Re: Re: Re: [squid-users] Squid as SSL ReverseProxy - SSL Gateway or however you wanna call it

From: Henrik Nordstrom <hno@squid-cache.org>
Date: 27 Mar 2003 18:07:46 +0100

To use self-signed certificates you need to disable the certificate
verification. See the ssl flags settings (sslflags= cache_peer option or
sslproxy_flags squid.conf option depending on which method for
forwarding requests as SSL you are using).

Regards
Henrik

On Thu 2003-03-27 at 15.08, sebastian.nell@bgs-ag.de wrote:
> Hi!
> Applying the SSL patch worked fine with the -p1 option and I think I'm a
> step closer to where I want to go!
> Now I have problems with the certificate of the localserver; I get this
> error message:
>
> 2003/03/27 15:07:35| SSL unknown certificate error 18 in /O=Test Server/CN=*
> 2003/03/27 15:07:35| fwdNegotiateSSL: Error negotiating SSL connection on FD 18: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1)
>
> I don't know where and how to specify the localserver certificate and which
> certificate I need, or how do I get Squid to handshake with the localserver?
>
> I really appreciate your help!
> THX
> Sebastian
>
>
> *******************************************
> Beratungsgesellschaft Software Systemplanung AG
> Geschäftssitz Mainz
> Niederlassung Rhein/Main
> Robert-Koch-Straße 41
> 55129 Mainz
> Phone: 06131 914-0 (-166), Fax -400
> E-Mail: Sebastian.Nell@bgs-ag.de
> web: www.bgs-ag.de
> ********************************************
>
>
>
>
>
> Henrik Nordstrom <hno@squid-cache.org> on 26.03.2003 18:02:56
>
> To: sebastian.nell@bgs-ag.de
> Cc: Squid Users <squid-users@squid-cache.org>
> Subject: Re: Re: [squid-users] Squid as SSL ReverseProxy - SSL Gateway or
> however you wanna call it
>
>
> The 2.5 version of the ssl update patch is currently for 2.5.STABLE2.
>
> None of the development patches are included in 2.5.STABLE2, only the
> bugfixes listed on http://www.squid-cache.org/Versions/v2/2.5/bugs/
>
> Regards
> Henrik
>
>
> On Wed 2003-03-26 at 15.46, sebastian.nell@bgs-ag.de wrote:
> > Hi!
> > Thanks so far, I couldn't apply the ssl_update to 2.5 Stable1 but I used
> > Squid 2.5 Stable2 because somewhere it said that all patches for Stable1
> > are included there!
> > After the installation I included a little rewrite CGI into the squid.conf
> > which rewrites the incoming request like:
> > https://localserver into https://192.168.1.1 but I still get the error
> > message Bad Request ...
> > What am I doing wrong?
> > Is there a usable version of Squid 3 out yet?
> >
> > Thanks again for your support
> > greetz
> > Sebastian Nell
> >
> >
> >
> >
> >
> >
> > Henrik Nordstrom <hno@squid-cache.org> on 26.03.2003 12:42:46
> >
> > To: sebastian.nell@bgs-ag.de
> > Cc: squid-users@squid-cache.org
> > Subject: Re: [squid-users] Squid as SSL ReverseProxy - SSL Gateway or
> > however you wanna call it
> >
> >
> > Squid-2.5 does not support this out of the box.
> >
> > With the SSL update patch for Squid-2.5 it gets somewhat possible by
> > defining the internal server as a ssl enabled cache_peer (works with
> > most web servers) or using a redirector to rewrite the accelerated URLs
> > into https://... (works with all web servers)
> >
> >
> > Squid-3 will support such configuration directly, and is significantly
> > easier to configure than Squid-2.5 + ssl_update.
> >
> >
> > In both cases the https:// request is proxied by Squid, meaning that
> > there is one SSL tunnel between the client and Squid, and another SSL
> > tunnel between Squid and the web server, with Squid decrypting and then
> > re-encrypting the traffic in the middle.
> >
> > If what you want is a SSL tunnel between the client and the internal
> > server then you need to use a tcp plug or port forwarding.
> >
> > Regards
> > Henrik
> >
> >
> > On Wed 2003-03-26 at 09.58, sebastian.nell@bgs-ag.de wrote:
> > > Hi!
> > >
> > > I have been reading through this mailing list quite a while and have
> > > stumbled over a lot of posts concerning Squid and SSL but not an answer
> > > to what I really need.
> > > What I need is an SSL connection on both sides of Squid
> > >
> > > Client < -----SSL---- > Squid < ----- SSL ----- > Internal Server
> > >
> > > I know that this question has been asked quite often and there were
> > > people who said it works, some said it doesn't, but there has never been
> > > a "real" answer or an example concerning whether it is possible or not!
> > >
> > > My Squid.conf looks like this (using Squid 2.5 stable1):
> > >
> > > http_port 172.16.3.131:80
> > > https_port 172.16.3.131:443 cert=squid_cert.pem key=squid_key.pem
> > > ...
> > > acl all src 0.0.0.0/0.0.0.0
> > > acl manager proto cache_object
> > > acl localhost src 127.0.0.1/255.255.255.255
> > > acl to_localhost dst 127.0.0.0/8
> > > acl allowed_hosts src 192.168.1.1/255.255.255.0
> > > acl SSL_ports port 443 563
> > > ...
> > > acl CONNECT method CONNECT
> > > ...
> > > redirect_rewrites_host_header off
> > >
> > >
> > > http_access allow manager localhost
> > > http_access deny manager
> > > http_access allow allowed_hosts
> > > http_access deny all
> > > http_access allow CONNECT !SSL_ports
> > > http_access allow CONNECT
> > > ...
> > > acl our_networks src 192.168.1.0/24 192.168.4.0/24
> > > http_access allow our_networks
> > > http_reply_access allow all
> > > ...
> > > httpd_accel_port 443
> > > httpd_accel_host virtual
> > > httpd_accel_single_host off
> > > httpd_accel_with_proxy off
> > > httpd_accel_uses_host_header on
> > > ....
> > >
> > > And at my /etc/hosts I added an entry
> > >
> > > 192.168.1.10 localserver
> > >
> > > When I try to access localserver through Squid and https I get the
> > > error message
> > > "Error- Bad Request This web server is running in SSL mode. Try the URL
> > > https:://pc352:443/ instead."
> > >
> > > pc352 is the computer name of localserver.
> > >
> > > How do I get SSL to work from Squid to the localserver?
> > >
> > > I would be more than thankful if someone could help me out on this one!
> > >
> > > THX
> > >
> > > Sebastian
> > >
> > > *******************************************
> > > Beratungsgesellschaft Software Systemplanung AG
> > > Geschäftssitz Mainz
> > > Niederlassung Rhein/Main
> > > Robert-Koch-Straße 41
> > > 55129 Mainz
> > > Phone: 06131 914-0 (-166), Fax -400
> > > E-Mail: Sebastian.Nell@bgs-ag.de
> > > web: www.bgs-ag.de
> > > ********************************************
> > --
> > Henrik Nordstrom <hno@squid-cache.org>
> > MARA Systems AB, Sweden
> >
> >
> --
> Henrik Nordstrom <hno@squid-cache.org>
> MARA Systems AB, Sweden
>
>

-- 
Henrik Nordstrom <hno@squid-cache.org>
MARA Systems AB, Sweden
Received on Thu Mar 27 2003 - 10:07:54 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:14:23 MST
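The "SSL unknown certificate error 18" Squid logs above is the numeric OpenSSL X509 verify result; 18 is X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT, "self signed certificate", which is why Henrik points at the verification flags. Before reaching for sslflags=DONT_VERIFY_PEER (which makes the Squid-to-origin leg accept any certificate, including an attacker's) it is worth reading the code and deciding whether a trust anchor, a clock, or a damaged certificate is the real problem. The following is an added example, not code from the thread or from the Squid project: it parses cache.log lines of the two shapes quoted above, maps the verify code to OpenSSL's name, and attaches a suggested remediation. The error-code names are OpenSSL's; the advice strings and the expired-certificate log line are this example's own constructions, and the regexes assume the Squid-2.5 log format shown in the thread.

```python
import re

# OpenSSL X509_V_ERR_* result codes, as printed by Squid after
# "SSL unknown certificate error". Names follow X509_verify_cert_error_string().
X509_VERIFY_ERRORS = {
    2: "unable to get issuer certificate",
    7: "certificate signature failure",
    9: "certificate is not yet valid",
    10: "certificate has expired",
    18: "self signed certificate",
    19: "self signed certificate in certificate chain",
    20: "unable to get local issuer certificate",
    21: "unable to verify the first certificate",
    27: "certificate not trusted",
}

# Codes that mean "Squid has no trust anchor for this chain" versus
# "the certificate itself is bad". Only the first group is sensibly fixed
# by giving Squid a CA file; the rest should never be bypassed.
TRUST_ANCHOR_CODES = {2, 18, 19, 20, 21, 27}
VALIDITY_CODES = {9, 10}

TS = r"(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d)"
CERT_ERR_RE = re.compile(
    TS + r"\| SSL unknown certificate error (?P<code>\d+) in (?P<subject>/.*)$")
NEG_ERR_RE = re.compile(
    TS + r"\| fwdNegotiateSSL: Error negotiating SSL connection on FD (?P<fd>\d+): "
    r"error:(?P<hex>[0-9A-Fa-f]+):(?P<lib>[^:]*):(?P<func>[^:]*):(?P<reason>[^(]*)")


def parse_subject(dn):
    """Turn an OpenSSL one-line DN ('/O=Test Server/CN=*') into a dict.
    Assumes attribute values contain no '/' (true for the thread's cert)."""
    out = {}
    for part in dn.split("/"):
        if part:
            key, _, value = part.partition("=")
            out[key] = value
    return out


def advice_for(code):
    """Suggested remediation (this example's wording, not Squid documentation)."""
    if code in TRUST_ANCHOR_CODES:
        return ("trust anchor missing: give Squid the origin's own certificate or CA "
                "via sslcafile= rather than disabling verification with DONT_VERIFY_PEER")
    if code in VALIDITY_CODES:
        return "validity period problem: check the clocks on Squid and the origin, or reissue the cert"
    if code == 7:
        return "signature failure: certificate is damaged or tampered with; do not bypass"
    return "unrecognised code: look it up in OpenSSL's X509_V_ERR_* list before bypassing"


def classify(line):
    """Return a finding dict for a recognised SSL log line, else None."""
    m = CERT_ERR_RE.match(line)
    if m:
        code = int(m.group("code"))
        return {"kind": "verify", "ts": m.group("ts"), "code": code,
                "name": X509_VERIFY_ERRORS.get(code, "unknown"),
                "subject": parse_subject(m.group("subject")),
                "advice": advice_for(code)}
    m = NEG_ERR_RE.match(line)
    if m:
        return {"kind": "negotiate", "ts": m.group("ts"), "fd": int(m.group("fd")),
                "openssl_error": int(m.group("hex"), 16), "func": m.group("func"),
                "reason": m.group("reason").strip()}
    return None


def summarize(lines):
    """All findings from an iterable of cache.log lines, in log order."""
    return [f for f in (classify(l.rstrip("\n")) for l in lines) if f]


# Constructed sample: the two lines quoted in the thread (the second rejoined
# onto one line) plus an invented expired-certificate line and an unrelated line.
SAMPLE_LOG = [
    "2003/03/27 15:07:35| SSL unknown certificate error 18 in /O=Test Server/CN=*",
    "2003/03/27 15:07:35| fwdNegotiateSSL: Error negotiating SSL connection on FD 18: "
    "error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1)",
    "2003/03/28 09:12:01| SSL unknown certificate error 10 in /C=DE/O=Example GmbH/CN=pc352",
    "2003/03/28 09:12:02| clientReadRequest: FD 12: reading request...",
]

if __name__ == "__main__":
    for finding in summarize(SAMPLE_LOG):
        print(finding)
```

Run against a real cache.log with `summarize(open("/var/log/squid/cache.log"))`. For the thread's case the finding is code 18 on a subject of /O=Test Server/CN=*, i.e. a self-signed origin certificate whose CN does not even name a host. With the ssl_update patch and Squid-3 the cache_peer line accepts, in addition to sslflags=, an sslcafile= option; pointing it at a PEM copy of the origin's own self-signed certificate keeps verification on while still accepting that one certificate, which is the narrower fix when the origin cannot get a certificate from a CA Squid already trusts.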