Re: Cache Peer Redirection Based on User Certificate

Based on a string in the client certificate (in my case the CN field) I would like to route an https request to a dedicated webserver by using the cache_peer_access directive.

E.g.: Client with certificate field CN a111 will be redirected to the parent P1

Client with certificate field CN a222 will be redirected to the parent P2

That works with acl type "src" but not with acl type user_cert


Thanks
Walt




----- Original Message ----- From: "Eliezer Croitoru" <eliezer@xxxxxxxxxxxx>
To: <squid-users@xxxxxxxxxxxxxxx>
Sent: Saturday, December 28, 2013 2:43 PM
Subject: Re: Cache Peer Redirection Based on User Certificate


I am still not sure what you are trying to achieve..

From the docs at:
http://www.squid-cache.org/Doc/config/acl/

acl aclname user_cert attribute values...
  # match against attributes in a user SSL certificate
  # attribute is one of DN/C/O/CN/L/ST [fast]

It is only there for a basic inspection of the user SSL certificate...
the same goes for:
acl aclname ca_cert attribute values...
  # match against attributes a users issuing CA SSL certificate
  # attribute is one of DN/C/O/CN/L/ST [fast]

It is there since 3.1 and the respective aspect on the client side is on the side of the "client" which we are talking about "squid" in the manner of making squid as a client and user while the "end user" cannot send squid certificates for now.

Squid is not a VPN system which allows specific clients access to a specific level of the system since it's a very fast piece of software.
All these levels of SSL connection are not to be used inside of squid.

I must say that I am not the SSL expert and if you need more information on the matter it's pretty simple to ask about the whole subject to understand it properly. (Feel free to contact me or anyone else.)

Regards,
Eliezer

On 28/12/13 15:15, Waldemar Siebert wrote:
Hello,

what about acl user_cert?

It works with http_access, but not with cache_peer_access. See log below.
I use Squid 3.1.8

Thanks
Walt
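For readers following the thread, the configuration shape Walt describes (two parents, selected by the CN of a verified client certificate) looks like the following. This is an added example, not a configuration posted in the thread; the host names, ports, file paths and CN values are placeholders, and the `https_port` line assumes Squid is running as a reverse proxy (accel) that requests and verifies client certificates against the CA given in `clientca=`. Note the thread itself reports that on Squid 3.1.8 the `user_cert` ACL matched under `http_access` but not under `cache_peer_access`, so the `cache_peer_access` lines below show the intended routing rather than behaviour confirmed by the thread.

```conf
# Added example: reverse proxy terminating TLS and requesting a client certificate.
# Paths, hostnames and CN values are placeholders.
# clientca= is what makes Squid verify the presented client certificate; without a
# trusted CA check the CN is simply whatever the client chose to put in its certificate.
https_port 443 accel defaultsite=www.example.com \
    cert=/etc/squid/server.crt key=/etc/squid/server.key \
    clientca=/etc/squid/client-ca.pem cafile=/etc/squid/client-ca.pem

# user_cert ACLs: attribute is one of DN/C/O/CN/L/ST (from the acl documentation quoted above)
acl cn_a111 user_cert CN a111
acl cn_a222 user_cert CN a222

# Two origin servers as parents; "originserver" marks them as the real web servers.
cache_peer p1.example.com parent 80 0 no-query originserver name=P1
cache_peer p2.example.com parent 80 0 no-query originserver name=P2

# Intended routing: each parent only accepts requests from "its" certificate CN.
cache_peer_access P1 allow cn_a111
cache_peer_access P1 deny all
cache_peer_access P2 allow cn_a222
cache_peer_access P2 deny all
never_direct allow all

# Only clients presenting one of the two known CNs get through at all.
http_access allow cn_a111
http_access allow cn_a222
http_access deny all
```

The `http_access` rules are kept alongside the peer selection on purpose: if the peer rules are not evaluated (as Walt observed on 3.1.8), the `http_access` rules still prevent a client with an unexpected or unverified certificate from reaching either backend instead of silently falling through to a default parent.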
