<div dir="ltr"><div class="gmail_default" style="font-size:small"><p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">Hi,</p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"> </p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">We were able to set up Squid in a host-to-container
infrastructure. That is to say, Squid is installed on the host, proxying traffic
from the container on the same host, as a transparent proxy including SSL
traffic.</p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">Another feature we enabled is request_header_access and
request_header_replace, to spoof and modify the token in HTTP headers sent to
the target dstdomain.</p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"> </p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">The issue we are having right now is that the certificate
installed on the container is a self-signed cert; we were trying to migrate
this cert to a real trusted CA cert, or a Baltimore root cert.</p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">The issue seems to be in the subject name of the cert. In
the self-signed cert, I simply leave everything blank. In the Baltimore root
cert (squid.key and squid.crt in the squid.conf example below, requested through
a Microsoft internal service, and it is Baltimore root), even if I have the
dstdomain in squid.conf as the subject name (<a href="http://abc.microsoft.com">abc.microsoft.com</a> in the squid.conf
example below), I am still getting a “server certificate verification failed” error in
curl. Is there anything I am missing, or is it simply not supported? In my
understanding, it should be no different from Squid as root CA signer in a self-signed
cert?</p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"> </p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">P.S. I do notice that it is illegal for a trusted CA to
issue an official cert to Squid because Squid itself is a man-in-the-middle, so
Squid can only accept a self-signed cert with Squid as root CA? I tried to search
the email archive but had no luck.</p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"> </p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">I have the following squid.conf:</p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"> </p>

<pre>
acl abc dstdomain .abc.microsoft.com
request_header_access Authorization deny abc
request_header_replace Authorization Basic whateverYourTokeisButForBasicItHasToBeBase64Encoded
request_header_access All allow all

https_port 3129 cert=/etc/squid3/squid.crt key=/etc/squid3/squid.key ssl-bump intercept generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
acl SSL_port port 443
http_access allow SSL_port
acl allowed_https_sites ssl::server_name "/etc/squid3/ssl_sites.txt"

ssl_bump server-first all
always_direct allow all

acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
ssl_bump peek step1 all
ssl_bump peek step2 allowed_https_sites
ssl_bump splice step3 allowed_https_sites
</pre>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">Thanks,</p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">Lei</p></div></div>