[squid-users] Client-Side Certificates at the Directory Level?

2007-09-10 Thread techguy005-ml
I have 2 applications that reside on the same Web
Site and share the same URL prefix (i.e.
www.whatever.com), but live within different virtual
directories.  Each of those applications has different
security requirements:  One REQUIRES a client-side
certificate and the other one doesn't.

Below are example URLs of what the client would enter:

DOESN'T require a Client-Side certificate:
https://www.whatever.com/NoClientCertRequred/  

DOES require a Client-Side certificate: 
https://www.whatever.com/ClientCertRequred/

In a Squid reverse proxy configuration, in order to
use client certificates, the respective CA signer of
the client-side certificates must be installed on the
Squid server (not the web server) level so the
end-user gets challenged to present a client-side
certificate by Squid instead of by the web server.
Correct?

The question I have is this:  

Can Squid be configured to define client-side
certificate requirements at the DIRECTORY level (like
the aforementioned "/ClientCertRequred/") or do the
requirements have to be set based on the web site as a
whole (i.e. "www.whatever.com")?  If this is possible,
any example squid.conf configurations of this set-up
would be great.

Any insight you can offer would be greatly
appreciated!  Thanks.


Re: [squid-users] Client-Side Certificates at the Directory Level?

2007-09-12 Thread techguy005-ml
I am utilizing Squid 2.6-13 in a reverse-proxy
configuration.

I have an application on a web server that requires
client-side certificates and is fronted by the Squid
proxy. One of the properties of a client-side
certificate is the serial number.

Question #1

Even if I installed the client-certificate's CA on the
Squid proxy for it to validate the certificate, there
is no way for Squid to then pass on the request to the
back-end web server with the client-side certificate. 
In essence, the certificate presented by the client to
Squid is lost in translation as the back-end web
server never sees it because Squid makes its own
connection on behalf of the initial request but
WITHOUT the client-certificate.  Correct?

Question #2

In a reverse-proxy set-up, the requests sent to the
back-end web server fronted by the Squid proxy will
ALWAYS appear with the source IP of the Squid proxy
server, NOT the client IP.  Correct?  Is there no way
to change this so it appears to come from the client's
IP rather than Squid's?

I appreciate the assistance.  Thanks! 

--- Henrik Nordström <[EMAIL PROTECTED]> wrote:

> Mon 2007-09-10 at 10:13 -0700, [EMAIL PROTECTED] wrote:
> 
> > In a Squid reverse proxy configuration, in order to
> > use client certificates, the respective CA signer of
> > the client-side certificates must be installed on the
> > Squid server (not the web server) level so the
> > end-user gets challenged to present a client-side
> > certificate by Squid instead of by the web server.
> > Correct?
> 
> Correct.
> 
> > Can Squid be configured to define client-side
> > certificate requirements at the DIRECTORY level (like
> > the aforementioned "/ClientCertRequred/") or do the
> > requirements have to be set based on the web site as a
> > whole (i.e. "www.whatever.com")?
> 
> Currently it's per https_port only. Renegotiation of
> the SSL connection by ACL requirements is not yet supported.
> 
> Regards
> Henrik
> 
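Henrik's answer above is that the client-certificate requirement is a property of the https_port, not of a URL path. One way to get the effect the original question asks for is to run two listeners in the same Squid instance, only one of which carries clientca=, and to refuse the certificate-only directory on the other listener. The squid.conf fragment below is an added illustration of that layout, not configuration from the thread or from the Squid documentation: the certificate paths, origin server and hostname reuse the values posted later in this thread, while the 8443 port, the ACL names and the http_access rules are assumptions. The practical cost is that the protected application is reached on a different port (or on a second IP address listening on 443), and the two listeners are also what the browser sees as two distinct sites.

```conf
# Added example: two https_port listeners, only one of which asks for a
# client certificate. Paths and hosts come from the thread; port 8443,
# the ACL names and the http_access rules are assumptions.

# Listener for the application that needs NO client certificate
https_port 192.168.0.2:443 accel vhost defaultsite=syt-squid.test.com cert=/apps/squid2.6.13/etc/ssl/syt-squid.test.com.pem

# Listener for the application that REQUIRES a client certificate.
# clientca= is the CA list sent to the browser; cafile= is what the
# presented certificate is verified against, so point both at the CA
# that actually issues the client certificates.
https_port 192.168.0.2:8443 accel vhost defaultsite=syt-squid.test.com cert=/apps/squid2.6.13/etc/ssl/syt-squid.test.com.pem clientca=/apps/squid2.6.13/etc/ssl/clientca_trusted_root.pem cafile=/apps/squid2.6.13/etc/ssl/clientca_trusted_root.pem

# Origin server shared by both listeners (as in the thread)
cache_peer 172.16.4.1 parent 80 0 proxy-only originserver name=test_syt
acl test_syt_syt dstdomain syt-squid.test.com
cache_peer_access test_syt allow test_syt_syt

# Never serve the certificate-only directory from the open listener:
# a request for /ClientCertRequred/ that did not arrive on 8443 (and so
# was never challenged for a certificate) is denied outright.
acl all src 0.0.0.0/0.0.0.0
acl cert_listener myport 8443
acl cert_dir urlpath_regex ^/ClientCertRequred/
http_access deny cert_dir !cert_listener
http_access allow test_syt_syt
http_access deny all
```

The deny rule is the part worth keeping even if the port numbers change: without it, anyone who knows the path can reach the protected directory through the listener that never asked for a certificate.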



[squid-users] Client-Side Certificates

2007-09-13 Thread techguy005-ml
Thanks, Henrik, for your guidance; however, I still cannot
seem to get client certificates to work with Squid
2.6.13 running on RHEL 4.2.  Below are the config and
steps I am performing.  Any insight as to what I am
doing wrong would be greatly appreciated.

# Squid Config #

https_port 192.168.0.2:443 protocol=https accel vhost cert=/apps/squid2.6.13/etc/ssl/syt-squid.test.com.pem cafile=/apps/squid2.6.13/etc/ssl/intcatrustedroot.pem defaultsite=syt-squid.test.com clientca=/apps/squid2.6.13/etc/ssl/clientca_trusted_root.pem

# Non-SSL Cache Peer
cache_peer 172.16.4.1 parent 80 0 proxy-only
originserver name=test_syt
# ACL
acl test_syt_syt dstdomain syt-squid.test.com
# Non-SSL Cache Peer Access
cache_peer_access test_syt allow test_syt_syt

-

# Actions Performed #

1) Verified client-side cert is valid via openssl: 

bash-3.00$ openssl verify -CAfile clientca_trusted_root.pem joe-clientcert.pem
joe-clientcert.pem: OK

2a) Opened Internet Explorer 6 and connected to the
Squid proxy.

2b) IE prompts to select the client-side certificate.

2c) Select the client-side certificate and click OK in
the web browser.

Squid Logs show:

2007/09/13 14:54:55| SSL unknown certificate error 20 in /O=Company, Inc./OU=Services/OU=Company Name - Something/OU=GroupID - TestTeam/OU=UserID - JoeSmoe/CN=Joe Smoe/[EMAIL PROTECTED]
2007/09/13 14:54:55| clientNegotiateSSL: Error negotiating SSL connection on FD 20: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned (1/-1)
2007/09/13 14:54:55| SSL unknown certificate error 20 in /O=Company, Inc./OU=Services/OU=Company Name - Something/OU=GroupID - TestTeam/OU=UserID - JoeSmoe/CN=Joe Smoe/[EMAIL PROTECTED]

2d) IE prompts AGAIN to select the client-side
certificate.

Squid Logs show:

2007/09/13 14:54:57| SSL unknown certificate error 20 in /O=Company, Inc./OU=Services/OU=Company Name - Something/OU=GroupID - TestTeam/OU=UserID - JoeSmoe/CN=Joe Smoe/[EMAIL PROTECTED]
2007/09/13 14:54:57| clientNegotiateSSL: Error negotiating SSL connection on FD 20: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned (1/-1)
2007/09/13 14:54:57| SSL unknown certificate error 20 in /O=Company, Inc./OU=Services/OU=Company Name - Something/OU=GroupID - TestTeam/OU=UserID - JoeSmoe/CN=Joe Smoe/[EMAIL PROTECTED]

I tried the same process with the Firefox 2.0.0.6 browser
and got the exact same error messages in the Squid log
file.

I am at a loss as I'm not sure where the problem is. 
According to the Squid 2.6 docs, it should be as
simple as adding in the CA cert for the signer of the
client-cert and adding the "clientca=" directive to
the squid.conf file.

The same squid server utilizing normal SSL server
certificates works great!  It just seems to be the
client-side certificates that are the issue.

Any help would be appreciated!  Thanks!
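The "SSL unknown certificate error 20" in the cache.log above carries an OpenSSL X509 verification result code: 20 is X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, meaning the issuer of the presented certificate was not found in the CA material Squid verifies against. Squid's https_port documentation in squid.conf describes cafile= as the CA file used when verifying client certificates and clientca= as the list of CAs sent to the browser, with clientca= used for verification only when cafile= is unset, so the file to run openssl verify against is the one handed to cafile=, not necessarily the one handed to clientca=. The script below is an added example, not from the thread: it builds a throwaway CA and client certificate (hypothetical names, one-day validity) and reports the verify error code against the issuing CA and against an unrelated CA, which is the check to repeat with the real cafile= contents.

```shell
#!/bin/sh
# Added example (not from the squid-users thread): reproduce OpenSSL verify
# error 20 (X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY) with throwaway
# keys, to show what Squid's "SSL unknown certificate error 20" means.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME SUBJECT : self-signed CA (key + cert) in $WORK, valid one day
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# make_client_cert CA_NAME NAME SUBJECT : client cert signed by the named CA
make_client_cert() {
    openssl req -new -newkey rsa:2048 -nodes -subj "$3" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$WORK/$2.csr" \
        -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" -CAcreateserial \
        -out "$WORK/$2.pem" 2>/dev/null
}

# verify_error_code CAFILE CERT : prints the X509 verify error number that
# openssl reports (0 when the chain verifies, -1 if the output is
# unrecognised). The number is the same one Squid logs after
# "SSL unknown certificate error". Output is parsed rather than the exit
# status because old OpenSSL releases exit 0 even on a failed verify.
verify_error_code() {
    out=$(openssl verify -CAfile "$1" "$2" 2>&1 || true)
    code=$(printf '%s\n' "$out" \
        | sed -n 's/.*error \([0-9][0-9]*\) at [0-9][0-9]* depth.*/\1/p' \
        | head -n 1)
    if [ -z "$code" ]; then
        case "$out" in
            *": OK"*) code=0 ;;
            *)        code=-1 ;;
        esac
    fi
    printf '%s\n' "$code"
}

# Constructed PKI: the CA that issues client certs, and an unrelated CA
# standing in for a cafile= that points at the wrong trust root.
make_ca clientca "/O=Example Corp/CN=Client CA"
make_ca unrelated_ca "/O=Example Corp/CN=Some Other CA"
make_client_cert clientca joe "/O=Example Corp/CN=Joe Smoe"

echo "against the issuing CA:  error $(verify_error_code "$WORK/clientca.pem" "$WORK/joe.pem")"
echo "against an unrelated CA: error $(verify_error_code "$WORK/unrelated_ca.pem" "$WORK/joe.pem")"
```

Run the same verify_error_code check with the real client certificate as CERT and the exact file named in cafile= as CAFILE; a non-zero code there, with OK against the clientca= file, points at the two directives naming different trust roots rather than at the browser.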




[squid-users] HTTP Header Manipulation Question

2007-09-20 Thread techguy005-ml
I have an application that passes a value back to the
client using the HTTP Status string:

Response.Status = Response.Status & " " & FileSize

This would return an HTTP status to the client looking
like below, which says 200 for success and 5632
for the number of bytes uploaded to the server.

200 5632

Unfortunately, Squid doesn't see that as a valid HTTP
status (and rightfully so) and trims off the 5632
and replaces it with "OK". Therefore, the application
errors on the client side because it's expecting a
value back in the HTTP Header. Below is what I found
in testing:

Through the Squid proxy:  HTTP/1.0 200 OK

Direct to Web Server: HTTP/1.1 200 5632

The developers are working on fixing this, but for the
time-being, is there any setting in Squid that I can
set to allow it to pass the value back after the "200"
status code (i.e. replace the "OK" with a value)?

What I'd like Squid to pass back is:  

HTTP/1.0 200 
Example:  HTTP/1.0 200 5632

Any assistance would be appreciated.



[squid-users] Squid Error Then Can't Connect To Web Site

2007-09-28 Thread techguy005-ml
I have a Squid proxy configured as a reverse proxy
that serves about 10 web sites via SSL.

One of the web sites randomly becomes unavailable and
the only way to make it work again is to restart the
squid process.

The following error message in the cache.log is
repeated lots of times when the problem occurs: 

2007/09/28 10:06:09| fwdNegotiateSSL: Error negotiating SSL connection on FD 148: error::lib(0):func(0):reason(0) (5/-1/104)
2007/09/28 10:06:09| TCP connection to 1.2.3.4/443 failed

I check the backend web server directly and it is
alive so technically the cache_peer is available, but
squid doesn't seem to think so.

The other odd item is in the access.log: normally I
would expect to see a "TCP_MISS/200" and the matching
cache_peer name at the end of the request line:

1190984166.734 32 11.12.33.44 TCP_MISS/200 280 GET https://www.domain.com/c3.gif - FIRST_UP_PARENT/website_ssl -

But when the problem happens, I get "TCP_MISS/503" and
NO matching cache_peer:

1190983242.734 32 11.12.33.44 TCP_MISS/503 280 GET https://www.domain.com/c3.gif - NONE

When this event is happening, all the other web sites
are just fine.  It seems to be specific to this web
site.

I restart the squid process, and the site resumes
working.

Any ideas?

Thanks.
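The access.log symptom described in this post, TCP_MISS/503 with hierarchy "NONE" (no cache_peer was selected for the request) concentrated on one site while the others keep returning TCP_MISS/200 via FIRST_UP_PARENT, is easy to watch for automatically so that the restart does not have to wait for users to complain. The script below is an added example, not from the thread: it parses Squid's native access.log format with awk, counts 503/NONE responses per origin host, and prints any host that crossed a threshold. The log lines it runs on are constructed in the script, modelled on the two entries quoted above, and not real traffic.

```shell
#!/bin/sh
# Added example (not from the squid-users thread): scan a Squid native-format
# access.log for TCP_MISS/503 entries whose hierarchy field is NONE, i.e.
# requests for which no cache_peer was chosen, and report hosts over a
# threshold. Native log fields: time elapsed client code/status bytes method
# URL ident hierarchy/peer type; only $4, $7 and $9 are used.
set -e

# detect_peer_failures LOGFILE THRESHOLD
# Prints "host failed total", sorted by host, for every host with at least
# THRESHOLD requests that finished as TCP_MISS/503 with hierarchy NONE.
detect_peer_failures() {
    awk -v thr="$2" '
        {
            split($4, cs, "/")      # TCP_MISS/503 -> cs[2] = "503"
            split($9, hp, "/")      # FIRST_UP_PARENT/website_ssl -> hp[1]
            host = $7
            p = index(host, "://"); if (p) host = substr(host, p + 3)    # drop scheme
            p = index(host, "/");   if (p) host = substr(host, 1, p - 1) # drop path
            p = index(host, ":");   if (p) host = substr(host, 1, p - 1) # drop port
            total[host]++
            if (cs[2] == "503" && hp[1] == "NONE") failed[host]++
        }
        END {
            for (h in failed)
                if (failed[h] >= thr) print h, failed[h], total[h]
        }' "$1" | sort
}

# Constructed sample log (not real traffic): the failing site alternates
# between the two request shapes quoted in the post, while a second site
# keeps being served through its cache_peer.
LOG=$(mktemp)
trap 'rm -f "$LOG"' EXIT
cat > "$LOG" <<'EOF'
1190983242.734 32 11.12.33.44 TCP_MISS/503 280 GET https://www.domain.com/c3.gif - NONE -
1190983243.001 30 11.12.33.46 TCP_MISS/503 280 GET https://www.domain.com/index.html - NONE -
1190983243.512 27 11.12.33.45 TCP_MISS/200 512 GET https://other.example.com/ - FIRST_UP_PARENT/other_ssl -
1190983244.512 31 11.12.33.44 TCP_MISS/503 280 GET https://www.domain.com/c3.gif - NONE -
1190983245.900 27 11.12.33.45 TCP_MISS/200 512 GET https://other.example.com/ - FIRST_UP_PARENT/other_ssl -
1190984166.734 32 11.12.33.44 TCP_MISS/200 280 GET https://www.domain.com/c3.gif - FIRST_UP_PARENT/website_ssl -
EOF

# With a threshold of 3 only www.domain.com is reported (3 failed of 4 total)
detect_peer_failures "$LOG" 3
```

In production the function would be pointed at the live access.log (or a tail of it over the last few minutes) from cron or a monitoring agent; a host showing up in its output while its origin answers a direct probe is exactly the state described in the post, and a good moment to capture cache.log before restarting.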