Centos – Multiple SSL certificates with Squid reverse proxy

Tags: centos, https, reverse-proxy, squid, ssl

I have been upgrading my network from using an Apache reverse proxy (not quite powerful enough) to a Squid proxy configured just for reverse use.

My Squid proxy is on a CentOS 6 VM, and currently running alongside my pre-existing Apache proxy – so I still have Squid running on port 3128.

I have this setup in my /etc/squid/squid.conf:

http_port 3128 accel vhost
visible_hostname squid

cache_peer 192.168.0.13 parent 80 0 no-query originserver name=server1
cache_peer_domain server1 www.server1.com server1.com

cache_peer 192.168.0.14 parent 80 0 no-query originserver name=server2
cache_peer_domain server2 www.server2.com server2.com

cache_peer 192.168.0.15 parent 80 0 no-query originserver name=server3
cache_peer_domain server3 www.server3.com server3.com

http_access allow all

This works perfectly for all HTTP connections.

It directs www.server1.com:3128 to 192.168.0.13:80.

I have been trying to implement SSL certs for two of the three domains.
Last night I managed to get some successful config for a fully working HTTPS connection to one of my domains.

I added this config before the HTTP settings:

https_port 443 accel ssl-bump transparent vhost cert=/usr/ssl/CA/server1.crt key=/usr/ssl/CA/server1.key

cache_peer 192.168.0.12 parent 443 0 no-query originserver login=PASS ssl sslflags=DONT_VERIFY_PEER name=server1_ssl
cache_peer_domain server1_ssl ssl www.server1.com server1.com

This seemed to be OK last night. It would connect to https://www.domain1.com fully encrypted. Because of one of the options (trial and error – can't remember which), it decrypts the packets and directs the HTTPS request to the correct VM. The VM already had the SSL cert installed, so it would recognise HTTPS requests, and the whole page load from start to finish was encrypted.

I could visit https://www.domain2.com and it would say the connection was partially encrypted, and would show a cert error saying that the cert was for www.domain1.com.

However, today this was really interfering with the HTTP connection to domain1, and my browser was saying the page was being redirected in a way that will never complete.

I have since removed the whole SSL connection config from the config file, and I am running standard HTTP only.

Are there any ways I can get https://www.domain1.com to read cert domain1.crt and direct to domain1's VM, and https://www.domain2.com to read cert domain2.crt and direct to domain2's VM?

Sorry for such a long question, but it's a very specific issue I have been having, and I tried to give as much info as possible.

Thanks

Best Answer

Squid doesn't support SNI, as is written here. So to have in Squid:

https://server1.com (cert for server1.com) => http://mylanip1
https://server2.com (cert for server2.com) => http://mylanip2

you have to:

  1. Put the addresses on different IPs, because a certificate is assigned to a unique pair [IP, port].
  2. Configure Squid like this:
https_port server1.com:443 cert=/etc/ssl/server1.pem vhost
https_port server2.com:443 cert=/etc/ssl/server2.pem vhost

cache_peer mylanip1 parent 80 0 name=lanip1 no-query originserver
cache_peer_domain lanip1 server1.com

cache_peer mylanip2 parent 80 0 name=lanip2 no-query originserver
cache_peer_domain lanip2 server2.com

It would be better if you had servers on subdomains of a domain for which you have a wildcard certificate (e.g. s1.myserver.com, s2.myserver.com, certificate for *.myserver.com). Then you could use only one https_port entry:

https_port 443 cert=/etc/ssl/wildcard.myserver.com.pem vhost

So it's possible in Squid.

But such a simple case is much easier to do with httpd and name-based virtual hosts. You will save one public IP. In CentOS 6 the openssl and httpd versions support SNI; this is visible from the openssl version. (See here and here.)
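The constraint the answer relies on (one certificate per listening IP:port pair, and every cache_peer_domain pointing at a defined cache_peer) can be checked statically before restarting Squid. The following is an added example, not code from the question, the answer or the Squid project: a small squid.conf linter that parses https_port, cache_peer and cache_peer_domain lines and reports two https_port entries that overlap on the same port with different certificates (including a bare port, which listens on every address) and cache_peer_domain entries that name a peer that was never defined. The sample configurations, the 203.0.113.x public addresses and the certificate paths are constructed for the example.

```python
"""Static checks for a Squid reverse-proxy configuration (added example).

Checks implemented:
  * two https_port listeners that overlap on the same IP:port but carry
    different cert= values (Squid cannot choose a certificate by name without SNI)
  * an https_port with no cert= at all
  * a cache_peer_domain that refers to a cache_peer name that was never defined
"""


def parse_listener(spec):
    """'443' -> ('*', 443); '203.0.113.10:443' -> ('203.0.113.10', 443);
    'server1.com:443' -> ('server1.com', 443). '*' means "all addresses"."""
    if ":" in spec:
        host, _, port = spec.rpartition(":")
        return host, int(port)
    return "*", int(spec)


def parse_squid_conf(text):
    """Return (listeners, peers, peer_domains) from squid.conf text."""
    listeners, peers, peer_domains = [], {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        directive, *args = line.split()
        if not args:
            continue
        # key=value options (cert=, key=, name=, ...) versus bare flags (vhost, accel, ...)
        opts = dict(a.split("=", 1) for a in args[1:] if "=" in a)
        flags = {a for a in args[1:] if "=" not in a}
        if directive == "https_port":
            host, port = parse_listener(args[0])
            listeners.append({"host": host, "port": port,
                              "cert": opts.get("cert"), "flags": flags})
        elif directive == "cache_peer":
            # Squid defaults a peer's name to its hostname when name= is absent
            peers[opts.get("name", args[0])] = args[0]
        elif directive == "cache_peer_domain":
            peer_domains.append((args[0], args[1:]))
    return listeners, peers, peer_domains


def listeners_overlap(a, b):
    """Two listeners collide if they share a port and either address is
    the same or one of them is the all-addresses wildcard."""
    if a["port"] != b["port"]:
        return False
    return a["host"] == b["host"] or "*" in (a["host"], b["host"])


def lint(text):
    """Return a list of human-readable problems; empty list means clean."""
    listeners, peers, peer_domains = parse_squid_conf(text)
    problems = []
    for i, a in enumerate(listeners):
        if a["cert"] is None:
            problems.append(f"https_port {a['host']}:{a['port']} has no cert=")
        for b in listeners[i + 1:]:
            if listeners_overlap(a, b) and a["cert"] != b["cert"]:
                problems.append(
                    f"https_port {a['host']}:{a['port']} and https_port "
                    f"{b['host']}:{b['port']} overlap but use different certs "
                    f"({a['cert']} vs {b['cert']}); each certificate needs its own IP:port"
                )
    for name, domains in peer_domains:
        if name not in peers:
            problems.append(
                f"cache_peer_domain {name} ({', '.join(domains)}) refers to an undefined cache_peer"
            )
    return problems


# Constructed sample: the shape of the question's attempt, two certificates on
# the same port and a cache_peer_domain whose peer is never declared.
BROKEN_CONF = """
https_port 443 accel vhost cert=/usr/ssl/CA/server1.crt key=/usr/ssl/CA/server1.key
https_port 443 accel vhost cert=/usr/ssl/CA/server2.crt key=/usr/ssl/CA/server2.key
cache_peer 192.168.0.13 parent 80 0 no-query originserver name=server1
cache_peer_domain server1 www.server1.com server1.com
cache_peer_domain server2 www.server2.com server2.com
"""

# Constructed sample: the answer's layout, one public IP per certificate.
GOOD_CONF = """
https_port 203.0.113.10:443 cert=/etc/ssl/server1.pem vhost
https_port 203.0.113.11:443 cert=/etc/ssl/server2.pem vhost
cache_peer 192.168.0.13 parent 80 0 name=lanip1 no-query originserver
cache_peer_domain lanip1 server1.com
cache_peer 192.168.0.14 parent 80 0 name=lanip2 no-query originserver
cache_peer_domain lanip2 server2.com
"""

if __name__ == "__main__":
    for label, conf in (("broken", BROKEN_CONF), ("good", GOOD_CONF)):
        print(f"== {label} ==")
        for p in lint(conf) or ["no problems found"]:
            print(" -", p)
```

Run it against a real squid.conf by passing the file contents to lint(); a clean result only means the listener and peer wiring is consistent, not that each certificate's subject matches the domains routed to that address, which still has to be checked against the certificates themselves.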