Re: [squid-users] squid reverse proxy with ssl: access denied

From: nick humphrey <nick.c.humphrey@dont-contact.us>
Date: Thu, 2 Nov 2006 08:40:01 +0100

here's some of what was in the cache.log:
-------------
Initialising SSL.
Using certificate in /usr/local/squid/etc/key.crt
Using private key in /usr/local/squid/etc/key.key
Initialising SSL.
NOTICE: Peer certificates are not verified for validity!
DNS Socket created at 0.0.0.0, port 32786, FD 7
Adding domain lan from /etc/resolv.conf
Adding nameserver 192.168.0.1 from /etc/resolv.conf
Accepting HTTPS connections at 0.0.0.0, port 8080, FD 8.
Accepting ICP messages at 0.0.0.0, port 3130, FD 10.
WCCP Disabled.
Loaded Icons.
Ready to serve requests.
Failed to select source for 'https://192.168.0.150:8080/'
  always_direct = 0
   never_direct = 0
       timedout = 0
...
clientNegotiateSSL: Error negotiating SSL connection on FD 12:
error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request (1/-1)
------------------

i'm not sure about that last line, it came in at 6 am so it is
probably a bot or something (this is a public site)...

so i'm guessing always_direct should be 1 or is that irrelevant? (how
would i set that?)

2006/11/2, Henrik Nordstrom <henrik@henriknordstrom.net>:
> ons 2006-11-01 klockan 16:24 +0100 skrev nick humphrey:
> > het (our local network)
> >
> > i have a weblogic server 8.1 (wl81machine) in our intranet running a
> > ssl/https site (we're testing out verisign ssl).
> >
> > i also have installed squid 2.6 STABLE4 (with --enable-ssl) on debian
> > 3 (deb3machine)
> >
> > squid is acting as a reverse proxy to wl81machine, basically just
> > sending requests back and forth, no caching or anything, on port 8080.
>
> Ok.
>
> > when i try to access wl81machine from the internet i get an access
> > denied error and it shows the ip address to wl81machine without the
> > port:
> > "
> > while trying to retrieve the url: https://192.168.0.150
> > the following error was encountered:
> > access denied
> > ...
> > "
>
> Anything in cache.log?
>
>
> > i know this is got to be something wrong with my squid.conf:
> > #-----START---------
> > https_port 8080 cert=/usr/local/squid/etc/key.crt
> > key=/usr/local/squid/etc/key.key defaultsite=192.168.0.150
>
> defaultsite should be the official site name, i.e. the same as you have
> in the cert.
>
> The server Squid should connect to is defined by cache_peer. Which I
> couldn't find any in your config btw...
>
> Regards
> Henrik
>
>
>
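To make Henrik's two points concrete, here is a corrected squid.conf fragment for the setup described in this thread. This is an added example, not from either poster; the public site name www.example.com, the peer name wl81, the backend HTTPS port 443 and the CA bundle path are assumptions.

```conf
# Squid 2.6 reverse proxy (accelerator) config for the setup in this thread.
# Assumed (not from the thread): public site name www.example.com, peer name
# wl81, WebLogic listening for HTTPS on 443, CA bundle path below is a placeholder.

# --- Before (from the thread): defaultsite is the backend IP, no cache_peer ---
# https_port 8080 cert=/usr/local/squid/etc/key.crt key=/usr/local/squid/etc/key.key defaultsite=192.168.0.150

# --- After ---
# defaultsite is the site name in the certificate, not the backend's IP.
https_port 8080 cert=/usr/local/squid/etc/key.crt key=/usr/local/squid/etc/key.key defaultsite=www.example.com vhost

# cache_peer is what tells Squid where accelerated requests go; without one
# there is no source to select, which is what the "Failed to select source"
# line in cache.log reports. "originserver" marks the backend as the origin web
# server, "ssl" makes Squid speak HTTPS to it, and sslcafile names the CA that
# signed the backend certificate so the peer certificate is actually verified.
cache_peer 192.168.0.150 parent 443 0 no-query originserver ssl name=wl81 sslcafile=/usr/local/squid/etc/backend-ca.pem

# Forward only requests for our own site to the backend and deny everything
# else, so the accelerator cannot be used as an open proxy to other hosts.
acl our_site dstdomain www.example.com
http_access allow our_site
http_access deny all
cache_peer_access wl81 allow our_site
cache_peer_access wl81 deny all
```

With a cache_peer defined, the accelerated request has a source and always_direct does not need to be touched for this setup.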
Received on Thu Nov 02 2006 - 00:40:11 MST