Re: SSL Virtual Hosting Problem

On 28/11/23 23:29, Mario Theodoridis wrote:
> Hello everyone,
>
> I'm trying to use squid as a TLS virtual hosting proxy on a system with a public IP in front of several internal systems running TLS web servers.
>
> I would like to proxy the incoming connections to the appropriate backend servers based on the hostname using SNI.
>
> I'm using the following config to just try this with 1 backend to test with, and fail already.
>
> Here the config:
>
> http_port 3128
> debug_options ALL,2
> pinger_enable off
> shutdown_lifetime 1 second
> https_port 0.0.0.0:443 tproxy ssl-bump tls-cert=/root/dummy.pem

That should be:

  https_port 443 accel defaultsite=example.com \
    tls-cert=/etc/squid/example.com.pem

The PEM file needs to be valid for all the domains served.


> acl tlspls ssl::server_name_regex -i test\.regify\.com
> cache_peer test.de.regify.com parent 443 0 proxy-only originserver no-digest no-netdb-exchange name=test

Missing "tls" option to enable TLS when talking to this peer.


> ssl_bump peek all
> ssl_bump splice all
> http_access allow all
> cache_peer_access test allow all

I appreciate this is a test. But be sure to keep the default Squid security rules ("deny !Safe_ports" etc) and only allow the hosted domains instead of "all". These DoS and attack protections are particularly important on a reverse-proxy where the general public has access.

FYI; "test what you will use" is important for proxies. One of the "irrelevant" config details may kill your real-world production setup where testing works fine without any security.



> ...
> I've been reading the squid docs and other internet resources, but am failing to figure out why this is not working.
>
> Any clue sticks would be appreciated.
>
> Also appreciated would be advice on where to find this documented.


The Squid wiki ConfigExamples section has all the typical configuration types and a few of the more uncommon ones as well. The one you are needing is <https://wiki.squid-cache.org/ConfigExamples/Reverse/HttpsVirtualHosting>


Cheers
Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.squid-cache.org/listinfo/squid-users
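For readers following the thread, here is a complete squid.conf in the shape Amos describes: an accel-mode https_port with a certificate covering the hosted names, one ACL per site, TLS-enabled origin peers, and the default safety rules kept instead of "allow all". This is an added example, not configuration from the thread or from the Squid wiki page Amos links. It assumes Squid 4 or later (the cache_peer option is spelled `tls`; Squid 3.x spelled it `ssl`), and the host names www.example.com and www.example.net, backend addresses 10.0.0.11 and 10.0.0.12, and the certificate, key and CA paths under /etc/squid/ are all made up for the example. Because Squid terminates TLS in accel mode, routing is done on the decrypted Host header with `dstdomain` rather than on the TLS SNI.

```conf
# Added example: TLS virtual hosting reverse proxy (accel mode), Squid 4+.
# All domain names, IP addresses and file paths below are assumptions.

# Squid terminates TLS here. The certificate must be valid for every hosted
# name (a SAN certificate, or one https_port line per certificate).
https_port 443 accel defaultsite=www.example.com \
    tls-cert=/etc/squid/example.com.pem \
    tls-key=/etc/squid/example.com.key

# Default Squid safety rules. Keep them on a public-facing reverse proxy
# instead of the bare "http_access allow all" from the original test config.
acl Safe_ports port 80 443
acl SSL_ports port 443
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny manager

# One ACL per hosted site, matched on the Host header of the decrypted request.
acl site_example_com dstdomain www.example.com
acl site_example_net dstdomain www.example.net

# Origin servers reached over TLS ("tls" is the option the original peer line
# was missing). tls-cafile names the CA that signed the backend certificate and
# tls-domain tells Squid which name to verify it against, since the peer is
# addressed by IP.
cache_peer 10.0.0.11 parent 443 0 no-query originserver tls \
    tls-cafile=/etc/squid/internal-ca.pem tls-domain=www.example.com \
    name=backend_example_com
cache_peer 10.0.0.12 parent 443 0 no-query originserver tls \
    tls-cafile=/etc/squid/internal-ca.pem tls-domain=www.example.net \
    name=backend_example_net

# Pin each site to its own backend and refuse everything else.
cache_peer_access backend_example_com allow site_example_com
cache_peer_access backend_example_com deny all
cache_peer_access backend_example_net allow site_example_net
cache_peer_access backend_example_net deny all

# Only the hosted names get in; anything else is rejected.
http_access allow site_example_com
http_access allow site_example_net
http_access deny all

# Never fetch from the Internet directly; every request must go to a peer.
never_direct allow all
```

With this layout a request whose Host header is not one of the hosted names is denied by `http_access deny all`, and a request for a hosted name can only reach the backend explicitly bound to it, which is the difference between a reverse proxy and an open proxy that Amos's reply points at.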