Re: Web client not capable of SSL

Well, I'm almost there. My config now looks like this ...

-------------------
http_port 8080
http_access allow all

cache_peer www.binsearch.info sibling 443 0 no-query default ssl sslflags=DONT_VERIFY_DOMAIN proxy-only

acl binsearch dstdomain www.binsearch.info
never_direct allow binsearch

cache_peer_access www.binsearch.info allow all
-------------------

This is just a test, since I still have to add the client certificate and, as you may understand, I will not get me in all of this for the binsearch.info website. So, it's all for testing purposes.

For some reason this config gives security errors. This is the page I will see in the browser.

-------------------
ERROR
The requested URL could not be retrieved

While trying to retrieve the URL: http://www.binsearch.info/

The following error was encountered:

   * Unable to forward this request at this time.

This request could not be forwarded to the origin server or to any parent caches. The most likely cause for this error is that:

   * The cache administrator does not allow this cache to make direct connections to origin servers, and
   * All configured parent caches are currently unreachable.

Your cache administrator is webmaster.
Generated Mon, 03 May 2010 01:33:02 GMT by localhost (squid/3.0.STABLE8)
-------------------

All other domains I browse are working perfectly. It might have something to do with the never_direct setting. When I remove that section everything is working smoothly.

What am I doing wrong here? Did I miss something?

Thanks in advance, Dj.



Henrik Nordström wrote:
Sun 2010-05-02 at 13:43 +0200, D.Veenker wrote:
My web client is not capable of SSL and definitely no client certificates.

- Can Squid do all the SSL-work in a transparent way, including the client certificates?

Yes.

- What does the config look like?

Depends, but based on your later response it can be done two ways

a) Via a cache_peer for the site in question, using the ssl and
originserver options, and port 443 instead of 80. You can also specify
the client certificate here. In addition to cache_peer you also need to
specify never_direct for this site to force Squid to always use the
cache_peer.

b) By using a URL rewriter helper to rewrite the request to https://
instead of http://. But it gets a little messier to configure which client
certificate Squid should use here as there is only a global setting and
not per requested site like when using cache_peer.

- Do I need to recompile Squid with --enable-ssl?

Yes. Your Squid needs native SSL support to be able to wrap HTTP
requests in SSL. Tunnel mode is not sufficient for this.

Regards
Henrik
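
A small check for the configuration points raised in this thread, added as an example and not part of either poster's message: it flags a TLS `cache_peer` that is not a `parent` while `never_direct` is in use, a missing `originserver`, `sslflags=DONT_VERIFY_*`, and `http_access allow all`. The finding names, the corrected configuration, its certificate paths and the `localnet` range are assumptions made for the example.

```python
# The configuration posted in the thread, copied verbatim.
PAGE_CONF = """\
http_port 8080
http_access allow all
cache_peer www.binsearch.info sibling 443 0 no-query default ssl sslflags=DONT_VERIFY_DOMAIN proxy-only
acl binsearch dstdomain www.binsearch.info
never_direct allow binsearch
cache_peer_access www.binsearch.info allow all
"""

# Constructed corrected variant (assumption): localnet range and cert paths are placeholders.
FIXED_CONF = """\
http_port 8080
acl localnet src 192.168.0.0/16
http_access allow localnet
http_access deny all
cache_peer www.binsearch.info parent 443 0 no-query originserver ssl sslcert=/etc/squid/client.pem sslkey=/etc/squid/client.key
acl binsearch dstdomain www.binsearch.info
never_direct allow binsearch
cache_peer_access www.binsearch.info allow binsearch
cache_peer_access www.binsearch.info deny all
"""

def lint(conf):
    """Return sorted finding codes (names are this example's own) for squid.conf text."""
    rules = [line.split("#", 1)[0].split() for line in conf.splitlines()]
    rules = [r for r in rules if r]
    never_direct = any(r[:2] == ["never_direct", "allow"] for r in rules)
    findings = set()
    for r in rules:
        # Any client that can reach the port may use the proxy (and the peer's client cert, once added).
        if r == ["http_access", "allow", "all"]:
            findings.add("open-proxy")
        # Syntax: cache_peer hostname type http-port icp-port [options]
        if r[0] != "cache_peer" or len(r) < 5 or "ssl" not in r[5:]:
            continue
        peer_type, opts = r[2], r[5:]
        # never_direct needs a parent to forward to; a sibling only serves cache hits.
        if never_direct and peer_type != "parent":
            findings.add("tls-peer-not-parent")
        # originserver tells Squid the peer is the web server itself, not another proxy.
        if "originserver" not in opts:
            findings.add("tls-peer-missing-originserver")
        # DONT_VERIFY_PEER / DONT_VERIFY_DOMAIN switch off certificate checks for the peer.
        if any(o.startswith("sslflags=") and "DONT_VERIFY" in o for o in opts):
            findings.add("tls-verification-disabled")
    return sorted(findings)

if __name__ == "__main__":
    print("posted:", lint(PAGE_CONF))
    print("fixed: ", lint(FIXED_CONF))
```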



