I placed my squid.conf at the end of this post.
Squid forward proxy works fine for all third party http and https sites, but
fails when I try to proxy this specific portal that I put up on tomcat.

This is the failure:
2011/03/22 07:02:03| Accepting  bumpy HTTP connections at [::]:3128, FD 15.
2011/03/22 07:02:03| HTCP Disabled.
2011/03/22 07:02:03| Squid modules loaded: 0
2011/03/22 07:02:03| Adaptation support is on
2011/03/22 07:02:03| Ready to serve requests.
2011/03/22 07:02:04| storeLateRelease: released 0 objects
-----BEGIN SSL SESSION PARAMETERS-----
MHECAQECAgMBBAIANQQgKd/gfAJ8PhKA+JjxkCPjZf11uL6J1DKxC1vWtAgtntAE
MLqexrqhHJDzrd3AH5V71jhuFf/e7HInhIzUKsjlxKRmJowAAyvZzCUCpwUPYyRQ
NaEGAgRNiIG5ogQCAgEspAIEAA==
-----END SSL SESSION PARAMETERS-----
2011/03/22 07:02:17| SSL unknown certificate error 19 in
/C=IL/ST=Haifa/O=IBM/OU=HRL/CN=Tomcat
2011/03/22 07:02:17| fwdNegotiateSSL: Error negotiating SSL connection on FD
13: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate
verify failed (1/-1/0)
2011/03/22 07:02:17| SSL unknown certificate error 19 in
/C=IL/ST=Haifa/O=IBM/OU=HRL/CN=Tomcat
2011/03/22 07:02:17| SSL unknown certificate error 19 in
/C=IL/ST=Haifa/O=IBM/OU=HRL/CN=Tomcat
2011/03/22 07:02:17| fwdNegotiateSSL: Error negotiating SSL connection on FD
13: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate
verify failed (1/-1/0)
2011/03/22 07:02:17| SSL unknown certificate error 19 in
/C=IL/ST=Haifa/O=IBM/OU=HRL/CN=Tomcat
2011/03/22 07:02:17| SSL unknown certificate error 19 in
/C=IL/ST=Haifa/O=IBM/OU=HRL/CN=Tomcat
2011/03/22 07:02:17| fwdNegotiateSSL: Error negotiating SSL connection on FD
13: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate
verify failed (1/-1/0)
2011/03/22 07:02:17| SSL unknown certificate error 19 in
/C=IL/ST=Haifa/O=IBM/OU=HRL/CN=Tomcat

Please advise,
Thanks, Ariel.

--------------------------------
squid.conf
--------------------------------
#
# Recommended minimum configuration:
#
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged)
machines

acl SSL_ports port 443 8443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

#
# Recommended minimum Access Permission configuration:
#
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager

# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost
always_direct allow all
http_access allow all

http_port 3128 ssl-bump key=squidkey.pem cert=squidcert.pem
ssl_bump allow all

# We recommend you to use at least the following line.
hierarchy_stoplist cgi-bin ?

# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid

# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320

icap_log /var/log/squid/icap.log icap_squid
icap_enable on
icap_send_client_ip on
icap_service_failure_limit -1
icap_service_revival_delay 30 
icap_service guardium respmod_precache bypass=0
icap://127.0.0.1:1344/guardium
adaptation_access guardium allow all

request_header_access Accept-Encoding deny all
append_domain .haifa.ibm.com


--
View this message in context: 
http://squid-web-proxy-cache.1019090.n4.nabble.com/squid-as-forward-proxy-for-portal-run-on-tomcat-tp3383986p3395677.html
Sent from the Squid - Users mailing list archive at Nabble.com.

Reply via email to