[squid-users] Is "https_port" required for transparent (reverse) proxying?

From: Tim Neto <[email protected]>
Date: Wed, 30 Nov 2005 17:47:03 -0500

Squid Cache: Version 2.5.STABLE11
configure options: --host=i386-redhat-linux --build=i386-redhat-linux
--target=i386-redhat-linux-gnu
                            --prefix=/usr --exec-prefix=/usr
--bindir=/usr/bin
                            --sbindir=/usr/sbin --sysconfdir=/etc
--datadir=/usr/share
                            --includedir=/usr/include --libdir=/usr/lib
--libexecdir=/usr/libexec
                            --localstatedir=/var
--sharedstatedir=/usr/com --mandir=/usr/share/man
                            --infodir=/usr/share/info --exec_prefix=/usr
--libexecdir=/usr/lib/squid
                            --localstatedir=/var
--sysconfdir=/etc/squid--enable-poll --enable-snmp
                            --enable-removal-policies=heap,lru
--enable-storeio=aufs,coss,diskd,ufs
                            --enable-ssl --with-openssl=/usr/kerberos
--enable-delay-pools
                            --enable-linux-netfilter --with-pthreads
                            
--enable-basic-auth-helpers=LDAP,NCSA,PAM,SMB,SASL,MSNT
                            --enable-ntlm-auth-helpers=SMB,winbind
                            
--enable-external-acl-helpers=ip_user,ldap_group,unix_group,wbinfo_group,winbind_group

https_port config file line definition:

   https_port 209.202.99.178:443 cert=/etc/squid/webmail.pem

When I enable the above line in my configuration file squid fails to
start. In the /var/log/messages I get:

Nov 30 17:28:14 proxy1 squid[3818]: Squid Parent: child process 3820
exited with status 0
Nov 30 17:28:24 proxy1 squid[5338]: Squid Parent: child process 5340 started
Nov 30 17:28:24 proxy1 (squid): Failed to acquire SSL private key:
error:0906D06C:PEM routines:PEM_read_bio:no start line
Nov 30 17:28:24 proxy1 squid[5338]: Squid Parent: child process 5340
exited due to signal 6
Nov 30 17:28:27 proxy1 squid[5338]: Squid Parent: child process 5389 started
Nov 30 17:28:28 proxy1 (squid): Failed to acquire SSL private key:
error:0906D06C:PEM routines:PEM_read_bio:no start line
Nov 30 17:28:28 proxy1 squid[5338]: Squid Parent: child process 5389
exited due to signal 6
Nov 30 17:28:31 proxy1 squid[5338]: Squid Parent: child process 5437 started
Nov 30 17:28:32 proxy1 (squid): Failed to acquire SSL private key:
error:0906D06C:PEM routines:PEM_read_bio:no start line
Nov 30 17:28:32 proxy1 squid[5338]: Squid Parent: child process 5437
exited due to signal 6
Nov 30 17:28:35 proxy1 squid[5338]: Squid Parent: child process 5483 started
Nov 30 17:28:35 proxy1 (squid): Failed to acquire SSL private key:
error:0906D06C:PEM routines:PEM_read_bio:no start line
Nov 30 17:28:35 proxy1 squid[5338]: Squid Parent: child process 5483
exited due to signal 6
Nov 30 17:28:38 proxy1 squid[5338]: Squid Parent: child process 5530 started
Nov 30 17:28:39 proxy1 (squid): Failed to acquire SSL private key:
error:0906D06C:PEM routines:PEM_read_bio:no start line
Nov 30 17:28:39 proxy1 squid[5338]: Squid Parent: child process 5530
exited due to signal 6
Nov 30 17:28:39 proxy1 squid[5338]: Exiting due to repeated, frequent
failures

 From the default squid.conf file (the one with the documentation
comments), I noticed this:

# TAG: https_port
#Usage: [ip:]port cert=certificate.pem [key=key.pem] [options...]
#
#The socket address where Squid will listen for HTTPS client
# requests.
#
# This is really only useful for situations where you are running
# squid in accelerator mode and you want to do the SSL work at the
# accelerator level.
#
# You may specify multiple socket addresses on multiple lines,
# each with their own SSL certificate and/or options.

The remark about "This is really only useful for situations where you
are running squid in accelerator mode and you want to do the SSL work at
the accelerator level." makes me question whether I need an "https_port"
directive.

So do I need "https_port" for transparent (reverse) proxying in 2.5
STABLE 11?

If yes, then how do I approach resolving the errors I am getting?

Thanks.

Tim

-- 
-----------------------------------------------------------
Timothy E. Neto
 Computer Systems Engineer         Komatsu Canada Limited
 Ph#: 905-625-6292 x265            1725B Sismet Road
 Fax: 905-625-6348                 Mississauga, Canada
 E-Mail: tneto@komatsu.ca          L4W 1P9
-----------------------------------------------------------
Received on Wed Nov 30 2005 - 15:46:36 MST

This archive was generated by hypermail pre-2.1.9 : Thu Dec 01 2005 - 12:00:10 MST