On Apr 29, 2012, at 10:36 PM, Amos Jeffries wrote:

> On 28/04/2012 10:37 a.m., Squid Tiz wrote:
>> I am kinda new to squid. Been looking over the documentation and I just wanted a sanity check on what I am trying to do.
>>
>> I have a web client that hits my squid server. The squid connects to an apache server via ssl.
>>
>> Here are the lines of interest from my squid.conf for version 3.1.8
>>
>> http_port 80 accel defaultsite=123.123.123.123
>> cache_peer 123.123.123.123 parent 443 0 no-query originserver ssl sslflags=DONT_VERIFY_PEER name=apache1
>>
>> The good news is, that works just as I hoped. I get a connection.
>>
>> But I am questioning the DONT_VERIFY_PEER. Don't I want to verify peer?
>
> Ideally yes. It is better security. But up to you whether you need it or not.
> It means having available to OpenSSL on the squid box (possibly via squid.conf settings) the CA certificate which signed the peer's certificate, so that verification will not fail.
>
>> I simply hacked up a self signed cert on the apache server. Installed mod_ssl and restarted apache and everything started to work on 443.
>>
>> On the command line for the squid server I can curl the apache box with:
>>
>> curl --cacert _the_signed_cert_from_the_apache_node_ https://apache.server
>>
>> Is there a way with sslcert and sslkey to setup a keypair that will verify?
>
> They are for configuring the *client* certificate and key sent by Squid to Apache. For when Apache is doing the verification of its clients.
>
> Squid has a sslcacert= option which does the same as curl --cacert option. For validating the Apache certificate(s).
>
>> Do I need a signed cert?
>
> Yes, TLS requires signing. Your self-signing CA will do however, so long as both ends of the connection are in agreement on the CA trust.
>
>> I tried to add the cert and key to the cache_peer line in the config. Squid did restart. But no connection. Why would curl work but not squid?
>
> see above.
>
> Amos

Amos,

Thanks for the reply.
I was just curious to see if I could get this to fly. The goal is to attach to the squid server via http and have squid verify and attach to the SSL server using a self signed cert.

This seems to work. Squid starts OK and my logs are clean. No validation errors. Comments appreciated.

Create the CA stuff on the apache server:

Key:
    openssl genrsa -des3 -out ca.key 4096
CRT:
    openssl req -new -x509 -days 3650 -key ca.key -out ca.crt

Create a server cert:

Key:
    openssl genrsa -des3 -out server.key 4096
CSR:
    openssl req -new -key server.key -out server.csr
CRT:
    openssl x509 -req -days 3650 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt

Then go ahead and install these certs on the server. Test the server on port 443/SSL etc.

Then create a client cert:

Key:
    openssl genrsa -des3 -out client.key 2048
CSR:
    openssl req -new -key client.key -out client.csr
CRT:
    openssl ca -in client.csr -cert ca.crt -keyfile ca.key -out client.crt

Touch up the key - don't want to enter the password on start-up.

    openssl rsa -in client.key -out client.key.insecure
    mv client.key client.key.secure
    mv client.key.insecure client.key

Then take the ca.crt, the client.key and the client.crt and deploy them on the squid server.

Update the /etc/hosts file:

    ip-address cn-name-of-apache-server

Then the squid.conf:

    http_port 8080 accel defaultsite=cn-name-of-apache-server
    cache_peer cn-name-of-apache-server parent 443 0 no-query originserver ssl \
        sslcafile=/path/ca.crt sslcert=/path/client.crt sslkey=/path/client.key name=yum1

--
Regs
-Dean
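As an added check that is not part of this thread or of Squid itself: a small Python linter over the two cache_peer variants quoted above (the original sslflags=DONT_VERIFY_PEER line and Dean's sslcafile/sslcert/sslkey line, with the thread's placeholder paths), reporting whether Squid is actually in a position to verify the origin's certificate. It joins backslash-continued lines, splits each cache_peer into flags and key=value options, and flags the settings that defeat verification.

```python
# Constructed samples: the weak cache_peer from the question and the
# verifying one from the reply (placeholder paths as in the thread).
WEAK_CONF = """\
http_port 80 accel defaultsite=123.123.123.123
cache_peer 123.123.123.123 parent 443 0 no-query originserver ssl sslflags=DONT_VERIFY_PEER name=apache1
"""

FIXED_CONF = """\
http_port 8080 accel defaultsite=cn-name-of-apache-server
cache_peer cn-name-of-apache-server parent 443 0 no-query originserver ssl \\
    sslcafile=/path/ca.crt sslcert=/path/client.crt sslkey=/path/client.key name=yum1
"""

def logical_lines(text):
    """Join backslash-continued lines; drop blank lines and # comments."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf and not buf.startswith("#"):
            out.append(buf)
        buf = ""
    return out

def parse_cache_peers(text):
    """One dict per cache_peer: host, type, port, bare flags, key=value opts."""
    peers = []
    for line in logical_lines(text):
        parts = line.split()
        if parts[0] != "cache_peer" or len(parts) < 5:
            continue
        peer = {"host": parts[1], "type": parts[2], "port": int(parts[3]),
                "flags": set(), "opts": {}}
        for tok in parts[5:]:                      # options follow the ICP port
            if "=" in tok:
                k, v = tok.split("=", 1)
                peer["opts"][k] = v
            else:
                peer["flags"].add(tok)
        peers.append(peer)
    return peers

def check_peer(peer):
    """Findings for an ssl cache_peer; empty list means verification is set up."""
    findings, opts = [], peer["opts"]
    if "ssl" not in peer["flags"]:
        return findings                            # plain HTTP peer: nothing to verify
    if "DONT_VERIFY_PEER" in opts.get("sslflags", "").split(","):
        findings.append("sslflags=DONT_VERIFY_PEER: origin certificate is never verified")
    if "sslcafile" not in opts and "sslcapath" not in opts:
        findings.append("no sslcafile=/sslcapath=: a privately signed origin cert cannot verify")
    if ("sslcert" in opts) != ("sslkey" in opts):
        findings.append("sslcert= and sslkey= must be given together for a client certificate")
    return findings
```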