Encrypt client connection with squid forward proxy using SSL

httpsPROXYsquid

I'm setting up a Squid forward proxy and I'm wondering if I could configure Squid in such a way that the connection from my web browser to squid is https regardless of whether the connection from squid to the destination website is http or https. In other words, I want my connection from my web browser to my forward proxy to be encrypted even though I'm just surfing normal http website through that proxy.

Can it be done?

Best Answer

Squid 3.0 has https_port configuration directive. See this configuration example on Squid Wiki for details.

Related Solutions

Squid url rewrites https>>http

Moving from http:// to https:// is relatively easy: the squid server accepts the TCP connection, then sends a HTTP response telling the client that the content has moved to the new URL. The client then retries the request on the new URL.

Moving from https:// to http:// is harder: you have to establish the TCP connection, and then establish the HTTPS connection - which is going to require that you can supply a certificate that the client will trust as being the certificate of the site it was trying to connect to. Only after doing all that are you able to send the response telling the client it needs to go try the http:// URL.

Generally speaking, your Squid server will never see the URL that the client is requesting - it will just see a request to CONNECT to a specific IP:Port. SSL requires that the connection between the web server and the client is encrypted the whole way - so all Squid can do is proxy the TCP connection. The details of exactly which hostname and path the client wants will not be communicated until after the HTTPS connection is set up - and then they're communicated over the encrypted connection, so the proxy server can't see them.

Centos – Multiple SSL certificates with Squid reverse proxy

Squid doesn't support SNI what is written here. So to have in Squid:

https://server1.com (cert for server1.com) => http://mylanip1
https://server2.com (cert for server2.com) => http://mylanip2

you have to:

Put the addresses on different IPs, because a certificate is assigned to a uniqe pair [IP, port].
Configure Squid like this:

https_port server1.com:443 cert=/etc/ssl/server1.pem vhost
https_port server2.com:443 cert=/etc/ssl/server2.pem vhost

cache_peer mylanip1 parent 80 0 name=lanip1 no-query originserver
cache_peer_domain lanip1 server1.com

cache_peer mylanip2 parent 80 0 name=lanip2 no-query originserver
cache_peer_domain lanip2 server2.com

It would be better if you had servers on subdomains of a domain for which you have a wildcard certificate (e.g. s1.myserver.com, s2.myserver.com, certificate for *.myserver.com). Then you could use only one https_port entry

https_port 443 cert=/etc/ssl/wildcard.myserver.com.pem vhost

So it's possible in squid.

But such simple case is much easier to do with httpd and Name-based Virtual Hosts. You will save one public IP. In Centos 6 openssl and httpd versions support SNI. It's visible from openssl version. (See here and here)

Best Answer

Related Solutions

Squid url rewrites https>>http

Centos – Multiple SSL certificates with Squid reverse proxy

Related Topic