[squid-users] Have issue with "https_port ssl-bump intercept"
squid3 at treenet.co.nz
Fri Aug 17 08:59:40 UTC 2018
On 17/08/18 20:39, pius wrote:
> Hi Amos,
> Thanks for the reply. It makes more things clear.
> I do apologize for a Friday message in advance.
> I will explain a bit more about my situation. We are using JFrog artifactory
> in our private network. Artifactory hosts lots of remote repos. We are
> planning to lock down the artifactory using squid. So in my case artifactory is
> the client.
> artifactory ------> Squid(whitelist) -----> Internet
> http (3129) / https (3130)
> I followed the steps from your message. I trust the self-signed squid
> certificate in artifactory. Now the error I am getting in artifactory is
> "Connection to remote repository failed: Host name 'repo.jenkins-ci.org'
> does not match the certificate subject provided by the peer".
> Looks like artifactory is requesting repo.jenkins-ci.org to squid without
> enough information about the domain name. Maybe that's why squid created an SSL
> certificate on behalf of artifactory with an IP address instead of a domain
> name. So how can I map the IP to a domain name? DNS server?
With the config I provided Squid should only send the custom cert to the
client if there is a problem connecting to the upstream server or your
http_access rules perform a "deny" action.
Are you able to identify which of those is going on?
Your Squid access.log and/or cache.log should have some hints.
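
One way to answer that question from access.log, as an added example that is not part of the original thread or of Squid itself: the script separates http_access denials from upstream failures and flags CONNECT targets that are bare IP addresses, which is how intercepted connections are logged before Squid learns a host name. It assumes Squid's default native log format; the sample lines are constructed, the function names are hypothetical, and treating any 5xx status as an upstream problem is a heuristic.

```python
import ipaddress

# Constructed sample lines (native access.log format):
# time elapsed client result/status bytes method URL user hierarchy/peer type
SAMPLE_LOG = """\
1534496380.101     12 10.0.0.5 TCP_DENIED/200 0 CONNECT 203.0.113.10:443 - HIER_NONE/- -
1534496381.250  30021 10.0.0.5 TCP_MISS/503 0 CONNECT 203.0.113.10:443 - ORIGINAL_DST/203.0.113.10 -
1534496382.400    210 10.0.0.5 TCP_TUNNEL/200 5120 CONNECT repo.jenkins-ci.org:443 - ORIGINAL_DST/203.0.113.10 -
"""


def is_ip(host):
    """True when host is an IP literal rather than a DNS name."""
    if not host:
        return False
    try:
        ipaddress.ip_address(host.strip("[]"))  # brackets wrap IPv6 literals
        return True
    except ValueError:
        return False


def classify(line):
    """Return a triage record for one access.log line, or None if malformed."""
    f = line.split()
    if len(f) < 10:
        return None
    result, _, status = f[3].partition("/")
    host = f[6].rsplit(":", 1)[0] if f[5] == "CONNECT" else None
    if "DENIED" in result:
        reason = "denied"            # an http_access rule said "deny"
    elif status.isdigit() and 500 <= int(status) <= 599:
        reason = "upstream_error"    # heuristic: Squid could not reach the server
    else:
        reason = "ok"
    return {"client": f[2], "target": f[6], "reason": reason,
            "ip_target": is_ip(host)}


def triage(log_text):
    """Classify every well-formed line in a block of access.log text."""
    return [r for r in map(classify, log_text.splitlines()) if r]


if __name__ == "__main__":
    for rec in triage(SAMPLE_LOG):
        print(rec)
```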