Re: [squid-users] squid reverse proxy with ssl: access denied

From: Henrik Nordstrom <[email protected]>
Date: Fri, 03 Nov 2006 15:15:12 +0100

Fri 2006-11-03 at 14:48 +0100, nick humphrey wrote:

> but as soon as I removed "sslflags=DONT_VERIFY_PEER" in the cache_peer
> line I was not able to connect to wl81machine from the internet, and
> the terminal window on wl81machine spat out stuff like this:

OpenSSL on your Squid did not know/trust the CA that signed the key
of the web server. The list of trusted CAs can be defined in many
ways, e.g. cafile= or capath=, or even the OpenSSL built-in default
locations.

cafile wants a file containing the public certificates of the trusted
CAs, in PEM format.

capath wants an OpenSSL hashed directory of CA certificates.

> it also works just fine with and without originserver in the
> cache_peer line... weird... it seems to make no difference.

The originserver option is a bit subtle. Most servers work acceptably
without it, but not all. Also, some protocol features like persistent
connections or authentication require it to be set properly.

> one question I still have though is, when something does go wrong, the
> error page shows the IP address of the internal machine. I don't want
> that. Is that an error page template I need to edit to remove that?

Yes, it's in the error directory.

> how would i get it to display the external domain name instead (if
> possible)?

The available template codes can be found in the FAQ section on writing
custom error messages.

Regards
Henrik

Received on Fri Nov 03 2006 - 07:15:22 MST

This archive was generated by hypermail pre-2.1.9 : Fri Dec 01 2006 - 12:00:02 MST
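The trust-store point in Henrik's reply, as an added example that is not part of the thread or of Squid itself: the script below builds a throwaway private CA and an origin-server certificate signed by it (constructed test data), lays the CA out in the two shapes Squid can be pointed at (a PEM bundle and an OpenSSL hashed directory), and then uses openssl(1) to show what Squid's peer verification decides with each store, with no store at all (the failure that sslflags=DONT_VERIFY_PEER was hiding), and with a host-name check. It also prints the weak cache_peer line beside a hardened one. Assumptions: POSIX sh with OpenSSL 1.1.0 or newer on PATH; the placeholder origin 192.0.2.10 and name wl81machine.internal; and the Squid 2.6/3.x cache_peer spellings sslcafile=, sslcapath= and ssldomain= (cafile=/capath= as written in the reply are the https_port spellings; Squid 4 and later also accept tls-cafile=/tls-capath=).

```shell
#!/bin/sh
# Added example for the squid-users thread; not Henrik's code, not Squid's.
# Assumes OpenSSL >= 1.1.0 (-no-CAfile/-no-CApath, non-zero exit on failure).
# 192.0.2.10 and wl81machine.internal are placeholders.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# 1. Constructed test PKI: a private CA and an origin-server cert it signed.
make_test_pki() {
    cat > "$WORK/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 1 \
        -config "$WORK/openssl.cnf" -extensions v3_ca \
        -subj "/CN=Example Private CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -config "$WORK/openssl.cnf" -subj "/CN=wl81machine.internal" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
    printf '%s\n' 'basicConstraints = CA:FALSE' \
        'subjectAltName = DNS:wl81machine.internal' \
        'extendedKeyUsage = serverAuth' > "$WORK/server.ext"
    openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.pem" \
        -CAkey "$WORK/ca.key" -CAcreateserial -sha256 -days 1 \
        -extfile "$WORK/server.ext" -out "$WORK/server.pem" 2>/dev/null
}

# 2. The two trust-store shapes: sslcafile= takes the PEM bundle ($WORK/ca.pem)
#    as is; sslcapath= wants a directory of <subject_hash>.0 entries, which is
#    what c_rehash produces. (OpenSSL 0.9.x, current in 2006, hashes names
#    differently; -subject_hash_old reproduces that layout.)
capath_entry() {
    echo "$(openssl x509 -in "$WORK/ca.pem" -noout -subject_hash).0"
}
build_capath() {
    mkdir -p "$WORK/capath"
    cp "$WORK/ca.pem" "$WORK/capath/$(capath_entry)"
}

# 3. The decision Squid's OpenSSL makes on the peer cert, reproduced with
#    openssl verify. $1 = cafile | capath | none; optional $2 = the host name
#    the cert must carry (what ssldomain= pins when the peer is an IP).
#    "none" is what Squid sees with no trust anchors configured.
verify_peer() {
    host_opt=""
    [ -n "${2:-}" ] && host_opt="-verify_hostname $2"
    case "$1" in
        cafile) openssl verify -CAfile "$WORK/ca.pem" $host_opt "$WORK/server.pem" ;;
        capath) openssl verify -CApath "$WORK/capath" $host_opt "$WORK/server.pem" ;;
        none)   openssl verify -no-CAfile -no-CApath $host_opt "$WORK/server.pem" ;;
        *)      echo "unknown trust store: $1" >&2; return 2 ;;
    esac
}

# 4. The cache_peer line as posted (weak) next to the hardened form.
print_cache_peer_lines() {
    cat <<EOF
# Weak: the origin's certificate is never checked, so anyone who can steer
# Squid's connection to 192.0.2.10 can impersonate the origin.
cache_peer 192.0.2.10 parent 443 0 no-query originserver ssl sslflags=DONT_VERIFY_PEER name=wl81

# Hardened: chain check against our CA (sslcafile=, or sslcapath=$WORK/capath)
# plus the name the peer must present, since it is addressed by IP.
cache_peer 192.0.2.10 parent 443 0 no-query originserver ssl sslcafile=$WORK/ca.pem ssldomain=wl81machine.internal name=wl81
EOF
}

make_test_pki
build_capath
print_cache_peer_lines
verify_peer cafile wl81machine.internal
verify_peer capath wl81machine.internal
verify_peer none || echo "no trust anchors: the failure DONT_VERIFY_PEER was masking"
```

Run it as is; the two verify calls with a store print "OK", the third fails with "unable to get local issuer certificate", which is the condition the original poster hit once DONT_VERIFY_PEER was removed. Copy the real CA bundle (not the throwaway one) to a path Squid can read and use the hardened cache_peer line; keep ssldomain= whenever the peer is named by IP, because a chain check alone would still accept any certificate that CA has issued.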