i found out that i could remove this line:

sslproxy_flags DONT_VERIFY_PEER

but as soon as i removed "sslflags=DONT_VERIFY_PEER" in the cache_peer line i was not able to connect to wl81machine from the internet, and the terminal window on wl81machine spat out stuff like this:

----------------
<Error> <Security> <BEA-090133> <Could not load a jks keystore from the file /usr/bea/jdk142_05/jre/lib/security/cacerts. Exception: java.io.IOException: Keystore was tampered with, or password was incorrect>
<Warning> <Security> <BEA-090164> <Failed to load trusted certificates from keystore /usr/bea/jdk142_05/jre/lib/security/cacerts of type jks>
<Warning> <Security> <BEA-090172> <No trusted certificates have been loaded. Server will not trust to any certificate it receives.>
<Info> <WebLogicServer> <BEA-000307> <Exportable key maximum lifespan set to 500 uses.>
<Info> <WebLogicServer> <BEA-000300> <Certificate contents: 1 certificate(s): fingerprint = 9159e9828376b26ccc9e68daadeb0f0d, not before = Tue Oct 31 09:38:10 CET 2006, not after = Mon Jan 29 09:38:10 CET 2007, holder = C=se SP=minkommune L=minby O=minbedrift OU=teknisk CN=minbedrift.no-ip.com , issuer = C=se SP=minkommune L=minby O=minbedrift OU=teknisk CN=minbedrift.no-ip.com , key = modulus length=129, exponent length=3>
...
<Warning> <Security> <BEA-090487> <UNKNOWN_CA alert received from deb3machine.lan - 192.168.0.9. The peer is rejecting the certificate chain as being untrusted or incomplete.>
-----------------

where deb3machine is the one running the squid reverse proxy with ssl...

it also works just fine with and without originserver in the cache_peer line... weird... it seems to make no difference.

thanks for the cosmetic note =) implemented ;)

for those interested, here's my squid.conf:
http://norgesinternettforum.no/showpost.php?p=2652&postcount=2

one question i still have though is, when something does go wrong, the error page shows the ip address to the internal machine. i don't want that. is that an error page template i need to edit to remove that? how would i get it to display the external domain name instead (if possible)?

thanks
Nick Humphrey

2006/11/2, Henrik Nordstrom <henrik@xxxxxxxxxxxxxxxxxxx>:
Thu 2006-11-02 at 15:54 +0100, nick humphrey wrote:
> cache_peer 192.168.0.150 parent 8080 3130 ssl sslflags=DONT_VERIFY_PEER no-query

DONT_VERIFY_PEER opens you to man-in-the-middle attacks. Better to give it the CA information needed to validate the peer..

Also you need the originserver option to tell Squid it's an origin server.

Cosmetic note: I find it easier to read using ICP port 0 when using the no-query option.

Regards
Henrik
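As an added example, not from the thread or from the linked squid.conf: the quoted cache_peer line beside a version that follows Henrik's advice (peer certificate verification against a CA file, originserver, ICP port 0 with no-query). The CA file path is an assumption; the ssldomain value is taken from the certificate CN shown in the WebLogic log, and since holder and issuer there are identical the certificate is self-signed, so the CA file is just that certificate exported in PEM form.

```conf
# Weak form (the line Henrik quoted): the TLS session to the WebLogic
# peer is encrypted, but its certificate is never checked, so whatever
# answers on 192.168.0.150:8080 is accepted. That is the
# man-in-the-middle exposure Henrik describes.
#cache_peer 192.168.0.150 parent 8080 3130 ssl sslflags=DONT_VERIFY_PEER no-query

# Hardened form:
#  - originserver : the peer is the origin web server, not another proxy
#  - ICP port 0   : no-query means ICP is never used, so advertise no port
#  - sslcafile    : trust anchor for verifying the peer certificate; for
#                   the self-signed WebLogic certificate this is that
#                   certificate itself in PEM form (path assumed here)
#  - ssldomain    : the CN from the certificate, because the peer is
#                   addressed by IP and name checking would otherwise fail
cache_peer 192.168.0.150 parent 8080 0 ssl originserver no-query sslcafile=/etc/squid/wl81-selfsigned.pem ssldomain=minbedrift.no-ip.com

# With per-peer verification in place, the global relaxation that was
# removed earlier in the thread stays out as well:
#sslproxy_flags DONT_VERIFY_PEER
```

If the UNKNOWN_CA alert still appears on wl81machine after this change, the file named in sslcafile does not contain the certificate WebLogic actually presents (fingerprint 9159e9828376b26ccc9e68daadeb0f0d in the log above), which is the first thing to compare.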