On 17/03/11 22:05, arielf wrote:
Hi all,

I am trying to use squid as a forward proxy for target applications using both http and https sites. I added the following lines to my squid.conf:

http_port 3128 ssl-bump key=/path/mykey.pem cert=/path/mycert.pem
ssl_bump allow all

Now I tested on third party http and https sites, and it works nicely :)

However, when I try to proxy a portal that I configured the security keys for, it does not work.
Please correct me if this is wrong but I suspect your understanding of the terminology is incorrect.
I have not heard tomcat being used as a proxy gateway, so I'm assuming you actually mean it is used as the web app service "server".
"Forward proxy" is a proxy being used by a residential ISP or business to gateway their users out to the general Internet. (there are other uses, but that is the general usage case)
"Reverse proxy" (sometimes called "accelerator proxy") is the type used to act as the front interface for a web service.
The setup description reads a bit like you are struggling to set up Squid as a reverse proxy for tomcat. Possibly as a forward proxy for some local clients at the same time. Correct?
From cache.log:

-----BEGIN SSL SESSION PARAMETERS-----
MHECAQECAgMBBAIANQQg0b4mR/aJ5Vez5HNh6dSwUL4vs/d+v+ceEwKpWxHdFoME
MI3ZqOI/+MjpLLsjIoFchf9dxA/wD9aoZZgrbiq6GRtvOTWRRFeaQA1KFfVgmFo7
FaEGAgRNgfR5ogQCAgEspAIEAA==
-----END SSL SESSION PARAMETERS-----
2011/03/17 07:46:01| SSL unknown certificate error 18 in /C=IL/ST=NA/L=NA/O=IBM/OU=HRL/CN=Magen
2011/03/17 07:46:01| fwdNegotiateSSL: Error negotiating SSL connection on FD 13: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)

I actually configured my tomcat and squid with the same security keystore. Of course tomcat uses JKS and squid uses PEM, so I created a self-signed JKS keystore for tomcat and then exported key and cert in PEM format from it to use for squid. This is how I did it:

keytool -genkey -keyalg RSA -alias mykey -keystore keystore.jks -storepass "password" -validity 365
keytool -export -alias mykey -keystore keystore.jks -file mycert.crt
keytool -import -trustcacerts -alias mycert -file mycert.crt -keystore keystore.jks
keytool -importkeystore -srckeystore keystore.jks -srcstoretype JKS -deststoretype PKCS12 -destkeystore keystore.p12
openssl pkcs12 -in keystore.p12 -out keystore.pem
openssl rsa -in keystore.pem -out mykey.pem
openssl x509 -in keystore.pem -out mycrt.pem

Then I use keystore.jks for tomcat, and mykey.pem/mycert.pem for squid.

Of course, if any of you have made this type of configuration work, I am willing to create any key/cert/keystore for both squid/tomcat since they are both under my control.

If anyone has an idea how to make this work, I'd be VERY grateful.

Thanks,
Ariel.
Amos
--
Please be using
Current Stable Squid 2.7.STABLE9 or 3.1.11
Beta testers wanted for 3.2.0.5
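As an added example (not part of the thread), here is a small Python helper that decodes the two cache.log lines Ariel quoted: Squid's "SSL unknown certificate error N" number is an OpenSSL X509 verify result (18 is a self-signed leaf the proxy does not trust), and the "error:14090086" token is a packed OpenSSL error code (library, function, reason). The code table and the mitigation hints are my own reading of the OpenSSL headers; the Squid directive named in the hint is not mentioned in the thread.

```python
import re

# OpenSSL X509 verify result codes (x509_vfy.h) with a defender's reading of each.
X509_VERIFY_ERRORS = {
    2: ("UNABLE_TO_GET_ISSUER_CERT", "issuer cert is not in the trust store"),
    10: ("CERT_HAS_EXPIRED", "cert expired; reissue it"),
    18: ("DEPTH_ZERO_SELF_SIGNED_CERT", "self-signed leaf the proxy does not trust; "
         "add it to the proxy CA file (Squid: sslproxy_cafile) or issue it from a trusted CA"),
    19: ("SELF_SIGNED_CERT_IN_CHAIN", "root CA is not trusted; add it to the trust store"),
    20: ("UNABLE_TO_GET_ISSUER_CERT_LOCALLY", "intermediate or root CA missing locally"),
    21: ("UNABLE_TO_VERIFY_LEAF_SIGNATURE", "only the leaf was sent and its issuer is unknown"),
}
ERR_LIB_SSL = 20                                   # library id of libssl in packed codes
SSL_REASONS = {134: "certificate verify failed"}   # SSL_R_CERTIFICATE_VERIFY_FAILED

CERT_ERR_RE = re.compile(r"SSL unknown certificate error (\d+) in (\S+)")
OPENSSL_ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):")

# The two diagnostic lines quoted from cache.log in the post above.
SAMPLE_LOG = [
    "2011/03/17 07:46:01| SSL unknown certificate error 18 in /C=IL/ST=NA/L=NA/O=IBM/OU=HRL/CN=Magen",
    "2011/03/17 07:46:01| fwdNegotiateSSL: Error negotiating SSL connection on FD 13: "
    "error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)",
]

def unpack_openssl_error(code):
    """Split a packed OpenSSL error code: 8 bits library, 12 function, 12 reason."""
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF

def parse_dn(dn):
    """Turn an OpenSSL one-line DN such as /C=IL/.../CN=Magen into a dict."""
    return dict(p.split("=", 1) for p in dn.strip("/").split("/") if "=" in p)

def analyse_cache_log(lines):
    """Return one finding dict per recognised SSL error line, in log order."""
    findings = []
    for line in lines:
        m = CERT_ERR_RE.search(line)
        if m:
            code = int(m.group(1))
            name, hint = X509_VERIFY_ERRORS.get(code, ("UNKNOWN", "see x509_vfy.h"))
            findings.append({"kind": "verify", "code": code, "name": name,
                             "hint": hint, "subject": parse_dn(m.group(2))})
            continue
        m = OPENSSL_ERR_RE.search(line)
        if m:
            lib, func, reason = unpack_openssl_error(int(m.group(1), 16))
            text = SSL_REASONS.get(reason, "unknown") if lib == ERR_LIB_SSL else "not a libssl error"
            findings.append({"kind": "openssl", "lib": lib, "func": func,
                             "reason": reason, "reason_text": text})
    return findings
```

Run against the quoted lines, the first finding says the server (CN=Magen) presented a self-signed certificate the proxy has not been told to trust, which is why the SSL3_GET_SERVER_CERTIFICATE step reports "certificate verify failed".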