Re: [squid-users] http to squid to https

From: Squid Tiz <squid_at_tizatron.com>
Date: Mon, 30 Apr 2012 17:00:30 -0700

On Apr 29, 2012, at 10:36 PM, Amos Jeffries wrote:

> On 28/04/2012 10:37 a.m., Squid Tiz wrote:
>> I am kinda new to squid. Been looking over the documentation and I just wanted a sanity check on what I am trying to do.
>>
>> I have a web client that hits my squid server. The squid connects to an apache server via ssl.
>>
>> Here are the lines of interest from my squid.conf for version 3.1.8
>>
>> http_port 80 accel defaultsite=123.123.123.123
>> cache_peer 123.123.123.123 parent 443 0 no-query originserver ssl sslflags=DONT_VERIFY_PEER name=apache1
>>
>> The good news is, that works just as I hoped. I get a connection.
>>
>> But I am questioning the DONT_VERIFY_PEER. Don't I want to verify peer?
>
> Ideally yes. It is better security. But up to you whether you need it or not.
> It means having available to OpenSSL on the squid box (possibly via squid.conf settings) the CA certificate which signed the peers certificate, so that verification will not fail.
>
>>
>> I simply hacked up a self signed cert on the apache server. Installed mod_ssl and restarted apache and everything started to work on 443.
>>
>> On the command line for the squid server I can curl the apache box with:
>>
>> curl --cacert _the_signed_cert_from_the_apache_node_ https://apache.server
>>
>> Is there a way with sslcert and sslkey to setup a keypair that will verify?
>
> They are for configuring the *client* certificate and key sent by Squid to Apache. For when Apache is doing the verification of its clients.
>
> Squid has a sslcacert= option which does the same as curl --cacert option. For validating the Apache certificate(s).
>
>> Do I need a signed cert?
>
> Yes, TLS requires signing. Your self-signing CA will do however, so long as both ends of the connection are in agreement on the CA trust.
>
>>
>> I tried to add the cert and key to the cache_peer line in the config. Squid did restart. But no connection. Why would curl work but not squid?
>>
> see above.
>
> Amos

Amos,

Thanks for the reply.

I was just curious to see if I could get this to fly. The goal is to attach to the squid server via http and have squid verify and attach to the SSL server using a self signed cert. This seems to work. Squid starts OK and my logs are clean. No validation errors.

Comments appreciated.

Create the CA stuff on the apache server:

Key
openssl genrsa -des3 -out ca.key 4096
CRT
openssl req -new -x509 -days 3650 -key ca.key -out ca.crt

Create a server cert:

Key
openssl genrsa -des3 -out server.key 4096
CSR
openssl req -new -key server.key -out server.csr
CRT
openssl x509 -req -days 3650 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt

Then go ahead and install these certs on the server. Test the server on port 443/SSL etc.

Then create a client cert:

Key
openssl genrsa -des3 -out client.key 2048
CSR
openssl req -new -key client.key -out client.csr
CRT
openssl ca -in client.csr -cert ca.crt -keyfile ca.key -out client.crt

Touch up the key - don't want to enter the password on start-up.

openssl rsa -in client.key -out client.key.insecure
mv client.key client.key.secure
mv client.key.insecure client.key

Then take the ca.crt, the client.key and the client.crt and deploy them on the squid server.

Update the /etc/hosts file:

ip-address cn-name-of-apache-server

Then the squid.conf:

http_port 8080 accel defaultsite=cn-name-of-apache-server
cache_peer cn-name-of-apache-server parent 443 0 no-query originserver ssl \
sslcafile=/path/ca.crt sslcert=/path/client.crt sslkey=/path/client.key name=yum1

-- 
Regs
-Dean
Received on Tue May 01 2012 - 00:01:09 MDT

This archive was generated by hypermail 2.2.0 : Tue May 01 2012 - 12:00:05 MDT
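The procedure in the post above, as an added example that is not part of the original message or of the Squid project: a shell script that builds the same kind of private CA, server certificate and client certificate non-interactively (assumed names: working directory ./pki-demo, peer hostname apache.example.test, client CN squid-proxy) and then runs the check that Squid performs once sslflags=DONT_VERIFY_PEER is dropped and sslcafile= points at ca.crt, using openssl verify. The client certificate is issued with openssl x509 -req -CAcreateserial instead of openssl ca, so no index.txt/serial CA database has to be set up first. A certificate from an unrelated CA carrying the same CN is generated too, to show what peer verification rejects.

```shell
#!/bin/sh
# Added example, not the poster's commands: throwaway CA + server cert whose CN
# matches the cache_peer hostname + client cert for sslcert=/sslkey=, followed
# by the verification Squid does against sslcafile=. Names below are assumed.
set -e

PKIDIR="${PKIDIR:-./pki-demo}"
PEER_CN="${PEER_CN:-apache.example.test}"   # must equal the cache_peer hostname

make_pki() {
    mkdir -p "$PKIDIR"
    cd "$PKIDIR"

    # CA key left unencrypted so the script runs unattended (the post's -des3
    # keys would prompt for a passphrase at every step).
    openssl genrsa -out ca.key 2048 2>/dev/null
    openssl req -new -x509 -days 3650 -key ca.key -out ca.crt \
        -subj "/CN=Demo Root CA" 2>/dev/null

    # Server cert: CN is the name Squid connects to, so hostname matching passes.
    openssl genrsa -out server.key 2048 2>/dev/null
    openssl req -new -key server.key -out server.csr -subj "/CN=$PEER_CN" 2>/dev/null
    openssl x509 -req -days 3650 -in server.csr -CA ca.crt -CAkey ca.key \
        -CAcreateserial -out server.crt 2>/dev/null

    # Client cert for Squid, signed by the same CA so Apache can verify it;
    # issued with x509 -req rather than 'openssl ca' (no CA database needed).
    openssl genrsa -out client.key 2048 2>/dev/null
    openssl req -new -key client.key -out client.csr -subj "/CN=squid-proxy" 2>/dev/null
    openssl x509 -req -days 3650 -in client.csr -CA ca.crt -CAkey ca.key \
        -CAcreateserial -out client.crt 2>/dev/null
    cd - >/dev/null
}

# verify_cert CERT: exit 0 if CERT chains to ca.crt (what sslcafile= checks), else 1.
verify_cert() {
    openssl verify -CAfile "$PKIDIR/ca.crt" "$PKIDIR/$1" >/dev/null 2>&1
}

# cert_cn CERT: print the subject CN, to compare with the cache_peer hostname.
cert_cn() {
    openssl x509 -in "$PKIDIR/$1" -noout -subject | sed 's/.*CN *= *//'
}

# A self-signed cert with the right CN but no trust path: this is exactly what
# sslflags=DONT_VERIFY_PEER would accept and sslcafile= rejects.
make_rogue_cert() {
    cd "$PKIDIR"
    openssl req -new -x509 -days 1 -newkey rsa:2048 -nodes -keyout rogue.key \
        -out rogue.crt -subj "/CN=$PEER_CN" 2>/dev/null
    cd - >/dev/null
}

# Usage: sh this_script.sh demo   (builds ./pki-demo and reports the checks)
if [ "${1:-}" = "demo" ]; then
    make_pki
    verify_cert server.crt && echo "server.crt verifies against ca.crt (CN $(cert_cn server.crt))"
    make_rogue_cert
    verify_cert rogue.crt || echo "rogue.crt fails verification despite CN $(cert_cn rogue.crt)"
fi
```

Two things the script makes visible that the post only implies: the CN the server presents has to match the host named in cache_peer (which is why the /etc/hosts entry is needed; Squid 3.x also accepts an ssldomain= option on cache_peer when the two differ), and chaining to ca.crt is a separate check from the CN, so a certificate anyone could mint with the right name still fails once DONT_VERIFY_PEER is gone.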