[squid-users] squid 3.5 reverse proxy https configuration problem
Alex Rousskov
rousskov at measurement-factory.com
Wed May 20 16:59:47 UTC 2020
On 5/20/20 12:20 PM, sjmeyer wrote:
> I have a squid configured as a reverse proxy on RHEL 7.8
>
> the certificates on the squid box seem okay the squid -k parse passes,
> however when I attempt to access the back-end server via squid I get
>
> Error negotiating SSL connection on FD 13: error:14094416:SSL
> routines:ssl3_read_bytes:sslv3 alert certificate unknown (1/0)
AFAICT, your client (e.g., a browser) probably does not trust Squid's
certificate (i.e., /etc/squid/tls/devi_public.pem). Should it? What does
the client say?
> It'd my understanding to resolve the SSL error I need to add the CA of the
> backend sever to the RHEL trust store
If my understanding about the scope of the error is correct, then the
backend server is irrelevant. The error is between the TLS/HTTPS client
and Squid, not Squid and cache_peer. Squid has not yet contacted the
cache_peer at the time of this error.
HTH,
Alex.
> - I have done that, copied the ca to
> /etc/pki/ca-trust/source/anchors/
> ran update-ca-trust extract,
> confirmed the CA is in the file
> /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
>
> however no change. I have seen references to the ssl_crtd project however
> from the examples I've seen that isn't required. is this my issue?
>
> Contents of my squid.conf file are below, would appreciate
> # reverse proxy site
> #
> acl localnet src 10.0.0.0/8
> # - debug options
> # 0 client database
> # 1 start up and main loop
> # 2 Unlink Daemon
> # 3 configuration file parsing
> # 4 error generation
> # 5 socket functions
> # 11 HTTP
> # 23 URL parsing
> debug_options All,1 9
>
>
> acl SSL_ports port 5443
> acl Safe_ports port 80
> acl Safe_ports port 21
> acl Safe_ports port 443
> acl Safe_ports port 8902
> acl Safe_ports port 70
> acl Safe_ports port 210
> acl Safe_ports port 280
> acl Safe_ports port 488
> acl Safe_ports port 591
> acl Safe_ports port 777
> acl Safe_ports port 5443
> acl Safe_ports port 1025-65535
> acl CONNECT method CONNECT
>
>
> http_port 3128 transparent
>
> http_access allow Safe_ports
> #http_access deny !Safe_ports
>
> http_access allow localnet
>
>
>
>
> https_port 5443 accel defaultsite=10.234.48.183
> cert=/etc/squid/tls/devi_public.pem key=/etc/squid/tls/devi_private.key
> cafile=/etc/squid/tls/devi_ca.crt vhost
>
>
> sslproxy_options NO_SSLv2:NO_SSLv3:NO_TLSv1:NO_TLSv1_1
>
>
>
>
> cache_peer 10.234.49.188 parent 5443 0 no-query originserver ssl
> sslflags=DONT_VERIFY_PEER connection-auth=off name=dev-api
>
> acl BrokenButTrustedServers dstdomain 10.234.49.188 devi.mlms.cms.gov
> #sslproxy_cert_error allow BrokenButTrustedServers
> sslproxy_cert_error allow all
> #sslproxy_cert_error deny all
> sslproxy_flags DONT_VERIFY_PEER
>
> #ssl_bump splice #localhost
> # configure backend
>
> acl our_sites dstdomain dev.app.lb.local 10.234.49.188
> http_access allow our_sites
> cache_peer_access dev-int allow our_sites
> cache_peer_access dev-api allow our_sites
>
>
>
> --
> Sent from: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Users-f1019091.html
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>
More information about the squid-users
mailing list