On 17/03/11 22:05, arielf wrote:
Hi all,

I am trying to use squid as a forward proxy for target applications using
both http and https sites
I added the following lines to my squid.conf

http_port 3128 ssl-bump key=/path/mykey.pem cert=/path/mycert.pem
ssl_bump allow all

Now I tested on third party http and https sites, and it works nicely :)
However, when I try to proxy a portal that I configured the security keys for, it does not work.

Please correct me if this is wrong but I suspect your understanding of the terminology is incorrect.

I have not heard of tomcat being used as a proxy gateway, so I'm assuming you actually mean it is used as the web app service "server".

"Forward proxy" is a proxy being used by a residential ISP or business to gateway their users out to the general Internet. (there are other uses, but that is the general usage case)

"Reverse proxy" (sometimes called "accelerator proxy") is the type used to act as the front interface for a web service.


The setup description reads a bit like you are struggling to set up Squid as a reverse proxy for tomcat. Possibly as a forward proxy for some local clients at the same time. Correct?


From cache.log:
-----BEGIN SSL SESSION PARAMETERS-----
MHECAQECAgMBBAIANQQg0b4mR/aJ5Vez5HNh6dSwUL4vs/d+v+ceEwKpWxHdFoME
MI3ZqOI/+MjpLLsjIoFchf9dxA/wD9aoZZgrbiq6GRtvOTWRRFeaQA1KFfVgmFo7
FaEGAgRNgfR5ogQCAgEspAIEAA==
-----END SSL SESSION PARAMETERS-----
2011/03/17 07:46:01| SSL unknown certificate error 18 in
/C=IL/ST=NA/L=NA/O=IBM/OU=HRL/CN=Magen
2011/03/17 07:46:01| fwdNegotiateSSL: Error negotiating SSL connection on FD
13: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate
verify failed (1/-1/0)

I actually configured my tomcat and squid with the same security keystore.
Of course tomcat uses JKS and squid uses PEM, so I created a self-signed JKS
keystore for tomcat and then exported the key and cert in PEM format from it to
use for squid.

This is how I did it:

# Tomcat side: self-signed key pair in a JKS keystore (keytool prompts for the DN).
keytool -genkey -keyalg RSA -alias mykey -keystore keystore.jks -storepass "password" -validity 365
# Export the certificate and re-import it into the same keystore as a trusted entry.
keytool -export -alias mykey -keystore keystore.jks -file mycert.crt
keytool -import -trustcacerts -alias mycert -file mycert.crt -keystore keystore.jks

# Squid side: convert JKS -> PKCS#12 -> PEM, then split the PEM into key and cert.
keytool -importkeystore -srckeystore keystore.jks -srcstoretype JKS -deststoretype PKCS12 -destkeystore keystore.p12
openssl pkcs12 -in keystore.p12 -out keystore.pem
openssl rsa -in keystore.pem -out mykey.pem
# (output file name corrected to match the squid.conf above)
openssl x509 -in keystore.pem -out mycert.pem

Then I use: keystore.jks for tomcat, and mykey.pem/mycert.pem for squid

Of course, if any of you have made this type of configuration work, I am willing
to create any key/cert/keystore for both squid/tomcat since they are both
under my control.

If anyone has an idea how to make this work, I'd be VERY grateful.
Thanks, Ariel.


Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.11
  Beta testers wanted for 3.2.0.5
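The "certificate verify failed" with "SSL unknown certificate error 18" in the cache.log above is OpenSSL's verify code 18, X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: Squid opened a TLS connection to the origin (fwdNegotiateSSL), the origin presented the self-signed cert, and Squid had no trust anchor for it. The script below is an added example, not code from the thread or from Squid or Tomcat; it generates a self-signed pair with plain openssl (the keytool/JKS round trip is skipped), checks that the key and cert actually belong together, reproduces error 18, and then shows that supplying the cert as a trust anchor makes verification pass. The subject name and file names are constructed stand-ins.

```shell
#!/bin/sh
# Added example, not from the thread. Reproduces the "certificate verify
# failed" / error 18 that Squid logged for a self-signed origin certificate,
# and runs the checks worth doing on a key/cert pair before handing it to
# Squid or Tomcat. Needs only openssl.
set -u

# Generate a self-signed RSA key and certificate into directory $1.
# The subject is a constructed stand-in for the one in the cache.log excerpt.
make_selfsigned() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/C=IL/ST=NA/L=NA/O=Example/OU=Test/CN=Magen" \
        -keyout "$dir/mykey.pem" -out "$dir/mycert.pem" >/dev/null 2>&1
}

# Check 1: does private key $1 belong to certificate $2? Compares the RSA
# modulus of each; a mismatch is the usual result of exporting the wrong
# alias from a keystore. Prints "match" or "mismatch".
key_matches_cert() {
    key_mod=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null)
    cert_mod=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null)
    if [ -n "$key_mod" ] && [ "$key_mod" = "$cert_mod" ]; then
        echo match
    else
        echo mismatch
    fi
}

# Check 2a: verify certificate $1 against the default trust store only, which
# is what Squid did on the forward connection. Prints the X509_V_ERR_* number
# reported at depth 0 (18 = X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT), or
# nothing if verification passed.
verify_error() {
    openssl verify "$1" 2>&1 \
        | sed -n 's/^error \([0-9][0-9]*\) at 0 depth.*/\1/p' | head -n 1
}

# Check 2b: verify certificate $2 with $1 (the cert itself, or the CA that
# issued it) supplied as trust anchor. Prints OK or FAIL.
verify_trusted() {
    ca=$1
    cert=$2
    if openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

# Demo run on a freshly generated pair.
workdir=$(mktemp -d)
make_selfsigned "$workdir"
echo "key/cert pair:                $(key_matches_cert "$workdir/mykey.pem" "$workdir/mycert.pem")"
echo "verify, no trust anchor:      error $(verify_error "$workdir/mycert.pem")"
echo "verify, cert as trust anchor: $(verify_trusted "$workdir/mycert.pem" "$workdir/mycert.pem")"
rm -rf "$workdir"
```

The second verify is the shape of the fix: Squid has to be told to trust the origin's certificate (or its issuing CA). My reading of the Squid 3.1 directives, not something the thread states, is that this is sslproxy_cafile for bumped forward connections and the sslcafile= option on a cache_peer ... originserver ssl line for the accelerator case; sslproxy_flags DONT_VERIFY_PEER also silences the error, but it turns off origin authentication entirely and is not the right answer for a server you control.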
