Re: Cache Peer Redirection Based on User Certificate

["Waldemar Siebert" <wsiebert@xxxxxxxxx>]

Hello,

what about acl user_cert?

It works with http_access, but not with cache_peer_access. See Log bellow
I use Squid 3.1.8

Thanks
Walt


----- Original Message ----- 
From: "Eliezer Croitoru" <eliezer@xxxxxxxxxxxx>
To: <squid-users@xxxxxxxxxxxxxxx>
Sent: Friday, December 27, 2013 8:19 PM
Subject: Re:  Cache Peer Redirection Based on User Certificate


> Hey there,
>
> Squid doesn't support and cannot support any user level certificate 
> validation or intervention.
> You are looking for a feature which is in the level of "forgery" and 
> "theft" which are not supported by squid project.
>
> Thanks,
> Eliezer
>
> On 27/12/13 17:39, Waldemar Siebert wrote:
> > Hello,
> > i've really diligent searched all Squid mailing lists and archives, but
> > without success.
> > My problem: I try to implement Cache Peer Redirection based on User
> > Certificate.
> > Config extract:
> > #################################################
> > # First HTTPS peer
> > cache_peer websrv01.dd.com parent 443 0 no-query proxy-only no-digest
> > originserver ssl sslflags=DONT_VERIFY_PEER name=PEER01
> >
> > acl CERT_01 user_cert CN NYTIMES
> >
> > cache_peer_access PEER01 allow CERT_01
> >
> > http_access allow CERT_01
> >
> > # Second HTTPS peer
> >
> > cache_peer websrv02.dd.com parent 443 0 no-query proxy-only no-digest
> > originserver ssl sslflags=DONT_VERIFY_PEER name=PEER02
> >
> > acl CERT_02 user_cert CN BOSTONGLOBE
> >
> > cache_peer_access PEER02 allow CERT_02
> >
> > http_access allow CERT02
> >
> > http_access deny all
> >
> > ################################################
> >
> > The acl CERT_01,02 works with http_access:
> >
> > 2013/12/27 13:35:25.093| ACLChecklist::preCheck: 0xa6a3f68 checking
> > 'http_access allow CERT_01'
> > 2013/12/27 13:35:25.093| ACLList::matches: checking CERT_01
> > 2013/12/27 13:35:25.093| ACL::checklistMatches: checking 'CERT_01'
> > 2013/12/27 13:35:25.093| aclMatchStringList: checking 'NYTIMES'
> > 2013/12/27 13:35:25.094| aclMatchStringList: 'NYTIMES' found
> > 2013/12/27 13:35:25.094| ACL::ChecklistMatches: result for 'CERT_01' is 1
> > 2013/12/27 13:35:25.094| ACLList::matches: result is true
> >
> >
> > But witch cache _peer_access not:
> >
> > 2013/12/27 13:35:25.113| ACLChecklist::preCheck: 0xbfbde738 checking
> > 'cache_peer_access PEER01 allow CERT_01'
> > 2013/12/27 13:35:25.113| ACLList::matches: checking CERT_01
> > 2013/12/27 13:35:25.113| ACL::checklistMatches: checking 'CERT_01'
> > 2013/12/27 13:35:25.113| ACL::ChecklistMatches: result for 'CERT_01' is 0
> > 2013/12/27 13:35:25.113| ACLList::matches: result is false
> > 2013/12/27 13:35:25.113| aclmatchAclList: 0xbfbde738 returning false
> > (AND list entry failed to match)
> > 2013/12/27 13:35:25.113| aclmatchAclList: async=0 nodeMatched=0
> > async_in_progress=0 lastACLResult() = 0 finished() = 0
> > 2013/12/27 13:35:25.113| aclCheckFast: no matches, returning: 0
> >
> >
> > Please help me. Thanks.