
Re: how to use sslproxy options


Thank you.

Is it possible to place the CA certificate in the openssl path so that
squid finds it by default?  If so, can anyone mention the openssl path
where squid searches for the certificate by default?

I have tried placing the certificate in /etc/pki/certs (file name
myca.cert), but it is not working.

Thanks,
Anandhan

On Fri, Nov 11, 2011 at 8:12 AM, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
> On 11/11/2011 2:54 p.m., Anandha V wrote:
>>
>> Hi Amos
>>
>> Thanks for your reply
>>
>> I have made reverse proxy setup as follows,
>>
>> Client(https)-------(https)squid1(https)----(https)Originserver(8443)
>>
>> I have made squid conf as follows and setup works fine
>>
>> https_port 443 accel cert=/usr/local/myCA/certs/server.crt
>> key=/usr/local/myCA/private/server.key
>> cache_peer originserver parent 8443 0 originserver ssl  no-digest
>> sslcafile=/usr/local/myCA/certs/myca.crt no-digest
>>
>>
>> Do I need to specify SSL certificates/key in the cache_peer using
>> sslcert and sslkey for the connections between squid and origin server
>> to be in https?
>>
>> Or is just the CA certificate of the Apache enough?
>
> The minimum config is just "ssl" option on the cache_peer. Which will verify
> the Apache certificate is valid and send a generic client certificate. The
> rest is just about how much you want to lock down the security.
> * If Apache is validating a specific client certificate you need to
> configure that cert to be sent by Squid.
> * If Apache is using a self-signed certificate you need to configure either
> sslflags=DONT_VERIFY_PEER or the CA to validate it with into Squid.
>
> Amos
>
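
Added example, not part of the original thread: a shell sketch of the check that a CA file such as the one given to `sslcafile=` lets OpenSSL perform on the origin certificate, run here with `openssl verify`. The CAs, certificates, file names and helper functions are all constructed for the demo; it also shows that an OpenSSL CA directory (what `-CApath` takes) only finds a CA stored under its subject-hash name.

```shell
#!/bin/sh
# Added example. Every key, certificate and name below is constructed for the demo.
set -eu

# make_pki DIR CA_NAME: throwaway CA (myca.crt) plus an origin cert (server.crt) it signs.
make_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$1/myca.key" -out "$1/myca.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=originserver" \
    -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null
  openssl x509 -req -in "$1/server.csr" -CA "$1/myca.crt" -CAkey "$1/myca.key" \
    -CAcreateserial -days 1 -out "$1/server.crt" 2>/dev/null
}

# verifies OPTION PATH CERT: status 0 only if CERT chains to the trust given by
# OPTION (-CAfile or -CApath) PATH. Matches on "OK" rather than the exit status.
verifies() {
  openssl verify "$1" "$2" "$3" 2>/dev/null | grep -q ': OK$'
}

# hash_link FILE: add the <subject-hash>.0 name OpenSSL uses for directory lookups.
hash_link() {
  ln -s "$(basename "$1")" "$(dirname "$1")/$(openssl x509 -noout -hash -in "$1").0"
}

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
mkdir "$work/ca" "$work/other" "$work/cadir"
make_pki "$work/ca" "Constructed Demo CA"
make_pki "$work/other" "Unrelated Demo CA"
cp "$work/ca/myca.crt" "$work/cadir/myca.cert"   # plain file name, like myca.cert in the post

report() { if verifies "$2" "$3" "$4"; then echo "accept: $1"; else echo "reject: $1"; fi; }
report "CA file that signed the origin cert" -CAfile "$work/ca/myca.crt" "$work/ca/server.crt"
report "CA file of an unrelated CA" -CAfile "$work/other/myca.crt" "$work/ca/server.crt"
report "CA directory, CA stored only as myca.cert" -CApath "$work/cadir" "$work/ca/server.crt"
hash_link "$work/cadir/myca.cert"
report "CA directory after adding the hash link" -CApath "$work/cadir" "$work/ca/server.crt"
```

The same `openssl verify -CAfile` check can be run against the origin server's real certificate to confirm that a CA file validates it before relying on it in the proxy configuration.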


