Search squid archive

Re: Multiple SSL certificates on same IP

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Could you

 

A – forward to different ports

B – Use Network address translation?

 

Thoughts…

 

From: squid-users <squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx> On Behalf Of Patrick Chemla
Sent: 19 December 2018 18:29
To: squid-users@xxxxxxxxxxxxxxxxxxxxx
Subject: [squid-users] Multiple SSL certificates on same IP

 

Hi all,

 

Thanks for the great work you do/provide with squid.

 

I am using squid for years, I like it very much, and I am now installing a SSL load-balancing unit for about 80 domains/sub-domains.

 

My OS release is Fedora release 29 (Twenty Nine)

 

My squid version and parameters are :

 

# squid -v

Squid Cache: Version 4.4
Service Name: squid

This binary uses OpenSSL 1.1.1-pre9 (beta) FIPS 21 Aug 2018. For legal restrictions on distribution see https://www.openssl.org/source/license.html

configure options:  '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--exec_prefix=/usr' '--libexecdir=/usr/lib64/squid' '--localstatedir=/var' '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid' '--with-logdir=/var/log/squid' '--with-pidfile=/var/run/squid.pid' '--disable-dependency-tracking' '--enable-eui' '--enable-follow-x-forwarded-for' '--enable-auth' '--enable-auth-basic=DB,fake,getpwnam,LDAP,NCSA,PAM,POP3,RADIUS,SASL,SMB,SMB_LM' '--enable-auth-ntlm=SMB_LM,fake' '--enable-auth-digest=file,LDAP' '--enable-auth-negotiate=kerberos' '--enable-external-acl-helpers=LDAP_group,time_quota,session,unix_group,wbinfo_group,kerberos_ldap_group' '--enable-storeid-rewrite-helpers=file' '--enable-cache-digests' '--enable-cachemgr-hostname=localhost' '--enable-delay-pools' '--enable-epoll' '--enable-icap-client' '--enable-ident-lookups' '--enable-linux-netfilter' '--enable-removal-policies=heap,lru' '--enable-snmp' '--enable-ssl' '--enable-ssl-crtd' '--enable-storeio=aufs,diskd,ufs,rock' '--enable-diskio' '--enable-wccpv2' '--enable-esi' '--enable-ecap' '--with-aio' '--with-default-user=squid' '--with-dl' '--with-openssl' '--with-pthreads' '--disable-arch-native' '--with-pic' '--disable-security-cert-validators' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'CFLAGS=-O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -fPIC' 'LDFLAGS=-Wl,-z,relro   -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -pie -Wl,-z,relro -Wl,-z,now -Wl,--warn-shared-textrel' 'CXXFLAGS=-O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -fPIC' 'PKG_CONFIG_PATH=:/usr/lib64/pkgconfig:/usr/share/pkgconfig'

 

The problem I have is that all these domains are actually on one IP only, on a single server, running nginx with multiple SSL certificates on one single IP, and I would like to do the same with squid.

 

I did few years ago with HaProxy, but I would prefer to keep squid.

 

3 choices:

 

- Having more than one IP on the server, create SSL certificates from LetsEncrypt including each a list of some domains and sub-domains

- Create a very bing certificate to have squid using it (not the best choice because domains are of different content, far one to the other)

- Having squid managing all certificates on a single IP. (The best because some domains have very high encryption needs, and LetsEncrypt is not their preference)

 

Like a bottle in the sea: Is that possible, multiple certificates, with squid 4.4 on a single IP?

 

Thanks for your help.

 

Patrick

 

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users

[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux