to SQUID1 (any keys?) or perhaps set anymore
directives in
regards to SSL on SQUID2 ? (I notice cache_peer has further ssl options for
keys)

Again, Henrick I appreciate your time and patience while I'm newly learning
squid and the ssl world.

----- Original Message -----
From: "Henrik Nordstrom" <hno@squid-cache.org>
To: "mlister" <mailme@triad.rr.com>
Cc: <squid-users@squid-cache.org>
Sent: Wednesday, March 26, 2003 7:19 PM
Subject: Re: [squid-users] ssl between squid accellerators

> mlister wrote:
>
> > Anyways I will compile Squid-3 and start working with it, but I am
curious
> > if you (Henrik, or any of the listers) have any sample configuration
files
> > or could give me cache_peer directive examples to where I have something
to
> > mold.
> >
> > client <---SSL-->SQUID1<---SSL--->SQUID2<---HTTP-->webserver
>
>
> Squid-3:
>
> SQUID1:
>
> https_port 443 cert=... accel defaultsite=www.your.domain
> cache_peer squid2 parent 443 0 ssl no-query originserver
>
> SQUID2:
>
> https_port 443 cert=... accel defaultsite=www.your.domain
> cache_peer webserver parent 80 0 no-query originserver
>
>
> Squid-2.5+ssl update:
>
> SQUID1:
>
> https_port 443 cert=...
> httpd_accel_host www.your.domain
> httpd_accel_port 80
> cache_peer squid2 parent 443 0 ssl no-query
> never_direct allow all
>
> alternatively instead of using cache_peer+never_direct, use a redirector
> which rewrites the requests as https://www.your.domain/ and register
> www.your.domain into /etc/hosts with the address of SQUID2.
>
> SQUID2:
>
> https_port 443 cert=..
> httpd_accel_host www.your.domain
>
> and put www.your.domain into /etc/hosts with the address of the real web
> server.
>
>
>
>
> In all cases you should also configure http_access to only allow access
> to www.your.domain..
>
>
>
>
> Regards
> Henrik
Received on Thu Mar 27 2003 - 09:52:42 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:14:22 MST