[squid-users] Have issue with "https_port ssl-bump intercept"
Amos Jeffries
squid3 at treenet.co.nz
Fri Aug 17 08:59:40 UTC 2018
On 17/08/18 20:39, pius wrote:
> Hi Amos,
>
>
> Thanks for the reply. It makes more things clear.
>
> I do apologize for a Friday message in advance.
>
> I will explain a bit more about my situation. We are using JFrog Artifactory
> in our private network. Artifactory hosts lots of remote repos. We are
> planning to lock down the artifactory using squid. So in my case artifactory is
> the client.
>
> artifactory ------> Squid(whitelist) -----> Internet
> http (3129) / https (3130)
>
> I followed the steps from your message. I trust the self-signed squid
> certificate in artifactory. Now the error I am getting in artifactory is
>
> "Connection to remote repository failed: Host name 'repo.jenkins-ci.org'
> does not match the certificate subject provided by the peer
> (CN=130.211.20.35)"
>
> Looks like artifactory is requesting repo.jenkins-ci.org to squid without
> enough information about the domain name. Maybe that is why squid created an ssl
> certificate on behalf of artifactory with an IP address instead of a domain
> name. So how can I map the ip to a domain name? DNS server?
>
With the config I provided Squid should only send the custom cert to the
client if there is a problem connecting to the upstream server or your
http_access rules perform a "deny" action.
Are you able to identify which of those is going on?
Your Squid access.log and/or cache.log should have some hints.
Amos
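
An added example (not part of the original message, and not Squid project code) of the access.log check suggested above: it parses lines in Squid's default native log format, separates http_access denials from upstream failures, and flags CONNECT targets logged as a bare IP, which is what an intercepted connection looks like before any host name is known. The sample lines are constructed, and treating a 5xx status as an upstream connection problem is an assumption.

```python
import ipaddress
import re

# Default native "squid" logformat:
# time elapsed client result/status bytes method url user hierarchy/peer type
LINE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>-?\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>\w+)/(?P<status>\d{3})\s+(?P<size>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hier>\w+)/(?P<peer>\S+)\s+(?P<mime>\S+)\s*$"
)

def target_is_ip(url):
    """True when a CONNECT target (host:port) is an IP literal, not a name."""
    host = url.rsplit(":", 1)[0].strip("[]")
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def classify(line):
    """Return url, likely cause and by_ip flag for one line, or None if unparsable."""
    m = LINE.match(line)
    if not m:
        return None
    if "DENIED" in m["result"]:
        cause = "http_access deny"
    elif m["status"].startswith("5"):  # assumption: 5xx means upstream trouble
        cause = "upstream connection problem"
    else:
        cause = "no error recorded"
    by_ip = m["method"] == "CONNECT" and target_is_ip(m["url"])
    return {"url": m["url"], "cause": cause, "by_ip": by_ip}

def triage(lines):
    """Keep only the entries that would make Squid answer with its own cert."""
    hits = (classify(line) for line in lines)
    return [h for h in hits if h and h["cause"] != "no error recorded"]

# Constructed sample lines (client address and timings are made up).
SAMPLE = [
    "1534496380.101     12 10.0.0.5 TCP_DENIED/200 0 CONNECT 130.211.20.35:443 - HIER_NONE/- -",
    "1534496381.250  30004 10.0.0.5 NONE/503 0 CONNECT 192.0.2.10:443 - HIER_NONE/- -",
    "1534496382.007    184 10.0.0.5 TCP_TUNNEL/200 5120 CONNECT repo.jenkins-ci.org:443 - HIER_DIRECT/130.211.20.35 -",
]

if __name__ == "__main__":
    for hit in triage(SAMPLE):
        print(hit)
```
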