RE: [squid-users] SSL Tunnel out-of-box?

From: Daniel Palmer <DanielPalmer@dont-contact.us>
Date: Wed, 22 Oct 2003 11:38:18 +1000

It's a little off topic - but I'm wondering why, if you want secure
communications between the clients and the Squid server, you aren't
thinking of using something like IPsec which *should* provide seamless
encryption / data authentication..

Sorry, I can't answer your actual question :)

Daniel

-----Original Message-----
From: WEHT.net Webmaster [mailto:webmaster@WEHT.net]
Sent: Wednesday, 22 October 2003 11:16 AM
To: squid-users@squid-cache.org
Subject: [squid-users] SSL Tunnel out-of-box?

Sorry if there are well known answers to this, I've been looking but not
finding...

Is there a way to get an SSL Tunnel between the client and squid under
2.5.STABLE4 out-of-box (or with a server side patch?)

Client <--- SSL ---> Squid <--- Non-SSL/SSL ---> Internet

My conf is posted below, this works fine via non-SSL between the
client<->squid (including hitting URI's via SSL on the other side of the
squid cache), but when I set my proxy address on the clients to use the
SSL port on the squid side, I get this error:

Oct 21 21:06:00 sp0090 squid[17038]: clientNegotiateSSL: Error
negotiating SSL connection on FD 16: error:1407609C:SSL
routines:SSL23_GET_CLIENT_HELLO:http request

Which from what I can gather seems to mean the SSL port is getting
non-SSL requests from the client. I guess what I'm wondering is if there
is a way to do this out-of-box without having to use something like an
SSH tunnel from the client side, i.e. convince the web browsers to open
SSL connections to the squid cache all the time?

Again, sorry if its an FAQ...

# begin config
http_port 69.60.1.98:3128
https_port 69.60.1.98:443 cert=/etc/squid/ssl/server-req.pem \
        key=/etc/squid/ssl/server-key.pem
tcp_outgoing_address 69.60.1.98
httpd_accel_host proxy.example.com
httpd_accel_uses_host_header on
httpd_accel_host virtual
httpd_accel_port 444
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
redirect_rewrites_host_header off
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY

auth_param basic program /usr/lib/squid/ncsa_auth \
        /usr/lib/squid/etc/authusers.txt
auth_param basic children 5
auth_param basic realm proxy.example.com
auth_param basic credentialsttl 2 hours

acl password proxy_auth REQUIRED
acl all src 0.0.0.0/0.0.0.0
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
http_access allow password
http_reply_access allow all
icp_access allow all

-- 
WEHT.net
The Online Compendium of "What Ever Happened To" & "Where Are They Now?"
Received on Tue Oct 21 2003 - 19:38:20 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:20:34 MST