Re: [squid-users] how to use sslproxy options

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Fri, 11 Nov 2011 15:42:45 +1300

On 11/11/2011 2:54 p.m., Anandha V wrote:
> Hi Amos
>
> Thanks for your reply
>
> I have made reverse proxy setup as follows,
>
> Client(https)-------(https)squid1(https))----(https)Originserver(8443)
>
> I have made squid conf as follows and setup works fine
>
> https_port 443 accel cert=/usr/local/myCA/certs/server.crt
> key=/usr/local/myCA/private/server.key
> cache_peer originserver parent 8443 0 originserver ssl no-digest
> sslcafile=/usr/local/myCA/certs/myca.crt no-digest
>
>
> Whether I need to specify ssl certificates/key in the cache_peer using
> sslcert and sslkey for the connections between squid and origin server
> to be in https?
>
> or just the CA certificate of the apache is enough?

The minimum config is just the "ssl" option on the cache_peer, which will
verify the Apache certificate is valid and send a generic client
certificate. The rest is just about how much you want to lock down the
security.
* If Apache is validating a specific client certificate you need to
configure that cert to be sent by Squid.
* If Apache is using a self-signed certificate you need to configure
either sslflags=DONT_VERIFY_PEER or the CA to validate it with into Squid.

Amos
Received on Fri Nov 11 2011 - 02:42:52 MST
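
The lock-down levels described in the reply, written out as squid.conf alternatives (an added example, not part of the original thread). The server certificate, key and CA paths are the ones from the question; the client certificate and key paths are placeholders, and only one cache_peer line for the peer should be active at a time.

```squidconf
# Client-facing side: Squid terminates HTTPS with its own server certificate.
https_port 443 accel cert=/usr/local/myCA/certs/server.crt key=/usr/local/myCA/private/server.key

# Level 1: TLS to the origin, origin certificate validated against your own CA.
# This is what the question's configuration already does (sslcafile= names the
# CA that signed the Apache certificate).
cache_peer originserver parent 8443 0 originserver ssl no-digest sslcafile=/usr/local/myCA/certs/myca.crt

# Level 2: as level 1, plus a specific client certificate presented to Apache.
# Needed only if Apache is configured to validate a client certificate.
# Placeholder paths: replace with the certificate/key issued for Squid.
#cache_peer originserver parent 8443 0 originserver ssl no-digest sslcafile=/usr/local/myCA/certs/myca.crt sslcert=/path/to/squid-client.crt sslkey=/path/to/squid-client.key

# Weak alternative: skip validation of the origin certificate entirely.
# The hop is still encrypted, but Squid no longer checks who it is talking to,
# so prefer sslcafile= (level 1) when the origin uses a self-signed or
# private-CA certificate.
#cache_peer originserver parent 8443 0 originserver ssl no-digest sslflags=DONT_VERIFY_PEER
```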
