On 5/09/18 4:05 PM, Hariharan Sethuraman wrote:
> Hi All,
>
> I have my https_port 443 in reverse proxy. When the client sends a GET
> request, the rewrite correctly rewrites the URL and that rewritten GET
> request fails with the below error.
> 2018/09/05 03:03:38| Error negotiating SSL on FD 15: error:14007086:SSL
> routines:CONNECT_CR_CERT:certificate verify failed (1/-1/0)
>
> I don't know where to add the trusted certificates, because I don't know
> where to specify the trusted certificates in the /etc/ssl/certs directory.
>
> I have two ways to support:
> 1) I may have a cache_peer parent proxy (next proxy to the internet)

For reverse-proxy the peer should be (or be towards) the origin. Not
towards the public Internet.

Use the cache_peer tls-ca= option to tell Squid which specific CA that
peer/origin is supposed to be using.

> 2) I don't need to give any parent proxy (because this host is connected
> to the internet without a next proxy)

For connections directly to the Internet (which reverse-proxy cannot make
without being forced) the global "Trusted CA" are used by default, there
is nothing to be done in that regard.

You can choose to disable them with:
  tls_outgoing_options default-ca=off

If you need to make Squid trust a specific CA which is not one of the
global trusted set (e.g. private for your use, or self-signed) then use:
  tls_outgoing_options cafile=/path/to/ca.pem

You can also combine the above settings so only a few global CA which you
actually trust get loaded. The cafile= option can be repeated in Squid-4
to load multiple CA details.

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
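Putting Amos's two options into one squid.conf fragment, as an added example that is not part of the thread: it assumes Squid-4 syntax (the cache_peer option is written here in its long form tls-cafile=, which is what the tls-ca= Amos mentions refers to), and the hostnames and file paths are placeholders.

```conf
# Added example, not from the thread. Squid-4 reverse proxy that pins the
# origin's CA instead of relying on the default trust store.
# Hostnames and paths are placeholders.

# Terminate client TLS on 443 in accelerator (reverse-proxy) mode.
https_port 443 accel defaultsite=www.example.com \
    tls-cert=/etc/squid/site.pem tls-key=/etc/squid/site.key

# The peer is the origin server, not an upstream proxy to the Internet.
# tls-cafile= names the CA the origin certificate must chain to, so a
# private or self-signed origin CA verifies without loosening anything.
cache_peer origin.internal parent 443 0 no-query originserver tls \
    tls-cafile=/etc/squid/origin-ca.pem name=origin

cache_peer_access origin allow all
never_direct allow all

# For TLS connections Squid opens itself (no cache_peer), either keep the
# system CAs (the default) and add a private CA on top:
# tls_outgoing_options cafile=/etc/squid/origin-ca.pem
#
# or drop the system CAs and trust only the listed file(s); cafile= may be
# repeated to load several:
# tls_outgoing_options default-ca=off cafile=/etc/squid/origin-ca.pem

# Anti-pattern: flags=DONT_VERIFY_PEER makes the "certificate verify failed"
# error disappear by skipping verification entirely. Fix the trust anchor
# (the CA file above) rather than disabling the check.
```

After reloading, the same rewritten GET should no longer log error:14007086 on the peer connection; if it still does, confirm that origin-ca.pem is the CA that actually issued the origin's certificate rather than a leaf or an intermediate-only bundle.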