Re: Reverse proxy: http to https and certificate authentication

[Amos Jeffries <squid3@xxxxxxxxxxxxx>]

Mailing List SVR wrote:
> Il giorno dom, 01/02/2009 alle 21.56 +1300, Amos Jeffries ha scritto:
> > Mailing List SVR wrote:
> > > Il giorno dom, 01/02/2009 alle 20.28 +1300, Amos Jeffries ha scritto:
> > > > Mailing List SVR wrote:
> > > > > Hi all,
> > > > >
> > > > > I have a soap client using python ZSI, the other end is oracle soa
> > > > > 10.1.3.1.0 all works fine since some months. The last week oracle soa
> > > > > was configured to accept client certificate authentication over https.
> > > > > If I try to use the standard python httplib.HTTPSConnection library it
> > > > > fails with the infamous "bad record mac" error and so also ZSI that use
> > > > > httplib. Other java tools such as soapui works just fine with oracle
> > > > > soa. 
> > > > >
> > > > > Can squid do the hard work for me in the following configuration?
> > > > >
> > > > > ZSI soap client -> squid proxy over http -> oracle soa https
> > > > >
> > > > > however squid could be authenticate to oracle soa loading the cert file
> > > > > and the cert key from a local file.
> > > > >
> > > > > So I would like to send my soap request to squid over http and squid
> > > > > could connect to oracle soa over https presenting its own client
> > > > > certificate (not send from my application but load from local file).
> > > > >
> > > > > Is this configuration possible?
> > > > >
> > > > > thanks
> > > > > Nicola
> > > > Yes Squid can certainly act as a HTTP->HTTPS proxy for you.
> > > > Just configure a normal cache_peer pointing at oracle to using SSL,
> > > >   http://www.squid-cache.org/Doc/config/cache_peer/
> > > > and configure ZSI to connect to the Squid HTTP port without SSL.
> > > thanks but squid need to present a client certificate to authenticate
> > > against oracle, cache peer seems lack directive to specify certificate,
> > Look again:
> >      ssl
> >      sslcert=/path/to/ssl/certificate
> >      sslkey=/path/to/ssl/key
> >      sslversion=1|2|3|4
> >      sslcipher=...
> >      ssloptions=...
>
> You are right but I'm ot a squid expert so I need some more directions
> please.
>
> I added this line to squid.conf
>
> cache_peer <oraclesoahostname>   parent    443  0 no-query no-digest
> no-netdb-exchange proxy-only default ssl
> sslcert=/etc/squid/cert/clients1.crt sslkey=/etc/squid/cert/clients1.key
> sslversion=1
>
> <oraclesoahostanme> is in my hosts file,
>
> now how squid redirect the request to <oraclesoahostname> and how I can
> connect to squid? On standard 3128 port (for example wget
> http://<squidip>:squidport/<what here?>>) or I have to use it as http
> proxy (export HTTP_PROXY=...)? 
>
> thanks for your patience,
>
> Nicola

Depends on whether Squid is listening on.
Normal http_port 3128 is connected to normally as any other proxy with 
HTTP to port 3128.

If the certificate is working, squid will startup and mention that its 
read and checked the cert. And requests go out to the peer.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE5 or 3.0.STABLE12
  Current Beta Squid 3.1.0.4