Re: SSL Virtual Hosting Problem

[Mario Theodoridis <mario.theodoridis@xxxxxxxxxx>]

I do have one more problem at this point.

Using openssl i can work with what i have below, but i cannot add a 2nd 
certificate

https_port 0.0.0.0:443 accel defaultsite=regify.com \
    tls-cert=/etc/ssl/certs/regify.com.pem \
    tls-cert=/etc/ssl/certs/foo.com.pem

gives me

ERROR: OpenSSL does not support multiple server certificates. Ignoring 
addional cert= parameters.


If i instead use gnutls, i get dinged for using ssl::server

FATAL: Bungled /etc/squid/squid.conf line 29: acl stest1 
ssl::server_name test1.regify.com

is there a way to get the SNI host with gnutls?

http://www.squid-cache.org/Doc/config/acl/ did not answer that for me.

Alternatively, can i get openssl to cope with multiple certs somehow?


Mit Freundlichen Grüßen / Kind regards

Mario Theodoridis

regify GmbH
Römerstrasse 39 | D-78183 Hüfingen-Behla
Amtsgericht Freiburg HRB 709343
Telefon: +49 771 8978 4238

On 28/11/23 16:58, Mario Theodoridis wrote:
> Thank you Amos and Alex,
>
> this is a config i managed to get working for http and https
>
>
> acl SSL_ports port 443
> acl Safe_ports port 80          # http
> acl Safe_ports port 443         # https
>
> # listeners
> https_port 0.0.0.0:443 accel defaultsite=regify.com \
>     tls-cert=/etc/ssl/certs/regify.com.pem \
>     tls-key=/etc/ssl/private/regify.com.key
> http_port 0.0.0.0:80 accel
>
> # incoming
> http_access deny !Safe_ports
> http_access deny manager
>
>
> # plain
> acl vplain dstdomain -n plain.regify.com
> http_access allow vplain
> cache_peer plain.de.regify.com parent 80 0 \
>     proxy-only originserver no-digest no-netdb-exchange name=plain
> cache_peer_access plain allow vplain
> cache_peer_access plain deny all
>
> # test1
> acl stest1 ssl::server_name test1.regify.com
> http_access allow stest1
> cache_peer test1.de.regify.com parent 443 0 tls 
> ssldomain=test1.regify.com \
>     proxy-only originserver no-digest no-netdb-exchange name=test1
> cache_peer_access test1 allow stest1
> cache_peer_access test1 deny all
>
> # test2
> acl stest2 ssl::server_name test2.regify.com
> http_access allow stest2
> cache_peer test1.de.regify.com parent 443 0 tls 
> ssldomain=test2.regify.com \
>     proxy-only originserver no-digest no-netdb-exchange name=test2
> cache_peer_access test2 allow stest2
> cache_peer_access test2 deny all
>
> # fallback
> http_access deny all
>
>
>
> Mit Freundlichen Grüßen / Kind regards
>
> Mario Theodoridis
>
> regify GmbH
> Römerstrasse 39 | D-78183 Hüfingen-Behla
> Amtsgericht Freiburg HRB 709343
> Telefon: +49 771 8978 4238
>
> On 28/11/23 14:57, Amos Jeffries wrote:
> > On 28/11/23 23:29, Mario Theodoridis wrote:
> > > Hello everyone,
> > >
> > > i'm trying to use squid as a TLS virtual hosting proxy on a system 
> > > with a public IP in front of several internal systems running TLS 
> > > web servers.
> > >
> > > I would like to proxy the incoming connections to the appropriate 
> > > backend servers based on the hostname using SNI.
> > >
> > > I'm using the following config to just try this with 1 backend to 
> > > test with and fail already
> > >
> > > Here the config:
> > >
> > > http_port 3128
> > > debug_options ALL,2
> > > pinger_enable off
> > > shutdown_lifetime 1 second
> > > https_port 0.0.0.0:443 tproxy ssl-bump tls-cert=/root/dummy.pem
> >
> > That should be:
> >
> >   https_port 443 accel defaultsite=example.com \
> >     tls-cert=/etc/squid/example.com.pem
> >
> > The PEM file needs to be valid for all the domains served.
> >
> >
> > > acl tlspls ssl::server_name_regex -i test\.regify\.com
> > > cache_peer test.de.regify.com parent 443 0 proxy-only originserver 
> > > no-digest no-netdb-exchange name=test
> >
> > Missing "tls" option to enable TLS when talking to this peer.
> >
> >
> > > ssl_bump peek all
> > > ssl_bump splice all
> > > http_access allow all
> > > cache_peer_access test allow all
> >
> > I appreciate this is a test. But be sure to keep the default Squid 
> > security rules ("deny !Safe_ports" etc) and only allow the hosted 
> > domains instead of "all". These DoS and attack protections are 
> > particularly important on a reverse-proxy where the general public 
> > has access.
> >
> > FYI; "test what you will use" is important for proxies. One of the 
> > "irrelevant" config details may kill your real-world production setup 
> > where testing works fine without any security.
> >
> >
> > > ...
> > > I've been reading the squid docs and other internet resources, but 
> > > am failing to figure out why this is not working.
> > >
> > > Any clue sticks would be appreciated.
> > >
> > > Also appreciated would be advise on where to find this documented.
> >
> > The Squid wiki ConfigExamples section has all the typical 
> > configuration types and a few of the more uncommon ones as well.
> > The one you are needing is 
> > <https://wiki.squid-cache.org/ConfigExamples/Reverse/HttpsVirtualHosting>
> >
> >
> > Cheers
> > Amos
> > _______________________________________________
> > squid-users mailing list
> > squid-users@xxxxxxxxxxxxxxxxxxxxx
> > https://lists.squid-cache.org/listinfo/squid-users
>
> _______________________________________________
> squid-users mailing list
> squid-users@xxxxxxxxxxxxxxxxxxxxx
> https://lists.squid-cache.org/listinfo/squid-users

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.squid-cache.org/listinfo/squid-users