Re: [squid-users] squid as forward proxy for portal run on tomcat

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Fri, 18 Mar 2011 13:51:54 +1300

On 17/03/11 22:05, arielf wrote:
> Hi all,
>
> I am trying to use squid as a forward proxy for target applications using
> both http and https sites
> I added the following lines to my squid.conf
>
> http_port 3128 ssl-bump key=/path/mykey.pem cert=/path/mycert.pem
> ssl_bump allow all
>
> Now I tested on third party http and https sites, and it works nicely :)
> However when I try to proxy a portal that I configured the security keys for
> it does not work

Please correct me if this is wrong but I suspect your understanding of
the terminology is incorrect.

I have not heard tomcat being used as a proxy gateway, so I'm assuming
you actually mean it is used as the web app service "server".

"Forward proxy" is a proxy being used by a residential ISP or business
to gateway their users out to the general Internet. (there are other
uses, but that is the general usage case)

"Reverse proxy" (sometimes called "accelerator proxy") is the type used
to act as the front interface for a web service.

The setup description reads a bit like you are struggling to set up Squid
as a reverse proxy for tomcat. Possibly as a forward-proxy for some
local clients at the same time. Correct?

>
> From cache.log:
> 2011/03/17 07:46:01| SSL unknown certificate error 18 in
> /C=IL/ST=NA/L=NA/O=IBM/OU=HRL/CN=Magen
> 2011/03/17 07:46:01| fwdNegotiateSSL: Error negotiating SSL connection on FD
> 13: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate
> verify failed (1/-1/0)
>
> I actually configured my tomcat and squid with the same security keystore.
> Of course tomcat used JKS and squid uses PEM, so I created a self signed JKS
> keystore for tomcat and then exported key and cert in PEM format from it to
> use for squid.
>
> This is how I did it:
> keytool -genkey -keyalg RSA -alias mykey -keystore keystore.jks -storepass
> "password" -validity 365
> keytool -export -alias mykey -keystore keystore.jks -file mycert.crt
> keytool -import -trustcacerts -alias mycert -file mycert.crt -keystore
> keystore.jks
>
> keytool -importkeystore -srckeystore keystore.jks -srcstoretype JKS
> -deststoretype PKCS12 -destkeystore keystore.p12
> openssl pkcs12 -in keystore.p12 -out keystore.pem
> openssl rsa -in keystore.pem -out mykey.pem
> openssl x509 -in keystore.pem -out mycrt.pem
>
> Then I use: keystore.jks for tomcat, and mykey.pem/mycert.pem for squid
>
> Of course if any of you have made this type of configuration work, I am willing
> to create any key/cert/keystore for both squid/tomcat since they are both
> under my control.
>
> If anyone has an idea how to make this work, I'd be VERY grateful.
> Thanks, Ariel.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.11
   Beta testers wanted for 3.2.0.5
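Example added for this thread (not Amos's or Ariel's code, and not a Squid project script): an openssl-only way to build one PKCS12 keystore for Tomcat and extract the PEM pair for Squid, followed by the two checks that explain the "certificate verify failed" in the cache.log excerpt. It assumes openssl is on PATH; the subject, file names and password are constructed.

```shell
#!/bin/sh
# Added example: one keystore for both Tomcat (PKCS12) and Squid (PEM),
# plus the checks a self-signed setup needs before pointing Squid at it.
set -e
WORK=$(mktemp -d)   # scratch directory; constructed file names below

make_keystore() {   # $1 = directory
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/O=Example/CN=portal.example.test" \
        -keyout "$1/mykey.pem" -out "$1/mycert.pem" 2>/dev/null
    # Tomcat can read this directly (keystoreType="PKCS12"), so no JKS round-trip.
    openssl pkcs12 -export -name mykey -passout pass:password \
        -inkey "$1/mykey.pem" -in "$1/mycert.pem" -out "$1/keystore.p12"
}

# Pull the PEM key and cert for Squid out of the same keystore.
extract_pem() {     # $1 = directory
    openssl pkcs12 -in "$1/keystore.p12" -passin pass:password -nocerts -nodes \
        -out "$1/squid-key.pem" 2>/dev/null
    openssl pkcs12 -in "$1/keystore.p12" -passin pass:password -nokeys \
        -out "$1/squid-cert.pem" 2>/dev/null
}

# Check 1: the exported key really belongs to the exported certificate.
# Compares the public key derived from each side; prints "match" or "mismatch".
key_matches_cert() {   # $1 = key file, $2 = cert file
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null | openssl sha256)
    c=$(openssl x509 -in "$2" -noout -pubkey | openssl sha256)
    [ "$k" = "$c" ] && echo match || echo mismatch
}

# Check 2: would a peer that trusts only $2 (nothing extra if $2 is empty)
# accept certificate $1?  A self-signed cert with no trust anchor fails with
# X509 error 18 (depth-zero self-signed), the "unknown certificate error 18"
# Squid logged when it opened the upstream TLS connection. Prints "ok"/"fail".
verify_against() {     # $1 = cert file, $2 = CA file or ""
    if [ -n "$2" ]; then
        openssl verify -CAfile "$2" "$1" >/dev/null 2>&1 && echo ok || echo fail
    else
        openssl verify "$1" >/dev/null 2>&1 && echo ok || echo fail
    fi
}

make_keystore "$WORK"
extract_pem "$WORK"
key_matches_cert "$WORK/squid-key.pem" "$WORK/squid-cert.pem"
verify_against "$WORK/squid-cert.pem" ""                        # fail: error 18
verify_against "$WORK/squid-cert.pem" "$WORK/squid-cert.pem"    # ok: cert is its own anchor
```

The second check is the one that matters for the thread: Squid needs the self-signed Tomcat certificate (or its CA) configured as a trust anchor for the upstream connection, otherwise verification stops at depth 0 with error 18 regardless of which key Squid itself presents to clients.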
Received on Fri Mar 18 2011 - 00:52:01 MDT

This archive was generated by hypermail 2.2.0 : Sat Mar 19 2011 - 12:00:01 MDT