We are working on a feature to import contacts from:
- yahoo
- twitter
- gmail
- Facebook
- … …
Our PAB service (personal address book) runs on 6 Solaris backend servers (each one with 2 instances of the service). To import contacts, the backend server (where PAB runs) needs to talk directly with the Internet. Since that is not a good architecture (I mean a backend that talks directly with the Internet), we added a frontend proxy (Squid).
Here are my notes about:
#1 Generate Certificate (self-signed)
#2 Configuration of Squid
Warning: what is reported here is just my work notes, without any double check.
#1 Generate Certificate (self-signed)
Flow:
[Diagram: PAB (Backend Server) --[SSL 1]--> Squid (Frontend) --[SSL 2]--> Internet --[SSL 2]--> Remote Server]
Communication [1] requires SSL (in our scenario, although it isn't mandatory), so we need to generate a certificate.
Steps to self-sign a certificate:
Generate the private key (the second command rewrites the DES3-encrypted key without the passphrase, so Squid can load it without prompting)
openssl genrsa -des3 -out squid-server.key 1024
openssl rsa -in squid-server.key -out squid-proxy.key
Generate the CSR (Certificate Signing Request) using the private key
openssl req -new -key squid-server.key -out squid-server.csr
Self-sign the CSR with the private key and generate the certificate
openssl x509 -req -days 365 -in squid-server.csr -signkey squid-proxy.key -out squid-proxy.crt
As we'll see later, squid-proxy.crt and squid-proxy.key will be used to configure Squid.
Note #0:
Warning: 365 is the validity period of the certificate in days (you can increase it)
Note #1:
To check certificate validity / expiration date:
openssl x509 -in squid-proxy.crt -noout -enddate
notAfter=Jul 14 13:48:44 2012 GMT
Note #2:
If there is a problem in [1] (for example your server doesn't accept the certificate and hangs in the SSL negotiation), Squid's log shows this error message:
clientNegotiateSSL: Error negotiating SSL connection on FD 20: error:1407609B …
Basically, the server that opens the connection to Squid needs to recognise the certificate generated (self-signed) above as valid. Since the certificate is self-signed (and we are not a trusted CA), we need to add the certificate, squid-proxy.crt, on the server side.
How to do that depends on how the server works: in our case PAB has a directory where squid-proxy.crt is copied.
So I don't report how to add the certificate.
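The steps of #1 and the checks of Note #1 and Note #2, as an added example that is not part of the original post: it generates the key pair and self-signed certificate, then confirms the key matches the certificate, that a client trusting only squid-proxy.crt would accept it, and how long it stays valid. It assumes openssl is on PATH; the directory, CN and the 2048-bit key size are choices of this example.

```shell
#!/bin/sh
# Added example (not from the original post): #1 in one function plus the
# checks a practitioner wants before touching squid.conf. Assumes openssl on PATH.

# Generate squid-proxy.key / squid-proxy.crt in $1, valid $2 days, CN=$3.
# The key is written unencrypted directly (the post's -des3 + "openssl rsa"
# pair collapses into this), so Squid can load it without a passphrase prompt.
gen_squid_cert() {
    out=$1; days=${2:-365}; cn=${3:-squid-proxy}
    mkdir -p "$out"
    openssl genrsa -out "$out/squid-proxy.key" 2048 2>/dev/null
    openssl req -new -key "$out/squid-proxy.key" -subj "/CN=$cn" \
        -out "$out/squid-server.csr" 2>/dev/null
    openssl x509 -req -days "$days" -in "$out/squid-server.csr" \
        -signkey "$out/squid-proxy.key" -out "$out/squid-proxy.crt" 2>/dev/null
}

# 0 when cert ($1) and key ($2) carry the same RSA modulus; a mismatched pair
# is a common reason https_port refuses to come up.
key_matches_cert() {
    c=$(openssl x509 -in "$1" -noout -modulus)
    k=$(openssl rsa -in "$2" -noout -modulus 2>/dev/null)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# 0 when a client whose only trust anchor is the file itself would accept it;
# this is the condition the PAB side must satisfy (Note #2) before [SSL 1]
# negotiates instead of hanging.
self_trusted() {
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# 0 when the certificate is still valid for at least $2 more days (Note #1,
# using -checkend instead of parsing the notAfter string by hand).
valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( ${2:-30} * 86400 )) >/dev/null
}
```

Run the three checks against the files before copying them into /usr/local/squid/ssl/; a failing self_trusted or valid_for_days is the first thing to look at when clientNegotiateSSL errors appear.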
#2 Configure certificate for Squid
+ 2.1 Certificate (self-signed) for point SSL 1
(communication between Backend Server <-> Frontend Squid)
Configure /etc/squid/squid.conf:
http_port 80
https_port 443 cert=/usr/local/squid/ssl/squid-proxy.crt key=/usr/local/squid/ssl/squid-proxy.key
(You probably need to create /usr/local/squid/ssl/)
squid-proxy.key and squid-proxy.crt are the files generated in #1
443 is the https (SSL) port used in [SSL 1]
80 is the http port used in [SSL 1]
+ 2.2 Certificate for point SSL 2
(communication between Frontend Squid <-> Internet)
If you have a "different" certificate to use in [SSL 2], configure /etc/squid/squid.conf:
sslproxy_capath /usr/local/squid/sslclient/tls/CACertificates/
sslproxy_flags NO_DEFAULT_CA
The path /usr/local/squid/sslclient/tls/CACertificates/ is where you have stored the trusted CA certificates.
Or if you need to ignore the certificate in [SSL 2]:
sslproxy_flags DONT_VERIFY_PEER #(not recommended: it is too permissive, the remote server's certificate is not checked at all)
+ 2.3 common config
-> Debug
Debug level is:
debug_options ALL,1 33,2 #(not recommended for a live environment)
-> ACL
Access Control List:
http_access allow localhost
#http_access deny all
http_access allow all #(not recommended: it is too permissive)
If you have a problem with the ACL, this is the line in the Squid log:
TCP_DENIED/403 1352 GET XXXXXXXXX – NONE/- text/html
The post Squid – SSL Certificate appeared first on Busylog.net.