[squid-users] Trusted CA Certificate with ssl_bump
Patrick Chemla
patrick.chemla at performance-managers.com
Thu Nov 17 18:11:54 UTC 2016
Hi Alex, sorry for disturbing, but it works with
https_port 5.39.105.241:443 accel defaultsite=www.semplixxxx.com
cert=/etc/squid/ssl/semplixxxx.com.crt key=/etc/squid/ssl/semplixxxx.com.key
Many, many, many Thanks for valuable help.
Patrick
Le 17/11/2016 à 19:48, Patrick Chemla a écrit :
> Hi Alex,
>
> I followed the
>
> http://wiki.squid-cache.org/SquidFaq/ReverseProxy
>
> I am getting errors when trying to connect. What could it be?
>
> This is the config: Is there something bad there?
>
> ======================================
> debug_options ALL,1 33,2 28,9
>
> http_port 5.39.105.241:443 accel defaultsite=www.semplixxxx.com
> cert=/etc/squid/ssl/semplixxxx.com.crt
> key=/etc/squid/ssl/semplixxxx.com.key
>
> cache_peer 172.16.16.83 parent 80 0 no-query originserver login=PASS
> sourcehash weight=80 connect-timeout=3 connect-fail-limit=3 standby=5
> name=SEMP1
> cache_peer 172.16.17.83 parent 80 0 no-query originserver login=PASS
> sourcehash weight=80 connect-timeout=3 connect-fail-limit=3 standby=5
> name=SEMP2
>
> acl w3_semplixxxx dstdomain .semplixxxx.com
> cache_peer_access SEMP1 allow w3_semplixxxx
> cache_peer_access SEMP1 deny all
>
> http_access allow w3_semplixxxx
>
> =====================================
>
> $ wget https://www.semplixxxx.com
> --2016-11-17 19:34:49-- https://www.semplixxxx.com/
> Résolution de www.semplitech.com (www.semplixxxx.com)… xxx.xxx.xxx.xxx
> Connexion à www.semplitech.com
> (www.semplixxxx.com)|xxx.xxx.xxx.xxx|:443… connecté.
> OpenSSL: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown
> protocol
> Incapable d'établir une connexion SSL.
>
> Same error with the browser
> =========================================
> THis is what I have in access_log file:
> - ccc.ccc.ccc.ccc - - - [17/Nov/2016:18:34:49 +0100] "NONE
> error:invalid-request - HTTP/1.1" 400 4468 "-" "-" TAG_NONE:HIER_NONE
> - ccc.ccc.ccc.ccc - - - [17/Nov/2016:18:35:30 +0100] "NONE
> error:invalid-request - HTTP/1.1" 400 4468 "-" "-" TAG_NONE:HIER_NONE
>
> ===========================================
> This is what I have in cache.log:
> 2016/11/17 18:35:28.724 kid1| 28,4| FilledChecklist.cc(66)
> ~ACLFilledChecklist: ACLFilledChecklist destroyed 0x78737acd2520
> 2016/11/17 18:35:28.725 kid1| 28,4| Checklist.cc(197) ~ACLChecklist:
> ACLChecklist::~ACLChecklist: destroyed 0x78737acd2520
> 2016/11/17 18:35:30.752 kid1| 28,4| Eui48.cc(178) lookup:
> id=0xf55ca8ed404 query ARP table
> 2016/11/17 18:35:30.752 kid1| 28,4| Eui48.cc(222) lookup:
> id=0xf55ca8ed404 query ARP on each interface (480 found)
> 2016/11/17 18:35:30.752 kid1| 28,4| Eui48.cc(228) lookup:
> id=0xf55ca8ed404 found interface lo
> 2016/11/17 18:35:30.753 kid1| 28,4| Eui48.cc(228) lookup:
> id=0xf55ca8ed404 found interface eth2
> 2016/11/17 18:35:30.753 kid1| 28,4| Eui48.cc(237) lookup:
> id=0xf55ca8ed404 looking up ARP address for ccc.ccc.ccc.ccc on eth2
> 2016/11/17 18:35:30.753 kid1| 28,4| Eui48.cc(228) lookup:
> id=0xf55ca8ed404 found interface eth2:1
> 2016/11/17 18:35:30.753 kid1| 28,4| Eui48.cc(228) lookup:
> id=0xf55ca8ed404 found interface eth2:2
> 2016/11/17 18:35:30.753 kid1| 28,4| Eui48.cc(228) lookup:
> id=0xf55ca8ed404 found interface eth2:3
> 2016/11/17 18:35:30.753 kid1| 28,4| Eui48.cc(228) lookup:
> id=0xf55ca8ed404 found interface eth2:4
> 2016/11/17 18:35:30.753 kid1| 28,4| Eui48.cc(228) lookup:
> id=0xf55ca8ed404 found interface eth2:5
> 2016/11/17 18:35:30.753 kid1| 28,4| Eui48.cc(228) lookup:
> id=0xf55ca8ed404 found interface eth2:6
> 2016/11/17 18:35:30.753 kid1| 28,4| Eui48.cc(228) lookup:
> id=0xf55ca8ed404 found interface eth2:7
> 2016/11/17 18:35:30.753 kid1| 28,4| Eui48.cc(228) lookup:
> id=0xf55ca8ed404 found interface eth2:8
> 2016/11/17 18:35:30.753 kid1| 28,4| Eui48.cc(228) lookup:
> id=0xf55ca8ed404 found interface eth3
> 2016/11/17 18:35:30.753 kid1| 28,4| Eui48.cc(237) lookup:
> id=0xf55ca8ed404 looking up ARP address for ccc.ccc.ccc.ccc on eth3
> 2016/11/17 18:35:30.753 kid1| 28,4| Eui48.cc(228) lookup:
> id=0xf55ca8ed404 found interface virbr0
> 2016/11/17 18:35:30.753 kid1| 28,4| Eui48.cc(237) lookup:
> id=0xf55ca8ed404 looking up ARP address for ccc.ccc.ccc.ccc on virbr0
> 2016/11/17 18:35:30.753 kid1| 28,3| Eui48.cc(520) lookup:
> id=0xf55ca8ed404 ccc.ccc.ccc.ccc NOT found
> 2016/11/17 18:35:30.753 kid1| 28,4| FilledChecklist.cc(66)
> ~ACLFilledChecklist: ACLFilledChecklist destroyed 0x78737acd2660
> 2016/11/17 18:35:30.753 kid1| 28,4| Checklist.cc(197) ~ACLChecklist:
> ACLChecklist::~ACLChecklist: destroyed 0x78737acd2660
> 2016/11/17 18:35:30.753 kid1| 33,2| client_side.cc(2583)
> clientProcessRequest: clientProcessRequest: Invalid Request
> 2016/11/17 18:35:30.753 kid1| 33,2| client_side.cc(816) swanSong:
> local=5.39.105.241:443 remote=ccc.ccc.ccc.ccc:48745 flags=1
> 2016/11/17 18:35:30.753 kid1| 28,3| Checklist.cc(70) preCheck:
> 0x78737acd23c0 checking fast ACLs
> 2016/11/17 18:35:30.753 kid1| 28,5| Acl.cc(138) matches: checking
> access_log daemon:/var/log/squid/access.log
> 2016/11/17 18:35:30.753 kid1| 28,5| Acl.cc(138) matches: checking
> (access_log daemon:/var/log/squid/access.log line)
> 2016/11/17 18:35:30.753 kid1| 28,3| Acl.cc(158) matches: checked:
> (access_log daemon:/var/log/squid/access.log line) = 1
> 2016/11/17 18:35:30.753 kid1| 28,3| Acl.cc(158) matches: checked:
> access_log daemon:/var/log/squid/access.log = 1
> 2016/11/17 18:35:30.753 kid1| 28,3| Checklist.cc(63) markFinished:
> 0x78737acd23c0 answer ALLOWED for match
> 2016/11/17 18:35:30.754 kid1| 28,4| FilledChecklist.cc(66)
> ~ACLFilledChecklist: ACLFilledChecklist destroyed 0x78737acd23c0
> 2016/11/17 18:35:30.754 kid1| 28,4| Checklist.cc(197) ~ACLChecklist:
> ACLChecklist::~ACLChecklist: destroyed 0x78737acd23c0
> 2016/11/17 18:36:15.609 kid1| 28,4| FilledChecklist.cc(66)
> ~ACLFilledChecklist: ACLFilledChecklist destroyed 0x78737acd2520
> 2016/11/17 18:36:15.609 kid1| 28,4| Checklist.cc(197) ~ACLChecklist:
> ACLChecklist::~ACLChecklist: destroyed 0x78737acd2520
>
> Thanks for help
> Patrick
>
> Le 16/11/2016 à 20:16, Patrick Chemla a écrit :
>> Many Thanks Alex. I will try in the next hours and let you if I am
>> successful.
>>
>> Patrick
>>
>>
>> Le 16/11/2016 à 20:04, Alex Crow a écrit :
>>>
>>> On 16/11/16 17:33, Patrick Chemla wrote:
>>>> Thanks for your answers, I am not doing anything illegal, I am
>>>> trying to
>>>> build a performant platform.
>>>>
>>>> I have a big server running about 10 different websites.
>>>>
>>>> I have on this server virtual machines, each specialized for one-some
>>>> websites, and squid help me to send the traffic to the destination
>>>> website on the internal VM according to the URL.
>>>>
>>>> Some VMs are paired, so squid will loadbalance the traffic on group of
>>>> VMs according to the URL/acls.
>>>>
>>>> All this works in HTTP, thanks to Amos advices few weeks ago.
>>>>
>>>> Now, I need to set SSL traffic, and because the domains are
>>>> different I
>>>> need to use different IPs:443 to be able to use different
>>>> certificates.
>>>>
>>>> I tried many times in the past to make squid working in SSL and never
>>>> succeed because of so many options, and this question: Does the
>>>> traffic
>>>> between squid and the backend should be SSL? If yes, it's OK for me.
>>>> nothing illegal.
>>>>
>>>> The second question: How to set up the SSL link on squid getting
>>>> the SSL
>>>> request and sending to the backend. Actually the backend can handle
>>>> SSL
>>>> traffic, it's OK for me if I find the way to make squid handle the
>>>> traffic, according to the acls. squid must decrypt the request,
>>>> compute
>>>> the acls, then re-crypt to send to the backend.
>>>>
>>>> The reason I asked not to reencrypt is because of performances. All
>>>> this
>>>> is on the same server, from the host to the VMs and decrypt, the
>>>> reencrypt, then decrypt will be ressources consumming. But I can do it
>>>> like that.
>>>>
>>>> Now, do you have any Howto, clear, that will help? I found many on
>>>> Google and not any gave me the solution working.
>>>>
>>>> The other question is about Trusted Certificates. We have on the
>>>> websites trusted certificates. Should we use the same on the squid?
>>>>
>>>> Thanks for appeciate help
>>>>
>>>> Patrick
>>>>
>>>>
>>> You are using a reverse proxy/web accelerator setup. Nothing you do
>>> there will be illegal if you're using it for your own servers! You
>>> should be able to use HTTP to the backend and just offer HTTPS from
>>> squid. This will avoid loading the backend with encryption cycles. You
>>> don't need any certificate generation as AFAIK you already have all the
>>> certs you need.
>>>
>>> See:
>>>
>>> http://wiki.squid-cache.org/SquidFaq/ReverseProxy
>>>
>>> for starters. You can adapt the wildcard example; if you have specific
>>> certs for each domain, just listen on a different IP for each domain
>>> and
>>> set up multiple https_port with a different listening IP for each site.
>>> If you have a wildcard cert, ie *.mydomain.com, follow it directly.
>>>
>>> Here's a couple more:
>>>
>>> http://wiki.univention.com/index.php?title=Cool_Solution_-_Squid_as_Reverse_SSL_Proxy
>>>
>>>
>>> (I found the above with a simple google for "squid reverse ssl proxy".
>>> Google is your friend here... )
>>>
>>> http://www.squid-cache.org/Doc/config/https_port/
>>>
>>> That's as far as my knowledge goes on reverse in Squid, at my site we
>>> use nginx.But AFAIK if you're doing what I think you're doing that
>>> should be enough. Squid does have a lot of config parameters, but then
>>> so does any other fully capable proxy server. Just focus on the parts
>>> you need for your role and it will be much easier. Specifically ignore
>>> bump/peek+splice, it's just for forward proxy.
>>>
>>> Alex
>>> _______________________________________________
>>> squid-users mailing list
>>> squid-users at lists.squid-cache.org
>>> http://lists.squid-cache.org/listinfo/squid-users
>>
>> _______________________________________________
>> squid-users mailing list
>> squid-users at lists.squid-cache.org
>> http://lists.squid-cache.org/listinfo/squid-users
>
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
More information about the squid-users
mailing list