Re: [squid-users] https questions
On lör, 2008-06-07 at 18:29 +0800, Ken W. wrote:
> 2008/06/07 14:37:02| httpsAccept: Error allocating handle:
> error:0906A068:PEM routines:PEM_do_header:bad password read

Your SSL key is encrypted and you have not given the encryption key to Squid so it can not set up the SSL proper. Decrypt the SSL key and it should work better.

openssl rsa -in key.pem -out unencrypted_key.pem

Regards
Henrik
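The "PEM_do_header:bad password read" error in Ken's cache.log and Henrik's diagnosis (a passphrase-protected key that Squid cannot open unattended) can be checked for before Squid is restarted. The following is an added example and not code from the thread or from the Squid project: a POSIX shell check that looks at the PEM armour of a key file and reports whether it is encrypted. The two sample key files it writes under a temporary directory are constructed placeholders with no real key material; the function names (pem_key_is_encrypted, check_squid_key, cleanup_samples) and the temporary path are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the squid-users thread or the Squid project.
# Detects whether a PEM private key is passphrase-protected, which is what
# makes Squid's https_port fail with "PEM_do_header:bad password read".
set -u

# Returns 0 if the PEM file at $1 is encrypted, 1 if it is a plain key.
pem_key_is_encrypted() {
    # Legacy PKCS#1 keys carry a "Proc-Type: 4,ENCRYPTED" header line;
    # PKCS#8 keys use the "BEGIN ENCRYPTED PRIVATE KEY" armour instead.
    if grep -q -e '^Proc-Type: 4,ENCRYPTED' \
               -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"; then
        return 0
    fi
    return 1
}

# Pre-flight check for a key you intend to reference with https_port key=.
# Returns 0 when Squid can read the key without a passphrase, 1 otherwise.
check_squid_key() {
    if pem_key_is_encrypted "$1"; then
        echo "$1: encrypted; Squid cannot read it without a passphrase." >&2
        echo "   decrypt with: openssl rsa -in $1 -out unencrypted_key.pem" >&2
        echo "   then restrict it: chmod 600 unencrypted_key.pem (owner: the squid user)" >&2
        return 1
    fi
    echo "$1: plain PEM key, usable for https_port key=$1"
    return 0
}

# --- constructed sample files (placeholder bodies, not real keys) ---
TMPDIR_EX="${TMPDIR:-/tmp}/squidkey.$$"   # assumed scratch location
mkdir -p "$TMPDIR_EX"
ENC_KEY="$TMPDIR_EX/encrypted.key"
PLAIN_KEY="$TMPDIR_EX/plain.key"

cat > "$ENC_KEY" <<'EOF'
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0123456789ABCDEF

PLACEHOLDERBASE64BODY
-----END RSA PRIVATE KEY-----
EOF

cat > "$PLAIN_KEY" <<'EOF'
-----BEGIN RSA PRIVATE KEY-----
PLACEHOLDERBASE64BODY
-----END RSA PRIVATE KEY-----
EOF

# Removes the constructed sample files.
cleanup_samples() {
    rm -rf "$TMPDIR_EX"
}

# Demonstration: the encrypted sample is rejected, the plain one accepted.
check_squid_key "$ENC_KEY" || true
check_squid_key "$PLAIN_KEY"
```

The check only reads the armour lines, so it runs without openssl installed; once a key has been decrypted as Henrik suggests, the plaintext key on disk is protected only by file permissions, so keep it readable by the Squid user alone.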
Re: [squid-users] https questions
Hello members,

My squid's config for https looks as below:

http_port 80 accel vhost
https_port 443 accel vhost cert=/usr/local/squid/etc/ssl/server.cert key=/usr/local/squid/etc/ssl/server.key
cache_peer 12.34.56.78 parent 80 0 no-query front-end-https=auto originserver name=origin_1
acl service_1 dstdomain .abc.com
cache_peer_access origin_1 allow service_1

When I access squid with https://www.abc.com I got no success and cache.log shows:

2008/06/07 14:37:02| httpsAccept: Error allocating handle: error:0906A068:PEM routines:PEM_do_header:bad password read
2008/06/07 14:37:02| httpsAccept: Error allocating handle: error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib
2008/06/07 14:37:02| httpsAccept: Error allocating handle: error:140BA0C3:SSL routines:SSL_new:null ssl ctx

This is the info for my squid:

Squid Cache: Version 3.0.STABLE6
configure options: '--prefix=/usr/local/squid3.0' '--disable-carp' '--enable-async-io=128' '--enable-removal-policies=heap lru' '--disable-wccp' '--disable-wccpv2' '--enable-kill-parent-hack' '--disable-snmp' '--disable-htcp' '--disable-poll' '--disable-select' '--disable-ident-lookups' '--with-aio' '--with-large-files' '--with-filedescriptors=51200' '--enable-ssl'

I'm running it under redhat linux AS5.
Please help, thanks.

--Ken

2008/6/7 Henrik Nordstrom <[EMAIL PROTECTED]>:
> On lör, 2008-06-07 at 09:58 +0800, Ken W. wrote:
>> 2008/6/7 Henrik Nordstrom <[EMAIL PROTECTED]>:
>>
>> >
>> > But you are quite likely to run into issues with the server sending out
>> > http:// URLs in its responses unless the server has support for running
>> > behind an SSL frontend. See for example the front-end-https cache_peer
>> > option.
>> >
>>
>> Thanks Henrik.
>> Under my setting, can squid work correctly for this flow?
>>
>> clients --https--> squid --http--> webserver
>> webserver --http--> squid --https--> clients
>
> Again, yes, provided your web server application has support for being
> used in this manner.
Re: [squid-users] https questions
2008/6/7 Henrik Nordstrom <[EMAIL PROTECTED]>:
>>
>> Thanks Henrik.
>> Under my setting, can squid work correctly for this flow?
>>
>> clients --https--> squid --http--> webserver
>> webserver --http--> squid --https--> clients
>
> Again, yes, provided your web server application has support for being
> used in this manner.
>

Thanks Henrik.
We use apache-2.0.59 standard installation for web servers.
We didn't have the https port opened on Apache.
Then, can Squid run well with an https frontend under this case?

thanks again.
Re: [squid-users] https questions
On lör, 2008-06-07 at 09:58 +0800, Ken W. wrote:
> 2008/6/7 Henrik Nordstrom <[EMAIL PROTECTED]>:
>
> >
> > But you are quite likely to run into issues with the server sending out
> > http:// URLs in its responses unless the server has support for running
> > behind an SSL frontend. See for example the front-end-https cache_peer
> > option.
> >
>
> Thanks Henrik.
> Under my setting, can squid work correctly for this flow?
>
> clients --https--> squid --http--> webserver
> webserver --http--> squid --https--> clients

Again, yes, provided your web server application has support for being used in this manner.
Re: [squid-users] https questions
2008/6/7 Henrik Nordstrom <[EMAIL PROTECTED]>:
>
> But you are quite likely to run into issues with the server sending out
> http:// URLs in its responses unless the server has support for running
> behind an SSL frontend. See for example the front-end-https cache_peer
> option.
>

Thanks Henrik.
Under my setting, can squid work correctly for this flow?

clients --https--> squid --http--> webserver
webserver --http--> squid --https--> clients

Thank you again.
Re: [squid-users] https questions
On fre, 2008-06-06 at 22:59 +0800, Ken W. wrote:
> I want to set up squid, which accepts https from clients, then forwards the
> request to the original server with the http protocol.
>
> This is the setting I considered:
>
> https_port 443 accel vhost cert=/squid/etc/xxx.crt key=/squid/etc/xxx.key
> protocol=http

Don't use protocol= unless you absolutely need it.

> cache_peer 10.0.0.1 parent 80 0 no-query originserver name=origin_1
> acl service_1 dstdomain .xxx.com
> cache_peer_access origin_1 allow service_1

Looks fine.

> Then I access squid this way:
> https://www.xxx.com/
>
> Can squid accept this https request and forward it to the original server with
> http correctly?

Yes. But you are quite likely to run into issues with the server sending out http:// URLs in its responses unless the server has support for running behind an SSL frontend. See for example the front-end-https cache_peer option.

> btw, what's the usage of "protocol=http"? I can't understand it
> enough.

It's the protocol Squid should internally assign to the requested URL. When acting as a web server / accelerator the request does not contain information on the protocol used, just the request-path.

It has only marginal practical importance, and is best left at the default automatic setting unless you have very special reasons to change it.

Regards
Henrik
RE: [squid-users] HTTPS questions
On Tue, 27 Jan 2004, Derek Winkler wrote:
> cache_peer owahost.algorithmics.com parent 443 0 no-query ssl proxy-only
> originserver login=PASS sslcert=/opt/squid/etc/owahost.algorithmics.com.crt
> sslkey=/opt/squid/etc/owahost.algorithmics.com.key sslflags=DONT_VERIFY_PEER

You don't need the certificate information in the cache_peer. This certificate is for use as an optional client certificate when connecting to the server, not the server certificate.

Regards
Henrik
Re: [squid-users] HTTPS questions
On Tue, 27 Jan 2004, Loc Nguyen wrote:
> I have a few questions, I hope that you can help:
>
> I want to set up a HTTPS accelerator using squid. The
> environment is:
> Client -> HTTPS -> Squid accelerator -> HTTPS
> webserver

Then you need Squid-3, or alternatively Squid-2.5 + SSL update patch from devel.squid-cache.org. Please note that the 2.5 patch is currently unavailable due to SourceForge server issues but should be back in a few days at worst.

The base Squid-2.5 distribution does not know how to initiate SSL connections and can not fulfill your requirements.

> 2) Does anyone have a complete list of https_port options?
> I can't find any document explaining how to set up
> https_port.

All the options are documented in squid.conf.default after you install your Squid..

> 3) Did anyone set up squid as the HTTPS accelerator
> for HTTPS Outlook Web Access? Please point me to any
> document that shows how to configure the squid.conf to
> support HTTPS OWA.

Should work with Squid-2.5+SSL update + a small redirector to rewrite the accelerated URLs back into https. Should also work with Squid-3.

Or you could look into the eMARA product from MARA Systems AB from where a lot of this functionality is originating.

> 4) At this time, I use openssl to generate a certificate for the HTTPS
> I just need to know what format I need to request from Verisign for
> the certificate so the certificate will work with Squid. I would appreciate
> any advice and comments about this.

Same as for Apache mod_ssl which is more well known to the CAs. Or in short an OpenSSL PEM formatted certificate.

If you get the certificate in any other form from your CA or when migrating existing certificates then OpenSSL has built in tools for converting to/from the required PEM format. But I think most understand that a PEM style certificate is requested if they get a PEM formatted certificate request..

Regards
Henrik
RE: [squid-users] HTTPS questions
I posted this earlier... I was doing something similar.

Browser --SSL-> Squid --SSL--> OWA

I ran into a bug with the RSA SecurID pages but other than that it worked. Might need to tighten up the ACLs. Here's my config...

visible_hostname squidhost.algorithmics.com
cache_mgr [EMAIL PROTECTED]
https_port 443 cert=/opt/squid/etc/owahost.algorithmics.com.crt key=/opt/squid/etc/owahost.algorithmics.com.key cafile=/opt/squid/etc/cacert.crt defaultsite=owa.algorithmics.com
cache_peer owahost.algorithmics.com parent 443 0 no-query ssl proxy-only originserver login=PASS sslcert=/opt/squid/etc/owahost.algorithmics.com.crt sslkey=/opt/squid/etc/owahost.algorithmics.com.key sslflags=DONT_VERIFY_PEER
ssl_unclean_shutdown on
acl owa-exchange urlpath_regex \/exchange(\/|$)
acl owa-webid urlpath_regex \/WebID\/
acl all src 0.0.0.0/0.0.0.0
acl all-dst dst 0.0.0.0/0.0.0.0
acl owa-host dst owaipaddress/255.255.255.255
http_access allow owa-host owa-exchange
http_access allow owa-host owa-webid
http_reply_access allow all-dst
http_access deny all
http_access deny all-dst

You need to use the latest version of Squid to do this, unstable version 3, patch unneeded.

The squid.conf.default describes all of the https_port options but doesn't give in depth details of what they do.

Verisign gives specific instructions on how to generate a request using openssl, follow instructions for Apache w/ Openssl or Apache w/ mod_ssl.

-----Original Message-----
From: Loc Nguyen [mailto:[EMAIL PROTECTED]
Sent: Tuesday, January 27, 2004 3:23 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: [squid-users] HTTPS questions

Hi everyone,

I have a few questions, I hope that you can help:

I want to set up a HTTPS accelerator using squid. The environment is:

Client -> HTTPS -> Squid accelerator -> HTTPS webserver

I am using squid version 2.5. I configure the squid with the Openssl certificate. The squid accelerator fails. It seems to me that the squid accelerator uses HTTP to connect to the webserver instead of HTTPS.

My questions are:

1) Does anyone set up this type of HTTPS accelerator? I searched on Google and there is a document mentioning that I need to download a patch to support this HTTPS accelerator but I can't find this patch at the squid-cache.org download site. Can you point me to where I can download this patch?

2) Does anyone have a complete list of https_port options? I can't find any document explaining how to set up https_port.

3) Did anyone set up squid as the HTTPS accelerator for HTTPS Outlook Web Access? Please point me to any document that shows how to configure the squid.conf to support HTTPS OWA.

4) At this time, I use openssl to generate a certificate for the HTTPS website. I would like to use a commercial certificate (ie. Verisign, etc..) so my customer doesn't have to call me about the "can not verify" certificate windows problem. I know how to generate a key-pair and submit a certificate request with Verisign. I just need to know what format I need to request from Verisign for the certificate so the certificate will work with Squid. I would appreciate any advice and comments about this.

Thanks in advance.

Loc Nguyen