Re: [squid-users] Reverse proxy with multiple SSL sites

From: dweimer <>
Date: Mon, 09 Jun 2014 10:52:16 -0500

On 06/09/2014 10:31 am, Eliezer Croitoru wrote:
> Hey Roberto,
> Yes but with limitations.
> Squid can use only one certificate per ip:port pair.
> This leaves you with the only option of using squid with one
> certificate that overlaps multiple domains in the form of
> "*" which will include all and subdomains.
> There is a function which is not in use by squid that is called SNI
> which allows the client to request a specific site\domain on the first
> stages of the SSL negotiation which allows the service to send a
> specific certificate as default and others in a case of a matched
> domain from by SNI.
> As far as I can tell and remember apache and nginx supports SNI.
> Regards,
> Eliezer
> On 06/09/2014 06:15 PM, Roberto Carna wrote:
>> Dear, just one it possible to use a Squid reverse proxy
>> with several SSL sites/certificates, all listening in TCP/443 in the
>> same public IP ???
>> Thanks a lot,
>> Roberto

There is a third option, using Subject Alternative Names on the
certificate (sometimes called UCC, Unified Communications Certificate).
This allows it to be valid for,,,
etc. Far cheaper than a * certificate, however the
certificate vendor will have limit as to how many you can use, and
charge more for the additional domains. I use this option on our Squid
Reverse proxy at work (using a 15 domain ucc from, however
you should note that all domain names are listed on the certificate. In
our case we are hosting websites for multiple divisions of the same
parent company. It would not be wise to do this if hosting websites for
third party customers, as you wouldn't want to give the impression that
company1 has something to do with company2, and so on.

    Dean E. Weimer
Received on Mon Jun 09 2014 - 15:52:28 MDT

This archive was generated by hypermail 2.2.0 : Mon Jun 09 2014 - 12:00:04 MDT