ok this makes sense with never_direct and both squid servers pointing to the same webserver. I put everything in place but I'm getting the (71) protocol error. The hint from the FAQ that squid could be blocked led me to the cache.log where I'm getting errors with the negotiation of the ssl certificate:

SQUID1 is showing

2003/03/27 16:44:46| TCP connection to 10.10.1.73/443 failed
2003/03/27 16:44:46| SSL unknown certificate error 18 in /C=US/ST=XX/L=XXXXXX/O=XXXXXX/CN=SQUID2
2003/03/27 16:44:46| fwdNegotiateSSL: Error negotiating SSL connection on FD 13: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1)

SQUID2 is showing

2003/03/27 11:40:00| clientNegotiateSSL: Error negotiating SSL connection on FD 10: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (1/0)

the above is duplicated after having recreated the key, cert (on SQUID2) with:
"openssl req -new -x509 -nodes -keyout test_key.pem -out test_cert.pem"

do I need to copy anything over to SQUID1 (any keys?) or perhaps set any more directives in regards to SSL on SQUID2? (I notice cache_peer has further ssl options for keys)

Again, Henrik, I appreciate your time and patience while I'm newly learning squid and the ssl world.

----- Original Message -----
From: "Henrik Nordstrom" <[EMAIL PROTECTED]>
To: "mlister" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Wednesday, March 26, 2003 7:19 PM
Subject: Re: [squid-users] ssl between squid accelerators

> mlister wrote:
>
> > Anyways I will compile Squid-3 and start working with it, but I am curious
> > if you (Henrik, or any of the listers) have any sample configuration files
> > or could give me cache_peer directive examples to where I have something to
> > mold.
> >
> > client <---SSL-->SQUID1<---SSL--->SQUID2<---HTTP-->webserver
>
> Squid-3:
>
> SQUID1:
>
> https_port 443 cert=... accel defaultsite=www.your.domain
> cache_peer squid2 parent 443 0 ssl no-query originserver
>
> SQUID2:
>
> https_port 443 cert=... accel defaultsite=www.your.domain
> cache_peer webserver parent 80 0 no-query originserver
>
> Squid-2.5+ssl update:
>
> SQUID1:
>
> https_port 443 cert=...
> httpd_accel_host www.your.domain
> httpd_accel_port 80
> cache_peer squid2 parent 443 0 ssl no-query
> never_direct allow all
>
> alternatively instead of using cache_peer+never_direct, use a redirector
> which rewrites the requests as https://www.your.domain/ and register
> www.your.domain into /etc/hosts with the address of SQUID2.
>
> SQUID2:
>
> https_port 443 cert=..
> httpd_accel_host www.your.domain
>
> and put www.your.domain into /etc/hosts with the address of the real web
> server.
>
> In all cases you should also configure http_access to only allow access
> to www.your.domain..
>
> Regards
> Henrik
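The "SSL unknown certificate error 18" in the post above is OpenSSL's verify code for a self-signed certificate at depth zero: SQUID1 has never seen SQUID2's freshly generated test_cert.pem, so the chain ends at a certificate it does not trust and SQUID2 sees the matching "unknown ca" alert. This added example (not code from the thread or the Squid project) reproduces that with the poster's openssl command and shows that giving SQUID1 a copy of SQUID2's certificate as a trust anchor, which is what Squid 3's cache_peer sslcafile= option takes, makes verification pass; it assumes openssl(1) is on PATH and uses a constructed subject matching the log line.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the "unknown certificate
# error 18" that SQUID1 logs and show what resolves it. Error 18 is OpenSSL's
# X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: the peer cert is self-signed and the
# verifier has no trusted copy of it, so no CA is ever reached.
# Assumes openssl(1) on PATH; files are left in $WORK for inspection.
set -e
WORK=${WORK:-$(mktemp -d)}
PEER_KEY="$WORK/test_key.pem"
PEER_CERT="$WORK/test_cert.pem"

# The poster's command on SQUID2, made non-interactive with a constructed
# -subj that mirrors the subject shown in the SQUID1 log line.
make_peer_cert() {
  openssl req -new -x509 -nodes -newkey rsa:2048 -days 365 \
    -subj "/C=US/ST=XX/L=XXXXXX/O=XXXXXX/CN=SQUID2" \
    -keyout "$PEER_KEY" -out "$PEER_CERT" 2>/dev/null
}

# SQUID1's view with only its default trust store: prints the X509 verify
# error number OpenSSL reports (18 for a self-signed cert it has never seen).
verify_without_peer_ca() {
  openssl verify "$PEER_CERT" 2>&1 \
    | sed -n 's/.*error \([0-9]*\) at .*/\1/p' | head -n 1
}

# The fix: copy SQUID2's test_cert.pem (the certificate only, never the key)
# to SQUID1 and hand it to the verifier as a trust anchor, which is what
# cache_peer's sslcafile= option does in Squid 3. Exit status 0 means OK.
verify_with_peer_ca() {
  openssl verify -CAfile "$PEER_CERT" "$PEER_CERT" >/dev/null 2>&1
}

make_peer_cert
echo "without SQUID2's cert as trust anchor: X509 error $(verify_without_peer_ca)"
if verify_with_peer_ca; then
  echo "with -CAfile test_cert.pem: verification OK"
fi
```

The same check can be pointed at a real peer with `openssl s_client -connect host:443 -CAfile test_cert.pem`, whose "Verify return code" line reports the identical error number.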
