Hello,

I am trying to use Squid as proxy so that traffic goes through an icap service I built and continues to intended site. I will have several clients (browsers) that are accessing several server sites. I need help configuring https correctly :(

I tried testing out my configuration using a browser from ip: 9.148.16.192

I used Firefox FoxyProxy plugin to direct http traffic to 9.148.26.247:3128 and https to 3129 (machine/ports where my squid is listening, checked this with netstat)

I started testing two sites, one http and another https:
1. http://mydomain.com/MyCRM/index.php
2. https://9.148.26.247:8443/ - this site runs on tomcat that I configured with mykey.jks

When I start I get all OK messages:

2011/03/01 08:23:40| Accepting HTTP connections at [::]:3128, FD 15.
2011/03/01 08:23:40| Accepting HTTPS connections at [::]:3129, FD 16.
2011/03/01 08:23:40| HTCP Disabled.
2011/03/01 08:23:40| Configuring Parent 9.148.16.192/3129/0

When I try site 1 (http) all seems to work fine. However when I try site 2, I get an error:

2011/03/01 08:37:54| clientNegotiateSSL: Error negotiating SSL connection on FD 12: error:1407609B:SSL routines:SSL23_GET_CLIENT_HELLO:https proxy request (1/-1)

Where am I going wrong??

Many thanks,
Ariel :)

My config is below:

#
# configure https port
#
https_port 3129 key=/root/security/mykey.key.pem cert=/root/security/mycert.crt.pem vhost
cache_peer 9.148.16.192 parent 3129 0 no-query originserver ssl sslflags=DONT_VERIFY_PEER name=securePeer1
cache_peer_access securePeer1 allow all

acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access allow localhost
always_direct allow all
http_access allow all

# Squid normally listens to port 3128
http_port 3128

# We recommend you to use at least the following line.
hierarchy_stoplist cgi-bin ?

# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid

# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

icap_log /var/log/squid/icap.log icap_squid
icap_enable on
icap_send_client_ip on
icap_service_failure_limit -1
icap_service_revival_delay 30
icap_service myservice respmod_precache bypass=0 icap://127.0.0.1:1344/myservice
adaptation_access myservice allow all

request_header_access Accept-Encoding deny all
append_domain .haifa.ibm.com
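
Added example, not part of the original post: the OpenSSL reason string "https proxy request" in the log above is what a TLS listener reports when the first bytes it reads are a plaintext CONNECT request rather than a ClientHello. The sketch below classifies those first bytes and applies the posted `http_access deny CONNECT !SSL_ports` rule; the function names and byte samples are constructed for illustration.

```python
# Constructed samples: the first bytes a client sends to a proxy port.
CONNECT_8443 = b"CONNECT 9.148.26.247:8443 HTTP/1.1\r\nHost: 9.148.26.247:8443\r\n\r\n"
CLIENT_HELLO = bytes([0x16, 0x03, 0x01, 0x00, 0x2F, 0x01, 0x00, 0x00, 0x2B])
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")

def classify_first_bytes(data: bytes) -> str:
    """Name the kind of traffic that opened the connection."""
    # TLS record: type 0x16 (handshake), major version 0x03, then the
    # handshake message type 0x01 (ClientHello) at offset 5.
    if len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01:
        return "tls_client_hello"
    if data.startswith(b"CONNECT "):
        return "plaintext_connect"
    if data.startswith(HTTP_METHODS):
        return "plaintext_http"
    return "unknown"

def connect_target(data: bytes):
    """Parse 'CONNECT host:port HTTP/1.x'; return (host, port) or None."""
    if not data.startswith(b"CONNECT "):
        return None
    parts = data.split(b"\r\n", 1)[0].split(b" ")
    if len(parts) != 3:
        return None
    host, sep, port = parts[1].rpartition(b":")
    if not sep or not port.isdigit():
        return None
    return host.decode("ascii", "replace"), int(port)

def diagnose(data: bytes, listener_expects_tls: bool, ssl_ports=(443,)) -> str:
    """ssl_ports defaults to the posted 'acl SSL_ports port 443'."""
    kind = classify_first_bytes(data)
    if listener_expects_tls != (kind == "tls_client_hello"):
        expected = "TLS" if listener_expects_tls else "plaintext HTTP"
        return f"mismatch: listener expects {expected}, got {kind}"
    if kind == "plaintext_connect":
        target = connect_target(data)
        if target is None:
            return "malformed CONNECT"
        if target[1] not in ssl_ports:
            return f"CONNECT to port {target[1]} denied: not in SSL_ports"
        return "CONNECT accepted"
    return f"no mismatch: {kind}"

if __name__ == "__main__":
    print(diagnose(CONNECT_8443, listener_expects_tls=True))   # https_port case
    print(diagnose(CONNECT_8443, listener_expects_tls=False))  # http_port case
```
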