Fw: [squid-users] ssl between squid accelerators

From: mlister <mailme@dont-contact.us>
Date: Thu, 27 Mar 2003 12:56:12 -0500

Henrik
ok all looks good now using
 sslflags=DONT_VERIFY_PEER (selfsigned)
 httpd_accel_with_proxy on

Much thanks for your help.

----- Original Message -----
From: "mlister" <mailme@triad.rr.com>
To: <squid-users@squid-cache.org>
Sent: Thursday, March 27, 2003 11:52 AM
Subject: Re: [squid-users] ssl between squid accelerators

> ok this makes sense with never_direct and both squid servers pointing to
> the same webserver.
> I put everything in place but I'm getting the (71) protocol error. The
> hint from the FAQ that squid could be blocked led me to the cache.log
> where I'm getting errors with the negotiation of the ssl certificate:
>
> SQUID1 is showing
> 2003/03/27 16:44:46| TCP connection to 10.10.1.73/443 failed
> 2003/03/27 16:44:46| SSL unknown certificate error 18 in
> /C=US/ST=XX/L=XXXXXX/O=XXXXXX/CN=SQUID2
> 2003/03/27 16:44:46| fwdNegotiateSSL: Error negotiating SSL connection on
> FD 13: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate
> verify failed (1/-1)
>
> SQUID2 is showing
> 2003/03/27 11:40:00| clientNegotiateSSL: Error negotiating SSL connection
> on FD 10: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
> (1/0)
>
> the above is duplicate after having recreated the key, cert (on SQUID2)
> with:
> "openssl req -new -x509 -nodes -keyout test_key.pem -out test_cert.pem"
>
> do I need to copy anything over to SQUID1 (any keys?) or perhaps set
> any more directives in regards to SSL on SQUID2? (I notice cache_peer has
> further ssl options for keys)
>
> Again, Henrik I appreciate your time and patience while I'm newly
> learning squid and the ssl world.
>
>
> ----- Original Message -----
> From: "Henrik Nordstrom" <hno@squid-cache.org>
> To: "mlister" <mailme@triad.rr.com>
> Cc: <squid-users@squid-cache.org>
> Sent: Wednesday, March 26, 2003 7:19 PM
> Subject: Re: [squid-users] ssl between squid accelerators
>
>
> > mlister wrote:
> >
> > > Anyways I will compile Squid-3 and start working with it, but I am
> > > curious if you (Henrik, or any of the listers) have any sample
> > > configuration files or could give me cache_peer directive examples to
> > > where I have something to mold.
> > >
> > > client <---SSL-->SQUID1<---SSL--->SQUID2<---HTTP-->webserver
> >
> >
> > Squid-3:
> >
> > SQUID1:
> >
> > https_port 443 cert=... accel defaultsite=www.your.domain
> > cache_peer squid2 parent 443 0 ssl no-query originserver
> >
> > SQUID2:
> >
> > https_port 443 cert=... accel defaultsite=www.your.domain
> > cache_peer webserver parent 80 0 no-query originserver
> >
> >
> > Squid-2.5+ssl update:
> >
> > SQUID1:
> >
> > https_port 443 cert=...
> > httpd_accel_host www.your.domain
> > httpd_accel_port 80
> > cache_peer squid2 parent 443 0 ssl no-query
> > never_direct allow all
> >
> > alternatively instead of using cache_peer+never_direct, use a redirector
> > which rewrites the requests as https://www.your.domain/ and register
> > www.your.domain into /etc/hosts with the address of SQUID2.
> >
> > SQUID2:
> >
> > https_port 443 cert=..
> > httpd_accel_host www.your.domain
> >
> > and put www.your.domain into /etc/hosts with the address of the real web
> > server.
> >
> > In all cases you should also configure http_access to only allow access
> > to www.your.domain.
> >
> > Regards
> > Henrik
>
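The "SSL unknown certificate error 18" in SQUID1's cache.log above is OpenSSL's X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: SQUID1 had no trust anchor for the self-signed certificate SQUID2 presented. The script below is an added example, not code from the thread or from Squid; it reproduces that verification failure with the thread's openssl command and shows it clearing once the certificate is trusted explicitly. It assumes the openssl CLI is installed, and the file names and DN are copied from the thread (the -newkey size and -subj are additions made here).

```shell
#!/bin/sh
# Added example, not code from the thread or from Squid.
# Reproduces the "SSL unknown certificate error 18" that SQUID1 logged
# (OpenSSL's X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT) and shows it clearing
# once SQUID2's self-signed certificate is trusted explicitly.
# Assumes the openssl CLI is installed; file names and the DN below are
# constructed to match the ones quoted in the thread.
set -u

WORKDIR="${TMPDIR:-/tmp}/squid-ssl-example"
mkdir -p "$WORKDIR"
CERT="$WORKDIR/test_cert.pem"
KEY="$WORKDIR/test_key.pem"

# Step 1: the thread's key/cert command, made non-interactive with -subj
# (the -newkey size is an explicit choice added here).
make_squid2_cert() {
    openssl req -new -x509 -nodes -newkey rsa:2048 -keyout "$KEY" -out "$CERT" \
        -subj "/C=US/ST=XX/L=XXXXXX/O=XXXXXX/CN=SQUID2" >/dev/null 2>&1
}

# Step 2: verify the certificate the way SQUID1 does when it opens the SSL
# connection to SQUID2. $1 is an optional CA file to trust. Prints the X509
# error number from the verify output (18 = self-signed, no trust anchor),
# or 0 when verification succeeds.
verify_error_code() {
    if [ -n "${1:-}" ]; then
        out=$(openssl verify -CAfile "$1" "$CERT" 2>&1 || true)
    else
        out=$(openssl verify "$CERT" 2>&1 || true)
    fi
    code=$(printf '%s\n' "$out" \
        | sed -n 's/.*error \([0-9][0-9]*\) at [0-9][0-9]* depth lookup.*/\1/p' \
        | head -n 1)
    printf '%s\n' "${code:-0}"
}

make_squid2_cert || echo "openssl req failed (is openssl installed?)" >&2
echo "no trust anchor, as on SQUID1:      error $(verify_error_code)"
echo "trusting test_cert.pem explicitly:  error $(verify_error_code "$CERT")"
```

Trusting SQUID2's certificate this way (Squid's cache_peer `sslcafile=` option takes such a file) keeps peer verification on, whereas sslflags=DONT_VERIFY_PEER makes SQUID1 accept whatever certificate the peer presents.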
Received on Thu Mar 27 2003 - 10:56:19 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:14:23 MST