On 28/04/2012 10:37 a.m., Squid Tiz wrote:
> I am kinda new to squid. Been looking over the documentation and I just wanted a sanity check on what I am trying to do. I have a web client that hits my squid server. The squid connects to an apache server via ssl. Here are the lines of interest from my squid.conf for version 3.1.8
>
> http_port 80 accel defaultsite=123.123.123.123
> cache_peer 123.123.123.123 parent 443 0 no-query originserver ssl sslflags=DONT_VERIFY_PEER name=apache1
>
> The good news is, that works just as I hoped. I get a connection. But I am questioning the DONT_VERIFY_PEER. Don't I want to verify peer?
Ideally yes. It is better security. But up to you whether you need it or not. It means having available to OpenSSL on the squid box (possibly via squid.conf settings) the CA certificate which signed the peer's certificate, so that verification will not fail.
> I simply hacked up a self signed cert on the apache server. Installed mod_ssl and restarted apache and everything started to work on 443. On the command line for the squid server I can curl the apache box with:
>
> curl --cacert _the_signed_cert_from_the_apache_node_ https://apache.server
>
> Is there a way with sslcert and sslkey to setup a keypair that will verify?
They are for configuring the *client* certificate and key sent by Squid to Apache. For when Apache is doing the verification of its clients.
Squid has a sslcacert= option which does the same as curl --cacert option. For validating the Apache certificate(s).
> Do I need a signed cert?
Yes, TLS requires signing. Your self-signing CA will do however, so long as both ends of the connection are in agreement on the CA trust.
> I tried to add the cert and key to the cache_peer line in the config. Squid did restart. But no connection. Why would curl work but not squid?
See above.

Amos
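As an added illustration (not configuration from the thread or from the Squid project), here is the cache_peer line from the question next to a form that actually verifies the Apache certificate. The CA file path and the ssldomain= value are placeholders I chose: the CA file is the same certificate that the curl --cacert command accepts, and ssldomain= is my assumption for getting the certificate-name check to pass when the peer is addressed by IP rather than by the name in its certificate. The option spelled sslcafile= is the one documented for cache_peer in Squid 3.x squid.conf.documented.

```conf
# --- As posted in the thread: the connection is encrypted, but the peer's
# certificate is never checked, so any host answering on 443 is accepted.
http_port 80 accel defaultsite=123.123.123.123
cache_peer 123.123.123.123 parent 443 0 no-query originserver ssl sslflags=DONT_VERIFY_PEER name=apache1

# --- Verifying form: check the Apache certificate against the CA that signed it.
# /etc/squid/apache-ca.pem is a placeholder path; it holds the self-signed
# certificate (acting as its own CA) that curl --cacert already accepts.
# ssldomain= is assumed here because the peer is given by IP address, so the
# name inside the certificate (apache.server in the curl example) has to be
# told to Squid for the name check to succeed.
http_port 80 accel defaultsite=123.123.123.123
cache_peer 123.123.123.123 parent 443 0 no-query originserver ssl sslcafile=/etc/squid/apache-ca.pem ssldomain=apache.server name=apache1

# --- sslcert= / sslkey= play no part in verifying the server. They give Squid
# a client certificate to present when Apache demands one (SSLVerifyClient).
# Only add them in that case; on their own they do not make verification work.
# cache_peer 123.123.123.123 parent 443 0 no-query originserver ssl sslcafile=/etc/squid/apache-ca.pem ssldomain=apache.server sslcert=/etc/squid/squid-client.pem sslkey=/etc/squid/squid-client.key name=apache1
```

A practical check before editing squid.conf: the file named in sslcafile= should make the curl command in the question succeed from the squid box; if curl accepts it and Squid still fails to connect after the change, the remaining difference is usually the name check (the IP in cache_peer versus the name in the certificate), which is what ssldomain= addresses.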