Re: [squid-users] Cache Peer Redirection Based on User Certificate

From: Waldemar Siebert <wsiebert_at_online.de>
Date: Sat, 28 Dec 2013 14:15:47 +0100

Hello,

what about acl user_cert?

It works with http_access, but not with cache_peer_access. See log below.
I use Squid 3.1.8.

Thanks
Walt

----- Original Message -----
From: "Eliezer Croitoru" <eliezer_at_ngtech.co.il>
To: <squid-users_at_squid-cache.org>
Sent: Friday, December 27, 2013 8:19 PM
Subject: Re: [squid-users] Cache Peer Redirection Based on User Certificate

> Hey there,
>
> Squid doesn't support and cannot support any user level certificate
> validation or intervention.
> You are looking for a feature which is in the level of "forgery" and
> "theft" which are not supported by squid project.
>
> Thanks,
> Eliezer
>
> On 27/12/13 17:39, Waldemar Siebert wrote:
>> Hello,
>> I've really diligently searched all Squid mailing lists and archives, but
>> without success.
>> My problem: I try to implement Cache Peer Redirection based on User
>> Certificate.
>> Config extract:
>> #################################################
>> # First HTTPS peer
>> cache_peer websrv01.dd.com parent 443 0 no-query proxy-only no-digest originserver ssl sslflags=DONT_VERIFY_PEER name=PEER01
>>
>> acl CERT_01 user_cert CN NYTIMES
>>
>> cache_peer_access PEER01 allow CERT_01
>>
>> http_access allow CERT_01
>>
>> # Second HTTPS peer
>>
>> cache_peer websrv02.dd.com parent 443 0 no-query proxy-only no-digest originserver ssl sslflags=DONT_VERIFY_PEER name=PEER02
>>
>> acl CERT_02 user_cert CN BOSTONGLOBE
>>
>> cache_peer_access PEER02 allow CERT_02
>>
>> http_access allow CERT_02
>>
>> http_access deny all
>>
>> ################################################
>>
>> The acl CERT_01,02 works with http_access:
>>
>> 2013/12/27 13:35:25.093| ACLChecklist::preCheck: 0xa6a3f68 checking 'http_access allow CERT_01'
>> 2013/12/27 13:35:25.093| ACLList::matches: checking CERT_01
>> 2013/12/27 13:35:25.093| ACL::checklistMatches: checking 'CERT_01'
>> 2013/12/27 13:35:25.093| aclMatchStringList: checking 'NYTIMES'
>> 2013/12/27 13:35:25.094| aclMatchStringList: 'NYTIMES' found
>> 2013/12/27 13:35:25.094| ACL::ChecklistMatches: result for 'CERT_01' is 1
>> 2013/12/27 13:35:25.094| ACLList::matches: result is true
>>
>>
>> But with cache_peer_access it does not:
>>
>> 2013/12/27 13:35:25.113| ACLChecklist::preCheck: 0xbfbde738 checking 'cache_peer_access PEER01 allow CERT_01'
>> 2013/12/27 13:35:25.113| ACLList::matches: checking CERT_01
>> 2013/12/27 13:35:25.113| ACL::checklistMatches: checking 'CERT_01'
>> 2013/12/27 13:35:25.113| ACL::ChecklistMatches: result for 'CERT_01' is 0
>> 2013/12/27 13:35:25.113| ACLList::matches: result is false
>> 2013/12/27 13:35:25.113| aclmatchAclList: 0xbfbde738 returning false (AND list entry failed to match)
>> 2013/12/27 13:35:25.113| aclmatchAclList: async=0 nodeMatched=0 async_in_progress=0 lastACLResult() = 0 finished() = 0
>> 2013/12/27 13:35:25.113| aclCheckFast: no matches, returning: 0
>>
>>
>> Please help me. Thanks.
>>
>
Received on Sat Dec 28 2013 - 13:15:57 MST
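As an added diagnostic (not code from this thread or from the Squid project), the following Python script parses Squid ACL debug traces of the kind pasted above and reports any ACL whose result differs between directives, noting whether Squid ever compared the ACL's configured values before giving its answer. The sample log is the thread's own trace re-joined onto single lines; the line layout is assumed to be that of Squid 3.1's cache.log.

```python
import re
from collections import defaultdict
# Constructed sample: the Squid 3.1 cache.log ACL trace from the thread above,
# re-joined onto single lines (the mail client had wrapped them).
SAMPLE_LOG = """\
2013/12/27 13:35:25.093| ACLChecklist::preCheck: 0xa6a3f68 checking 'http_access allow CERT_01'
2013/12/27 13:35:25.093| ACLList::matches: checking CERT_01
2013/12/27 13:35:25.093| ACL::checklistMatches: checking 'CERT_01'
2013/12/27 13:35:25.093| aclMatchStringList: checking 'NYTIMES'
2013/12/27 13:35:25.094| aclMatchStringList: 'NYTIMES' found
2013/12/27 13:35:25.094| ACL::ChecklistMatches: result for 'CERT_01' is 1
2013/12/27 13:35:25.094| ACLList::matches: result is true
2013/12/27 13:35:25.113| ACLChecklist::preCheck: 0xbfbde738 checking 'cache_peer_access PEER01 allow CERT_01'
2013/12/27 13:35:25.113| ACLList::matches: checking CERT_01
2013/12/27 13:35:25.113| ACL::checklistMatches: checking 'CERT_01'
2013/12/27 13:35:25.113| ACL::ChecklistMatches: result for 'CERT_01' is 0
2013/12/27 13:35:25.113| ACLList::matches: result is false
2013/12/27 13:35:25.113| aclCheckFast: no matches, returning: 0
"""

PRECHECK = re.compile(r"ACLChecklist::preCheck: (0x[0-9a-f]+) checking '(\S+) (.*)'$")
RESULT = re.compile(r"ACL::ChecklistMatches: result for '([^']+)' is ([01])$")
VALUE_LOOKUP = re.compile(r"aclMatchStringList: ")

def parse_acl_trace(text):
    """One (directive, args, acl, matched, values_consulted) tuple per ACL result;
    values_consulted is True if a comparison against the ACL's values was logged."""
    results, directive, args, consulted = [], None, None, False
    for line in text.splitlines():
        msg = line.split("| ", 1)[-1]          # drop the timestamp prefix
        m = PRECHECK.search(msg)
        if m:                                  # a new checklist starts here
            directive, args, consulted = m.group(2), m.group(3), False
            continue
        if VALUE_LOOKUP.search(msg):
            consulted = True
            continue
        m = RESULT.search(msg)
        if m and directive:
            results.append((directive, args, m.group(1), m.group(2) == "1", consulted))
    return results

def inconsistent_acls(results):
    """acl -> {directive: matched} for ACLs whose result differs between directives,
    as CERT_01 does above (1 under http_access, 0 under cache_peer_access)."""
    by_acl = defaultdict(dict)
    for directive, _args, acl, matched, _consulted in results:
        by_acl[acl][directive] = matched
    return {acl: d for acl, d in by_acl.items() if len(set(d.values())) > 1}
```

Run it over a full cache.log captured with ACL debugging enabled; a false result with no preceding value comparison, as in the cache_peer_access checklist above, shows the ACL was answered without its data being tested.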
