Re: [squid-users] SSL client cert configuration and provision

From: Stephan Hügel <urschrei_at_gmail.com>
Date: Sun, 22 May 2011 11:34:48 +0100

On 22 May 2011 04:01, Amos Jeffries <squid3_at_treenet.co.nz> wrote:
> On 22/05/11 06:09, Stephan Hügel wrote:
>>
>> Hello,
>> Apologies in advance for the (presumably) repetitive question:
>> I'd like to set up squid to provide an SSL cert required for access to
>> a certain site on behalf of my users. I've converted the cert (it was
>> provided in PFX format) to PEM format, and generated a key (though I'm
>> not entirely sure that's necessary).
>> I've installed squid 2.7.STABLE9 on Ubuntu 11.04, and configured http
>> access for users on my subnet, and this is working correctly:
>>
>> http_port 3128
>> acl all src all
>> acl manager proto cache_object
>> acl localhost src 127.0.0.1/32
>> acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
>> acl localnet src 10.10.10.0/24
>> [snip]
>> http_access allow localnet
>> icp_access allow localnet
>>
>> But I haven't been able to find a HOWTO for transparently providing
>> the required SSL cert on behalf of clients when they connect to the
>> site which requires it.
>> I assume I have to provide a https_port (443?), and https_allow
>> localnet, but I'm not sure about anything else.
>>
>> TIA
>
> https_port is for reverse-proxy when the certificate is to be presented to
> the *client*.
>
> From what you say, it seems clients are supposed to present a unique
> identifier certificate to the *server* and you want to forge from Squid?
>
>
> Before we give you any config, which of those completely different setups do
> you actually want?
>
> Amos
> --
> Please be using
>  Current Stable Squid 2.7.STABLE9 or 3.1.12
>  Beta testers wanted for 3.2.0.7 and 3.1.12.1
>
Amos,
The latter; I'd like Squid to present the cert on behalf of the clients.

-- 
steph
Received on Sun May 22 2011 - 10:34:55 MDT
