squid 3.5 reverse proxy https configuration problem


squid 3.5 reverse proxy https configuration problem

sjmeyer
I have a squid configured as a reverse proxy on RHEL 7.8

The certificates on the squid box seem okay; squid -k parse passes.
However, when I attempt to access the back-end server via squid I get

 Error negotiating SSL connection on FD 13: error:14094416:SSL
routines:ssl3_read_bytes:sslv3 alert certificate unknown (1/0)

It's my understanding that to resolve the SSL error I need to add the CA of the
backend server to the RHEL trust store - I have done that, copied the ca to
/etc/pki/ca-trust/source/anchors/
ran update-ca-trust extract,
confirmed the CA is in the file
/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt

However, no change. I have seen references to the ssl_crtd project; however,
from the examples I've seen that isn't required. Is this my issue?

Contents of my squid.conf file are below, would appreciate
# reverse proxy site
#
acl localnet src 10.0.0.0/8
# - debug options
# 0 client database
# 1 start up and main loop
# 2 Unlink Daemon
# 3 configuration file parsing
# 4 error generation
# 5 socket functions
# 11 HTTP
# 23 URL parsing
debug_options All,1 9


acl SSL_ports port 5443
acl Safe_ports port 80
acl Safe_ports port 21
acl Safe_ports port 443
acl Safe_ports port 8902
acl Safe_ports port 70
acl Safe_ports port 210
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777
acl Safe_ports port 5443
acl Safe_ports port 1025-65535
acl CONNECT method CONNECT


http_port 3128 transparent

http_access allow Safe_ports
#http_access deny !Safe_ports

http_access allow localnet




https_port 5443 accel defaultsite=10.234.48.183 cert=/etc/squid/tls/devi_public.pem key=/etc/squid/tls/devi_private.key cafile=/etc/squid/tls/devi_ca.crt vhost


sslproxy_options NO_SSLv2:NO_SSLv3:NO_TLSv1:NO_TLSv1_1




cache_peer 10.234.49.188 parent 5443 0 no-query originserver ssl sslflags=DONT_VERIFY_PEER connection-auth=off name=dev-api

acl BrokenButTrustedServers dstdomain 10.234.49.188 devi.mlms.cms.gov
#sslproxy_cert_error allow BrokenButTrustedServers
sslproxy_cert_error allow all
#sslproxy_cert_error deny all
sslproxy_flags DONT_VERIFY_PEER

#ssl_bump splice #localhost
# configure backend

acl our_sites dstdomain dev.app.lb.local 10.234.49.188
http_access allow our_sites
cache_peer_access dev-int allow our_sites
cache_peer_access dev-api allow our_sites



--
Sent from: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Users-f1019091.html
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: squid 3.5 reverse proxy https configuration problem

Alex Rousskov
On 5/20/20 12:20 PM, sjmeyer wrote:
> I have a squid configured as a reverse proxy on RHEL 7.8
>
> the certificates on the squid box seem okay the squid -k parse passes,
> however when I attempt to access the back-end server via squid I get
>
> Error negotiating SSL connection on FD 13: error:14094416:SSL
> routines:ssl3_read_bytes:sslv3 alert certificate unknown (1/0)

AFAICT, your client (e.g., a browser) probably does not trust Squid's
certificate (i.e., /etc/squid/tls/devi_public.pem). Should it? What does
the client say?


> It's my understanding that to resolve the SSL error I need to add the CA of the
> backend server to the RHEL trust store

If my understanding about the scope of the error is correct, then the
backend server is irrelevant. The error is between the TLS/HTTPS client
and Squid, not Squid and cache_peer. Squid has not yet contacted the
cache_peer at the time of this error.


HTH,

Alex.



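A shell example added here (not from the thread or the Squid project) that applies Alex's point: an OpenSSL "alert ..." error names an alert the remote side sent, so the cache.log line shows the client rejecting the certificate Squid presented, not Squid rejecting the cache_peer. The first function classifies the error text; the two probe functions check each TLS leg separately with openssl s_client. Host, ports and paths come from the posted squid.conf; the client-trusted CA file is an assumed argument.

```shell
#!/bin/sh
# Added example, not from the thread: tell the two TLS legs of a Squid
# accelerator apart (client -> https_port, and Squid -> cache_peer).

# Classify an OpenSSL error string copied from cache.log.
# "alert ..." means the REMOTE side rejected what this side presented;
# "certificate verify failed" means THIS side rejected the remote cert.
classify_tls_error() {
    case "$1" in
        *"alert certificate unknown"*|*"alert unknown ca"*|*"alert bad certificate"*)
            echo "remote-rejected-our-cert" ;;
        *"certificate verify failed"*)
            echo "we-rejected-remote-cert" ;;
        *)
            echo "other" ;;
    esac
}

# Leg 1: from a client machine, validate the chain Squid serves on its
# https_port (cert=/key= in squid.conf) against the CA that client trusts.
#   usage: probe_client_leg <squid-host> 5443 /path/to/client-trusted-ca.pem
probe_client_leg() {
    openssl s_client -connect "$1:$2" -servername "$1" -CAfile "$3" </dev/null 2>&1 |
        grep -E 'Verify return code|verify error|depth='
}

# Leg 2: from the Squid box, validate the cache_peer's certificate against
# the RHEL bundle the poster updated. Only matters once leg 1 is fixed and
# DONT_VERIFY_PEER is dropped; with that flag Squid does not check this chain.
#   usage: probe_peer_leg 10.234.49.188 5443
probe_peer_leg() {
    openssl s_client -connect "$1:$2" \
        -CAfile /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt </dev/null 2>&1 |
        grep -E 'Verify return code|verify error|depth='
}

# Constructed sample: the exact cache.log text from the thread.
SAMPLE='error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown'
classify_tls_error "$SAMPLE"   # prints remote-rejected-our-cert
```

If probe_client_leg reports a non-zero "Verify return code", the client's trust store, not the RHEL bundle on the Squid host, is what needs the issuing CA of devi_public.pem.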