Re: squid HTTPs as reverse proxy problem

Yuri Voinov <yvoinov@xxxxxxxxx> · Mon, 20 Apr 2015 19:21:46 +0600



    -----BEGIN PGP SIGNED MESSAGE----- 

    Hash: SHA256 

     
    Man,

    
    self-signed sertificate required only for SSL Bump (not pump :)).

    
    For SSL reverse proxy you need CA's signed server certificate.

    
    Feel the difference.

    
    21.04.15 5:16, snakeeyes пишет:

    > Hi all , I need a help in
      setting up squid for https reverse proxy 

      >

      > I mean I want to  authorize the certificate on my pc so that
      be able to

      > acces https using http not tunnel method

      >

      > I have searched a lot and most of docs mention ssl pump , but
      again im here

      > don't want ssl pump feature and all I need is just reverse
      proxy.

      >

      >  

      >

      > Here is steps that I did :

      >

      > cd /etc/squid

      >

      >  

      >

      > openssl req -new -newkey rsa:1024 -days 3650 -nodes -x509
      -subj

      > '/C=dsa/ST=asd/L=aaa/O=abcv/CN=abc' -keyout
      /etc/squid/abc.pem -out 

      >

      > /etc/squid/abc.pem

      >

      >  

      >

      > openssl x509 -in /etc/squid/abc.pem -outform DER -out
      /etc/squid/abc.der

      >

      >  

      >

      > whereis ssl_crtd

      >

      >  

      >

      > chown squid:squid /var/lib/ssl_db

      >

      >  

      >

      > after that  edited squid.conf with :

      >

      >  

      >

      > https_port 443 cert=/etc/squid/abc.pem key=/etc/squid/abc.pem

      >

      >  

      >

      >  

      >

      >  

      >

      > then went to my browser and added abc.der as authorized
      certificates

      >

      >  

      >

      > when I connect to proxy I have erros logs :

      >

      >  

      >

      > 2015/04/20 15:44:18 kid1| Error negotiating SSL connection on
      FD 11: Success

      > (0)

      >

      > 2015/04/20 15:44:19 kid1| Error negotiating SSL connection on
      FD 11: Success

      > (0)

      >

      > 2015/04/20 15:44:21 kid1| Error negotiating SSL connection on
      FD 11: Success

      > (0)

      >

      > 2015/04/20 15:44:23 kid1| Error negotiating SSL connection on
      FD 11: Success

      > (0)

      >

      > 2015/04/20 15:45:33 kid1| Error negotiating SSL connection on
      FD 11: Success

      > (0)

      >

      > 2015/04/20 15:45:33 kid1| Error negotiating SSL connection on
      FD 11: Success

      > (0)

      >

      > 2015/04/20 15:47:01 kid1| Error negotiating SSL connection on
      FD 11: Success

      > (0)

      >

      > 2015/04/20 15:53:44 kid1| Error negotiating SSL connection on
      FD 11: Success

      > (0)

      >

      > 2015/04/20 15:53:46 kid1| Error negotiating SSL connection on
      FD 11: Success

      > (0)

      >

      > 2015/04/20 15:53:47 kid1| Error negotiating SSL connection on
      FD 11: Success

      > (0)

      >

      >  

      >

      >  

      >

      > Where could be the problem ?

      >

      >  

      >

      >  

      >

      > Here is my squid config :

      >

      >  

      >

      >  

      >

      > squid -v

      >

      > Squid Cache: Version 3.5.1

      >

      > Service Name: squid

      >

      > configure options:  '--prefix=/usr' '--includedir=/include'

      > '--mandir=/share/man' '--infodir=/share/info'
      '--sysconfdir=/etc'

      > '--enable-cachemgr-hostname=drx' '--localstatedir=/var'

      > '--libexecdir=/lib/squid' '--disable-maintainer-mode'

      > '--disable-dependency-tracking' '--disable-silent-rules'
      '--srcdir=.'

      > '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid'

      > '--mandir=/usr/share/man' '--enable-inline'
      '--enable-async-io=8'

      > '--enable-storeio=ufs,aufs,diskd,rock'
      '--enable-removal-policies=lru,heap'

      > '--enable-delay-pools' '--enable-cache-digests'
      '--enable-underscores'

      > '--enable-icap-client' '--enable-follow-x-forwarded-for'
      '--enable-auth'

      >
'--enable-basic-auth-helpers=LDAP,MSNT,NCSA,PAM,SASL,SMB,YP,DB,POP3,getpwnam

      > ,squid_radius_auth,multi-domain-NTLM'
      '--enable-ntlm-auth-helpers=smb_lm'

      > '--enable-digest-auth-helpers=ldap,password'

      > '--enable-negotiate-auth-helpers=squid_kerb_auth'
      '--enable-esi'

      > '--disable-translation' '--with-logdir=/var/log/squid'

      > '--with-pidfile=/var/run/squid.pid'
      '--with-filedescriptors=131072'

      > '--with-large-files' '--with-default-user=squid'
      '--enable-linux-netfilter'

      > '--enable-ltdl-convenience' '--enable-ssl'
      '--enable-ssl-crtd'

      > '--enable-arp-acl' 'CXXFLAGS=-DMAXTCPLISTENPORTS=20000'
      '--with-openssl'

      > '--enable-snmp'

      >

      >  

      >

      >  

      >

      >  

      >

      >  

      >

      >  

      >

      > cheers

      >

      >

      >

      >

      > _______________________________________________

      > squid-users mailing list

      > squid-users@xxxxxxxxxxxxxxxxxxxxx

      > http://lists.squid-cache.org/listinfo/squid-users

    
    -----BEGIN PGP SIGNATURE-----


    Version: GnuPG v2


    iQEcBAEBCAAGBQJVNP1qAAoJENNXIZxhPexGA7QIAKGDJIOUiKxo0iemYhT2b+dz


    YEVjuOMcjOu643MzUpFNJEezD0spQrGk01Lrj9DLJrlTv6fH5CWEAJJcsy/ieyAV


    KN/SVxS6v98N5KitIhNGbeSO3OKMASJVvgaSi/MpTEl2snRUNaSSiJDKvu9oJqje


    fo19qw+Ce4tH1QjnvRX+v1IHYlBcqBroGnQAR/kNnW1QdC0kXWy2X/hv0eJ5Lmyd


    kSLtiSaOVl6qJ64S1UuQWL9mW8phPI/mYJBOZ3AGe535VO+15pXsFrsxfeIIF8ra


    DmV6cEKEtMVDikI8n9DvlRvJV/vFMmrtI2vqWgXE6HEjmr1WNiYDqkQVczYXeQk=


    =Pb8X


    -----END PGP SIGNATURE-----


_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users