Re: [squid-users] Squid proxy server - Client certificate (reverse proxy)

From: Qvalpro Solutions <orplavq_at_gmail.com>
Date: Tue, 1 Feb 2011 14:28:18 +1100

Hi Amos,

Thanks for the response.

I tried using:
https_port 443 accel defaultsite=ccapi.client.qvalent.com
cert=C:\certificate\mycert.pem
cache_peer ccapi.client.qvalent.com parent 443 0 no-query login=PASS
ssl sslcert=C:\payway\ccapi.pem

The transactions still did not work and when I checked the Squid
cache.log, I found a message that says "commBind: Cannot bind socket
FD 15 to *:443: (10013) WSAEACCES, Permission denied" - please let me
know if this is a problem and if there is a way to work around this
issue.

Thanks,
KB.

On Tue, Feb 1, 2011 at 7:52 AM, Amos Jeffries <squid3_at_treenet.co.nz> wrote:
> On 01/02/11 09:01, Qvalpro Solutions wrote:
>>
>> Hi Amos,
>>
>> Thanks for the detailed response. I tried configuring Squid, but
>> couldn't get it working yet.
>>
>> Can you please elaborate "You setup Squid as a reverse-proxy and make
>> old billing application believe Squid is the Payway system. Usually
>> via DNS". Sorry if this sounds dumb.
>>
>> Steps followed by myself:
>> 1. Downloaded Squid 2.7 STABLE8 (reverse proxy with SSL support) and
>> installed it in my windows server which has the billing application
>> 2. Started the Squid service and stored the Payway's digital
>> certificate inside the "payway" directory in C: of the windows server
>> 3. Added the following options to the squid.conf file:
>> https_port accel defaultsite=https://ccapi.client......./ccapi
>> cert=C:\payway\ccapi.pem
>
> defaultsite is the domain name only, i.e. defaultsite=ccapi.example.com
>
>> cache_peer ssl sslcert=C:\payway\ccapi.pem
>
>
>
> I presume this works like all the other web API billing systems I've seen.
> With the client connecting to you like so?
>  client -> billing -> squid -> payway
>
> In which case you would use:
>  https_port 443 accel defaultsite=ccapi.example.com
> sslcert=<something-self-signed>
>  cache_peer ccapi.example.com parent 443 0 no-query ssl sslcert=...
>
> to produce:
>  client -> billing --(SSL internal unverified)--> squid --(SSL certificate verified)--> payway
>
>
> The sslcert= for the https_port line can be something self-signed that the
> billing system trusts but nobody anywhere else knows about. By default squid
> will accept any client who can perform SSL.
>
>
> If the billing system can be configured to use a proxy for internet access
> that is even better, you can remove the http_port line tricks and just use
> "http_port 3128" and "never_direct allow all".
>
> OR, you could make the billing->squid section work without SSL at all. Just
> make sure the billing system works with http:// URLs and setup http_port 80
> accel defaultsite=.
>
>
>> 4. Tried to initiate a test transaction from the billing application,
>> but it didn't work.
>>
>> Assumptions made:
>> 1. I have stored the Payway related details (aforementioned https URL,
>> username, password & Merchant ID for the API) in the billing system
>> installed in the windows server. I hope that when the billing
>> application tries to process a credit card payment, the proxy will
>> automatically take over the transaction.
>> 2. I have not added the username/password of the API to the Squid
>> configuration. Please let me know if I need to add the details in
>> Squid proxy too and if yes, kindly provide me the syntax to be used.
>>
>
> Most types of auth you will only need "login=PASS" (exact text) on the
> cache_peer line and the credentials at the billing system end point.
>
>> Please let me know if I am going in the right direction.
>>
>> Thanks,
>> KB.
>>
>> On Fri, Jan 28, 2011 at 11:08 AM, Amos Jeffries<squid3_at_treenet.co.nz>
>>  wrote:
>>>
>>> On 28/01/11 07:48, Qvalpro Solutions wrote:
>>>>
>>>> Hi Folks,
>>>>
>>>> I just started exploring Squid proxy and I am clueless about how to use
>>>> Squid in my setup.
>>>>
>>>> Some background on why I am trying to use the Squid proxy:
>>>> I have a billing application installed in a windows server. This
>>>> particular billing application uses some proprietary file system,
>>>> which cannot be customized. I have purchased a Payway API account
>>>> (Payway API is nothing but a payment processing system for credit
>>>> cards) for using with the billing application. I just noticed that the
>>>> Payway API needs a digital certificate to be installed for processing
>>>> the payments. Unfortunately, my billing application doesn't allow any
>>>> certificate installation. When I spoke to the billing application
>>>> development company and Payway, they suggested that I use the Squid
>>>> proxy to work around the problem. I was also told that the Squid proxy
>>>> can provide the client certificate.
>>>>
>>>> As I don't have adequate exposure to setting up proxy servers, I have
>>>> the following questions:
>>>> 1. Can I install the Squid proxy in the same server where my billing
>>>> application is located?
>>>
>>> Yes.
>>>
>>> Additional problem though: Windows Squid builds only have experimental
>>> SSL support and are limited to squid-2.7 for now.
>>>
>>> If you need to do this for Windows please contact Guido at Acme
>>> Consulting (http://squid.acmeconsulting.it/) for support.
>>>
>>>
>>>> 2. How do I connect the billing application to the Squid Proxy? Do I
>>>> need to use some port for this and how am I supposed to connect the
>>>> Squid Proxy to the Payway API?
>>>
>>> You set up Squid as a reverse-proxy and make the old billing application
>>> believe Squid is the Payway system. Usually via DNS. Squid handles the
>>> rest once requests are arriving nicely to it.
>>>
>>> Start with this:
>>> http://wiki.squid-cache.org/ConfigExamples/Reverse/BasicAccelerator
>>> it covers the very simple config just to get an accelerator working.
>>> Stuff like SSL requires additional config.
>>>
>>>> 3. How do I install the digital certificate provided by Payway in the
>>>> Squid proxy and what format of digital certificate is to be used -
>>>> .net or PHP or ASP or something else?
>>>
>>> Squid uses .PEM format certificates.
>>>
>>> After doing the setup from your question 2, you configure Squid to use
>>> them with additional options on the cache_peer line.
>>> Set the "ssl" flag to enable SSL on the link, then any of the other ssl*=
>>> options as needed by the Payway system.
>>>
>>> http://www.squid-cache.org/Doc/config/cache_peer/
>>>
>>> (snipped Q4-6 since they are answered above as well).
>>>
>>> Amos
>>> --
>>> Please be using
>>>  Current Stable Squid 2.7.STABLE9 or 3.1.10
>>>  Beta testers wanted for 3.2.0.4
>>>
>
>
> --
> Please be using
>  Current Stable Squid 2.7.STABLE9 or 3.1.10
>  Beta testers wanted for 3.2.0.4
>
Received on Tue Feb 01 2011 - 03:28:25 MST
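As an added example (not from this thread, the Squid project, or either poster), the squid.conf fragment below lays out the full configuration Amos sketches over the two replies: the billing application talks to Squid over an internal, self-signed listener, and Squid presents the Payway client certificate on a verified TLS hop upstream. Everything here is an assumption: the hostnames (ccapi.example.com for the name the billing application resolves, ccapi.client.example.com and the RFC 5737 address 203.0.113.10 standing in for Payway), the file names under C:\certificate and C:\payway, and the billing host being the same machine as Squid. The cert=/key= options on https_port and the ssl, sslcert=, sslkey=, sslcafile=, ssldomain=, login=PASS and originserver options on cache_peer are real Squid 2.7/3.x directives.

```conf
# Added example squid.conf for: billing -> squid (internal, self-signed) -> Payway (client cert, verified).
# All paths and names are placeholders; replace them with the real ones.

# 1. Listener the billing application connects to.
#    defaultsite= is the bare hostname only (no scheme, no path).
#    cert=/key= are the SELF-SIGNED server certificate and key that the billing
#    host has been told to trust. They are NOT the Payway client certificate:
#    putting C:\payway\ccapi.pem here would expose the client credential to
#    anything that connects and would not make the upstream hop work.
https_port 443 accel defaultsite=ccapi.example.com cert=C:\certificate\squid-selfsigned-cert.pem key=C:\certificate\squid-selfsigned-key.pem

# 2. Upstream peer: Payway.
#    ssl        - TLS on the link to the peer.
#    sslcert=   - the client certificate Payway issued (PEM).
#    sslkey=    - its private key; omit only if ccapi.pem already contains both the
#                 certificate and the key in one PEM file.
#    sslcafile= - CA certificate(s) that must have signed Payway's server certificate,
#                 so the hop is verified rather than merely encrypted.
#    ssldomain= - name checked against Payway's server certificate. It matters here
#                 because the peer is addressed by IP (see caveat below).
#    login=PASS - forward the billing application's own API username/password unchanged;
#                 no Payway credentials need to be stored in squid.conf.
#    originserver - treat the peer as an origin server (reverse-proxy mode).
cache_peer 203.0.113.10 parent 443 0 no-query originserver ssl sslcert=C:\payway\ccapi.pem sslkey=C:\payway\ccapi-key.pem sslcafile=C:\payway\payway-ca.pem ssldomain=ccapi.client.example.com login=PASS name=payway

# 3. Never bypass the peer: every request must go out through the client-certificate hop.
cache_peer_access payway allow all
never_direct allow all

# 4. Only the billing host may use this accelerator. With Squid on the same
#    machine as the billing application, that is the loopback address.
acl billing_host src 127.0.0.1/32
http_access allow billing_host
http_access deny all
```

Two caveats that fall out of running Squid on the same Windows host as the billing application. First, if the billing application is pointed at Squid by editing the hosts file so that the Payway name resolves to 127.0.0.1, that override also applies to Squid; a cache_peer line naming the same host would then connect back to Squid itself. That is why the example addresses the peer by IP (placeholder 203.0.113.10) and uses ssldomain= to keep certificate name checking, rather than resolving the overridden name. Second, the "commBind: Cannot bind socket FD 15 to *:443: (10013) WSAEACCES, Permission denied" line means the https_port listener never opened, so nothing the billing application sends can reach Squid at all. Windows returns WSAEACCES from bind() when the process lacks permission for the address or another process already owns it with exclusive access; `netstat -ano | findstr :443` shows which PID holds the port, and either stopping that service or moving the https_port (and the billing application's target) to a free port resolves it.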
