Re: [squid-users] Cache Peer Redirection Based on User Certificate

From: Eliezer Croitoru <eliezer_at_ngtech.co.il>
Date: Fri, 27 Dec 2013 21:19:37 +0200

Hey there,

Squid doesn't support, and cannot support, any user-level certificate
validation or intervention.
You are looking for a feature which is at the level of "forgery" and
"theft", which are not supported by the Squid project.

Thanks,
Eliezer

On 27/12/13 17:39, Waldemar Siebert wrote:
> Hello,
> I've really diligently searched all the Squid mailing lists and archives, but
> without success.
> My problem: I am trying to implement Cache Peer Redirection based on User
> Certificate.
> Config extract:
> #################################################
> # First HTTPS peer
> cache_peer websrv01.dd.com parent 443 0 no-query proxy-only no-digest originserver ssl sslflags=DONT_VERIFY_PEER name=PEER01
>
> acl CERT_01 user_cert CN NYTIMES
>
> cache_peer_access PEER01 allow CERT_01
>
> http_access allow CERT_01
>
> # Second HTTPS peer
>
> cache_peer websrv02.dd.com parent 443 0 no-query proxy-only no-digest originserver ssl sslflags=DONT_VERIFY_PEER name=PEER02
>
> acl CERT_02 user_cert CN BOSTONGLOBE
>
> cache_peer_access PEER02 allow CERT_02
>
> http_access allow CERT_02
>
> http_access deny all
>
> ################################################
>
> The acl CERT_01,02 works with http_access:
>
> 2013/12/27 13:35:25.093| ACLChecklist::preCheck: 0xa6a3f68 checking
> 'http_access allow CERT_01'
> 2013/12/27 13:35:25.093| ACLList::matches: checking CERT_01
> 2013/12/27 13:35:25.093| ACL::checklistMatches: checking 'CERT_01'
> 2013/12/27 13:35:25.093| aclMatchStringList: checking 'NYTIMES'
> 2013/12/27 13:35:25.094| aclMatchStringList: 'NYTIMES' found
> 2013/12/27 13:35:25.094| ACL::ChecklistMatches: result for 'CERT_01' is 1
> 2013/12/27 13:35:25.094| ACLList::matches: result is true
>
>
> But with cache_peer_access it does not:
>
> 2013/12/27 13:35:25.113| ACLChecklist::preCheck: 0xbfbde738 checking
> 'cache_peer_access PEER01 allow CERT_01'
> 2013/12/27 13:35:25.113| ACLList::matches: checking CERT_01
> 2013/12/27 13:35:25.113| ACL::checklistMatches: checking 'CERT_01'
> 2013/12/27 13:35:25.113| ACL::ChecklistMatches: result for 'CERT_01' is 0
> 2013/12/27 13:35:25.113| ACLList::matches: result is false
> 2013/12/27 13:35:25.113| aclmatchAclList: 0xbfbde738 returning false
> (AND list entry failed to match)
> 2013/12/27 13:35:25.113| aclmatchAclList: async=0 nodeMatched=0
> async_in_progress=0 lastACLResult() = 0 finished() = 0
> 2013/12/27 13:35:25.113| aclCheckFast: no matches, returning: 0
>
>
> Please help me. Thanks.
>
Received on Fri Dec 27 2013 - 19:19:58 MST
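
An added example, not part of the original thread or of Squid: a small Python parser for the ACL debug trace quoted above that reports ACLs which match under one directive but never under another, as CERT_01 does here. It assumes checks are logged sequentially, so each result line belongs to the most recent preCheck line; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Trace lines taken from the quoted cache.log excerpt above, with the
# e-mail line wrapping undone.
SAMPLE = """\
2013/12/27 13:35:25.093| ACLChecklist::preCheck: 0xa6a3f68 checking 'http_access allow CERT_01'
2013/12/27 13:35:25.093| ACLList::matches: checking CERT_01
2013/12/27 13:35:25.094| aclMatchStringList: 'NYTIMES' found
2013/12/27 13:35:25.094| ACL::ChecklistMatches: result for 'CERT_01' is 1
2013/12/27 13:35:25.113| ACLChecklist::preCheck: 0xbfbde738 checking 'cache_peer_access PEER01 allow CERT_01'
2013/12/27 13:35:25.113| ACLList::matches: checking CERT_01
2013/12/27 13:35:25.113| ACL::ChecklistMatches: result for 'CERT_01' is 0
2013/12/27 13:35:25.113| aclCheckFast: no matches, returning: 0
"""

# "preCheck" names the directive being evaluated; "result for" gives the ACL outcome.
PRECHECK = re.compile(r"ACLChecklist::preCheck: 0x[0-9a-f]+ checking '(\w+) [^']*'")
RESULT = re.compile(r"ACL::ChecklistMatches: result for '([^']+)' is ([01])")

def acl_results(trace):
    """Return {acl_name: {directive: set of 0/1 results}} for a debug trace."""
    results = defaultdict(lambda: defaultdict(set))
    directive = None
    for line in trace.splitlines():
        _, _, msg = line.partition("| ")  # drop the timestamp prefix
        m = PRECHECK.search(msg)
        if m:
            directive = m.group(1)  # assumption: later results belong to this check
            continue
        m = RESULT.search(msg)
        if m and directive:
            results[m.group(1)][directive].add(int(m.group(2)))
    return results

def inconsistent(trace):
    """ACLs that matched under one directive but never under another."""
    out = {}
    for acl, per_dir in acl_results(trace).items():
        matched = sorted(d for d, r in per_dir.items() if 1 in r)
        failed = sorted(d for d, r in per_dir.items() if r == {0})
        if matched and failed:
            out[acl] = {"matched": matched, "failed": failed}
    return out

if __name__ == "__main__":
    for acl, v in inconsistent(SAMPLE).items():
        print(f"{acl}: matched in {v['matched']}, never matched in {v['failed']}")
```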
