[squid-users] Re: How to set up a reverse proxy server over SSL?

From: fulan Peng <fulanpeng@dont-contact.us>
Date: Mon, 3 Jul 2006 10:08:12 -0400

Hello,
I succeeded in setting up a reverse proxy server over SSL.
The following is my experience:

1. Compile squid with --enable-ssl and, optionally, --with-openssl= if your
ssl-devel headers are not in /usr/include/openssl, e.g.
--with-openssl=/usr/local/include

./configure --enable-ssl --with-openssl=/usr/local/ssl/include

2. cd /usr/local/squid/etc
mkdir demoCA
cd demoCA
touch index.txt
echo "01" > serial
mkdir private
mkdir newcerts

Generate the CA certificate (self-signed):
/usr/local/ssl/bin/openssl req -new -x509 \
  -keyout /usr/local/squid/etc/demoCA/private/cakey.pem \
  -out /usr/local/squid/etc/demoCA/cacert.pem -days 365 \
  -subj /C=US/ST=xxxx/L=xxxxx/OU=xxxx/O=xxxx/CN=yourdomain/emailAddress=youremail@address.com

3. Generate the certificate:
/usr/local/ssl/bin/openssl req -new -keyout key.pem -out req.pem -days 365
where req.pem is the certificate request

4. Remove the password from the key.
cd /usr/local/squid/etc
cp key.pem key.pem.old
/usr/local/ssl/bin/openssl rsa -in key.pem.old -out key.pem

5. Sign this certificate with your CA cert:
/usr/local/ssl/bin/openssl ca -in /usr/local/squid/etc/req.pem \
  -out /usr/local/squid/etc/cert.pem

6. Remove unneeded lines from cert.pem (usually you only need the
lines between
-----BEGIN CERTIFICATE-----
.........................
......................
-----END CERTIFICATE-----)

7. Add this to squid.conf:

https_port [ip_address:]port cert=/where/cert.pem key=/where/key.pem

Here are the keys for the config of squid:

acl huanghuagang.org dstdomain huanghuagang.org
acl our_networks src 192.168.0.0/24

http_access allow huanghuagang.org
http_access allow our_networks

https_port 8888 accel vhost cert=/usr/local/squid/etc/cert.pem key=/usr/local/squid/etc/key.pem cafile=/usr/local/squid/etc/demoCA/cacert.pem defaultsite=xxx.fr

cache_peer huanghuagang.org parent 80 0 no-query originserver name=huanghuagang

cache_peer_access huanghuagang allow huanghuagang.org

If I need another site, I would assign 8889 to this site and repeat
everything above. I do not know if there is a better way. But this way
is easy to understand.

On 7/3/06, frankpeng@netscape.net <frankpeng@netscape.net> wrote:
> Yes. I have finished setting up a reverse proxy server without SSL. It is
> fast! I love it! Now it is an issue to add SSL to it. I think it will
> not be hard. I will post the whole procedure and the actual working
> squid.conf file once I succeed.
>
> Thank you!
>
>
>
> -----Original Message-----
> From: Henrik Nordstrom <henrik@henriknordstrom.net>
> To: fulan Peng <fulanpeng@gmail.com>
> Cc: squid-users@squid-cache.org; Visolve Squid <squid@visolve.com>
> Sent: Mon, 03 Jul 2006 07:34:54 +0200
> Subject: Re: [squid-users] How to set up a reverse proxy server over
> SSL?
>
> Mon 2006-07-03 at 09:17 +0530, Visolve Squid wrote:
>
> > Hello Peng,
> >
> > The following steps are used to configure squid-3.0 with SSL
> >
> > Compile squid with the ssl support option
> >
> > ./configure --prefix=/usr/local/squid --enable-ssl
> >
> > Edit the squid configuration for squid with SSL support (reverse
> > proxy)
> >
> > https_port 443 protocol=http cert=/path/to/server/certificate/server_cert.pem key=/path/to/server/key/server_priv_key.pem vport=<port on which the back end server listens>
>
> almost... you should primarily use defaultsite=your.main.site to enable
> reverse proxy mode and maybe vhost if you need to support domain based
> virtual hosting. vport is normally not needed. The port number is
> specified in cache_peer.
>
> As hinted above you also need a cache_peer line defining the origin
> server address and port.
>
> > acl SSL method CONNECT
> > never_direct allow SSL
>
> The CONNECT method is not applicable to reverse proxies and should
> probably be denied entirely...
>
> Regards
> Henrik
>
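The certificate steps above as one script, added here and not the poster's own commands: it builds the demoCA layout, CA, passwordless server key and CA-signed cert.pem, then checks that cert.pem verifies against cacert.pem and that key.pem is its private key, which is the check worth running before squid is restarted on the new https_port. It substitutes `openssl x509 -req` for `openssl ca` so it runs without a CA section in openssl.cnf; the directory argument and the CN values are placeholders, and `openssl` is assumed to be on PATH.

```shell
#!/bin/sh
# Added example (not from the list post): builds the demoCA layout, a self-signed CA,
# a passwordless server key, a CSR and a CA-signed cert for squid's https_port,
# then checks the result before squid.conf is pointed at it.
# Assumptions: openssl on PATH; the directory and CN values are constructed placeholders.
set -e

make_squid_certs() {
    dir=$1                   # stands in for /usr/local/squid/etc
    ca=$dir/demoCA
    mkdir -p "$ca/private" "$ca/newcerts"
    touch "$ca/index.txt"
    echo 01 > "$ca/serial"
    chmod 700 "$ca/private"

    # Step 2: self-signed CA. Note "C=" (country); "CA=" is not a DN attribute.
    openssl req -new -x509 -nodes -newkey rsa:2048 -days 365 \
        -keyout "$ca/private/cakey.pem" -out "$ca/cacert.pem" \
        -subj "/C=US/ST=xx/L=xx/O=xx/OU=xx/CN=Example Squid CA" 2>/dev/null

    # Steps 3 and 4: -nodes writes the key without a passphrase, so the
    # separate "openssl rsa" unwrap step is not needed.
    openssl req -new -nodes -newkey rsa:2048 \
        -keyout "$dir/key.pem" -out "$dir/req.pem" \
        -subj "/C=US/ST=xx/L=xx/O=xx/OU=xx/CN=proxy.example.invalid" 2>/dev/null

    # Step 5: sign the request. "openssl x509 -req" stands in for "openssl ca"
    # so this runs without a CA section in openssl.cnf; its output is already
    # the bare PEM block that step 6 extracts by hand.
    openssl x509 -req -days 365 -in "$dir/req.pem" \
        -CA "$ca/cacert.pem" -CAkey "$ca/private/cakey.pem" -CAcreateserial \
        -out "$dir/cert.pem" 2>/dev/null
    chmod 600 "$dir/key.pem"   # the key is unencrypted; restrict it to squid's user
}

# Returns 0 only if cert.pem chains to cacert.pem and key.pem is its private key.
verify_squid_certs() {
    dir=$1
    openssl verify -CAfile "$dir/demoCA/cacert.pem" "$dir/cert.pem" >/dev/null 2>&1 || return 1
    c=$(openssl x509 -noout -modulus -in "$dir/cert.pem")
    k=$(openssl rsa -noout -modulus -in "$dir/key.pem" 2>/dev/null)
    [ -n "$c" ] && [ "$c" = "$k" ]
}
```

Run as `make_squid_certs /usr/local/squid/etc && verify_squid_certs /usr/local/squid/etc`; a non-zero exit from the second call means the cert, key or CA file squid.conf will reference do not belong together.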
Received on Mon Jul 03 2006 - 08:08:14 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Aug 01 2006 - 12:00:01 MDT