Re: [squid-users] Re: Configuring Squid to Proxy HTTPS

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sun, 06 Feb 2011 01:57:52 +1300

On 05/02/11 04:44, Martin (Jake) Jacobson wrote:
> Hi,
>
> I am sorry if I sound like I don't know what I am doing with Squid but
> I don't and it is really, really frustrating. I have been reading over
> the O'Reilly book and I am more lost than ever before.
>
> Here is what I am trying to do:
>
> * My squid box is running on port 3128
> * My bot is configured to send requests to my squid box over
> http://squidbox:3128
> * Squid is then supposed to proxy request to destination and when a
> PKI cert challenge is given by destination box, squid would present
> its cert/ca chain and not send the challenge back to the requesting
> bot.
>
> I wish I could load the bot with its own certs but that is not going
> to happen any time soon, so I am forced to try this method.
>
> The good news is I got past the denied error but the bad news is I am
> still being challenged for my PKI cert and it doesn't appear that the
> certs/ca loaded by the cache_peer line are being loaded or submitted on
> my behalf.
>
> Correct me if I am wrong, but cache_peer is used to talk to other
> squid boxes and not a web server. When I start squid in single user

You are wrong. cache_peer is used to connect to a specific HTTP service.
Proxy, web server, or web application does not matter.
Though usually only proxies provide the ICP/HTCP needed by 'sibling'.
'parent' type can be any provider service.

> mode, 'squid -Nd1' I see everything coming up but I don't see anywhere
> in the output that it loaded the PKI or CAs. Should I see this?

I believe you should see "Initializing https proxy context" followed by
an "Initializing cache_peer XX SSL context" for each SSL peer. They are
displayed at cache.log display level 3,1.

>
> Here is the cache_peer line I have
>
> cache_peer my_login_site parent 443 0 proxy-only ssl
> sslcert=/webroot/conf/squid/.ssl/server.crt
> sslkey=/webroot/conf/squid/.ssl/server.key
> sslcapath=/webroot/conf/squid/.ssl/ca/ ssldomain=google.intelink.gov
> no-query originserver
>
> In my squid access log I see:
>
> 1296833229.332 20520 xxx.xxx.xxx.xxx TCP_MISS/200 7596 CONNECT
> my_login_site:443 - DIRECT/xxx.xxx.xxx.xxx-
>
> All of the certs and ca are owned by root. Squid is running as user
> squid but since I start squid as root, I figured that root would be ok
> to own the cert/ca. Is this incorrect?
>
> Thanks for any help anyone can give me on this and sorry for the
> length of this post.
>

You are most of the way there. You still have to make the bot pass its
requests to the proxy so Squid can see them as HTTP instead of encrypted
CONNECT body data.

You could use https_port as an SSL reverse-proxy for that site and fool
the bot into connecting its encryption to Squid instead.

Or on the trickier side you may be able to configure the bot to send its
requests to Squid as http://...:443/ instead of https://

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.10
   Beta testers wanted for 3.2.0.4
Received on Sat Feb 05 2011 - 12:57:57 MST
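A squid.conf fragment for the https_port reverse-proxy route Amos suggests, added here as an example and not taken from the thread or from the Squid project. The bot's source address, the front-end certificate/key paths and the peer name are assumptions; the cache_peer line is the one from the post.

```conf
# Added example, not from the thread. Flow: bot --TLS--> Squid (https_port,
# accel) --plain HTTP inside Squid--> cache_peer --TLS + client cert--> origin.
# The bot must trust squid-front.crt (assumed path); the origin sees server.crt.

# 1. Terminate the bot's TLS here so Squid sees ordinary HTTP requests
#    instead of opaque CONNECT body data.
https_port 443 accel defaultsite=my_login_site vhost cert=/webroot/conf/squid/.ssl/squid-front.crt key=/webroot/conf/squid/.ssl/squid-front.key

# 2. Re-encrypt to the origin and present the client certificate (line from
#    the post, plus name= so it can be referenced below). sslcapath= must be
#    an OpenSSL hashed directory (run c_rehash on it) or the CA chain will not
#    be found.
cache_peer my_login_site parent 443 0 proxy-only ssl sslcert=/webroot/conf/squid/.ssl/server.crt sslkey=/webroot/conf/squid/.ssl/server.key sslcapath=/webroot/conf/squid/.ssl/ca/ ssldomain=google.intelink.gov no-query originserver name=login_peer

# 3. Only the bot may use this accelerator, and only for that one site;
#    otherwise anyone reaching port 443 could borrow the client cert.
acl bot_src src 192.0.2.10/32          # constructed bot address
acl login_site dstdomain my_login_site
http_access allow bot_src login_site
http_access deny all

# 4. Never go DIRECT for that site (DIRECT is what the access.log line shows);
#    force the request through the peer that holds the certificate.
cache_peer_access login_peer allow login_site
cache_peer_access login_peer deny all
never_direct allow login_site
```

After a restart, the cache.log at the debug level Amos mentions should show the https proxy context and the cache_peer SSL context being initialized, and access.log should report the peer (FIRST_UP_PARENT/login_peer) rather than DIRECT.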