Hi, I am sorry if I sound like I don't know what I am doing with Squid, but I don't and it is really, really frustrating. I've been reading over the O'Reilly book and I am more lost than ever before.

Here is what I am trying to do:

* My squid box is running on port 3128
* My bot is configured to send requests to my squid box over http://squidbox:3128
* Squid is then supposed to proxy the request to the destination and, when a PKI cert challenge is given by the destination box, squid would present its cert/CA chain and not send the challenge back to the requesting bot.

I wish I could load the bot with its own certs but that is not going to happen any time soon, so I am forced to try this method.

The good news is I got past the denied error, but the bad news is I am still being challenged for my PKI cert and it doesn't appear that the certs/CA loaded by the cache_peer line are being loaded or submitted on my behalf. Correct me if I am wrong, but cache_peer is used to talk to other squid boxes and not a web server.

When I start squid in single user mode, 'squid -Nd1', I see everything coming up but I don't see anywhere in the output that it loaded the PKI or CAs. Should I see this?

Here is the cache_peer line I have:

cache_peer my_login_site parent 443 0 proxy-only ssl sslcert=/webroot/conf/squid/.ssl/server.crt sslkey=/webroot/conf/squid/.ssl/server.key sslcapath=/webroot/conf/squid/.ssl/ca/ ssldomain=google.intelink.gov no-query originserver

In my squid access log I see:

1296833229.332 20520 xxx.xxx.xxx.xxx TCP_MISS/200 7596 CONNECT my_login_site:443 - DIRECT/xxx.xxx.xxx.xxx -

All of the certs and CA are owned by root. Squid is running as user squid, but since I start squid as root, I figured that root would be OK to own the cert/CA. Is this incorrect?

Thanks for any help anyone can give me on this, and sorry for the length of this post.
Jake Jacobson
http://www.google.com/profiles/jakecjacobson

Our greatest fear should not be of failure,
but of succeeding at something that doesn't really matter.
-- ANONYMOUS

On Thu, Feb 3, 2011 at 4:34 PM, Martin (Jake) Jacobson <jakecjacobson@xxxxxxxxx> wrote:
> Amos,
>
> Thank you for the help. I was able to get squid configured and
> running, but I am getting an "access denied" error from squid when
> trying to connect. In the squid access logs I see something like
> "TCP_DENIED/403 1539 CONNECT www.mydestination.com:443"
>
> I didn't change any of the minimum acl or http_access lines in the
> basic squid configuration. Can you point me in the correct direction
> on this problem? Again, thanks for your help.
>
> Jake Jacobson
>
> http://www.google.com/profiles/jakecjacobson
>
> Our greatest fear should not be of failure,
> but of succeeding at something that doesn't really matter.
> -- ANONYMOUS
>
>
>
> On Wed, Feb 2, 2011 at 10:04 PM, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
>> On Wed, 2 Feb 2011 11:15:31 -0500, "Martin \(Jake\) Jacobson" wrote:
>>> Hi,
>>>
>>> I need to configure a proxy box that will proxy a site that requires a
>>> PKI cert. The site requires a chained cert and fails if the cert
>>> presented is unchained. We have a bot that is only presenting its
>>> cert and not the complete chain so it fails the connection.
>>
>> Sounds like you need to figure out why a non-chained cert was loaded into
>> the bot in the first place.
>>
>>>
>>> I am wondering if we could have squid make the request for the
>>> resource and instead of using the bot's cert, the squid client would
>>> use the chained cert that I have loaded with squid?
>>>
>>> Jake Jacobson
>>
>> To use Squid certs you will need the bot to communicate over unsecured
>> HTTP with Squid.
>> Then you just configure a cache_peer line in Squid presenting the relevant
>> cert to the website.
>>
>> Amos
>>
>
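A check that goes with the access.log line quoted in the post, added here as an example and not code from the thread or from the Squid project: it parses Squid native-format log lines and reports whether each request was tunnelled (CONNECT), forwarded through a parent such as the cache_peer in the post, fetched directly, or denied by http_access. The sample lines are constructed (placeholder hostnames, RFC 5737 addresses); only the first mirrors the entry shown in the post. The distinction is the whole problem: on a CONNECT/DIRECT line Squid only relays bytes, so the origin's certificate request travels end to end to the bot, and the sslcert=/sslkey= on cache_peer never come into play. Only a plain http:// request that Squid itself forwards to the parent (logged with a *_PARENT hierarchy code) is one where Squid opens the TLS connection and presents that certificate.

```python
"""Sort Squid native access.log lines by how each request was routed.

Added example for the squid-users thread above, not code from the thread or
the Squid project. The sample log lines are constructed; only the first
mirrors the line quoted in the post (with placeholder addresses swapped in).
"""
import re
from collections import Counter
from typing import Dict, List, NamedTuple, Optional

# Squid native log layout (one line per request):
#   time elapsed client action/status bytes method url ident hierarchy/peer type
NATIVE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<action>[A-Z_]+)/(?P<status>\d{3})\s+(?P<size>\d+)\s+"
    r"(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<ident>\S+)\s+"
    r"(?P<hier>[A-Z_]+)/(?P<peer>\S+)(?:\s+(?P<ctype>\S+))?\s*$"
)


class Entry(NamedTuple):
    action: str
    status: int
    method: str
    url: str
    hier: str
    peer: str


def parse_line(line: str) -> Optional[Entry]:
    """Return the fields we route on, or None for a line that is not native format."""
    m = NATIVE_RE.match(line)
    if not m:
        return None
    return Entry(m["action"], int(m["status"]), m["method"], m["url"], m["hier"], m["peer"])


def classify(e: Entry) -> str:
    """Say what Squid actually did with the request.

    tunnel   - CONNECT: Squid only relayed bytes, so the TLS handshake (and any
               client-certificate request inside it) ran end to end between the
               client and the origin; a cache_peer sslcert= is never used here.
    via-peer - forwarded to a parent, i.e. Squid opened the upstream connection
               itself and is the party that presents sslcert=/sslkey=.
    direct   - Squid fetched the URL itself with no parent involved.
    denied   - blocked by http_access before any forwarding decision.
    """
    if e.action.startswith("TCP_DENIED"):
        return "denied"
    if e.method == "CONNECT":
        return "tunnel"
    if e.hier.endswith("_PARENT") or e.hier == "CARP":
        return "via-peer"
    if e.hier == "DIRECT":
        return "direct"
    return "other"


def summarize(lines: List[str]) -> Dict[str, int]:
    """Count routing outcomes across a log excerpt, skipping unparseable lines."""
    counts: Counter = Counter()
    for line in lines:
        e = parse_line(line)
        if e is not None:
            counts[classify(e)] += 1
    return dict(counts)


# Constructed sample excerpt (RFC 5737 addresses, placeholder hostnames).
SAMPLE_LOG = [
    # what the post shows: the bot tunnelled TLS straight through Squid
    "1296833229.332 20520 192.0.2.10 TCP_MISS/200 7596 CONNECT my_login_site:443 - DIRECT/203.0.113.10 -",
    # what a request that really uses the cache_peer looks like: plain http:// in, parent out
    "1296833300.101 312 192.0.2.10 TCP_MISS/200 4120 GET http://my_login_site/login - FIRSTUP_PARENT/my_login_site text/html",
    # the earlier http_access problem from the quoted reply, as a full native-format line
    "1296833100.000 0 192.0.2.10 TCP_DENIED/403 1539 CONNECT www.mydestination.com:443 - NONE/- text/html",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        entry = parse_line(line)
        print(classify(entry) if entry else "unparsed", "|", line[:70])
    print(summarize(SAMPLE_LOG))
```

Run it over a real excerpt filtered to the login host: if every entry comes back as tunnel, the bot is still sending https:// requests (CONNECT) rather than the plain-HTTP form the quoted reply describes, and no amount of cache_peer certificate configuration will change what the origin sees.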