RE: [squid-users] ACL issue using Squid as reverse proxy server

From: smudly Quickhands <smudly_at_hotmail.com>
Date: Thu, 27 Jan 2011 00:21:32 +0000

Thanks for the previous post. I made the suggested changes to squid.conf but I still cannot connect. Now on the Web browser I am getting "Failed to establish a secure connection to owaServer. The system returned (71) Protocol error".

On the squid server I am seeing a bunch of the following:
fwdNegotiateSSL: Error negotiating SSL connection on FD 12: error: 14090086: SSL routines:SSL#_GET_SERVER_CERTIFICATE: certificate verify failed (1/-1/0)

Is this a configuration error with Squid or an issue with my certificates? I have one SSL certificate for mail.myco.com which I purchased for the Exchange server. Following the instructions in a previous post I exported the certificate on the Exchange server, copied the pfx file to the Squid server and used OpenSSL to convert it to a private pem file which I stored in etc/ssl/private, a public pem file which I stored in etc/ssl/certs, and a server.key file which is stored in etc/ssl.

Below is the current squid.conf file:

acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1

acl localnet src 25.0.0.0/8    # RFC1918 possible internal network

acl SSL_ports port 443
acl Safe_ports port 80        # http
acl Safe_ports port 443        # https
acl Safe_ports port 25        #
acl CONNECT method CONNECT

http_access allow manager localhost
http_access deny manager

http_access deny !Safe_ports

http_access deny CONNECT !SSL_ports

https_port  25.36.2.33:443 accel cert=/etc/ssl/certs/mail.myco.com.pem key=/etc/ssl/server.key defaultsite=mail.myco.com
cache_peer 25.36.2.32 parent 443 0 no-query originserver login=PASS ssl sslcert=/etc/ssl/certs/mail.myco.com.pem sslkey=/etc/ssl/server.key name=owaServer
**  I tried the above line with connection-auth=on (and off)

***   I tried both of the following lines at different times ***
acl OWA dstdomain mail.myco.com
acl OWA dst 25.36.2.32/32

cache_peer_access owaServer allow OWA
never_direct allow OWA

http_access allow OWA

http_access allow localnet
http_access allow localhost

# Squid normally listens to port 3128
http_port 3128

# Uncomment and adjust the following to add a disk cache directory.
cache_dir ufs /var/cache/squid 100 16 256

# Leave coredumps in the first cache dir
coredump_dir /var/cache/squid

refresh_pattern -i (/cgi-bin/|\?) 0    0%    0
refresh_pattern .        0    20%    4320

Received on Thu Jan 27 2011 - 00:21:39 MST
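An added illustration, not part of this message or of any reply in the thread: the cache_peer line as posted, beside a form that tells Squid which CA to trust when it verifies the certificate the Exchange server presents. The CA bundle path is a placeholder, and the option names assume the cache_peer ssl options of Squid 3.1 (sslcafile, ssldomain, sslflags).

```conf
# Added example, not from the thread. Squid's "certificate verify failed"
# means OpenSSL could not chain the peer's certificate to a CA it trusts.

# As posted: sslcert/sslkey only present a client certificate TO the peer;
# nothing here names the CA that signed the Exchange server's certificate,
# so verification of the certificate received FROM the peer fails unless
# that CA happens to be in OpenSSL's default store.
cache_peer 25.36.2.32 parent 443 0 no-query originserver login=PASS ssl sslcert=/etc/ssl/certs/mail.myco.com.pem sslkey=/etc/ssl/server.key name=owaServer

# Verifying form: sslcafile points at the PEM bundle of the issuing CA
# (root plus any intermediate) for the mail.myco.com certificate, and
# ssldomain gives the name to match against the certificate, since the
# peer is addressed by IP rather than by its DNS name.
# <issuing-ca-chain> is a placeholder for the real bundle file name.
cache_peer 25.36.2.32 parent 443 0 no-query originserver login=PASS ssl sslcafile=/etc/ssl/certs/<issuing-ca-chain>.pem ssldomain=mail.myco.com name=owaServer

# Diagnostic only, not for production: sslflags=DONT_VERIFY_PEER switches
# peer certificate verification off. If OWA then loads, the (71) error was
# the trust chain and nothing else; put sslcafile in place and remove this.
# cache_peer 25.36.2.32 parent 443 0 no-query originserver login=PASS ssl sslflags=DONT_VERIFY_PEER name=owaServer
```

The bundle handed to sslcafile should contain the CA certificates, not the mail.myco.com server certificate itself, since it is the issuer chain that verification checks against.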
