Hello,

Currently we have the following situation in our production environment:

    Clients --HTTP--> Apache --HTTPS two-way SSL via external proxy--> HTTPS servers

Just to be clear, the following services are used during this flow:

    http client (firefox, chrome, curl, wget, etc.) --> Apache (which sets up the two-way SSL) --> Squid (which simply proxies the HTTPS CONNECT) --> HTTPS services of other parties on the internet, supporting two-way SSL

We've implemented this using the following configuration on the Apache service:

    LoadModule ssl_module modules/mod_ssl.so
    Listen *:3128
    <VirtualHost *:3128>
        SSLProxyEngine On
        SSLProxyVerify require
        SSLProxyVerifyDepth 10
        SSLProxyMachineCertificateFile /etc/httpd/certs/client.pem
        SSLProxyCACertificateFile /etc/httpd/certs/ca.crt
        RewriteEngine On
        RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [NC,P]
        ProxyPreserveHost On
        ProxyPass / https://$1/
        ProxyPassReverse / https://$1/
        ProxyRemote https http://192.168.68.102:3128
    </VirtualHost>

We're trying to replace the Apache service with Squid. I've installed Squid 3.1.10 on CentOS 6.6 and have implemented two-way SSL in a development environment:

    http client --> Squid 3.1.10 --> https two-way ssl directly --> https.example.com

    http_port 3128 defaultsite=https.example.com vhost
    cache_peer https.example.com parent 443 0 no-query originserver ssl sslcert=/etc/squid/certs/client.crt sslkey=/etc/squid/certs/client.key name=httpToHttps2way sslcafile=/etc/squid/certs/ca.crt
    cache_peer_access httpToHttps2way allow all
    cache deny all

There are two things I haven't managed to do in the development environment, because I don't know how:

1. Making Squid 3.1.10 use a proxy system, because it is our policy to communicate with the outside world that way. In Apache we use the following directive: "ProxyRemote https http://192.168.68.102:3128"

2. Making the configuration as variable as possible, so that Squid 3.1.10 handles all the different http client requests to different https servers and sends them on as https two-way SSL. Currently it only handles requests for https.example.com.

Any help is welcome.
Abdelouahed
_______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users
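As an added illustration of the second point in the post (it is not part of the original message, and not a Squid project example), the following squid.conf fragment shows the accelerator pattern the post's single cache_peer line is one instance of: one originserver peer per upstream, each carrying its own client certificate and CA file, selected by the Host header of the incoming plain-HTTP request via dstdomain ACLs. The hostnames alpha.example.net and beta.example.org, the certificate paths, the peer names and the 192.168.0.0/16 client range are assumptions chosen for the example.

```conf
# Added example, not from the original post. Hostnames, cert paths, peer
# names and the client network below are assumptions.

# Accept plain HTTP on 3128 and route by the request's Host header.
http_port 3128 accel vhost

# One ACL per upstream origin the internal clients may reach through Squid.
acl to_alpha dstdomain alpha.example.net
acl to_beta  dstdomain beta.example.org
acl lan      src 192.168.0.0/16

# One originserver peer per upstream. Each peer presents its own client
# certificate and verifies the origin against its own CA file, so a cert
# issued for one partner is never offered to another.
cache_peer alpha.example.net parent 443 0 no-query originserver ssl name=alpha2way sslcert=/etc/squid/certs/alpha-client.crt sslkey=/etc/squid/certs/alpha-client.key sslcafile=/etc/squid/certs/alpha-ca.crt
cache_peer beta.example.org parent 443 0 no-query originserver ssl name=beta2way sslcert=/etc/squid/certs/beta-client.crt sslkey=/etc/squid/certs/beta-client.key sslcafile=/etc/squid/certs/beta-ca.crt

# Bind each Host strictly to its own peer; the explicit deny prevents a
# request for one origin from being sent to the other peer.
cache_peer_access alpha2way allow to_alpha
cache_peer_access alpha2way deny all
cache_peer_access beta2way allow to_beta
cache_peer_access beta2way deny all

# Never fetch directly: a Host with no matching peer gets no route at all.
never_direct allow all

# Only internal clients, and only for the known origins.
http_access allow lan to_alpha
http_access allow lan to_beta
http_access deny all

cache deny all
```

Adding a further upstream is then three lines (an acl, a cache_peer, and its cache_peer_access pair) plus an http_access rule. Note that an originserver peer with the ssl option makes Squid open the TLS connection to the origin itself; this fragment therefore does not address the first point in the post (sending that TLS session through the external proxy at 192.168.68.102:3128).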