Re: SSL Virtual Hosting Problem

Thank you Amos and Alex,

This is a config I managed to get working for HTTP and HTTPS:


acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 443         # https

# listeners
https_port 0.0.0.0:443 accel defaultsite=regify.com \
    tls-cert=/etc/ssl/certs/regify.com.pem \
    tls-key=/etc/ssl/private/regify.com.key
http_port 0.0.0.0:80 accel

# incoming
http_access deny !Safe_ports
http_access deny manager


# plain
acl vplain dstdomain -n plain.regify.com
http_access allow vplain
cache_peer plain.de.regify.com parent 80 0 \
    proxy-only originserver no-digest no-netdb-exchange name=plain
cache_peer_access plain allow vplain
cache_peer_access plain deny all

# test1
acl stest1 ssl::server_name test1.regify.com
http_access allow stest1
cache_peer test1.de.regify.com parent 443 0 tls ssldomain=test1.regify.com \
    proxy-only originserver no-digest no-netdb-exchange name=test1
cache_peer_access test1 allow stest1
cache_peer_access test1 deny all

# test2
acl stest2 ssl::server_name test2.regify.com
http_access allow stest2
cache_peer test1.de.regify.com parent 443 0 tls ssldomain=test2.regify.com \
    proxy-only originserver no-digest no-netdb-exchange name=test2
cache_peer_access test2 allow stest2
cache_peer_access test2 deny all

# fallback
http_access deny all



Kind regards

Mario Theodoridis

regify GmbH
Römerstrasse 39 | D-78183 Hüfingen-Behla
Amtsgericht Freiburg HRB 709343
Phone: +49 771 8978 4238

On 28/11/23 14:57, Amos Jeffries wrote:
On 28/11/23 23:29, Mario Theodoridis wrote:
Hello everyone,

I'm trying to use Squid as a TLS virtual hosting proxy on a system with a public IP in front of several internal systems running TLS web servers.

I would like to proxy the incoming connections to the appropriate backend servers based on the hostname using SNI.

I'm using the following config just to try this with one backend to test with, and it already fails.

Here the config:

http_port 3128
debug_options ALL,2
pinger_enable off
shutdown_lifetime 1 second
https_port 0.0.0.0:443 tproxy ssl-bump tls-cert=/root/dummy.pem

That should be:

  https_port 443 accel defaultsite=example.com \
    tls-cert=/etc/squid/example.com.pem

The PEM file needs to be valid for all the domains served.


acl tlspls ssl::server_name_regex -i test\.regify\.com
cache_peer test.de.regify.com parent 443 0 proxy-only originserver no-digest no-netdb-exchange name=test

Missing "tls" option to enable TLS when talking to this peer.


ssl_bump peek all
ssl_bump splice all
http_access allow all
cache_peer_access test allow all

I appreciate this is a test. But be sure to keep the default Squid security rules ("deny !Safe_ports" etc) and only allow the hosted domains instead of "all". These DoS and attack protections are particularly important on a reverse-proxy where the general public has access.

FYI; "test what you will use" is important for proxies. One of the "irrelevant" config details may kill your real-world production setup where testing works fine without any security.



...
I've been reading the squid docs and other internet resources, but am failing to figure out why this is not working.

Any clue sticks would be appreciated.

Also appreciated would be advice on where to find this documented.


The Squid wiki ConfigExamples section has all the typical configuration types and a few of the more uncommon ones as well. The one you are needing is <https://wiki.squid-cache.org/ConfigExamples/Reverse/HttpsVirtualHosting>


Cheers
Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.squid-cache.org/listinfo/squid-users

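The points Amos raises in this thread (use `accel` rather than interception on a reverse proxy, add `tls` to a peer on port 443, keep `http_access deny !Safe_ports`, never `allow all` on a public-facing proxy, and use a certificate valid for every hosted name) can be checked mechanically before a config goes live. The Python linter below is an added example written for this page; it is not part of the thread, of Squid, or of regify's setup. It embeds a constructed copy of the original failing test config and a trimmed copy of the working one, and the SAN list `SANS` is an assumption standing in for whatever `openssl x509 -noout -ext subjectAltName` prints for the real listener certificate.

```python
"""Added example: lint a Squid accel (reverse-proxy) config for the points raised
in the thread.  Not Squid code; the SAN list below is an assumption."""

# Constructed copy of the original, failing test config from the thread.
ORIGINAL_CONFIG = r"""
http_port 3128
https_port 0.0.0.0:443 tproxy ssl-bump tls-cert=/root/dummy.pem
acl tlspls ssl::server_name_regex -i test\.regify\.com
cache_peer test.de.regify.com parent 443 0 proxy-only originserver no-digest no-netdb-exchange name=test
ssl_bump peek all
ssl_bump splice all
http_access allow all
cache_peer_access test allow all
"""

# Constructed, trimmed copy of the working config (listeners, one plain and one TLS site).
WORKING_CONFIG = r"""
acl Safe_ports port 80          # http
acl Safe_ports port 443         # https
https_port 0.0.0.0:443 accel defaultsite=regify.com \
    tls-cert=/etc/ssl/certs/regify.com.pem \
    tls-key=/etc/ssl/private/regify.com.key
http_port 0.0.0.0:80 accel
http_access deny !Safe_ports
http_access deny manager
acl vplain dstdomain -n plain.regify.com
http_access allow vplain
cache_peer plain.de.regify.com parent 80 0 \
    proxy-only originserver no-digest no-netdb-exchange name=plain
cache_peer_access plain allow vplain
cache_peer_access plain deny all
acl stest1 ssl::server_name test1.regify.com
http_access allow stest1
cache_peer test1.de.regify.com parent 443 0 tls ssldomain=test1.regify.com \
    proxy-only originserver no-digest no-netdb-exchange name=test1
cache_peer_access test1 allow stest1
cache_peer_access test1 deny all
http_access deny all
"""

# Assumed SAN list of the listener certificate; in practice take it from
# `openssl x509 -noout -ext subjectAltName -in /etc/ssl/certs/regify.com.pem`.
SANS = ["regify.com", "*.regify.com"]


def parse_config(text):
    """Split a squid.conf into token lists, one per logical directive:
    '#' comments are dropped and backslash-continued lines are joined."""
    directives, buf = [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.split():
            directives.append(buf.split())
        buf = ""
    if buf.split():                      # continuation on the very last line
        directives.append(buf.split())
    return directives


def hosted_names(directives):
    """Names the proxy answers for: literal ssl::server_name / dstdomain ACL
    values and https_port defaultsite=.  Regex ACLs carry no literal name."""
    names = set()
    for d in directives:
        if d[0] == "acl" and len(d) > 3 and d[2] in ("ssl::server_name", "dstdomain"):
            names.update(v.lstrip(".") for v in d[3:] if not v.startswith("-"))
        elif d[0] == "https_port":
            names.update(t.split("=", 1)[1] for t in d if t.startswith("defaultsite="))
    return names


def san_covers(name, sans):
    """RFC 6125-style match: exact, or '*.parent' matching exactly one leading label."""
    name = name.lower().rstrip(".")
    parent = name.split(".", 1)[1] if "." in name else None
    return any(s.lower() == name or (s.startswith("*.") and s[2:].lower() == parent)
               for s in sans)


def lint(text, sans):
    """Return findings for the checks Amos raised; an empty list means all pass."""
    directives, findings, safe_ports_denied = parse_config(text), [], False
    for d in directives:
        key, args = d[0], d[1:]
        if key == "https_port" and "accel" not in args:
            mode = [t for t in args if t in ("tproxy", "intercept", "ssl-bump")]
            findings.append(f"https_port {args[0]}: reverse-proxy listener needs 'accel'"
                            + (f" (found {' '.join(mode)})" if mode else ""))
        elif key == "cache_peer" and len(args) >= 3 and args[2] == "443" and "tls" not in args:
            name = next((t[5:] for t in args if t.startswith("name=")), args[0])
            findings.append(f"cache_peer {name}: port 443 without 'tls', Squid would speak plain HTTP to it")
        elif key == "http_access" and args == ["allow", "all"]:
            findings.append("http_access allow all: allow only the hosted domains")
        elif key == "http_access" and args == ["deny", "!Safe_ports"]:
            safe_ports_denied = True
        elif key == "cache_peer_access" and args[1:] == ["allow", "all"]:
            findings.append(f"cache_peer_access {args[0]} allow all: restrict to that site's ACL")
    if not safe_ports_denied:
        findings.append("missing 'http_access deny !Safe_ports'")
    for name in sorted(hosted_names(directives)):
        if not san_covers(name, sans):
            findings.append(f"{name}: not covered by certificate SAN list")
    return findings


if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL_CONFIG), ("working", WORKING_CONFIG)):
        for finding in lint(cfg, SANS) or ["no findings"]:
            print(f"[{label}] {finding}")
```

Run as a script it prints five findings for the original test config and none for the working one. The SAN match is deliberately strict (one label per wildcard, as browsers apply it), so `*.regify.com` covers `test1.regify.com` but not `a.b.regify.com`; a leading-dot `dstdomain` value is checked as the bare domain, which a wildcard SAN alone does not cover.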