Re: [squid-users] Need help configuring squid 3.1.11 to pass Certs

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Fri, 25 Feb 2011 12:01:40 +1300

On 25/02/11 06:32, Martin (Jake) Jacobson wrote:
> Hi,
>
> I am trying to build a squid box that will proxy requests to two sites
> that require a PKI cert. The client doesn't have a cert so I want the
> squid box to take a request from the client and submit the certs it
> has to retrieve the resource.
>
> I was able to build squid 3.1.11 with ssl support and I have a very
> basic squid configuration to test. When I run squid -k parse I see
> that squid sees the certs
>
> 2011/02/24 17:23:19| Initializing cache_peer akocac SSL context
> 2011/02/24 17:23:19| Using certificate in /webroot/conf/squid/.ssl/server.crt
> 2011/02/24 17:23:19| Using private key in /webroot/conf/squid/.ssl/server.key
> 2011/02/24 17:23:19| NOTICE: Peer certificates are not verified for validity!
> 2011/02/24 17:23:19| Initializing cache_peer informationassurance SSL context
> 2011/02/24 17:23:19| Using certificate in /webroot/conf/squid/.ssl/server.crt
> 2011/02/24 17:23:19| Using private key in /webroot/conf/squid/.ssl/server.key
> 2011/02/24 17:23:19| NOTICE: Peer certificates are not verified for validity!
>
> BUT when I run squid -Nd1 I don't see any information about using the
> certs or private key!!!

Strange. Check that you do not have another instance of Squid using
another squid.conf sitting around somewhere.

>
> When squid is running I have tried to
>
> 1. Configure my web browser to use the squid proxy and retrieve a
> resource but instead of the Squid certs being passed, I am requested
> to use my certs loaded in my browser.

The major browsers pass https:// requests to the proxy for handling
quite differently to http://.
They only open a CONNECT tunnel instead and do all of the SSL encryption
inside it themselves.

>
> 2. Telnetting to the box and doing a GET request for the resource
> telnet localhost 3128
> Connected to linsrcheval2o.
> Escape character is '^]'.
> GET https://myProtectedSitel/pki/login/external_silent_autologin.jhtml
> HTTP/1.0 403 Forbidden

Well, to point out the obvious, that is "Forbidden". The test itself, if
not forbidden by the ACLs somewhere, should have used the squid
cache_peer certs.

Find out which software and controls are blocking it and you will have a
good way to test this setup.

>
> Both cases seem to indicate that squid is not using the PKI cert/key
> it has. Here is my configuration file:
>
> cache_peer protectedSite1 parent 443 0 no-query ssl
> sslcert=/webroot/conf/squid/.ssl/server.crt
> sslkey=/webroot/conf/squid/.ssl/server.key
> sslcapath=/webroot/conf/squid/.ssl/ca/ sslversion=3
> sslflags=DONT_VERIFY_PEER originserver proxy-only name=site1
>
> cache_peer protectedSite2 sibling 443 0 no-query no-digest
> no-netdb-exchange ssl sslcert=/webroot/conf/squid/.ssl/server.crt
> sslkey=/webroot/conf/squid/.ssl/server.key
> sslcapath=/webroot/conf/squid/.ssl/ca/ sslversion=3
> sslflags=DONT_VERIFY_PEER originserver proxy-only name=site2
>
Assuming the keys are all correct that looks right for encrypting the
origin link from Squid.

> Let me know if you need anything else and thanks for the help on this.
>

In order to get the browsers past their tendency for CONNECT you will
have to setup an http_port with reverse-proxy settings and set the local
DNS to point browsers at your Squid for that particular site.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.11
   Beta testers wanted for 3.2.0.5
Received on Thu Feb 24 2011 - 23:01:47 MST
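The reverse-proxy setup Amos describes at the end of the reply, written out as an added example squid.conf fragment (this is not configuration from the thread or from the Squid project; the hostnames, the 10.0.0.0/8 client range and the ca/origin-ca.pem path are placeholders, and the cache_peer line follows the one Martin posted). The point of the layout is that the browser never sees an https:// URL for the protected site, so it sends a plain GET to Squid instead of opening a CONNECT tunnel, and Squid is the only party that performs TLS towards the origin and presents the client certificate.

```squid
# Added example squid.conf fragment (Squid 3.1 syntax), not from the thread.
# Assumptions: protectedSite1 resolves to this Squid box for the browsers
# (local DNS or hosts-file override), clients sit in 10.0.0.0/8, and the
# CA that issued the origin's server certificate is in ca/origin-ca.pem.

# 1. Accept the site's requests on a reverse-proxy ("accel") port. The browser
#    uses http://protectedSite1/... and therefore sends an ordinary GET with a
#    Host header, which is what the dstdomain ACL below matches on.
http_port 80 accel defaultsite=protectedSite1 vhost

# (Optional) if the browser leg must be encrypted too, terminate it on Squid
# with a certificate issued for protectedSite1. Browsers still only CONNECT
# through a *forward* proxy; to a reverse proxy they speak TLS directly.
# https_port 443 accel defaultsite=protectedSite1 vhost \
#     cert=/webroot/conf/squid/.ssl/front.crt key=/webroot/conf/squid/.ssl/front.key

# 2. Squid opens the TLS session to the origin and presents the client
#    certificate it holds. Unlike the posted config this verifies the origin
#    (sslcafile + ssldomain) instead of sslflags=DONT_VERIFY_PEER: with
#    verification off, anyone who can answer DNS for protectedSite1 on the
#    Squid box receives the client certificate handshake and every request
#    that follows. sslversion is left at its default rather than pinned to 3.
#    Kept on one line because this is the form Squid 3.1 is known to accept.
cache_peer protectedSite1 parent 443 0 no-query originserver ssl sslcert=/webroot/conf/squid/.ssl/server.crt sslkey=/webroot/conf/squid/.ssl/server.key sslcafile=/webroot/conf/squid/.ssl/ca/origin-ca.pem ssldomain=protectedSite1 name=site1

# 3. Access control. A 403 like the one seen in the telnet test is normally
#    produced by http_access (default deny when nothing matches), not by the
#    peer, so allow the accelerated site explicitly and keep the box from
#    becoming an open proxy for everything else.
acl site1_host dstdomain protectedSite1
acl lan src 10.0.0.0/8
http_access allow lan site1_host
http_access deny all

# 4. Route only that site to the peer, and never let Squid go direct for it
#    (going direct would reach the origin without the client certificate).
cache_peer_access site1 allow site1_host
cache_peer_access site1 deny all
never_direct allow site1_host
```

To test without touching DNS, run `squid -k parse` on the file and then, from a client in the allowed range, `curl -v -H 'Host: protectedSite1' http://<squid-host>/pki/login/external_silent_autologin.jhtml`; the origin should answer through Squid instead of prompting for a certificate. Pointing a browser at the same box as a forward proxy and requesting an https:// URL will still produce a CONNECT tunnel and the certificate prompt, which is exactly the behaviour described in the reply.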