Squid Reverse HTTPS Let's Encrypt

Squid Reverse HTTPS Let's Encrypt

erdosain9
Hi.
I have Squid configured as a reverse proxy.
The DNS are configured too. The clients can access from outside without
problem.
It is working well.

But I want to serve web pages with https and I would like to use Let's
Encrypt (or something similar) so clients do not have to accept an invalid
certificate.

I wanted to know if this is possible.

Can somebody give me a hand??

This is my config so far:

---------------------------------------------------------------------------------------------------------------------------

http_port 192.168.1.21:80 accel defaultsite=soporte.mydomain.ar vhost

cache_peer 192.168.1.246 parent 80 0 no-query no-digest originserver name=soporte
acl soporte_acl dstdomain soporte.mydomain.ar
http_access allow soporte_acl
cache_peer_access soporte allow soporte_acl

cache_peer 192.168.1.223 parent 80 0 no-query no-digest originserver name=phplists
acl phplists_acl dstdomain phplists.mydomain.ar
http_access allow phplists_acl
cache_peer_access phplists allow phplists_acl

cache_peer 192.168.1.107 parent 80 0 no-query no-digest originserver name=owncloud
acl owncloud_acl dstdomain owncloud.mydomain.ar
http_access allow owncloud_acl
cache_peer_access owncloud allow owncloud_acl

cache_peer 192.168.1.167 parent 443 0 no-query no-digest originserver name=micro
acl micro_acl dstdomain microimporta.com.ar
http_access allow micro_acl
cache_peer_access micro allow micro_acl

--------------------------------------------------------------------------------------------------------

I read that I have to put Squid listening on 443 like this with the certificate

https_port 443 cert=/path/to/cert.pem key=/path/to/private.key (here is
where I put the Let's Encrypt certificate?? this will work?)

The servers have to have configured Let's Encrypt?
Squid has to have configured Let's Encrypt?
Both have to have them configured?

(is the term "have to have" in English well used? :-)

Greetings and many thanks to all.



--
Sent from: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Users-f1019091.html
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Re: Squid Reverse HTTPS Let's Encrypt

Alex Rousskov
On 08/23/2018 07:33 AM, erdosain9 wrote:

> I have Squid configured as a reverse proxy.
> The DNS are configured too. The clients can access from outside without
> problem.
> It is working well.


> But I want to serve web pages with https and I would like to use Let's
> Encrypt (or something similar) so clients do not have to accept an invalid
> certificate.
>
> I wanted to know if this is possible.

It is. You can use any well-known CA, including Let's Encrypt, to obtain
a well-trusted certificate for your reverse proxy.


> The servers have to have configured Let's Encrypt?

The machine running Squid needs to be configured to use Let's Encrypt.
It usually boils down to installing Let's Encrypt automation
scripts/agents for generating/renewing certificates.

The origin servers behind your reverse proxy do not have to use
encryption and, if they use it, do not have to be configured to use
Let's Encrypt. It is your choice whether to encrypt Squid-origin
communication at all and, if yes, whether to use Let's Encrypt for that
encryption.


> Squid has to have configured Let's Encrypt?

Squid https_port can be configured with the Let's Encrypt-provided
certificate and private key, but Squid itself does not know where that
certificate and key came from. This is similar to, say, Apache httpd
configuration -- Apache does not know anything about Let's Encrypt, but
Let's Encrypt-generated certificates can be integrated with Apache httpd
configuration.


When you figure all the details out, consider publishing them on Squid
wiki for others to reuse.


HTH,

Alex.
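
The following is an added example, not part of either message and not Squid project code: a shell pre-flight that a renewal hook could run before reloading Squid, checking that the certificate and key given to https_port belong together, cover every accelerated hostname, and are not about to expire. It assumes the openssl command-line tool is installed; the function names are illustrative, and the paths in the usage comment assume certbot's default layout.

```shell
#!/bin/sh
# Added example (not from the thread): checks to run before pointing
# Squid's https_port at a newly issued or renewed certificate.
# Assumption: the openssl CLI is available on the Squid machine.

# cert_matches_key CERT KEY: leaf certificate and private key are a pair.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# cert_covers CERT NAME...: every hostname Squid accelerates is in the cert.
cert_covers() {
    cert=$1; shift
    for name in "$@"; do
        openssl x509 -in "$cert" -noout -checkhost "$name" 2>/dev/null |
            grep -q 'does match' || { echo "not covered: $name" >&2; return 1; }
    done
}

# cert_valid_for CERT DAYS: certificate does not expire within DAYS days.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# preflight CERT KEY NAME...: all checks; non-zero status on the first failure.
preflight() {
    cert=$1; key=$2; shift 2
    cert_matches_key "$cert" "$key" || { echo "key/cert mismatch" >&2; return 1; }
    cert_covers "$cert" "$@" || return 1
    cert_valid_for "$cert" 7 || { echo "expires within 7 days" >&2; return 1; }
}

# Usage (paths assume certbot's default layout; hostnames from the config above):
#   d=/etc/letsencrypt/live/soporte.mydomain.ar
#   preflight "$d/fullchain.pem" "$d/privkey.pem" soporte.mydomain.ar \
#       phplists.mydomain.ar owncloud.mydomain.ar &&
#       squid -k parse && squid -k reconfigure
```
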