Re: [squid-users] Cache Peer Redirection Based on User Certificate

From: Waldemar Siebert <wsiebert_at_online.de>
Date: Sat, 28 Dec 2013 15:49:26 +0100

Based on a string in the client certificate (in my case the CN field) I would like to
route an https request to a dedicated webserver by using the
cache_peer_access directive.

E.g.: Client with certificate field CN a111 will be redirected to the parent
P1

Client with certificate field CN a222 will be redirected to the parent P2

That works with acl type "src" but not with acl type user_cert

Thanks
Walt

----- Original Message -----
From: "Eliezer Croitoru" <eliezer_at_ngtech.co.il>
To: <squid-users_at_squid-cache.org>
Sent: Saturday, December 28, 2013 2:43 PM
Subject: Re: [squid-users] Cache Peer Redirection Based on User Certificate

>I am still not sure what you are trying to achieve..
>
> From the docs at:
> http://www.squid-cache.org/Doc/config/acl/
>
> acl aclname user_cert attribute values...
> # match against attributes in a user SSL certificate
> # attribute is one of DN/C/O/CN/L/ST [fast]
>
> It is only there for a basic inspection of the user SSL certificate...
> the same goes for:
> acl aclname ca_cert attribute values...
> # match against attributes a users issuing CA SSL certificate
> # attribute is one of DN/C/O/CN/L/ST [fast]
>
> It has been there since 3.1 and the respective aspect on the client side is on
> the side of the "client" which we are talking about "squid" in the manner
> of making squid as a client and user while the "end user" cannot send
> squid certificates for now.
>
> Squid is not a VPN system which allows specific clients access to a
> specific level of the system since it's a very fast piece of software.
> All these levels of SSL connection are not to be used inside of squid.
>
> I must say that I am not the SSL expert and if you need more information
> on the matter it's pretty simple to ask about the whole subject to
> understand it properly.(feel free to contact me or anyone else)
>
> Regards,
> Eliezer
>
> On 28/12/13 15:15, Waldemar Siebert wrote:
>> Hello,
>>
>> what about acl user_cert?
>>
>> It works with http_access, but not with cache_peer_access. See log below.
>> I use Squid 3.1.8
>>
>> Thanks
>> Walt
>
Received on Sat Dec 28 2013 - 14:49:30 MST
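For readers landing on this thread, here is the setup Walt describes written out as a squid.conf fragment. It is an added example, not configuration posted in the thread or shipped by the Squid project; the hostnames, ports, certificate paths and the peer names P1/P2 are assumptions. The two things a practitioner usually has to check before blaming cache_peer_access are also spelled out in the comments: a user_cert ACL can only match when the client presented a certificate to Squid itself, which means the listening port must be an https_port that requests client certificates, and a client whose CN matches neither ACL must be prevented from going direct. Whether the user_cert ACL is evaluated at peer-selection time on 3.1.8 is exactly what Walt is asking; the example shows the intended layout, not a claim that it works on that release.

```squid
# Added example (not from the thread): CN-based parent selection.
# All hosts, ports, paths and peer names below are assumptions.

# user_cert needs a client certificate presented to Squid, so the listener
# must be an https_port with cafile= pointing at the CA that issued the
# client certificates; without this no user_cert ACL can ever match.
https_port 3129 cert=/etc/squid/server.pem key=/etc/squid/server.key \
    cafile=/etc/squid/client-ca.pem

# Match on the CN attribute of the client certificate's subject.
acl cn_a111 user_cert CN a111
acl cn_a222 user_cert CN a222

# Two parents; cache_peer_access decides which one a request may use.
cache_peer p1.example.internal parent 443 0 no-query ssl name=P1
cache_peer p2.example.internal parent 443 0 no-query ssl name=P2

# Peer selection: each parent is reachable only by the matching CN.
cache_peer_access P1 allow cn_a111
cache_peer_access P1 deny all
cache_peer_access P2 allow cn_a222
cache_peer_access P2 deny all

# Force every request through a parent so a client with an unknown CN
# gets an error instead of silently going direct to the origin.
never_direct allow all

# Front-door policy: only clients with one of the known CNs get in at all.
http_access allow cn_a111
http_access allow cn_a222
http_access deny all
```

Validate the syntax with `squid -k parse` before reloading, and test each client certificate separately: a request that reaches the wrong parent (or the origin directly) with this fragment in place points at the ACL not matching during peer selection rather than at a typo in the config.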
