Re: [squid-users] squid reverse proxy with ssl: access denied

From: nick humphrey <[email protected]>
Date: Fri, 3 Nov 2006 14:48:13 +0100

i found out that i could remove this line:
sslproxy_flags DONT_VERIFY_PEER

but as soon as i removed "sslflags=DONT_VERIFY_PEER" in the cache_peer
line i was not able to connect to wl81machine from the internet, and
the terminal window on wl81machine spat out stuff like this:
----------------
<Error> <Security> <BEA-090133> <Could not load a jks keystore from
the file /usr/bea/jdk142_05/jre/lib/security/cacerts. Exception:
java.io.IOException: Keystore was tampered with, or password was
incorrect>
<Warning> <Security> <BEA-090164> <Failed to load trusted certificates
from keystore /usr/bea/jdk142_05/jre/lib/security/cacerts of type jks>
<Warning> <Security> <BEA-090172> <No trusted certificates have been
loaded. Server will not trust to any certificate it receives.>
<Info> <WebLogicServer> <BEA-000307> <Exportable key maximum lifespan
set to 500 uses.>
<Info> <WebLogicServer> <BEA-000300> <Certificate contents: 1
certificate(s): fingerprint = 9159e9828376b26ccc9e68daadeb0f0d, not
before = Tue Oct 31 09:38:10 CET 2006, not after = Mon Jan 29 09:38:10
CET 2007, holder = C=se SP=minkommune L=minby O=minbedrift OU=teknisk
CN=minbedrift.no-ip.com , issuer = C=se SP=minkommune L=minby
O=minbedrift OU=teknisk CN=minbedrift.no-ip.com , key = modulus
length=129, exponent length=3>
...
<Warning> <Security> <BEA-090487> <UNKNOWN_CA alert received from
deb3machine.lan - 192.168.0.9. The peer is rejecting the certificate
chain as being untrusted or incomplete.>
-----------------
where deb3machine is the one running the squid reverse proxy with ssl...

it also works just fine with and without originserver in the
cache_peer line...weird...it seems to make no difference.

thanks for the cosmetic note =) implemented ;)

for those interested, here's my squid.conf:
http://norgesinternettforum.no/showpost.php?p=2652&postcount=2

one question i still have though is, when something does go wrong, the
error page shows the ip address to the internal machine. i don't want
that. is that an error page template i need to edit to remove that?
how would i get it to display the external domain name instead (if
possible)?

thanks
Nick Humphrey
2006/11/2, Henrik Nordstrom <henrik@henriknordstrom.net>:
> Thu 2006-11-02 at 15:54 +0100, nick humphrey wrote:
>
> > cache_peer 192.168.0.150 parent 8080 3130 ssl sslflags=DONT_VERIFY_PEER no-query
>
> DONT_VERIFY_PEER opens you to man-in-the-middle attacks. Better to give
> it the CA information needed to validate the peer.
>
> Also you need the originserver option to tell Squid it's an origin
> server.
>
> Cosmetic note: I find it easier to read using ICP port 0 when using the
> no-query option.
>
> Regards
> Henrik
>
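Henrik's advice above, written out as an added squid.conf fragment (this is not from the original post or from the linked squid.conf): the weak cache_peer line beside a corrected one that verifies the origin server's certificate. The CA file path and ICP port 0 are assumptions; the CN comes from the WebLogic log excerpt above.

```conf
# Before: the peer certificate is never checked, so whoever answers on
# the path to 192.168.0.150 can impersonate the origin server.
# cache_peer 192.168.0.150 parent 8080 3130 ssl sslflags=DONT_VERIFY_PEER no-query

# After: verify the origin's certificate against a CA file and pin the
# expected name. The log above shows a self-signed certificate
# (issuer == holder, CN=minbedrift.no-ip.com), so that certificate
# itself, in PEM form, is what goes into the CA file.
# originserver tells Squid this peer is an origin server, not another proxy.
# ICP port is 0 because no-query means ICP is never used.
# /etc/squid/origin-ca.pem is an assumed path.
cache_peer 192.168.0.150 parent 8080 0 ssl originserver sslcafile=/etc/squid/origin-ca.pem ssldomain=minbedrift.no-ip.com no-query
```

The "Keystore was tampered with, or password was incorrect" lines in the log are a separate problem on the WebLogic side (its own cacerts keystore), independent of which certificates Squid trusts.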
Received on Fri Nov 03 2006 - 06:48:17 MST

This archive was generated by hypermail pre-2.1.9 : Fri Dec 01 2006 - 12:00:02 MST