RE: [squid-users] ACL issue using Squid as reverse proxy server

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Thu, 27 Jan 2011 03:40:25 +0000

On Thu, 27 Jan 2011 00:21:32 +0000, smudly Quickhands <smudly_at_hotmail.com>
wrote:
> Thanks for the previous post. I made the suggested changes to squid.conf
> but I still cannot connect. Now in the web browser I am getting "Failed to
> establish a secure connection to owaServer. The system returned (71)
> Protocol error".
>
> On the squid server I am seeing a bunch of the following
> fwdNegotiateSSL: Error negotiating SSL connection on FD 12: error:
> 14090086: SSL routines:SSL#_GET_SERVER_CERTIFICATE: certificate verify
> failed (1/-1/0)
>
> Is this a configuration error with Squid or an issue with my
> certificates? I have one SSL certificate for mail.myco.com which I
> purchased for the Exchange server. Following the instructions in a
> previous post I exported the certificate on the Exchange Server, copied the
> pfx file to the Squid server and used OpenSSL to convert it to a private
> pem file which I stored in etc/ssl/private, a public pem file which I
> stored in etc/ssl/certs, and a server.key file which is stored in etc/ssl.
>
> below is the current squid.conf file
>
> acl manager proto cache_object
> acl localhost src 127.0.0.1/32 ::1
> acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
>
> acl localnet src 25.0.0.0/8    # RFC1918 possible internal network
>
> acl SSL_ports port 443
> acl Safe_ports port 80        # http
> acl Safe_ports port 443        # https
> acl Safe_ports port 25        #
> acl CONNECT method CONNECT
>
> http_access allow manager localhost
> http_access deny manager
>
> http_access deny !Safe_ports
>
> http_access deny CONNECT !SSL_ports
>
> https_port  25.36.2.33:443 accel cert=/etc/ssl/certs/mail.myco.com.pem
> key=/etc/ssl/server.key defaultsite=mail.myco.com
> cache_peer 25.36.2.32 parent 443 0 no-query originserver login=PASS ssl
> sslcert=/etc/ssl/certs/mail.myco.com.pem sslkey=/etc/ssl/server.key
> name=owaServer
> **  I tried the above line with connection-auth=on (and off)
>

The sslcert= parameter on cache_peer is the client cert to be used by
Squid when contacting that server. This is different to the server cert
used on https_port and often self-generated. The only key thing is that the
OWA server accepts it as valid.

I've updated the wiki example a bit to make it clearer:
http://wiki.squid-cache.org/ConfigExamples/Reverse/OutlookWebAccess

Amos
Received on Thu Jan 27 2011 - 03:40:42 MST
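The separation Amos describes, as an added squid.conf fragment (not from the thread or from the Squid wiki page): the purchased mail.myco.com certificate stays on https_port as the server cert, a separate self-generated client cert goes on cache_peer, and the OWA server's own certificate is verified against its issuing CA with sslcafile=/ssldomain= instead of failing or being skipped. The client cert, client key and CA file paths are assumptions.

```conf
# Added example, not the poster's config. Three distinct certificate roles:

# 1. Server certificate presented to browsers: the purchased mail.myco.com
#    cert. This is the only place it belongs.
https_port 25.36.2.33:443 accel defaultsite=mail.myco.com cert=/etc/ssl/certs/mail.myco.com.pem key=/etc/ssl/server.key

# 2. Client certificate Squid presents to OWA (sslcert=/sslkey=). It does not
#    have to be the server cert; a self-generated one works as long as the
#    Exchange server is configured to accept it. Assumed file names; one way
#    to create them:
#    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=squid-owa-client" -keyout /etc/ssl/private/squid-client.key -out /etc/ssl/certs/squid-client.pem
#
# 3. Trust anchor for verifying the OWA server's certificate (sslcafile=).
#    The peer is addressed by IP, so ssldomain= tells Squid which name to
#    expect in that certificate; without this, the "certificate verify
#    failed" seen in fwdNegotiateSSL is the expected outcome. Prefer this
#    over sslflags=DONT_VERIFY_PEER, which silently accepts any certificate.
cache_peer 25.36.2.32 parent 443 0 no-query originserver login=PASS name=owaServer ssl sslcert=/etc/ssl/certs/squid-client.pem sslkey=/etc/ssl/private/squid-client.key sslcafile=/etc/ssl/certs/exchange-ca.pem ssldomain=mail.myco.com
```

If the Exchange certificate was issued by a public CA, exchange-ca.pem is that CA's bundle; if it is self-signed, the exported public pem of the Exchange server itself serves as the trust anchor.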