Re: [squid-users] http to squid to https

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Mon, 30 Apr 2012 17:36:09 +1200

On 28/04/2012 10:37 a.m., Squid Tiz wrote:
> I am kinda new to squid. Been looking over the documentation and I just wanted a sanity check on what I am trying to do.
>
> I have a web client that hits my squid server. The squid connects to an apache server via ssl.
>
> Here are the lines of interest from my squid.conf for version 3.1.8
>
> http_port 80 accel defaultsite=123.123.123.123
> cache_peer 123.123.123.123 parent 443 0 no-query originserver ssl sslflags=DONT_VERIFY_PEER name=apache1
>
> The good news is, that works just as I hoped. I get a connection.
>
> But I am questioning the DONT_VERIFY_PEER. Don't I want to verify peer?

Ideally yes. It is better security. But it is up to you whether you need
it or not.
It means having available to OpenSSL on the squid box (possibly via
squid.conf settings) the CA certificate which signed the peer's
certificate, so that verification will not fail.

>
> I simply hacked up a self signed cert on the apache server. Installed mod_ssl and restarted apache and everything started to work on 443.
>
> On the command line for the squid server I can curl the apache box with:
>
> curl --cacert _the_signed_cert_from_the_apache_node_ https://apache.server
>
> Is there a way with sslcert and sslkey to setup a keypair that will verify?

They are for configuring the *client* certificate and key sent by Squid
to Apache. For when Apache is doing the verification of its clients.

Squid has a sslcacert= option which does the same as curl --cacert
option. For validating the Apache certificate(s).

> Do I need a signed cert?

Yes, TLS requires signing. Your self-signing CA will do, however, so long
as both ends of the connection are in agreement on the CA trust.

>
> I tried to add the cert and key to the cache_peer line in the config. Squid did restart. But no connection. Why would curl work but not squid?
>
See above.

Amos
Received on Mon Apr 30 2012 - 05:36:14 MDT
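The two cache_peer variants discussed in this thread, side by side, as an added example that is not part of the original posting or of Squid's own documentation. The file paths, the CA file name and the certificate subject "apache.server" are assumptions for illustration. Note that in Squid 3.1's cache_peer the option that supplies the CA bundle for verifying the peer is spelled sslcafile= (or sslcapath= for a directory of CA certificates); ssldomain= names the subject the peer certificate must carry, which matters here because the peer is addressed by IP rather than by its hostname.

```conf
# squid.conf fragment for Squid 3.1.x (added example; paths are assumptions)

http_port 80 accel defaultsite=123.123.123.123

# Weak: the connection to Apache is encrypted, but Squid accepts any
# certificate, so a host interposed between Squid and Apache is never detected.
#cache_peer 123.123.123.123 parent 443 0 no-query originserver ssl sslflags=DONT_VERIFY_PEER name=apache1

# Corrected: trust only the CA that signed the Apache certificate. For a
# self-signed server certificate that file is the certificate itself, i.e. the
# same file curl was given with --cacert. ssldomain= is the subject the
# certificate must match, since the peer address above is an IP, not a name.
cache_peer 123.123.123.123 parent 443 0 no-query originserver ssl sslcafile=/etc/squid/apache1-ca.pem ssldomain=apache.server name=apache1

# sslcert=/sslkey= are a different thing: the client certificate Squid presents
# to Apache. Only needed if Apache is configured with SSLVerifyClient require.
#cache_peer 123.123.123.123 parent 443 0 no-query originserver ssl sslcafile=/etc/squid/apache1-ca.pem ssldomain=apache.server sslcert=/etc/squid/squid-client.pem sslkey=/etc/squid/squid-client.key name=apache1
```

Before reloading Squid, confirm from the squid box that the CA file actually validates the Apache certificate with `openssl s_client -connect 123.123.123.123:443 -CAfile /etc/squid/apache1-ca.pem` and look for "Verify return code: 0 (ok)" in its output; if Squid still fails to reach the peer afterwards, the OpenSSL verification error is logged in cache.log, and a subject/ssldomain mismatch is the usual cause when the curl test succeeded.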