[squid-users] Chain SSL Cert files

2005-05-26 Thread Dan DeLong
Hello,  I am running 2.5.STABLE4 as a reverse proxy.  I would like to know 
how to use SSL Chain certs.  I currently am using SSL certs from Thawte and 
can use them with the following line in my conf file

https_port 10.10.1.1:443 cert=/certfile key=/keyfile version=1
Now I am in need of using chain certs but don't know how to incorporate both 
the domain and the CA cert.


Thanks in advance for the help

Dan 





Re: [squid-users] Chain SSL Cert files

2005-05-27 Thread Dan DeLong

Applied the patch and all is well.

Thanks !

Dan
- Original Message - 
From: "Henrik Nordstrom" <[EMAIL PROTECTED]>

To: "Dan DeLong" <[EMAIL PROTECTED]>
Cc: 
Sent: Friday, May 27, 2005 4:30 AM
Subject: Re: [squid-users] Chain SSL Cert files





On Thu, 26 May 2005, Dan DeLong wrote:

Hello,  I am running 2.5.STABLE4 as a reverse proxy.  I would like to 
know how to use SSL Chain certs.  I currently am using SSL certs from 
Thawte and can use them with the following line in my conf file

https_port 10.10.1.1:443 cert=/certfile key=/keyfile version=1
Now I am in need of using chain certs but don't know how to incorporate 
both the domain and the CA cert.


The SSL update patch for Squid-2.5 adds certificate chain support. With 
this patch just add the CA cert to your domain cert file after the domain 
cert.


There is also a one-line patch floating around for this. Should be 
available in the squid-users archives. But I recommend the SSL update.


Regards
Henrik
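
Added example (not from the thread or the Squid project): building the combined file Henrik describes, domain cert first and CA cert after it, and checking that order before pointing cert= at it. The throwaway CA, the host name and all file names are constructed for the demonstration.

```shell
#!/bin/sh
# Chain file order from the reply above: domain cert first, CA cert after it.
# demo-ca, www.example.test and all file names here are constructed.

# make_demo_certs DIR: throwaway CA plus a leaf cert signed by it.
make_demo_certs() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=demo-ca" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/leaf.pem" 2>/dev/null
}

# chain_order_ok FILE: succeed only if every certificate in FILE is issued
# by the certificate that follows it (leaf first, CA last). This compares
# issuer and subject names only; it does not verify signatures.
chain_order_ok() {
    tmp=$(mktemp -d) || return 2
    # Split the PEM file into cert-1.pem, cert-2.pem, ...
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem" }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
    ' "$1"
    i=1
    rc=0
    [ -f "$tmp/cert-1.pem" ] || rc=2            # no certificate at all
    while [ -f "$tmp/cert-$((i + 1)).pem" ]; do
        issuer=$(openssl x509 -noout -issuer -in "$tmp/cert-$i.pem" |
                 sed 's/^issuer= *//')
        subject=$(openssl x509 -noout -subject -in "$tmp/cert-$((i + 1)).pem" |
                  sed 's/^subject= *//')
        [ "$issuer" = "$subject" ] || rc=1      # next cert did not issue this one
        i=$((i + 1))
    done
    rm -rf "$tmp"
    return "$rc"
}

demo() {
    work=$(mktemp -d) || return 1
    make_demo_certs "$work" || { rm -rf "$work"; return 1; }
    cat "$work/leaf.pem" "$work/ca.pem" > "$work/bundle.pem"    # order from the reply
    cat "$work/ca.pem" "$work/leaf.pem" > "$work/reversed.pem"  # wrong way round
    for f in bundle.pem reversed.pem; do
        if chain_order_ok "$work/$f"; then
            echo "$f: domain cert first, chain order ok"
        else
            echo "$f: wrong order, do not use as cert="
        fi
    done
    rm -rf "$work"
}

if command -v openssl >/dev/null 2>&1; then demo || echo "demo failed" >&2; fi
```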






Re: [squid-users] Reverse Proxy Multiple IP Addresses

2005-08-25 Thread Dan DeLong
You can easily do this by starting multiple squid instances on your 1 squid 
box.  Start squid with the -f option to point to a unique squid.conf for 
each IP address.  Make sure each squid.conf has the correct http_port tag 
which is the ip address squid is listening on and the correct 
httpd_accel_host and httpd_accel_port for where it's passing the info (to the 
real server)


What I've done is create a ./conf/squid.conf ./cache ./logs for each squid 
instance and make sure all the tags in my squid.conf point to the correct 
./cache ./logs etc.  This keeps the cache and logs separate for each 
instance.


- Original Message - 
From: "Brad Taylor" <[EMAIL PROTECTED]>

To: "Squid Users" 
Sent: Wednesday, August 24, 2005 11:05 AM
Subject: [squid-users] Reverse Proxy Multiple IP Addresses


I'd like to know how to reverse proxy multiple IP addresses or run
multiple squids on one box to do this. They are not different domains so
I can't use host headers. Basically I'd like Squid to accept http
requests on 3 different IP addresses and proxy for 3 different IP
addresses (3 real servers). The 3 real servers have the same content so
I would like to not have to have 3 separate squid boxes.

Can Squid do this, I'm not able to find it anywhere in the FAQ or the
Squid book.  Thanks for any help.
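
Added example (not from the thread or the Squid project): one way to lay out the per-instance ./conf, ./cache and ./logs trees described in the reply and to check that no two instances share a listen address or a file path. The base directory, instance names, addresses and the optional common.conf are constructed; cache_dir, cache_access_log, cache_log, cache_store_log and pid_filename are Squid 2.5 directives that the post does not name.

```shell
#!/bin/sh
# One directory tree and one squid.conf per listening IP.
# Instance names and the 192.0.2.x / 198.51.100.x addresses are constructed.

# write_instance BASE NAME LISTEN_IP REAL_SERVER REAL_PORT
# Settings shared by all instances (ACLs, http_access, ...) are copied from
# BASE/common.conf when that file exists (an assumption of this example).
write_instance() {
    base=$1 name=$2 listen=$3 real=$4 rport=$5
    inst="$base/$name"
    mkdir -p "$inst/conf" "$inst/cache" "$inst/logs" || return 1
    {
        if [ -f "$base/common.conf" ]; then cat "$base/common.conf"; fi
        cat <<EOF
# $name: accelerator for $real:$rport, listening on $listen only
http_port $listen:80
httpd_accel_host $real
httpd_accel_port $rport
cache_dir ufs $inst/cache 100 16 256
cache_access_log $inst/logs/access.log
cache_log $inst/logs/cache.log
cache_store_log $inst/logs/store.log
pid_filename $inst/logs/squid.pid
EOF
    } > "$inst/conf/squid.conf"
}

# shared_values BASE: print every listen address, cache dir, log or pid path
# that appears in more than one instance's squid.conf (no output = clean).
shared_values() {
    for conf in "$1"/*/conf/squid.conf; do
        [ -f "$conf" ] || continue
        awk '$1 ~ /^(http_port|cache_dir|cache_access_log|cache_log|cache_store_log|pid_filename)$/ {
                 print $1, ($1 == "cache_dir" ? $3 : $2) }' "$conf"
    done | sort | uniq -d
}

demo() {
    work=$(mktemp -d) || return 1
    write_instance "$work" site-a 192.0.2.10 198.51.100.5 9000
    write_instance "$work" site-b 192.0.2.11 198.51.100.5 8000
    clashes=$(shared_values "$work")
    if [ -z "$clashes" ]; then
        echo "no shared listen addresses or paths; start each instance with:"
        for conf in "$work"/*/conf/squid.conf; do
            echo "  squid -f $conf -z && squid -f $conf"   # -z creates the cache dirs
        done
    else
        echo "shared between instances:"
        echo "$clashes"
    fi
    rm -rf "$work"
}

demo
```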




Re: [squid-users] RE: [SPAM] - Re: [squid-users] Reverse Proxy Multiple IP Addresses - Email found in subject

2005-08-25 Thread Dan DeLong

Brad,

I think you're all set on the http_port tag (xx.xx.xx.xx:port) and yes you 
have to have multiple IP addresses on the box to handle the multiple squid 
instances.


As far as sharing the cache directory, I don't know of any reason you can't. 
The best answer I can give you for why we have them separate is that "we've 
always done it that way".  Poor answer but the best I can give you.


- Original Message - 
From: "Brad Taylor" <[EMAIL PROTECTED]>
To: "Dan DeLong" <[EMAIL PROTECTED]>; "Squid Users" 


Sent: Thursday, August 25, 2005 11:15 AM
Subject: [squid-users] RE: [SPAM] - Re: [squid-users] Reverse Proxy Multiple 
IP Addresses - Email found in subject



I do see now that http_port allows an IP address in addition to a port.
Thanks for the help.

-Original Message-
From: Dan DeLong [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 25, 2005 8:54 AM
To: Squid Users
Subject: [SPAM] - Re: [squid-users] Reverse Proxy Multiple IP Addresses
- Email found in subject

You can easily do this by starting multiple squid instances on your 1 squid
box.  Start squid with the -f option to point to a unique squid.conf for
each IP address.  Make sure each squid.conf has the correct http_port tag
which is the ip address squid is listening on and the correct
httpd_accel_host and httpd_accel_port for where it's passing the info (to the
real server)

What I've done is create a ./conf/squid.conf ./cache ./logs for each squid
instance and make sure all the tags in my squid.conf point to the correct
./cache ./logs etc.  This keeps the cache and logs separate for each
instance.

- Original Message - 
From: "Brad Taylor" <[EMAIL PROTECTED]>

To: "Squid Users" 
Sent: Wednesday, August 24, 2005 11:05 AM
Subject: [squid-users] Reverse Proxy Multiple IP Addresses


I'd like to know how to reverse proxy multiple IP addresses or run
multiple squids on one box to do this. They are not different domains so
I can't use host headers. Basically I'd like Squid to accept http
requests on 3 different IP addresses and proxy for 3 different IP
addresses (3 real servers). The 3 real servers have the same content so
I would like to not have to have 3 separate squid boxes.

Can Squid do this, I'm not able to find it anywhere in the FAQ or the
Squid book.  Thanks for any help.






[squid-users] PATCH failure

2005-09-09 Thread Dan DeLong
I tried to apply patch squid-2.5.STABLE10-STORE_PENDING.patch due to the 
recent news of the potential DoS vulnerability but when I apply the patch I 
see the following message:

Hunk #1 succeeded at 250 (offset -1 lines).
patching file src/ftp.c
Hunk #1 FAILED at 369.
The other 10 Hunks of this patch succeeded.  Should I be concerned that this 
"Hunk" failed ?  Does this mean that the patch is bad ? 





[squid-users] Re: PATCH failure

2005-09-09 Thread Dan DeLong

Pedro,

Thanks for the help.. That seemed to work.

Dan 
- Original Message - 
From: "Pedro Timoteo" <[EMAIL PROTECTED]>

To: 
Sent: Friday, September 09, 2005 12:34 PM
Subject: Re: [squid-users] PATCH failure



Dan DeLong wrote:
I tried to apply patch squid-2.5.STABLE10-STORE_PENDING.patch due to 
the recent news of the potential DoS vulnerability but when I apply 
the patch I see the following message:

Hunk #1 succeeded at 250 (offset -1 lines).
patching file src/ftp.c
Hunk #1 FAILED at 369.
The other 10 Hunks of this patch succeeded.  Should I be concerned 
that this "Hunk" failed ?  Does this mean that the patch is bad ?




Usually, in these cases you can simply look at the .rej file, see what 
it tried to do, then edit the appropriate file and do the changes 
yourself. I've done it a bunch of times, it's usually easy to spot.








[squid-users] reverse proxy / virtual hosting

2004-06-22 Thread Dan DeLong
Hello,

I currently have squid running as a reverse proxy.  I have a number of squid
instances running to handle a number of different websites.  Each squid
instance listens on its own ip address and handles the SSL cert for the
incoming web request.  My goal is to have squid listen on one address to
handle multiple websites in essence do virtual hosting.  Can this be done
with squid ?  If so, can you provide any direction on how to set squid up to
do this ?

Thanks.




Re: [squid-users] reverse proxy / virtual hosting

2004-06-22 Thread Dan DeLong
I am set up in a similar way,
Internet-end-user ---> SSL (serviced by squid) ---> RP ---> backend
webserver.  But I am hosting sites where each has its own SSL cert.  So I
think what I'm hearing is that I will not be able to start one Squid
instance that can handle multiple different SSL certs ?

My goal is to be able to host multiple websites with 1 ip address.  Your
suggestions are welcome.
Thanks.

- Original Message - 
From: "Chris Perreault" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, June 22, 2004 9:07 AM
Subject: RE: [squid-users] reverse proxy / virtual hosting


> Further thought...on how we are setting it up.
>
> One ssl cert for www.mycompany.com, resides on the proxy.
>
> Internet-end-user -->ssl-->rp-->non-ssl ldap-authenticated traffic --> back
> end webserver
>
> With the redirect for each of the back end webservers, you can have a single
> cert. You can not have a single cert for two different domains though,
> (mycompany.com and mycompany2.com need different certs)
> mycompany.com/intranet and mycompany.com/extranet can use the same cert.
>
> Chris Perreault
>
> -Original Message-
> From: Francois Liot [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, June 22, 2004 8:49 AM
> To: Dan DeLong
> Cc: [EMAIL PROTECTED]
> Subject: Re: [squid-users] reverse proxy / virtual hosting
>
>
> As far as I know SSL standard it's unfortunately impossible.
>
> Apache is suffering from the same limitation.
>
> Regards
>
> Francois Liot
>
> On Tue, 2004-06-22 at 14:42, Dan DeLong wrote:
> > Hello,
> >
> > I currently have squid running as a reverse proxy.  I have a number of
> > squid instances running to handle a number of different websites.
> > Each squid instance listens on its own ip address and handles the SSL
> > cert for the incoming web request.  My goal is to have squid listen on
> > one address to handle multiple websites in essence do virtual hosting.
> > Can this be done with squid ?  If so, can you provide any direction on
> > how to set squid up to do this ?
> >
> > Thanks.
> >
> >
>




Re: [squid-users] reverse proxy / virtual hosting

2004-06-23 Thread Dan DeLong
Thank you all for your suggestions, unfortunately the SSL certs I use are
for domain names and websites owned by separate companies so I don't believe
sharing a cert is going to solve my problem.  There were a lot of good
suggestions posted so thank you very much for the help.

Dan
- Original Message - 
From: "Sunil S" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Tuesday, June 22, 2004 6:01 PM
Subject: RE: [squid-users] reverse proxy / virtual hosting


> I had run several backend servers (with different hostnames under the
> same domain) to do :
> (client)https -> RP(squid 2.5) -> http(servers)
> some time back.  And of course ran into the technical non-possibility of
> running all domain names on same IP/port with separate certificates.
>
> Work around used then was, using a single wild-card certificate for
> domain and use it for all sites/sub-domains, if it is acceptable
> for you to use shared certificates.  Wild card certificates should not
> trigger errors at client side.
>
> Sunil
>
>
> >>> Francois Liot <[EMAIL PROTECTED]> 06/22/04 06:51PM >>>
> I will try to be a bit clearer.
>
> Here is the picture :
> --TCP-SSL--Encapsulated protocol
> (could be HTTP...)
>
> --IP:Port--Certificate used for handshake--deciphered protocol
>
> in case of HTTP, once deciphered you could indeed retrieve all HTTP
> headers variables (as HTTP_HOST...).
>
> The problem is the following
> You can map a single certificate (by IP:Port) to try to obtain an SSL
> handshake.
>
> Then having on a single IP:Port (let's say yourmachine:443) several
> HTTPS answers possible is SSL non compliant (in fact doing ugly job,
> you will do it, but using the same certificate for all your website -
> user will see an error https://mysite1 is encrypted by https://mysite2
> certificate...)
>
> Just like I told you, Apache is suffering the same limitation
> (impossible to have HTTPS virtual servers on a single IP/Port)
>
> Regards
>
> Francois Liot
>
> On Tue, 2004-06-22 at 15:02, Chris Perreault wrote:
> > -Original Message-
> > From: Dan DeLong [mailto:[EMAIL PROTECTED]
> > Sent: Tuesday, June 22, 2004 8:42 AM
> > To: [EMAIL PROTECTED]
> > Subject: [squid-users] reverse proxy / virtual hosting
> >
> >
> > Hello,
> >
> > I currently have squid running as a reverse proxy.  I have a number of
> > squid instances running to handle a number of different websites.  Each
> > squid instance listens on its own ip address and handles the SSL cert for
> > the incoming web request.  My goal is to have squid listen on one address
> > to handle multiple websites in essence do virtual hosting.  Can this be
> > done with squid ?  If so, can you provide any direction on how to set
> > squid up to do this ?
> >
> > Thanks.
> >
> >
> > ~~
> > ~~
> >
> > We are looking to set up the same environment here. Multiple back end
> > webservers being handled by a reverse proxy. Users would go to
> > www.ourcompany.com/extranet www.ourcompany.com/intranet
> > www.ourcompany.com/web2 etc, with a mapping created for each of those
> > various webservers. By default, www.ourcompany.com would send them to the
> > main webserver, a homegrown portal type web interface, with links to the
> > other webservers.
> >
> > On 2.5stable5 I accomplished this using squidguard as a redirector. The
> > problem we ran into was when we tried to add in ssl and ldap
> > authentication, so right now are messing with squid-3.0.pre3. Yesterday we
> > made good progress (ie: no other issues got in the way and I got to work on
> > this:)) and got the ldap authentication and ssl working, with it connecting
> > to one back end webserver...having defined that in the cache_peer and acl
> > conf lines. I'm hoping to have time, over the next few days, to get
> > squidguard working with this configuration. I'm sure what you want to do
> > can be done, and am pretty sure people have done it before. Documentation
> > seems to be lacking on exactly what steps were taken to do so though. Once
> > I get this figured out I'll post the conf file and what steps were taken so
> > it aids others. I've spent a lot of time researching this, over the last
> > month or two, but having only spent 2 months with squid I am 

Re: [squid-users] Complex reverse proxy issues

2004-06-24 Thread Dan DeLong
To run multiple instances of squid on one server simply run squid -f
/path_to_squid.conf.  Configure each squid.conf to listen on a different IP
address.  Virtual hosting may be an option but with using SSL I'm not sure
that you can.  I'm also having some difficulty setting up squid to use 1 ip
address for multiple websites due to the need for SSL.

Hope this helps.
- Original Message - 
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, June 24, 2004 8:46 AM
Subject: [squid-users] Complex reverse proxy issues


>
> I'm a total newbie to squid, and am having to relearn Unix for this
> project. Reading through the msgs on this list, I've run into a road
> block while planning my squid implementation. I have a fairly complex
> problem with a reverse proxy application.  I need to set up a reverse
> proxy system that allows users in our network to see http servers in
> other networks across the public internet.  Initially this does not
> seem to be so complex, and in fact I have some parts of this working.
>  Details of the implementation are as follows:
>
> Users will need reverse proxy access to many http servers, most on
> port 80, some on port 8080 - Users of the system do not need
> encryption (no SSL for the clients) - The origin http servers will be
> on private networks across the public internet - The many, different
> owners of the origin servers will insist on encrypting the traffic
> between the reverse proxy and the origin http servers - The many
> different owners may insist on different types of encryption (some
> may accept SSL, others may require SSH or other) - It would be
> preferable to give each owner their own SSL cert if required
>
> In short, it would look like this:
>
> user(80) <---> (squid)(80) <-- (SSL) --> (www1)
>(8080) <-- (SSL) --> (www2)
>(80)<-- (SSH(http)) ---> (www3)
>(8080) <-- (SSH(http)) ---> (www4)
>
> Currently, I have made squid work as a reverse proxy to many hosts
> with some running on  either port by using a perl redirector script.
> But I can't see any way to accomplish this with one Squid instance.
> Given that all outbound squid connections may need separate SSL certs
> and some outbound connections will need SSH or other protocols, it's
> looking like I will be better off just having a separate Squid
> instance, each with its own squid.conf, for each outbound
> connection.  I'm assuming that I would have to give each instance
> its own IP, but I can do that.
>
> Comments, corrections?  I have no idea how I would run multiple
> instances of Squid on a server, each with a different squid.conf. Any
> comments?
>
>
>
>




[squid-users] reverse proxy / virtual hosting

2004-06-29 Thread Dan DeLong
I currently run multiple squid instances (on 1 machine) as reverse proxies
for multiple websites I'm hosting. The backend server is the same server for
my sites but the port number is different. My squid.conf files are set up as
follows:

squid.conf for www.abc.com
http_port 1.1.1.1:80
httpd_accel_host 2.2.2.2
httpd_accel_port 9000

squid.conf for www.xzy.com
http_port 1.1.1.2:80
httpd_accel_host 2.2.2.2
httpd_accel_port 8000

Is it possible to set up squid for virtual hosting so that it can listen on
one address (http_port 1.1.1.1:80) yet based on the URL can go to my
httpd_accel_host of 2.2.2.2 but to the httpd_accel_port that will serve up
the proper web pages ?

Thanks for the help




[squid-users] reverse proxy and https

2003-10-22 Thread Dan DeLong
I am attempting to set up squid as a reverse proxy to handle https
requests. ie  client-ssl  -> squid  -> web server.  I've added the following
to a default squid.conf
https_port 10.1.1.2:443 cert=cerfile key=keyfile
With this line added I get the following error in cache.log:
2003/10/22 12:45:32| Using private key in keyfile
FATAL: Failed to acquire SSL private key: error:0906406D:PEM routines:DEF_CALLBACK:problems getting password

I'm using a cert and key file that are valid and I do know the key file
password but how do I tell squid what that password is ?

Are there problems in setting squid up to work in this manner ?

Thanks,
Dan




Re: [squid-users] reverse proxy and https

2003-10-22 Thread Dan DeLong
Henrik:
Thank you for the quick reply.  Unencrypting the key seemed the best
solution so that I could still run squid as a daemon.

Thanks,
Dan
- Original Message -
From: "Henrik Nordstrom" <[EMAIL PROTECTED]>
To: "Dan DeLong" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Wednesday, October 22, 2003 2:34 PM
Subject: Re: [squid-users] reverse proxy and https


> On Wed, 22 Oct 2003, Dan DeLong wrote:
>
> > I am attempting to set up squid as a reverse proxy to handle https
> > requests. ie  client-ssl  -> squid  -> web server.  I've added the
> > following to a default squid.conf
>
> > ACK:problems getting password
> >
> > I'm using a cert and key file that are valid and I do know the key file
> > password but how do I tell squid what that password is ?
>
> You don't.
>
> You either give Squid an unencrypted key file, or start it with the -N
> option to allow entry of the password using the keyboard.
>
> To decrypt a RSA key file you can use the openssl rsa command.
>
> Regards
> Henrik
>
>
>
>
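
Added example (not from the thread or the Squid project): the openssl rsa decryption Henrik mentions, wrapped so that the passphrase-free key is only ever readable by its owner, because anyone who can read that file can use the certificate. File names and the pass: demo passphrase are constructed; omit the third argument in real use so that openssl prompts for the passphrase.

```shell
#!/bin/sh
# Produce the unencrypted key file the reply describes, readable by owner only.
# File names and the demo passphrase are constructed for this example.

# key_is_encrypted FILE: succeed if the PEM key still needs a passphrase
# (matches both the PKCS#8 and the traditional encrypted PEM headers).
key_is_encrypted() {
    grep -Eq 'BEGIN ENCRYPTED PRIVATE KEY|Proc-Type: 4,ENCRYPTED' "$1"
}

# key_mode FILE: print the permission string, e.g. -rw-------
key_mode() {
    ls -l "$1" | cut -c1-10
}

# decrypt_key SRC DST [PASSIN]: run "openssl rsa" so DST never exists with
# group or other access. Without PASSIN, openssl prompts on the terminal.
decrypt_key() {
    src=$1 dst=$2 passin=${3:-}
    rm -f "$dst"                    # a pre-existing file would keep its old mode
    (
        umask 077                   # new file is created as 0600
        if [ -n "$passin" ]; then
            openssl rsa -in "$src" -out "$dst" -passin "$passin" 2>/dev/null
        else
            openssl rsa -in "$src" -out "$dst"
        fi
    ) || { rm -f "$dst"; return 1; }
    chmod 600 "$dst"
    ! key_is_encrypted "$dst"       # fail if the output is still protected
}

demo() {
    work=$(mktemp -d) || return 1
    # Constructed input: a passphrase-protected RSA key like the one in the post.
    openssl genrsa -aes256 -passout pass:demo-passphrase \
        -out "$work/enc.key" 2048 2>/dev/null || { rm -rf "$work"; return 1; }
    if decrypt_key "$work/enc.key" "$work/keyfile" pass:demo-passphrase; then
        echo "keyfile written, mode $(key_mode "$work/keyfile")"
    else
        echo "decryption failed" >&2
    fi
    rm -rf "$work"
}

if command -v openssl >/dev/null 2>&1; then demo || echo "demo failed" >&2; fi
```

The file should also be owned by the account that starts Squid, since that account is the only one that needs to read it.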




[squid-users] Changing Squid Error Files

2003-11-19 Thread Dan DeLong
I am running squid2.5.STABLE4.  In my squid.conf file I have the following
line that points to my error files.
error_directory /squid/share/errors/English
I have a site that is getting the Zero Sized Reply error that, to the best
of my knowledge, is being called from the ERR_ZERO_SIZE_OBJECT file.

I want to change this error file to a more generic error before I fix the
cause of the error.  However, I have changed this error file to be a generic
html file (keeping the file name the same of course) yet I still keep
getting the same Zero Sized Reply error page instead of my new generic error
page.

I have no idea how this is happening as I have no file now containing the
text "Zero Sized Reply".  I have completely cleared any cache folders and
restarted squid but nothing changes.  What am I missing ??
Any help is greatly appreciated as I am pulling out what little hair I
have left!!

Thanks,
Dan







Re: [squid-users] Changing Squid Error Files

2003-11-19 Thread Dan DeLong
Unfortunately that was not the issue.  I've not seen anything like this.  I
no longer have any files that even contain the text "Zero Sized File" yet
that is the message that is still displayed.  I'm still digging.  Any other
ideas are welcome.

Thanks,
Dan
- Original Message -----
From: 
To: "Dan DeLong" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Wednesday, November 19, 2003 1:18 PM
Subject: Re: [squid-users] Changing Squid Error Files


>
> Could it be a permission issue?  Does the file you created have the same
> permission as the other error files that squid generated when it was
> installed?
>
>
>
> Jim
>
>
>
>
> Henrik Nordstrom <[EMAIL PROTECTED]>
> 11/19/2003 10:14 AM
> To: Dan DeLong <[EMAIL PROTECTED]>
> cc: [EMAIL PROTECTED]
> Subject: Re: [squid-users] Changing Squid Error Files
>
>
>
>
>
>
> On Wed, 19 Nov 2003, Dan DeLong wrote:
>
> > I am running squid2.5.STABLE4.  In my squid.conf file I have the
> > following line that points to my error files.
> > error_directory /squid/share/errors/English
> > I have a site that is getting the Zero Sized Reply error that, to the
> > best of my knowledge, is being called from the ERR_ZERO_SIZE_OBJECT file.
>
> It is, assuming you do get the Squid error message and not an error
> message from your browser. The Squid error message is seen if the server
> closes the connection before sending any response at all, while some
> browsers give such an error message if the server sends a 0 bytes response
> (valid headers but no data).
>
> > I want to change this error file to a more generic error before I fix
> > the cause of the error.  However, I have changed this error file to be a
> > generic html file (keeping the file name the same of course) yet I still
> > keep getting the same Zero Sized Reply error page instead of my new
> > generic error page.
>
> Odd. Works here.
>
> Exactly what does the error message you see in your browser look like?
>
> Regards
> Henrik
>
>
>
>
>
>
>
>