
Re: Trusted CA Certificate with ssl_bump

Thanks for your answers. I am not doing anything illegal; I am trying to build a performant platform.

I have a big server running about 10 different websites.

I have virtual machines on this server, each specialized for one or some websites, and squid helps me send the traffic to the destination website on the internal VM according to the URL.

Some VMs are paired, so squid will load-balance the traffic on a group of VMs according to the URL/acls.

All this works in HTTP, thanks to Amos's advice a few weeks ago.

Now, I need to set up SSL traffic, and because the domains are different I need to use different IPs:443 to be able to use different certificates.

I tried many times in the past to make squid work in SSL and never succeeded because of so many options, and this question: should the traffic between squid and the backend be SSL? If yes, it's OK for me. Nothing illegal.

The second question: how to set up the SSL link on squid, getting the SSL request and sending it to the backend. Actually the backend can handle SSL traffic; it's OK for me if I find the way to make squid handle the traffic according to the acls. Squid must decrypt the request, compute the acls, then re-encrypt to send to the backend.

The reason I asked not to re-encrypt is because of performance. All this is on the same server, from the host to the VMs, and decrypting, then re-encrypting, then decrypting will be resource consuming. But I can do it like that.

Now, do you have any clear howto that will help? I found many on Google and none gave me a working solution.

The other question is about Trusted Certificates. We have on the websites trusted certificates. Should we use the same on the squid?

Thanks for your appreciated help

Patrick



On 16/11/2016 at 14:27, Amos Jeffries wrote:
On 16/11/2016 9:11 p.m., Patrick Chemla wrote:
Hi,

I have the same problem, and I need to use trusted CA certificates, so what
is the solution?
Not to do illegal bad things that violate your contract with the CA.

Any CA which lets you intercept traffic by generating sub-certificates
with their root *will* be blacklisted and effectively "thrown off the
Internet". It has happened already for several CAs who thought that was
an idle threat.

I have a squid 3.5.20 used for multiple domains, multiple backends,
using both HTTP and HTTPS.
As Alex said, what you describe here sounds a lot more like
reverse-proxy than interception.

Sergey who started this thread was intercepting HTTPS traffic sent by
clients to an explicit proxy. All answers so far have been about that
topic, which is probably *not* what you are facing.

The configurations and limitations are very different. So first thing to
do is be clear about what actually you are trying to do.


So questions:

1/ Should I set up the squid certificate with ONLY self-signed, or is there
a way to use Trusted certificates? So if only self-signed, will the user
always be forced to accept the self-signed certificate the first
time? Not really good for commercial sites.

Are you the owner of the website(s) or an authorized CDN/Hosting
provider for them?


2/ Should the backend cache_peer set as ssl on port 443, or could it be
simple http 80 (backends are internal VMs onto the same server, no
external network between squid and backends)?

That depends on your answer to the above.

3/ Will the acl rules work OK to assign each request to the right
backend according to domain, even in HTTPS?

Yes. But the detail may not be what you expect. It depends on the above
answers.

4/ Do you know some clear and easy howtos or examples for such settings,
from where I could learn how to do it?

<http://wiki.squid-cache.org/ConfigExamples/> contains all of the
configurations you might need. But which one(s) are correct for you
depends on what you are actually needing to do.

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
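One way to build the reverse-proxy setup Patrick describes (the sites' own trusted certificates on https_port, routing by domain to internal VMs, backend re-encryption, no ssl_bump at all), as an added example that is not from this thread or from the Squid project. It uses Squid 3.5 directive syntax; all IPs, hostnames, certificate paths and peer names are assumed placeholders.

```conf
# Added example (not from the thread or the Squid project): a Squid 3.5
# reverse-proxy (accelerator) configuration for the setup Patrick describes,
# using the sites' own trusted certificates instead of ssl_bump.
# All IPs, hostnames, paths and peer names below are constructed placeholders.

# One https_port per public IP, each presenting that site's own certificate
# chain, so no CA is asked to sign anything and no browser warning appears.
https_port 192.0.2.10:443 accel defaultsite=www.example-a.test vhost \
    cert=/etc/squid/certs/example-a.fullchain.pem \
    key=/etc/squid/certs/example-a.key
https_port 192.0.2.11:443 accel defaultsite=www.example-b.test vhost \
    cert=/etc/squid/certs/example-b.fullchain.pem \
    key=/etc/squid/certs/example-b.key

# Backends are internal VMs. Re-encrypting to them costs CPU (Patrick's
# concern) but keeps host-to-VM traffic out of cleartext. sslcafile= makes
# Squid verify the backend certificate; sslflags=DONT_VERIFY_PEER would skip it.
cache_peer 10.0.0.21 parent 443 0 no-query originserver ssl \
    sslcafile=/etc/squid/certs/internal-ca.pem ssldomain=www.example-a.test \
    name=vm_a
# Paired VMs for site B: round-robin shares requests between them.
cache_peer 10.0.0.31 parent 443 0 no-query originserver ssl round-robin \
    sslcafile=/etc/squid/certs/internal-ca.pem ssldomain=www.example-b.test \
    name=vm_b1
cache_peer 10.0.0.32 parent 443 0 no-query originserver ssl round-robin \
    sslcafile=/etc/squid/certs/internal-ca.pem ssldomain=www.example-b.test \
    name=vm_b2

# Route by requested host name. The Host header is visible because Squid
# terminates TLS itself at https_port, so the same acls work as for http_port.
acl site_a dstdomain www.example-a.test
acl site_b dstdomain www.example-b.test

cache_peer_access vm_a  allow site_a
cache_peer_access vm_a  deny  all
cache_peer_access vm_b1 allow site_b
cache_peer_access vm_b1 deny  all
cache_peer_access vm_b2 allow site_b
cache_peer_access vm_b2 deny  all

# Only accept requests for the sites hosted here; anything else (including
# attempts to use this listener as an open forward proxy) is refused.
http_access allow site_a
http_access allow site_b
http_access deny all
never_direct allow all
```

Check the result with `squid -k parse` before reloading; a backend presenting a certificate whose name does not match ssldomain= is refused rather than silently accepted.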




