On 19/03/11 08:25, arielf wrote:
Hi Amos, thanks for your response.
I'll try to clarify.
I want my browser (a client's browser) to always go through a squid proxy
for accessing any website (target application). This is because I have an
icap service working on the data. Thus to my understanding this is a forward
proxy.
Since I want it to work for both http and https sites, I configured squid to
work with ssl-bump as shown above. I have tested this configuration, by
setting firefox proxy settings to go to squid on port 3128, and it seems to
work fine :)
Now I have an additional target application. This application happens to be
a portal that is run on tomcat. Furthermore, it is a tomcat that I
configured the security settings for. Thus I have browser -> squid -> portal
(run on tomcat).
To my understanding this is still part of the same forward proxy? Am I wrong
here?
Ah, understood. Thanks.
Yes from the browser viewpoint it is a forward proxy. From your admin
viewpoint this is a forward proxy with one specific domain using a
cache_peer parent with originserver flag.
The squid is entering into a strange multi-mode handling though. The
requests enter as forward proxy and exit as reverse.
The handling of CONNECT and ssl-bump is a bit broken when this mode
change takes place internally to Squid. I have just days ago added
changes that look like fixing CONNECT; these will be in 3.1.12. But
ssl-bump remains broken.
Using ssl-bump Squid will pass the tomcat requests with absolute
https:// URLs.
Unfortunately, on this particular setting I get the failure I showed above.
From cache.log:
2011/03/17 07:46:01| SSL unknown certificate error 18 in /C=IL/ST=NA/L=NA/O=IBM/OU=HRL/CN=Magen
2011/03/17 07:46:01| fwdNegotiateSSL: Error negotiating SSL connection on FD 13: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)
I guess I am still understanding something badly, please point me to it.
I think this should work for passing requests to the tomcat:
cache_peer <tomcat-IP> parent 443 0 originserver ssl sslflags=DONT_VERIFY_PEER
Once the requests are getting there you may hit a problem with those
ssl-bump absolute URLs. The Tomcat app might need tweaking to accept
them. Or a re-writer may be needed to strip "https://domain" off the
front of those particular ones.
Amos
--
Please be using
Current Stable Squid 2.7.STABLE9 or 3.1.11
Beta testers wanted for 3.2.0.5
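An added squid.conf fragment (an illustration written for this page, not configuration from the thread or from the Squid project) showing the layout Amos describes: a browser-facing forward proxy with ssl-bump, plus one domain routed to the Tomcat origin as a cache_peer. It places the suggested DONT_VERIFY_PEER setting beside a variant that pins Tomcat's self-signed certificate instead, since verify error 18 in the quoted log is OpenSSL's code for a self-signed certificate at depth zero. The hostname, peer IP, CA files and Tomcat certificate path are assumed placeholders.

```conf
# Browser-facing forward proxy with ssl-bump (the part already working above).
# bump-ca.pem / bump-ca.key: assumed paths to the CA the browsers trust.
http_port 3128 ssl-bump cert=/etc/squid/bump-ca.pem key=/etc/squid/bump-ca.key
ssl_bump allow all

# Only the portal's hostname (assumed placeholder) is handed to the Tomcat peer.
acl portal_dom dstdomain portal.example.com

# Variant from the reply: Squid accepts whatever certificate the peer presents,
# so anything that can answer on the Squid->Tomcat path can impersonate Tomcat.
# cache_peer 10.0.0.5 parent 443 0 originserver ssl name=portal sslflags=DONT_VERIFY_PEER

# Stricter variant: trust exactly the self-signed Tomcat certificate exported to
# tomcat-cert.pem (assumed path) and require the name in that certificate.
# ssldomain= must equal the CN the certificate really carries; the log above
# shows CN=Magen, so a mismatch with the URL hostname is checked here, not ignored.
cache_peer 10.0.0.5 parent 443 0 originserver ssl name=portal sslcafile=/etc/squid/tomcat-cert.pem ssldomain=Magen

# Route the portal domain to the peer and nothing else; never fetch it direct.
cache_peer_access portal allow portal_dom
cache_peer_access portal deny all
never_direct allow portal_dom
```

After a change to the peer line, `squid -k parse` validates the file and the cache.log lines quoted above are the place to confirm the certificate verify error is gone.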