Re: squid AND ssl

joe ryan wrote:
> Hi,
> I have a simple webserver that listens on port 80 for requests. I
> would like to secure access to this webserver using squid and SSL. I
> can access the simple website through http without any issue. When I

As your config shows. Squid is never involved with port 80 inbound traffic.

> try and access it using https: I get a message in the cache file. See
> attached.
> The web page error shows up as Connection to 192.168.0.1 Failed
> The system returned:
>     (13) Permission denied
>
> I am running Squid stable 2.7 and I used openssl to generate the cert and key.
> I have attached my conf file and cache errors.
> Can squid secure an insecure webserver the way I am trying to do?


From your config:
> http_port 192.168.0.1:8080
 ...
> http_access allow all

This is not a secure configuration. Either use accel options on the port line to set default handling security. Or explicitly permit and deny specific access to things using ACL.

Also this:

> acl webSrv dst 192.168.0.1
> acl webPrt port 80
> http_access allow webSrv webprt

Is even less secure. As an accelerator clients will never visit squid asking for port 80, since squid does not listen there.

These two lines:
> https_port 192.168.0.1:443 accel <snip>
> cache_peer 192.168.0.1 parent 443 0 no-query <snip>

explicitly state that all incoming HTTPS requests are to be looped from squid into squid ... infinity.

But luckily for you ...

> always_direct allow all

... prevents any cache_peer ever being used.


I believe you need to chop your http_port and http_access configuration back to the defaults then reconstruct along these guidelines for the HTTP portion:
 http://wiki.squid-cache.org/ConfigExamples/Reverse/BasicAccelerator

At which point you should have both HTTP and HTTPS accepted by squid and passed to the HTTPS-enabled web server.


For Squid to be a proper reverse-proxy/accelerator you need Squid to listen on port 192.168.0.1:80 and the app to listen on some other IP port 80 (127.0.0.1:80 is commonly used in these circumstances).


I also get the impression the web server is not HTTPS enabled. Therefore you probably do not actually want any SSL options on the cache_peer line. Then HTTPS will be on the public clients->squid link and internal link plain HTTP.


Amos
--
Please be using
  Current Stable Squid 2.7.STABLE6 or 3.0.STABLE14
  Current Beta Squid 3.1.0.7
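The reverse-proxy layout Amos describes, written out as a squid.conf fragment. This is an added illustration, not joe's posted config and not Amos's own text; it assumes the site is reached as www.example.com, that the certificate and key live at /etc/squid/cert.pem and /etc/squid/key.pem, and that the web server has been rebound to 127.0.0.1:80. Keep the stock Safe_ports/manager http_access rules in front of these lines.

```conf
# Lines from the posted config that have to go (see the reply above):
#   http_port 192.168.0.1:8080
#   http_access allow all                              # open proxy
#   cache_peer 192.168.0.1 parent 443 0 no-query ...   # squid -> squid loop
#   always_direct allow all                            # every cache_peer ignored

# Squid owns the public IP on ports 80 and 443; the backend moves to 127.0.0.1:80.
# Hostname, certificate and key paths are assumptions: replace with your own.
http_port  192.168.0.1:80  accel defaultsite=www.example.com vhost
https_port 192.168.0.1:443 accel defaultsite=www.example.com vhost cert=/etc/squid/cert.pem key=/etc/squid/key.pem

# Plain-HTTP origin server on the loopback interface. No ssl option here:
# the backend is not HTTPS-enabled, so TLS terminates at Squid and the
# internal hop stays plain HTTP.
cache_peer 127.0.0.1 parent 80 0 no-query originserver name=webSrv

# Only requests for our own site are accepted and handed to the origin peer.
acl our_sites dstdomain www.example.com
http_access allow our_sites
cache_peer_access webSrv allow our_sites
cache_peer_access webSrv deny all

# Everything else, including attempts to use Squid as an open proxy, is refused.
http_access deny all
```

With this in place a client's HTTPS request hits Squid on 443, is matched against our_sites, and is forwarded over plain HTTP to 127.0.0.1:80; nothing is ever sent back to Squid's own listening ports.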
