Re: [squid-users] Proxy and cache of SSL with client auth?

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Wed, 20 May 2009 15:14:27 +1200 (NZST)

> This may sound insane, but here goes. I've got a file distribution
> system that relies on client certificate authentication through SSL
> (https) to authenticate clients prior to delivery of files. Typical
> apache with ssl and client cert setup. I have reached a situation,
> however, where it would be convenient to create a tiered system of
> caches of said files. My thought was to use squid to do this as follows:
>
> Server stays the same - requires client cert to return a file.
>
> Squid proxy is set up on a box with a valid client cert, setting up
> sslproxy_* to point to valid client certs. Squid is also configured
> with https to require client certs for connection to Squid (this last
> part is less important - the clients in this particular setup are
> actually on a private network that is not considered at risk). When the
> client makes a request for a file, squid makes the request using its
> authorized cert, and then serves the file down-stream.
>
> From my initial reading of the squid configs and documentation I could
> find, it seemed like this would be possible. I have tried it, and it
> doesn't seem to be working. I get the (apparently common) SSL 'CONNECT'
> error:
>
>> clientNegotiateSSL: Error negotiating SSL connection on FD 11:
>> error:1407609B:SSL routines:SSL23_GET_CLIENT_HELLO:https proxy request
>> (1/-1)
>
> Is what I'm trying to do even possible with Squid? I'm using version
> 2.6.STABLE6 on CentOS 5.2. I'd be happy to send my squid configs if
> that'd help. Any help would be appreciated ;-)
>
> Justin Binns
>

Are you using squid as a regular forward-proxy, or as a reverse-proxy/CDN
for this system?

Amos
Received on Wed May 20 2009 - 03:14:37 MDT
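The two deployments Amos asks about differ in which directives carry the client certificate, so here is an added squid.conf fragment (not from the thread or the Squid project) showing both with Squid 2.6 directive names; every path, port and the hostnames files.example.com / origin.example.com are placeholders. The quoted OpenSSL error is raised when the first bytes on the TLS socket are a plaintext CONNECT request, i.e. a client treating the https_port as an ordinary proxy port.

```conf
# --- Option A: forward proxy --------------------------------------------
# Clients must present a certificate signed by clients-ca.pem before Squid
# accepts the connection at all (the "less important" part of the post).
https_port 3129 cert=/etc/squid/ssl/proxy.crt key=/etc/squid/ssl/proxy.key \
    clientca=/etc/squid/ssl/clients-ca.pem

# Certificate Squid presents when IT opens the outbound TLS connection, and
# the CA bundle it verifies the origin against. These apply only when Squid
# originates the TLS session itself (e.g. an https:// URL requested over
# plain HTTP); a CONNECT tunnel is relayed opaquely, so it is neither
# authenticated with this certificate nor cached.
sslproxy_client_certificate /etc/squid/ssl/squid-client.crt
sslproxy_client_key         /etc/squid/ssl/squid-client.key
sslproxy_cafile             /etc/squid/ssl/origin-ca.pem

# CONNECT itself is plaintext: point clients that use it at an http_port.
# Sending CONNECT to the https_port above produces
#   SSL23_GET_CLIENT_HELLO:https proxy request
http_port 3128

# --- Option B: reverse proxy / CDN tier ---------------------------------
# Squid terminates client TLS, then holds the origin's client certificate
# on the cache_peer; responses are cacheable like any origin fetch.
https_port 443 cert=/etc/squid/ssl/edge.crt key=/etc/squid/ssl/edge.key \
    clientca=/etc/squid/ssl/clients-ca.pem defaultsite=files.example.com
cache_peer origin.example.com parent 443 0 no-query originserver ssl \
    sslcert=/etc/squid/ssl/squid-client.crt \
    sslkey=/etc/squid/ssl/squid-client.key \
    sslcafile=/etc/squid/ssl/origin-ca.pem \
    name=origin
acl files dstdomain files.example.com
http_access allow files
cache_peer_access origin allow files
never_direct allow all
```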
