Multiple SSL certificates with Squid reverse proxy


Squid doesn't support SNI, as is written here. So to have in Squid:

https://server1.com (cert for server1.com) => http://mylanip1
https://server2.com (cert for server2.com) => http://mylanip2

you have to:

  1. Put the addresses on different IPs, because a certificate is assigned to a unique pair [IP, port].
  2. Configure Squid like this:
https_port server1.com:443 cert=/etc/ssl/server1.pem vhost
https_port server2.com:443 cert=/etc/ssl/server2.pem vhost

cache_peer mylanip1 parent 80 0 name=lanip1 no-query originserver
cache_peer_domain lanip1 server1.com

cache_peer mylanip2 parent 80 0 name=lanip2 no-query originserver
cache_peer_domain lanip2 server2.com

It would be better if you had servers on subdomains of a domain for which you have a wildcard certificate (e.g. s1.myserver.com, s2.myserver.com, certificate for *.myserver.com). Then you could use only one https_port entry

https_port 443 cert=/etc/ssl/wildcard.myserver.com.pem vhost

So it's possible in squid.

But such a simple case is much easier to do with httpd and Name-based Virtual Hosts. You will save one public IP. In CentOS 6 the openssl and httpd versions support SNI. It's visible from the openssl version. (See here and here)
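The whole answer turns on one protocol detail: without SNI the front end has nothing but the listening IP:port to pick a certificate from, because the hostname only becomes visible after the handshake. The following is an added example (not code from the original answer, and not Squid's or nginx's own code) that builds a minimal ClientHello with and without the RFC 6066 server_name extension, parses the SNI back out, and then shows the two certificate-selection models side by side: the per-IP model the answer configures for Squid, and the name-keyed model an SNI-aware front end uses. The addresses 203.0.113.1/.2 and the certificate paths are hypothetical, and the ClientHello bytes are constructed here, not captured.

```python
"""Extract the TLS Server Name Indication (SNI) from a ClientHello.

Added example, not from the original post or from Squid. SNI is the extension
a front end needs in order to pick a certificate per hostname on one IP:port;
a proxy that ignores it can only key on the listening IP:port, which is why
the answer above binds one certificate per IP.
"""
import struct

TLS_HANDSHAKE = 0x16        # record-layer content type
CLIENT_HELLO = 0x01         # handshake message type
EXT_SERVER_NAME = 0x0000    # RFC 6066 server_name extension
SNI_HOST_NAME = 0x00        # the only NameType defined by RFC 6066


def build_client_hello(server_name=None):
    """Constructed sample input: a minimal TLS 1.2 ClientHello record,
    with an SNI extension when server_name is given. Not a full TLS client."""
    version = b"\x03\x03"
    random = b"\x00" * 32                      # constructed; real clients send 32 random bytes
    session_id = b""
    cipher_suites = struct.pack("!H", 0x002F)  # one example suite, TLS_RSA_WITH_AES_128_CBC_SHA
    compression = b"\x00"                      # null compression only
    body = (version + random
            + struct.pack("!B", len(session_id)) + session_id
            + struct.pack("!H", len(cipher_suites)) + cipher_suites
            + struct.pack("!B", len(compression)) + compression)
    if server_name is not None:
        name = server_name.encode("ascii")     # SNI host_name is ASCII (A-labels for IDNs)
        entry = struct.pack("!BH", SNI_HOST_NAME, len(name)) + name
        sni_list = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
        body += struct.pack("!H", len(ext)) + ext
    handshake = struct.pack("!B", CLIENT_HELLO) + len(body).to_bytes(3, "big") + body
    return struct.pack("!B", TLS_HANDSHAKE) + version + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the SNI host_name of a ClientHello record, or None if the client
    sent no SNI (older clients, or a connection to an IP literal).
    Raises ValueError for anything that is not a well-formed ClientHello."""
    try:
        if record[0] != TLS_HANDSHAKE:
            raise ValueError("not a TLS handshake record")
        rec_len = struct.unpack("!H", record[3:5])[0]
        msg = record[5:5 + rec_len]
        if len(msg) < rec_len or msg[0] != CLIENT_HELLO:
            raise ValueError("not a ClientHello")
        hello_len = int.from_bytes(msg[1:4], "big")
        hello = msg[4:4 + hello_len]
        if len(hello) < hello_len:
            raise ValueError("truncated ClientHello")
        pos = 2 + 32                                              # client_version + random
        pos += 1 + hello[pos]                                     # session_id
        pos += 2 + struct.unpack("!H", hello[pos:pos + 2])[0]     # cipher_suites
        pos += 1 + hello[pos]                                     # compression_methods
        if pos == len(hello):
            return None                                           # no extensions block at all
        ext_len = struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        if end != len(hello):
            raise ValueError("bad extensions length")
        while pos + 4 <= end:
            ext_type, length = struct.unpack("!HH", hello[pos:pos + 4])
            pos += 4
            ext = hello[pos:pos + length]
            pos += length
            if ext_type != EXT_SERVER_NAME:
                continue
            list_len = struct.unpack("!H", ext[:2])[0]
            lpos = 2
            while lpos + 3 <= 2 + list_len:
                name_type, name_len = struct.unpack("!BH", ext[lpos:lpos + 3])
                lpos += 3
                name = ext[lpos:lpos + name_len]
                lpos += name_len
                if name_type == SNI_HOST_NAME:
                    return name.decode("ascii")
        return None
    except (IndexError, struct.error, UnicodeDecodeError) as exc:
        raise ValueError("malformed ClientHello: %s" % exc) from exc


def select_certificate(listener_ip, record, ip_certs, sni_certs=None):
    """Which certificate a front end presents for an incoming ClientHello.
    With sni_certs=None it behaves like a proxy that ignores SNI (the Squid in
    the answer): the listening IP alone decides, so each hostname needs its own
    address. With an SNI table it keys on the name and falls back to the
    IP-bound certificate only when the client sent no SNI."""
    name = extract_sni(record)
    if sni_certs is not None and name in sni_certs:
        return sni_certs[name]
    return ip_certs[listener_ip]


if __name__ == "__main__":
    # Hypothetical addresses and certificate paths, not from the original post.
    ip_certs = {"203.0.113.1": "/etc/ssl/server1.pem", "203.0.113.2": "/etc/ssl/server2.pem"}
    sni_certs = {"server1.com": "/etc/ssl/server1.pem", "server2.com": "/etc/ssl/server2.pem"}
    hello = build_client_hello("server2.com")
    print("SNI in ClientHello :", extract_sni(hello))
    print("no-SNI proxy, one IP:", select_certificate("203.0.113.1", hello, ip_certs))
    print("SNI-aware front end :", select_certificate("203.0.113.1", hello, ip_certs, sni_certs))
```

The no-SNI call returns server1.pem for a client asking for server2.com, which is exactly the certificate-mismatch error the question reports for the second domain on a single https_port. Against a real front end the same check is `openssl s_client -connect <ip>:443 -servername server2.com`: if the subject of the presented certificate does not change when `-servername` changes, that listener is not honouring SNI and needs either one IP per certificate or a wildcard certificate, as the answer says.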


Author: DJ-P.I.M.P

Updated on September 18, 2022

Comments

  • DJ-P.I.M.P
    DJ-P.I.M.P over 1 year

    I have been upgrading my network from using an apache reverse proxy (Not quite powerful enough) to a Squid proxy configured just for reverse use.

    My squid proxy is on a CentOS 6 VM, and currently running alongside my pre-existing apache proxy - so I still have the squid running on port 3128.

    I have this setup in my /etc/squid/squid.conf,

    http_port 3128 accel vhost
    visible_hostname squid
    
    cache_peer 192.168.0.13 parent 80 0 no-query originserver name=server1
    cache_peer_domain server1 www.server1.com server1.com
    
    cache_peer 192.168.0.14 parent 80 0 no-query originserver name=server2
    cache_peer_domain server2 www.server2.com server2.com
    
    cache_peer 192.168.0.15 parent 80 0 no-query originserver name=server3
    cache_peer_domain server3 www.server3.com server3.com
    
    http_access allow all
    

    This works perfectly for all HTTP connections.

    It directs

    www.server1.com:3128
    

    to

    192.168.0.13:80
    

    I have been trying to implement SSL certs for two of the three domains. Last night I managed to get some successful config for a fully working HTTPS connection to one of my domains.

    I added this config before the HTTP settings:

    https_port 443 accel ssl-bump transparent vhost cert=/usr/ssl/CA/server1.crt key=/usr/ssl/CA/server1.key
    
    cache_peer 192.168.0.12 parent 443 0 no-query originserver login=PASS ssl sslflags=DONT_VERIFY_PEER name=server1_ssl
    cache_peer_domain server1_ssl ssl www.server1.com server1.com
    

    This seemed to be ok last night. It would connect to

    https://www.domain1.com
    

    fully encrypted. Because of one of the options (trial and error - can't remember which), it decrypts the packets, and directs the HTTPS request to the correct VM. The VM already had the SSL cert installed, so would recognise HTTPS requests, and the whole pageload from start to finish was encrypted.

    I could visit https://www.domain2.com and it would say the connection was partially encrypted, and would show a cert error, that the cert was for www.domain1.com

    However, today, this was really interfering with the HTTP connection to domain1, and my browser was saying the page was being redirected in a way that will never complete.

    I have since removed the whole SSL connection config from the config file, and I am running standard HTTP only.

    Are there any ways I can get https://www.domain1.com to read cert domain1.crt and direct to domain1's VM, and https://www.domain2.com to read cert domain2.crt and direct to domain2's VM ?

    Sorry for such a long question, but it's a very specific issue I have been having, and I tried to give as much info as possible.

    Thanks

    • Michael Hampton
      Michael Hampton over 10 years
      I don't think Squid properly supports this scenario. Better to use a more well developed reverse proxy, such as nginx, varnish, etc.
    • DJ-P.I.M.P
      DJ-P.I.M.P over 10 years
      @MichaelHampton Thanks, I wasn't aware nginx had the capabilities. I was under the impression it was a PIMPed up version of apache... A google search found me this... digitalocean.com/community/articles/… ... Looks very interesting... Thanks !
    • Michael Hampton
      Michael Hampton over 10 years
      nginx does reverse proxying and caching and SSL termination with SNI support. It's probably your best bet if you want a single package.
    • DJ-P.I.M.P
      DJ-P.I.M.P over 10 years
      I've been trying to install nginx with SNI support on CentOS 6 with no joy... the package isn't in YUM, so I added a repo... It didn't come with SNI support. Had major issues trying to set the flag in the ./configure section, to compile with SNI... It's never easy for us programmers, is it? :)
    • Michael Hampton
      Michael Hampton over 10 years
      The nginx from their repo certainly supports SNI out of the box. You should start over.
    • DJ-P.I.M.P
      DJ-P.I.M.P over 10 years
      Got it working !!! Thanks... NGINX is really powerful and fast... I tried setting up standard HTTP alongside, and it works really well too - if I disable IPTABLES. I have set up a rule to allow all TCP traffic on port 80, but it still won't work. Is there any reason it shouldn't? Does nginx use another protocol than TCP? I'm baffled... I've tried every combination, but with no joy. If I disable IPTABLES, everything works well :) so thanks very much for the tip...