Re: Rif: Re: [squid-users] squid in accellerated mode and edirectory and certificates

From: Amos Jeffries <squid3@dont-contact.us>
Date: Sat, 17 Nov 2007 11:57:08 +1300

i.linty@regione.vda.it wrote:
> Thank's
>
> But how I can do this ?
>
>
> My squid release:
> Name : squid-beta Relocations: (not relocatable)
> Version : 3.0 Vendor: SUSE LINUX
> Products GmbH, Nuernberg, Germany
> Release : 282 Build Date: Sun 26 Nov 2006
> 12:11:00 PM CET
> Install Date: Fri 16 Nov 2007 10:08:52 AM CET Build Host:
> Fatou.suse.de
> Group : Productivity/Networking/Web/Proxy Source RPM:
> squid-beta-3.0-282.src.rpm
> Size : 4912996 License: GNU General Public
> License (GPL)
> Signature : DSA/SHA1, Sun 26 Nov 2006 12:19:56 PM CET, Key ID
> a84edae89c800aca
> Packager : http://bugs.opensuse.org
> URL : http://www.squid-cache.org
> Summary : Squid V3.0 WWW Proxy Server (new version)
> Description : A recent development snapshot of the squid V3.0 WWW proxy
> server.
> Authors: Duane Wessels <wessels@ircache.net>
> Distribution: openSUSE 10.2 (i586)
>
> This is my squid.conf:
>
>
> https_port 443 cert=/home/ilinty/pingu.cert key=/home/ilinty/pingu.pem
> capath=/home/ilinty/pingu/ vhost

ALL traffic entering squid at port 443 for any site use these certs.
To have multiple websites using this port the cert apparently needs to
be a multi-site cert.

>
> cache_peer 10.1.0.180 parent 80 0 no-query originserver login=PASS
> name=www
> cache_peer_domain www 10.1.1.53 sslname=10.1.1.53
>
> cache_peer 10.1.0.199 parent 80 0 no-query originserver front-end-https
> proxy-only no-digest login=PASS name=itaca
> cache_peer_domain itaca pingu.regione.vda.it
>
>
> acl all src 0.0.0.0/0.0.0.0

If the dev release you are using is recent enough you should be getting
WARNING:'s about this acl. They mean its now pre-defined from 10th Nov
and does not go in squid.conf :-)

> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl portatile src 10.1.70.69/255.255.255.255
> acl reteravda src 10.0.0.0/255.0.0.0
>
> #acl certabilitati user_cert O Ravda
>
> http_access allow reteravda
> http_access allow portatile
> http_access deny all
>
>
> --------------------
>
> Now I want to add certification authentication to the 2nd site
> pingu.regione.vda.it --> 10.1.0.199 (itaca.regione.vda.it)
>
> Can someone help my ?
>
> I don't know also if the options: "no-query originserver front-end-https
> proxy-only no-digest" are alle correct ...

proxy-only - will prevent all caching of static content. This removes
most of the bandwidth savings of squid as an accelerator.

front-end-https - sounds right, but I'm not too up in that area yet.

no-query, no-digest - good for a non-squid peer. Prevent cache-to-cache
protocols being used. maybe also no-netdb-exchange if netdb is built in.

>
> Adrian Chadd <adrian@creative.net.au> wrote on 11/16/2007 01:07:23 PM:
>
>> On Fri, Nov 16, 2007, i.linty@regione.vda.it wrote:
>>> Hi,
>>>
>>> I'm new in this mailing list. Greetings to all!
>>>
>>> Can someone tell me if using squid is possible to make a proxy https
> to
>>> http in order to securize some intranet sites.
>> Yes its entirely possible. :)
>>
>>
>>
>>
>> Adrian
>>
>
Received on Fri Nov 16 2007 - 15:57:31 MST

This archive was generated by hypermail pre-2.1.9 : Sat Dec 01 2007 - 12:00:02 MST