On 05/02/11 04:44, Martin (Jake) Jacobson wrote:
> Hi, I am sorry if I sound like I don't know what I am doing with Squid, but I don't and it is really, really frustrating. I have been reading over the O'Reilly book and I am more lost than ever before. Here is what I am trying to do:
>
> * My squid box is running on port 3128
> * My bot is configured to send requests to my squid box over http://squidbox:3128
> * Squid is then supposed to proxy the request to the destination, and when a PKI cert challenge is given by the destination box, squid would present its cert/CA chain and not send the challenge back to the requesting bot.
>
> I wish I could load the bot with its own certs but that is not going to happen any time soon, so I am forced to try this method. The good news is I got past the denied error, but the bad news is I am still being challenged for my PKI cert and it doesn't appear that the certs/CA loaded by the cache_peer line are being loaded or submitted on my behalf. Correct me if I am wrong, but cache_peer is used to talk to other squid boxes and not a web server. When I start squid in single user
You are wrong. cache_peer is used to connect to a specific HTTP service. Proxy, web server, or web application does not matter. Though usually only proxies provide the ICP/HTCP needed by 'sibling'. 'parent' type can be any provider service.
> mode, 'squid -Nd1', I see everything coming up but I don't see anywhere in the output that it loaded the PKI or CAs. Should I see this?
I believe you should see "Initializing https proxy context" followed by a "Initializing cache_peer XX SSL context" for each SSL peer. They are displayed at cache.log display level 3,1
> Here is the cache_peer line I have:
>
> cache_peer my_login_site parent 443 0 proxy-only ssl sslcert=/webroot/conf/squid/.ssl/server.crt sslkey=/webroot/conf/squid/.ssl/server.key sslcapath=/webroot/conf/squid/.ssl/ca/ ssldomain=google.intelink.gov no-query originserver
>
> In my squid access log I see:
>
> 1296833229.332 20520 xxx.xxx.xxx.xxx TCP_MISS/200 7596 CONNECT my_login_site:443 - DIRECT/xxx.xxx.xxx.xxx -
>
> All of the certs and CA are owned by root. Squid is running as user squid, but since I start squid as root, I figured that root would be ok to own the cert/CA. Is this incorrect? Thanks for any help anyone can give me on this, and sorry for the length of this post.
You are most of the way there. You still have to make the bot pass its requests to the proxy so Squid can see them as HTTP instead of encrypted CONNECT body data.
You could use https_port as an SSL reverse-proxy for that site and fool the bot into connecting its encryption to Squid instead.
Or on the trickier side you may be able to configure the bot to send its requests to Squid as http://...:443/ instead of https://
Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.10
  Beta testers wanted for 3.2.0.4
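The setup Amos outlines (Squid terminating the bot's TLS as a reverse proxy, then presenting the client certificate to the origin), written out as a squid.conf sketch. This is an added example, not configuration from the thread or from the Squid project; hostnames, the bot address, the peer name and the listener certificate paths are placeholders.

```squid
# 1. Reverse-proxy listener. The bot is pointed at https://squidbox:443/
#    instead of the CONNECT-style proxy port, so Squid terminates the TLS
#    session and sees plain HTTP requests rather than an opaque tunnel
#    (the TCP_MISS/200 CONNECT line in access.log is that tunnel).
#    listener.crt/key are Squid's own server certificate, distinct from the
#    client certificate handed to the origin below.
https_port 443 accel defaultsite=my_login_site vhost \
    cert=/webroot/conf/squid/.ssl/listener.crt \
    key=/webroot/conf/squid/.ssl/listener.key

# 2. The origin as an SSL parent. sslcert/sslkey are the client certificate
#    and key Squid presents when my_login_site requests one. sslcapath must
#    hold the CA certificates under their OpenSSL hash names (run c_rehash
#    on the directory); plain filenames there are silently ignored and the
#    peer's chain then fails verification.
cache_peer my_login_site parent 443 0 no-query originserver ssl \
    sslcert=/webroot/conf/squid/.ssl/server.crt \
    sslkey=/webroot/conf/squid/.ssl/server.key \
    sslcapath=/webroot/conf/squid/.ssl/ca/ \
    ssldomain=my_login_site \
    name=login_peer

# 3. Least privilege on the proxy side: only the bot may use this path, only
#    for that site, and the request must go via the certificate-bearing peer
#    rather than DIRECT (which would reproduce the original challenge).
acl bot_src src 10.0.0.5/32            # placeholder address of the bot
acl login_site dstdomain my_login_site
http_access allow bot_src login_site
http_access deny all
cache_peer_access login_peer allow login_site
cache_peer_access login_peer deny all
never_direct allow login_site
```

With this in place the cache.log lines Amos mentions ("Initializing https proxy context", "Initializing cache_peer login_peer SSL context") are the quickest confirmation that both certificate sets were actually read at startup.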