[squid-users] squid HTTPs as reverse proxy problem
snakeeyes
ahmed.zaeem at netstream.ps
Tue Apr 21 01:17:11 UTC 2015
Thanks, I will tell you what I did so far and hope you can help me with the directive squid needs:
mkdir /etc/openvpn/
wget https://github.com/OpenVPN/easy-rsa-old/archive/master.zip
unzip master
cd easy-rsa-old-master/
cp -R easy-rsa/ /etc/openvpn/
cd /etc/openvpn/easy-rsa/2.0
chmod 755 *
source ./vars
./vars
./clean-all
./build-ca
./build-key-server server
./build-dh
Now I have the files:
[root@squid keys]# ls -l
total 76
-rw-r--r-- 1 root root 4120 Apr 20 17:51 01.pem
-rw-r--r-- 1 root root 4006 Apr 20 17:52 02.pem
-rw-r--r-- 1 root root 1383 Apr 20 17:51 ca.crt
-rw------- 1 root root 912 Apr 20 17:51 ca.key
-rw-r--r-- 1 root root 245 Apr 20 17:51 dh1024.pem
-rw-r--r-- 1 root root 276 Apr 20 17:52 index.txt
-rw-r--r-- 1 root root 21 Apr 20 17:52 index.txt.attr
-rw-r--r-- 1 root root 21 Apr 20 17:51 index.txt.attr.old
-rw-r--r-- 1 root root 136 Apr 20 17:51 index.txt.old
-rw-r--r-- 1 root root 3 Apr 20 17:52 serial
-rw-r--r-- 1 root root 3 Apr 20 17:51 serial.old
-rw-r--r-- 1 root root 4120 Apr 20 17:51 server.crt
-rw-r--r-- 1 root root 729 Apr 20 17:51 server.csr
-rw------- 1 root root 920 Apr 20 17:51 server.key
What do I need for the squid directive?
Is what I did above okay?
cheers
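
A pre-flight check for a CA and server certificate like the ones listed above, as an added example that is not part of the original thread: it confirms that the server certificate was issued by the CA rather than self-signed (the distinction drawn in the reply quoted below) and that the key belongs to it, before printing an `https_port` line. The throwaway PKI, its file names and the `defaultsite` hostname are constructed; `accel` and `defaultsite=` are standard Squid `https_port` options, not something stated in the thread.

```shell
# Added example, not from the thread. Everything under the temp dir and the
# defaultsite hostname are constructed for the demonstration.

# Build a throwaway PKI: a CA, a server cert signed by it, a self-signed cert.
make_demo_pki() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=Demo CA' \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj '/CN=www.example.com' \
        -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/server.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/server.crt" 2>/dev/null &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=abc' \
        -keyout "$d/self.key" -out "$d/self.crt" 2>/dev/null
}

# True when cert $2 verifies against CA file $1 (match on the "OK" report,
# since old openssl releases exit 0 even when verification fails).
signed_by_ca() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# True when issuer and subject are the same name, as in a self-signed cert.
is_self_issued() {
    [ "$(openssl x509 -in "$1" -noout -subject_hash 2>/dev/null)" = \
      "$(openssl x509 -in "$1" -noout -issuer_hash 2>/dev/null)" ]
}

# True when private key $2 carries the same public key as cert $1.
key_matches_cert() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Print a reverse-proxy listener line only for a pair that passes every check.
https_port_line() {   # args: ca-file cert key
    is_self_issued "$2" && { echo "$2: self-signed" >&2; return 1; }
    signed_by_ca "$1" "$2" || { echo "$2: not issued by $1" >&2; return 1; }
    key_matches_cert "$2" "$3" || { echo "$3: does not match $2" >&2; return 1; }
    echo "https_port 443 accel cert=$2 key=$3 defaultsite=www.example.com"
}

# Demo run on the constructed files: the first call prints a line, the second
# is rejected because the certificate is self-signed.
demo=$(mktemp -d) && trap 'rm -rf "$demo"' EXIT
make_demo_pki "$demo"
https_port_line "$demo/ca.crt" "$demo/server.crt" "$demo/server.key"
https_port_line "$demo/ca.crt" "$demo/self.crt" "$demo/self.key" || true
```
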
From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On Behalf Of Yuri Voinov
Sent: Monday, April 20, 2015 6:22 AM
To: squid-users at lists.squid-cache.org
Subject: Re: [squid-users] squid HTTPs as reverse proxy problem
Man,
A self-signed certificate is required only for SSL Bump (not pump :)).
For an SSL reverse proxy you need a CA-signed server certificate.
Feel the difference.
21.04.15 5:16, snakeeyes wrote:
> Hi all, I need help in setting up squid for https reverse proxy
>
> I mean I want to authorize the certificate on my pc so that I am able to
> access https using http not tunnel method
>
> I have searched a lot and most of the docs mention ssl pump, but again I'm here,
> I don't want the ssl pump feature and all I need is just reverse proxy.
>
> Here are the steps that I did:
>
> cd /etc/squid
>
> openssl req -new -newkey rsa:1024 -days 3650 -nodes -x509 -subj '/C=dsa/ST=asd/L=aaa/O=abcv/CN=abc' -keyout /etc/squid/abc.pem -out /etc/squid/abc.pem
>
> openssl x509 -in /etc/squid/abc.pem -outform DER -out /etc/squid/abc.der
>
> whereis ssl_crtd
>
> chown squid:squid /var/lib/ssl_db
>
> after that edited squid.conf with:
>
> https_port 443 cert=/etc/squid/abc.pem key=/etc/squid/abc.pem
>
> then went to my browser and added abc.der as authorized certificates
>
> when I connect to proxy I have error logs:
>
> 2015/04/20 15:44:18 kid1| Error negotiating SSL connection on FD 11: Success (0)
> 2015/04/20 15:44:19 kid1| Error negotiating SSL connection on FD 11: Success (0)
> 2015/04/20 15:44:21 kid1| Error negotiating SSL connection on FD 11: Success (0)
> 2015/04/20 15:44:23 kid1| Error negotiating SSL connection on FD 11: Success (0)
> 2015/04/20 15:45:33 kid1| Error negotiating SSL connection on FD 11: Success (0)
> 2015/04/20 15:45:33 kid1| Error negotiating SSL connection on FD 11: Success (0)
> 2015/04/20 15:47:01 kid1| Error negotiating SSL connection on FD 11: Success (0)
> 2015/04/20 15:53:44 kid1| Error negotiating SSL connection on FD 11: Success (0)
> 2015/04/20 15:53:46 kid1| Error negotiating SSL connection on FD 11: Success (0)
> 2015/04/20 15:53:47 kid1| Error negotiating SSL connection on FD 11: Success (0)
>
> Where could be the problem?
>
> Here is my squid config:
>
> squid -v
> Squid Cache: Version 3.5.1
> Service Name: squid
> configure options: '--prefix=/usr' '--includedir=/include'
> '--mandir=/share/man' '--infodir=/share/info' '--sysconfdir=/etc'
> '--enable-cachemgr-hostname=drx' '--localstatedir=/var'
> '--libexecdir=/lib/squid' '--disable-maintainer-mode'
> '--disable-dependency-tracking' '--disable-silent-rules' '--srcdir=.'
> '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid'
> '--mandir=/usr/share/man' '--enable-inline' '--enable-async-io=8'
> '--enable-storeio=ufs,aufs,diskd,rock' '--enable-removal-policies=lru,heap'
> '--enable-delay-pools' '--enable-cache-digests' '--enable-underscores'
> '--enable-icap-client' '--enable-follow-x-forwarded-for' '--enable-auth'
> '--enable-basic-auth-helpers=LDAP,MSNT,NCSA,PAM,SASL,SMB,YP,DB,POP3,getpwnam,squid_radius_auth,multi-domain-NTLM'
> '--enable-ntlm-auth-helpers=smb_lm'
> '--enable-digest-auth-helpers=ldap,password'
> '--enable-negotiate-auth-helpers=squid_kerb_auth' '--enable-esi'
> '--disable-translation' '--with-logdir=/var/log/squid'
> '--with-pidfile=/var/run/squid.pid' '--with-filedescriptors=131072'
> '--with-large-files' '--with-default-user=squid' '--enable-linux-netfilter'
> '--enable-ltdl-convenience' '--enable-ssl' '--enable-ssl-crtd'
> '--enable-arp-acl' 'CXXFLAGS=-DMAXTCPLISTENPORTS=20000' '--with-openssl'
> '--enable-snmp'
>
> cheers