Multiple SSL certificates with Squid reverse proxy
Squid doesn't support SNI, as is written here. So to have in Squid:
https://server1.com (cert for server1.com) => http://mylanip1
https://server2.com (cert for server2.com) => http://mylanip2
you have to:
- Put the addresses on different IPs, because a certificate is assigned to a unique pair [IP, port].
- Configure Squid like this:
https_port server1.com:443 cert=/etc/ssl/server1.pem vhost
https_port server2.com:443 cert=/etc/ssl/server2.pem vhost
cache_peer mylanip1 parent 80 0 name=lanip1 no-query originserver
cache_peer_domain lanip1 server1.com
cache_peer mylanip2 parent 80 0 name=lanip2 no-query originserver
cache_peer_domain lanip2 server2.com
It would be better if you had servers on subdomains of a domain for which you have a wildcard certificate (e.g. s1.myserver.com, s2.myserver.com, certificate for *.myserver.com). Then you could use only one https_port entry:
https_port 443 cert=/etc/ssl/wildcard.myserver.com.pem vhost
So it's possible in Squid.
But such a simple case is much easier to do with httpd and Name-based Virtual Hosts. You will save one public IP. In CentOS 6 the openssl and httpd versions support SNI. It's visible from the openssl version. (See here and here)
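As an added example (not from the answer and not part of Squid), a small Python lint over the directives used on this page: it reports any https_port listener that carries more than one certificate (the case the answer says Squid cannot serve without SNI), cache_peer and cache_peer_domain names that do not match up, and any cache_peer with sslflags=DONT_VERIFY_PEER, which turns off certificate checking toward the origin server as in the asker's config. The sample configuration is constructed; the 203.0.113.x addresses are placeholders.

```python
from typing import Dict, List, Set

# Constructed sample: the naive two-certificate attempt the answer says cannot
# work, the answer's one-listener-per-IP layout (203.0.113.x are placeholder
# IPs), and a peer with verification disabled as in the asker's config.
SAMPLE_CONF = """
https_port 443 cert=/etc/ssl/server1.pem vhost
https_port 443 cert=/etc/ssl/server2.pem vhost
https_port 203.0.113.10:443 cert=/etc/ssl/server1.pem vhost
https_port 203.0.113.11:443 cert=/etc/ssl/server2.pem vhost
cache_peer mylanip1 parent 80 0 name=lanip1 no-query originserver
cache_peer_domain lanip1 server1.com
cache_peer mylanip2 parent 443 0 no-query originserver ssl sslflags=DONT_VERIFY_PEER name=lanip2
cache_peer_domain lanip2 server2.com
cache_peer mylanip3 parent 80 0 name=lanip3 no-query originserver
cache_peer_domain orphan server3.com
"""

def lint_squid_conf(text: str) -> List[str]:
    """Return findings for the reverse-proxy TLS directives in a squid.conf."""
    findings: List[str] = []
    listeners: Dict[str, Set[str]] = {}   # "addr:port" -> certificate paths
    peers: Set[str] = set()               # cache_peer names
    mapped: Set[str] = set()              # names used by cache_peer_domain
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) < 2:
            continue
        directive, args = parts[0], parts[1:]
        opts = {a.split("=", 1)[0]: a.split("=", 1)[1] for a in args if "=" in a}
        if directive == "https_port":
            addr = args[0] if ":" in args[0] else "*:" + args[0]  # bare port = all IPs
            listeners.setdefault(addr, set()).add(opts.get("cert", "(no cert=)"))
        elif directive == "cache_peer":
            name = opts.get("name", args[0])     # Squid defaults name to the host
            peers.add(name)
            if opts.get("sslflags") == "DONT_VERIFY_PEER":
                findings.append(f"cache_peer {name}: origin certificate verification disabled")
        elif directive == "cache_peer_domain":
            mapped.add(args[0])
    for addr, certs in listeners.items():
        if len(certs) > 1:
            findings.append(f"https_port {addr}: {len(certs)} certificates on one listener; "
                            "Squid serves one certificate per IP:port (no SNI)")
    for name in sorted(mapped - peers):
        findings.append(f"cache_peer_domain {name}: no cache_peer with that name")
    for name in sorted(peers - mapped):
        findings.append(f"cache_peer {name}: no cache_peer_domain mapping, accepts any vhost")
    return findings
```

Run it as `lint_squid_conf(open("/etc/squid/squid.conf").read())` against a real file; the sample yields four findings, one of each kind plus the unmapped third peer.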
DJ-P.I.M.P
Updated on September 18, 2022
Comments
-
DJ-P.I.M.P over 1 year
I have been upgrading my network from using an apache reverse proxy (Not quite powerful enough) to a Squid proxy configured just for reverse use.
My squid proxy is on a CentOS 6 VM, and currently running alongside my pre-existent apache proxy - so I still have the squid running on port 3128.
I have this setup in my /etc/squid/squid.conf,
http_port 3128 accel vhost
visible_hostname squid
cache_peer 192.168.0.13 parent 80 0 no-query originserver name=server1
cache_peer_domain server1 www.server1.com server1.com
cache_peer 192.168.0.14 parent 80 0 no-query originserver name=server2
cache_peer_domain server2 www.server2.com server2.com
cache_peer 192.168.0.15 parent 80 0 no-query originserver name=server3
cache_peer_domain server3 www.server3.com server3.com
http_access allow all
This works perfectly for all HTTP connections.
It directs www.server1.com:3128 to 192.168.0.13:80.
I have been trying to implement SSL certs for two of the three domains. Last night I managed to get some successful config for a fully working HTTPS connection to one of my domains.
I added this config before the HTTP settings:
https_port 443 accel ssl-bump transparent vhost cert=/usr/ssl/CA/server1.crt key=/usr/ssl/CA/server1.key
cache_peer 192.168.0.12 parent 443 0 no-query originserver login=PASS ssl sslflags=DONT_VERIFY_PEER name=server1_ssl
cache_peer_domain server1_ssl ssl www.server1.com server1.com
This seemed to be OK last night. It would connect to https://www.domain1.com fully encrypted. Because of one of the options (trial and error - can't remember which), it decrypts the packets, and directs the HTTPS request to the correct VM. The VM already had the SSL cert installed, so would recognise HTTPS requests, and the whole page load from start to finish was encrypted.
I could visit https://www.domain2.com and it would say the connection was partially encrypted, and would show a cert error, that the cert was for www.domain1.com.
However, today, this was really interfering with the HTTP connection to domain1, and my browser was saying the page was being redirected in a way that will never complete.
I have since removed the whole SSL connection config from the config file, and I am running standard HTTP only.
Are there any ways I can get https://www.domain1.com to read cert domain1.crt and direct to domain1's VM, and https://www.domain2.com to read cert domain2.crt and direct to domain2's VM?
Sorry for such a long question, but it's a very specific issue I have been having, and I tried to give as much info as possible.
Thanks
-
Michael Hampton over 10 years: I don't think Squid properly supports this scenario. Better to use a more well developed reverse proxy, such as nginx, varnish, etc.
-
DJ-P.I.M.P over 10 years: @MichaelHampton Thanks, I wasn't aware nginx had the capabilities. I was under the impression it was a PIMPed up version of apache... A google search found me this... digitalocean.com/community/articles/… ... Looks very interesting... Thanks!
-
Michael Hampton over 10 years: nginx does reverse proxying and caching and SSL termination with SNI support. It's probably your best bet if you want a single package.
-
DJ-P.I.M.P over 10 years: I've been trying to install nginx with SNI support on CentOS 6 with no joy... package isn't in YUM, so added repo... Didn't come with SNI support. Had major issues trying to set the flag on ./configure section, to compile with SNI... It's never easy for us programmers, is it? :)
-
Michael Hampton over 10 years: The nginx from their repo certainly supports SNI out of the box. You should start over.
-
DJ-P.I.M.P over 10 years: got it working!!! thanks... NGINX is really powerful and fast... I tried setting up standard HTTP alongside, and it works really well too - if I disable IPTABLES. I have set up a rule to allow all TCP traffic on port 80, but it still won't work. Is there any reason it shouldn't? Does nginx use another protocol than TCP? I'm baffled... I've tried every combination, but with no joy. If I disable IPTABLES, everything works well :) so thanks very much for the tip...