Re: [squid-users] SSL Reverse Proxy Domain Mismatch

2013-05-01 Thread Amos Jeffries

On 1/05/2013 8:56 a.m., Paul Carew wrote:

Hi

I have Squid 3.3.4 setup as an SSL reverse proxy for web based mail.
The domain name on the outside is something like mail.example.org and
the domain name on the inside is something like webmail.example.local.
I am getting a TLS code: SQUID_X509_V_ERR_DOMAIN_MISMATCH error when
trying to connect.

My https_port line looks like so:

https_port 443 accel cert=/etc/squid/ssl_certs/mail.crt
key=/etc/squid/ssl_certs/mail.key cafile=/etc/squid/ssl_certs/mail.ca
defaultsite=webmail.example.local

The cache_peer line:

cache_peer 192.168.0.42 parent 443 0 no-query originserver login=PASS
ssl front-end-https=on name=webmailServer

The certificate on the web based mail server, inside, is issued to
webmail.example.local with a SAN of mail.example.org. The certificate
used on the Squid https_port config line is issued to mail.example.com
with no SAN.

I can understand why the DOMAIN_MISMATCH is occurring but was hoping
someone could recommend a work around?


Because webmail.example.local != mail.example.org. Your clients will be 
requesting one and Squid relays the client request with as few changes 
as possible.


You can use forcedomain=mail.example.com on the peer line, or make the 
domain mail.example.com point at Squid for clients to use in their URLs 
(the best way).


Amos
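Which of the thread's three names each certificate actually identifies can be checked with a small RFC 6125-style matcher. This is an added example, not Squid code or the poster's configuration: INTERNAL_CERT and SQUID_PORT_CERT are constructed from the certificate descriptions quoted above, and the cn_fallback flag models older validators that still consult the CN when SANs are present (browsers apply the strict rule).

```python
"""Server-name matching in the style of RFC 6125, applied to the
certificates described in the thread.  Added example; not Squid code.
INTERNAL_CERT and SQUID_PORT_CERT are constructed from the thread's text."""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class CertNames:
    """The identity fields of an X.509 server certificate that matter here."""
    subject_cn: str
    san_dns: List[str] = field(default_factory=list)


# Constructed from the thread: the origin (webmail) certificate and the one
# Squid presents on its https_port.
INTERNAL_CERT = CertNames("webmail.example.local", ["mail.example.org"])
SQUID_PORT_CERT = CertNames("mail.example.com")          # no SAN at all

# The three names that appear in the thread.
EXTERNAL_NAME = "mail.example.org"       # what clients type
DEFAULTSITE = "webmail.example.local"    # https_port defaultsite=
FORCEDOMAIN = "mail.example.com"         # the forcedomain= suggestion


def name_matches(pattern: str, hostname: str) -> bool:
    """Compare one presented identifier (CN or dNSName) with a hostname.

    RFC 6125 s6.4.3 rules: case-insensitive; '*' is honoured only as the
    entire left-most label, only when at least two labels follow it, and
    it never spans a dot, so '*.example.org' covers 'mail.example.org'
    but not 'a.b.example.org', 'example.org' or anything under '*.org'.
    """
    p_labels = pattern.rstrip(".").lower().split(".")
    h_labels = hostname.rstrip(".").lower().split(".")
    if "*" in pattern:
        wildcard_ok = (pattern.count("*") == 1 and p_labels[0] == "*"
                       and len(p_labels) >= 3)
        if not wildcard_ok:
            return False
    if len(p_labels) != len(h_labels):
        return False
    return all(p == "*" or p == h for p, h in zip(p_labels, h_labels))


def cert_covers(cert: CertNames, hostname: str, cn_fallback: bool = False) -> bool:
    """Does `cert` identify `hostname`?

    Strict rule (RFC 6125 s6.4.4, what browsers enforce): when any dNSName
    SAN is present the CN is ignored.  cn_fallback=True models older
    validators that also accept a matching CN alongside SANs.
    """
    if any(name_matches(n, hostname) for n in cert.san_dns):
        return True
    if cert.san_dns and not cn_fallback:
        return False
    return name_matches(cert.subject_cn, hostname)


def coverage(cn_fallback: bool = False) -> Dict[Tuple[str, str], bool]:
    """Which certificate covers which of the thread's names."""
    certs = {"internal": INTERNAL_CERT, "squid_port": SQUID_PORT_CERT}
    names = (EXTERNAL_NAME, DEFAULTSITE, FORCEDOMAIN)
    return {(label, n): cert_covers(c, n, cn_fallback)
            for label, c in certs.items() for n in names}


if __name__ == "__main__":
    for (label, name), ok in coverage().items():
        print(f"{label:11s} {name:22s} {'covers' if ok else 'MISMATCH'}")
```

Under the strict rule the Squid-side certificate covers only mail.example.com and the origin certificate covers only mail.example.org; the defaultsite name is covered by the origin certificate solely through the CN fallback.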


[squid-users] SSL Reverse Proxy Domain Mismatch

2013-04-30 Thread Paul Carew
Hi

I have Squid 3.3.4 setup as an SSL reverse proxy for web based mail.
The domain name on the outside is something like mail.example.org and
the domain name on the inside is something like webmail.example.local.
I am getting a TLS code: SQUID_X509_V_ERR_DOMAIN_MISMATCH error when
trying to connect.

My https_port line looks like so:

https_port 443 accel cert=/etc/squid/ssl_certs/mail.crt
key=/etc/squid/ssl_certs/mail.key cafile=/etc/squid/ssl_certs/mail.ca
defaultsite=webmail.example.local

The cache_peer line:

cache_peer 192.168.0.42 parent 443 0 no-query originserver login=PASS
ssl front-end-https=on name=webmailServer

The certificate on the web based mail server, inside, is issued to
webmail.example.local with a SAN of mail.example.org. The certificate
used on the Squid https_port config line is issued to mail.example.com
with no SAN.

I can understand why the DOMAIN_MISMATCH is occurring but was hoping
someone could recommend a work around?

Many thanks


Paul


Re: [squid-users] SSL reverse proxy for phpmyadmin problems

2011-01-31 Thread Amos Jeffries
On Mon, 31 Jan 2011 19:59:55 +0100, Tobias Reckhard
 wrote:
> Hi
> 
> I'm having a bit of trouble implementing a Squid3 reverse HTTPS proxy
> for, among others, phpmyadmin. The initial connection to the phpmyadmin
> login page using HTTPS works fine, but after I enter my credentials,
> phpmyadmin redirects my browser to http://, using a "302 Moved
> Temporarily" code and a "Location: http://" header. Although that
> succeeds, since the Apache web server hosting phpmyadmin is in fact
> accessible unencrypted via port 80, it's not what I want.
> 
> Does anyone here know how I can keep phpmyadmin from redirecting the
> browser away from HTTPS to HTTP?
> 
> Cheers,
> Tobias

That would be a configuration issue on your server:

http://www.phpmyadmin.net/localized_docs/en_GB/Documentation.html#faq1_39

Amos



[squid-users] SSL reverse proxy for phpmyadmin problems

2011-01-31 Thread Tobias Reckhard
Hi

I'm having a bit of trouble implementing a Squid3 reverse HTTPS proxy
for, among others, phpmyadmin. The initial connection to the phpmyadmin
login page using HTTPS works fine, but after I enter my credentials,
phpmyadmin redirects my browser to http://, using a "302 Moved
Temporarily" code and a "Location: http://" header. Although that
succeeds, since the Apache web server hosting phpmyadmin is in fact
accessible unencrypted via port 80, it's not what I want.

Does anyone here know how I can keep phpmyadmin from redirecting the
browser away from HTTPS to HTTP?

Cheers,
Tobias


Re: [squid-users] SSL Reverse Proxy to Support Multiple Web Site WITHOUT wildcard crt

2010-09-20 Thread Henrik Nordström
Mon 2010-09-20 at 13:02 +0100, Nikolaos Pavlidis wrote:

> Unfortunately that did not work! If I define an IP address on the port
> it just stops working for some reason! squid reloads with no errors but
> access to the host times out.

Odd. Works for me, and is needed to be able to specify the right
certificate for each site.

Try again, and pay attention to error outputs on the console when
starting squid and in cache.log.

and check your config with "squid -k parse".

Regards
Henrik



Re: [squid-users] SSL Reverse Proxy to Support Multiple Web Site WITHOUT wildcard crt

2010-09-20 Thread Amos Jeffries

On 21/09/10 00:02, Nikolaos Pavlidis wrote:

Hello Amos, all,

Many thanks for taking a look at my config!

Comments inline (easier)

On Fri, 2010-09-17 at 23:17 +1200, Amos Jeffries wrote:

On 17/09/10 19:32, Nikolaos Pavlidis wrote:

Hello Amos, all,

Thank you for your response. As far as understanding what you mean I do
(thats something at least) but I fail to see how this will be syntaxed


Answers inline.



My config is as follows please advise(this is not working of course):

# NETWORK OPTIONS
#
-
http_port 80 accel defaultsite=www.domain.com vhost
https_port 443 cert=/etc/squid/uob/sid_domain.crt
key=/etc/squid/uob/sid_domain.key cafile=/etc/squid/uob/sid_domain.ca
defaultsite=sid.domain.com vhost

https_port 443 cert=/etc/squid/uob/helpdesk_domain.crt
key=/etc/squid/uob/helpdesk_domain.key
cafile=/etc/squid/uob/helpdesk_domain.ca defaultsite=helpdesk.domain.com
vhost

The public-facing IP address is needed to open multiple same-numbered ports.

(wrapped for easy reading)

https_port 10.0.0.1:443 accel vhost defaultsite=sid.domain.com
 cert=/etc/squid/uob/sid_domain.crt
 key=/etc/squid/uob/sid_domain.key
 cafile=/etc/squid/uob/sid_domain.ca

https_port 10.0.0.2:443 accel vhost defaultsite=helpdesk.domain.com
 cert=/etc/squid/uob/helpdesk_domain.crt
 key=/etc/squid/uob/helpdesk_domain.key
 cafile=/etc/squid/uob/helpdesk_domain.ca



Unfortunately that did not work! If I define an IP address on the port
it just stops working for some reason! squid reloads with no errors but
access to the host times out.



SSL is on the edge of my knowledge field. This is a bit of a black box 
to me now.


Hopefully someone else here knows more details of what to test.


To me it sounds a little like the SSL layer is failing to be setup or 
something. For example if the IP does not match the certificate info 
domain rDNS, or Host: domain matching the cert, etc.
debug_options 83,6 may have something relevant if it's something 
detected by Squid.






# OPTIONS FOR TUNING THE CACHE
#
-
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i \.css 1440 50% 2880 override-expire
refresh_pattern -i \.swf 1440 50% 2880 ignore-reload override-expire


Missing:
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0


That is actually not suggested for our CMS at the moment :/



huh? it specifies that dynamic pages are not to be cached unless they 
have Cache-Control/Expires. Not having this causes dynamic pages to be 
stored for maybe long periods after they should have been updated.


If there are parts of the site that it matches and are supposed to be 
cached for a while, add rules above it for those specific site parts.


Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.8
  Beta testers wanted for 3.2.0.2


Re: [squid-users] SSL Reverse Proxy to Support Multiple Web Site WITHOUT wildcard crt

2010-09-20 Thread Nikolaos Pavlidis
Hello Amos, all,

Many thanks for taking a look at my config!

Comments inline (easier)

On Fri, 2010-09-17 at 23:17 +1200, Amos Jeffries wrote:
> On 17/09/10 19:32, Nikolaos Pavlidis wrote:
> > Hello Amos, all,
> >
> > Thank you for your response. As far as understanding what you mean I do
> > (thats something at least) but I fail to see how this will be syntaxed
> 
> Answers inline.
> 
> >
> > My config is as follows please advise(this is not working of course):
> >
> > # NETWORK OPTIONS
> > #
> > -
> > http_port 80 accel defaultsite=www.domain.com vhost
> > https_port 443 cert=/etc/squid/uob/sid_domain.crt
> > key=/etc/squid/uob/sid_domain.key cafile=/etc/squid/uob/sid_domain.ca
> > defaultsite=sid.domain.com vhost
>  >
>  > https_port 443 cert=/etc/squid/uob/helpdesk_domain.crt
>  > key=/etc/squid/uob/helpdesk_domain.key
>  > cafile=/etc/squid/uob/helpdesk_domain.ca defaultsite=helpdesk.domain.com
>  > vhost
> 
> The public-facing IP address is needed to open multiple same-numbered ports.
> 
> (wrapped for easy reading)
> 
> https_port 10.0.0.1:443 accel vhost defaultsite=sid.domain.com
> cert=/etc/squid/uob/sid_domain.crt
> key=/etc/squid/uob/sid_domain.key
> cafile=/etc/squid/uob/sid_domain.ca
> 
> https_port 10.0.0.2:443 accel vhost defaultsite=helpdesk.domain.com
> cert=/etc/squid/uob/helpdesk_domain.crt
> key=/etc/squid/uob/helpdesk_domain.key
> cafile=/etc/squid/uob/helpdesk_domain.ca
> 
> 
Unfortunately that did not work! If I define an IP address on the port
it just stops working for some reason! squid reloads with no errors but
access to the host times out.

> > visible_hostname www.domain.com
> > unique_hostname cache1.domain.com
> > offline_mode off
> > icp_port 3130
> > request_body_max_size 32 MB
> >
> > # OPTIONS WHICH AFFECT THE CACHE SIZE
> > #
> > -
> > cache_mem 4096 MB
> > maximum_object_size 8 MB
> > maximum_object_size_in_memory 256 KB
> >
> > # LOGFILE PATHNAMES AND CACHE DIRECTORIES
> > #
> > -
> > cache_dir aufs /var/cache/squid 61440 16 256
> > emulate_httpd_log on
> > logfile_rotate 100
> > logformat combined %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
> > access_log /var/log/squid/access.log combined
> 
> Just for my interest how does forcing apache "common" format with 
> emulate_httpd_log mix with explicitly forcing a locally defined 
> "combined" format?
>   Which one do you expect to be used in the log?
> 
Good spot! DOH! :)

> > cache_log /var/log/squid/cache.log
> > cache_store_log /var/log/squid/store.log
> 
> Only if you need it. Otherwise:
>   cache_store_log none
> 
> > debug_options ALL,1,33,3,20,3
> 
> (space needed between each section,level option pair.)
> debug_options ALL,1 33,3 20,3
> 
Another good one!

> >
> > # OPTIONS FOR EXTERNAL SUPPORT PROGRAMS
> > #
> > -
> > auth_param basic children 10
> > auth_param basic realm Squid proxy-caching web server
> > auth_param basic credentialsttl 2 hours
> > auth_param basic casesensitive off
> >
> > # OPTIONS FOR TUNING THE CACHE
> > #
> > -
> > refresh_pattern ^ftp: 1440 20% 10080
> > refresh_pattern ^gopher: 1440 0% 1440
> > refresh_pattern -i \.css 1440 50% 2880 override-expire
> > refresh_pattern -i \.swf 1440 50% 2880 ignore-reload override-expire
> 
> Missing:
> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> 
That is actually not suggested for our CMS at the moment :/


The rest were spot on as usual and I applied all of them in the running
configuration.

Any suggestions on how to proceed with the SSL?
Many thanks in advance.

Kind regards,

Nik

-- 
Nikolaos Pavlidis BSc (Hons) MBCS NCLP CEH CHFI
Systems Administrator
University Of Bedfordshire
Park Square LU1 3JU
Luton, Beds, UK
Tel: +441582489277 (Ext 2277)



Re: [squid-users] SSL Reverse Proxy to Support Multiple Web Site WITHOUT wildcard crt

2010-09-17 Thread Amos Jeffries

On 17/09/10 19:32, Nikolaos Pavlidis wrote:

Hello Amos, all,

Thank you for your response. As far as understanding what you mean I do
(thats something at least) but I fail to see how this will be syntaxed


Answers inline.



My config is as follows please advise(this is not working of course):

# NETWORK OPTIONS
#
-
http_port 80 accel defaultsite=www.domain.com vhost
https_port 443 cert=/etc/squid/uob/sid_domain.crt
key=/etc/squid/uob/sid_domain.key cafile=/etc/squid/uob/sid_domain.ca
defaultsite=sid.domain.com vhost

https_port 443 cert=/etc/squid/uob/helpdesk_domain.crt
key=/etc/squid/uob/helpdesk_domain.key
cafile=/etc/squid/uob/helpdesk_domain.ca defaultsite=helpdesk.domain.com
vhost

The public-facing IP address is needed to open multiple same-numbered ports.

(wrapped for easy reading)

https_port 10.0.0.1:443 accel vhost defaultsite=sid.domain.com
   cert=/etc/squid/uob/sid_domain.crt
   key=/etc/squid/uob/sid_domain.key
   cafile=/etc/squid/uob/sid_domain.ca

https_port 10.0.0.2:443 accel vhost defaultsite=helpdesk.domain.com
   cert=/etc/squid/uob/helpdesk_domain.crt
   key=/etc/squid/uob/helpdesk_domain.key
   cafile=/etc/squid/uob/helpdesk_domain.ca



visible_hostname www.domain.com
unique_hostname cache1.domain.com
offline_mode off
icp_port 3130
request_body_max_size 32 MB

# OPTIONS WHICH AFFECT THE CACHE SIZE
#
-
cache_mem 4096 MB
maximum_object_size 8 MB
maximum_object_size_in_memory 256 KB

# LOGFILE PATHNAMES AND CACHE DIRECTORIES
#
-
cache_dir aufs /var/cache/squid 61440 16 256
emulate_httpd_log on
logfile_rotate 100
logformat combined %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
access_log /var/log/squid/access.log combined


Just for my interest how does forcing apache "common" format with 
emulate_httpd_log mix with explicitly forcing a locally defined 
"combined" format?

 Which one do you expect to be used in the log?


cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log


Only if you need it. Otherwise:
 cache_store_log none


debug_options ALL,1,33,3,20,3


(space needed between each section,level option pair.)
debug_options ALL,1 33,3 20,3



# OPTIONS FOR EXTERNAL SUPPORT PROGRAMS
#
-
auth_param basic children 10
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off

# OPTIONS FOR TUNING THE CACHE
#
-
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i \.css 1440 50% 2880 override-expire
refresh_pattern -i \.swf 1440 50% 2880 ignore-reload override-expire


Missing:
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0


refresh_pattern . 1440 50% 4320 override-expire

# ACCESS CONTROLS
#
-

acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl purge method PURGE
acl CONNECT method CONNECT
acl shoutcast rep_header X-HTTP09-First-Line ^ICY\s[0-9]
upgrade_http0.9 deny shoutcast
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache

# reverce-proxy configuration
#
-

cache_peer 194.80.213.28 sibling 80 3130 proxy-only no-digest
no-netdb-exchange


(this is where the deny from itself comes in handy to block looping)

cache_peer_access 194.80.213.28 deny from_cache2
cache_peer_access 194.80.213.28 allow all



cache_peer 10.1.62.230 parent 80 0 no-query originserver no-digest
name=lhdl_cst_srv login=PASS
acl sites_lhdl_cst dstdomain lhdl.cst.domain.com
http_access allow sites_lhdl_cst
cache_peer_access lhdl_cst_srv allow sites_lhdl_cst
cache_peer_access lhdl_cst_srv deny from_cache2


missing "deny all" there.




cache_peer 212.219.119.48 parent 443 0 no-query originserver ssl
sslflags=DONT_VERIFY_PEER no-digest name=beweb_srv_ssl login=PASS
acl sites_beweb_ssl dstdomain sid.domain.com
http_access allow sites_beweb_ssl
cache_peer_access beweb_srv_ssl allow sites_beweb_ssl
cache_peer_access 

Re: [squid-users] SSL Reverse Proxy to Support Multiple Web Site WITHOUT wildcard crt

2010-09-17 Thread Nikolaos Pavlidis
Hello Amos, all,

Thank you for your response. As far as understanding what you mean I do
(thats something at least) but I fail to see how this will be syntaxed 

My config is as follows please advise(this is not working of course):

# NETWORK OPTIONS
#
-
http_port 80 accel defaultsite=www.domain.com vhost
https_port 443 cert=/etc/squid/uob/sid_domain.crt
key=/etc/squid/uob/sid_domain.key cafile=/etc/squid/uob/sid_domain.ca
defaultsite=sid.domain.com vhost
https_port 443 cert=/etc/squid/uob/helpdesk_domain.crt
key=/etc/squid/uob/helpdesk_domain.key
cafile=/etc/squid/uob/helpdesk_domain.ca defaultsite=helpdesk.domain.com
vhost
visible_hostname www.domain.com
unique_hostname cache1.domain.com
offline_mode off
icp_port 3130
request_body_max_size 32 MB

# OPTIONS WHICH AFFECT THE CACHE SIZE
#
-
cache_mem 4096 MB
maximum_object_size 8 MB
maximum_object_size_in_memory 256 KB

# LOGFILE PATHNAMES AND CACHE DIRECTORIES
#
-
cache_dir aufs /var/cache/squid 61440 16 256
emulate_httpd_log on
logfile_rotate 100
logformat combined %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
access_log /var/log/squid/access.log combined
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log
debug_options ALL,1,33,3,20,3

# OPTIONS FOR EXTERNAL SUPPORT PROGRAMS
#
-
auth_param basic children 10
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off

# OPTIONS FOR TUNING THE CACHE
#
-
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i \.css 1440 50% 2880 override-expire
refresh_pattern -i \.swf 1440 50% 2880 ignore-reload override-expire
refresh_pattern . 1440 50% 4320 override-expire

# ACCESS CONTROLS
#
-

acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80  # http
acl Safe_ports port 21  # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70  # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl purge method PURGE
acl CONNECT method CONNECT
acl shoutcast rep_header X-HTTP09-First-Line ^ICY\s[0-9]
upgrade_http0.9 deny shoutcast
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache

# reverce-proxy configuration
#
-

cache_peer 194.80.213.28 sibling 80 3130 proxy-only no-digest
no-netdb-exchange

cache_peer 10.1.62.230 parent 80 0 no-query originserver no-digest
name=lhdl_cst_srv login=PASS
acl sites_lhdl_cst dstdomain lhdl.cst.domain.com
http_access allow sites_lhdl_cst
cache_peer_access lhdl_cst_srv allow sites_lhdl_cst
cache_peer_access lhdl_cst_srv deny from_cache2
cache_peer_access lhdl_cst_srv deny all

cache_peer 212.219.119.48 parent 443 0 no-query originserver ssl
sslflags=DONT_VERIFY_PEER no-digest name=beweb_srv_ssl login=PASS
acl sites_beweb_ssl dstdomain sid.domain.com
http_access allow sites_beweb_ssl
cache_peer_access beweb_srv_ssl allow sites_beweb_ssl
cache_peer_access beweb_srv_ssl deny from_cache2
cache_peer_access beweb_srv_ssl deny all

cache_peer 10.1.108.15 parent 443 0 no-query originserver ssl
sslflags=DONT_VERIFY_PEER no-digest name=helpdesk_srv_ssl login=PASS
acl sites_helpdesk_ssl dstdomain helpdesk.domain.com
http_access allow sites_helpdesk_ssl
cache_peer_access helpdesk_srv_ssl allow sites_helpdesk_ssl
cache_peer_access helpdesk_srv_ssl deny from_cache2
cache_peer_access helpdesk_srv_ssl deny all

# forward-proxy security restrictions
#
-

http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny all

http_reply_access allow all
acl from_cache2 src 194.80.213.28
icp_access allow from_cache2
icp_access deny all

# ADMINISTRATIVE PARAMETERS
#
-

shutdown_lifetime 15 second
httpd_suppress_version_string on
cache_mgr cache...@d

Re: [squid-users] SSL Reverse Proxy to Support Multiple Web Site WITHOUT wildcard crt

2010-07-21 Thread Amos Jeffries

Nikolaos Pavlidis wrote:

Hello all,

As the subject suggests, I am looking to support multiple ssl sites with
different certificates for each one. The only doc that I manage to find
is
http://wiki.squid-cache.org/ConfigExamples/Reverse/SslWithWildcardCertifiate

which was very helpful to setup the first host but did not provide much
on the addition of a second or third one.Any help will be much
appreciated. Thank you in advance.


The wildcard certificate handles multiple sites with one certificate. So 
that config is not what you want. The final part about squid 
configuration is loosely relevant, but...


To use separate certificates for each site configure an https_port on a 
different IP for each site and generate a non-wildcard certificate for 
 each of the domain+IP pairs.


After the https_ports are set up, it's the normal virtual hosting setup of 
cache_peer and related entries to source the requests. You can follow 
the config on that wildcard cert page, or the VirtualHosting config page.


Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.5


[squid-users] SSL Reverse Proxy to Support Multiple Web Site WITHOUT wildcard crt

2010-07-21 Thread Nikolaos Pavlidis
Hello all,

As the subject suggests, I am looking to support multiple ssl sites with
different certificates for each one. The only doc that I manage to find
is
http://wiki.squid-cache.org/ConfigExamples/Reverse/SslWithWildcardCertifiate

which was very helpful to setup the first host but did not provide much
on the addition of a second or third one.Any help will be much
appreciated. Thank you in advance.

Kind regards,

Nik

-- 
Nikolaos Pavlidis BSc (Hons) MBCS NCLP CEH CHFI
Systems Administrator
University Of Bedfordshire
Park Square LU1 3JU
Luton, Beds, UK
Tel: +441582489277 (Ext 2277)



RE: [squid-users] SSL Reverse Proxy testing With Invalid Certificate, can it be done.

2009-10-05 Thread Dean Weimer
> -Original Message-
> From: Henrik Nordstrom [mailto:hen...@henriknordstrom.net]
> Sent: Monday, October 05, 2009 4:48 AM
> To: Dean Weimer
> Cc: squid-users@squid-cache.org
> Subject: Re: [squid-users] SSL Reverse Proxy testing With Invalid
> Certificate, can it be done.
> 
> Fri 2009-09-25 at 10:57 -0500, Dean Weimer wrote:
> 
> > 2009/09/25 11:38:07| SSL unknown certificate error 18 in...
> > 2009/09/25 11:38:07| fwdNegotiateSSL: Error negotiating SSL
> > connection on FD 15: error:14090086:SSL
> > routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
> > (1/-1/0)
> 
> This is your Squid trying to use SSL to connect to the requested
> server.
> Not related to the http_port certificate settings.
> 
> validation requirements on peer certificates is set in cache_peer.
> 
> Regards
> Henrik

I was running Squid 3.0.STABLE19 on the test system.  Here are the
configuration lines from the original test. At one point I had added
cert lines on the cache_peer before realizing that those were only for
use when certificate authentication was needed on the parent.  I can't
remember for sure if the log was copied form when I had those options on
or not, I still had an invalid certificate error after removing them but
it may have been a different error number.

https_port 443 accel cert=/usr/local/squid/etc/certs/server.crt
key=/usr/local/squid/etc/certs/server.key defaultsite=mysite vhost

cache_peer 1.2.3.4 parent 443 0 no-query originserver ssl
sslflags=DONT_VERIFY_PEER,DONT_VERIFY_DOMAIN name=secure_mysite

My production server is a couple revisions behind, currently running
STABLE17, it will be updated to 19 this coming weekend.  I did not test
it with the fake certificate.

Thanks,
 Dean Weimer
 Network Administrator
 Orscheln Management Co


RE: [squid-users] SSL Reverse Proxy testing With Invalid Certificate, can it be done.

2009-10-05 Thread Henrik Nordstrom
Tue 2009-09-29 at 07:54 -0500, Dean Weimer wrote:

> I didn't see that one, though I have the real certificate now and
> everything is working with it.  I figure the sslflags on the cache peer
> settings should accomplish the same thing, but they didn't seem to make
> a difference whether I included them or not.

It should.

Which versions of Squid are you running?

Regards
Henrik



Re: [squid-users] SSL Reverse Proxy testing With Invalid Certificate, can it be done.

2009-10-05 Thread Henrik Nordstrom
Fri 2009-09-25 at 10:57 -0500, Dean Weimer wrote:

> 2009/09/25 11:38:07| SSL unknown certificate error 18 in...
> 2009/09/25 11:38:07| fwdNegotiateSSL: Error negotiating SSL connection on FD 
> 15: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate 
> verify failed (1/-1/0)

This is your Squid trying to use SSL to connect to the requested server.
Not related to the http_port certificate settings.

validation requirements on peer certificates is set in cache_peer.

Regards
Henrik



RE: [squid-users] SSL Reverse Proxy testing With Invalid Certificate, can it be done.

2009-09-29 Thread Dean Weimer
> -Original Message-
> From: Chris Robertson [mailto:crobert...@gci.net]
> Sent: Monday, September 28, 2009 4:16 PM
> To: squid-users@squid-cache.org
> Subject: Re: [squid-users] SSL Reverse Proxy testing With Invalid
> Certificate, can it be done.
> 
> Dean Weimer wrote:
> > I am trying to setup a test with an SSL reverse proxy on an intranet
> > site, I currently have a fake self signed certificate and the server is
> > answering on the HTTP side just fine, and answering on the HTTPS
> > however I get a (92) protocol error returned from the proxy when trying
> > to access it through HTTPS.
> >
> > I have added the following lines for the HTTPS option
> >
> > https_port 443 accel cert=/usr/local/squid/etc/certs/server.crt
> > key=/usr/local/squid/etc/certs/server.key defaultsite=mysite vhost
> >
> > cache_peer 10.20.10.76 parent 443 0 no-query originserver ssl
> > sslflags=DONT_VERIFY_PEER,DONT_VERIFY_DOMAIN name=secure_mysite
> >
> > From the log I can see the error is caused by the invalid
> > certificate.
> >
> > 2009/09/25 11:38:07| SSL unknown certificate error 18 in...
> > 2009/09/25 11:38:07| fwdNegotiateSSL: Error negotiating SSL
> > connection on FD 15: error:14090086:SSL
> > routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
> > (1/-1/0)
> >
> > Is there a way that I can tell it to go ahead and trust this fake
> > certificate during testing while I wait for the actual certificate
> > that is valid, to be issued.
> >
> 
> Perhaps http://www.squid-cache.org/Doc/config/sslproxy_flags/
> 
> >
> > Thanks,
> >  Dean Weimer
> >  Network Administrator
> >  Orscheln Management Co
> >
> 
> Chris

I didn't see that one, though I have the real certificate now and
everything is working with it.  I figure the sslflags on the cache peer
settings should accomplish the same thing, but they didn't seem to make
a difference whether I included them or not.

Thanks,
 Dean Weimer
 Network Administrator
 Orscheln Management Co


Re: [squid-users] SSL Reverse Proxy testing With Invalid Certificate, can it be done.

2009-09-28 Thread Chris Robertson

Dean Weimer wrote:

I am trying to setup a test with an SSL reverse proxy on an intranet site, I 
currently have a fake self signed certificate and the server is answering on 
the HTTP side just fine, and answering on the HTTPS however I get a (92) 
protocol error returned from the proxy when trying to access it through HTTPS.

I have added the following lines for the HTTPS option

https_port 443 accel cert=/usr/local/squid/etc/certs/server.crt 
key=/usr/local/squid/etc/certs/server.key defaultsite=mysite vhost

cache_peer 10.20.10.76 parent 443 0 no-query originserver ssl 
sslflags=DONT_VERIFY_PEER,DONT_VERIFY_DOMAIN name=secure_mysite

From the log I can see the error is caused by the invalid certificate.

2009/09/25 11:38:07| SSL unknown certificate error 18 in...
2009/09/25 11:38:07| fwdNegotiateSSL: Error negotiating SSL connection on FD 
15: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify 
failed (1/-1/0)

Is there a way that I can tell it to go ahead and trust this fake certificate 
during testing while I wait for the actual certificate that is valid, to be 
issued.
  


Perhaps http://www.squid-cache.org/Doc/config/sslproxy_flags/



Thanks,
 Dean Weimer
 Network Administrator
 Orscheln Management Co
  


Chris



[squid-users] SSL Reverse Proxy testing With Invalid Certificate, can it be done.

2009-09-25 Thread Dean Weimer
I am trying to setup a test with an SSL reverse proxy on an intranet site, I 
currently have a fake self signed certificate and the server is answering on 
the HTTP side just fine, and answering on the HTTPS however I get a (92) 
protocol error returned from the proxy when trying to access it through HTTPS.

I have added the following lines for the HTTPS option

https_port 443 accel cert=/usr/local/squid/etc/certs/server.crt 
key=/usr/local/squid/etc/certs/server.key defaultsite=mysite vhost

cache_peer 10.20.10.76 parent 443 0 no-query originserver ssl 
sslflags=DONT_VERIFY_PEER,DONT_VERIFY_DOMAIN name=secure_mysite

From the log I can see the error is caused by the invalid certificate.

2009/09/25 11:38:07| SSL unknown certificate error 18 in...
2009/09/25 11:38:07| fwdNegotiateSSL: Error negotiating SSL connection on FD 
15: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify 
failed (1/-1/0)

Is there a way that I can tell it to go ahead and trust this fake certificate 
during testing while I wait for the actual certificate that is valid, to be 
issued.


Thanks,
 Dean Weimer
 Network Administrator
 Orscheln Management Co
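The two cache.log lines quoted in this thread can be decoded mechanically, which helps when triaging origin-certificate failures behind a reverse proxy: Squid 3.0 prints "unknown certificate error 18" because the number is not in its own name table, but OpenSSL's x509_vfy.h names 18 X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT, i.e. exactly the self-signed test certificate described above. This is an added example, not part of the thread or of Squid; SAMPLE_LOG re-joins the thread's wrapped line and adds one constructed line, and the lookup tables are deliberately partial.

```python
"""Parse and decode the origin-certificate failures Squid 3.0 writes to
cache.log, in the format quoted in the thread.  Added example, not Squid
code.  SAMPLE_LOG = the thread's two lines (re-joined) plus one constructed
line; the OpenSSL lookup tables cover only the codes decoded here."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

SAMPLE_LOG = """\
2009/09/25 11:38:07| SSL unknown certificate error 18 in...
2009/09/25 11:38:07| fwdNegotiateSSL: Error negotiating SSL connection on FD 15: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)
2009/09/25 11:40:12| SSL unknown certificate error 10 in...
"""

# OpenSSL X509_V_ERR_* verify results (x509_vfy.h); partial table.
X509_VERIFY_ERRORS = {
    10: "X509_V_ERR_CERT_HAS_EXPIRED",
    18: "X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT",
    19: "X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN",
    20: "X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY",
    21: "X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE",
}
ERR_LIB_SSL = 20                       # library id in the top byte of a packed code
SSL_R_CERTIFICATE_VERIFY_FAILED = 134  # reason code in the low 12 bits

VERIFY_RE = re.compile(r"^(\S+ \S+)\| SSL unknown certificate error (\d+)")
NEGOTIATE_RE = re.compile(
    r"^(\S+ \S+)\| fwdNegotiateSSL: Error negotiating SSL connection on FD (\d+): "
    r"error:([0-9A-Fa-f]{8}):([^:]+):([^:]+):([^(]+?) \((-?\d+)/(-?\d+)/(-?\d+)\)$"
)


def unpack_openssl_error(code: int) -> Tuple[int, int, int]:
    """Split an OpenSSL 1.0.x packed error code into (lib, func, reason):
    ERR_PACK(l,f,r) = (l & 0xff) << 24 | (f & 0xfff) << 12 | (r & 0xfff)."""
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF


@dataclass
class PeerTlsFailure:
    timestamp: str
    verify_error: int                  # X509_V_ERR_* number Squid printed
    verify_name: str                   # symbolic name, or "unknown"
    fd: Optional[int] = None           # filled from the paired fwdNegotiateSSL line
    lib: Optional[int] = None          # OpenSSL library id (20 = SSL)
    func_name: Optional[str] = None    # e.g. SSL3_GET_SERVER_CERTIFICATE
    reason_code: Optional[int] = None  # low 12 bits of the packed code
    reason_text: Optional[str] = None
    ssl_error: Optional[int] = None    # SSL_get_error(): 1 = SSL_ERROR_SSL

    def is_certificate_verify_failure(self) -> bool:
        return (self.lib == ERR_LIB_SSL
                and self.reason_code == SSL_R_CERTIFICATE_VERIFY_FAILED)


def parse_cache_log(text: str) -> List[PeerTlsFailure]:
    """Pair each 'unknown certificate error N' line with the fwdNegotiateSSL
    line that follows it at the same timestamp; one record per failure."""
    failures: List[PeerTlsFailure] = []
    for line in text.splitlines():
        m = VERIFY_RE.match(line)
        if m:
            code = int(m.group(2))
            failures.append(PeerTlsFailure(
                m.group(1), code, X509_VERIFY_ERRORS.get(code, "unknown")))
            continue
        m = NEGOTIATE_RE.match(line)
        if (m and failures and failures[-1].fd is None
                and failures[-1].timestamp == m.group(1)):
            f = failures[-1]
            f.fd = int(m.group(2))
            f.lib, _func, f.reason_code = unpack_openssl_error(int(m.group(3), 16))
            f.func_name, f.reason_text = m.group(5), m.group(6)
            f.ssl_error = int(m.group(7))
    return failures


def triage(f: PeerTlsFailure) -> str:
    """Defender-oriented reading of why Squid refused the origin certificate."""
    if f.verify_error == 18:
        return ("origin presented a self-signed certificate; trust its issuer "
                "explicitly (cache_peer sslcafile=) instead of disabling checks")
    if f.verify_error == 10:
        return "origin certificate has expired; renew it on the origin"
    if f.verify_error in (19, 20, 21):
        return "origin chain is incomplete; add the missing intermediate or CA"
    return f"unhandled verify result {f.verify_error}; see x509_vfy.h"


if __name__ == "__main__":
    for fail in parse_cache_log(SAMPLE_LOG):
        print(f"{fail.timestamp} fd={fail.fd} {fail.verify_name}: {triage(fail)}")
```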


Re: [squid-users] SSL Reverse Proxy

2008-08-07 Thread Michael Alger
On Fri, Aug 01, 2008 at 12:15:53AM -0700, elsergio wrote:
> I am trying to see all the reverse proxy features that Squid
> offers and I have a question about SSL. I am sure you can help me.
> 
> I have seen in the forum that it seems to be something like this:
> 
> acl http protocol http
> acl https protocol https
> http_port public.ip:80 accel defaultsite=your.main.sitename vhost
> acl servergroup_domains dstdomain your.main.sitename other.sitename ...
> cache_peer ip.of.web.server parent 80 0 no-query originserver 
> name=servername_http
> cache_peer_access servername_http http servergroup_domains
> https_port public.ip:443 accel defaultsite=your.main.sitename 
> sslcert=/path/to/main.sitename.pem
> cache_peer ip.of.web.server parent 443 0 no-query originserver ssl 
> name=servername_https
> cache_peer_access servername_https https servergroup_domains
> 
> The problem is that I cannot figure out the differences between
> creating an SSL connection (the case above I think) and Squid
> being the end of an SSL connection.

The configuration example you have there does both.

http_port configures a port for squid itself to accept connections
on. If you use https_port, it will be an SSL endpoint; which is why
you need to specify the certificate file to use.

cache_peer configures either an upstream proxy or defines an origin
server (conceptually these are the same thing, the only difference
is how you make requests to them). I suppose specifying the "ssl"
option to it tells squid to make SSL connections when requesting
content from it.

Does that help at all?


[squid-users] SSL Reverse Proxy

2008-08-01 Thread elsergio

Hi,

I am trying to see all the reverse proxy features that Squid offers and I
have a question about SSL. I am sure you can help me.

I have seen in the forum that it seems to be something like this:

acl http protocol http
acl https protocol https
http_port public.ip:80 accel defaultsite=your.main.sitename vhost
acl servergroup_domains dstdomain your.main.sitename other.sitename ...
cache_peer ip.of.web.server parent 80 0 no-query originserver
name=servername_http
cache_peer_access servername_http http servergroup_domains
https_port public.ip:443 accel defaultsite=your.main.sitename
sslcert=/path/to/main.sitename.pem
cache_peer ip.of.web.server parent 443 0 no-query originserver ssl
name=servername_https
cache_peer_access servername_https https servergroup_domains

The problem is that I cannot figure out the differences between creating an
SSL connection (the case above I think) and Squid being the end of an SSL
connection.

Can you help me?

Best Regards,

Sergio 



Re: [squid-users] SSL Reverse Proxy

2007-10-15 Thread Henrik Nordstrom
On tor, 2007-10-11 at 12:53 +0530, Shekhar Gupta wrote:

> In the above config i am hosting 2 website which is running in my LAN
> to publish outside using SSL proxy . Also in /etc/hosts i am making 2
> entries for this
> 
> 10.112.62.20    websiteA.mydomain.com   websiteA
> 10.112.143.112  mywebsite.mydomain.com  mywebsite

Instead of using /etc/hosts you can specify the IPs in cache_peer.

Regards
Henrik




RE: [squid-users] SSL Reverse Proxy

2007-10-11 Thread Dwyer, Simon
Thanks Amos, Matus and Shekhar.

It seems I forgot to put in the login=PASS which may have caused the error.
I also fixed up my host file and started squid with -D.  

Thanks again,

Simon Dwyer

-Original Message-
From: Amos Jeffries [mailto:[EMAIL PROTECTED] 
Sent: Thursday, 11 October 2007 11:11 PM
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] SSL Reverse Proxy

Shekhar Gupta wrote:
> Hi Simon,
> 
> I am just sharing my config which I have done for my SSL Reverse
> Proxy for one of the sites, which is hosted on port 80. One more thing
> is I am running squid with the
> -D option, which tells squid not to use DNS for name resolution; at the
> same time I am making the entries in the /etc/hosts file for the site.
> 
> https_port 443 cert=/Path to Certificate/testcert.cert key=/Path to
> Key/testkey.pem  defaultsite=mywebsite.mydomain.com vhost
> 
> cache_peer 10.112.62.20 parent 80 0 no-query originserver login=PASS
> name=websiteA.mydomain.com
> acl sites_server_1 dstdomain websiteA.mydomain.com
> cache_peer_access websiteA.mydomain.com allow sites_server_1
> cache_peer 10.112.143.112 parent 80 0 no-query originserver login=PASS
> name=mywebsite.mydomain.com
> acl sites_server_2 dstdomain mywebsite.mydomain.com
> cache_peer_access mywebsite.mydomain.com allow sites_server_2
> acl webserver dst 10.112.62.20 10.112.143.112
> http_access allow webserver
> http_access allow all
> miss_access allow webserver
> miss_access deny all

Try without this miss_access.

Also, try with general http(s) access permitted to the accelerated sites.

Amos

> http_access allow manager localhost
> http_access deny manager
> http_access deny all
> 
> In the above config i am hosting 2 website which is running in my LAN
> to publish outside using SSL proxy . Also in /etc/hosts i am making 2
> entries for this
> 
> 10.112.62.20    websiteA.mydomain.com   websiteA
> 10.112.143.112  mywebsite.mydomain.com  mywebsite
> 
> Let me know if you need any other help .
> 
> Regards,
> Sudhir Gupta
> On 10/11/07, Dwyer, Simon <[EMAIL PROTECTED]> wrote:
>> Ok I have worked out the first issue which was a firewall rule issue.
>>
>> The http version is working fine now but the https one is still having
>> issues.  This is what I am getting when browsing to it.
>>
>> ERROR
>> The requested URL could not be retrieved
>>
>> While trying to retrieve the URL: https:// /
>>
>> The following error was encountered:
>>
>>* Unable to forward this request at this time.
>>
>> This request could not be forwarded to the origin server or to any parent
>> caches. The most likely cause for this error is that:
>>
>>* The cache administrator does not allow this cache to make direct
>> connections to origin servers, and
>>* All configured parent caches are currently unreachable.
>>
>> Your cache administrator is [EMAIL PROTECTED]
>> Generated Thu, 11 Oct 2007 05:21:58 GMT by .federalit.net
>> (squid/2.6.STABLE10)
>>
>>
>>
>> -Original Message-
>> From: Dwyer, Simon
>> Sent: Thursday, 11 October 2007 4:13 PM
>> To: 'squid-users@squid-cache.org'
>> Subject: [squid-users] SSL Reverse Proxy
>>
>> Hi everyone,
>>
>> First time doing this so if I mess it up don't flame too much ☺
>>
>> I have an internal web server that needs to be reached from the outside
>> world.
>>
>> | Internal web server | <--> | Firewall | <--> | Squid Proxy | <--> |
>> Firewall | <--> Internet
>>
>> Between the web server and the proxy it will be standard http but from the
>> proxy to the internet it will be https.  I have purchased a cert for the
>> domain used and generated all the stuff needed on the squid server for that
>> using openssl.
>>
>> I think these are the two relevant lines in my config.
>>
>> https_port 443 accel cert=//cert.crt key=//key.key defaultsite= vhost
>>
>> cache_peer reports2.federalit.net parent 2002 0 no-query originserver
>> name=reports.federalit.net
>>
>> I know 2002 is a funny port but that's what the windows people have this
>> site running on.
>>
>> I also added the line
>>
>> http_port 80 accel defaultsite=reports.federalit.net vhost
>>
>> to see if I could get it working over just HTTP but that does the same
>> thing.
>>
>> It just sits there and times out very slowly...
>>
>> Any ideas would be great,
>>
>> Cheers,
>>
>> Simon Dwyer
>> Technology Services Group
>>


Re: [squid-users] SSL Reverse Proxy

2007-10-11 Thread Amos Jeffries

Shekhar Gupta wrote:

Hi Simon,

I am just sharing my config which I have done for my SSL Reverse
Proxy for one of the sites, which is hosted on port 80. One more thing
is I am running squid with the
-D option, which tells squid not to use DNS for name resolution; at the
same time I am making the entries in the /etc/hosts file for the site.

https_port 443 cert=/Path to Certificate/testcert.cert key=/Path to
Key/testkey.pem  defaultsite=mywebsite.mydomain.com vhost

cache_peer 10.112.62.20 parent 80 0 no-query originserver login=PASS
name=websiteA.mydomain.com
acl sites_server_1 dstdomain websiteA.mydomain.com
cache_peer_access websiteA.mydomain.com allow sites_server_1
cache_peer 10.112.143.112 parent 80 0 no-query originserver login=PASS
name=mywebsite.mydomain.com
acl sites_server_2 dstdomain mywebsite.mydomain.com
cache_peer_access mywebsite.mydomain.com allow sites_server_2
acl webserver dst 10.112.62.20 10.112.143.112
http_access allow webserver
http_access allow all
miss_access allow webserver
miss_access deny all


Try without this miss_access.

Also, try with general http(s) access permitted to the accelerated sites.

Amos


http_access allow manager localhost
http_access deny manager
http_access deny all

In the above config i am hosting 2 website which is running in my LAN
to publish outside using SSL proxy . Also in /etc/hosts i am making 2
entries for this

10.112.62.20    websiteA.mydomain.com   websiteA
10.112.143.112  mywebsite.mydomain.com  mywebsite

Let me know if you need any other help .

Regards,
Sudhir Gupta
On 10/11/07, Dwyer, Simon <[EMAIL PROTECTED]> wrote:

Ok I have worked out the first issue which was a firewall rule issue.

The http version is working fine now but the https one is still having
issues.  This is what I am getting when browsing to it.

ERROR
The requested URL could not be retrieved

While trying to retrieve the URL: https:// /

The following error was encountered:

   * Unable to forward this request at this time.

This request could not be forwarded to the origin server or to any parent
caches. The most likely cause for this error is that:

   * The cache administrator does not allow this cache to make direct
connections to origin servers, and
   * All configured parent caches are currently unreachable.

Your cache administrator is [EMAIL PROTECTED]
Generated Thu, 11 Oct 2007 05:21:58 GMT by .federalit.net
(squid/2.6.STABLE10)



-Original Message-
From: Dwyer, Simon
Sent: Thursday, 11 October 2007 4:13 PM
To: 'squid-users@squid-cache.org'
Subject: [squid-users] SSL Reverse Proxy

Hi everyone,

First time doing this so if I mess it up don't flame too much ☺

I have an internal web server that needs to be reached from the outside
world.

| Internal web server | <--> | Firewall | <--> | Squid Proxy | <--> |
Firewall | <--> Internet

Between the web server and the proxy it will be standard http but from the
proxy to the internet it will be https.  I have purchased a cert for the
domain used and generated all the stuff needed on the squid server for that
using openssl.

I think these are the two relevant lines in my config.

https_port 443 accel cert=//cert.crt key=//key.key defaultsite= vhost

cache_peer reports2.federalit.net parent 2002 0 no-query originserver
name=reports.federalit.net

I know 2002 is a funny port but that's what the windows people have this
site running on.

I also added the line

http_port 80 accel defaultsite=reports.federalit.net vhost

to see if I could get it working over just HTTP but that does the same
thing.

It just sits there and times out very slowly...

Any ideas would be great,

Cheers,

Simon Dwyer
Technology Services Group
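
The configs posted in this thread (the http_port/https_port plus cache_peer pair Michael Alger walked through above, and Shekhar's two-site accelerator that Amos suggested trimming) make the same handful of mistakes a linter can catch before Squid is restarted: a cache_peer_access that names a peer which does not exist, http_access allow all in an accelerator (which turns it into an open proxy for any Host a client names), rules left unreachable below it, and miss_access lines that block the very sites being published. The script below is an added example written for this page; it is not Squid code and not from any poster. It only understands the directives the posted configs use, treats all, manager and localhost as the ACLs Squid 3.2+ predefines (older releases declare them with acl lines), and runs on two constructed configs: a weak one modelled on the posted config and a hardened one that confines each site to its own origin.

```python
"""Lint a Squid accelerator (reverse-proxy) config for the mistakes in this thread.
Added example, not code from the Squid project or from anyone in the thread.  It
understands only the directives the posted configs use and ignores the rest."""
from collections import defaultdict

# ACL names Squid 3.2+ defines itself; older releases (2.6, 3.0) need explicit acl lines.
BUILTIN_ACLS = {"all", "manager", "localhost", "to_localhost"}

# Constructed sample, modelled on the two-site config posted above.
WEAK_CONF = """
https_port 443 accel cert=/etc/squid/cert.pem key=/etc/squid/key.pem defaultsite=mywebsite.mydomain.com vhost
cache_peer 10.112.62.20   parent 80 0 no-query originserver login=PASS name=websiteA
acl sites_server_1 dstdomain websiteA.mydomain.com
cache_peer_access websiteA allow sites_server_1
cache_peer 10.112.143.112 parent 80 0 no-query originserver login=PASS name=mywebsite
acl sites_server_2 dstdomain mywebsite.mydomain.com
cache_peer_access mywebsit allow sites_server_2      # typo: no such peer
acl webserver dst 10.112.62.20 10.112.143.112
http_access allow webserver
http_access allow all
miss_access allow webserver
miss_access deny all
http_access allow manager localhost
http_access deny manager
http_access deny all
"""

# The same two sites, with each request confined to the one origin that serves it.
HARDENED_CONF = """
https_port 443 accel cert=/etc/squid/cert.pem key=/etc/squid/key.pem defaultsite=mywebsite.mydomain.com vhost
cache_peer 10.112.62.20   parent 80 0 no-query originserver login=PASS name=websiteA
cache_peer 10.112.143.112 parent 80 0 no-query originserver login=PASS name=mywebsite
acl site_a dstdomain websiteA.mydomain.com
acl site_b dstdomain mywebsite.mydomain.com
cache_peer_access websiteA  allow site_a
cache_peer_access websiteA  deny  all
cache_peer_access mywebsite allow site_b
cache_peer_access mywebsite deny  all
http_access allow site_a
http_access allow site_b
http_access deny all
never_direct allow all
"""

def parse(conf):
    """Yield (directive, [args]) for each non-comment line."""
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = line.split()
            yield parts[0], parts[1:]

def split_opts(args):
    """Separate positional words from key=value options (cache_peer, *_port)."""
    words, kv = [], {}
    for a in args:
        if "=" in a:
            k, v = a.split("=", 1)
            kv[k] = v
        else:
            words.append(a)
    return words, kv

def lint(conf):
    """Return a list of (severity, message); severity is 'ERROR' or 'WARN'."""
    out, acls, peers, refs, dead = [], set(BUILTIN_ACLS), {}, defaultdict(int), False
    for directive, args in parse(conf):
        words, kv = split_opts(args)
        if directive in ("http_port", "https_port"):
            if directive == "https_port" and "cert" not in kv:
                out.append(("ERROR", f"https_port {words[0]}: no cert=, the listener cannot terminate TLS"))
            if "accel" in words and "defaultsite" not in kv and "vhost" not in words:
                out.append(("WARN", f"{directive} {words[0]}: accel without defaultsite= or vhost, Squid cannot build the origin URL"))
        elif directive == "cache_peer":
            name = kv.get("name", words[0])          # Squid uses the host as the name when name= is absent
            if name in peers:
                out.append(("ERROR", f"cache_peer {name}: duplicate peer name"))
            peers[name] = (words[0], words[2], "originserver" in words)
        elif directive == "acl":
            acls.add(words[0])
        elif directive == "cache_peer_access":
            peer, acl_names = args[0], args[2:]
            if peer not in peers:
                out.append(("ERROR", f"cache_peer_access {peer}: no cache_peer with that name (check name=)"))
            refs[peer] += 1
            out += [("ERROR", f"cache_peer_access {peer}: unknown acl {a}") for a in acl_names if a.lstrip("!") not in acls]
        elif directive == "http_access":
            action, acl_names = args[0], args[1:]
            if dead:
                out.append(("WARN", f"http_access {' '.join(args)}: unreachable, an earlier rule already matches every request"))
            out += [("ERROR", f"http_access: unknown acl {a}") for a in acl_names if a.lstrip("!") not in acls]
            if acl_names == ["all"]:
                if action == "allow":
                    out.append(("ERROR", "http_access allow all: the accelerator relays whatever Host the client "
                                         "names (open proxy); allow only a dstdomain acl of the accelerated sites"))
                dead = True
        elif directive == "miss_access":
            out.append(("WARN", f"miss_access {' '.join(args)}: in an accelerator nearly every request is a miss, "
                                "so a deny here blocks the published sites; remove it unless it is deliberate"))
    for name, (host, port, origin) in peers.items():
        if origin and len(peers) > 1 and refs[name] == 0:
            out.append(("WARN", f"cache_peer {name} ({host}:{port}): no cache_peer_access selects it, so every "
                                "peer is a candidate for every request"))
    return out

def errors(conf):
    """Only the findings that will break or expose the accelerator."""
    return [msg for sev, msg in lint(conf) if sev == "ERROR"]

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"== {label}: {len(lint(conf))} finding(s)")
        for sev, msg in lint(conf):
            print(f"  {sev}: {msg}")
```

Run it as a script to see the findings: the hardened config yields none, the weak one two errors (the misspelt peer and the open-proxy rule) plus the warnings. It checks squid.conf text only; whether the certificate files exist or the origins answer still has to be tested on the host.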





Re: [squid-users] SSL Reverse Proxy

2007-10-11 Thread Matus UHLAR - fantomas
On 11.10.07 16:22, Dwyer, Simon wrote:
> Ok I have worked out the first issue which was a firewall rule issue.
> 
> The http version is working fine now but the https one is still having
> issues.  This is what I am getting when browsing to it.
> 
> ERROR
> The requested URL could not be retrieved
> 
> While trying to retrieve the URL: https:// /

I guess there's something broken in your setup. 

> Between the web server and the proxy it will be standard http but from the
> proxy to the internet it will be https.

do you want users from outside to connect back to the net via https?

-- 
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
It's now safe to throw off your computer.


Re: [squid-users] SSL Reverse Proxy

2007-10-11 Thread Shekhar Gupta
Hi Simon,

I am just sharing my config which I have done for my SSL Reverse
Proxy for one of the sites, which is hosted on port 80. One more thing
is I am running squid with the
-D option, which tells squid not to use DNS for name resolution; at the
same time I am making the entries in the /etc/hosts file for the site.

https_port 443 cert=/Path to Certificate/testcert.cert key=/Path to
Key/testkey.pem  defaultsite=mywebsite.mydomain.com vhost

cache_peer 10.112.62.20 parent 80 0 no-query originserver login=PASS
name=websiteA.mydomain.com
acl sites_server_1 dstdomain websiteA.mydomain.com
cache_peer_access websiteA.mydomain.com allow sites_server_1
cache_peer 10.112.143.112 parent 80 0 no-query originserver login=PASS
name=mywebsite.mydomain.com
acl sites_server_2 dstdomain mywebsite.mydomain.com
cache_peer_access mywebsite.mydomain.com allow sites_server_2
acl webserver dst 10.112.62.20 10.112.143.112
http_access allow webserver
http_access allow all
miss_access allow webserver
miss_access deny all
http_access allow manager localhost
http_access deny manager
http_access deny all

In the above config i am hosting 2 website which is running in my LAN
to publish outside using SSL proxy . Also in /etc/hosts i am making 2
entries for this

10.112.62.20    websiteA.mydomain.com   websiteA
10.112.143.112  mywebsite.mydomain.com  mywebsite

Let me know if you need any other help .

Regards,
Sudhir Gupta
On 10/11/07, Dwyer, Simon <[EMAIL PROTECTED]> wrote:
> Ok I have worked out the first issue which was a firewall rule issue.
>
> The http version is working fine now but the https one is still having
> issues.  This is what I am getting when browsing to it.
>
> ERROR
> The requested URL could not be retrieved
>
> While trying to retrieve the URL: https:// /
>
> The following error was encountered:
>
>* Unable to forward this request at this time.
>
> This request could not be forwarded to the origin server or to any parent
> caches. The most likely cause for this error is that:
>
>* The cache administrator does not allow this cache to make direct
> connections to origin servers, and
>* All configured parent caches are currently unreachable.
>
> Your cache administrator is [EMAIL PROTECTED]
> Generated Thu, 11 Oct 2007 05:21:58 GMT by .federalit.net
> (squid/2.6.STABLE10)
>
>
>
> -Original Message-
> From: Dwyer, Simon
> Sent: Thursday, 11 October 2007 4:13 PM
> To: 'squid-users@squid-cache.org'
> Subject: [squid-users] SSL Reverse Proxy
>
> Hi everyone,
>
> First time doing this so if I mess it up don't flame too much ☺
>
> I have an internal web server that needs to be reached from the outside
> world.
>
> | Internal web server | <--> | Firewall | <--> | Squid Proxy | <--> |
> Firewall | <--> Internet
>
> Between the web server and the proxy it will be standard http but from the
> proxy to the internet it will be https.  I have purchased a cert for the
> domain used and generated all the stuff needed on the squid server for that
> using openssl.
>
> I think these are the two relevant lines in my config.
>
> https_port 443 accel cert=//cert.crt key=//key.key defaultsite= vhost
>
> cache_peer reports2.federalit.net parent 2002 0 no-query originserver
> name=reports.federalit.net
>
> I know 2002 is a funny port but that's what the windows people have this
> site running on.
>
> I also added the line
>
> http_port 80 accel defaultsite=reports.federalit.net vhost
>
> to see if I could get it working over just HTTP but that does the same
> thing.
>
> It just sits there and times out very slowly...
>
> Any ideas would be great,
>
> Cheers,
>
> Simon Dwyer
> Technology Services Group
>


RE: [squid-users] SSL Reverse Proxy

2007-10-10 Thread Dwyer, Simon
Ok I have worked out the first issue which was a firewall rule issue.

The http version is working fine now but the https one is still having
issues.  This is what I am getting when browsing to it.

ERROR
The requested URL could not be retrieved

While trying to retrieve the URL: https:// /

The following error was encountered:

* Unable to forward this request at this time. 

This request could not be forwarded to the origin server or to any parent
caches. The most likely cause for this error is that:

* The cache administrator does not allow this cache to make direct
connections to origin servers, and
* All configured parent caches are currently unreachable. 

Your cache administrator is [EMAIL PROTECTED]
Generated Thu, 11 Oct 2007 05:21:58 GMT by .federalit.net
(squid/2.6.STABLE10)



-Original Message-
From: Dwyer, Simon 
Sent: Thursday, 11 October 2007 4:13 PM
To: 'squid-users@squid-cache.org'
Subject: [squid-users] SSL Reverse Proxy

Hi everyone,

First time doing this so if I mess it up don’t flame too much ☺

I have an internal web server that needs to be reached from the outside
world.  

| Internal web server | <--> | Firewall | <--> | Squid Proxy | <--> |
Firewall | <--> Internet

Between the web server and the proxy it will be standard http but from the
proxy to the internet it will be https.  I have purchased a cert for the
domain used and generated all the stuff needed on the squid server for that
using openssl.

I think these are the two relevant lines in my config.

https_port 443 accel cert=//cert.crt key=//key.key defaultsite= vhost

cache_peer reports2.federalit.net parent 2002 0 no-query originserver
name=reports.federalit.net

I know 2002 is a funny port but that’s what the windows people have this
site running on.

I also added the line 

http_port 80 accel defaultsite=reports.federalit.net vhost

to see if I could get it working over just HTTP but that does the same
thing. 

It just sits there and times out very slowly...

Any ideas would be great,

Cheers,

Simon Dwyer
Technology Services Group


[squid-users] SSL Reverse Proxy

2007-10-10 Thread Dwyer, Simon
Hi everyone,

First time doing this so if I mess it up don’t flame too much ☺

I have an internal web server that needs to be reached from the outside
world.  

| Internal web server | <--> | Firewall | <--> | Squid Proxy | <--> |
Firewall | <--> Internet

Between the web server and the proxy it will be standard http but from the
proxy to the internet it will be https.  I have purchased a cert for the
domain used and generated all the stuff needed on the squid server for that
using openssl.

I think these are the two relevant lines in my config.

https_port 443 accel cert=//cert.crt key=//key.key defaultsite= vhost

cache_peer reports2.federalit.net parent 2002 0 no-query originserver
name=reports.federalit.net

I know 2002 is a funny port but that’s what the windows people have this
site running on.

I also added the line 

http_port 80 accel defaultsite=reports.federalit.net vhost

to see if I could get it working over just HTTP but that does the same
thing. 

It just sits there and times out very slowly...

Any ideas would be great,

Cheers,

Simon Dwyer
Technology Services Group


Re: [squid-users] SSL Reverse Proxy

2007-07-08 Thread Henrik Nordstrom
tor 2007-07-05 klockan 11:03 +0200 skrev Paulo Andre:

> Is it possible or viable to have a Squid server running as a reverse 
> proxy with one SSL cert to different webservers?

> As an example if you browse https://url.squidserver/webserver1 then it 
> would display contents from "webserver1" encrypted, and 
> https://url.squidserver/webserver2 from webserver2.

Yes, that's possible, but it works best if the content actually is in such
unique directories on the web servers, making each web server capable of
accepting its part of the url.squidserver URL namespace as if it were
the server on the Internet for that request (i.e. the proxy not needing to
rewrite stuff).

It's possible even with rewrites, but the internal URLs might leak and
additionally there will be problems with any absolute links in the
content..

Regards
Henrik




[squid-users] SSL Reverse Proxy

2007-07-05 Thread Paulo Andre
We have multiple windows webservers that are available to the WWW. On 
all the servers we have different SSL certs for various apps.


Is it possible or viable to have a Squid server running as a reverse 
proxy with one SSL cert to different webservers?
As an example if you browse https://url.squidserver/webserver1 then it 
would display contents from "webserver1" encrypted, and 
https://url.squidserver/webserver2 from webserver2.


I would rather have one SSL cert for all our apps on various 
servers.

Hope this makes sense.


Paulo


Re: [squid-users] ssl reverse proxy self signed cert

2007-03-22 Thread Peter Meier

Hi

Thanks for your answer. Unfortunately it took me some time to try it out.


Maybe I understood something wrong, but I'm trying to do the following
setup with squid 2.6.STABLE7 and couldn't find anything related to my
errors and problems:

wished setup:
client --ssl (cacert signed)--> squid (reverse) --ssl (selfsigned)--> apache


When using self-signed certificates you need to either add the
certificate as a ca for the cache_peer, or tell Squid to not verify the
certificate of the peer at all.


This I thought so; however, it wasn't clear to me that a host accessed  
over a reverse proxy is also a peer.



Well, for me it is clear that squid cannot verify the cert as it is
self-signed. However, I'd like to tell squid that it should accept this
cert, not try to verify it or whatever, to make it possible to use it. But I
couldn't find such an option for the https_port option.


It's the cache_peer option you need to look at..


with the following line

cache_peer $ip parent 443 0 ssl no-query originserver  
sslflags=DONT_VERIFY_PEER


and

sslproxy_flags DONT_VERIFY_PEER
(hint from here:  
http://www1.uk.squid-cache.org/mail-archive/squid-users/200611/0038.html  
)


it is now working like i wanted it. :)

thanks! and greetings pete


Re: [squid-users] ssl reverse proxy self signed cert

2007-03-20 Thread Henrik Nordstrom
fre 2007-03-09 klockan 15:59 +0100 skrev Peter Meier:
> Hi
> 
> Maybe I understood something wrong, but I'm trying to do the following
> setup with squid 2.6.STABLE7 and couldn't find anything related to my
> errors and problems:
> 
> wished setup:
> client --ssl (cacert signed)--> squid (reverse) --ssl (selfsigned)--> apache

When using self-signed certificates you need to either add the
certificate as a ca for the cache_peer, or tell Squid to not verify the
certificate of the peer at all.


> Well, for me it is clear that squid cannot verify the cert as it is
> self-signed. However, I'd like to tell squid that it should accept this
> cert, not try to verify it or whatever, to make it possible to use it. But I
> couldn't find such an option for the https_port option.

It's the cache_peer option you need to look at..

Regards
Henrik




[squid-users] ssl reverse proxy self signed cert

2007-03-09 Thread Peter Meier

Hi

Maybe I understood something wrong, but I'm trying to do the following
setup with squid 2.6.STABLE7 and couldn't find anything related to my
errors and problems:

wished setup:
client --ssl (cacert signed)--> squid (reverse) --ssl (selfsigned)--> apache

However, I always get the squid error page with:

"(71) protocol error"

and that the connection to the apache couldn't be established.

while accessing this setup with the browser. In the squid cache.log I
get this error several times:

2007/03/09 13:39:43| SSL unknown certificate error 18 in
/C=CH/ST=Some-State/L=World/O=foo/OU=bar/CN=some.host.com/[EMAIL PROTECTED]
2007/03/09 13:39:43| fwdNegotiateSSL: Error negotiating SSL connection
on FD 15: error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)

However, if I use on the apache the cacert-signed cert as I have it on
the reverse squid host, it works perfectly and I can access the sites
through the squid.
so this setup works:
client --ssl (cacert signed)--> squid (reverse) --ssl (cacert signed
(same cert))--> apache

(except this error in cache.log:
2007/03/09 13:41:53| fwdNegotiateSSL: Error negotiating SSL connection
on FD 16: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown
protocol (1/-1/0)
)

To create the self-signed cert I used:
openssl req -new -newkey rsa:1024 -nodes -x509 -keyout foo_key.pem
-out foo.pem -days 3600
and accessing this directly is no problem except the normal warning
due to the self-signed cert. So https works with that cert on apache.

Well, for me it is clear that squid cannot verify the cert as it is
self-signed. However, I'd like to tell squid that it should accept this
cert, not try to verify it or whatever, to make it possible to use it. But I
couldn't find such an option for the https_port option.

I also tried to make an own CA and then use a cert signed by this and
add the own CA cert to the https_port with the cafile=/path/ option.
However this changes only the unknown ssl error from 18 to 20.

For me also the following setup would work:
client --ssl (cacert signed)--> squid (reverse) ---http--> apache
by using the protocol=http option, which is also working.

However, this makes it impossible to have different sites served by
https or http, and it also makes the site that should be https-only
accessible by http-only. If I could change this behaviour with any
other options/tricks this would be nice.

As I mentioned at the beginning it might be that I understood reverse,
https and certs wrong. However in my opinion the first wished setup
should work and I only have that problem of self signed certs. Is it
possible to avoid this problem, and use a different (self signed) cert
on the apache?

Thanks for your answers and greets, pete

PS: please CC me, as I'm currently not on the list, so I get the mails
anyway until I have subscribed. Thanks.
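
The two cache.log lines in this post, "SSL unknown certificate error 18" (which became 20 once a cafile= was added to https_port, the listener option that governs client certificates, not the peer) and the "certificate verify failed" handshake error, are OpenSSL verify results, and each one points at a specific fix that keeps peer verification switched on. The script below is an added example for this page, not Squid's code: it parses cache.log for these two line shapes, maps the X509_V_ERR_* number and the 8-hex-digit OpenSSL reason code to their names, and says which squid.conf change addresses the cause (sslcafile= and ssldomain= on the cache_peer line, as the options were spelled in Squid 2.6/3.x; later releases renamed them, so check the cache_peer documentation for your version). The log sample is constructed, modelled on the lines quoted above.

```python
"""Triage Squid cache.log TLS failures against an ssl cache_peer (added example, not Squid code)."""
import re
from collections import namedtuple

# OpenSSL X509_V_ERR_* codes as they appear in "SSL unknown certificate error N".
X509_ERRORS = {
    2:  ("UNABLE_TO_GET_ISSUER_CERT", "issuer of the peer certificate is not in Squid's trust store: add the CA with sslcafile= or sslcapath= on the cache_peer line"),
    7:  ("CERT_SIGNATURE_FAILURE", "signature on the peer certificate does not verify: the certificate or the CA given to sslcafile= is wrong"),
    9:  ("CERT_NOT_YET_VALID", "peer certificate is not yet valid: check the clock on the Squid host"),
    10: ("CERT_HAS_EXPIRED", "peer certificate has expired: renew it on the origin"),
    18: ("DEPTH_ZERO_SELF_SIGNED_CERT", "origin presents a self-signed certificate: put that certificate itself (PEM) in sslcafile= on its cache_peer line; cafile= on https_port is for client certificates and does not help"),
    19: ("SELF_SIGNED_CERT_IN_CHAIN", "chain ends in a private root Squid does not trust: add that root with sslcafile= on the cache_peer line"),
    20: ("UNABLE_TO_GET_ISSUER_CERT_LOCALLY", "leaf is signed by a CA Squid cannot find: add the issuing (intermediate) CA with sslcafile= on the cache_peer line"),
    21: ("UNABLE_TO_VERIFY_LEAF_SIGNATURE", "origin sends no intermediate certificate: fix the chain on the origin or add the intermediate with sslcafile="),
    27: ("CERT_UNTRUSTED", "CA is known but not trusted for this purpose: check the CA certificate's key usage / purpose"),
    62: ("HOSTNAME_MISMATCH", "certificate is for another name: set ssldomain= on the cache_peer line to the name the certificate carries, or reissue it"),
}

# Library-level OpenSSL reason codes seen on fwdNegotiateSSL lines.
SSL_ERRORS = {
    "14090086": "certificate verify failed: the real cause is the 'SSL unknown certificate error' line logged just before this one",
    "140770FC": "peer answered with something that is not TLS: the cache_peer port is a plain-HTTP port, remove the ssl flag or point it at the HTTPS port",
}

CERT_RE = re.compile(r"^(\S+ \S+)\| SSL unknown certificate error (\d+) in (.+)$")
NEG_RE = re.compile(r"^(\S+ \S+)\| fwdNegotiateSSL: Error negotiating SSL connection on FD (\d+): error:([0-9A-Fa-f]{8}):")

Finding = namedtuple("Finding", "when kind code where advice")

def triage(cache_log):
    """Return one Finding per recognised TLS failure line; other lines are ignored."""
    findings = []
    for line in cache_log.splitlines():
        m = CERT_RE.match(line)
        if m:
            code = int(m.group(2))
            name, advice = X509_ERRORS.get(code, (f"X509_V_ERR_{code}",
                "look the code up in OpenSSL's x509_vfy.h; do not paper over it with sslflags=DONT_VERIFY_PEER"))
            findings.append(Finding(m.group(1), "verify", name, m.group(3), advice))
            continue
        m = NEG_RE.match(line)
        if m:
            code = m.group(3).upper()
            advice = SSL_ERRORS.get(code, f"unknown reason code; run `openssl errstr {code}`")
            findings.append(Finding(m.group(1), "handshake", code, "FD " + m.group(2), advice))
    return findings

# Constructed sample, modelled on the cache.log lines quoted in the post above.
SAMPLE_LOG = """\
2007/03/09 13:39:43| SSL unknown certificate error 18 in /C=CH/ST=Some-State/O=foo/CN=some.host.com
2007/03/09 13:39:43| fwdNegotiateSSL: Error negotiating SSL connection on FD 15: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)
2007/03/09 13:41:53| fwdNegotiateSSL: Error negotiating SSL connection on FD 16: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol (1/-1/0)
2007/03/09 13:45:02| SSL unknown certificate error 20 in /C=CH/ST=Some-State/O=foo/CN=some.host.com
2007/03/09 13:50:11| storeDirWriteCleanLogs: Starting...
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.when} {f.kind:9} {f.code:34} {f.where}\n    -> {f.advice}")
```

Feed it a real cache.log (`python3 triage.py < /var/log/squid/cache.log` after swapping SAMPLE_LOG for sys.stdin.read()) and read the verify findings first; the handshake line that follows each of them only restates that verification failed.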



RE: [squid-users] SSL reverse-proxy questions (was "redirect")

2005-05-26 Thread Henrik Nordstrom

On Mon, 23 May 2005, Discussion Lists wrote:


Okay, I'll just start over.  First of all, I should never have used the
term "redirect". That is more of a firewall term, and it should have
been left out.  All I want to do is reverse-proxy SSL connections,
hopefully several of them.  Each time you set up one of these
connections, you have to add in a line similar to below into squid.conf:

"https_port 443 cert=/path/to/cert.cert key=/path/to/key.key accel
your.site.name protocol http"


For squid-3 you would use something like the above yes. Correct syntax is

https_port 443 cert=/path/to/cert.cert key=/path/to/key.key accel 
defaultsite=your.site.name protocol=http

in addition you need to specify the server(s) to connect to

cache_peer address.of.server 80 0 no-query originserver
or for an https server
cache_peer address.of.server 443 0 no-query originserver ssl

and when you have multiple sites use cache_peer_access (or 
cache_peer_domain) to indicate what requests should be sent to each 
server.



In Squid-2.5 the situation is somewhat different, and the support for 
accelerating more than one site is not as easy to configure. There is no 
options to https_port other than the certificate info and you instead use 
the httpd_accel_* directives to control reverse proxy function. Depending 
on your servers you may be able to use the cache_peer based forwarding 
outlined above in combination with never_direct but not to all servers and 
not very efficiently (no support for persistent connections in such 
accelerator configuration of 2.5). The more efficient method for Squid-2.5 
is to specify the server addresses in /etc/hosts or a private DNS.


In both cases you need to set up access controls indicating which domains 
are allowed to be requested via the accelerator / reverse proxy. This is 
similar to the client based access controls in a normal proxy but using 
the dstdomain acl instead of src.


acl mydomains dstdomain accelerated.domain1 accelerated.domain2 ...
acl http protocol http https
acl httpport port 80 443
http_access allow mydomains http httpport
http_access deny all


This will reverse-proxy any request for "your.site.name" from what I
understand.  But that is just one site.  Suppose I have another site
that I want available for SSL?  Could I just add another line similar to
the above, but for the second, third or more sites?


You add as many as you have sites. Each certificate needs to specify a 
unique [ip:]port. Or in other words, as you normally run https sites on 
port 443, each site needs its own IP. The exception is if you have a 
wildcard certificate covering all/several of the sites. These can then 
share the same https_port as they share the same certificate.



Okay here's the second question.  The above line is an example of how to
reverse-proxy from SSL to http, or port 443, to port 80 right?  Now,
suppose I want to reverse-proxy several SSL connections, similar to
above, but instead of changing from SSL to http, (443 -> 80 as above) I
am reverse-proxying straight SSL (443 -> 443).


If you want straight SSL where the SSL is between the browser and the 
server then you need to publish the server port directly to the client, 
either by direct connection, NAT or TCP plug.


Squid(3) can act as an https proxy, decrypting the requests and then 
re-encrypting them again. You do this by not specifying 
protocol=http on the https_port line (or specifying protocol=https) and use 
the ssl option to cache_peer.


Squid-2.5 as shipped does not have https proxy capabilities, but support 
can be added by the SSL update patch available from devel.squid-cache.org. 
The support in reverse-proxy mode is however somewhat limited and you in 
practice must use the cache_peer forwarding method described above.



Is this possible for multiple sites?


Yes.

If it is, is there some way that I could make it so I would not need a 
certificate on the firewall for each connection and just have the 
backend server handle certificate requests?


Yes, but not by using Squid. See above.


Lastly, I found information on the internet about how to create your own
certificates, but nothing about how to import them from somewhere else.
Anyone know of any tutorials that deal with this?


You need to find methods to export them from your servers into PEM format.

If the servers are already using PEM format certificate files (for example 
Apache mod_ssl) then all you need is to copy the certificate+key over to 
your Squid.


If the servers use some other format for their exported certificates you 
need to find a way to convert them to PEM format. Some servers export 
certificates in DER format and you then convert them using the openssl 
tool. Some, such as IIS, have their own formats. If you look for guides on 
how to move the certificate from the type of server you have to Apache 
mod_ssl then you should find the required steps. The certificate 
requirements for mod_ssl and Squid are the same (as they are for most other 
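
Henrik's rule above, one certificate per ip:port unless a single wildcard certificate covers several sites, follows from how a client checks the name in the certificate it is handed. The Python below is an added example for this page, not Squid code: it implements the browser-style name match (case-insensitive; the SAN list is authoritative when present; "*" honoured only as the whole leftmost label, standing for exactly one label) and uses it to group a list of accelerated sites into the https_port lines they need, one listener address per certificate in use. Certificates are described as dicts with cn and san (constructed, not read from PEM files), the listener addresses come from the 192.0.2.0/24 documentation range, and each cert= file is assumed to be a combined certificate-plus-key PEM, which is why no key= is emitted.

```python
"""Which accelerated sites can share one https_port?  Added example, not Squid code.
Certificates are described as dicts (constructed), not parsed from PEM files."""

def name_matches(pattern, host):
    """Match one certificate name against a requested host the way browsers do
    (RFC 6125): case-insensitive, and '*' is honoured only as the entire leftmost
    label, where it stands for exactly one label.  So *.example.org covers
    www.example.org but neither example.org nor a.b.example.org, and patterns
    such as w*.example.org or *.org are refused."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p, h = pattern.split("."), host.split(".")
    if p[0] != "*" or any("*" in label for label in p[1:]) or len(p) < 3:
        return False
    return len(p) == len(h) and p[1:] == h[1:]

def cert_covers(cert, host):
    """cert = {"file": path, "cn": subject CN, "san": [DNS names]}.  When a SAN
    list is present it is authoritative and the CN is ignored."""
    names = cert["san"] or [cert["cn"]]
    return any(name_matches(n, host) for n in names)

def plan_listeners(certs, sites, addresses, port=443):
    """Give each site to the first certificate covering it, then emit one https_port
    per certificate in use.  Without SNI a listener can present one certificate
    only, so each certificate needs its own address:port; sites that no certificate
    covers are returned rather than served under a name the client will reject."""
    by_cert, uncovered = {}, []
    for site in sites:
        for cert in certs:
            if cert_covers(cert, site):
                by_cert.setdefault(cert["file"], []).append(site)
                break
        else:
            uncovered.append(site)
    if len(by_cert) > len(addresses):
        raise ValueError(f"{len(by_cert)} certificates in use but only {len(addresses)} listener addresses")
    lines = []
    for addr, (cert_file, hosts) in zip(addresses, by_cert.items()):
        # cert= is assumed to hold certificate and key in one PEM, so no key= is given
        lines.append(f"https_port {addr}:{port} accel defaultsite={hosts[0]} vhost cert={cert_file}")
    return lines, uncovered

# Constructed inputs: a wildcard certificate for example.org and a single-name
# certificate for an internal host; 192.0.2.0/24 is the documentation range.
CERTS = [
    {"file": "/etc/squid/wildcard.example.org.pem", "cn": "*.example.org",
     "san": ["*.example.org", "example.org"]},
    {"file": "/etc/squid/webmail.example.local.pem", "cn": "webmail.example.local", "san": []},
]
SITES = ["www.example.org", "mail.example.org", "example.org",
         "webmail.example.local", "deep.sub.example.org"]
ADDRESSES = ["192.0.2.10", "192.0.2.11"]

if __name__ == "__main__":
    lines, left = plan_listeners(CERTS, SITES, ADDRESSES)
    print("\n".join(lines))
    for site in left:
        print(f"# {site}: no certificate covers this name; it needs its own certificate and address")
```

With the constructed inputs the wildcard certificate takes three sites on the first address, the internal certificate takes webmail on the second, and deep.sub.example.org is reported as uncovered because a single-label wildcard does not reach two labels down.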

RE: [squid-users] SSL reverse-proxy questions (was "redirect")

2005-05-23 Thread Discussion Lists
Okay, I'll just start over.  First of all, I should never have used the
term "redirect". That is more of a firewall term, and it should have
been left out.  All I want to do is reverse-proxy SSL connections,
hopefully several of them.  Each time you set up one of these
connections, you have to add in a line similar to below into squid.conf:

"https_port 443 cert=/path/to/cert.cert key=/path/to/key.key accel
your.site.name protocol http"

This will reverse-proxy any request for "your.site.name" from what I
understand.  But that is just one site.  Suppose I have another site
that I want available for SSL?  Could I just add another line similar to
the above, but for the second, third or more sites?

Okay here's the second question.  The above line is an example of how to
reverse-proxy from SSL to http, or port 443, to port 80 right?  Now,
suppose I want to reverse-proxy several SSL connections, similar to
above, but instead of changing from SSL to http, (443 -> 80 as above) I
am reverse-proxying straight SSL (443 -> 443).  Is this possible for
multiple sites?  If it is, is there some way that I could make it so I
would not need a certificate on the firewall for each connection and
just have the backend server handle certificate requests?

Lastly, I found information on the internet about how to create your own
certificates, but nothing about how to import them from somewhere else.
Anyone know of any tutorials that deal with this?

Thanks,
Mark

> -Original Message-
> From: Matus UHLAR - fantomas [mailto:[EMAIL PROTECTED] 
> Sent: Monday, May 23, 2005 2:55 AM
> To: squid-users@squid-cache.org
> Subject: Re: [squid-users] SSL redirect questions
> 
> 
> On 22.05 12:35, Discussion Lists wrote:
> > I have some general questions about reverse-proxying SSL.
> > 
> > 1. What is the best way to do it using Squid:
> > a. Do a straight redirect from port 443 to port 443 from server to
> > server with no certificate presented from the firewall, but rather
> > from the server that the connection is redirected to (is this even
> > possible with Squid?).
> > b. Redirect port 443 to port 80 on the destination server(s), and use
> > the firewall to present each of the certificates.
> 
> Are you talking about reverse-proxying or redirecting?
> When reverse proxying, you do not redirect anything. If 
> redirecting, you do not care about certificates.
> 
> What I understand under "reverse ssl proxy" is that squid 
> listens for SSL requests on port 443 and forwards plain HTTP 
> requests to HTTP server.
> 
> There is of course a possibility to forward https requests with 
> different key/certificate, but it has meaning only in some 
> special cases.
> 
> > 2. If the answer is B, I have several backend SSL servers, all of 
> > which I want to redirect connections to.
> 
> Why? Why do you want to push one level of servers before backends?
> 
> > This is an aspect of proxying/reverse-proxying where my knowledge is 
> > weak, maybe some of you have some suggestions.
> 
> I do not understand why you need reverse proxying at all...
> -- 
> Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu 
> postu. Your mouse has moved. Windows NT will now restart for 
> changes to take effect. [OK]
> 


Re: [squid-users] SSL Reverse Proxy to Exchange 2003 OWA - SQUID just shutsdown by itself.

2005-01-24 Thread Rakesh Kumar
> 1. No idea. Can be anything from a bug in Squid to a configuration error

I am using the same configuration that I used with Squid-3-PRE3. The
mail and mailbox opened perfectly ok except that Squid process was stopping
after getting 16-17 error messages - "clientNegotiateSSL: Error negotiating
SSL connection on FD 12: error::lib(0):func(0):reason(0) (5/0)"

> Anything in cache.log?

cache.log entries I had sent yesterday

> What does access.log say?

access.log entries I had sent yesterday

> And what URL did you request in your browser?

default site - mail.xyz.om

Any suggestion..

Thanks & regards,

Rakesh Jha

- Original Message - 
From: "Henrik Nordstrom" <[EMAIL PROTECTED]>
To: "Rakesh Kumar" <[EMAIL PROTECTED]>
Cc: "Henrik Nordstrom" <[EMAIL PROTECTED]>; "Squid Users"

Sent: Thursday, January 20, 2005 01:20 AM
Subject: Re: [squid-users] SSL Reverse Proxy to Exchange 2003 OWA - SQUID
just shutsdown by itself.


>
>
> On Sun, 16 Jan 2005, Rakesh Kumar wrote:
>
> > I have installed now Squid-3.0-PRE3-20050111. Now squid process seems
> > to be stable as I have not restarted for last 4-5 days but facing another
> > problem, now opening a box or a mail takes very long time (may be 10
> > minutes). We keep on seeing 'Loading' on the screen.
> > What is the problem
>
> No idea. Can be anything from a bug in Squid to a configuration error.
> Anything in cache.log?
>
> What does access.log say?
>
> And what URL did you request in your browser?
>
> Regards
> Henrik
>



##
Attention: 
This e-mail message is privileged and confidential. If you are not the 
intended recipient please delete the message and notify the sender. 
Any views or opinions presented are solely those of the author.
##


Re: [squid-users] SSL Reverse Proxy to Exchange 2003 OWA - SQUID just shutsdown by itself.

2005-01-24 Thread Rakesh Kumar

- Original Message - 
From: "Henrik Nordstrom" <[EMAIL PROTECTED]>
To: "Rakesh Kumar" <[EMAIL PROTECTED]>
Cc: "Henrik Nordstrom" <[EMAIL PROTECTED]>; "Squid Users"

Sent: Thursday, January 20, 2005 01:20 AM
Subject: Re: [squid-users] SSL Reverse Proxy to Exchange 2003 OWA - SQUID
just shutsdown by itself.


>
>
> On Sun, 16 Jan 2005, Rakesh Kumar wrote:
>
> > I have installed now Squid-3.0-PRE3-20050111. Now squid process seems
> > to be stable as I have not restarted for last 4-5 days but facing another
> > problem, now opening a box or a mail takes very long time (may be 10
> > minutes). We keep on seeing 'Loading' on the screen.
> > What is the problem
>
> No idea. Can be anything from a bug in Squid to a configuration error.
>
> Anything in cache.log?

Nothing in cache.log.

> What does access.log say?

I am attaching access.log.

> And what URL did you request in your browser?

https://mail.xyz.com

> Regards
> Henrik
>

Sometimes mail boxes are opened quickly and at other times they will not
open even after 10 min. Like once a mailbox opened after 15 min of wait.

ACCESS.LOG Entries---
*When inbox opened successfully and a mail content is displayed*

1106564515.881 31 168.187.x.y TCP_MISS/401 391 GET http://mail.xyz.com/ - FIRST_UP_PARENT/mail.xyz.com text/html
1106564527.505 36 168.187.x.y TCP_MISS/200 1535 GET http://mail.xyz.com/ - FIRST_UP_PARENT/mail.xyz.com text/html
1106564530.637 2015 168.187.x.y TCP_MISS/200 24495 GET http://mail.xyz.com/rakesh/? - FIRST_UP_PARENT/mail.xyz.com text/html
1106564534.751 4529 168.187.x.y TCP_MISS/200 20264 GET http://mail.xyz.com/rakesh/Inbox/? - FIRST_UP_PARENT/mail.xyz.com text/html
1106564539.483 11 168.187.x.y TCP_MISS/200 11990 GET http://mail.xyz.com/exchweb/6.5.7226.0/controls/tf_Messages.xsl - FIRST_UP_PARENT/mail.xyz.com text/xml
1106564543.217 880 168.187.x.y TCP_MISS/207 13590 SEARCH http://mail.xyz.com/rakesh/Inbox/ - FIRST_UP_PARENT/mail.xyz.com text/xml
1106564546.507 24 168.187.x.y TCP_MISS/200 430 SUBSCRIBE http://mail.xyz.com/rakesh/Calendar - FIRST_UP_PARENT/mail.xyz.com -
1106564546.642 15 168.187.x.y TCP_MISS/200 427 SUBSCRIBE http://mail.xyz.com/rakesh/Tasks - FIRST_UP_PARENT/mail.xyz.com -
1106564547.567 605 168.187.x.y TCP_MISS/207 424 SEARCH http://mail.xyz.com/rakesh/Calendar - FIRST_UP_PARENT/mail.xyz.com text/xml
1106564547.783 338 168.187.x.y TCP_MISS/207 424 SEARCH http://mail.xyz.com/rakesh/Tasks - FIRST_UP_PARENT/mail.xyz.com text/xml
1106564547.973 34 168.187.x.y TCP_MISS/200 8512 GET http://mail.xyz.com/rakesh/Inbox/RE:-116.EML? - FIRST_UP_PARENT/mail.xyz.com text/html
1106564597.865 6 168.187.x.y TCP_MISS/200 475 SUBSCRIBE http://mail.xyz.com/rakesh/Inbox - FIRST_UP_PARENT/mail.xyz.com -



*Mail box ipool & IT-sec did not open, loading on screen kept displaying*

1106564635.216 83 168.187.x.y TCP_MISS/207 809 PROPFIND http://mail.xyz.com/rakesh/ipool/ - FIRST_UP_PARENT/mail.xyz.com text/xml
1106564635.452 1039 168.187.x.y TCP_MISS/200 19856 GET http://mail.xyz.com/rakesh/ipool/? - FIRST_UP_PARENT/mail.xyz.com text/html
1106564637.535 81 168.187.x.y TCP_MISS/207 795 BPROPPATCH http://mail.xyz.com/rakesh/ - FIRST_UP_PARENT/mail.xyz.com text/xml
1106564719.196 6 168.187.x.y TCP_MISS/207 567 POLL http://mail.xyz.com/rakesh/Inbox - FIRST_UP_PARENT/mail.xyz.com text/xml


1106564793.252 24 168.187.x.y TCP_MISS/207 812 PROPFIND http://mail.xyz.com/rakesh/IT-Sec/ - FIRST_UP_PARENT/mail.xyz.com text/xml
1106564840.064 7 168.187.x.y TCP_MISS/207 567 POLL http://mail.xyz.com/rakesh/Inbox - FIRST_UP_PARENT/mail.xyz.com text/xml
1106564959.217 5 168.187.x.y TCP_MISS/207 567 POLL http://mail.xyz.com/rakesh/Inbox - FIRST_UP_PARENT/mail.xyz.com text/xml
1106565079.203 4 168.187.x.y TCP_MISS/207 567 POLL http://mail.xyz.com/rakesh/Inbox - FIRST_UP_PARENT/mail.xyz.com text/xml


***After above mail box nokia opened successfully and mail is displayed

1106565101.240 7 168.187.x.y TCP_MISS/207 816 PROPFIND http://mail.xyz.com/rakesh/nokia/ - FIRST_UP_PARENT/mail.xyz.com text/xml
1106565102.725 1680 168.187.x.y TCP_MISS/200 19865 GET http://mail.xyz.com/rakesh/nokia/? - FIRST_UP_PARENT/mail.xyz.com text/html
1106565105.846 575 168.187.x.y TCP_MISS/200 11057 GET http://mail.xyz.com/exchweb/6.5.7226.0/controls/tf_TwoLine.xsl - FIRST_UP_PARENT/mail.xyz.com text/xml
1106565108.307 348 168.187.x.y TCP_MISS/207 6168 SEARCH http://mail.xyz.com/rakesh/nokia/ - FIRST_UP_PARENT/mail.xyz.com text/xml
1106565110.620 20 168.187.x.y TCP_MISS/200 6326 GET http://mail.xyz.com/rakesh/nokia/[UserCenter]%20Your%20Password-3.EML? - FIRST_UP_PARENT/mail.xyz.com text/html


***Again now this mail box PRG did not 
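Henrik's question "What does access.log say?" is answered by reading the entries Rakesh posted systematically. The following is an added example, not code from the thread or from the Squid project: it parses Squid's native access.log format, summarises latency per OWA folder, flags slow requests, and checks that every request was forwarded to the expected cache_peer. The log lines are constructed from the values quoted in the thread; the peer name mail.xyz.com and the 1000 ms threshold are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

# Constructed sample in Squid's native access.log format, built from the values quoted
# in the thread (the client address was already masked there as 168.187.x.y). Fields:
# time elapsed_ms client result/status bytes method URL ident hierarchy/peer content-type
SAMPLE_ACCESS_LOG = """\
1106564515.881     31 168.187.x.y TCP_MISS/401 391 GET http://mail.xyz.com/ - FIRST_UP_PARENT/mail.xyz.com text/html
1106564527.505     36 168.187.x.y TCP_MISS/200 1535 GET http://mail.xyz.com/ - FIRST_UP_PARENT/mail.xyz.com text/html
1106564530.637   2015 168.187.x.y TCP_MISS/200 24495 GET http://mail.xyz.com/rakesh/? - FIRST_UP_PARENT/mail.xyz.com text/html
1106564534.751   4529 168.187.x.y TCP_MISS/200 20264 GET http://mail.xyz.com/rakesh/Inbox/? - FIRST_UP_PARENT/mail.xyz.com text/html
1106564543.217    880 168.187.x.y TCP_MISS/207 13590 SEARCH http://mail.xyz.com/rakesh/Inbox/ - FIRST_UP_PARENT/mail.xyz.com text/xml
1106564635.452   1039 168.187.x.y TCP_MISS/200 19856 GET http://mail.xyz.com/rakesh/ipool/? - FIRST_UP_PARENT/mail.xyz.com text/html
1106564719.196      6 168.187.x.y TCP_MISS/207 567 POLL http://mail.xyz.com/rakesh/Inbox - FIRST_UP_PARENT/mail.xyz.com text/xml
1106564840.064      7 168.187.x.y TCP_MISS/207 567 POLL http://mail.xyz.com/rakesh/Inbox - FIRST_UP_PARENT/mail.xyz.com text/xml
"""


@dataclass
class Entry:
    elapsed_ms: int
    status: int
    size: int
    method: str
    url: str
    hier: str   # e.g. FIRST_UP_PARENT, DIRECT, NONE
    peer: str   # cache_peer name, origin host for DIRECT, "-" for NONE


def parse_line(line: str) -> Entry:
    """Parse one native-format line; raises ValueError on anything malformed."""
    f = line.split()
    if len(f) != 10:
        raise ValueError(f"expected 10 fields, got {len(f)}: {line!r}")
    _result, status = f[3].split("/", 1)   # TCP_MISS/401 -> (TCP_MISS, 401)
    hier, peer = f[8].split("/", 1)        # FIRST_UP_PARENT/mail.xyz.com
    return Entry(int(f[1]), int(status), int(f[4]), f[5], f[6], hier, peer)


def folder_of(url: str) -> str:
    """First two path segments, i.e. the OWA mailbox and folder (/rakesh/Inbox)."""
    segs = [s for s in urlsplit(url).path.split("/") if s][:2]
    return "/" + "/".join(segs)


@dataclass
class Summary:
    per_folder: Dict[str, dict] = field(default_factory=dict)
    slow: List[Tuple[int, str, str]] = field(default_factory=list)  # (ms, method, url)
    not_via_peer: List[str] = field(default_factory=list)           # URLs that bypassed the peer
    auth_challenges: int = 0                                        # 401s relayed from the origin


def summarize(log_text: str, expected_peer: str, slow_ms: int = 1000) -> Summary:
    s = Summary()
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        e = parse_line(raw)
        fs = s.per_folder.setdefault(folder_of(e.url),
                                     {"requests": 0, "max_ms": 0, "bytes": 0, "methods": set()})
        fs["requests"] += 1
        fs["max_ms"] = max(fs["max_ms"], e.elapsed_ms)
        fs["bytes"] += e.size
        fs["methods"].add(e.method)
        if e.elapsed_ms >= slow_ms:
            s.slow.append((e.elapsed_ms, e.method, e.url))
        if e.peer != expected_peer:   # DIRECT, NONE or another parent: the accel config is not doing what you think
            s.not_via_peer.append(e.url)
        if e.status == 401:
            s.auth_challenges += 1
    s.slow.sort(reverse=True)
    return s


if __name__ == "__main__":
    summary = summarize(SAMPLE_ACCESS_LOG, expected_peer="mail.xyz.com")
    for folder, stats in sorted(summary.per_folder.items()):
        print(f"{folder:16} {stats['requests']:3} req  max {stats['max_ms']:5} ms  {sorted(stats['methods'])}")
    print("slow:", summary.slow)
    print("bypassed peer:", summary.not_via_peer, " 401s:", summary.auth_challenges)
```

Requests that take seconds at the proxy show up in `slow`; a browser that sits on "Loading" for minutes while every logged request completes in under five seconds points at something the proxy never saw complete, such as a hanging connection that was never logged.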

Re: [squid-users] SSL Reverse Proxy to Exchange 2003 OWA - SQUID just shutsdown by itself.

2005-01-19 Thread Henrik Nordstrom

On Sun, 16 Jan 2005, Rakesh Kumar wrote:
I have installed now Squid-3.0-PRE3-20050111. Now squid process seems to
be stable as I have not restarted for last 4-5 days but facing another
problem, now opening a box or a mail takes very long time (may be 10
minutes). We keep on seeing 'Loading' on the screen.
What is the problem
No idea. Can be anything from a bug in Squid to a configuration error.
Anything in cache.log?
What does access.log say?
And what URL did you request in your browser?
Regards
Henrik


[squid-users] SSL Reverse Proxy to Exchange 2003 OWA - SQUID just shutsdown by itself.

2005-01-16 Thread Rakesh Kumar
I have installed now Squid-3.0-PRE3-20050111. Now squid process seems to
be stable as I have not restarted for last 4-5 days but facing another
problem, now opening a box or a mail takes very long time (may be 10
minutes). We keep on seeing 'Loading' on the screen.
What is the problem

Thanks in advance.

Rakesh
- Original Message - 
From: "Henrik Nordstrom" <[EMAIL PROTECTED]>
To: "Rakesh Kumar" <[EMAIL PROTECTED]>
Cc: "Squid Users" 
Sent: Monday, January 10, 2005 02:41 PM
Subject: [squid-users] Re: SSL Reverse Proxy to Exchange 2003 OWA - SQUID
just shutsdown by itself.


>
>
> On Mon, 10 Jan 2005, Rakesh Kumar wrote:
>
> > Now I have installed a fresh RH9 and Squid-3 PRE3
>
> Don't use 3.0.PRE3, if you run Squid-3 you should run a recent snapshot
> release.
>
> Regards
> Henrik
>





Re: [squid-users] SSL Reverse Proxy to Exchange 2003 OWA - SQUID just shutsdown by itself.

2005-01-06 Thread Henrik Nordstrom
On Mon, 3 Jan 2005, Rakesh Kumar wrote:
2004/12/29 12:53:26| clientNegotiateSSL: Error negotiating SSL connection on FD 91: error::lib(0):func(0):reason(0) (5/0)
FATAL: Received Segment Violation...dying.
2004/12/29 14:55:27| storeDirWriteCleanLogs: Starting...
For the "Segment Violation" these indicate bugs in Squid. See the Squid 
FAQ on how to report bugs, including what information is required in the 
bug report.

2004/12/30 19:39:36| clientNegotiateSSL: Error negotiating SSL connection on FD 15: error::lib(0):func(0):reason(0) (5/-1)
2004/12/30 19:46:40| Preparing for shutdown after 1285 requests
This is a normal shutdown of Squid by either SIGINT (Control-C / squid -k 
interrupt) or SIGTERM (plain kill / squid -k shutdown).

2004/12/30 19:46:40| Waiting 0 seconds for active connections to finish
Unless you have set shutdown_lifetime to 0 seconds this indicates the 
shutdown request was by a SIGINT.

Regards
Henrik
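Henrik's reading of the cache.log lines above (handshake errors are usually the client aborting, "Segment Violation" is a Squid bug, "Preparing for shutdown" is a signal, and "Waiting 0 seconds" means SIGINT unless shutdown_lifetime is 0) written out as a small triage script. This is an added example, not code from the thread or from Squid; the excerpt is constructed from the lines quoted in the thread, and the shutdown_lifetime value is an assumption (Squid's default is 30 seconds).

```python
import re
from dataclasses import dataclass, field
from typing import List

# Constructed cache.log excerpt modelled on the lines quoted in the thread (not the
# poster's actual file): two aborted handshakes, one crash, one administrative shutdown.
SAMPLE_CACHE_LOG = """\
2004/12/29 12:53:26| clientNegotiateSSL: Error negotiating SSL connection on FD 91: error::lib(0):func(0):reason(0) (5/0)
2004/12/29 13:10:02| clientNegotiateSSL: Error negotiating SSL connection on FD10: error::lib(0):func(0):reason(0) (5/-1)
FATAL: Received Segment Violation...dying.
2004/12/29 14:55:27| storeDirWriteCleanLogs: Starting...
2004/12/30 19:46:40| Preparing for shutdown after 1285 requests
2004/12/30 19:46:40| Waiting 0 seconds for active connections to finish
2004/12/30 19:46:41| Shutting down...
"""

# "FD 91:" and "FD10:" both occur in the thread, hence the optional whitespace.
HANDSHAKE_RE = re.compile(r"clientNegotiateSSL: Error negotiating SSL connection on FD\s*(\d+):")
SEGV_RE = re.compile(r"FATAL: Received Segment Violation")
SHUTDOWN_RE = re.compile(r"Preparing for shutdown after (\d+) requests")
WAIT_RE = re.compile(r"Waiting (\d+) seconds for active connections to finish")


@dataclass
class Triage:
    handshake_fds: List[int] = field(default_factory=list)  # FDs of aborted TLS handshakes
    crashes: int = 0                                         # FATAL segmentation violations
    shutdowns: List[str] = field(default_factory=list)       # inferred signal per shutdown
    findings: List[str] = field(default_factory=list)        # human-readable verdicts


def triage(log_text: str, shutdown_lifetime: int = 30) -> Triage:
    """Classify a cache.log excerpt the way the thread reasons about it.

    shutdown_lifetime is the value configured in squid.conf (assumed default 30 s);
    it decides whether "Waiting 0 seconds" means SIGINT or merely a zero lifetime.
    """
    t = Triage()
    awaiting_wait_line = False
    for line in log_text.splitlines():
        m = HANDSHAKE_RE.search(line)
        if m:
            t.handshake_fds.append(int(m.group(1)))
            continue
        if SEGV_RE.search(line):
            t.crashes += 1
            t.findings.append("crash: a segmentation violation is a Squid bug; report it per the FAQ")
            continue
        if SHUTDOWN_RE.search(line):
            awaiting_wait_line = True   # a normal shutdown by signal, not a crash
            continue
        m = WAIT_RE.search(line)
        if m and awaiting_wait_line:
            awaiting_wait_line = False
            wait = int(m.group(1))
            if wait == 0 and shutdown_lifetime != 0:
                signal = "SIGINT"             # Control-C / squid -k interrupt skips the grace period
            elif wait == 0:
                signal = "SIGINT or SIGTERM"  # a zero lifetime makes the two indistinguishable
            else:
                signal = "SIGTERM"            # plain kill / squid -k shutdown honours shutdown_lifetime
            t.shutdowns.append(signal)
            t.findings.append(f"administrative shutdown ({signal}): find out who signalled squid")
    if t.handshake_fds:
        t.findings.append(f"{len(t.handshake_fds)} aborted TLS handshakes: usually the client "
                          "closed the connection during negotiation; informational on their own")
    return t


if __name__ == "__main__":
    for finding in triage(SAMPLE_CACHE_LOG).findings:
        print("-", finding)
```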


[squid-users] SSL Reverse Proxy to Exchange 2003 OWA - SQUID just shutsdown by itself.

2005-01-03 Thread Rakesh Kumar
Today again squid shuts down by itself after working almost four days
perfectly, though during this period there were eighteen "2005/01/03
02:46:04| clientNegotiateSSL: Error negotiating SSL connection on FD10:
error::lib(0):func(0):reason(0) (5/0)" such messages.

Any suggestion why squid stops/shuts down...

Rakesh Jha

- Original Message - 
From: "Rakesh Jha" <[EMAIL PROTECTED]>
To: "Henrik Nordstrom" <[EMAIL PROTECTED]>
Cc: ; "Henrik Nordstrom" <[EMAIL PROTECTED]>
Sent: Friday, December 31, 2004 05:12 AM
Subject: Re: [squid-users] Re: SSL Reverse Proxy to Exchange 2003 OWA


> Dear Squid GURU,
> There are many such error messages in cache.log. SQUID does not shut down
> with each such message. I see at least 15-16 such error messages after
> which squid is stopped. I am sure nobody issued "Control-C" though I was
> starting squid with -DYNCd3 options.
> I have tried starting squid like  /usr/local/squid/sbin/squid  but no
> process starts.  I could start squid with -N option only. Though in
> squid-2.5STABLE7 I could start squid only with ./squid command. Am I doing
> anything wrong? Attaching squid.conf.
>
> Please see the cache.log entries (summarised)-
>
> 2004/12/29 12:53:26| clientNegotiateSSL: Error negotiating SSL connection on FD 91: error::lib(0):func(0):reason(0) (5/0)
> FATAL: Received Segment Violation...dying.
> 2004/12/29 14:55:27| storeDirWriteCleanLogs: Starting...
> 2004/12/29 14:55:27| WARNING: Closing open FD   11
> 2004/12/29 14:55:27|   Finished.  Wrote 6 entries.
>
>
>
> 2004/12/29 17:14:05| storeLateRelease: released 0 objects
> FATAL: Received Segment Violation...dying.
> 2004/12/29 21:12:40| storeDirWriteCleanLogs: Starting...
> 2004/12/29 21:12:40| WARNING: Closing open FD   11
> 2004/12/29 21:12:40|   Finished.  Wrote 6 entries
>
>
>
> 2004/12/30 19:39:36| clientNegotiateSSL: Error negotiating SSL connection on FD 15: error::lib(0):func(0):reason(0) (5/-1)
> 2004/12/30 19:46:40| Preparing for shutdown after 1285 requests
> 2004/12/30 19:46:40| Waiting 0 seconds for active connections to finish
> 2004/12/30 19:46:40| FD 11 Closing HTTP connection
> 2004/12/30 19:46:40| FD 12 Closing HTTP connection
> 2004/12/30 19:46:41| Shutting down...
> 2004/12/30 19:46:41| FD 13 Closing ICP connection
> 2004/12/30 19:46:41| Closing unlinkd pipe on FD 9
>
> Please help to solve this problem.
>
> Rakesh Jha
>
> - Original Message - 
> From: "Henrik Nordstrom" <[EMAIL PROTECTED]>
> To: "Rakesh Kumar" <[EMAIL PROTECTED]>
> Cc: ; "Henrik Nordstrom"
<[EMAIL PROTECTED]>
> Sent: Tuesday, December 28, 2004 04:12 PM
> Subject: [squid-users] Re: SSL Reverse Proxy to Exchange 2003 OWA
>
>
> >
> >
> > On Tue, 28 Dec 2004, Rakesh Kumar wrote:
> >
> > > With Squid-3 I have started working well with OWA but now facing another
> > > problem. After some two-three connections I am getting following error in
> > > cache.log -
> > >
> > > 2004/12/28 12:42:11| clientNegotiateSSL: Error negotiating SSL connection on FD 36: error::lib(0):func(0):reason(0) (5/0)
> >
> > This is usually seen when the client aborts the connection during the
> > initial SSL negotiations.
> >
> > > 2004/12/28 12:43:17| Preparing for shutdown after 236 requests
> >
> > This is someone terminating Squid, either with "Control-C" if run
> > interactively or by "squid -k shutdown".
> >
> > Regards
> > Henrik
> >
>
>



[squid-users] SSL Reverse Proxy to Exchange 2003 OWA

2004-12-28 Thread Rakesh Kumar
With Squid-3 I have started working well with OWA but now facing another
problem. After some two-three connections I am getting following error in
cache.log -

2004/12/28 12:42:11| clientNegotiateSSL: Error negotiating SSL connection on FD 36: error::lib(0):func(0):reason(0) (5/0)
2004/12/28 12:43:17| Preparing for shutdown after 236 requests
2004/12/28 12:43:17| Waiting 0 seconds for active connections to finish
2004/12/28 12:43:17| FD 11 Closing HTTP connection
2004/12/28 12:43:17| FD 12 Closing HTTP connection
2004/12/28 12:43:18| Shutting down...
2004/12/28 12:43:18| FD 13 Closing ICP connection
2004/12/28 12:43:18| Closing unlinkd pipe on FD 9
2004/12/28 12:43:18| storeDirWriteCleanLogs: Starting...
2004/12/28 12:43:18|   Finished.  Wrote 6 entries.
2004/12/28 12:43:18|   Took 0.0 seconds (3934.4 entries/sec).
CPU Usage: 1.010 seconds = 0.880 user + 0.130 sys
Maximum Resident Size: 0 KB
Page faults with physical i/o: 868
Memory usage for squid via mallinfo():
   total space in arena:3709 KB
   Ordinary blocks: 3381 KB 43 blks
   Small blocks:   0 KB  6 blks
   Holding blocks:  2228 KB 12 blks
   Free Small blocks:  0 KB
   Free Ordinary blocks: 328 KB
   Total in use:5609 KB 151%
   Total free:   328 KB 9%
2004/12/28 12:43:18| Squid Cache (Version 3.0-PRE3): Exiting normally.

Why am I getting this error?

Thanks

Rakesh Jha





Re: [squid-users] SSL reverse proxy/*caching* of SSL encrypted website

2004-12-21 Thread Henrik Nordstrom
On Tue, 21 Dec 2004, Reuben Farrelly wrote:
Their request involves changes to create a setup like this:
Origin website (Serves https)
 |
 |
Squid proxy (Serves https to clients and requests https to origin servers)
 |
 |
Client browser (requests https)
This requires either Squid-3, or Squid-2.5 + SSL update patch and some 
tweaking.

With Squid-3 it is a fairly straight forward setup
  https_port to make Squid listen for client requests
  cache_peer to make Squid forward to the web server
What won't be possible with a setup like this is the use of client side 
certificates for authentication to the application server, but pretty much 
anything else imaginable is possible.

The constraints are that as the clients are unmanaged we cannot alter the 
config of them easily.  However we can get the SSL certificates that are used 
to sign the site, and have control of DNS (thinking maybe we could forge the 
identity of the origin box, just for this local network).
Good plan.
What patches are recommended to 2.5STABLE7 for this - I'm a bit wary of 
squid-3 even though it appears to have better SSL support and config 
directives seem to fit more with what I'm looking to do..

Documentation on this particular combination of circumstances seems to be a 
bit sparse, unfortunately :(
Squid-2.5 is not intended to be used like this. The standard release lacks 
the capability of initiating ssl connections, and even with the SSL patch 
it lacks a bit of flexibility in how to configure reverse proxies to make 
the setup reasonable.

In Squid-3 there is not much to say about it as it is just a standard 
reverse proxy configuration with https on both sides and there should not 
be any major problems figuring out the required configuration from the 
squid.conf documentation and release notes.

As you already figured out you need a good server certificate (+ key) to 
give to Squid to accept the https requests.

Regards
Henrik


[squid-users] SSL reverse proxy/*caching* of SSL encrypted website

2004-12-21 Thread Reuben Farrelly
Hi,
One of our customers at work is requesting changes to speed up access to 
their intranet website, which is hosted in another country and has some 
fancy SAP application running behind it.  They already have a Squid proxy 
running 2.5STABLE1 (will upgrade to STABLE7) which is currently a forward 
proxy to clients connecting into their network.  Clients to the corporate 
intranet website

Their request involves changes to create a setup like this:
Origin website (Serves https)
  |
  |
Squid proxy (Serves https to clients and requests https to origin servers)
  |
  |
Client browser (requests https)
The constraints are that as the clients are unmanaged we cannot alter the 
config of them easily.  However we can get the SSL certificates that are 
used to sign the site, and have control of DNS (thinking maybe we could 
forge the identity of the origin box, just for this local 
network).  Someone not so clever in another country who hosts the web site 
has also decided that the entire site, graphics, html and everything is all 
https encrypted, bit of a silly idea but I have no control over 
it.   Obviously the SAP backend contents will not be cacheable but 
hopefully the rest of the site should be.

Choices are to use the apache proxy module (somehow) or better still, 
squid.  Given they already have one installed, untuned and working, it 
would be good to be able to reuse it and not bring another box into the 
network with all the associated change control and reconfig etc.

The big question is, will squid be able to retrieve *and* cache any of the 
content even if it is setup to run SSL to the clients, and SSL to the 
origin web server?  ie is the content at any point completely decrypted and 
cacheable?   There is no point in me suggesting this setup if squid cannot 
do this sort of caching...the clients might as well have their connections 
as per normal through the forward proxy using the CONNECT method to talk to 
the origin server.

What patches are recommended to 2.5STABLE7 for this - I'm a bit wary of 
squid-3 even though it appears to have better SSL support and config 
directives seem to fit more with what I'm looking to do..

Documentation on this particular combination of circumstances seems to be a 
bit sparse, unfortunately :(

Thanks,
Reuben


RE: [squid-users] SSL Reverse Proxy of multiple hosts

2004-09-02 Thread Henrik Nordstrom
On Thu, 2 Sep 2004, R. Benjamin Kessler wrote:
I do have another question; what's the best way to configure automatic
startup of squid (i.e. what do I need to do so that I don't get prompted for
the PEM password for each of the certs on startup?)
The simplest way to not be asked for SSL PEM passwords on startup is to 
store your SSL keys unencrypted.

openssl rsa -in encrypted.pem -out decrypted.pem
The other option if using the Squid-2.5 ssl update patch is to specify a 
program supplying the password using the sslpassword_program directive.

Regards
Henrik


RE: [squid-users] SSL Reverse Proxy of multiple hosts

2004-09-02 Thread R. Benjamin Kessler
Excellent help Henrik; thanks!

I do have another question; what's the best way to configure automatic
startup of squid (i.e. what do I need to do so that I don't get prompted for
the PEM password for each of the certs on startup?)

Thanks again.

Ben

-Original Message-
From: Henrik Nordstrom [mailto:[EMAIL PROTECTED] 
Sent: Thursday, September 02, 2004 6:36 PM
To: R. Benjamin Kessler
Cc: [EMAIL PROTECTED]
Subject: Re: [squid-users] SSL Reverse Proxy of multiple hosts

On Thu, 2 Sep 2004, R. Benjamin Kessler wrote:

> I'd like to have something like the following:
>
> public site1 xx.yy.133.201
> public site2 xx.yy.133.202
> public site3 xx.yy.133.203
>
> all serviced by proxy1
>
> internal site1 192.168.133.201
> internal site2 192.168.133.202
> internal site3 192.168.133.203
>
> Do I have to run three different instances of squid to do this?

No, but you need one https_port specification per certificate, each 
bound to their public IP.

> If they're all xxx.foo.com can I use a single "wild card" SSL 
> certificate?

Then you can run them all on a single public IP address.


squid.conf:


https_port ...
https_port ...
https_port ...

httpd_accel_host your.primary.website
httpd_accel_port 80
httpd_accel_with_proxy on

acl port80 port 80

never_direct allow all

cache_peer server1 parent 80 0 no-query
acl site1 dstdomain www.site1.com
http_access allow site1 port80
cache_peer_access server1 allow site1

cache_peer server2 parent 80 0 no-query
acl site2 dstdomain www.site2.com
http_access allow site2 port80
cache_peer_access server2 allow site2

[etc].


Alternatively you can take out the cache_peer, cache_peer_access and 
never_direct lines and place the IP addresses of the web server for each 
accelerated web server into /etc/hosts.


Regards
Henrik






Re: [squid-users] SSL Reverse Proxy of multiple hosts

2004-09-02 Thread Henrik Nordstrom
On Thu, 2 Sep 2004, R. Benjamin Kessler wrote:
I'd like to have something like the following:
public site1 xx.yy.133.201
public site2 xx.yy.133.202
public site3 xx.yy.133.203
all serviced by proxy1
internal site1 192.168.133.201
internal site2 192.168.133.202
internal site3 192.168.133.203
Do I have to run three different instances of squid to do this?
No, but you need one https_port specification per certificate, each 
bound to their public IP.

If they're all xxx.foo.com can I use a single "wild card" SSL 
certificate?
Then you can run them all on a single public IP address.
squid.conf:
https_port ...
https_port ...
https_port ...
httpd_accel_host your.primary.website
httpd_accel_port 80
httpd_accel_with_proxy on
acl port80 port 80
never_direct allow all
cache_peer server1 parent 80 0 no-query
acl site1 dstdomain www.site1.com
http_access allow site1 port80
cache_peer_access server1 allow site1
cache_peer server2 parent 80 0 no-query
acl site2 dstdomain www.site2.com
http_access allow site2 port80
cache_peer_access server2 allow site2
[etc].
Alternatively you can take out the cache_peer, cache_peer_access and 
never_direct lines and place the IP addresses of the web server for each 
accelerated web server into /etc/hosts.

Regards
Henrik


[squid-users] SSL Reverse Proxy of multiple hosts

2004-09-02 Thread R. Benjamin Kessler
Hi All,

I'm trying to protect multiple web servers via a squid reverse proxy 
(version 2.5.STABLE5).  I've got the rev. proxy working for a single 
host but am having difficulty finding out how to configure reverse proxying 
for the other hosts.

I'd like to have something like the following:

public site1 xx.yy.133.201
public site2 xx.yy.133.202
public site3 xx.yy.133.203

all serviced by proxy1

internal site1 192.168.133.201
internal site2 192.168.133.202
internal site3 192.168.133.203

Do I have to run three different instances of squid to do this?  If they're 
all xxx.foo.com can I use a single "wild card" SSL certificate?

I thought I googled the answer to this once but now I can't find it again; 
direct answers to the above and/or pointers to docs on the web would be much 
appreciated.

Thanks,

Ben