Hi,
We were able to set up Squid in a host-to-container infrastructure. That is to say, Squid is installed on the host, transparently proxying traffic, including SSL traffic, from a container on the same host.
Another feature we enabled is request_header_access and request_header_replace, to spoof and modify the token in HTTP headers sent to the target dstdomain.
The issue we are having right now is that the certificate installed in the container is a self-signed cert; we were trying to migrate this cert to a real trusted CA cert, or a Baltimore root cert.
The issue seems to be in the subject name of the cert. In the self-signed cert, I simply leave everything blank. In the Baltimore root cert (squid.key and squid.crt in the squid.conf example below, requested through a Microsoft internal service, and it is Baltimore root), even if I have the dstdomain in squid.conf as the subject name (abc.microsoft.com in the squid.conf example below), I am still getting a “server certificate verification failed” error in curl. Is there anything I am missing, or is it simply not supported? In my understanding, it should be no different from Squid as the root CA signer in the self-signed cert?
P.S. I do notice that it is illegal for a trusted CA to issue an official cert to Squid because Squid itself is a man-in-the-middle, so Squid can only accept a self-signed cert with Squid as the root CA? I tried to search the email archive but had no luck.
I have the following squid.conf:
# Replace the Authorization header on requests to the target domain.
acl abc dstdomain .abc.microsoft.com
request_header_access Authorization deny abc
# Placeholder value: for Basic auth it must be base64(user:password).
request_header_replace Authorization Basic whateverYourTokenIsButForBasicItHasToBeBase64Encoded
request_header_access All allow all
# cert= and key= are the signing CA that generate-host-certificates uses to
# forge a per-site certificate. The file must be a CA certificate
# (basicConstraints CA:TRUE); a server certificate issued by a public CA
# such as Baltimore is CA:FALSE, so clients reject the certs forged with it.
https_port 3129 cert=/etc/squid3/squid.crt key=/etc/squid3/squid.key ssl-bump intercept generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
acl SSL_port port 443
http_access allow SSL_port
acl allowed_https_sites ssl::server_name "/etc/squid3/ssl_sites.txt"
# ssl_bump rules are first-match. This line matches every connection, so
# the peek/splice rules below are never reached; the catch-all belongs after
# them, and server-first is the deprecated pre-peek/splice action (use bump).
ssl_bump server-first all
always_direct allow all
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
ssl_bump peek step1 all
ssl_bump peek step2 allowed_https_sites
ssl_bump splice step3 allowed_https_sites
Thanks,
Lei
_______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users
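The certificate question above, as an added example; this is not code from the post, from the Squid project, or from Microsoft. It builds the kind of private signing CA that ssl-bump's generate-host-certificates needs, forges a per-host leaf the way Squid does at bump time, and runs the one check worth doing on the squid.crt referenced by https_port: whether it carries basicConstraints CA:TRUE. It then uses a leaf certificate as the signer, which is what happens when a server certificate from a public CA is installed as the bump cert, and shows that nothing it signs verifies. It assumes an openssl CLI (1.1.1 or later) and GNU-style grep -A; the host name abc.microsoft.com is borrowed from the config as a placeholder and the scratch directory is created with mktemp.

```shell
#!/bin/sh
# Added example: a private ssl-bump CA versus a public-CA server cert as signer.
set -eu

# Minimal OpenSSL config so results do not depend on the system openssl.cnf.
write_cnf() {
    cat > "$1/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
}

# is_ca CERT: succeed only if CERT carries basicConstraints CA:TRUE.
# Run this against the file named in "https_port ... cert=" before anything else.
is_ca() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -A1 'Basic Constraints' | grep -q 'CA:TRUE'
}

# make_ca DIR: self-signed signing CA (DIR/ca.key, DIR/ca.crt). This pair is
# what belongs in https_port cert=/key= for ssl-bump; ca.crt (not the key)
# is what gets installed into the container's trust store.
make_ca() {
    write_cnf "$1"
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 365 \
        -config "$1/openssl.cnf" -extensions v3_ca \
        -subj "/CN=squid bump CA (example)" \
        -keyout "$1/ca.key" -out "$1/ca.crt" >/dev/null 2>&1
}

# make_host_cert DIR HOST ISSUER_CRT ISSUER_KEY: forge a leaf for HOST signed
# by ISSUER, mimicking what generate-host-certificates=on does per site.
make_host_cert() {
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' "$2" > "$1/$2.ext"
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -config "$1/openssl.cnf" -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.csr" >/dev/null 2>&1
    openssl x509 -req -in "$1/$2.csr" -CA "$3" -CAkey "$4" -CAcreateserial \
        -days 30 -sha256 -extfile "$1/$2.ext" -out "$1/$2.crt" >/dev/null 2>&1
}

# verify_chain TRUSTED_CRT LEAF_CRT: the check curl performs once TRUSTED_CRT
# is in the client's trust store.
verify_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

demo() {
    d=$(mktemp -d)   # assumption: scratch directory for keys and certs
    make_ca "$d"
    is_ca "$d/ca.crt" && echo "ca.crt is CA:TRUE: usable as the ssl-bump signer"
    make_host_cert "$d" abc.microsoft.com "$d/ca.crt" "$d/ca.key"
    verify_chain "$d/ca.crt" "$d/abc.microsoft.com.crt" \
        && echo "forged abc.microsoft.com cert verifies against ca.crt"

    # A server certificate is what a public CA would issue for the host name;
    # it is CA:FALSE, so using it as the bump cert cannot work.
    is_ca "$d/abc.microsoft.com.crt" || echo "server cert is CA:FALSE"
    if make_host_cert "$d" login.example.test "$d/abc.microsoft.com.crt" "$d/abc.microsoft.com.key" \
       && verify_chain "$d/abc.microsoft.com.crt" "$d/login.example.test.crt"; then
        echo "unexpected: leaf-signed cert verified"
    else
        echo "cert signed by a CA:FALSE server cert does not verify (curl: verification failed)"
    fi
}

demo
```

The second half is the situation in the post: a certificate obtained for abc.microsoft.com from a public root is a server certificate, so everything Squid forges with it fails chain validation regardless of the subject name. With a private CA, the remaining step is trusting ca.crt inside the container; on a Debian-based image (an assumption about the container) that means copying it to /usr/local/share/ca-certificates/ with a .crt extension and running update-ca-certificates.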