Forum OpenACS Q&A: Re: how to config for multiple aolserver instances

Collapse
25: Re: how to config for multiple aolserver instances (response to 1)
Posted by Brad Duell on 08/08/03 05:51 PM
Bart,

Hmmm.  All I can say is that something must be wrong with your certificate, or referencing the certificate.  On the off-chance, I replaced my self-signed certs with one's by Thawte, and lo-and-behold the certification path *does* show correctly.

If your certificate works directly, but not through the proxy, the only thing I can think of is you might be referencing the wrong files in your squid.conf.

Collapse
26: Re: how to config for multiple aolserver instances (response to 25)
Posted by Bart Teeuwisse on 08/08/03 11:23 PM
Finally worked it out. The missing piece is indeed the CA cert. In AOLserver, one specifies the server cert, the server key and the CA cert. Squid on the other hand only accepts the server cert and the server key.

What I couldn't figure out is where Squid gets the CA cert from. After several hours of reading code and googling I finally traced the location of the CA certs. Squid relies on the CA certs provided with openssl. This explains why it worked for Brad but not for me. Our CA cert was not included in the default openssl list of CA certs.

The openssl CA certs are listed in /usr/share/ssl/cert.pem. Adding our CA cert to this list resolved the issue.

/Bart

Collapse
27: Re: how to config for multiple aolserver instances (response to 26)
Posted by Bart Teeuwisse on 08/12/03 02:53 AM

It appears that redirecting HTTP to HTTPS in Squid 2.5 is not trivial. From the squid-users archives:

Squid-2.5 has the peculiar limitation that requests accepted by https_port will internally be processed as http:// requests, meaning that http:// is sent to redirectors etc.

What you can do to differentiate http_port from https_port in squid-2.5 is to enable httpd_accel_port virtual, then look for the port number in your redirector, clean up the url etc.

Another option is to look into Squid-3.0 where this is a whole lot easier and does not require a redirector helper.

/Bart