Re: [squid-users] Re: squid as forward proxy for portal run on tomcat

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Mon, 21 Mar 2011 19:42:48 +1300

On 19/03/11 08:25, arielf wrote:
> Hi Amos, thanks for your response.
> I'll try to clarify.
>
> I want my browser (a client's browser) to always go through a squid proxy
> for accessing any website (target application). This is because I have an
> ICAP service working on the data. Thus to my understanding this is a forward
> proxy.
>
> Since I want it to work for both http and https sites, I configured squid to
> work with ssl-bump as shown above. I have tested this configuration, by
> setting firefox proxy settings to go to squid on port 3128, and it seems to
> work fine :)
>
> Now I have an additional target application. This application happens to be
> a portal that is run on tomcat. Furthermore, it is a tomcat that I
> configured the security settings for. Thus I have browser -> squid -> portal
> (run on tomcat).
> To my understanding this is still part of the same forward proxy? Am I wrong
> here?

Ah, understood. Thanks.

Yes from the browser viewpoint it is a forward proxy. From your admin
viewpoint this is a forward proxy with one specific domain using a
cache_peer parent with originserver flag.

Squid is entering into a strange multi-mode handling though. The
requests enter as forward proxy and exit as reverse.

The handling of CONNECT and ssl-bump is a bit broken when this mode
change takes place internally to Squid. I have just days ago added
changes that look like fixing CONNECT; these will be in 3.1.12. But
ssl-bump remains broken.
  Using ssl-bump Squid will pass the tomcat requests with absolute
https:// URLs.

>
> Unfortunately, on this particular setting I get the failure I showed above.
>> From cache.log:
>> -----BEGIN SSL SESSION PARAMETERS-----
>> MHECAQECAgMBBAIANQQg0b4mR/aJ5Vez5HNh6dSwUL4vs/d+v+ceEwKpWxHdFoME
>> MI3ZqOI/+MjpLLsjIoFchf9dxA/wD9aoZZgrbiq6GRtvOTWRRFeaQA1KFfVgmFo7
>> FaEGAgRNgfR5ogQCAgEspAIEAA==
>> -----END SSL SESSION PARAMETERS-----
>> 2011/03/17 07:46:01| SSL unknown certificate error 18 in
>> /C=IL/ST=NA/L=NA/O=IBM/OU=HRL/CN=Magen
>> 2011/03/17 07:46:01| fwdNegotiateSSL: Error negotiating SSL connection on
>> FD
>> 13: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate
>> verify failed (1/-1/0)
>
> I guess I am still understanding something badly, please point me to it.

I think this should work for passing requests to the tomcat:

   cache_peer <tomcat-IP> parent 443 0 originserver ssl
sslflags=DONT_VERIFY_PEER

Once the requests are getting there you may hit a problem with those
ssl-bump absolute URLs. The Tomcat app might need tweaking to accept
them. Or a re-writer may be needed to strip "https://domain" off the
front of those particular ones.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.11
   Beta testers wanted for 3.2.0.5
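A worked squid.conf for the setup discussed in this thread, added here as an editor's example; it is not configuration posted by Amos or the original poster, and the host name portal.example.com, the address 10.0.0.5, the file paths, the ACL and peer names and the keystore alias are all assumed. It shows the forward proxy with ssl-bump, the originserver cache_peer for the Tomcat portal, and the two ways of dealing with the failure in the quoted cache.log. OpenSSL verify error 18 is X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT, so Tomcat is presenting a self-signed certificate that Squid cannot chain to any trusted CA. sslflags=DONT_VERIFY_PEER makes the error go away by switching certificate verification off for that peer entirely, which lets anything on the path between Squid and Tomcat impersonate the portal; pointing sslcafile= at the exported Tomcat certificate and setting ssldomain= keeps verification on and trusts only that one certificate.

```conf
# Added example for Squid 3.1 (not from the original thread).
# Assumed: portal.example.com, 10.0.0.5, all paths, ACL/peer names, keystore alias.

# Forward proxy on 3128 with ssl-bump, as the original poster already runs it.
http_port 3128 ssl-bump cert=/etc/squid/bump-ca.pem key=/etc/squid/bump-ca.key
acl localnet src 192.168.0.0/16
ssl_bump allow localnet
http_access allow localnet
http_access deny all

# The Tomcat portal is one specific domain handed to an origin-server peer.
acl portal dstdomain portal.example.com

# Weak: silences "certificate verify failed" (verify error 18 = self-signed
# certificate) by not checking the peer certificate at all. Anything that can
# sit between Squid and Tomcat can now impersonate the portal.
#cache_peer 10.0.0.5 parent 443 0 no-query originserver name=portal ssl sslflags=DONT_VERIFY_PEER

# Better: trust exactly the self-signed certificate Tomcat presents, and check
# that its subject matches the portal name. Export it from the Tomcat keystore
# first (alias assumed):
#   keytool -exportcert -rfc -alias tomcat -keystore /etc/tomcat/keystore.jks > /etc/squid/tomcat.pem
cache_peer 10.0.0.5 parent 443 0 no-query originserver name=portal ssl sslcafile=/etc/squid/tomcat.pem ssldomain=portal.example.com

# Send only the portal's traffic to that peer, and never fetch it directly.
cache_peer_access portal allow portal
cache_peer_access portal deny all
never_direct allow portal
```

If the portal's certificate is later replaced by one issued from an internal CA, put that CA's certificate in the sslcafile= file instead of the leaf; the peer then keeps verifying across certificate renewals without any further squid.conf change. The absolute https:// URLs that Amos mentions are a separate issue and are not addressed by either cache_peer line.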
Received on Mon Mar 21 2011 - 06:42:51 MDT