It's a little off topic - but I'm wondering why, if you want secure communications between the clients and the Squid server, you aren't thinking of using something like IPsec which *should* provide seamless encryption / data authentication..
Sorry, I can't answer your actual question :) Daniel -----Original Message----- From: WEHT.net Webmaster [mailto:[EMAIL PROTECTED] Sent: Wednesday, 22 October 2003 11:16 AM To: [EMAIL PROTECTED] Subject: [squid-users] SSL Tunnel out-of-box? Sorry if there are well known answers to this, I've been looking but not finding... Is there a way to get an SSL Tunnel between the client and squid under 2.5.STABLE4 out-of-box (or with a server side patch?) Client <--- SSL ---> Squid <--- Non-SSL/SSL ---> Internet My conf is posted below, this works fine via non-SSL between the client<->squid (including hitting URI's via SSL on the other side of the squid cache), but when I set my proxy address on the clients to use the SSL port on the squid side, I get this error: Oct 21 21:06:00 sp0090 squid[17038]: clientNegotiateSSL: Error negotiating SSL connection on FD 16: error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request Which from what I can gather seems to mean the SSL port is getting non-SSL requests from the client. I guess what I'm wondering is if there is a way to do this out-of-box without having to use something like an SSH tunnel from the client side, i.e. convince the web browsers to open SSL connections to the squid cache all the time? Again, sorry if its an FAQ... # begin config http_port 69.60.1.98:3128 https_port 69.60.1.98:443 cert=/etc/squid/ssl/server-req.pem \ key=/etc/squid/ssl/server-key.pem tcp_outgoing_address 69.60.1.98 httpd_accel_host proxy.example.com httpd_accel_uses_host_header on httpd_accel_host virtual httpd_accel_port 444 httpd_accel_with_proxy on httpd_accel_uses_host_header on redirect_rewrites_host_header off hierarchy_stoplist cgi-bin ? acl QUERY urlpath_regex cgi-bin \? no_cache deny QUERY auth_param basic program /usr/lib/squid/ncsa_auth \ /usr/lib/squid/etc/authusers.txt auth_param basic children 5 auth_param basic realm proxy.example.com auth_param basic credentialsttl 2 hours acl password proxy_auth REQUIRED acl all src 0.0.0.0/0.0.0.0 acl all src 0.0.0.0/0.0.0.0 acl manager proto cache_object acl localhost src 127.0.0.1/255.255.255.255 acl to_localhost dst 127.0.0.0/8 acl SSL_ports port 443 563 acl Safe_ports port 80 # http acl Safe_ports port 21 # ftp acl Safe_ports port 443 563 # https, snews acl Safe_ports port 70 # gopher acl Safe_ports port 210 # wais acl Safe_ports port 1025-65535 # unregistered ports acl Safe_ports port 280 # http-mgmt acl Safe_ports port 488 # gss-http acl Safe_ports port 591 # filemaker acl Safe_ports port 777 # multiling http acl CONNECT method CONNECT http_access allow manager localhost http_access deny manager http_access deny !Safe_ports http_access deny CONNECT !SSL_ports http_access deny to_localhost http_access allow password http_reply_access allow all icp_access allow all -- WEHT.net The Online Compendium of "What Ever Happened To" & "Where Are They Now?"
