Re: [squid-users] Web client not capable of SSL

From: D.Veenker <dv_at_veenker.tk>
Date: Mon, 03 May 2010 22:34:23 +0200

Well, I'm almost there. My config now looks like this ...

-------------------
http_port 8080
http_access allow all

cache_peer www.binsearch.info sibling 443 0 no-query default ssl sslflags=DONT_VERIFY_DOMAIN proxy-only

acl binsearch dstdomain www.binsearch.info
never_direct allow binsearch

cache_peer_access www.binsearch.info allow all
-------------------

This is just a test, since I still have to add the client certificate
and, as you may understand, I will not get myself into all of this for the
binsearch.info website. So, it's all for testing purposes.

For some reason this config gives security errors. This is the page I
will see in the browser.

-------------------
ERROR
The requested URL could not be retrieved

While trying to retrieve the URL: http://www.binsearch.info/

The following error was encountered:

    * Unable to forward this request at this time.

This request could not be forwarded to the origin server or to any
parent caches. The most likely cause for this error is that:

    * The cache administrator does not allow this cache to make direct
connections to origin servers, and
    * All configured parent caches are currently unreachable.

Your cache administrator is webmaster.
Generated Mon, 03 May 2010 01:33:02 GMT by localhost (squid/3.0.STABLE8)
-------------------

All other domains I browse are working perfectly. It might have
something to do with the never_direct setting. When I remove that
section everything is working smoothly.

What am I doing wrong here? Did I miss something?

Thanks in advance, Dj.

Henrik Nordström wrote:
> Sun 2010-05-02 at 13:43 +0200, D.Veenker wrote:
>
>> My web client is not capable of SSL and definitely no client certificates.
>>
>> - Can Squid do all the SSL-work in a transparent way, including the
>> client certificates?
>>
>
> Yes.
>
>
>> - What does the config look like?
>>
>
> Depends, but based on your later response it can be done two ways
>
> a) Via a cache_peer for the site in question, using the ssl and
> originserver options, and port 443 instead of 80. You can also specify
> the client certificate here. In addition to cache_peer you also need to
> specify never_direct for this site to force Squid to always use the
> cache_peer.
>
> b) By using an url rewriter helper to rewrite the request to https://
> instead of http://. But it gets a little messier to configure which client
> certificate Squid should use here as there is only a global setting and
> not per requested site like when using cache_peer.
>
>
>> - Do I need to recompile Squid with --enable-ssl?
>>
>
> Yes. Your Squid needs native SSL support to be able to wrap HTTP
> requests in SSL. Tunnel mode is not sufficient for this.
>
> Regards
> Henrik
>
>
>
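Henrik's option (a) written out as a complete squid.conf fragment. This is an added example, not configuration posted by either participant. It follows his description: a cache_peer on port 443 with the ssl and originserver options, the client certificate given on that peer, and never_direct restricted to the one site. It uses a parent peer with originserver rather than a sibling, because only a parent is used to fetch cache misses. The certificate, key and CA bundle paths are placeholders, and the cache_peer directive must stay on one line in Squid 3.0.

```conf
# Squid 3.0 fragment: HTTP-only client -> Squid -> HTTPS origin with a client certificate.
# Requires a Squid built with --enable-ssl.
http_port 8080

# Only requests to this one domain are forced through the TLS peer.
acl binsearch dstdomain www.binsearch.info

# Origin server reached over TLS on 443. 'parent' + 'originserver' (not 'sibling')
# so Squid will fetch misses from it; 'default' makes it the last-resort peer.
# sslcert=/sslkey= is the client certificate Squid presents to the origin;
# sslcafile= is used to verify the origin's certificate chain. Paths are placeholders.
cache_peer www.binsearch.info parent 443 0 no-query originserver ssl default sslcert=/etc/squid/client.crt sslkey=/etc/squid/client.key sslcafile=/etc/squid/origin-ca.pem

# Never contact this domain directly over plain HTTP; everything else may go direct.
never_direct allow binsearch
never_direct deny all

# Let only that domain use the peer (the peer name defaults to its hostname).
cache_peer_access www.binsearch.info allow binsearch
cache_peer_access www.binsearch.info deny all

# Restrict who may use the proxy instead of 'http_access allow all'.
acl localhost src 127.0.0.1/32
http_access allow localhost
http_access deny all
```

The client keeps requesting http://www.binsearch.info/; Squid matches the dstdomain ACL, refuses to go direct, and hands the request to the parent, which wraps it in TLS and presents the client certificate. The sslflags=DONT_VERIFY_DOMAIN flag from the config above is left out: it is only needed when the peer hostname differs from the name in the origin's certificate, and disabling that check is best avoided when the names do match.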
Received on Mon May 03 2010 - 20:34:35 MDT
