[squid-users] HTTPS Acceleration / SSL between squid and accelerated server....

From: Rakesh Kumar <[email protected]>
Date: Wed, 10 Mar 2004 08:30:08 +0300

I disabled the use of Squid as a proxy in the browser. When I go to
https://mail.xyz.com I get the following error (after a long time):

The requested URL could not be retrieved.
While trying to retrieve the URL: http://172.29.1.14:443
READ ERROR.
(104) connection reset by peer.

In access.log I get:

1078896546.765 172357 168.187.198.212 TCP_MISS/500 1367 GET http://172.29.1.14:443/ - DIRECT/172.29.1.14 text/html

Why this error? It should show https://172.29.1.14:443, shouldn't it?

The squid.conf is as follows:

https_port 443 cert=/usr/local/ssl/cacert.pem key=/usr/local/ssl/privkey.pem
httpd_accel_host 172.29.1.14
httpd_accel_port 443
httpd_accel_single_host on
httpd_accel_with_proxy on
acl accel_servers dst 172.29.1.14
acl port443 port 443
acl http protocol http
http_access allow accel_servers http port443

Now what I did today:
1. I disabled the certificate on the Exchange server and changed the following:

        httpd_accel_port 443 -to- httpd_accel_port 80
        acl port443 port 443 -to- acl port80 port 80
        http_access allow accel_servers http port443 -to- http_access allow accel_servers http port80

Allowed in firewall-2 the traffic between the squid server and the exchange
server on port 80 in place of 443.
This arrangement worked OK. This means that there was no encryption
between the squid server and the exchange server.

2. After this I restored the changes made in step 1. In the access.log I get the
following:

1078818083.121 43952 168.187.198.212 TCP_MISS/000 0 GET http://172.29.1.14:443 - DIRECT/172.29.1.14 -

Thinking that the message should have been "GET https://172.29.1.14", I
changed the following in squid.conf:

 acl http protocol http -to- acl https protocol https

but I am getting the same message in access.log. Can I not have SSL between
client & Squid-Rev and between Squid-Rev & Exchange server?

3. Another question (maybe I am late to ask it): can I not have SSL between
Exchange & client, with the Squid reverse proxy just passing it through, i.e.
tunneling SSL through the proxy in reverse mode?

4. When returning with the error seen in 'URL could not be retrieved' it
shows the internal IP. Can I change it to appear as the real IP of
mail.xyz.com?

Thanks

Rakesh Kumar Jha
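As an added example (not part of this thread), a small Python check over access.log lines in Squid's native format that flags the pattern seen above: a DIRECT fetch of an http:// URL aimed at port 443 that ends in status 000 or 500, which is what plaintext HTTP sent into a TLS listener looks like from the proxy's side. The sample lines are constructed from the two entries in the message (rejoined onto single lines) plus one healthy port-80 fetch for contrast.

```python
import re
from collections import namedtuple

# Squid "native" access.log layout, space separated:
# time elapsed_ms client code/status bytes method URL ident hierarchy/peer type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<ident>\S+)\s+(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<ctype>\S+)$"
)
Entry = namedtuple("Entry", "ts elapsed client code status bytes method url ident hier peer ctype")

def parse_line(line):
    """Parse one native-format line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    g = m.groupdict()
    return Entry(float(g["ts"]), int(g["elapsed"]), g["client"], g["code"],
                 int(g["status"]), int(g["bytes"]), g["method"], g["url"],
                 g["ident"], g["hier"], g["peer"], g["ctype"])

def plaintext_to_tls_port(url):
    """True when the forwarded URL is http:// but aimed at port 443, i.e. Squid
    will speak plaintext HTTP to a listener that expects a TLS handshake."""
    m = re.match(r"^(?P<scheme>https?)://[^/:]+:(?P<port>\d+)(?:/|$)", url)
    return bool(m) and m.group("scheme") == "http" and m.group("port") == "443"

def audit(lines):
    """One finding per DIRECT fetch of an http://...:443 URL that got no reply
    (status 000) or produced Squid's 500 error page."""
    findings = []
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue
        if plaintext_to_tls_port(e.url) and e.hier == "DIRECT" and e.status in (0, 500):
            findings.append({"client": e.client, "peer": e.peer, "status": e.status,
                             "elapsed_ms": e.elapsed, "url": e.url})
    return findings

# Constructed sample: the two lines from the message (re-joined onto single lines)
# plus one healthy fetch to the backend on port 80 for contrast.
SAMPLE_LOG = [
    "1078896546.765 172357 168.187.198.212 TCP_MISS/500 1367 GET http://172.29.1.14:443/ - DIRECT/172.29.1.14 text/html",
    "1078818083.121 43952 168.187.198.212 TCP_MISS/000 0 GET http://172.29.1.14:443 - DIRECT/172.29.1.14 -",
    "1078896600.001 120 168.187.198.212 TCP_MISS/200 5120 GET http://172.29.1.14:80/exchange/ - DIRECT/172.29.1.14 text/html",
]
```

Running `audit(SAMPLE_LOG)` returns the two broken fetches and leaves the port-80 one alone; the long elapsed times in the findings are the "after a long time" the browser user sees.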

************************************************************************
On Mon, 8 Mar 2004, Rakesh Kumar wrote:

> 2004/03/08 10:27:41| clientNegotiateSSL: Error negotiating SSL connection on FD 10: error:1407609B:SSL routines:SSL23_GET_CLIENT_HELLO:https proxy request

You get this if you have configured your browser to use Squid as a proxy.

Don't do this for reverse-proxying.

Regards

Henrik

Received on Tue Mar 09 2004 - 22:45:56 MST