Re: [squid-users] https questions

From: Ken W. <kenw97_at_gmail.com>
Date: Sat, 7 Jun 2008 18:29:11 +0800

Hello members,

My squid's config for https looks as below:

http_port 80 accel vhost
https_port 443 accel vhost cert=/usr/local/squid/etc/ssl/server.cert key=/usr/local/squid/etc/ssl/server.key

cache_peer 12.34.56.78 parent 80 0 no-query front-end-https=auto originserver name=origin_1
acl service_1 dstdomain .abc.com
cache_peer_access origin_1 allow service_1

When I access squid with:

https://www.abc.com

I got no success and cache.log shows:

2008/06/07 14:37:02| httpsAccept: Error allocating handle: error:0906A068:PEM routines:PEM_do_header:bad password read
2008/06/07 14:37:02| httpsAccept: Error allocating handle: error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib
2008/06/07 14:37:02| httpsAccept: Error allocating handle: error:140BA0C3:SSL routines:SSL_new:null ssl ctx

This is the info for my squid:

Squid Cache: Version 3.0.STABLE6
configure options: '--prefix=/usr/local/squid3.0' '--disable-carp'
'--enable-async-io=128' '--enable-removal-policies=heap lru'
'--disable-wccp' '--disable-wccpv2' '--enable-kill-parent-hack'
'--disable-snmp' '--disable-htcp' '--disable-poll' '--disable-select'
'--disable-ident-lookups' '--with-aio' '--with-large-files'
'--with-filedescriptors=51200' '--enable-ssl'

I'm running it under Red Hat Linux AS5.

Please help, thanks.

--Ken

2008/6/7 Henrik Nordstrom <henrik_at_henriknordstrom.net>:
> On Sat, 2008-06-07 at 09:58 +0800, Ken W. wrote:
>> 2008/6/7 Henrik Nordstrom <henrik_at_henriknordstrom.net>:
>>
>> >
>> > But you are quite likely to run into issues with the server sending out
>> > http:// URLs in its responses unless the server has support for running
>> > behind an SSL frontend. See for example the front-end-https cache_peer
>> > option.
>> >
>>
>> Thanks Henrik.
>> Under my setting, can squid work correctly for this flow?
>>
>> clients --https--> squid --http--> webserver
>> webserver --http--> squid --https--> clients
>
> Again, yes, provided your web server application has support for being
> used in this manner.
Received on Sat Jun 07 2008 - 10:29:18 MDT
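
The first error in the cache.log excerpt above, PEM_do_header:bad password read, is what OpenSSL reports when a PEM private key is encrypted and no passphrase could be read; the two errors after it follow from the key failing to load. The check below is an added example, not part of the original post or of Squid: it inspects a key file's PEM armour for encryption and flags loose file permissions. The function names and sample keys are constructed for illustration.

```python
import os
import re
import stat
import tempfile

# Constructed samples: PEM armour only, placeholder bodies (not real keys).
TRADITIONAL_ENCRYPTED = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n\n"
    "PLACEHOLDER\n-----END RSA PRIVATE KEY-----\n")
PKCS8_ENCRYPTED = ("-----BEGIN ENCRYPTED PRIVATE KEY-----\n"
                   "PLACEHOLDER\n-----END ENCRYPTED PRIVATE KEY-----\n")
PLAIN = "-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDER\n-----END RSA PRIVATE KEY-----\n"

BEGIN_RE = re.compile(r"^-----BEGIN ((?:[A-Z0-9]+ )*)PRIVATE KEY-----[ \t\r]*$", re.M)

def classify_pem_key(text):
    """Return 'encrypted', 'plain' or 'no-key' from the PEM armour alone."""
    m = BEGIN_RE.search(text)
    if m is None:
        return "no-key"
    if m.group(1).strip() == "ENCRYPTED":        # PKCS#8 encrypted key
        return "encrypted"
    # Traditional format: RFC 1421 headers sit between BEGIN and a blank line.
    headers = text[m.end():].split("\n\n", 1)[0]
    if re.search(r"^Proc-Type:\s*4,\s*ENCRYPTED[ \t\r]*$", headers, re.M):
        return "encrypted"
    return "plain"

def audit_key_file(path):
    """List problems for a daemon that loads this key without a passphrase prompt."""
    findings = []
    with open(path, "r", errors="replace") as fh:
        state = classify_pem_key(fh.read())
    if state == "encrypted":
        findings.append("key is passphrase-protected")
    elif state == "no-key":
        findings.append("no PEM private key found")
    # An unencrypted key is only as safe as its file mode: owner-only access.
    if stat.S_IMODE(os.stat(path).st_mode) & 0o077:
        findings.append("key file accessible by group or others")
    return findings

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "server.key")     # hypothetical file name
        with open(path, "w") as fh:
            fh.write(TRADITIONAL_ENCRYPTED)
        os.chmod(path, 0o644)
        print(audit_key_file(path))
```
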
