Hello,
I am trying to use Squid as a proxy so that traffic goes through an ICAP
service I built and then continues to the intended site. I will have several
clients (browsers) accessing several server sites.
I need help configuring HTTPS correctly :(
I tried testing my configuration using a browser from IP 9.148.16.192.
I used the Firefox FoxyProxy plugin to direct HTTP traffic to 9.148.26.247:3128
and HTTPS traffic to port 3129 (the machine/ports where my Squid is listening; I
checked this with netstat).
I started testing two sites, one http and another https:
1. http://mydomain.com/MyCRM/index.php
2. https://9.148.26.247:8443/ - this site runs on Tomcat, which I configured with mykey.jks
When I start, I get all OK messages:
2011/03/01 08:23:40| Accepting HTTP connections at [::]:3128, FD 15.
2011/03/01 08:23:40| Accepting HTTPS connections at [::]:3129, FD 16.
2011/03/01 08:23:40| HTCP Disabled.
2011/03/01 08:23:40| Configuring Parent 9.148.16.192/3129/0
When I try site 1 (HTTP), all seems to work fine.
However, when I try site 2, I get an error:
2011/03/01 08:37:54| clientNegotiateSSL: Error negotiating SSL connection on FD 12: error:1407609B:SSL routines:SSL23_GET_CLIENT_HELLO:https proxy request (1/-1)
Where am I going wrong??
Many thanks, Ariel :)
my config is below:
#
# configure https port
#
https_port 3129 key=/root/security/mykey.key.pem cert=/root/security/mycert.crt.pem vhost
cache_peer 9.148.16.192 parent 3129 0 no-query originserver ssl sslflags=DONT_VERIFY_PEER name=securePeer1
cache_peer_access securePeer1 allow all
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access allow localhost
always_direct allow all
http_access allow all
# Squid normally listens to port 3128
http_port 3128
# We recommend you to use at least the following line.
hierarchy_stoplist cgi-bin ?
# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid
# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
icap_log /var/log/squid/icap.log icap_squid
icap_enable on
icap_send_client_ip on
icap_service_failure_limit -1
icap_service_revival_delay 30
icap_service myservice respmod_precache bypass=0 icap://127.0.0.1:1344/myservice
adaptation_access myservice allow all
request_header_access Accept-Encoding deny all
append_domain .haifa.ibm.com
--
View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/icap-and-https-tp3329449p3329449.html
Sent from the Squid - Users mailing list archive at Nabble.com.
Received on Tue Mar 01 2011 - 08:49:13 MST
This archive was generated by hypermail 2.2.0 : Tue Mar 01 2011 - 12:00:06 MST