Re: [squid-users] SOAP client with no SSL client-certificate features

From: D.Veenker <dv_at_veenker.tk>
Date: Wed, 28 Apr 2010 23:12:05 +0200

Hi Amos,

Thanks for all the nice info. I am really making progress here!!

The client-application we are using to connect to the SOAP-server does
not have the ability to change anything in the request itself. So, we
cannot make a proxy request with the full https-url in it.

So, I guess we need to request an http-url from that application and I
was hoping Squid could interpret that request and rewrite the URL to https.
Also, the method might be rewritten from POST to GET, taking your advice
into account. In that case the client-application does not even know we
are connecting to an SSL-server. And that's exactly what we need to
accomplish.

And then still there is the client-certificate issue.
I found the config sslproxy_client_certificate and sslproxy_client_key.
Which one should I use, and how can I associate it with the
SOAP-server-URL? I guess Squid will not send the certificate I configure
to every server requesting a client-certificate??? Do I have to
combine these config-settings with others to get a correctly working
config-file?

At this point I started with a brand new empty config, like this:

acl all src all
http_access allow all

http_port 8080

###
# --- Here should be some rewriting config -----

###
# ---- Here should be some client_certificate config(s)

Hope you can bring me one step further to 'world domination' ;)

Greetz, Dolf

PS. I am pretty impressed by the features of Squid. It runs on Debian
like a Dutch ice skater! Might use it for other applications too.

Amos Jeffries wrote:
> On Wed, 21 Apr 2010 10:01:27 +0200, "D.Veenker" wrote:
>
>> That sounds promising. And also thanks for the tips concerning the correct
>> cache-headers
>>
>> ** Let's assume the SOAP-client can only use unencrypted http, but the
>> webservice does only accept https requests. In which Squid configuration
>> setting do I have to set the translation from http to https? Or, how does
>> Squid know which URL's or domains it has to transfer to https with client
>> certificates?
>>
>
> This is the reason absolute URLs are passed in the request line. They
> start with a protocol scheme ftp://, http://, https:// and the proxy uses
> that to tell which server protocol to use to fetch the data.
>
> Proxy requests are formatted like so:
>
> GET https://example.com/foo HTTP/1.1
> Host: example.com
> ...
>
> Different to Normal web server requests which start with:
>
> GET /foo HTTP/1.1
> Host: example.com
> ...
>
>
>
>> ** In which configuration setting do I have to mention the location of the
>> client certificates?
>>
>
> The sslproxy_* options.
> http://www.squid-cache.org/Doc/config/
>
>
> Amos
>
>
>> -----Original message-----
>> From: Amos Jeffries
>> Sent: Wednesday 21 April 2010 1:07
>>
>> On Tue, 20 Apr 2010 23:25:59 +0200, "D.Veenker" <dv_at_veenker.tk> wrote:
>>
>>> I am running into the following problem and I think Squid might be just
>>> the solution I am looking for. But I'm not sure about it.
>>>
>>> We are developing an application consuming a SOAP-webservice. The
>>> platform we are developing on (4D) does not support SSL with client
>>> certificates. It does support the regular HTTPS features though.
>>>
>>> So I was wondering if Squid could help me out, and proxy a regular
>>> plain-http (or https) request from this newly made application to the
>>> webservice implementing the SSL connection with client certificates.
>>>
>>> Let's say the url of the webservice is:
>>> https://webservice.domain.com/methods
>>> From this developed 4D-application I'd like to connect to
>>> http://webservice.domain.com/methods and let Squid do all the SSL
>>> features using client certificate authorization.
>>>
>>> Situation:
>>> Application not capable of SSL with client certificates -->> plain
>>> HTTP-request -->> Squid (+ client certificate provided by webservice
>>> company) -->> HTTPS request with client certificate -->> SSL Webservice
>>>
>>> And of course vice-versa, but I assume you already guessed that. The
>>> certificates are formatted as .der documents, but I guess I can overcome
>>> the problem when squid does only support a particular format by
>>> converting the certificate.
>>>
>>> ** Is this type of proxying possible using Squid?
>>>
>> Yes.
>>
>>
>>> ** How do I configure such a situation in Squid?
>>>
>> Simply make sure the HTTP requests sent through Squid contain full
>> absolute URLs starting with https://.
>>
>> There are some other details such as the difference between Proxy-*
>> headers and their regular client->server "normal" versions.
>>
>>
>>
>>> ** What elements need to be compiled with Squid to get these features
>>> implemented?
>>>
>> Nothing special. The defaults are fine.
>>
>>
>>> To be honest I'm a total rookie to Squid so I might need some specific
>>> help, on the other hand not too lazy to get through some docs when you
>>> point me in the right direction. And last but not least, I have a strong
>>> wish to run Squid on a debian server.
>>>
>> http://wiki.squid-cache.org/ has almost everything you need for playing
>> with Squid.
>>
>>
>> PS: Just a mention. Check your SOAP underlayer. A lot of SOAP systems use
>> POST requests which are not cacheable when they should be using GET
>> requests which are. Tools that use REST HTTP seem to be better IME when
>> going through any proxies.
>>
>> Amos
>>
Received on Wed Apr 28 2010 - 21:12:15 MDT
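
One way to fill the two placeholder sections of the starting config in this message, given as an added example that is not part of the original thread or of Squid's documentation. It assumes a Squid 3.x build with SSL support and reuses the thread's webservice.domain.com; the client address 192.0.2.10, the peer name soap_ws and the /etc/squid/*.pem paths are placeholders.

```conf
# Added example, not from the thread. 192.0.2.10, soap_ws and the
# /etc/squid/*.pem paths are placeholders; the hostname is the thread's.

# --- rewriting: no URL rewriter is needed -------------------------------
# Listen as an accelerator (reverse proxy) so the application can send
# ordinary origin-form requests ("POST /methods HTTP/1.1") over plain HTTP.
# The scheme change to HTTPS happens on the peer link defined below.
http_port 8080 accel defaultsite=webservice.domain.com

# --- client certificate: bound to one peer, not set globally ------------
# sslcert=/sslkey= on cache_peer present the certificate to this peer only.
# The global sslproxy_client_certificate / sslproxy_client_key options
# apply to Squid's outgoing SSL connections in general.
# Both files must be PEM, so a .der certificate has to be converted first.
# sslcafile= names the CA used to verify the web service's own certificate.
cache_peer webservice.domain.com parent 443 0 no-query originserver ssl sslcert=/etc/squid/client-cert.pem sslkey=/etc/squid/client-key.pem sslcafile=/etc/squid/webservice-ca.pem name=soap_ws

# --- access control ------------------------------------------------------
# Weak: with the starting config, every host that can reach port 8080 is
# relayed to the web service under the client certificate's identity.
#   http_access allow all

# Tighter: one client host, one destination, everything else refused.
acl soap_app src 192.0.2.10/32
acl soap_site dstdomain webservice.domain.com
http_access allow soap_app soap_site
http_access deny all

# Only requests for the web service go to the SSL peer, and Squid never
# falls back to fetching directly without it.
cache_peer_access soap_ws allow soap_site
cache_peer_access soap_ws deny all
never_direct allow all
```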