Hi all,
Thanks for the great work you do/provide with squid.
I am using squid for years, I like it very much, and I am now
installing a SSL load-balancing unit for about 80
domains/sub-domains.
My OS release is Fedora release 29 (Twenty Nine)
My squid version and parameters are :
# squid -v
Squid Cache: Version 4.4
Service Name: squid
This binary uses OpenSSL 1.1.1-pre9 (beta) FIPS 21 Aug 2018. For
legal restrictions on distribution see
https://www.openssl.org/source/license.html
configure options: '--build=x86_64-redhat-linux-gnu'
'--host=x86_64-redhat-linux-gnu' '--program-prefix='
'--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin'
'--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share'
'--includedir=/usr/include' '--libdir=/usr/lib64'
'--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib'
'--mandir=/usr/share/man' '--infodir=/usr/share/info'
'--exec_prefix=/usr' '--libexecdir=/usr/lib64/squid'
'--localstatedir=/var' '--datadir=/usr/share/squid'
'--sysconfdir=/etc/squid' '--with-logdir=/var/log/squid'
'--with-pidfile=/var/run/squid.pid'
'--disable-dependency-tracking' '--enable-eui'
'--enable-follow-x-forwarded-for' '--enable-auth'
'--enable-auth-basic=DB,fake,getpwnam,LDAP,NCSA,PAM,POP3,RADIUS,SASL,SMB,SMB_LM'
'--enable-auth-ntlm=SMB_LM,fake' '--enable-auth-digest=file,LDAP'
'--enable-auth-negotiate=kerberos'
'--enable-external-acl-helpers=LDAP_group,time_quota,session,unix_group,wbinfo_group,kerberos_ldap_group'
'--enable-storeid-rewrite-helpers=file' '--enable-cache-digests'
'--enable-cachemgr-hostname=localhost' '--enable-delay-pools'
'--enable-epoll' '--enable-icap-client' '--enable-ident-lookups'
'--enable-linux-netfilter' '--enable-removal-policies=heap,lru'
'--enable-snmp' '--enable-ssl' '--enable-ssl-crtd'
'--enable-storeio=aufs,diskd,ufs,rock' '--enable-diskio'
'--enable-wccpv2' '--enable-esi' '--enable-ecap' '--with-aio'
'--with-default-user=squid' '--with-dl' '--with-openssl'
'--with-pthreads' '--disable-arch-native' '--with-pic'
'--disable-security-cert-validators'
'build_alias=x86_64-redhat-linux-gnu'
'host_alias=x86_64-redhat-linux-gnu' 'CFLAGS=-O2 -g -pipe -Wall
-Werror=format-security -Wp,-D_FORTIFY_SOURCE=2
-Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong
-grecord-gcc-switches
-specs=/usr/lib/rpm/redhat/redhat-hardened-cc1
-specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic
-fasynchronous-unwind-tables -fstack-clash-protection
-fcf-protection -fPIC' 'LDFLAGS=-Wl,-z,relro -Wl,-z,now
-specs=/usr/lib/rpm/redhat/redhat-hardened-ld -pie -Wl,-z,relro
-Wl,-z,now -Wl,--warn-shared-textrel' 'CXXFLAGS=-O2 -g -pipe -Wall
-Werror=format-security -Wp,-D_FORTIFY_SOURCE=2
-Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong
-grecord-gcc-switches
-specs=/usr/lib/rpm/redhat/redhat-hardened-cc1
-specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic
-fasynchronous-unwind-tables -fstack-clash-protection
-fcf-protection -fPIC'
'PKG_CONFIG_PATH=:/usr/lib64/pkgconfig:/usr/share/pkgconfig'
The problem I have is that all these domains are actually on one
IP only, on a single server, running nginx with multiple SSL
certificates on one single IP, and I would like to do the same
with squid.
I did few years ago with HaProxy, but I would prefer to keep
squid.
3 choices:
- Having more than one IP on the server, create SSL certificates
from LetsEncrypt including each a list of some domains and
sub-domains
- Create a very bing certificate to have squid using it (not the
best choice because domains are of different content, far one to
the other)
- Having squid managing all certificates on a single IP. (The
best because some domains have very high encryption needs, and
LetsEncrypt is not their preference)
Like a bottle in the sea: Is that possible, multiple
certificates, with squid 4.4 on a single IP?
Thanks for your help.
Patrick
