Ssl – Squid and SSL Reverse Proxy

reverse-proxysquidssl

I'd like to locate a server overseas and run squid as a reverse proxy for our site. Say the site is:

eu.website.com

This would point to

www.website.com

through squid. My issue is SSL. I know I'll have to buy a certificate for eu.website.com, but can I pass through the SSL to www.site.com? The setup would look like this

eu.website.com <–> Squid server <–> www.website.com

This whole chain of communication needs to be secure.

Best Answer

If your certificate on www.website.com is publicly signed (opposed to self signed) you should not have any problems. If the certificate on www.website.com if self signed you will need to either specify the CA cert in squid for www.website.com or tell squid to ignore certificate errors (I recommend the first option though).

Plus a cert for eu.website.com to resecure all comms it replies to.

So you will need either a wildcard certificate for *.website.com or certs for both domains. Publicly or self signed.

The only point of unsecured communications then is the actual squid server that just decrypts requests and passes them secuarly on to www.website.com

Related Solutions

Ssl – Squid reverse proxy with optional SSL

UPDATE (actually tried this from my squid...):

acl is_ssl port 443
https_port 443 cert=<yourcert> key=<yourkey> accel name=site_ssl defaultsite=<y\
our_external_site>
cache_peer <your_internal_ssl> parent 443 0 no-query originserver ssl sslflags=\
DONT_VERIFY_PEER name=site_ssl
cache_peer_access site_ssl allow is_ssl
cache_peer_access site_ssl deny !is_ssl

acl nonssl port 80
http_port 80 accel defaultsite=<your_external_site>  name=site_nonssl
cache_peer <your_internal_nonssl> parent 80 0 no-query name=site_nonssl origins\
erver
cache_peer_access site_nonssl allow nonssl
cache_peer_access site_nonssl deny !is_nonssl

ORIGINAL ANSWER BELOW HERE:

you want something like

cache_peer 10.0.0.11 parent 443 0 no-query originserver ssl sslflags=DONT_VERIFY_PEER name=site_ssl
acl sites_server_3 dstdomain site_ssl
cache_peer_access site_ssl allow ssl_servers
http_access allow ssl_servers

Ssl – Reverse proxy with SSL and IP passthrough

Since you need to do URL rewrite, you can use ARR (Application Request Routing) with IIS 7 (or higher).There is an option to disable "SSL offloading" if you do not wish to terminate SSL on proxy end.

http://www.iis.net/learn/extensions/configuring-application-request-routing-(arr)/http-load-balancing-using-application-request-routing

To ensure that Client IPs are carried over, you can install ARRHelper as per http://blogs.iis.net/anilr/archive/2009/03/03/client-ip-not-logged-on-content-server-when-using-arr.aspx. I assume your web site is running IIS.

Alternatively, for something quick and dirty on Windows, use netsh portproxy to proxy all TCP 443 (SSL) traffic over.

netsh interface portproxy add v4tov4 listenport=443 listenaddress=100.0.0.1 connectport=443 connectaddress=10.0.0.2

See http://technet.microsoft.com/en-us/library/cc731068(v=ws.10).aspx#BKMK_1

Make sure IIS is not installed, and take note that client IP is not carried over.

Best Answer

Related Solutions

Ssl – Squid reverse proxy with optional SSL

Ssl – Reverse proxy with SSL and IP passthrough

Related Topic