Re: [squid-users] squid AND ssl

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Wed, 22 Apr 2009 21:18:46 +1200

joe ryan wrote:
> Hi,
> I have a simple webserver that listens on port 80 for requests. I
> would like to secure access to this webserver using squid and SSL. I
> can access the simple website through http without any issue. When I

As your config shows. Squid is never involved with port 80 inbound traffic.

> try and access it using https: I get a message in the cache file. See
> attached.
> The web page error show up as Connection to 192.168.0.1 Failed
> The system returned:
> (13) Permission denied
>
> I am running Squid stable 2.7 and I used openssl to generate the cert and key.
> I have attached my conf file and cache errors.
> Can squid secure an unsecure webserver the way I am trying to do?
>

From your config:
> http_port 192.168.0.1:8080
  ...
> http_access allow all

This is not a secure configuration. Either use accel options on the port
line to set the default handling security, or explicitly permit and deny
specific access to things using ACLs.

Also this:

> acl webSrv dst 192.168.0.1
> acl webPrt port 80
> http_access allow webSrv webprt

Is even less secure. As an accelerator clients will never visit squid
asking for port 80, since squid does not listen there.

These two lines:
> https_port 192.168.0.1:443 accel <snip>
> cache_peer 192.168.0.1 parent 443 0 no-query <snip>

explicitly state that all incoming HTTPS requests are to be looped from
squid into squid ... infinity.

But luckily for you ...

> always_direct allow all

... prevents any cache_peer ever being used.

I believe you need to chop your http_port and http_access configuration
back to the defaults then reconstruct along these guidelines for the
HTTP portion:
  http://wiki.squid-cache.org/ConfigExamples/Reverse/BasicAccelerator

At which point you should have both HTTP and HTTPS accepted by squid and
passed to the HTTPS-enabled web server.

For Squid to be a proper reverse-proxy/accelerator you need Squid to
listen on 192.168.0.1:80 and the app to listen on port 80 of some other
IP (127.0.0.1:80 is commonly used in these circumstances).

I also get the impression the web server is not HTTPS enabled. Therefore
you probably do not actually want any SSL options on the cache_peer
line. Then HTTPS will be on the public clients->squid link and internal
link plain HTTP.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE6 or 3.0.STABLE14
   Current Beta Squid 3.1.0.7
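The layout Amos describes, as an added example that is not part of the original post or of the Squid project's own documentation. BROKEN_CONF reconstructs only the lines quoted above (the snipped https_port and cache_peer options are left out); FIXED_CONF is the reverse-proxy layout the BasicAccelerator wiki page describes, with the app moved to 127.0.0.1:80 and TLS terminated at Squid. The site name www.example.com and the cert/key paths are assumed values. The lint function flags the three mistakes the reply walks through (the squid-to-squid loop, always_direct disabling every peer, and an open http_access on a non-accel port), which `squid -k parse` will not catch because they are syntactically valid.

```shell
#!/bin/sh
# Added example for this thread, not from the original post or from Squid.
# Assumed values: www.example.com, /etc/squid/cert.pem, /etc/squid/key.pem.

# Reconstruction of the quoted config (snipped options omitted).
BROKEN_CONF='
http_port 192.168.0.1:8080
https_port 192.168.0.1:443 accel
cache_peer 192.168.0.1 parent 443 0 no-query
acl webSrv dst 192.168.0.1
acl webPrt port 80
http_access allow webSrv webPrt
http_access allow all
always_direct allow all
'

# Corrected layout: Squid owns the public IP on 80 and 443, the origin app
# listens on loopback, and the internal hop stays plain HTTP (no ssl options
# on the peer line, since the app is not HTTPS-enabled).
FIXED_CONF='
http_port 192.168.0.1:80 accel defaultsite=www.example.com
https_port 192.168.0.1:443 accel defaultsite=www.example.com cert=/etc/squid/cert.pem key=/etc/squid/key.pem
cache_peer 127.0.0.1 parent 80 0 no-query originserver name=webSrv
# Only requests for our site may enter, and only webSrv may serve them.
acl our_sites dstdomain www.example.com
http_access allow our_sites
cache_peer_access webSrv allow our_sites
cache_peer_access webSrv deny all
http_access deny all
'

# lint_squid_conf CONFIG_TEXT
# Prints one finding per line and returns 1 if any were found, 0 if clean.
lint_squid_conf() {
    printf '%s\n' "$1" | awk '
    /^[ \t]*#/ || NF == 0 { next }
    # Remember every address Squid itself listens on, and whether it is accel.
    $1 == "http_port" || $1 == "https_port" {
        n = split($2, a, ":")
        if (n == 2) key = a[1] ":" a[2]; else key = "*:" a[1]
        listen[key] = $1
        accel = 0
        for (i = 3; i <= NF; i++) if ($i == "accel") accel = 1
        if (!accel) open_port = $1 " " $2
    }
    # cache_peer HOST TYPE HTTP_PORT ICP_PORT ...
    $1 == "cache_peer" { peers[$2 ":" $4] = 1; npeers++ }
    $1 == "http_access"   && $2 == "allow" && $3 == "all" { allow_all = 1 }
    $1 == "always_direct" && $2 == "allow" && $3 == "all" { always_direct = 1 }
    END {
        n = 0
        # A peer that is one of our own listeners forwards squid to squid forever.
        for (p in peers) if (p in listen) {
            print "LOOP: cache_peer " p " is the " listen[p] " of this squid"; n++
        }
        if (always_direct && npeers) {
            print "NOPEER: always_direct allow all means no cache_peer is ever used"; n++
        }
        if (allow_all && open_port != "") {
            print "OPEN: http_access allow all on non-accel " open_port; n++
        }
        exit (n > 0)
    }'
}

# Stand-alone run: report on both fragments.
echo "== broken =="; lint_squid_conf "$BROKEN_CONF" || true
echo "== fixed ==";  lint_squid_conf "$FIXED_CONF" && echo "no findings"
```

Run `squid -k parse` on the real file as well: it validates syntax (and will reject an https_port without cert= and key=), but the three findings above are about routing logic, which only a check like this one, or reading the config the way the reply does, will expose.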
Received on Wed Apr 22 2009 - 09:18:50 MDT

This archive was generated by hypermail 2.2.0 : Wed Apr 22 2009 - 12:00:02 MDT