On Apr 29, 2012, at 10:36 PM, Amos Jeffries wrote:

> On 28/04/2012 10:37 a.m., Squid Tiz wrote:
>> I am kinda new to squid.  Been looking over the documentation and I just 
>> wanted a sanity check on what I am trying to do.
>> 
>> I have a web client that hits my squid server.  The squid connects to an 
>> apache server via ssl.
>> 
>> Here are the lines of interest from my squid.conf for version 3.1.8
>> 
>> http_port 80 accel defaultsite=123.123.123.123
>> cache_peer 123.123.123.123 parent 443 0 no-query originserver ssl 
>> sslflags=DONT_VERIFY_PEER name=apache1
>> 
>> The good news is, that works just as I hoped.  I get a connection.
>> 
>> But I am questioning the DONT_VERIFY_PEER.    Don't I want to verify peer?
> 
> Ideally yes. It is better security. But up to you whether you need it or not.
> It means having available to OpenSSL on the squid box (possibly via 
> squid.conf settings) the CA certificate which signed the peers certificate, 
> so that verification will not fail.
> 
>> 
>> I simply hacked up a self signed cert on the apache server.  Installed 
>> mod_ssl and restarted apache and everything started to work on 443.
>> 
>> On the command line for the squid server I can curl the apache box with:
>> 
>> curl --cacert  _the_signed_cert_from_the_apache_node_ https://apache.server
>> 
>> Is there a way with sslcert and sslkey to setup a keypair that will verify?
> 
> They are for configuring the *client* certificate and key sent by Squid to 
> Apache. For when Apache is doing the verification of its clients.
> 
> Squid has a sslcacert= option which does the same as curl --cacert option. 
> For validating the Apache certificate(s).
> 
>>   Do I need a signed cert?
> 
> Yes, TLS requires signing. Your self-signing CA will do however, so long as 
> both ends of the connection are in agreement on the CA trust.
> 
>> 
>> I tried to add the cert and key to the cach_peer line in the config.  Squid 
>> did restart.  But no connection.  Why would curl work but not squid?
>> 
> see above.
> 
> Amos

Amos,

Thanks for the reply.  

I was just curious to see if I could get this to fly.  The goal is to attach to 
the squid server via http and have squid verify and attach to the SSL server 
using a self signed cert.  This seems to work.  Squid starts OK and my logs are 
clean.  No validation errors.

Comments appreciated.


Create the CA stuff on the apache server:

Key
openssl genrsa -des3 -out ca.key 4096
CRT
openssl req -new -x509 -days 3650 -key ca.key -out ca.crt

Create a server cert:

Key
openssl genrsa -des3 -out server.key 4096
CSR
openssl req -new -key server.key -out server.csr
CRT
openssl x509 -req -days 3650 -in server.csr -CA ca.crt -CAkey ca.key \
    -set_serial 01 -out server.crt

Then go ahead and install these certs on the server.  Test the server on port 
443/SSL etc.

Then create a client cert:

Key
openssl genrsa -des3 -out client.key 2048
CSR
openssl req -new -key client.key -out client.csr
CRT
openssl ca -in client.csr -cert ca.crt -keyfile ca.key -out client.crt

Touch up the key - don't want to enter the password on start-up.

openssl rsa -in client.key -out client.key.insecure
mv client.key client.key.secure
mv client.key.insecure client.key

Then take the ca.crt, the client.key and the client.crt and deploy them on the 
squid server.

Update the /etc/hosts file:

ip-address cn-name-of-apache-server

Then the squid.conf:

http_port 8080 accel defaultsite=cn-name-of-apache-server
cache_peer cn-name-of-apache-server parent 443 0 no-query originserver ssl \
    sslcafile=/path/ca.crt sslcert=/path/client.crt sslkey=/path/client.key \
    name=yum1


-- 
Regs
-Dean
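Added example, not code from the thread or from the Squid project: a non-interactive shell version of the CA / server cert / client cert procedure above, followed by the three checks worth running on the squid box before turning off DONT_VERIFY_PEER. It assumes the openssl CLI is installed and writes into a scratch directory; the CNs, hostnames and the "rogue" certificate are constructed for the demonstration. It departs from the posted steps in three labelled ways: keys are generated without a passphrase (so the insecure-key copy step is not needed), -subj replaces the interactive prompts, and the client cert is signed with "x509 -req" instead of "openssl ca", which needs a CA database directory that this example does not set up.

```shell
#!/bin/sh
# Added example (not code from the thread). Assumes the openssl CLI is
# installed. Everything is written to a scratch directory; the CNs and
# hostnames below are constructed for the demonstration.
set -eu

WORK="${WORK:-$(mktemp -d)}"
ORIGIN_CN="apache.example.internal"   # constructed: the CN the cache_peer host must match

# Private CA plus CA-signed server and client certs, same shape as the thread's
# procedure but non-interactive: no passphrase on the keys, -subj instead of
# prompts, and "x509 -req" instead of "openssl ca" for the client cert.
make_pki() {
  (
    cd "$WORK"
    openssl genrsa -out ca.key 2048 2>/dev/null
    openssl req -new -x509 -days 3650 -key ca.key -out ca.crt \
      -subj "/CN=Example Private CA" 2>/dev/null
    openssl genrsa -out server.key 2048 2>/dev/null
    openssl req -new -key server.key -out server.csr -subj "/CN=$ORIGIN_CN" 2>/dev/null
    openssl x509 -req -days 3650 -in server.csr -CA ca.crt -CAkey ca.key \
      -set_serial 01 -out server.crt 2>/dev/null
    openssl genrsa -out client.key 2048 2>/dev/null
    openssl req -new -key client.key -out client.csr -subj "/CN=squid-reverse-proxy" 2>/dev/null
    openssl x509 -req -days 3650 -in client.csr -CA ca.crt -CAkey ca.key \
      -set_serial 02 -out client.crt 2>/dev/null
  )
}

# A self-signed cert carrying the origin's CN but unrelated to our CA: the kind
# of certificate sslflags=DONT_VERIFY_PEER would accept without complaint.
make_rogue_cert() {
  (
    cd "$WORK"
    openssl genrsa -out rogue.key 2048 2>/dev/null
    openssl req -new -x509 -days 30 -key rogue.key -out rogue.crt \
      -subj "/CN=$ORIGIN_CN" 2>/dev/null
  )
}

# Succeeds only if the cert chains to ca.crt, i.e. the check Squid makes with
# sslcafile=/path/ca.crt once DONT_VERIFY_PEER is gone.
verify_against_ca() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1" >/dev/null 2>&1
}

# Succeeds only if the certificate and private key carry the same public key;
# a mismatched sslcert=/sslkey= pair is one way Squid starts cleanly but never connects.
key_matches_cert() {
  cert_pub=$(openssl x509 -in "$WORK/$1" -pubkey -noout)
  key_pub=$(openssl pkey -in "$WORK/$2" -pubout 2>/dev/null)
  [ "$cert_pub" = "$key_pub" ]
}

# The certificate's CN; the cache_peer hostname (or ssldomain=) has to equal it,
# which is why the thread pins that name to an address in /etc/hosts.
cert_cn() {
  openssl x509 -in "$WORK/$1" -noout -subject -nameopt RFC2253 \
    | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

demo() {
  make_pki
  make_rogue_cert
  for c in server.crt client.crt rogue.crt; do
    if verify_against_ca "$c"; then echo "$c: chains to ca.crt"; else echo "$c: NOT signed by ca.crt"; fi
  done
  key_matches_cert client.crt client.key && echo "client.crt/client.key: match"
  echo "origin CN to use as the cache_peer host: $(cert_cn server.crt)"
}

demo
```

Run it as a script; the rogue.crt line in the output is the case a verifying cache_peer rejects and a DONT_VERIFY_PEER one lets through, even though its CN is the right name. The public-key comparison deliberately uses "openssl pkey" rather than "openssl rsa -modulus" so it also works for non-RSA keys.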
