[squid-users] squid HTTPs as reverse proxy problem

Yuri Voinov yvoinov at gmail.com
Mon Apr 20 15:21:23 UTC 2015


What does OpenVPN have to do with SQUID?!

21.04.15 7:17, snakeeyes wrote:
> Thanks, I will tell you what I did so far and hope you help me in the directive squid needed:
>
> mkdir /etc/openvpn/
> wget https://github.com/OpenVPN/easy-rsa-old/archive/master.zip
> unzip master
> cd easy-rsa-old-master/
> cp -R easy-rsa/ /etc/openvpn/
> cd /etc/openvpn/easy-rsa/2.0
> chmod 755 *
> source ./vars
> ./vars
> ./clean-all
> ./build-ca
> ./build-key-server server
> ./build-dh
>
> Now I have the files:
>
> [root at squid keys]# ls -l
> total 76
> -rw-r--r-- 1 root root 4120 Apr 20 17:51 01.pem
> -rw-r--r-- 1 root root 4006 Apr 20 17:52 02.pem
> -rw-r--r-- 1 root root 1383 Apr 20 17:51 ca.crt
> -rw------- 1 root root  912 Apr 20 17:51 ca.key
> -rw-r--r-- 1 root root  245 Apr 20 17:51 dh1024.pem
> -rw-r--r-- 1 root root  276 Apr 20 17:52 index.txt
> -rw-r--r-- 1 root root   21 Apr 20 17:52 index.txt.attr
> -rw-r--r-- 1 root root   21 Apr 20 17:51 index.txt.attr.old
> -rw-r--r-- 1 root root  136 Apr 20 17:51 index.txt.old
> -rw-r--r-- 1 root root    3 Apr 20 17:52 serial
> -rw-r--r-- 1 root root    3 Apr 20 17:51 serial.old
> -rw-r--r-- 1 root root 4120 Apr 20 17:51 server.crt
> -rw-r--r-- 1 root root  729 Apr 20 17:51 server.csr
> -rw------- 1 root root  920 Apr 20 17:51 server.key
>
> What do I need for squid directive?
>
> Is what I did above okay?
>
> cheers
>
>
> From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On Behalf Of Yuri Voinov
> Sent: Monday, April 20, 2015 6:22 AM
> To: squid-users at lists.squid-cache.org
> Subject: Re: [squid-users] squid HTTPs as reverse proxy problem
>
> Man,
>
> self-signed certificate required only for SSL Bump (not pump :)).
>
> For SSL reverse proxy you need CA's signed server certificate.
>
> Feel the difference.
>
> 21.04.15 5:16, snakeeyes wrote:
> > Hi all, I need a help in setting up squid for https reverse proxy
> >
> > I mean I want to authorize the certificate on my pc so that be able to
> > access https using http not tunnel method
> >
> > I have searched a lot and most of docs mention ssl pump, but again I'm here
> > don't want ssl pump feature and all I need is just reverse proxy.
> >
> > Here is steps that I did:
> >
> > cd /etc/squid
> >
> > openssl req -new -newkey rsa:1024 -days 3650 -nodes -x509 -subj '/C=dsa/ST=asd/L=aaa/O=abcv/CN=abc' -keyout /etc/squid/abc.pem -out /etc/squid/abc.pem
> >
> > openssl x509 -in /etc/squid/abc.pem -outform DER -out /etc/squid/abc.der
> >
> > whereis ssl_crtd
> >
> > chown squid:squid /var/lib/ssl_db
> >
> > after that edited squid.conf with:
> >
> > https_port 443 cert=/etc/squid/abc.pem key=/etc/squid/abc.pem
> >
> > then went to my browser and added abc.der as authorized certificates
> >
> > when I connect to proxy I have errors logs:
> >
> > 2015/04/20 15:44:18 kid1| Error negotiating SSL connection on FD 11: Success (0)
> > 2015/04/20 15:44:19 kid1| Error negotiating SSL connection on FD 11: Success (0)
> > 2015/04/20 15:44:21 kid1| Error negotiating SSL connection on FD 11: Success (0)
> > 2015/04/20 15:44:23 kid1| Error negotiating SSL connection on FD 11: Success (0)
> > 2015/04/20 15:45:33 kid1| Error negotiating SSL connection on FD 11: Success (0)
> > 2015/04/20 15:45:33 kid1| Error negotiating SSL connection on FD 11: Success (0)
> > 2015/04/20 15:47:01 kid1| Error negotiating SSL connection on FD 11: Success (0)
> > 2015/04/20 15:53:44 kid1| Error negotiating SSL connection on FD 11: Success (0)
> > 2015/04/20 15:53:46 kid1| Error negotiating SSL connection on FD 11: Success (0)
> > 2015/04/20 15:53:47 kid1| Error negotiating SSL connection on FD 11: Success (0)
> >
> > Where could be the problem?
> >
> > Here is my squid config:
> >
> > squid -v
> > Squid Cache: Version 3.5.1
> > Service Name: squid
> > configure options:  '--prefix=/usr' '--includedir=/include'
> > '--mandir=/share/man' '--infodir=/share/info' '--sysconfdir=/etc'
> > '--enable-cachemgr-hostname=drx' '--localstatedir=/var'
> > '--libexecdir=/lib/squid' '--disable-maintainer-mode'
> > '--disable-dependency-tracking' '--disable-silent-rules' '--srcdir=.'
> > '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid'
> > '--mandir=/usr/share/man' '--enable-inline' '--enable-async-io=8'
> > '--enable-storeio=ufs,aufs,diskd,rock' '--enable-removal-policies=lru,heap'
> > '--enable-delay-pools' '--enable-cache-digests' '--enable-underscores'
> > '--enable-icap-client' '--enable-follow-x-forwarded-for' '--enable-auth'
> > '--enable-basic-auth-helpers=LDAP,MSNT,NCSA,PAM,SASL,SMB,YP,DB,POP3,getpwnam,squid_radius_auth,multi-domain-NTLM'
> > '--enable-ntlm-auth-helpers=smb_lm'
> > '--enable-digest-auth-helpers=ldap,password'
> > '--enable-negotiate-auth-helpers=squid_kerb_auth' '--enable-esi'
> > '--disable-translation' '--with-logdir=/var/log/squid'
> > '--with-pidfile=/var/run/squid.pid' '--with-filedescriptors=131072'
> > '--with-large-files' '--with-default-user=squid' '--enable-linux-netfilter'
> > '--enable-ltdl-convenience' '--enable-ssl' '--enable-ssl-crtd'
> > '--enable-arp-acl' 'CXXFLAGS=-DMAXTCPLISTENPORTS=20000' '--with-openssl'
> > '--enable-snmp'
> >
> > cheers

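
Added example, not part of the thread and not either poster's configuration: a squid.conf fragment for Squid 3.5 in reverse-proxy (accelerator) mode that uses the CA-signed server.crt/server.key pair from the listing above instead of a self-signed certificate. The hostname www.example.com, the origin address 192.0.2.10, the peer name origin_web and the /etc/squid/ssl paths are assumptions.

```conf
# Added example. Hostname, origin address, peer name and file paths are
# assumptions; server.crt and server.key are the CA-signed pair from the
# easy-rsa keys directory, copied somewhere Squid can read them.

# Terminate TLS for the published site. "accel" puts this port in
# reverse-proxy mode; "defaultsite" is the site assumed when a request
# carries no Host header.
https_port 443 accel defaultsite=www.example.com cert=/etc/squid/ssl/server.crt key=/etc/squid/ssl/server.key

# The origin web server that Squid fetches from (plain HTTP on port 80 here).
cache_peer 192.0.2.10 parent 80 0 no-query originserver name=origin_web

# Accept requests for the published hostname only, and forward them to
# that origin only, so the port cannot be used as an open proxy.
acl published_site dstdomain www.example.com
http_access allow published_site
http_access deny all
cache_peer_access origin_web allow published_site
cache_peer_access origin_web deny all
```

Because ca.crt comes from a private easy-rsa CA, clients accept server.crt only after ca.crt is imported as a trusted authority, and the name in the server certificate has to match the hostname clients connect to.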
