Re: [squid-users] SSL client cert configuration and provision

From: Stephan Hügel <urschrei_at_gmail.com>
Date: Mon, 23 May 2011 16:01:13 +0100

On 23 May 2011 10:46, Stephan Hügel <urschrei_at_gmail.com> wrote:
> On 23 May 2011 00:59, Amos Jeffries <squid3_at_treenet.co.nz> wrote:
>> On Sun, 22 May 2011 11:34:48 +0100, Stephan Hügel wrote:
>>>
>>> On 22 May 2011 04:01, Amos Jeffries <squid3_at_treenet.co.nz> wrote:
>>>>
>>>> On 22/05/11 06:09, Stephan Hügel wrote:
>>>>>
>>>>> Hello,
>>>>> Apologies in advance for the (presumably) repetitive question:
>>>>> I'd like to set up squid to provide an SSL cert required for access to
>>>>> a certain site on behalf of my users. I've converted the cert (it was
>>>>> provided in PFX format) to PEM format, and generated a key (though I'm
>>>>> not entirely sure that's necessary).
>>>>> I've installed squid 2.7.STABLE9 on Ubuntu 11.04, and configured http
>>>>> access for users on my subnet, and this is working correctly:
>>>>>
>>>>> http_port 3128
>>>>> acl all src all
>>>>> acl manager proto cache_object
>>>>> acl localhost src 127.0.0.1/32
>>>>> acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
>>>>> acl localnet src 10.10.10.0/24
>>>>> [snip]
>>>>> http_access allow localnet
>>>>> icp_access allow localnet
>>>>>
>>>>> But I haven't been able to find a HOWTO for transparently providing
>>>>> the required SSL cert on behalf of clients when they connect to the
>>>>> site which requires it.
>>>>> I assume I have to provide a https_port (443?), and https_allow
>>>>> localnet, but I'm not sure about anything else.
>>>>>
>>>>> TIA
>>>>
>>>> https_port is for reverse-proxy when the certificate is to be presented
>>>> to the *client*.
>>>>
>>>> From what you say, it seems clients are supposed to present a unique
>>>> identifier certificate to the *server* and you want to forge from Squid?
>>>>
>>>>
>>>> Before we give you any config, which of those completely different setups
>>>> do you actually want?
>>>>
>>>>
>>> Amos,
>>> The latter; I'd like Squid to present the cert on behalf of the clients.
>>
>> Then the https_port end for squid<->client is irrelevant.
>>
>> The cert needs to go on a cache_peer line pointing Squid at the origin
>> server. Similar to reverse-proxy but not quite:
>>
>>  cache_peer example.com parent 443 0 originserver ssl sslcert=/path/to/cert.pem name=AB
>>  acl site dstdomain example.com
>>  cache_peer_access AB allow site
>>  never_direct allow site
>>
>> Note: port and http_access are left alone so your regular forwarding
>> permissions take control. Only never_direct is added to prevent Squid
>> connecting via direct links without the cert.
>>
>> Amos
>>
>>
> Amos,
> Many thanks. I've pasted in those config lines, and substituted my own
> details for example.com and the cert path, but upon restart I can't
> reach any sites using http or https. Neither cache.log nor access.log
> show any errors or activity. I've confirmed that commenting the new
> lines out restores access. My PEM key file looks fine (I can view it
> in an editor, and it includes the private key). I inserted your lines
> just before my own two:
> http_access allow localnet
> icp_access allow localnet
> which are at the very end of the conf. What should I try next?

After rebuilding on Ubuntu with SSL support enabled, Squid is now
working with the above config, but does not appear to be passing the
SSL cert on when the site in question is requested.

-- 
steph
Received on Mon May 23 2011 - 15:01:21 MDT
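A sanity check for the file named in `sslcert=`, added here as an example and not part of the thread or of Squid itself. It assumes what the `cache_peer` setup above relies on: when `sslkey=` is not given, Squid looks for the private key in the `sslcert=` file, and that key must not be passphrase-protected. The sample PEM is constructed in the shape `openssl pkcs12 -nodes` produces (Bag Attributes, certificate, key), with placeholder bodies.

```python
import re

# Constructed sample in the shape "openssl pkcs12 -in client.pfx -out client.pem -nodes"
# emits: Bag Attributes, then a CERTIFICATE block and a PRIVATE KEY block.
# The base64 bodies are placeholders, not real key material.
SAMPLE_PEM = """Bag Attributes
    friendlyName: client
-----BEGIN CERTIFICATE-----
MIIBplaceholderCertificateBody=
-----END CERTIFICATE-----
Bag Attributes
    friendlyName: client
-----BEGIN PRIVATE KEY-----
MIIEplaceholderKeyBody=
-----END PRIVATE KEY-----
"""

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}


def pem_blocks(text):
    """Return (label, body) for every PEM block in text, in file order."""
    return [(m.group(1), m.group(2)) for m in PEM_BLOCK.finditer(text)]


def check_client_pem(text):
    """Check that a PEM file has what a cache_peer sslcert= file needs.

    Assumption (not stated in the thread): Squid reads the certificate from
    sslcert= and, without sslkey=, the private key from the same file; the key
    must be unencrypted because Squid cannot prompt for a passphrase.
    Returns the findings plus a list of human-readable problems.
    """
    blocks = pem_blocks(text)
    has_cert = any(label == "CERTIFICATE" for label, _ in blocks)
    keys = [(label, body) for label, body in blocks if label in KEY_LABELS]
    # Two ways a key ends up encrypted: a PKCS#8 "ENCRYPTED PRIVATE KEY" block,
    # or a traditional key carrying a "Proc-Type: 4,ENCRYPTED" header line.
    key_encrypted = any(label == "ENCRYPTED PRIVATE KEY" or
                        "Proc-Type: 4,ENCRYPTED" in body for label, body in keys)
    problems = []
    if not has_cert:
        problems.append("no CERTIFICATE block: Squid has nothing to present to the origin")
    if not keys:
        problems.append("no private key block: add it to this file or point sslkey= at it")
    if key_encrypted:
        problems.append("private key is passphrase-protected: Squid cannot prompt for it")
    return {"has_cert": has_cert, "has_key": bool(keys),
            "key_encrypted": key_encrypted, "problems": problems}
```

Run it over the real file with `check_client_pem(open(path).read())` before pointing `sslcert=` at it; an empty `problems` list means the file at least has the parts Squid expects.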
