Re: [squid-users] Reverse Proxy Configuration

From: Amos Jeffries <>
Date: Sat, 31 Dec 2011 00:18:52 +1300

>> On Wed, 28 Dec 2011, Roman Gelfand wrote:
>>> Consider the following configuration lines
>>> https_port 443 cert=/etc/apache2/certs/server.pem
>>> key=/etc/apache2/certs/server.key vhost vport
>>> cache_peer parent 8443 0 ssl no-query originserver
>>> sslflags=DONT_VERIFY_PEER front-end-https login=PASS
>>> What if there is more site ssl sites which I would like to forward,
>>> how can I accomplish that?
>>> Also, it appears that alternate CN names are not being recognized.
>>> Is there anything to do about that?
>>> Thanks in advance

On 29/12/2011 7:22 a.m., Roman Gelfand wrote:
> version 3.16.
> On Wed, Dec 28, 2011 at 1:21 PM, Pieter De Wit wrote:
>> Hi Roman,
>> What version of Squid are you using ?

And how do you define "more site ssl sites which I would like to
forward" ... multiple sites with the same certificate passed to several
backend servers? or, multiple sites with separate certificates?

Noting that the certificate in 3.1 and earlier Squid is hard-coded into
the config file as one certificate per https_port.

For multiple different certificates on one port you will need the
"dynamic certificate generator" feature from Squid-3.2. It was created
for ssl-bump ports but with a little tweaking could be used to supply
several certs on a https_port with vhost when the clients send SNI
information. No idea if it actually works yet though, nobody who has
tried it has reported back.

Received on Fri Dec 30 2011 - 11:18:58 MST

This archive was generated by hypermail 2.2.0 : Sun Jan 01 2012 - 12:00:03 MST