Ssl – How to get squid peers to talk SSL to each other

squidssl

How would I set up a pair of squid proxies so that one uses the other as a parent and all traffic between them is encrypted using SSL? I've read the cache_peer documentation, but it's all very fuzzy to me which certs I need to create (and how), which server uses which cert, and so on. Is there a straightforward HOW-TO for this somewhere?

Just to be clear, I don't want to know how to setup squid to proxy https requests, or as a reverse proxy for a web server that uses https.

Best Answer

You don't specify the squid version, and the cache peer/parenting has changed a bit recently.

Under squid 2.7 the client side should look a little like:

cache_peer parent.fqdn parent SSL-PORT 0 ssl
always_direct deny all
never_direct allow all

You may want client certs if you want to authenticate both sides, however that requires building a CA and even a simple one is painful.

The server end there's more options.

Related Solutions

Macs behind a proxy, using squid for SSL and HTTP traffic

Or just use Authoxy.

Centos – Multiple SSL certificates with Squid reverse proxy

Squid doesn't support SNI what is written here. So to have in Squid:

https://server1.com (cert for server1.com) => http://mylanip1
https://server2.com (cert for server2.com) => http://mylanip2

you have to:

Put the addresses on different IPs, because a certificate is assigned to a uniqe pair [IP, port].
Configure Squid like this:

https_port server1.com:443 cert=/etc/ssl/server1.pem vhost
https_port server2.com:443 cert=/etc/ssl/server2.pem vhost

cache_peer mylanip1 parent 80 0 name=lanip1 no-query originserver
cache_peer_domain lanip1 server1.com

cache_peer mylanip2 parent 80 0 name=lanip2 no-query originserver
cache_peer_domain lanip2 server2.com

It would be better if you had servers on subdomains of a domain for which you have a wildcard certificate (e.g. s1.myserver.com, s2.myserver.com, certificate for *.myserver.com). Then you could use only one https_port entry

https_port 443 cert=/etc/ssl/wildcard.myserver.com.pem vhost

So it's possible in squid.

But such simple case is much easier to do with httpd and Name-based Virtual Hosts. You will save one public IP. In Centos 6 openssl and httpd versions support SNI. It's visible from openssl version. (See here and here)

Best Answer

Related Solutions

Macs behind a proxy, using squid for SSL and HTTP traffic

Centos – Multiple SSL certificates with Squid reverse proxy

Related Topic