Re: [squid-users] Reverse proxy: http to https and certificate authentication

From: Mailing List SVR <lists_at_svrinformatica.it>
Date: Sun, 01 Feb 2009 10:49:25 +0100

On Sun, 01/02/2009 at 22.10 +1300, Amos Jeffries wrote:
> Mailing List SVR wrote:
> > On Sun, 01/02/2009 at 21.56 +1300, Amos Jeffries wrote:
> >> Mailing List SVR wrote:
> >>> On Sun, 01/02/2009 at 20.28 +1300, Amos Jeffries wrote:
> >>>> Mailing List SVR wrote:
> >>>>> Hi all,
> >>>>>
> >>>>> I have a soap client using python ZSI; the other end is oracle soa
> >>>>> 10.1.3.1.0 and all has worked fine for some months. Last week oracle soa
> >>>>> was configured to accept client certificate authentication over https.
> >>>>> If I try to use the standard python httplib.HTTPSConnection library it
> >>>>> fails with the infamous "bad record mac" error, and so does ZSI, which uses
> >>>>> httplib. Other java tools such as soapui work just fine with oracle
> >>>>> soa.
> >>>>>
> >>>>> Can squid do the hard work for me in the following configuration?
> >>>>>
> >>>>> ZSI soap client -> squid proxy over http -> oracle soa https
> >>>>>
> >>>>> however squid could authenticate to oracle soa by loading the cert file
> >>>>> and the cert key from a local file.
> >>>>>
> >>>>> So I would like to send my soap request to squid over http, and squid
> >>>>> could connect to oracle soa over https presenting its own client
> >>>>> certificate (not sent from my application but loaded from a local file).
> >>>>>
> >>>>> Is this configuration possible?
> >>>>>
> >>>>> thanks
> >>>>> Nicola
> >>>>>
> >>>>>
> >>>> Yes, Squid can certainly act as an HTTP->HTTPS proxy for you.
> >>>> Just configure a normal cache_peer pointing at oracle using SSL,
> >>>> http://www.squid-cache.org/Doc/config/cache_peer/
> >>>> and configure ZSI to connect to the Squid HTTP port without SSL.
> >>> thanks, but squid needs to present a client certificate to authenticate
> >>> against oracle; cache_peer seems to lack a directive to specify the certificate,
> >>>
> >> Look again:
> >> ssl
> >> sslcert=/path/to/ssl/certificate
> >> sslkey=/path/to/ssl/key
> >> sslversion=1|2|3|4
> >> sslcipher=...
> >> ssloptions=...
> >>
> >>
> >
> > You are right, but I'm not a squid expert so I need some more directions
> > please.
> >
> > I added this line to squid.conf
> >
> > cache_peer <oraclesoahostname> parent 443 0 no-query no-digest no-netdb-exchange proxy-only default ssl sslcert=/etc/squid/cert/clients1.crt sslkey=/etc/squid/cert/clients1.key sslversion=1
> >
> > <oraclesoahostname> is in my hosts file,
> >
> > now how does squid redirect the request to <oraclesoahostname>, and how can I
> > connect to squid? On the standard 3128 port (for example wget
> > http://<squidip>:squidport/<what here?>) or do I have to use it as an http
> > proxy (export HTTP_PROXY=...)?
> >
> > thanks for your patience,
> >
> > Nicola
> >
>
> Depends on what Squid is listening on.
> Normal http_port 3128 is connected to normally, as any other proxy, with
> HTTP to port 3128.
>
> If the certificate is working, squid will start up and mention that it has
> read and checked the cert. And requests go out to the peer.

Ok thanks, it seems to work just fine using my test server (apache with
client certificate auth); here are the relevant config options:

# reverse-proxy (accelerator) mode: clients send plain HTTP straight to port 3128
http_port 3128 accel defaultsite=<test apache site>

# origin reached over SSL, presenting the client certificate loaded from the local files;
# DONT_VERIFY_PEER skips verification of the origin's server certificate
cache_peer <test apache site> parent 443 0 no-query no-digest no-netdb-exchange ssl sslcert=/etc/squid/cert/clients1.crt sslkey=/etc/squid/cert/clients1.key sslversion=1 originserver sslflags=DONT_VERIFY_PEER proxy-only default

I'm able to use soap ui towards <squid ip>:3128 and works fine,

however zsi works in my test environment too; oracle soa is a different
beast (curl, wget and python httplib all fail with oracle soa and work
with both apache and iis https with client certificate), tomorrow I'll
try with squid in front of it ...

thanks again
Nicola

>
> Amos
Received on Sun Feb 01 2009 - 09:49:39 MST
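To make concrete what the exchange above sets up, here is an added example; it is not part of the thread and not Squid's own code. It holds two constructed squid.conf fragments for the same topology (SOAP client -> Squid over plain HTTP on 3128 -> origin over HTTPS with a client certificate) and audits the cache_peer line. With `accel` and `defaultsite=` the client does not use Squid as an HTTP proxy at all: it sends the request straight to `http://<squid>:3128/<path>` and Squid fills in the Host header from `defaultsite`. The first fragment has the shape of the config posted above: `sslflags=DONT_VERIFY_PEER` means Squid presents the client certificate and forwards the SOAP request to whatever answers on port 443 for that hostname, without checking the server certificate. The second fragment pins the origin CA with `sslcafile=`, checks the certificate name with `ssldomain=`, forces TLSv1 with `sslversion=4`, and restricts who may use the accelerator with `http_access`, since anyone who can reach port 3128 can now make requests that the origin sees as authenticated by that client certificate. The hostname `soa.example.internal`, the CA bundle path, the client subnet `192.0.2.0/24` and the audit rules themselves are assumptions.

```python
"""Render and audit a Squid reverse-proxy (accel) config that fronts an HTTPS origin
requiring a client certificate.  Added example, not code from the thread or from Squid.
Hostnames, file paths, the client subnet and the audit rules are assumptions."""
import shlex

# Constructed sample 1: the shape of the config posted in the thread.  It works, but
# sslflags=DONT_VERIFY_PEER means Squid never checks who it hands the client
# certificate (and the SOAP requests) to.
WEAK_CONF = """\
http_port 3128 accel defaultsite=soa.example.internal
cache_peer soa.example.internal parent 443 0 no-query no-digest no-netdb-exchange ssl sslcert=/etc/squid/cert/clients1.crt sslkey=/etc/squid/cert/clients1.key sslversion=1 originserver sslflags=DONT_VERIFY_PEER proxy-only default
"""

# Constructed sample 2: same topology, but the origin certificate is verified against an
# explicit CA bundle and expected name, TLSv1 is forced (sslversion=4), and only the
# assumed SOAP client subnet may use the accelerator for the one site it fronts.
HARDENED_CONF = """\
http_port 3128 accel defaultsite=soa.example.internal
cache_peer soa.example.internal parent 443 0 no-query no-digest no-netdb-exchange ssl sslcert=/etc/squid/cert/clients1.crt sslkey=/etc/squid/cert/clients1.key sslversion=4 sslcafile=/etc/squid/cert/soa-ca.pem ssldomain=soa.example.internal originserver proxy-only default
acl soap_clients src 192.0.2.0/24
acl soa_site dstdomain soa.example.internal
http_access allow soap_clients soa_site
http_access deny all
"""


def parse_cache_peer(line):
    """Split one cache_peer line into host/type/ports, bare flags and key=value options."""
    tok = shlex.split(line)
    if len(tok) < 5 or tok[0] != "cache_peer":
        raise ValueError("not a cache_peer line: %r" % line)
    flags, opts = set(), {}
    for t in tok[5:]:
        if "=" in t:
            k, v = t.split("=", 1)
            opts[k] = v
        else:
            flags.add(t)
    return {"host": tok[1], "type": tok[2], "http_port": int(tok[3]),
            "icp_port": int(tok[4]), "flags": flags, "opts": opts}


def audit_cache_peer(peer):
    """Return a list of findings for a parsed cache_peer; an empty list means nothing flagged."""
    findings = []
    opts, flags, host = peer["opts"], peer["flags"], peer["host"]
    if "ssl" not in flags:
        return ["peer %s: no 'ssl' flag, origin traffic is plaintext" % host]
    sslflags = set(filter(None, opts.get("sslflags", "").split(",")))
    if "DONT_VERIFY_PEER" in sslflags:
        findings.append("peer %s: DONT_VERIFY_PEER, origin certificate is never checked, so the "
                        "client cert and requests go to whoever answers on port 443" % host)
    if "sslcafile" not in opts and "sslcapath" not in opts:
        findings.append("peer %s: no sslcafile/sslcapath, only the OpenSSL default CA store is "
                        "trusted, so a private origin CA cannot be verified" % host)
    if opts.get("sslversion") in ("2", "3"):
        findings.append("peer %s: sslversion=%s forces SSLv%s only"
                        % (host, opts["sslversion"], opts["sslversion"]))
    if ("sslcert" in opts) != ("sslkey" in opts):
        findings.append("peer %s: sslcert and sslkey must be given together" % host)
    return findings


def audit_conf(text):
    """Audit every cache_peer line (and the http_port mode) in a squid.conf fragment."""
    findings = []
    saw_accel = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        if line.startswith("http_port"):
            saw_accel = saw_accel or "accel" in shlex.split(line)[2:]
        elif line.startswith("cache_peer "):
            findings.extend(audit_cache_peer(parse_cache_peer(line)))
    if not saw_accel:
        findings.append("no http_port with 'accel': clients would have to use Squid as a "
                        "forward proxy instead of sending requests straight to it")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_conf(conf) or "OK")
```

Running the script prints the two findings for the weak fragment (unverified origin, no trust anchor) and `OK` for the hardened one. The audit is deliberately narrow: it reads only what is on the cache_peer line, so a wrong CA bundle or an expired client certificate would still have to be caught at startup, where Squid reports whether it could read and check the cert, as Amos notes above.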

This archive was generated by hypermail 2.2.0 : Mon Feb 02 2009 - 12:00:03 MST