Re: [squid-users] squid reverse proxy and client certs
Hi

Thanks I thought that might be the issue.

could you point me to an example for requesting client certs for a directory

Thanks
Alex

On 30 December 2015 at 21:56, Matus UHLAR - fantomas wrote:
> On 30.12.15 15:11, Alex Samad wrote:
>>
>> I have squid 3.5.12 working as a reverse proxy
>>
>> cache_peer 127.0.0.1 \
>>   parent 443 0 proxy-only no-query no-digest originserver \
>>   login=PASS \
>>   ssl \
>>   sslcafile=/etc/pki/tls/certs/ca-bundle.crt \
>>   sslflags=DONT_VERIFY_PEER \
>>   name=webServer
>>
>> This points to httpd which has a
>>
>> DirectoryIndex index.shtml index.html
>> Options -Indexes -Includes +IncludesNOEXEC
>> -SymLinksIfOwnerMatch -ExecCGI -FollowSymLinks
>>
>> SSLOptions +StdEnvVars +ExportCertData
>> SSLVerifyClient optional_no_ca
>> SSLVerifyDepth 4
>>
>>
>> Unfortunately the request for a client cert never makes it to the client.
>>
>> How can I change this to allow client certs to work
>
>
> client certs will only work when you pass the connection directly to web
> server without unbundling SSL.
> That means, it's useless to use reverse proxy for HTTPS server when it needs
> client certificates.
>
> The workaround you could be in verifying client certificates by squid,
> pushing that info to server and webserver trusting that info...
>
> --
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
> Chernobyl was an Windows 95 beta test site.

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

Re: [squid-users] squid reverse proxy and client certs
On 30.12.15 15:11, Alex Samad wrote:
> I have squid 3.5.12 working as a reverse proxy
>
> cache_peer 127.0.0.1 \
>   parent 443 0 proxy-only no-query no-digest originserver \
>   login=PASS \
>   ssl \
>   sslcafile=/etc/pki/tls/certs/ca-bundle.crt \
>   sslflags=DONT_VERIFY_PEER \
>   name=webServer
>
> This points to httpd which has a
>
> DirectoryIndex index.shtml index.html
> Options -Indexes -Includes +IncludesNOEXEC
> -SymLinksIfOwnerMatch -ExecCGI -FollowSymLinks
>
> SSLOptions +StdEnvVars +ExportCertData
> SSLVerifyClient optional_no_ca
> SSLVerifyDepth 4
>
> Unfortunately the request for a client cert never makes it to the client.
>
> How can I change this to allow client certs to work

client certs will only work when you pass the connection directly to web
server without unbundling SSL.
That means, it's useless to use reverse proxy for HTTPS server when it needs
client certificates.

The workaround you could be in verifying client certificates by squid,
pushing that info to server and webserver trusting that info...

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Chernobyl was an Windows 95 beta test site.

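Added example, not part of the original thread and not Squid or httpd code: a small Python model of the workaround mentioned in the reply above (the proxy verifies the client certificate and passes the result on, the web server trusts it). It shows the checks that keep a client from forging that forwarded identity. The header names, the shared key and the trusted address set are assumptions made for illustration.

```python
import hashlib
import hmac

# Hypothetical names; these are not Squid or httpd settings.
ID_HEADER = "x-client-cert-subject"
TAG_HEADER = "x-client-cert-tag"
TRUSTED_PROXIES = {"127.0.0.1"}        # proxy and httpd share a host in the thread
SHARED_KEY = b"constructed-demo-key"   # constructed sample secret


def _tag(subject):
    """HMAC over the subject, so only a holder of SHARED_KEY can assert it."""
    return hmac.new(SHARED_KEY, subject.encode(), hashlib.sha256).hexdigest()


def proxy_forward(client_headers, verified_subject):
    """Proxy side: drop identity headers the client sent, then add the subject
    the proxy's own TLS handshake verified (None when no cert was presented)."""
    out = {k: v for k, v in client_headers.items()
           if k.lower() not in (ID_HEADER, TAG_HEADER)}
    if verified_subject is not None:
        out[ID_HEADER] = verified_subject
        out[TAG_HEADER] = _tag(verified_subject)
    return out


def backend_identity(peer_ip, headers):
    """Backend side: return the client subject, or None if it cannot be trusted."""
    if peer_ip not in TRUSTED_PROXIES:
        return None                    # request did not arrive via the proxy
    lowered = {k.lower(): v for k, v in headers.items()}
    subject, tag = lowered.get(ID_HEADER), lowered.get(TAG_HEADER)
    if subject is None or tag is None:
        return None                    # proxy saw no verified client cert
    if not hmac.compare_digest(tag.encode(), _tag(subject).encode()):
        return None                    # header not produced by the proxy
    return subject


if __name__ == "__main__":
    # Constructed request: the client tries to assert an identity itself.
    spoofed = {"Host": "www.example.test", "X-Client-Cert-Subject": "CN=admin"}
    print(backend_identity("127.0.0.1", proxy_forward(spoofed, None)))
    print(backend_identity("127.0.0.1", proxy_forward(spoofed, "CN=alice")))
```
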
[squid-users] squid reverse proxy and client certs
Hi

I have squid 3.5.12 working as a reverse proxy

cache_peer 127.0.0.1 \
  parent 443 0 proxy-only no-query no-digest originserver \
  login=PASS \
  ssl \
  sslcafile=/etc/pki/tls/certs/ca-bundle.crt \
  sslflags=DONT_VERIFY_PEER \
  name=webServer

This points to httpd which has a

DirectoryIndex index.shtml index.html
Options -Indexes -Includes +IncludesNOEXEC -SymLinksIfOwnerMatch -ExecCGI -FollowSymLinks

SSLOptions +StdEnvVars +ExportCertData
SSLVerifyClient optional_no_ca
SSLVerifyDepth 4

Unfortunately the request for a client cert never makes it to the client.

How can I change this to allow client certs to work

Alex