LinuxQuestions.org
Old 01-16-2012, 06:43 PM   #1
PesFan66
Squid - SSL Reverse Proxy help?


Hoping someone can help out a squid newbie ....

I have reverse proxy on HTTP working great for 3 sites... But I also need to do some SSL for some VDI testing.

I have created the cert for Squid using openssl and when I enable SSL in the squid.conf file you can connect to 443 and it shows the SSL warning, which is fine, but when you accept it, the connection doesn't seem to go through to the backend server, and it also breaks my HTTP which worked before adding the SSL lines to the config.

The certs on the backend servers are self signed, so there would be a warning - Is that causing my issue? (The fact that the Squid server is being asked to accept the SSL??)

Here's my squid.conf - Squid is running 3.1.xxx on CentOS and was compiled with SSL.

https_port 10.2.1.146:1443 cert=/etc/squid/server.pem key=/etc/squid/server.key defaultsite=www.domain.com vhost
http_port 10.2.1.146:81 defaultsite=domain.com vhost
forwarded_for on

#refresh_pattern ^ftp: 1440 20% 10080
#refresh_pattern ^gopher: 1440 0% 1440
#refresh_pattern . 0 20% 4320

cache_peer 10.2.1.2 parent 80 0 no-query no-digest originserver login=PASS name=web1
acl sites_web1 dstdomain xxx.domain.com
cache_peer_access web1 allow sites_web1

cache_peer 10.2.1.99 parent 80 0 no-query no-digest originserver login=PASS name=web2
acl sites_web2 dstdomain xxx.domain.com domain.com
cache_peer_access web2 allow sites_web2

cache_peer 10.2.1.91 parent 9443 0 no-query originserver ssl sslflags=DONT_VERIFY_PEER name=web3
acl sites_web3 dstdomain vc.domain.com
cache_peer_access web3 allow sites_web3

acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
#acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 443 # https
acl Safe_ports port 1025-65535 # unregistered ports
acl CONNECT method CONNECT

http_access allow sites_web1 all
http_access allow sites_web2 all
http_access allow sites_web3 all
http_access allow manager all
http_access allow manager
#http_access deny !Safe_ports
#http_access deny CONNECT !SSL_ports
#http_access deny all


Thanks for anything anyone can come up with....

Last edited by PesFan66; 01-17-2012 at 05:50 PM.
Old 01-17-2012, 04:43 PM   #2
Felipe
Hallo:

Not sure where the problem is, but it can be:

Your squid is connecting to the backend server, but it doesn't recognize the certificate the backend server is sending to squid.
How can you solve the problem?
- If the server is in your lan and you are sure that there is no problem about its security (don't need the certificate) you can tell squid not to verify the certificate. It's done by adding
https_port 443 accel defaultsite=server.domain vhost vport=8081 cert=server.cer key=server.pem sslflags=DONT_VERIFY_PEER

It didn't work for me in some squid releases, so you can add these lines:
sslproxy_flags DONT_VERIFY_PEER
But in this case, it won't verify any backend server certificate.

- Another option is to add all the CAs of the servers your squid is going to connect to in a file and include it in squid.conf with:
sslproxy_cafile /dirtofile/CAservers.cer

- Another option if you don't need https from squid to backend server is to use https from user to squid and change from https to http from squid to backend server. It's done with:
https_port 443 accel defaultsite=server.domain vhost vport=8081 cert=server.cer key=server.pem sslflags=DONT_VERIFY_PEER protocol=http

If it doesn't work, please tell me.

Regards

Last edited by Felipe; 01-17-2012 at 04:45 PM.
Old 01-17-2012, 05:43 PM   #3
PesFan66
Hey Felipe -

Thanks for the reply, I appreciate any input....

I tried the sslproxy_flags DONT_VERIFY_PEER parameter and it didn't work, so I was going to try adding the CAs to the Squid Server but that will take some time

I was debating just making all the backend servers 80, which I can do for some but two have to stay 443 (one is a VMware View 5 Server for VDI)

In the access.log I can see the request coming into the Squid :

TCP_MISS/200 294 GET http://xxx.domain.com/vsphere-client - FIRST_UP_PARENT/web3 -
TCP_MISS/200 294 GET http://xxx.domain.com/favicon.ico - FIRST_UP_PARENT/web3 -

I really don't understand why HTTP stops working when I enable HTTPS on squid. I did discover that HTTP works internally still when I enable HTTPS, but externally it stops working completely...

Last edited by PesFan66; 01-17-2012 at 05:58 PM.
Old 01-18-2012, 05:30 AM   #4
Felipe
If you need to configure different backend servers, with different ports, you can use a syntax like this:

cache_peer 10.12.23.45 parent 80 0 no-query originserver name=backend1
cache_peer 10.12.24.44 parent 2080 0 no-query originserver name=backend2
cache_peer 10.12.23.14 parent 80 0 no-query originserver name=backend3

And later assign acl to each backend:
acl aclBackend1 urlpath_regex ^/site1/
acl aclBackend2 urlpath_regex ^/site2/
acl aclBackend3 urlpath_regex ^/site3/
acl aclBackend3 urlpath_regex ^/site4/
acl aclBackend3 ....

cache_peer_access backend1 allow aclBackend1
cache_peer_access backend2 allow aclBackend2
cache_peer_access backend3 allow aclBackend3


About the problem of https, in order to know if it's a certificate problem, you can try the http connection from squid to the backend server with:
https_port 443 ... protocol=http

Last edited by Felipe; 01-18-2012 at 05:53 AM.
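Taking Felipe's two points together (backend certificate verification in #2, and one cache_peer / cache_peer_access pair per backend in #4), here is an added Python checker, not code from the thread or from the Squid project, that reads those squid.conf directives and reports TLS peers whose certificate verification is switched off or that have no CA bundle, plus dstdomain values an earlier peer already claims (Squid hands the request to the first allowed parent that is up, the FIRST_UP_PARENT seen in the poster's access.log). It assumes the Squid 3.1 directive names used in the thread and that sslproxy_cafile also applies to cache_peer connections; the sample config is constructed from the poster's file with placeholder hosts.

```python
# Constructed sample modelled on the thread's squid.conf (placeholder hosts and names).
SAMPLE_CONF = """
sslproxy_flags DONT_VERIFY_PEER
cache_peer 10.2.1.2 parent 80 0 no-query originserver name=web1
acl sites_web1 dstdomain xxx.domain.com
cache_peer_access web1 allow sites_web1
cache_peer 10.2.1.99 parent 80 0 no-query originserver name=web2
acl sites_web2 dstdomain xxx.domain.com domain.com
cache_peer_access web2 allow sites_web2
cache_peer 10.2.1.91 parent 9443 0 no-query originserver ssl sslflags=DONT_VERIFY_PEER name=web3
acl sites_web3 dstdomain vc.domain.com
cache_peer_access web3 allow sites_web3
"""
def parse(conf):
    # Collect cache_peer, acl, cache_peer_access and sslproxy_* directives.
    peers, acls, access, glob = {}, {}, [], {}
    for raw in conf.splitlines():
        tok = raw.split("#", 1)[0].split()          # drop comments, tokenize
        if not tok: continue
        if tok[0] == "cache_peer" and len(tok) >= 5:  # cache_peer host type http_port icp_port [opts]
            opts = tok[5:]
            name = next((o[5:] for o in opts if o.startswith("name=")), tok[1])
            peers[name] = {"host": tok[1], "port": tok[3], "opts": opts}
        elif tok[0] == "acl" and len(tok) >= 4:     # acl name type value...
            acls.setdefault(tok[1], (tok[2], []))[1].extend(tok[3:])
        elif tok[0] == "cache_peer_access" and len(tok) >= 4 and tok[2] == "allow":
            access.append((tok[1], tok[3:]))
        elif tok[0] in ("sslproxy_flags", "sslproxy_cafile"):
            glob[tok[0]] = " ".join(tok[1:])
    return peers, acls, access, glob

def audit(conf):
    # Findings on backend TLS verification and on shadowed peer routing.
    peers, acls, access, glob = parse(conf)
    out = []
    global_noverify = "DONT_VERIFY_PEER" in glob.get("sslproxy_flags", "")
    for name, p in peers.items():
        if "ssl" not in p["opts"]: continue         # plain-HTTP peer: nothing to verify
        if global_noverify or any("DONT_VERIFY_PEER" in o for o in p["opts"]):
            out.append(f"{name}: TLS to {p['host']}:{p['port']} with certificate verification disabled")
        elif "sslproxy_cafile" not in glob and not any(o.startswith("sslcafile=") for o in p["opts"]):
            out.append(f"{name}: TLS peer has no CA bundle (sslcafile= or sslproxy_cafile)")
    # cache_peer_access is evaluated per peer in config order; the first allowed parent that is up wins.
    first = {}
    for peer, names in access:
        for typ, vals in (acls.get(n, ("", [])) for n in names):
            for v in vals:
                if (typ, v) in first and first[(typ, v)] != peer:
                    out.append(f"{peer}: {typ} {v} is already allowed for {first[(typ, v)]}, so {peer} only gets it as a fallback")
                first.setdefault((typ, v), peer)
    return out
```

Run against the sample it reports web3 (verification off) and web2 (xxx.domain.com already routed to web1), which matches what the poster's config would do.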