RE: [squid-users] SSL reverse-proxy questions (was "redirect")

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Fri, 27 May 2005 06:03:29 +0200 (CEST)

On Mon, 23 May 2005, Discussion Lists wrote:

> Okay, I'll just start over. First of all, I should never have used the
> term "redirect" That is more of a firewall term, and it should have
> been left out. All I want to do is reverse-proxy SSL connections,
> hopefully several of them. Each time you set up one of these
> connections, you have to add in a line similar to below into squid.conf:
>
> "https_port 443 cert=/path/to/cert.cert key=/path/to/key.key accel
> your.site.name protocol http"

For squid-3 you would use something like the above, yes. Correct syntax is

https_port 443 cert=/path/to/cert.cert key=/path/to/key.key accel defaultsite=your.site.name protocol=http

In addition you need to specify the server(s) to connect to

cache_peer address.of.server parent 80 0 no-query originserver
or for an https server
cache_peer address.of.server parent 443 0 no-query originserver ssl

and when you have multiple sites use cache_peer_access (or
cache_peer_domain) to indicate what requests should be sent to each
server.

In Squid-2.5 the situation is somewhat different, and the support for
accelerating more than one site is not as easy to configure. There are no
options to https_port other than the certificate info and you instead use
the httpd_accel_* directives to control reverse proxy function. Depending
on your servers you may be able to use the cache_peer based forwarding
outlined above in combination with never_direct but not to all servers and
not very efficiently (no support for persistent connections in such
accelerator configuration of 2.5). The more efficient method for Squid-2.5
is to specify the server addresses in /etc/hosts or a private DNS.

In both cases you need to set up access controls indicating which domains
are allowed to be requested via the accelerator / reverse proxy. This is
similar to the client based access controls in a normal proxy but using
the dstdomain acl instead of src.

acl mydomains dstdomain accelerated.domain1 accelerated.domain2 ...
acl http protocol http https
acl httpport port 80 443
http_access allow mydomains http httpport
http_access deny all

> This will reverse-proxy any request for "your.site.name" from what I
> understand. But that is just one site. Suppose I have another site
> that I want available for SSL? Could I just add another line similar to
> the above, but for the second, third or more sites?

You add as many as you have sites. Each certificate needs to specify a
unique [ip:]port. Or in other words, as you normally run https sites on
port 443, each site needs its own IP. The exception is if you have a
wildcard certificate covering all/several of the sites. These can then
share the same https_port as they share the same certificate.

> Okay here's the second question. The above line is an example of how to
> reverse-proxy from SSL to http, or port 443, to port 80 right? Now,
> suppose I want to reverse-proxy several SSL connections, similar to
> above, but instead of changing from SSL to http, (443 -> 80 as above) I
> am reverse-proxying straight SSL (443 -> 443).

If you want straight SSL where the SSL is between the browser and the
server then you need to publish the server port directly to the client,
either by direct connection, NAT or TCP plug.

Squid(3) can act as an https proxy, decrypting the requests and then
re-encrypting them again. You do this by not specifying the
protocol=http on the https_port line (or specifying protocol=https) and use
the ssl option to cache_peer.

Squid-2.5 as shipped does not have https proxy capabilities, but support
can be added by the SSL update patch available from devel.squid-cache.org.
The support in reverse-proxy mode is however somewhat limited and you in
practice must use the cache_peer forwarding method described above.

> Is this possible for multiple sites?

Yes.

> If it is, is there some way that I could make it so I would not need a
> certificate on the firewall for each connection and just have the
> backend server handle certificate requests?

Yes, but not by using Squid. See above.

> Lastly, I found information on the internet about how to create your own
> certificates, but nothing about how to import them from somewhere else.
> Anyone know of any tutorials that deal with this?

You need to find methods to export them from your servers into PEM format.

If the servers are already using PEM format certificate files (for example
Apache mod_ssl) then all you need is to copy the certificate+key over to
your Squid.

If the servers use some other format for their exported certificates you
need to find a way to convert them to PEM format. Some servers export
certificates in DER format and you then convert them using the openssl
tool. Some, such as IIS, have their own formats. If you look for guides on
how to move the certificate from the type of server you have to Apache
mod_ssl then you should find the required steps. The certificate
requirements for mod_ssl and Squid are the same (as they are for most other
servers using openssl).

Regards
Henrik
Received on Thu May 26 2005 - 22:03:39 MDT
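Putting the Squid-3 directives from the reply above together, here is an added example squid.conf fragment (not from the original post or the Squid project) for two reverse-proxied SSL sites on two IP addresses: one with a plain-HTTP origin and one re-encrypted to an https origin. All host names, IP addresses and file paths are constructed placeholders.

```conf
# Added example squid.conf fragment (not from the original post). Squid-3 syntax.
# Host names, IPs and paths below are constructed placeholders.

# One https_port per certificate. Two sites on port 443 therefore need two
# IPs, unless one wildcard certificate covers both (then one line suffices).
https_port 192.0.2.10:443 cert=/etc/squid/certs/www.example.com.pem key=/etc/squid/certs/www.example.com.key accel defaultsite=www.example.com protocol=http
# protocol=https: Squid decrypts from the browser and re-encrypts to the origin.
https_port 192.0.2.11:443 cert=/etc/squid/certs/shop.example.com.pem key=/etc/squid/certs/shop.example.com.key accel defaultsite=shop.example.com protocol=https

# Origin servers. www is reached over plain HTTP on the internal network,
# shop is an https origin, so the peer gets the ssl option.
cache_peer 10.0.0.10 parent 80  0 no-query originserver
cache_peer 10.0.0.11 parent 443 0 no-query originserver ssl

# Route each accelerated domain to its own origin and nowhere else.
acl www_site  dstdomain www.example.com
acl shop_site dstdomain shop.example.com
cache_peer_access 10.0.0.10 allow www_site
cache_peer_access 10.0.0.10 deny  all
cache_peer_access 10.0.0.11 allow shop_site
cache_peer_access 10.0.0.11 deny  all

# Never let Squid resolve the public name itself and connect "direct";
# every request must go through a cache_peer above.
never_direct allow all

# Access control: only the accelerated domains may be requested through
# the reverse proxy, on http/https and ports 80/443. Everything else is denied.
acl mydomains dstdomain www.example.com shop.example.com
acl http      protocol  http https
acl httpport  port      80 443
http_access allow mydomains http httpport
http_access deny  all
```

The two `deny all` lines under `cache_peer_access` matter: without them a request for www.example.com that somehow misses the first peer could be forwarded to the shop origin, so each origin only ever sees its own domain.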
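The last question, getting existing certificates into the PEM form Squid's `cert=`/`key=` options expect, comes down to a few openssl invocations. The shell functions below are an added example (not from the original post or from the Squid project): they cover DER-encoded certificates and keys, PKCS#12 bundles (the `.pfx` files IIS exports), and a check that the key really belongs to the certificate before Squid is restarted with it. File paths and the passphrase are placeholders; the openssl command-line tool is assumed to be installed.

```shell
#!/bin/sh
# Added example (not from the original post): convert certificate material
# exported by other servers into PEM files for Squid's https_port cert=/key=.
# Requires the openssl command-line tool. Paths are placeholders.

# DER-encoded certificate (binary .cer/.crt/.der) -> PEM certificate.
der_cert_to_pem() {
    openssl x509 -inform DER -in "$1" -out "$2"
}

# DER-encoded RSA private key -> PEM private key.
der_key_to_pem() {
    openssl rsa -inform DER -in "$1" -out "$2"
}

# PKCS#12 bundle (.pfx/.p12, the IIS export format) -> separate PEM files.
# Usage: pkcs12_to_pem bundle.pfx cert.pem key.pem 'export-passphrase'
# The key is written unencrypted (-nodes) because Squid cannot answer a
# passphrase prompt at startup; the file is therefore made mode 0600.
# Old exports encrypted with RC2 may need "-legacy" added on OpenSSL 3.
pkcs12_to_pem() {
    pfx=$1; cert_out=$2; key_out=$3; pass=$4
    openssl pkcs12 -in "$pfx" -clcerts -nokeys -passin "pass:$pass" -out "$cert_out" || return 1
    openssl pkcs12 -in "$pfx" -nocerts -nodes  -passin "pass:$pass" -out "$key_out"  || return 1
    chmod 600 "$key_out"
}

# Sanity check before restarting Squid: the RSA modulus of the certificate
# must equal that of the key. Returns 0 on match, 1 on mismatch.
cert_key_match() {
    c=$(openssl x509 -noout -modulus -in "$1") || return 1
    k=$(openssl rsa  -noout -modulus -in "$2" 2>/dev/null) || return 1
    [ "$c" = "$k" ]
}
```

After conversion, point `cert=` at the certificate file and `key=` at the key file; if the issuing CA used an intermediate, append that certificate's PEM block after your own in the `cert=` file so browsers receive the whole chain.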
