Hello, I have succeeded in setting up a reverse proxy server over SSL. The following is my experience:

1. compile squid with --enable-ssl and optional --with-openssl= if your ssl-devel is not in /usr/include/openssl, e.g. --with-openssl=/usr/local/include

   ./configure --enable-ssl --with-openssl=/usr/local/ssl/include

2. cd /usr/local/squid/etc
   mkdir demoCA
   cd demoCA
   touch index.txt
   echo "01" > serial
   mkdir private
   mkdir newcerts

   generate CA certificate (self-signed)

   /usr/local/ssl/bin/openssl req -new -x509 -keyout /usr/local/squid/etc/demoCA/private/cakey.pem -out /usr/local/squid/etc/demoCA/cacert.pem -days 365 -subj /C=US/ST=xxxx/L=xxxxx/OU=xxxx/O=xxxx/CN=yourdomain/emailAddress=youremail@xxxxxxxxxxx

3. generate certificate

   /usr/local/ssl/bin/openssl req -new -keyout key.pem -out req.pem -days 365

   where req.pem - certificate request

4. Remove the password from the key.

   cd /usr/local/squid/etc
   cp key.pem key.pem.old
   /usr/local/ssl/bin/openssl rsa -in key.pem.old -out key.pem

5. sign this certificate with your CA cert

   /usr/local/ssl/bin/openssl ca -in /usr/local/squid/etc/req.pem -out /usr/local/squid/etc/cert.pem

6. remove unneeded lines from cert.pem (usually you only need the lines between
   -----BEGIN CERTIFICATE-----
   .........................
   ......................
   -----END CERTIFICATE-----)

7. add this in squid.conf

   https_port [ip_address:]port cert=/where/cert.pem key=/where/key.pem

Here are the keys for the config of squid:

acl huanghuagang.org dstdomain huanghuagang.org
acl our_networks src 192.168.0.0/24
http_access allow huanghuagang.org
http_access allow our_networks
https_port 8888 accel vhost cert=/usr/local/squid/etc/cert.pem key=/usr/local/squid/etc/key.pem cafile=/usr/local/squid/etc/demoCA/cacert.pem defaultsite=xxx.fr
cache_peer huanghuagang.org parent 80 0 no-query originserver name=huanghuagang
cache_peer_access huanghuagang allow huanghuagang.org

If I need another site, I would assign 8889 to this site and repeat everything above.
I do not know if there is a better way. But this way is easy to understand.

On 7/3/06, frankpeng@xxxxxxxxxxxx <frankpeng@xxxxxxxxxxxx> wrote:
Yes. I have finished setting up a reverse proxy server without SSL. It is fast! I love it! Now it is an issue to add SSL on it. I think it will not be hard. I will post the whole procedure and the actual working squid.conf file once I succeed. Thank you!

-----Original Message-----
From: Henrik Nordstrom <henrik@xxxxxxxxxxxxxxxxxxx>
To: fulan Peng <fulanpeng@xxxxxxxxx>
Cc: squid-users@xxxxxxxxxxxxxxx; Visolve Squid <squid@xxxxxxxxxxx>
Sent: Mon, 03 Jul 2006 07:34:54 +0200
Subject: Re: How to set up a reverse proxy server over SSL?

Mon 2006-07-03 at 09:17 +0530, Visolve Squid wrote:

> Hello Peng,
>
> The following steps are used to configure the squid-3.0 with SSL
>
> Compile squid with the ssl support option
>
> ./configure --prefix=/usr/local/squid --enable-ssl
>
> Edit the squid configuration for squid with SSL support (Reverse proxy)
>
> https_port 443 protocol=http
> cert=/path/to/server/certificate/server_cert.pem
> key=/path/to/server/key/server_priv_key.pem vport=<port in which the
> back end server listen>

almost... you should primarily use defaultsite=your.main.site to enable reverse proxy mode and maybe vhost if you need to support domain based virtual hosting. vport is normally not needed. The port number is specified in cache_peer.

As hinted above you also need a cache_peer line defining the origin server address and port.

> acl SSL method CONNECT
> never_direct allow SSL

The CONNECT method is not applicable to reverse proxies and should probably be denied entirely...

Regards
Henrik
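Added check for the cert.pem / key.pem pair that the https_port line in the first message points at; this is not code from the thread, it uses only the Python standard library, and the helper names and sample inputs are made up. It does step 6 mechanically (keeps only the CERTIFICATE block out of what openssl ca writes, which also carries a readable dump of the certificate) and catches a skipped step 4 (a key.pem that still carries a passphrase, which squid cannot supply at startup).

```python
import base64
import re

# One PEM block: captures the label and the base64 body between the markers.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL)


def clean_cert_pem(text: str) -> str:
    """Step 6: keep only the CERTIFICATE block(s) from 'openssl ca' output and
    drop the readable dump printed before it. Raises ValueError when no usable
    block exists, so a broken file is caught before squid tries to load it."""
    blocks = []
    for match in PEM_BLOCK.finditer(text):
        label, body = match.group(1), match.group(2)
        if label != "CERTIFICATE":
            continue
        # validate=True rejects any stray non-base64 line left inside the markers.
        base64.b64decode("".join(body.split()), validate=True)
        blocks.append(f"-----BEGIN {label}-----\n{body.strip()}\n-----END {label}-----\n")
    if not blocks:
        raise ValueError("no CERTIFICATE block found")
    return "".join(blocks)


def key_needs_passphrase(text: str) -> bool:
    """Step 4: squid cannot prompt for a passphrase, so key.pem must be plaintext.
    Detects both encrypted PEM forms: the traditional 'Proc-Type: 4,ENCRYPTED'
    header and the PKCS#8 'ENCRYPTED PRIVATE KEY' label."""
    return ("-----BEGIN ENCRYPTED PRIVATE KEY-----" in text
            or re.search(r"^Proc-Type: 4,ENCRYPTED", text, re.MULTILINE) is not None)


# Constructed samples: the base64 bodies are filler, not real DER objects.
FILLER_B64 = base64.b64encode(b"constructed filler, not a real certificate or key").decode()
SAMPLE_CA_OUTPUT = ("Certificate:\n    Data:\n        Version: 3 (0x2)\n"
                    "        Issuer: C=US, O=xxxx, CN=yourdomain\n"
                    f"-----BEGIN CERTIFICATE-----\n{FILLER_B64}\n-----END CERTIFICATE-----\n")
SAMPLE_ENCRYPTED_KEY = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                        "DEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n\n"
                        f"{FILLER_B64}\n-----END RSA PRIVATE KEY-----\n")
SAMPLE_PLAIN_KEY = f"-----BEGIN RSA PRIVATE KEY-----\n{FILLER_B64}\n-----END RSA PRIVATE KEY-----\n"

if __name__ == "__main__":
    print(clean_cert_pem(SAMPLE_CA_OUTPUT), end="")
    print("key needs passphrase:", key_needs_passphrase(SAMPLE_ENCRYPTED_KEY))  # True
    print("key needs passphrase:", key_needs_passphrase(SAMPLE_PLAIN_KEY))  # False
```

Run it against the real cert.pem and key.pem before pointing https_port at them; a ValueError from clean_cert_pem or a True from key_needs_passphrase means the file is not ready for squid.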