Forward Proxy convert http to https

Apache2PROXYsquid

We have access to a remote web API that requires a client cert to access (it's a PKI). I want to allow access to this API for specific servers / IPs in our network without them having to import the client cert into the keystore and also enable them to use http and not https. We cannot use a reverse proxy approach for a couple of reasons I would rather not get into.

Is there any way to talk http from client to proxy and from there use https (with the client-cert) to the server? I have seen ways to achieve this in squid using SslBump but only when https is being used from the client. I have seen a few questions like this for Apache but they all use ProxyPass which according to here Apache Module mod_proxy | apache.org is only for reverse-proxying.

To illustrate:

Client is configured to use proxy mylocalproxy:8999 and calls http://pki.globalpki123.com/rest/
Proxy mylocalproxy connects to https://pki.globalpki123.com/rest/ and presents client cert.

I am open to using squid, apache or any web server that provides real forward proxy capabilities.

Best Answer

A Squid server configured as a forward proxy is able to receive plain HTTP requests from clients and forward HTTPS requests to upstream servers transparently. However, an external URL rewrite program is needed.

Write the following URL rewriting program into /etc/squid/urlrewrite.pl:

#!/usr/bin/perl
select(STDOUT);
$| = 1;
while (<>) {
    if (/^(|\d+\s+)((\w+):\/+)([^\/:]+)(|:(\d+))(|\/\S*)(|\s.*)$/) {
        my $channel = $1;
        my $protocolClean = $3;
        my $domain = $4;
        my $port = $5;
        my $portClean = $6;
        my $urlPath = $7;
        if ($protocolClean eq 'http' && ($port eq '' || $portClean eq '80')) {
            print STDOUT "${channel}OK rewrite-url=\"https://${domain}${urlPath}\"\n";
        } else {
            print STDOUT "${channel}ERR\n";
        }
    }
}

Then, add these configuration parameters into /etc/squid/squid.conf:

acl pkiRestDomain dstdomain -n pki.globalpki123.com
acl pkiRestUrlPath urlpath_regex ^/rest(|\/.*)$
url_rewrite_program /etc/squid/urlrewrite.pl
url_rewrite_access allow pkiRestDomain pkiRestUrlPath
sslproxy_client_certificate /etc/pki/squid/certs/mylocalproxy.crt
sslproxy_client_key /etc/pki/squid/private/mylocalproxy.key

Adjust sslproxy_client_certificate and sslproxy_client_key according to the actual path of the client certificate that Squid will use.

Related Solutions

Centos – Multiple SSL certificates with Squid reverse proxy

Squid doesn't support SNI what is written here. So to have in Squid:

https://server1.com (cert for server1.com) => http://mylanip1
https://server2.com (cert for server2.com) => http://mylanip2

you have to:

Put the addresses on different IPs, because a certificate is assigned to a uniqe pair [IP, port].
Configure Squid like this:

https_port server1.com:443 cert=/etc/ssl/server1.pem vhost
https_port server2.com:443 cert=/etc/ssl/server2.pem vhost

cache_peer mylanip1 parent 80 0 name=lanip1 no-query originserver
cache_peer_domain lanip1 server1.com

cache_peer mylanip2 parent 80 0 name=lanip2 no-query originserver
cache_peer_domain lanip2 server2.com

It would be better if you had servers on subdomains of a domain for which you have a wildcard certificate (e.g. s1.myserver.com, s2.myserver.com, certificate for *.myserver.com). Then you could use only one https_port entry

https_port 443 cert=/etc/ssl/wildcard.myserver.com.pem vhost

So it's possible in squid.

But such simple case is much easier to do with httpd and Name-based Virtual Hosts. You will save one public IP. In Centos 6 openssl and httpd versions support SNI. It's visible from openssl version. (See here and here)

Configure Squid as an HTTPS forward proxy

@David , as per your thread in Squid ML - I would suggest going with Stunnel solution. Your authentication would be the SSL certs on both ends of the tunnel, the rest goes "clear text" within that tunnel, or you could do Digest as you wish.

I have used similar solution to "authenticate" NFS endpoints with great success.

Sample use of such authentication could be seen in LinuxGazette's Secure Communication with stunnel

Best Answer

Related Solutions

Centos – Multiple SSL certificates with Squid reverse proxy

Configure Squid as an HTTPS forward proxy

Related Topic