Squid 3.4.8 Reverse with multiple SSL Sites and multiple Certs/Domains

Squid 3.4.8 Reverse with multiple SSL Sites and multiple Certs/Domains

Maik Linnemann


Dear List,

I have used squid3 as a reverse proxy for a while for multiple sites, hosted on different targets. All those sites work with SSL; they use a wildcard cert. It works well so far. Now I need to host another site, with a different domain and another SSL certificate. Can I configure squid to use the cert by the requested URL likewise? I just tried to copy my existing stuff and edit it to another cert, but this doesn't take me far as squid always takes the main cert file. My config is like:

<FROM HERE I AM GOOD>

https_port <IP>:443 accel vhost defaultsite=webmail.somedomain.info cert=/etc/squid3/certs/wildcard/wirldcard.crt key=/etc/squid3/certs/wildcard/wildcard.key
cache_peer 192.168.111.20 parent 443 0 proxy-only no-query no-digest login=PASS connection-auth=off ssl sslflags=DONT_VERIFY_PEER,DONT_VERIFY_DOMAIN originserver name=webmail
cache_peer_domain webmail ssl webmail.somedomain.info
acl url_allow url_regex -i ^https://webmail.somedomain.info/owa.*$
acl url_allow url_regex -i ^https://webmail.somedomain.info/ecp.*$

cache_peer 192.168.111.51 parent 443 0 proxy-only no-query no-digest login=PASS connection-auth=off ssl sslflags=DONT_VERIFY_PEER,DONT_VERIFY_DOMAIN originserver name=git
cache_peer_domain git ssl git.somedomain.info
acl url_allow url_regex -i ^https://git.somedomain.info/.*$

<UNTIL HERE I AM GOOD>

<THIS IS NOT REALLY WORKING>

https_port www.anotherdomain.de:443 accel vhost defaultsite=anotherdomain.de cert=/etc/ssl/certs-anotherdomain.de/anotherdomain.de.pem key=/etc/ssl/private-anotherdomain.de/anotherdomain.de.key
cache_peer 192.168.1.1 parent 443 0 proxy-only no-query no-digest login=PASS connection-auth=off ssl sslflags=DONT_VERIFY_PEER,DONT_VERIFY_DOMAIN originserver name=anotherdomain

<THIS IS NOT REALLY WORKING>

How can I host multiple sites and tell squid to use the cert I attach to each site or domain?

thanks in advance,

with regards,
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Re: Squid 3.4.8 Reverse with multiple SSL Sites and multiple Certs/Domains

Amos Jeffries
Administrator
On 11/04/2017 10:44 p.m., Maik Linnemann wrote:
>
>
> Dear List,
>
> i use squid3 as reverse Proxy since a while for multiple sites,
> hosted on different targets. All those sites work with SSL they use a
> wildcard cert. It works well so far. Now i need to host another site,
> with a different domain and another ssl certificate. Can i configure
> squid to use cert by the requested url likewise?

Yes, but currently it requires multiple https_port lines, one for each
certificate. That means you will require multiple IPs since the port
values are both 443.


Amos
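A check for the situation described in this answer, added here as an example (not code from the thread or from the Squid project): two https_port lines that carry different certificates but bind the same address and port cannot both be served, so a reviewer wants that flagged before squid is reloaded. The configuration text is constructed for the example, modelled on the poster's layout with documentation-range addresses (192.0.2.10 and 192.0.2.11) standing in for the real public IPs; the parser treats the listen address literally and does not resolve hostnames.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed squid.conf excerpt (not the poster's file): two https_port lines,
# each with its own certificate, both bound to the same address:port.
BROKEN_CONF = """\
https_port 192.0.2.10:443 accel vhost defaultsite=webmail.somedomain.info cert=/etc/squid3/certs/wildcard/wildcard.crt key=/etc/squid3/certs/wildcard/wildcard.key
cache_peer 192.168.111.20 parent 443 0 proxy-only no-query no-digest originserver name=webmail
https_port 192.0.2.10:443 accel vhost defaultsite=anotherdomain.de cert=/etc/ssl/certs-anotherdomain.de/anotherdomain.de.pem key=/etc/ssl/private-anotherdomain.de/anotherdomain.de.key
"""

# Same sites, but the second certificate gets its own listen address (a second IP),
# which is the layout the answer describes: one https_port per certificate.
FIXED_CONF = """\
https_port 192.0.2.10:443 accel vhost defaultsite=webmail.somedomain.info cert=/etc/squid3/certs/wildcard/wildcard.crt key=/etc/squid3/certs/wildcard/wildcard.key
https_port 192.0.2.11:443 accel vhost defaultsite=anotherdomain.de cert=/etc/ssl/certs-anotherdomain.de/anotherdomain.de.pem key=/etc/ssl/private-anotherdomain.de/anotherdomain.de.key
"""


def parse_https_ports(conf: str) -> List[Tuple[str, Dict[str, str]]]:
    """Return (listen_address, options) for every https_port line; '#' comments are ignored."""
    listeners = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.startswith("https_port"):
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        addr = parts[1]
        if ":" not in addr:
            # A bare port number binds every local address.
            addr = "0.0.0.0:" + addr
        opts: Dict[str, str] = {}
        for tok in parts[2:]:
            key, _, value = tok.partition("=")
            opts[key] = value  # bare flags such as 'accel' keep an empty value
        listeners.append((addr, opts))
    return listeners


def find_listener_conflicts(conf: str) -> List[Tuple[str, List[str]]]:
    """List every listen address bound more than once, with the certs claimed for it.

    Only the first binding of an address:port can actually be served, so every
    extra cert on the same address is a site that will never get its own certificate.
    """
    by_addr: Dict[str, List[str]] = defaultdict(list)
    for addr, opts in parse_https_ports(conf):
        by_addr[addr].append(opts.get("cert", "<no cert>"))
    return sorted((addr, certs) for addr, certs in by_addr.items() if len(certs) > 1)


if __name__ == "__main__":
    for label, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        conflicts = find_listener_conflicts(conf)
        print(f"{label}: {len(conflicts)} conflicting listener(s)")
        for addr, certs in conflicts:
            print(f"  {addr} is bound {len(certs)} times: {', '.join(certs)}")
```

The same check passes when the second https_port is given a different port on the same IP instead of a second address, which is the other layout the answer allows; Squid-4's multiple cert=/key= pairs on a single https_port line are a separate feature this lint does not model.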

Re: Squid 3.4.8 Reverse with multiple SSL Sites and multiple Certs/Domains

Maik Linnemann
Thanks Amos. Unfortunately I only have one public IP to use for the reverse squid. I thought there might be an equivalent to Apache's name-based hosts or similar.
Re: Squid 3.4.8 Reverse with multiple SSL Sites and multiple Certs/Domains

Amos Jeffries
Administrator
On 12/04/2017 7:58 p.m., Maik Linnemann wrote:
> Thanks Amos. Unfortunately i only have one public IP to use for the reverse squid. I thought there might be an equivalent to apaches name based hosts or similar.

The TLS protocol does contain an SNI feature, but support for it in the
reverse-proxy is not yet complete.

You have a few other options that are less pleasing:

 * using a different port number instead of different IP, or

 * finding someone to complete the SNI reverse-proxy code in Squid, or

 * using a non-Squid proxy temporarily in front of Squid to split the
traffic on SNI.

Amos
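The third option above, a proxy in front of Squid that splits traffic on SNI, combined with the first one (one Squid https_port per certificate, each on its own port), comes down to reading the host name out of the TLS ClientHello before any TLS is terminated and picking a backend from it. The code below is an added example, not from the thread or from Squid, nginx or any other project: it builds a minimal ClientHello, extracts the SNI host_name per RFC 6066, and maps it to a hypothetical routing table in which the wildcard-cert sites and the anotherdomain.de site go to different Squid listeners (the listener names and the 127.0.0.1:8443/8444 addresses are constructed assumptions).

```python
import struct
from typing import Optional, Tuple

# Hypothetical routing table: SNI host -> (listener name, Squid https_port address).
# Each Squid listener presents one certificate, so every name is routed to the
# listener whose certificate covers it. Names and addresses are constructed.
ROUTES = {
    "webmail.somedomain.info": ("squid-wildcard", "127.0.0.1:8443"),
    "git.somedomain.info": ("squid-wildcard", "127.0.0.1:8443"),
    "www.anotherdomain.de": ("squid-anotherdomain", "127.0.0.1:8444"),
}


def build_client_hello(server_name: Optional[str]) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello record, optionally carrying an SNI extension."""
    extensions = b""
    if server_name is not None:
        host = server_name.encode("idna")
        entry = b"\x00" + struct.pack("!H", len(host)) + host       # name_type 0 = host_name
        sni_list = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", 0x0000, len(sni_list)) + sni_list
    body = (
        b"\x03\x03"                                  # client_version: TLS 1.2
        + b"\x00" * 32                               # random (all zero, constructed)
        + b"\x00"                                    # session_id length 0
        + struct.pack("!H", 2) + b"\x13\x01"         # one cipher suite
        + b"\x01\x00"                                # compression: null only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def _need(buf: bytes, i: int, n: int) -> None:
    """Bounds check so a truncated or malformed record raises instead of mis-parsing."""
    if i + n > len(buf):
        raise ValueError("truncated ClientHello")


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name from the ClientHello's SNI extension, or None if there is none."""
    _need(record, 0, 5)
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    _need(record, 5, rec_len)
    hs = record[5:5 + rec_len]
    _need(hs, 0, 4)
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    _need(hs, 4, hs_len)
    p = hs[4:4 + hs_len]
    i = 2 + 32                                   # client_version + random
    _need(p, i, 1)
    i += 1 + p[i]                                # session_id
    _need(p, i, 2)
    i += 2 + struct.unpack("!H", p[i:i + 2])[0]  # cipher_suites
    _need(p, i, 1)
    i += 1 + p[i]                                # compression_methods
    if i == len(p):
        return None                              # no extensions block at all
    _need(p, i, 2)
    ext_len = struct.unpack("!H", p[i:i + 2])[0]
    i += 2
    _need(p, i, ext_len)
    end = i + ext_len
    while i + 4 <= end:
        etype, elen = struct.unpack("!HH", p[i:i + 4])
        i += 4
        _need(p, i, elen)
        data = p[i:i + elen]
        i += elen
        if etype != 0x0000:                      # extension 0 = server_name (RFC 6066)
            continue
        j = 2                                    # skip server_name_list length
        while j + 3 <= len(data):
            ntype = data[j]
            nlen = struct.unpack("!H", data[j + 1:j + 3])[0]
            j += 3
            _need(data, j, nlen)
            name = data[j:j + nlen]
            j += nlen
            if ntype == 0:                       # host_name
                return name.decode("ascii")
    return None


def route(record: bytes, default=None) -> Optional[Tuple[str, str]]:
    """Pick the Squid listener for a ClientHello; unknown or absent SNI falls back to default."""
    name = extract_sni(record)
    if name is None:
        return default
    return ROUTES.get(name.lower().rstrip("."), default)


if __name__ == "__main__":
    for host in ("webmail.somedomain.info", "www.anotherdomain.de", None):
        print(host, "->", route(build_client_hello(host), default="no listener"))
```

A client that sends no SNI at all (older clients, or someone connecting by IP) gets the default, which is the same "only one certificate per socket" limitation the thread is about; the splitter only moves the decision in front of Squid, it does not remove it.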

Re: Squid 3.4.8 Reverse with multiple SSL Sites and multiple Certs/Domains

Eliezer Croitoru
You can try to use haproxy, nginx, varnish or any other proxy.

Eliezer

----
Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: [hidden email]


Re: Squid 3.4.8 Reverse with multiple SSL Sites and multiple Certs/Domains

Maik Linnemann
I figured out that nginx is able to do what I want, at least SNI and multiple certs. I am forced to try that in the meantime. Also I will check varnish. Is there any realistic date when SNI is available in reverse proxy with squid? Is there anyone coding at all for that feature?

Re: Squid 3.4.8 Reverse with multiple SSL Sites and multiple Certs/Domains

Amos Jeffries
Administrator
On 13/04/2017 7:13 a.m., Maik Linnemann wrote:
> I figured out that nginx is able to do what i want, at least SNI and
> multiple certs. I am forced to try that in the meantime. Also i will
> check varnish. Is there any realistic date when SNI is available in
> reverse proxy with squid? Is there anyone coding at all for that
> feature?
>

I've been working on it as part of the GnuTLS support in Squid-4.
https_port can now be configured with multiple cert= key= parameter
pairs. But loading any past the first pair with OpenSSL builds is still
missing.

I _think_ all that is left now (for OpenSSL builds) is to alter that
logic loading cert= files into the server context. But I have not
investigated those details closely yet.

My focus in the 'free' work is getting GnuTLS working for Debian/Ubuntu
and refactoring for easier porting to other backend libraries in
future (Fedora, RHEL and Apple want other libraries). I intend for SNI
to be usable out of the box with GnuTLS builds. Someone may do OpenSSL
changes to match by the time it goes public - I cannot test it so that
depends on others.

Amos

Re: Squid 3.4.8 Reverse with multiple SSL Sites and multiple Certs/Domains

Maik Linnemann
Thanks for the clarification and for supporting the free work/world! I already tried nginx and it seems to be doing its job. I will keep an eye on squid 4 and what was said about the issues.