[squid-users] Re: squid as forward proxy for portal run on tomcat from arielf on 2011-03-22 (squid-users)

From: arielf <arielf_at_il.ibm.com>
Date: Tue, 22 Mar 2011 00:19:06 -0700 (PDT)

I placed my squid.conf at the end of this post.
Squid forward proxy works fine for all third party http and https sites, but
fails when I try to proxy this specific portal that I put up on tomcat.

This is the failure:
2011/03/22 07:02:03| Accepting bumpy HTTP connections at [::]:3128, FD 15.
2011/03/22 07:02:03| HTCP Disabled.
2011/03/22 07:02:03| Squid modules loaded: 0
2011/03/22 07:02:03| Adaptation support is on
2011/03/22 07:02:03| Ready to serve requests.
2011/03/22 07:02:04| storeLateRelease: released 0 objects
-----BEGIN SSL SESSION PARAMETERS-----
MHECAQECAgMBBAIANQQgKd/gfAJ8PhKA+JjxkCPjZf11uL6J1DKxC1vWtAgtntAE
MLqexrqhHJDzrd3AH5V71jhuFf/e7HInhIzUKsjlxKRmJowAAyvZzCUCpwUPYyRQ
NaEGAgRNiIG5ogQCAgEspAIEAA==
-----END SSL SESSION PARAMETERS-----
2011/03/22 07:02:17| SSL unknown certificate error 19 in
/C=IL/ST=Haifa/O=IBM/OU=HRL/CN=Tomcat
2011/03/22 07:02:17| fwdNegotiateSSL: Error negotiating SSL connection on FD
13: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate
verify failed (1/-1/0)
2011/03/22 07:02:17| SSL unknown certificate error 19 in
/C=IL/ST=Haifa/O=IBM/OU=HRL/CN=Tomcat
2011/03/22 07:02:17| SSL unknown certificate error 19 in
/C=IL/ST=Haifa/O=IBM/OU=HRL/CN=Tomcat
2011/03/22 07:02:17| fwdNegotiateSSL: Error negotiating SSL connection on FD
13: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate
verify failed (1/-1/0)
2011/03/22 07:02:17| SSL unknown certificate error 19 in
/C=IL/ST=Haifa/O=IBM/OU=HRL/CN=Tomcat
2011/03/22 07:02:17| SSL unknown certificate error 19 in
/C=IL/ST=Haifa/O=IBM/OU=HRL/CN=Tomcat
2011/03/22 07:02:17| fwdNegotiateSSL: Error negotiating SSL connection on FD
13: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate
verify failed (1/-1/0)
2011/03/22 07:02:17| SSL unknown certificate error 19 in
/C=IL/ST=Haifa/O=IBM/OU=HRL/CN=Tomcat

Please advise,
Thanks, Ariel.

--------------------------------
squid.conf
--------------------------------
#
# Recommended minimum configuration:
#
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged)
machines

acl SSL_ports port 443 8443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

#
# Recommended minimum Access Permission configuration:
#
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager

# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost
always_direct allow all
http_access allow all

http_port 3128 ssl-bump key=squidkey.pem cert=squidcert.pem
ssl_bump allow all

# We recommend you to use at least the following line.
hierarchy_stoplist cgi-bin ?

# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid

# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

icap_log /var/log/squid/icap.log icap_squid
icap_enable on
icap_send_client_ip on
icap_service_failure_limit -1
icap_service_revival_delay 30
icap_service guardium respmod_precache bypass=0
icap://127.0.0.1:1344/guardium
adaptation_access guardium allow all

request_header_access Accept-Encoding deny all
append_domain .haifa.ibm.com

--
View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/squid-as-forward-proxy-for-portal-run-on-tomcat-tp3383986p3395677.html
Sent from the Squid - Users mailing list archive at Nabble.com.

Received on Tue Mar 22 2011 - 07:19:08 MDT

This archive was generated by hypermail 2.2.0 : Wed Mar 23 2011 - 12:00:02 MDT