Re: [squid-users] Reverse proxy HTTPS redirection before SSL cert has been read

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Mon, 11 Jun 2012 22:39:46 +1200

On 11/06/2012 9:53 p.m., David Benach wrote:
> Hello all.
>
> We have a squid 3.0.STABLE15 used as reverse proxy on a SUSE SLES 11
> SP0. This squid serves the Internet access to some of our portals. The
> communication with the webservers is in HTTP and, for one of the
> domains, the squid serves an SSL certificate bought from a known CA.
>
> For the moment, all works fine and we have no problems with operation.
>
> Now, we need to enable HTTPS communication from another domain but
> without using (and buying) another SSL certificate, because we want to
> change this URL in the browser to the one that works in HTTPS correctly.
>
> The URL redirection is going well, but an ssl_error_bad_cert_domain
> appears in the web browser because the SSL certificate has been read
> before.
> Is it possible to do the redirection before the SSL certificate has
> been read? We have been searching for a solution with no positive
> result. Can you help us?

No. The connection setup has a specific order:
  * TCP handshake
  * TLS certificate exchange
  - (connection is now ready for use)
  * HTTP request
  * HTTP response (redirect)
...

You cannot place the redirect before the HTTP request, and that request
requires the TLS to be completed first.

>
> This is an extract of the actual configuration (the redirection works
> but the cert error appears on the client):
>
> http_port 80 vhost defaultsite=www.domain1.com
> https_port 443 vhost defaultsite=www.domain1.com
> key=/etc/ssl/certs/unencrypt_vsdomain1.key
> cert=/etc/ssl/certs/vsdomain1.cert
> capath=/etc/ssl/certs/intermediateCA.cert

All domains served by Squid on port 443 are sharing this one certificate.

You can make the certificate a wildcard certificate covering multiple
sub-domains. Or open several specific IP:port for Squid to listen on
with different certificates. One domain resolving to each of those
IP:ports.

Amos
Received on Mon Jun 11 2012 - 10:39:57 MDT
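Added example, not part of the thread above: a squid.conf fragment showing the second option Amos describes, one https_port per IP address, each with its own certificate, so that each domain is handed a matching certificate during the TLS handshake, before any HTTP redirect can run. The IP addresses, the second domain and its certificate file names are constructed placeholders.

```conf
# Added example (not from the original thread): one https_port per IP,
# each with its own certificate. The client sees the right certificate
# in the TLS handshake, so no bad_cert_domain error precedes the redirect.
# 192.0.2.10, 192.0.2.11, www.domain2.com and the domain2 files are
# constructed placeholders; adjust them for your site.

# Plain HTTP for both domains, same as the usual accelerator setup.
http_port 80 vhost defaultsite=www.domain1.com

# www.domain1.com must resolve to 192.0.2.10; it keeps the existing cert.
https_port 192.0.2.10:443 vhost defaultsite=www.domain1.com cert=/etc/ssl/certs/vsdomain1.cert key=/etc/ssl/certs/unencrypt_vsdomain1.key

# www.domain2.com must resolve to 192.0.2.11 and gets its own certificate
# (a second purchased cert, or one issued for that name by the same CA).
https_port 192.0.2.11:443 vhost defaultsite=www.domain2.com cert=/etc/ssl/certs/vsdomain2.cert key=/etc/ssl/certs/unencrypt_vsdomain2.key

# Alternative with a single listener, per the first option in the reply:
# a wildcard certificate covers several sub-domains, but only when both
# hosts are sub-domains of the same parent (e.g. *.example.com).
# https_port 443 vhost defaultsite=www.example.com cert=/etc/ssl/certs/wildcard_example.cert key=/etc/ssl/certs/wildcard_example.key
```

Each IP:port listener needs the address configured on the Squid host and its domain's DNS A record pointing at that address; otherwise the client still reaches the listener carrying the wrong certificate.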
