Re: [squid-users] Re: Configuring Squid to Proxy HTTPS

From: Martin \(Jake\) Jacobson <jakecjacobson_at_gmail.com>
Date: Fri, 4 Feb 2011 10:44:08 -0500

Hi,

I am sorry if I sound like I don't know what I am doing with Squid but
I don't and it is really, really frustrating. I been reading over the
O'Reilly book and I am more lost than ever before.

Here is what I am trying to do:

* My squid box is running on port 3128
* My bot is configured to send requests to my squid box over
http://squidbox:3128
* Squid is then supposed to proxy request to destination and when a
PKI cert challenge is given by destination box, squid would present
its cert/ca chain and not send the challenge back to the requesting
bot.

I wish I could load the bot with its own certs but that is not going
to happen any time soon, so I am forced to try this method.

The good news is I got past the denied error but the bad news is I am
still being challenged for my PKI cert and it doesn't appear that the
certs/ca loaded by the cache_peer line is being loaded or submitted on
my behave.

Correct me if I am wrong, but cache_peer is used to talk to other
squid boxes and not a web server. When I start squid in single user
mode, 'squid -Nd1' I see everything coming up but I don't see anywhere
in the output that it loaded the PKI or CAs. Should I see this?

Here is the cache_peer line I have

cache_peer my_login_site parent 443 0 proxy-only ssl
sslcert=/webroot/conf/squid/.ssl/server.crt
sslkey=/webroot/conf/squid/.ssl/server.key
sslcapath=/webroot/conf/squid/.ssl/ca/ ssldomain=google.intelink.gov
no-query originserver

In my squid access log I see:

1296833229.332 20520 xxx.xxx.xxx.xxx TCP_MISS/200 7596 CONNECT
my_login_site:443 - DIRECT/xxx.xxx.xxx.xxx-

All of the certs and ca are owned by root. Squid is running as user
squid but since I start squid as root, I figured that root would be ok
to own the cert/ca. Is this incorrect?

Thanks for any help anyone can give me on this and sorry for the
length of this post.

Jake Jacobson

http://www.google.com/profiles/jakecjacobson

Our greatest fear should not be of failure,
but of succeeding at something that doesn't really matter.
�� -- ANONYMOUS

On Thu, Feb 3, 2011 at 4:34 PM, Martin (Jake) Jacobson
<jakecjacobson_at_gmail.com> wrote:
> Amos,
>
> Thank you for the help. �I was able to get squid configured and
> running but I am getting an "access denied" error from squid when
> trying to connect. �In the squid access logs I see something like
> "TCP_DENIED/403 1539 CONNECT www.mydestination.com:443"
>
> I didn't change any of the minimum acl or http_access lines in the
> basic squid configuration. �Can you point me in the correct direction
> on this problem? � Again, thanks for your help.
>
> Jake Jacobson
>
> http://www.google.com/profiles/jakecjacobson
>
> Our greatest fear should not be of failure,
> but of succeeding at something that doesn't really matter.
> �� -- ANONYMOUS
>
>
>
> On Wed, Feb 2, 2011 at 10:04 PM, Amos Jeffries <squid3_at_treenet.co.nz> wrote:
>> On Wed, 2 Feb 2011 11:15:31 -0500, "Martin \(Jake\) Jacobson" wrote:
>>> Hi,
>>>
>>> I need to configure a proxy box that will proxy a site that requires a
>>> PKI cert. �The site requires a chained cert and fails if the cert
>>> presented is unchained. �We have a bot that is only presenting its
>>> cert and not the complete chain so it fails the connection.
>>
>> Sounds like you need to figure out why a non-chained cert was loaded into
>> the bot in the first place.
>>
>>>
>>> I am wondering if we could have squid make the request for the
>>> resource and instead of using the bot's cert, the squid client would
>>> use the chained cert that I have loaded with squid?
>>>
>>> Jake Jacobson
>>
>> To use Squid certs you will need the bot to communicate over unsecured
>> HTTP with Squid.
>> Then you just configure a cache_peer line in Squid presenting the relevant
>> cert to the website.
>>
>> Amos
>>
>
Received on Fri Feb 04 2011 - 15:44:16 MST

This archive was generated by hypermail 2.2.0 : Sat Feb 05 2011 - 12:00:01 MST