On Sun, 22 May 2011 11:34:48 +0100, Stephan Hügel wrote:
On 22 May 2011 04:01, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
On 22/05/11 06:09, Stephan Hügel wrote:
Hello,
Apologies in advance for the (presumably) repetitive question:
I'd like to set up squid to provide an SSL cert required for access to a certain site on behalf of my users. I've converted the cert (it was provided in PFX format) to PEM format, and generated a key (though I'm not entirely sure that's necessary).
I've installed squid 2.7.STABLE9 on Ubuntu 11.04, and configured http access for users on my subnet, and this is working correctly:
http_port 3128
acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
acl localnet src 10.10.10.0/24
[snip]
http_access allow localnet
icp_access allow localnet
But I haven't been able to find a HOWTO for transparently providing
the required SSL cert on behalf of clients when they connect to the
site which requires it.
I assume I have to provide a https_port (443?), and https_allow localnet, but I'm not sure about anything else.
TIA
https_port is for reverse-proxy when the certificate is to be presented to the *client*.
From what you say, it seems clients are supposed to present a unique identifier certificate to the *server* and you want to forge from Squid?
Before we give you any config, which of those completely different setups do you actually want?
Amos,
The latter; I'd like Squid to present the cert on behalf of the clients.
Then the https_port end for squid<->client is irrelevant.
The cert needs to go on a cache_peer line pointing Squid at the origin
server. Similar to reverse-proxy but not quite:
# add sslkey=/path/to/key.pem if the private key is not inside cert.pem
cache_peer example.com parent 443 0 originserver ssl sslcert=/path/to/cert.pem name=AB
acl site dstdomain example.com
cache_peer_access AB allow site
never_direct allow site
Note: port and http_access are left alone so your regular forwarding
permissions take control. Only never_direct is added to prevent Squid
connecting via direct links without the cert.
Amos
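Putting the PFX conversion from the question together with the cache_peer config from the reply, as an added worked example (my own script, not code from the thread or from the Squid project). It assumes the cert arrived as a PFX/PKCS#12 file with an RSA key, an openssl CLI on the box, squid 2.7 (whose cache_peer takes both sslcert= and sslkey=), and the file names, /etc/squid directory and peer name AB are my choices:

```sh
#!/bin/sh
# Added example, not code from the thread or from the Squid project.
# Assumes: the client certificate came as a PFX/PKCS#12 file (as in the
# question), the key inside it is RSA, openssl is installed, and squid 2.7
# (cache_peer accepts sslcert= and sslkey=). File names, the /etc/squid
# directory and the peer name "AB" are my choices, not fixed by the thread.
set -eu

# 1. Split the PFX into a PEM certificate and a PEM private key.
#    -clcerts keeps only the end-entity cert (no issuer chain), -nodes
#    leaves the key unencrypted because squid cannot prompt for a
#    passphrase at startup. The key is written under umask 077 so it is
#    never world readable; chown it to the user squid runs as afterwards.
#    openssl will prompt for the PFX import password.
pfx_to_pem() {
    pfx=$1 cert=$2 key=$3
    openssl pkcs12 -in "$pfx" -clcerts -nokeys -out "$cert"
    ( umask 077; openssl pkcs12 -in "$pfx" -nocerts -nodes -out "$key" )
}

# 2. Check that the key really belongs to the certificate. A mismatch
#    would otherwise surface only as a failed TLS handshake in cache.log.
#    Both commands print "Modulus=<hex>", so the strings are compared
#    directly (hence the RSA assumption above).
key_matches_cert() {
    c=$(openssl x509 -noout -modulus -in "$1")
    k=$(openssl rsa  -noout -modulus -in "$2")
    [ "$c" = "$k" ]
}

# 3. Emit the squid.conf fragment from the reply, naming the key
#    explicitly with sslkey= and adding an explicit "deny all" so nothing
#    but the target site is ever routed through the client-cert peer.
#    never_direct keeps squid from bypassing the peer (and the cert) by
#    connecting to the site directly.
#    Arguments: site domain, cert path, key path, peer name (default AB).
squid_peer_conf() {
    site=$1 cert=$2 key=$3 peer=${4:-AB}
    printf '%s\n' \
        "cache_peer $site parent 443 0 originserver ssl sslcert=$cert sslkey=$key name=$peer" \
        "acl ${peer}_site dstdomain $site" \
        "cache_peer_access $peer allow ${peer}_site" \
        "cache_peer_access $peer deny all" \
        "never_direct allow ${peer}_site"
}

# Usage: sh client-cert-peer.sh client.pfx example.com [/etc/squid]
# Writes the PEM pair into the squid directory and prints the fragment to
# paste into squid.conf; then run "squid -k parse" to syntax-check and
# "squid -k reconfigure" to load it.
if [ "$#" -ge 2 ]; then
    dir=${3:-/etc/squid}
    pfx_to_pem "$1" "$dir/client-cert.pem" "$dir/client-cert.key"
    key_matches_cert "$dir/client-cert.pem" "$dir/client-cert.key" ||
        { echo "private key does not match certificate" >&2; exit 1; }
    squid_peer_conf "$2" "$dir/client-cert.pem" "$dir/client-cert.key" AB
fi
```

The http_port and http_access lines from the working config are deliberately left alone, exactly as the reply says: normal forwarding rules still decide who may use the proxy, and only requests for the one dstdomain are forced through the peer that carries the client certificate.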