[squid-users] squid HTTPs as reverse proxy problem

2015-04-20 Thread snakeeyes
Hi all, I need help in setting up squid for https reverse proxy.

I mean I want to authorize the certificate on my pc so that I am able to
access https using http, not tunnel method.

I have searched a lot and most of docs mention ssl pump, but again I'm here:
don't want ssl pump feature and all I need is just reverse proxy.

Here are the steps that I did:

cd /etc/squid

openssl req -new -newkey rsa:1024 -days 3650 -nodes -x509 \
  -subj '/C=dsa/ST=asd/L=aaa/O=abcv/CN=abc' \
  -keyout /etc/squid/abc.pem -out /etc/squid/abc.pem

openssl x509 -in /etc/squid/abc.pem -outform DER -out /etc/squid/abc.der

whereis ssl_crtd

chown squid:squid /var/lib/ssl_db

after that edited squid.conf with:

https_port 443 cert=/etc/squid/abc.pem key=/etc/squid/abc.pem

then went to my browser and added abc.der as authorized certificates

when I connect to proxy I have error logs:

2015/04/20 15:44:18 kid1| Error negotiating SSL connection on FD 11: Success (0)
2015/04/20 15:44:19 kid1| Error negotiating SSL connection on FD 11: Success (0)
2015/04/20 15:44:21 kid1| Error negotiating SSL connection on FD 11: Success (0)
2015/04/20 15:44:23 kid1| Error negotiating SSL connection on FD 11: Success (0)
2015/04/20 15:45:33 kid1| Error negotiating SSL connection on FD 11: Success (0)
2015/04/20 15:45:33 kid1| Error negotiating SSL connection on FD 11: Success (0)
2015/04/20 15:47:01 kid1| Error negotiating SSL connection on FD 11: Success (0)
2015/04/20 15:53:44 kid1| Error negotiating SSL connection on FD 11: Success (0)
2015/04/20 15:53:46 kid1| Error negotiating SSL connection on FD 11: Success (0)
2015/04/20 15:53:47 kid1| Error negotiating SSL connection on FD 11: Success (0)

Where could the problem be?

Here is my squid config:

squid -v
Squid Cache: Version 3.5.1
Service Name: squid
configure options:  '--prefix=/usr' '--includedir=/include'
'--mandir=/share/man' '--infodir=/share/info' '--sysconfdir=/etc'
'--enable-cachemgr-hostname=drx' '--localstatedir=/var'
'--libexecdir=/lib/squid' '--disable-maintainer-mode'
'--disable-dependency-tracking' '--disable-silent-rules' '--srcdir=.'
'--datadir=/usr/share/squid' '--sysconfdir=/etc/squid'
'--mandir=/usr/share/man' '--enable-inline' '--enable-async-io=8'
'--enable-storeio=ufs,aufs,diskd,rock' '--enable-removal-policies=lru,heap'
'--enable-delay-pools' '--enable-cache-digests' '--enable-underscores'
'--enable-icap-client' '--enable-follow-x-forwarded-for' '--enable-auth'
'--enable-basic-auth-helpers=LDAP,MSNT,NCSA,PAM,SASL,SMB,YP,DB,POP3,getpwnam,squid_radius_auth,multi-domain-NTLM'
'--enable-ntlm-auth-helpers=smb_lm'
'--enable-digest-auth-helpers=ldap,password'
'--enable-negotiate-auth-helpers=squid_kerb_auth' '--enable-esi'
'--disable-translation' '--with-logdir=/var/log/squid'
'--with-pidfile=/var/run/squid.pid' '--with-filedescriptors=131072'
'--with-large-files' '--with-default-user=squid' '--enable-linux-netfilter'
'--enable-ltdl-convenience' '--enable-ssl' '--enable-ssl-crtd'
'--enable-arp-acl' 'CXXFLAGS=-DMAXTCPLISTENPORTS=2' '--with-openssl'
'--enable-snmp'

cheers

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] squid HTTPs as reverse proxy problem

2015-04-20 Thread Yuri Voinov

Man,

A self-signed certificate is required only for SSL Bump (not pump :)).

For SSL reverse proxy you need a CA-signed server certificate.

Feel the difference.

21.04.15 5:16, snakeeyes writes:
> Hi all, I need help in setting up squid for https reverse proxy
>
> I mean I want to authorize the certificate on my pc so that I am able to
> access https using http, not tunnel method
>
> I have searched a lot and most of docs mention ssl pump, but again I'm here:
> don't want ssl pump feature and all I need is just reverse proxy.



Re: [squid-users] squid HTTPs as reverse proxy problem

2015-04-20 Thread snakeeyes
Thanks, I will tell you what I did so far and hope you help me with the directive
squid needs:

mkdir /etc/openvpn/
wget https://github.com/OpenVPN/easy-rsa-old/archive/master.zip
unzip master.zip
cd easy-rsa-old-master/
cp -R easy-rsa/ /etc/openvpn/
cd /etc/openvpn/easy-rsa/2.0
chmod 755 *
source ./vars
./vars
./clean-all
./build-ca
./build-key-server server
./build-dh

Now I have the files:

[root@squid keys]# ls -l
total 76
-rw-r--r-- 1 root root 4120 Apr 20 17:51 01.pem
-rw-r--r-- 1 root root 4006 Apr 20 17:52 02.pem
-rw-r--r-- 1 root root 1383 Apr 20 17:51 ca.crt
-rw------- 1 root root  912 Apr 20 17:51 ca.key
-rw-r--r-- 1 root root  245 Apr 20 17:51 dh1024.pem
-rw-r--r-- 1 root root  276 Apr 20 17:52 index.txt
-rw-r--r-- 1 root root   21 Apr 20 17:52 index.txt.attr
-rw-r--r-- 1 root root   21 Apr 20 17:51 index.txt.attr.old
-rw-r--r-- 1 root root  136 Apr 20 17:51 index.txt.old
-rw-r--r-- 1 root root    3 Apr 20 17:52 serial
-rw-r--r-- 1 root root    3 Apr 20 17:51 serial.old
-rw-r--r-- 1 root root 4120 Apr 20 17:51 server.crt
-rw-r--r-- 1 root root  729 Apr 20 17:51 server.csr
-rw------- 1 root root  920 Apr 20 17:51 server.key

What do I need for squid directive?

Is what I did above okay?

cheers

 


Re: [squid-users] squid HTTPs as reverse proxy problem

2015-04-20 Thread Yuri Voinov

What does OpenVPN have to do with Squid?!

21.04.15 7:17, snakeeyes writes:
> Thanks, I will tell you what I did so far and hope you help me with the directive
> squid needs:

Re: [squid-users] squid HTTPs as reverse proxy problem

2015-04-20 Thread Amos Jeffries
On 21/04/2015 1:17 p.m., snakeeyes wrote:
> Thanks, I will tell you what I did so far and hope you help me with the directive
> squid needs:
> 


Squid does not perform SNI based certificate selection for HTTPS
virtual-hosting. You need an IP address for every top level domain being
served, sub-domains can use wildcard certificates.

For use of self-signed certificates in https:// reverse-proxy it is
worth ensuring that you have DNSSEC and TLS DANE configured in the
website DNS records.

Amos