Re: [squid-users] SSL client cert configuration and provision

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Mon, 23 May 2011 11:59:20 +1200

 On Sun, 22 May 2011 11:34:48 +0100, Stephan Hügel wrote:
> On 22 May 2011 04:01, Amos Jeffries <squid3_at_treenet.co.nz> wrote:
>> On 22/05/11 06:09, Stephan Hügel wrote:
>>>
>>> Hello,
>>> Apologies in advance for the (presumably) repetitive question:
>>> I'd like to set up squid to provide an SSL cert required for access to a certain site on behalf of my users. I've converted the cert (it was provided in PFX format) to PEM format, and generated a key (though I'm not entirely sure that's necessary).
>>> I've installed squid 2.7.STABLE9 on Ubuntu 11.04, and configured http access for users on my subnet, and this is working correctly:
>>>
>>> http_port 3128
>>> acl all src all
>>> acl manager proto cache_object
>>> acl localhost src 127.0.0.1/32
>>> acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
>>> acl localnet src 10.10.10.0/24
>>> [snip]
>>> http_access allow localnet
>>> icp_access allow localnet
>>>
>>> But I haven't been able to find a HOWTO for transparently providing the required SSL cert on behalf of clients when they connect to the site which requires it.
>>> I assume I have to provide a https_port (443?), and https_allow localnet, but I'm not sure about anything else.
>>>
>>> TIA
>>
>> https_port is for reverse-proxy when the certificate is to be presented to the *client*.
>>
>> From what you say, it seems clients are supposed to present a unique identifier certificate to the *server* and you want to forge from Squid?
>>
>>
>> Before we give you any config, which of those completely different setups do you actually want?
>>
>>
> Amos,
> The latter; I'd like Squid to present the cert on behalf of the clients.

 Then the https_port end for squid<->client is irrelevant.

 The cert needs to go on a cache_peer line pointing Squid at the origin
 server. Similar to reverse-proxy but not quite:

  cache_peer example.com parent 443 0 originserver ssl sslcert=/path/to/cert.pem name=AB
  acl site dstdomain example.com
  cache_peer_access AB allow site
  never_direct allow site

 Note: port and http_access are left alone so your regular forwarding
 permissions take control. Only never_direct is added to prevent Squid
 connecting via direct links without the cert.

 Amos
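A shell helper to go with the reply above (an added example, not from the thread or the Squid project): it splits the PFX the poster mentioned into the PEM cert and key, checks that the two belong together, and prints the cache_peer block with sslkey= given explicitly, since a client certificate cannot be presented without its private key (when no sslkey= is given, Squid expects the key to be inside the sslcert= file). The file paths, the name client.pfx, and the reuse of example.com and AB from the reply are assumptions.

```sh
#!/bin/sh
# Added example, not from the thread. Assumed names: client.pfx (the PFX the
# poster received), /etc/squid/client-cert.pem, /etc/squid/client-key.pem,
# origin host example.com and peer name AB as in the reply.

# Split the PFX into the two PEM files Squid reads. -nodes writes the private
# key unencrypted, because a daemon cannot answer a passphrase prompt, so the
# key file is created owner-only via umask in a subshell.
pfx_to_pem() {            # $1=client.pfx  $2=cert.pem  $3=key.pem
    openssl pkcs12 -in "$1" -clcerts -nokeys -out "$2" &&
    ( umask 077; openssl pkcs12 -in "$1" -nocerts -nodes -out "$3" )
}

# The cert and key only work as a pair: compare the public key embedded in
# the cert with the one derived from the private key. Returns 0 on a match,
# 1 if either file is unreadable or they belong to different keys.
cert_matches_key() {      # $1=cert.pem  $2=key.pem
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$c" = "$k" ]
}

# Render the squid.conf lines from the reply, with sslkey= stated explicitly
# (without it Squid looks for the key inside the sslcert= file).
render_peer_config() {    # $1=origin host  $2=cert.pem  $3=key.pem  $4=peer name
    printf 'cache_peer %s parent 443 0 originserver ssl sslcert=%s sslkey=%s name=%s\n' \
        "$1" "$2" "$3" "$4"
    printf 'acl site dstdomain %s\n' "$1"
    printf 'cache_peer_access %s allow site\n' "$4"
    printf 'never_direct allow site\n'
}

# Usage (as root or the user Squid runs as):
#   pfx_to_pem client.pfx /etc/squid/client-cert.pem /etc/squid/client-key.pem
#   cert_matches_key /etc/squid/client-cert.pem /etc/squid/client-key.pem || exit 1
#   render_peer_config example.com /etc/squid/client-cert.pem \
#       /etc/squid/client-key.pem AB >> /etc/squid/squid.conf
```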
Received on Sun May 22 2011 - 23:59:27 MDT
