Henrik ok all looks good now using sslflags=DONT_VERIFY_PEER (selfsigned) httpd_accel_with_proxy on
Much thanks for your help.

----- Original Message -----
From: "mlister" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, March 27, 2003 11:52 AM
Subject: Re: [squid-users] ssl between squid accellerators

> ok this makes sense with never_direct and both squid servers pointing to the
> same webserver.
> I put everything in place but I'm getting the (71) protocol error. The hint
> from the FAQ that squid could be blocked led me to the cache.log where I'm
> getting errors with the negotiation of the ssl certificate:
>
> SQUID1 is showing
> 2003/03/27 16:44:46| TCP connection to 10.10.1.73/443 failed
> 2003/03/27 16:44:46| SSL unknown certificate error 18 in /C=US/ST=XX/L=XXXXXX/O=XXXXXX/CN=SQUID2
> 2003/03/27 16:44:46| fwdNegotiateSSL: Error negotiating SSL connection on FD 13: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1)
>
> SQUID2 is showing
> 2003/03/27 11:40:00| clientNegotiateSSL: Error negotiating SSL connection on FD 10: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (1/0)
>
> the above is duplicate after having recreated the key, cert (on SQUID2) with:
> "openssl req -new -x509 -nodes -keyout test_key.pem -out test_cert.pem"
>
> do I need to copy anything over to SQUID1 (any keys?) or perhaps set any more
> directives in regards to SSL on SQUID2 ? (I notice cache_peer has further ssl
> options for keys)
>
> Again, Henrik I appreciate your time and patience while I'm newly learning
> squid and the ssl world.
>
>
> ----- Original Message -----
> From: "Henrik Nordstrom" <[EMAIL PROTECTED]>
> To: "mlister" <[EMAIL PROTECTED]>
> Cc: <[EMAIL PROTECTED]>
> Sent: Wednesday, March 26, 2003 7:19 PM
> Subject: Re: [squid-users] ssl between squid accellerators
>
>
> > mlister wrote:
> >
> > > Anyways I will compile Squid-3 and start working with it, but I am curious
> > > if you (Henrik, or any of the listers) have any sample configuration files
> > > or could give me cache_peer directive examples to where I have something to
> > > mold.
> > >
> > > client <---SSL-->SQUID1<---SSL--->SQUID2<---HTTP-->webserver
> >
> > Squid-3:
> >
> > SQUID1:
> >
> > https_port 443 cert=... accel defaultsite=www.your.domain
> > cache_peer squid2 parent 443 0 ssl no-query originserver
> >
> > SQUID2:
> >
> > https_port 443 cert=... accel defaultsite=www.your.domain
> > cache_peer webserver parent 80 0 no-query originserver
> >
> >
> > Squid-2.5+ssl update:
> >
> > SQUID1:
> >
> > https_port 443 cert=...
> > httpd_accel_host www.your.domain
> > httpd_accel_port 80
> > cache_peer squid2 parent 443 0 ssl no-query
> > never_direct allow all
> >
> > alternatively instead of using cache_peer+never_direct, use a redirector
> > which rewrites the requests as https://www.your.domain/ and register
> > www.your.domain into /etc/hosts with the address of SQUID2.
> >
> > SQUID2:
> >
> > https_port 443 cert=..
> > httpd_accel_host www.your.domain
> >
> > and put www.your.domain into /etc/hosts with the address of the real web
> > server.
> >
> >
> > In all cases you should also configure http_access to only allow access
> > to www.your.domain..
> >
> >
> > Regards
> > Henrik
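The top reply makes the "certificate verify failed" / "tlsv1 alert unknown ca" pair go away with sslflags=DONT_VERIFY_PEER, which tells SQUID1 to accept whatever certificate the peer presents; that removes the authentication half of the SQUID1 to SQUID2 TLS hop, so anything that can answer on 10.10.1.73:443 would be accepted as SQUID2. The alternative that keeps verification is to copy SQUID2's self-signed certificate (test_cert.pem, never test_key.pem) to SQUID1 and hand it to cache_peer with sslcafile=, which is the Squid 3 cache_peer option for extra trusted CA certificates; a self-signed certificate is its own issuer, so listing it there is enough for the chain to verify. The following SQUID1 fragment is an added example and not configuration from the thread or the Squid project; the file path /etc/squid/squid2-cert.pem is an assumption.

```conf
# SQUID1 squid.conf, Squid-3 style (added example, not from the thread).
# Assumes test_cert.pem from SQUID2 was copied to /etc/squid/squid2-cert.pem.

https_port 443 cert=... accel defaultsite=www.your.domain

# Weak: accepts any certificate from the peer, so the TLS hop to SQUID2
# is encrypted but the far end is not authenticated.
#cache_peer squid2 parent 443 0 ssl no-query originserver sslflags=DONT_VERIFY_PEER

# Corrected: trust exactly SQUID2's own self-signed certificate.
# The peer name "squid2" must match the certificate CN (CN=SQUID2 in the
# thread's log line); if it did not, ssldomain= would name the expected CN.
cache_peer squid2 parent 443 0 ssl no-query originserver sslcafile=/etc/squid/squid2-cert.pem
```

After the change, a successful connection logs no fwdNegotiateSSL error on SQUID1 and no "unknown ca" alert on SQUID2; if SQUID2's certificate is later regenerated, the copy on SQUID1 has to be refreshed or the verify error from the thread returns, which is the intended behaviour.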
