Linux - Server: This forum is for the discussion of Linux software used in a server-related context.
I'm confronted with a problem using Squid 3 and https. It simply doesn't work.
I have a dedicated server installed with Debian 5.0, compiled, installed and configured Squid_3.0.STABLE16 and created my own CA and subsequently a wildcard certificate.
Squid will be used as a reverse proxy with caching and LDAP authentication. I have all of those working in a testing environment. I get the popup for the username, my credentials get authenticated correctly with our AD server and all the http sites can be accessed.
When I try to access the https site (at this time the only one), I always get an error stating 'The connection was interrupted'. Nothing mentioning https is showing in the log files. It seems like Squid is not accepting https connections.
I have been searching with Google for half a day but haven't found the solution yet, so I'm appealing to someone who can help me out on this one. Any help is greatly appreciated.
My config file:
Code:
cache_mgr root
debug_options ALL,9
# Basic parameters
visible_hostname www.tradisa.com
auth_param basic realm Tradisa Security Portal
# This line indicates the server we will be proxying for
http_port 80 defaultsite=www.tradisa.com vhost
https_port 443 cert=/etc/ssl/tradisacert.pem key=/etc/ssl/tradisakey.pem cafile=/etc/ssl/CA/cacert.pem defaultsite=portal.tradisa.com vhost
forwarded_for on
# And the IP Address for it - adjust the IP and port if necessary
cache_peer 172.25.2.73 parent 80 0 no-query originserver name=tradinet
acl site_tradinet dstdomain tradinet.tradisa.com
cache_peer_access tradinet allow site_tradinet
cache_peer 172.25.2.27 parent 80 0 no-query originserver name=webauto
acl site_webauto dstdomain webauto.tradisa.com
cache_peer_access webauto allow site_webauto
cache_peer 172.25.2.21 parent 80 0 no-query originserver name=webmat
acl site_webmat dstdomain webmat.tradisa.com
cache_peer_access webmat allow site_webmat
cache_peer 172.25.2.84 parent 19080 0 no-query originserver name=portal
acl site_portal dstdomain portal.tradisa.com
cache_peer_access portal allow site_portal
cache_peer 172.25.2.55 parent 80 0 no-query originserver name=wiki
acl site_wiki dstdomain wiki.tradisa.com
cache_peer_access wiki allow site_wiki
acl apache rep_header Server ^Apache
# Where the cache files will be, memory and such
cache_dir ufs /var/spool/squid3 10000 16 256
cache_mem 256 MB
maximum_object_size_in_memory 128 KB
# Log locations and format
#logformat common %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %<st %Ss:%Sh
logformat combined %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
access_log /var/log/squid3/access.log combined
cache_log /var/log/squid3/cache.log
cache_store_log /var/log/squid3/store.log
logfile_rotate 10
hosts_file /etc/hosts
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 # https
acl Safe_ports port 80
acl Safe_ports port 443
acl purge method PURGE
acl CONNECT method CONNECT
auth_param basic program /lib/squid3/squid_ldap_auth -R -b "dc=tradisa,dc=es" -D "cn=trdcomun,cn=Users,dc=tradisa,dc=es" -w "trdcomun" -f sAMAccountName=%s -h 172.25.2.18
auth_param basic children 5
acl ldap_users proxy_auth REQUIRED
http_access allow ldap_users
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access allow localhost
http_access allow all
http_access allow all
http_reply_access allow all
icp_access allow all
cache_effective_group proxy
coredump_dir /var/spool/squid3
emulate_httpd_log on
redirect_rewrites_host_header off
buffered_logs on
# Do not cache cgi-bin, ? urls, posts, etc.
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
acl POST method POST
no_cache deny QUERY
no_cache deny POST
This server is set up in a local temporary environment, so I have no problem leaving the IPs in the config file as they are not accessible from anywhere.
So if I understand it correctly, port 443 is open and accepting connections (which I already knew from telnet) but apparently there's something wrong with the SSL handshake. How do I go about this?
Something is funny with your private key and/or cert. Can you put a more generic (self-signed) one in place to prove the point? You said something earlier about a wildcard cert; keep it simple for now to work through the process of elimination.
-------
<deleted comment> -- never mind. I see you're on RFC 1918 private IP space.
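An added diagnostic script for the handshake failure discussed above (it is not code from the thread or from Squid). It assumes openssl(1) is installed, uses the certificate paths from the posted config, and treats the listener address and SNI name as placeholders you override through the environment.

```shell
#!/bin/sh
# Added example, not from the thread: separates the three causes a failed TLS
# handshake on a Squid reverse proxy usually comes down to: the cert and key
# given to https_port do not belong together, the cert does not chain to the
# CA named in cafile=, or the listener does not speak TLS at all.
# Assumes openssl(1) is on PATH. Paths are the ones from the posted squid.conf;
# LISTENER and SNI are assumed placeholders, all overridable via environment.

CERT=${CERT:-/etc/ssl/tradisacert.pem}
KEY=${KEY:-/etc/ssl/tradisakey.pem}
CA=${CA:-/etc/ssl/CA/cacert.pem}
LISTENER=${LISTENER:-127.0.0.1:443}
SNI=${SNI:-portal.tradisa.com}

# Returns 0 when the public key inside the certificate equals the one derived
# from the private key (compares the PEM SubjectPublicKeyInfo; RSA or EC).
cert_matches_key() {
    cert_pub=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null) || return 1
    key_pub=$(openssl pkey -pubout -in "$2" 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Returns 0 when the certificate verifies against the CA file given to cafile=.
cert_chains_to_ca() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Returns 0 when a TLS handshake with the listener completes and prints
# openssl's verify result. SNI is sent because https_port uses vhost with a
# wildcard certificate, so the name presented must match the site requested.
tls_handshake() {
    out=$(openssl s_client -connect "$1" -servername "$2" -CAfile "$3" \
              </dev/null 2>&1) || return 1
    printf '%s\n' "$out" | grep 'Verify return code'
}

# Run the checks only when the configured files exist (skipped in a harness).
if [ -r "$CERT" ] && [ -r "$KEY" ] && [ -r "$CA" ]; then
    cert_matches_key "$CERT" "$KEY" && echo "cert/key: match" || echo "cert/key: MISMATCH"
    cert_chains_to_ca "$CERT" "$CA" && echo "chain: OK" || echo "chain: does not verify against $CA"
    tls_handshake "$LISTENER" "$SNI" "$CA" || echo "handshake with $LISTENER failed (port open but not speaking TLS?)"
fi
```

Run it on the proxy host before changing squid.conf again: a mismatch or a chain failure points at the files, while a handshake failure with both file checks passing points at the Squid build or the https_port line.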
As you will notice from that site, it's a self-signed certificate already. I really don't have any experience with SSL and certificates, so I'm walking in the dark right now.
Using the command you provided gave me an error, but Googling for that error doesn't make me any wiser, most likely because of my lack of knowledge regarding this topic.
Thanks for helping out. I really appreciate the help and feel that I'm about to learn something new.
I've got my Squid up and running, both with HTTP and HTTPS with a wildcard certificate. One small item left. Most of our intranet sites are http; one in particular is https. I can connect successfully to that one on an https URL, but strangely enough also through http. How can I block all ports but 443, but only for that site, in Squid 3?
EricTRA - to get your HTTPS issues resolved, was it just following the guide on the link you provided that resolved the issue?
I am having the same issues where my old 2.5 squid is working fine, but my newer 3.0 squid is not, but only for some https sites - same error as you though.
I do note that I didn't compile with the openssl switch and am wondering if that could be the case.
No, it wasn't just doing what that link says, although I started out with that one. It took me some time to figure out (with help from Google) that I needed to compile Squid and not just install the package.
So I'm almost sure that if you compile Squid with SSL that your SSL sites will work.
Thank you for your help. I also found out that I can use SSL termination on the Squid box. Do you by any chance know if that means that I can have Squid only accept HTTPS secure connections for all sites, but perform the SSL termination on the Squid box for the http backend servers? And if so, does this mean that the users connected from the internet maintain a secure connection to the Squid box and through this connection work with the http site?