Hi

Thanks, I thought that might be the issue.

Could you point me to an example for requesting client certs for a directory?

Thanks
Alex

On 30 December 2015 at 21:56, Matus UHLAR - fantomas <uhlar@xxxxxxxxxxx> wrote:
> On 30.12.15 15:11, Alex Samad wrote:
>>
>> I have squid 3.5.12 working as a reverse proxy
>>
>> cache_peer 127.0.0.1 \
>>   parent 443 0 proxy-only no-query no-digest originserver \
>>   login=PASS \
>>   ssl \
>>   sslcafile=/etc/pki/tls/certs/ca-bundle.crt \
>>   sslflags=DONT_VERIFY_PEER \
>>   name=webServer
>>
>> This points to httpd which has a
>> <Location /test/>
>>   DirectoryIndex index.shtml index.html
>>   Options -Indexes -Includes +IncludesNOEXEC -SymLinksIfOwnerMatch -ExecCGI -FollowSymLinks
>>
>>   SSLOptions +StdEnvVars +ExportCertData
>>   SSLVerifyClient optional_no_ca
>>   SSLVerifyDepth 4
>> </Location>
>>
>> Unfortunately the request for a client cert never makes it to the client.
>>
>> How can I change this to allow client certs to work
>
>
> client certs will only work when you pass the connection directly to web
> server without unbundling SSL.
> That means, it's useless to use reverse proxy for HTTPS server when it needs
> client certificates.
>
> The workaround could be verifying client certificates by squid,
> pushing that info to server and webserver trusting that info...
>
> --
> Matus UHLAR - fantomas, uhlar@xxxxxxxxxxx ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Chernobyl was a Windows 95 beta test site.
> _______________________________________________
> squid-users mailing list
> squid-users@xxxxxxxxxxxxxxxxxxxxx
> http://lists.squid-cache.org/listinfo/squid-users
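
A sketch of the workaround described in the quoted reply (Squid verifies the client certificate and passes the result to the web server), added here as an example and not taken from the thread or from either poster. The host name, file paths and the `X-Client-Cert-Subject` header name are placeholders chosen for illustration.

```conf
# squid.conf fragment (added example; paths, host name and header name are placeholders)

# Squid terminates TLS on this port, so it is the hop that has to ask the
# browser for a certificate. clientca= names the CA(s) used to request and
# verify client certificates during the handshake; it applies to the whole
# listening port, not to a single URL path.
https_port 443 accel defaultsite=www.example.com \
    cert=/etc/squid/tls/proxy.crt \
    key=/etc/squid/tls/proxy.key \
    clientca=/etc/squid/tls/client-ca.pem

# Remove any copy of the header that arrives from the client, so the value
# the web server sees can only have been set by Squid. request_header_add
# does not replace an existing field of the same name.
# Check with "squid -k parse" that your build accepts a custom header name here.
request_header_access X-Client-Cert-Subject deny all

# Pass the verified certificate subject to the origin server.
# %ssl::>cert_subject is the logformat code for the client certificate subject.
request_header_add X-Client-Cert-Subject "%ssl::>cert_subject" all
```

The web server can trust this header only if Squid is the sole path to it, for example by having httpd accept connections on the loopback address used in the `cache_peer` line and nowhere else. The `SSLVerifyClient` setting on `/test/` no longer sees the browser's certificate in this layout, so the application has to read the forwarded header instead.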