Squid 3.4 transparent https proxy

httpsPROXYsquid

I'm trying to get a transparent https proxy setup working. I'm not looking to intercept or anything, I would like the https traffic to just be forwarded to the real host.

In squid I have something like:
https_port 3130 cert=/etc/ssl/certs/host1.crt key=/etc/ssl/private/host1.key

However when I make a web request I'm prompted with the ssl certificate is invalid warning screen.

Am I doing something wrong? I tried adding 'transparent' to https_port and squid 3.4 won't start.

Best Answer

You have to generate a certificate request and then get it signed by a certification authority. You will have to use openssl for that.

You also have to redirect https incoming traffic from port 443 to port 3130. I think iptables is most suitable for that.

I would suggest to read this : http://ajayadas.com/e110body-anchor/

Hope this helps a little.

Related Solutions

Centos – Multiple SSL certificates with Squid reverse proxy

Squid doesn't support SNI what is written here. So to have in Squid:

https://server1.com (cert for server1.com) => http://mylanip1
https://server2.com (cert for server2.com) => http://mylanip2

you have to:

Put the addresses on different IPs, because a certificate is assigned to a uniqe pair [IP, port].
Configure Squid like this:

https_port server1.com:443 cert=/etc/ssl/server1.pem vhost
https_port server2.com:443 cert=/etc/ssl/server2.pem vhost

cache_peer mylanip1 parent 80 0 name=lanip1 no-query originserver
cache_peer_domain lanip1 server1.com

cache_peer mylanip2 parent 80 0 name=lanip2 no-query originserver
cache_peer_domain lanip2 server2.com

It would be better if you had servers on subdomains of a domain for which you have a wildcard certificate (e.g. s1.myserver.com, s2.myserver.com, certificate for *.myserver.com). Then you could use only one https_port entry

https_port 443 cert=/etc/ssl/wildcard.myserver.com.pem vhost

So it's possible in squid.

But such simple case is much easier to do with httpd and Name-based Virtual Hosts. You will save one public IP. In Centos 6 openssl and httpd versions support SNI. It's visible from openssl version. (See here and here)

Configure Squid as an HTTPS forward proxy

@David , as per your thread in Squid ML - I would suggest going with Stunnel solution. Your authentication would be the SSL certs on both ends of the tunnel, the rest goes "clear text" within that tunnel, or you could do Digest as you wish.

I have used similar solution to "authenticate" NFS endpoints with great success.

Sample use of such authentication could be seen in LinuxGazette's Secure Communication with stunnel

Best Answer

Related Solutions

Centos – Multiple SSL certificates with Squid reverse proxy

Configure Squid as an HTTPS forward proxy

Related Topic