Re: [squid-users] SSL Reverse Proxy Domain Mismatch

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Thu, 02 May 2013 14:00:04 +1200

On 1/05/2013 8:56 a.m., Paul Carew wrote:
> Hi
>
> I have Squid 3.3.4 setup as an SSL reverse proxy for web based mail.
> The domain name on the outside is something like mail.example.org and
> the domain name on the inside is something like webmail.example.local.
> I am getting a TLS code: SQUID_X509_V_ERR_DOMAIN_MISMATCH error when
> trying to connect.
>
> My https_port line looks like so:
>
> https_port 443 accel cert=/etc/squid/ssl_certs/mail.crt
> key=/etc/squid/ssl_certs/mail.key cafile=/etc/squid/ssl_certs/mail.ca
> defaultsite=webmail.example.local
>
> The cache_peer line:
>
> cache_peer 192.168.0.42 parent 443 0 no-query originserver login=PASS
> ssl front-end-https=on name=webmailServer
>
> The certificate on the web based mail server, inside, is issued to
> webmail.example.local with a SAN of mail.example.org. The certificate
> used on the Squid https_port config line is issued to mail.example.com
> with no SAN.
>
> I can understand why the DOMAIN_MISMATCH is occurring but was hoping
> someone could recommend a workaround?

Because webmail.example.local != mail.example.org. Your clients will be
requesting one and Squid relays the client request with as few changes
as possible.

You can use forcedomain=mail.example.com on the peer line, or make the
domain mail.example.com point at Squid for clients to use in their URLs
(the best way).

Amos
Received on Thu May 02 2013 - 02:00:19 MDT
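The name comparison behind a DOMAIN_MISMATCH, as an added example that is not code from the thread or from Squid: a simplified RFC 6125-style matcher run over certificates constructed from the names given above. The exact SAN contents and the strict "CN is ignored once a SAN is present" rule are assumptions about a generic verifier, not a statement of what Squid 3.3.4 does.

```python
# Added example, not code from the thread or from Squid: a simplified RFC 6125
# style check of an expected hostname against the names a server certificate
# carries, to show which names in the thread's setup a verifier will accept.
# Certificates are constructed dicts here; real ones are parsed from PEM files.

def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Compare one certificate DNS name (possibly *.example.org) with a hostname.
    Case-insensitive; a single '*' is accepted only as the whole leftmost label,
    it matches exactly one label, and it may not sit directly under a TLD."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or "*" in pattern[1:] or len(p_labels) < 3:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]

def cert_names(cert: dict, cn_fallback_always: bool = False) -> list:
    """Names a verifier compares against. RFC 6125 ignores the subject CN once a
    SAN extension is present; cn_fallback_always=True models older verifiers
    that still consult the CN alongside the SAN."""
    san = list(cert.get("san", []))
    if san and not cn_fallback_always:
        return san
    return san + [cert["cn"]]

def hostname_matches(cert: dict, hostname: str, cn_fallback_always: bool = False) -> bool:
    return any(dns_name_matches(n, hostname)
               for n in cert_names(cert, cn_fallback_always))

def verdict(cert: dict, hostname: str) -> str:
    """One line in the spirit of Squid's error code for the given pair."""
    names = cert_names(cert)
    if hostname_matches(cert, hostname):
        return f"OK: {hostname} is covered by {names}"
    return f"DOMAIN_MISMATCH: {hostname} is not in {names}"

# Constructed from the names the thread gives; the SAN list is an assumption
# (the thread only says the origin certificate has "a SAN of mail.example.org").
ORIGIN_CERT = {"cn": "webmail.example.local", "san": ["mail.example.org"]}
SQUID_CERT = {"cn": "mail.example.com", "san": []}

if __name__ == "__main__":
    print(verdict(ORIGIN_CERT, "mail.example.org"))       # OK
    print(verdict(ORIGIN_CERT, "webmail.example.local"))  # mismatch: CN ignored with SAN
    print(verdict(SQUID_CERT, "mail.example.org"))        # mismatch: no SAN, CN differs
    print(verdict(SQUID_CERT, "mail.example.com"))        # OK
```

The matcher only answers whether a given name is covered; which name the verifier is told to expect (the client's requested host, the peer's configured name, or a forced domain) is what decides the verdict in practice.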