Reverse proxy with HTTPS

sothy shan
Hello,

I am trying to test a reverse proxy with HTTPS. For example, a client makes an HTTPS request to the squid server, which makes another HTTPS request to the web server.
To test the scenario, what setup do I need to do?
If you have any document, please share it with me or point me to the key steps.

However, after reading on the web, I found information on creating a reverse proxy using ssl with wildcard certificate. In that setup, I don't know how to create the wildcard certificate. But I created a certificate authority certificate.

Thanks for your help.

Best regards
Sothy


_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Re: Reverse proxy with HTTPS

Matus UHLAR - fantomas
On 03.03.17 10:02, sothy shan wrote:
>I am trying to test reverse proxy with HTTPS. For example, client makes
>HTTPS request to squid server which make another HTTPS request to web
>server.

what point does this have, except disabling client certificates?

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Honk if you love peace and quiet.
Re: Reverse proxy with HTTPS

sothy shan


On Fri, Mar 3, 2017 at 12:59 PM, Matus UHLAR - fantomas <[hidden email]> wrote:
> On 03.03.17 10:02, sothy shan wrote:
>> I am trying to test reverse proxy with HTTPS. For example, client makes
>> HTTPS request to squid server which make another HTTPS request to web
>> server.
>
> what point does this have, except disabling client certificates?

Will it work as expected (i.e. reverse HTTPS Proxy) when I disable client certificates?
 
Re: Reverse proxy with HTTPS

Matus UHLAR - fantomas
>> On 03.03.17 10:02, sothy shan wrote:
>>> I am trying to test reverse proxy with HTTPS. For example, client makes
>>> HTTPS request to squid server which make another HTTPS request to web
>>> server.

>On Fri, Mar 3, 2017 at 12:59 PM, Matus UHLAR - fantomas <[hidden email]>
>wrote:
>> what point does this have, except disabling client certificates?

On 03.03.17 14:09, sothy shan wrote:
>Will it work as expect (i.e. reverse HTTPS Proxy) when I disable client
>certificates?

It should work even without disabling client certificates, it just makes
little sense.

Talking to servers using HTTP and thus behaving like SSL accelerator makes
sense.

Behaving like caching accelerator while using SSL on both sides makes little
sense, of course depending on cacheability of the content.

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Nothing is fool-proof to a talented fool.
Re: Reverse proxy with HTTPS

sothy shan


On Fri, Mar 3, 2017 at 2:56 PM, Matus UHLAR - fantomas <[hidden email]> wrote:
>>> On 03.03.17 10:02, sothy shan wrote:
>>>> I am trying to test reverse proxy with HTTPS. For example, client makes
>>>> HTTPS request to squid server which make another HTTPS request to web
>>>> server.
>
>> On Fri, Mar 3, 2017 at 12:59 PM, Matus UHLAR - fantomas <[hidden email]>
>> wrote:
>>> what point does this have, except disabling client certificates?
>
> On 03.03.17 14:09, sothy shan wrote:
>> Will it work as expect (i.e. reverse HTTPS Proxy) when I disable client
>> certificates?
>
> It should work even without disabling client certificates, it just makes
> little sense.
>
> Talking to servers using HTTP and thus behaving like SSL accelerator makes
> sense.
>
> Behaving like caching accelerator while using SSL on both sides makes little
> sense, of course depending on cacheability of the content.

In order to check first reverse proxy with HTTP, I am using squid-4.0.18.
The following changes are added into /etc/squid/squid.conf
+++++++++++++++++++++++++++++++++++++++++++++++++++++++

http_port 192.168.1.69:80 accel defaultsite=www.xxxx.fr
cache_peer X.Y.W.Z parent 80 0 no-query originserver name=myAccel

acl our_sites dstdomain www.lemonde.fr
http_access allow our_sites
cache_peer_acces myAccel allow our_sites
cache_peer_access myAccel deny all

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 
After that I am manually running
$sudo squid -d 2 -a 80 -N -X

Squid is not running and stopped in the middle without any error msg.

Do you see where the problem is?

Best regards
Sothy
 
Re: Reverse proxy with HTTPS

Alex Rousskov
In reply to this post by Matus UHLAR - fantomas
On 03/03/2017 04:59 AM, Matus UHLAR - fantomas wrote:
> On 03.03.17 10:02, sothy shan wrote:
>> I am trying to test reverse proxy with HTTPS. For example, client makes
>> HTTPS request to squid server which make another HTTPS request to web
>> server.

> what point does this have, except disabling client certificates?

This setup may be useful for several reasons, including:

* caching
* access controls
* content adaptation
* logging
* using different encryption policies with clients and servers

Alex.

Re: Reverse proxy with HTTPS

sothy shan


On Fri, Mar 3, 2017 at 4:29 PM, Alex Rousskov <[hidden email]> wrote:
> On 03/03/2017 04:59 AM, Matus UHLAR - fantomas wrote:
>> On 03.03.17 10:02, sothy shan wrote:
>>> I am trying to test reverse proxy with HTTPS. For example, client makes
>>> HTTPS request to squid server which make another HTTPS request to web
>>> server.
>
>> what point does this have, except disabling client certificates?
>
> This setup may be useful for several reasons, including:
>
> * caching

My question is, will caching work during reverse HTTPS proxy? I just want configuration information for squid-4.0.5?

> * access controls
> * content adaptation
> * logging
> * using different encryption policies with clients and servers
>
> Alex.

Re: Reverse proxy with HTTPS

Amos Jeffries
Administrator
In reply to this post by sothy shan
On 4/03/2017 3:53 a.m., sothy shan wrote:

> On Fri, Mar 3, 2017 at 2:56 PM, Matus UHLAR - fantomas <[hidden email]>
> wrote:
>
>> On 03.03.17 10:02, sothy shan wrote:
>>>>
>>>>> I am trying to test reverse proxy with HTTPS. For example, client makes
>>>>> HTTPS request to squid server which make another HTTPS request to web
>>>>> server.
>>>>>
>>>>
>> On Fri, Mar 3, 2017 at 12:59 PM, Matus UHLAR - fantomas <[hidden email]
>>>>
>>> wrote:
>>>
>>>> what point does this have, except disabling client certificates?
>>>>
>>>
>> On 03.03.17 14:09, sothy shan wrote:
>>
>>> Will it work as expect (i.e. reverse HTTPS Proxy) when I disable client
>>> certificates?
>>>
>>
>> It should work even without disabling client certificates, it just makes
>> little sense.
>>
>> Talking to servers using HTTP and thus behaving like SSL accelerator makes
>> sense.
>>
>> Behaving like caching accelerator while using SSL on both sides makes
>> little
>> sense, of course depending on cacheability of the content.
>>
>
> In order to check first rever proxy with HTTP, I am using squid-4.0.18.
> The following changes are added into /etc/squid/squid.conf
> +++++++++++++++++++++++++++++++++++++++++++++++++++++++
>
> http_port 192.168.1.69:80 accel defaultsite=www.xxxx.fr
> cache_peer X.Y.W.Z parent 80 0 no-query originserver name=myAccel
>
> acl our_sites dstdomain www.lemonde.fr
> http_access allow our_sites
> cache_peer_acces myAccel allow our_sites
> cache_peer_access myAccel deny all
>
> +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
>
> After that I am manually running
> $sudo squid -d 2 -a 80 -N -X
>
> Squid is not running and stopped in the middle without any error msg.
>

I very much doubt there is *no* error message. Much more likely that it
is just being sent to a place you are not noticing.

> Do you see where is problem?

You have told Squid to open port 80 on *all* IPs of the machine for
generic proxy traffic (command line parameter "-a 80"), then you have
told Squid to *also* open port 80 on IP 192.168.1.69 for reverse-proxy
traffic.

You cannot open an IP:port twice. Not even with the same application.

Amos

Re: Reverse proxy with HTTPS

sothy shan


On Fri, Mar 3, 2017 at 4:55 PM, Amos Jeffries <[hidden email]> wrote:
> On 4/03/2017 3:53 a.m., sothy shan wrote:
>> On Fri, Mar 3, 2017 at 2:56 PM, Matus UHLAR - fantomas <[hidden email]>
>> wrote:
>>
>>> On 03.03.17 10:02, sothy shan wrote:
>>>>>
>>>>>> I am trying to test reverse proxy with HTTPS. For example, client makes
>>>>>> HTTPS request to squid server which make another HTTPS request to web
>>>>>> server.
>>>>>>
>>>>>
>>> On Fri, Mar 3, 2017 at 12:59 PM, Matus UHLAR - fantomas <[hidden email]
>>>>>
>>>> wrote:
>>>>
>>>>> what point does this have, except disabling client certificates?
>>>>>
>>>>
>>> On 03.03.17 14:09, sothy shan wrote:
>>>
>>>> Will it work as expect (i.e. reverse HTTPS Proxy) when I disable client
>>>> certificates?
>>>>
>>>
>>> It should work even without disabling client certificates, it just makes
>>> little sense.
>>>
>>> Talking to servers using HTTP and thus behaving like SSL accelerator makes
>>> sense.
>>>
>>> Behaving like caching accelerator while using SSL on both sides makes
>>> little
>>> sense, of course depending on cacheability of the content.
>>>
>>
>> In order to check first rever proxy with HTTP, I am using squid-4.0.18.
>> The following changes are added into /etc/squid/squid.conf
>> +++++++++++++++++++++++++++++++++++++++++++++++++++++++
>>
>> http_port 192.168.1.69:80 accel defaultsite=www.xxxx.fr
>> cache_peer X.Y.W.Z parent 80 0 no-query originserver name=myAccel
>>
>> acl our_sites dstdomain www.lemonde.fr
>> http_access allow our_sites
>> cache_peer_acces myAccel allow our_sites
>> cache_peer_access myAccel deny all
>>
>> +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
>>
>> After that I am manually running
>> $sudo squid -d 2 -a 80 -N -X
>>
>> Squid is not running and stopped in the middle without any error msg.
>>
>
> I very much doubt there is *no* error message. Much more likely that it
> is just being sent to a place you are not noticing.
>
>> Do you see where is problem?
>
> You have told Squid to open port 80 on *all* IPs of the machine for
> generic proxy traffic (command line parameter "-a 80"), then you have
> told Squid to *also* open port 80 on IP 192.168.1.69 for reverse-proxy
> traffic.
>
> You cannot open a IP:port twice. Not even with the same application.

I changed the configuration
++++++++++++++++++++++++++++++++++++
http_port 192.168.1.69:80 accel defaultsite=www.AAAAA.com
cache_peer 192.168.1.31 parent 80 0 no-query originserver


http_access allow all
 ++++++++++++++++++++++++++++++++++++++++++
It worked well now for HTTP reverse proxy.

> Amos

Re: Reverse proxy with HTTPS

Amos Jeffries
Administrator
On 4/03/2017 4:58 a.m., sothy shan wrote:
> I changed the configuration
> ++++++++++++++++++++++++++++++++++++
> http_port 192.168.1.69:80 accel defaultsite=www.AAAAA.com
> cache_peer 192.168.1.31 parent 80 0 no-query originserver
>
>
> http_access allow all
>  ++++++++++++++++++++++++++++++++++++++++++
> It worked well now for HTTP reverse proxy.

"allow all" is *BAD*. Your server just delivered successful relayed
responses when I asked it for google.com, example.com and some other
domains which do not belong to you.
 It is an open-proxy, not a reverse-proxy.

You should know what domains your system is serving and keep the
dstdomain ACL to allow only that traffic through the proxy.

My point earlier was that you need to choose your method of configuring
the Squid ports. Either use the -a command option, or http_port. Do not
use both for the same port number.
 I suggest removing the -a use, since it cannot be used to configure
reverse-proxy port options.

Amos
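
The two problems raised in the replies above (an `http_access allow all` rule on an accel port, and `squid -a 80` colliding with an `http_port` on the same port) can be checked mechanically. The following is an added example, not part of the original thread or of Squid itself: it is a simplified model that understands only `dstdomain` ACLs and the built-in `all`, and the `FIXED` configuration and all function names are constructed for illustration.

```python
# Added example: simplified model of Squid's http_access evaluation.
# Assumption: only dstdomain ACLs and the built-in "all" are modelled.

OPEN = """\
http_port 192.168.1.69:80 accel defaultsite=www.AAAAA.com
cache_peer 192.168.1.31 parent 80 0 no-query originserver
http_access allow all
"""  # configuration as posted in the thread

FIXED = """\
http_port 192.168.1.69:80 accel defaultsite=www.AAAAA.com
cache_peer 192.168.1.31 parent 80 0 no-query originserver name=myAccel
acl our_sites dstdomain www.AAAAA.com
http_access allow our_sites
http_access deny all
cache_peer_access myAccel allow our_sites
cache_peer_access myAccel deny all
"""  # constructed: restricts traffic with a dstdomain ACL

def parse(conf):
    acls, rules, ports = {}, [], []
    for line in conf.splitlines():
        tok = line.split("#", 1)[0].split()
        if len(tok) >= 4 and tok[0] == "acl" and tok[2] == "dstdomain":
            acls.setdefault(tok[1], []).extend(d.lower() for d in tok[3:])
        elif len(tok) >= 3 and tok[0] == "http_access":
            rules.append((tok[1], tok[2:]))
        elif len(tok) >= 2 and tok[0] == "http_port":
            ports.append(tok[1])
    return acls, rules, ports

def acl_matches(acls, name, host):
    negate, name = name.startswith("!"), name.lstrip("!")
    if name == "all":
        hit = True
    else:  # ".example.com" also covers subdomains; unknown ACLs never match
        hit = any(host == d.lstrip(".") or (d[0] == "." and host.endswith(d))
                  for d in acls.get(name, []))
    return hit != negate

def allowed(conf, host):
    """Would http_access let a request for `host` through?"""
    acls, rules, _ = parse(conf)
    for action, names in rules:
        if all(acl_matches(acls, n, host.lower()) for n in names):
            return action == "allow"
    # No rule matched: Squid applies the opposite of the last rule.
    return bool(rules) and rules[-1][0] == "deny"

def port_conflicts(conf, cli_port):
    """http_port lines that reuse the port given to `squid -a`."""
    return [p for p in parse(conf)[2] if p.rsplit(":", 1)[-1] == str(cli_port)]
```

With the posted configuration, `allowed(OPEN, "google.com")` is true, which is the open-proxy behaviour described above; with the dstdomain restriction it is false while the served site is still allowed.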

Re: Reverse proxy with HTTPS

Alex Rousskov
In reply to this post by sothy shan
On 03/03/2017 08:41 AM, sothy shan wrote:

> On Fri, Mar 3, 2017 at 4:29 PM, Alex Rousskov wrote:
>
>     On 03/03/2017 04:59 AM, Matus UHLAR - fantomas wrote:
>     > On 03.03.17 10:02, sothy shan wrote:
>     >> I am trying to test reverse proxy with HTTPS. For example, client makes
>     >> HTTPS request to squid server which make another HTTPS request to web
>     >> server.
>
>     > what point does this have, except disabling client certificates?
>
>     This setup may be useful for several reasons, including:
>
>     * caching
>
> My question is caching will work during reverse HTTPS proxy?

Yes, it should work.


>     * access controls
>     * content adaptation
>     * logging
>     * using different encryption policies with clients and servers

Alex.
