Squid reverse proxy with multiple SSL-certificates via SNI


Does Proxy Server offer the possibility to supply multiple SSL certificates to it?

I have a server with various virtual machines running Apache web servers for different customers. As an economic alternative to selling customers a dedicated IP address each, I would like to at least (explain the consequences of and) offer them a solution using the server machine's shared IP.

So let's say we have a server with 4 domains: domain1a.com, domain1b.com, domain2a.com and domain2b.com. domain1a.com and domain1b.com are hosted by the same Apache instance within a virtual machine, and so are the other two domains. Each virtual machine has a NAT-translated local IPv4 address to which the requests ought to be sent.

All HTTP(S) requests shall go through a caching proxy server for speed and sharing the server IP. Thus, the solution should offer SSL termination and SNI.

Back in 2013 the answer to this question pointed out that Squid was incapable of SNI. However, since Squid 3.5 it supports SNI with peek-and-splice.

As far as I found out, the options with Squid I have are

  1. use a self-signed CA and dynamic certificate generation, or
  2. use a certificate with multiple SAN names listing all domains hosted on the (physical) server.

(1) does not work obviously, because we can't install a self-signed CA cert on every website visitor's computer (thankfully!).

(2) does not work for me, because it would be very inflexible and reveal each and every domain hosted on the (physical) server machine.

Did I miss something here? Can I provide Squid with multiple SSL certificates for SNI? If that is not possible: what alternatives would match my situation?

Thanks in advance!

Best Answer

Unfortunately the answer is still no. The current reason is just that the final bits of necessary plumbing do not exist yet. All the components needed exist in Squid-4 and are used for TLS interception. But they still have yet to be joined up in a way suitable for use in reverse-proxy.
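The peek-and-splice mentioned in the question works by reading the SNI host name out of the ClientHello before any certificate is chosen, which is exactly the step a per-customer reverse proxy would need. As an added illustration (not code from the question, the answer, or Squid itself), the Python below parses the SNI extension from a ClientHello and maps the host to a certificate and the NAT'd VM backend; the domain names are the question's, while the certificate paths, backend addresses and the ClientHello builder are constructed placeholders.

```python
import struct
from typing import Optional, Tuple

# Constructed ClientHello builder, used only to produce test input (a real client sends this).
def build_client_hello(server_name: Optional[str]) -> bytes:
    exts = b""
    if server_name is not None:
        host = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(host)) + host      # name_type=host_name
        sni_list = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", 0x0000, len(sni_list)) + sni_list  # extension type 0 = SNI
    body = (b"\x03\x03" + b"\x11" * 32                  # client_version, random
            + b"\x00"                                     # empty session_id
            + struct.pack("!H", 2) + b"\x13\x01"          # one cipher suite
            + b"\x01\x00"                                 # null compression only
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name carried in a ClientHello's SNI extension, or None."""
    try:
        if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
            return None                                   # not a handshake ClientHello record
        p = 9 + 2 + 32                                    # skip record/handshake headers, version, random
        p += 1 + record[p]                                # session_id
        p += 2 + struct.unpack_from("!H", record, p)[0]   # cipher_suites
        p += 1 + record[p]                                # compression_methods
        ext_end = p + 2 + struct.unpack_from("!H", record, p)[0]
        p += 2
        while p + 4 <= ext_end:
            etype, elen = struct.unpack_from("!HH", record, p)
            p += 4
            if etype == 0x0000:
                q = p + 2                                 # skip server_name_list length
                if record[q] == 0:                        # name_type host_name
                    n = struct.unpack_from("!H", record, q + 1)[0]
                    return record[q + 3:q + 3 + n].decode("ascii")
            p += elen
    except (IndexError, struct.error):
        pass                                              # truncated or malformed: treat as no SNI
    return None

# Constructed routing table: SNI host -> (certificate bundle, NAT'd VM backend). Placeholders.
BACKENDS = {
    "domain1a.com": ("/etc/ssl/vm1.pem", "10.0.0.11:80"),
    "domain1b.com": ("/etc/ssl/vm1.pem", "10.0.0.11:80"),
    "domain2a.com": ("/etc/ssl/vm2.pem", "10.0.0.12:80"),
    "domain2b.com": ("/etc/ssl/vm2.pem", "10.0.0.12:80"),
}

def route(record: bytes) -> Optional[Tuple[str, str]]:
    """Choose cert and backend from the ClientHello; None means no SNI or an unknown host."""
    host = extract_sni(record)
    return BACKENDS.get(host) if host else None
```

A client that sends no SNI (or an unlisted name) gets None, which is the case a shared-IP deployment has to decide how to refuse rather than serving a default customer's certificate.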