RE: [squid-users] SSL reverse-proxy questions (was "redirect")
On Mon, 23 May 2005, Discussion Lists wrote:

> Okay, I'll just start over.  First of all, I should never have used the
> term "redirect".  That is more of a firewall term, and it should have
> been left out.  All I want to do is reverse-proxy SSL connections,
> hopefully several of them.  Each time you set up one of these
> connections, you have to add in a line similar to below into squid.conf:
>
> "https_port 443 cert=/path/to/cert.cert key=/path/to/key.key accel
> your.site.name protocol http"

For Squid-3 you would use something like the above, yes. The correct syntax is

https_port 443 cert=/path/to/cert.cert key=/path/to/key.key accel defaultsite=your.site.name protocol=http

In addition you need to specify the server(s) to connect to (cache_peer takes the peer type, here "parent", before the port):

cache_peer address.of.server parent 80 0 no-query originserver
or for an https server
cache_peer address.of.server parent 443 0 no-query originserver ssl

and when you have multiple sites use cache_peer_access (or cache_peer_domain) to indicate what requests should be sent to each server.


In Squid-2.5 the situation is somewhat different, and the support for accelerating more than one site is not as easy to configure. There are no options to https_port other than the certificate info, and you instead use the httpd_accel_* directives to control the reverse proxy function. Depending on your servers you may be able to use the cache_peer based forwarding outlined above in combination with never_direct, but not to all servers and not very efficiently (no support for persistent connections in such an accelerator configuration of 2.5). The more efficient method for Squid-2.5 is to specify the server addresses in /etc/hosts or a private DNS.


In both cases you need to set up access controls indicating which domains are allowed to be requested via the accelerator / reverse proxy. This is similar to the client based access controls in a normal proxy but using the dstdomain acl instead of src (the protocol acl type is spelled "proto"):

acl mydomains dstdomain accelerated.domain1 accelerated.domain2 ...
acl http proto http https
acl httpport port 80 443
http_access allow mydomains http httpport
http_access deny all

> This will reverse-proxy any request for "your.site.name" from what I
> understand.  But that is just one site.  Suppose I have another site
> that I want available for SSL?  Could I just add another line similar to
> the above, but for the second, third or more sites?

You add as many as you have sites. Each certificate needs to specify a unique [ip:]port. Or in other words, as you normally run https sites on port 443, each site needs its own IP. The exception is if you have a wildcard certificate covering all/several of the sites. These can then share the same https_port as they share the same certificate.


> Okay here's the second question.  The above line is an example of how to
> reverse-proxy from SSL to http, or port 443, to port 80 right?  Now,
> suppose I want to reverse-proxy several SSL connections, similar to
> above, but instead of changing from SSL to http, (443 -> 80 as above) I
> am reverse-proxying straight SSL (443 -> 443).

If you want straight SSL where the SSL is between the browser and the server then you need to publish the server port directly to the client, either by direct connection, NAT or TCP plug.


Squid(3) can act as an https proxy, decrypting the requests and then re-encrypting them again. You do this by not specifying protocol=http on the https_port line (or by specifying protocol=https) and using the ssl option to cache_peer.

Squid-2.5 as shipped does not have https proxy capabilities, but support can be added by the SSL update patch available from devel.squid-cache.org. The support in reverse-proxy mode is however somewhat limited and you in practice must use the cache_peer forwarding method described above.

> Is this possible for multiple sites?

Yes.

> If it is, is there some way that I could make it so I would not need a certificate on the firewall for each connection and just have the backend server handle certificate requests?

Yes, but not by using Squid. See above.

> Lastly, I found information on the internet about how to create your own
> certificates, but nothing about how to import them from somewhere else.
> Anyone know of any tutorials that deal with this?

You need to find methods to export them from your servers into PEM format.

If the servers are already using PEM format certificate files (for example Apache mod_ssl) then all you need is to copy the certificate+key over to your Squid.

If the servers use some other format for their exported certificates you need to find a way to convert them to PEM format. Some servers export certificates in DER format, and you then convert them using the openssl tool. Some, such as IIS, have their own formats. If you look for guides on how to move the certificate from the type of server you have to Apache mod_ssl then you should find the required steps. The certificate requirements for mod_ssl and Squid are the same (as they are for most other servers using openssl).

Regards
Henrik
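Putting the Squid-3 pieces from the reply above together for two SSL sites (one terminated to plain HTTP, one re-encrypted to its origin), as an added example that is not part of the original thread; every IP address, hostname, file path and peer name is a placeholder.

```squid
# Added example, not from the original thread: one Squid-3 reverse-proxying
# two SSL sites. Every address, hostname, path and peer name is a placeholder.

# One https_port per certificate, so each site gets its own IP on port 443.
# site1 is terminated here and fetched from its origin in plain HTTP (443 -> 80).
https_port 192.0.2.10:443 cert=/etc/squid/site1.pem key=/etc/squid/site1.key accel defaultsite=www.site1.example protocol=http
# site2 is decrypted and re-encrypted towards its origin (443 -> 443): no
# protocol=http here, and the "ssl" option on its cache_peer below.
https_port 192.0.2.11:443 cert=/etc/squid/site2.pem key=/etc/squid/site2.key accel defaultsite=www.site2.example

# Origin servers (cache_peer needs the "parent" type before the port).
cache_peer 10.0.0.1 parent 80 0 no-query originserver name=site1_origin
# sslcafile= makes Squid check the origin's certificate against this CA
# instead of trusting whatever answers on 10.0.0.2:443.
cache_peer 10.0.0.2 parent 443 0 no-query originserver ssl sslcafile=/etc/squid/origin-ca.pem name=site2_origin

# Route each site's requests to its own origin and nowhere else.
acl site1 dstdomain www.site1.example
acl site2 dstdomain www.site2.example
cache_peer_access site1_origin allow site1
cache_peer_access site1_origin deny all
cache_peer_access site2_origin allow site2
cache_peer_access site2_origin deny all
# Never fetch directly from the Internet: an accelerator that may go direct
# turns into an open proxy for any host a client names in its request.
never_direct allow all

# Only the accelerated domains may be requested through this proxy.
acl mydomains dstdomain www.site1.example www.site2.example
acl accelproto proto http https
acl accelport port 80 443
http_access allow mydomains accelproto accelport
http_access deny all
```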
