Re: [squid-users] Cache Peer Redirection Based on User Certificate

From: Eliezer Croitoru <eliezer_at_ngtech.co.il>
Date: Sat, 28 Dec 2013 18:48:57 +0200

OK just to make sure we are talking about the same issue:
try to read this file:
http://www1.ngtech.co.il/squid/ssl2.pcap

And tell me what you mean..
packet number..
byte offset..

Thanks,
Eliezer

On 28/12/13 16:49, Waldemar Siebert wrote:
> Based on a string in client certificate (in my case CN field) I would
> like to route an https request to a dedicated webserver by using the
> cache_peer_access directive.
>
> E.g.: Client with certificate field CN a111 will be redirected to the
> parent P1
>
> Client with certificate field CN a222 will be redirected to the parent P2
>
> That works with acl type "src" but not with acl type user_cert
>
>
> Thanks
> Walt
>
>
>
>
> ----- Original Message ----- From: "Eliezer Croitoru"
> <eliezer_at_ngtech.co.il>
> To: <squid-users_at_squid-cache.org>
> Sent: Saturday, December 28, 2013 2:43 PM
> Subject: Re: [squid-users] Cache Peer Redirection Based on User Certificate
>
>
>> I am still not sure what you are trying to achieve..
>>
>> From the docs at:
>> http://www.squid-cache.org/Doc/config/acl/
>>
>> acl aclname user_cert attribute values...
>> # match against attributes in a user SSL certificate
>> # attribute is one of DN/C/O/CN/L/ST [fast]
>>
>> It is only there for a basic inspection of the user SSL certificate...
>> the same goes for:
>> acl aclname ca_cert attribute values...
>> # match against attributes a users issuing CA SSL certificate
>> # attribute is one of DN/C/O/CN/L/ST [fast]
>>
>> It is there since 3.1 and the respective aspect on the client side is
>> on the side of the "client" which we are talking about "squid" in the
>> manner of making squid as a client and user while the "end user"
>> cannot send squid certificates for now.
>>
>> Squid is not a VPN system which allows specific clients access to a
>> specific level of the system since it's a very fast piece of software.
>> All these levels of SSL connection are not to be used inside of squid.
>>
>> I must say that I am not the SSL expert and if you need more
>> information on the matter it's pretty simple to ask about the whole
>> subject to understand it properly. (Feel free to contact me or anyone
>> else.)
>>
>> Regards,
>> Eliezer
>>
>> On 28/12/13 15:15, Waldemar Siebert wrote:
>>> Hello,
>>>
>>> what about acl user_cert?
>>>
>>> It works with http_access, but not with cache_peer_access. See log
>>> below.
>>> I use Squid 3.1.8
>>>
>>> Thanks
>>> Walt
>>
>
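The layout Walt describes, written out as an added squid.conf fragment that is not from the thread; it assumes a reverse-proxy (accel) https_port, placeholder hostnames and file paths, and shows where the certificate that user_cert inspects actually enters Squid.

```conf
# Added example, not from the thread. Hostnames, ports and paths are placeholders.

# user_cert can only match a certificate Squid itself has seen: Squid must
# terminate the TLS session on an https_port and request a client certificate
# (clientca= lists the CAs it will accept). A client certificate sent inside
# a CONNECT tunnel through a plain http_port goes to the origin, not to Squid.
https_port 443 accel defaultsite=www.example.test \
    cert=/etc/squid/server.pem key=/etc/squid/server.key \
    clientca=/etc/squid/client-ca.pem

# Two dedicated backends, one per certificate CN.
cache_peer p1.example.internal parent 443 0 no-query originserver ssl name=P1
cache_peer p2.example.internal parent 443 0 no-query originserver ssl name=P2

# acl aclname user_cert attribute values...  (attribute is one of DN/C/O/CN/L/ST)
acl cn_a111 user_cert CN a111
acl cn_a222 user_cert CN a222

# Admission first: only holders of a known client certificate get through.
http_access allow cn_a111
http_access allow cn_a222
http_access deny all

# Steering: each peer serves only its own CN, and nothing may bypass the peers.
cache_peer_access P1 allow cn_a111
cache_peer_access P1 deny all
cache_peer_access P2 allow cn_a222
cache_peer_access P2 deny all
never_direct allow all
```

Whether the user_cert ACL is evaluated at all in cache_peer_access on 3.1.8 is exactly what the thread disputes; the fragment only makes the intended policy explicit so the two ACL types (src versus user_cert) can be compared in the same place.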
Received on Sat Dec 28 2013 - 16:49:35 MST

This archive was generated by hypermail 2.2.0 : Sat Dec 28 2013 - 12:00:06 MST