Hi,
We were able to set up squid in a host-to-container infrastructure. That is to say, squid is installed on the host, proxying traffic from the container on the same host, with transparent proxy including SSL traffic. Another feature we enabled is request_header_access and request_header_replace, to spoof and modify the token in HTTP headers sent to the target dstdomain.

The issue we are having right now is that the certificate installed on the container is a self-signed cert; we were trying to migrate this cert to a real trusted CA cert, or a Baltimore root cert. The issue seems to be in the subject name of the cert. In the self-signed cert, I simply leave everything blank. In the Baltimore root cert (squid.key and squid.crt in the squid.conf example below, requested through Microsoft internal service and it is Baltimore root), even if I have the dstdomain in squid.conf as subject name (abc.microsoft.com in the squid.conf example below), I am still getting a "server certificate verification failed" error in CURL. Is there anything I am missing, or is it simply not supported? In my understanding, it should have no difference from squid as root CA signer in a self-signed cert?

P.S. I do notice that it is illegal for a trusted CA to issue an official cert to squid because squid itself is a man-in-the-middle, so Squid can only accept a self-signed cert and squid as root CA? I tried to search the email archive but no luck.
I have such a squid.conf:

    acl abc dstdomain .abc.microsoft.com
    request_header_access Authorization deny abc
    request_header_replace Authorization Basic whateverYourTokeisButForBasicItHasToBeBase64Encoded
    request_header_access All allow all

    https_port 3129 cert=/etc/squid3/squid.crt key=/etc/squid3/squid.key ssl-bump intercept generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

    acl SSL_port port 443
    http_access allow SSL_port

    acl allowed_https_sites ssl::server_name "/etc/squid3/ssl_sites.txt"
    ssl_bump server-first all
    always_direct allow all

    acl step1 at_step SslBump1
    acl step2 at_step SslBump2
    acl step3 at_step SslBump3
    ssl_bump peek step1 all
    ssl_bump peek step2 allowed_https_sites
    ssl_bump splice step3 allowed_https_sites

Thanks,
Lei
_______________________________________________ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
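An added example, not part of Lei's post or of Squid itself, that reproduces with openssl why a leaf certificate issued by a public CA cannot serve as the ssl-bump signing certificate even when its subject matches the dstdomain: squid signs the per-site certificates with the https_port cert=/key= pair, and a client only accepts those if that pair is a CA (basicConstraints CA:TRUE) it trusts. The CA name, file names and temp directory are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the post or Squid): ssl-bump signs a fresh cert per
# bumped site with the https_port cert=/key= pair, so that pair must be a CA
# (basicConstraints CA:TRUE) the client trusts. A leaf cert from a public CA,
# even with the matching subject, is CA:FALSE and the client rejects the result.

# Return 0 when the PEM certificate in $1 asserts basicConstraints CA:TRUE.
is_ca_cert() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

# Constructed demo material in $1: ca.crt/ca.key (self-signed, CA:TRUE, what
# squid needs) and leaf.crt/leaf.key (CN=abc.microsoft.com issued by it, CA:FALSE).
make_demo_certs() {
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    printf 'basicConstraints=CA:FALSE\n' > "$d/leaf.ext"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Bump CA" \
        -keyout "$d/ca.key" -out "$d/ca.csr" 2>/dev/null
    openssl x509 -req -in "$d/ca.csr" -signkey "$d/ca.key" -days 1 \
        -extfile "$d/ca.ext" -out "$d/ca.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=abc.microsoft.com" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -extfile "$d/leaf.ext" -out "$d/leaf.crt" 2>/dev/null
}

# Mint a host cert for $3 as ssl-bump would, signed by cert $1/key $2, into $4;
# return 0 when a client trusting root $5 (signer offered as intermediate) accepts it.
bump_and_verify() {
    signer_crt=$1; signer_key=$2; host=$3; out=$4; root=$5
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$host" \
        -keyout "$out.key" -out "$out.csr" 2>/dev/null
    openssl x509 -req -in "$out.csr" -CA "$signer_crt" -CAkey "$signer_key" \
        -CAcreateserial -days 1 -out "$out" 2>/dev/null
    openssl verify -CAfile "$root" -untrusted "$signer_crt" "$out" >/dev/null 2>&1
}

# Demo: the CA signer is accepted; the leaf signer fails ("invalid CA certificate").
demo=$(mktemp -d)
make_demo_certs "$demo"
for signer in ca leaf; do
    if is_ca_cert "$demo/$signer.crt"; then ca=TRUE; else ca=FALSE; fi
    if bump_and_verify "$demo/$signer.crt" "$demo/$signer.key" abc.microsoft.com \
            "$demo/host-by-$signer.crt" "$demo/ca.crt"; then
        echo "signer=$signer CA:$ca -> client accepts the bumped certificate"
    else
        echo "signer=$signer CA:$ca -> client rejects the bumped certificate"
    fi
done
```

The same check applies to the real deployment: run is_ca_cert against /etc/squid3/squid.crt; if it is not CA:TRUE, no subject name will make curl accept the bumped certificates.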