reverse proxy HTTPS


reverse proxy HTTPS

sothy shan
Hello friends,

I am using squid 4.0.18. It works for reverse proxy HTTP.

Now I need to make HTTPS. I am not sure how to configure the squid server and ssl keys.

If you have any pointers or procedures in Ubuntu 16.04, please let me know.

Thanks for your response.


Best regards
Sothy

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Fwd: reverse proxy HTTPS

sothy shan
Hi,

I can describe precisely what I am doing on this part. See the previous mail below for my exact requirement.

//create the keys.

$ openssl req -new -keyout key.pem -nodes -x509 -days 365 -out cert.pem

Both keys (cert.pem and key.pem) are placed in /etc/squid/.

Then, I make the following in squid.
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
https_port 192.168.1.69:443 cert=/etc/squid/cert.pem key=/etc/squid/key.pem
cache_peer X.Y.Z.Z parent 443 0 no-query originserver


http_access allow all
++++++++++++++++++++++++++++++++++++++++++++++

When I type in browser like this https://192.168.1.69

I got an error in browser

The requested URL could not be retrieved

When I look at the terminal, I see this error:

HTTP/1.1 400 Bad Request
Server: squid/4.0.18
Mime-Version: 1.0
Date: Mon, 06 Mar 2017 10:19:42 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 3522
X-Squid-Error: ERR_INVALID_URL 0
Vary: Accept-Language
Content-Language: en
X-Cache: MISS from Host-004
Via: 1.1 Host-004 (squid/4.0.18)
Connection: close
///////////////////////////////////////////////////////////////////

May I ask why I'm getting this error?

Thanks for your help.

Best regards
Sothy


---------- Forwarded message ----------
From: sothy shan <[hidden email]>
Date: Mon, Mar 6, 2017 at 10:44 AM
Subject: reverse proxy HTTPS
To: [hidden email]


Hello friends,

I am using squid 4.0.18. It works for reverse proxy HTTP.

Now I need to make HTTPS. I am not sure how to configure the squid server and ssl keys.

If you have any pointers or procedures in Ubuntu 16.04, please let me know.

Thanks for your response.


Best regards
Sothy



Re: Fwd: reverse proxy HTTPS

Amos Jeffries
Administrator
On 6/03/2017 11:21 p.m., sothy shan wrote:

> Hi,
>
> I can describe precisely what I am doing on this part. See the previous mail below
> for my exact requirement.
>
> //create the keys.
>
> $ openssl req -new -keyout key.pem -nodes -x509 -days 365 -out cert.pem
>
> Both keys (cert.pem and key.pem) are placed in /etc/squid/.
>
> Then, I make the following in squid.
> +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
> https_port 192.168.1.69:443 cert=/etc/squid/cert.pem key=/etc/squid/key.pem

The "accel" mode flag is missing.

It is that alone which makes squid a reverse-proxy. The rest of the
config details are 'agnostic' to the proxy type/mode.


> cache_peer X.Y.Z.Z parent 443 0 no-query originserver
>
>
> http_access allow all
> ++++++++++++++++++++++++++++++++++++++++++++++
>
> When I type in browser like this https://192.168.1.69

That's okay for a first test, but you should use a domain as soon as
possible so all the domain related validations have a chance to be tested.
There are cert domain and SNI validations happening at the TLS/SSL
level, and there should also be dstdomain ACLs in squid.conf to ensure
only the wanted domains' traffic gets handled by the proxy.

Amos
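
The corrections from the reply above, collected into one squid.conf fragment as an added example (not part of the original message and not the Squid project's own sample). The domain `www.example.com`, the ACL name `our_sites` and the peer name `origin_site` are placeholders; the addresses and file paths are the ones given in the post.

```conf
# --- As posted: no "accel" flag, so the port is handled as a forward-proxy port.
# --- A browser request for "/" is then rejected (X-Squid-Error: ERR_INVALID_URL).
# https_port 192.168.1.69:443 cert=/etc/squid/cert.pem key=/etc/squid/key.pem
# cache_peer X.Y.Z.Z parent 443 0 no-query originserver
# http_access allow all

# --- Corrected: "accel" puts the port into reverse-proxy mode.
# defaultsite= names the site to assume when a request carries no Host header
# (www.example.com is a placeholder, not a value from the thread).
https_port 192.168.1.69:443 accel defaultsite=www.example.com cert=/etc/squid/cert.pem key=/etc/squid/key.pem

# Origin server as in the post (address elided there), with a name so that
# access rules can refer to it. origin_site is a placeholder name.
cache_peer X.Y.Z.Z parent 443 0 no-query originserver name=origin_site

# dstdomain ACL: only traffic for the wanted domain is handled by the proxy.
acl our_sites dstdomain www.example.com

# Replace "http_access allow all": allow the listed domain, refuse the rest.
http_access allow our_sites
http_access deny all

# Only requests for the listed domain are sent on to the origin peer.
cache_peer_access origin_site allow our_sites
cache_peer_access origin_site deny all
```

With the dstdomain rules in place, a test against the bare address https://192.168.1.69 is refused by `http_access deny all`, so the test has to use the domain name, and the certificate should be issued for that same name so the TLS-level checks mentioned in the reply are exercised.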


Re: Fwd: reverse proxy HTTPS

sothy shan


On Thu, Mar 9, 2017 at 1:41 PM, Amos Jeffries <[hidden email]> wrote:
> On 6/03/2017 11:21 p.m., sothy shan wrote:
> > Hi,
> >
> > I can describe precisely what I am doing on this part. See the previous mail below
> > for my exact requirement.
> >
> > //create the keys.
> >
> > $ openssl req -new -keyout key.pem -nodes -x509 -days 365 -out cert.pem
> >
> > Both keys (cert.pem and key.pem) are placed in /etc/squid/.
> >
> > Then, I make the following in squid.
> > +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
> > https_port 192.168.1.69:443 cert=/etc/squid/cert.pem key=/etc/squid/key.pem
>
> The "accel" mode flag is missing.
>
> It is that alone which makes squid a reverse-proxy. The rest of the
> config details are 'agnostic' to the proxy type/mode.

Yes. I made it like that. It worked!

> > cache_peer X.Y.Z.Z parent 443 0 no-query originserver
> >
> >
> > http_access allow all
> > ++++++++++++++++++++++++++++++++++++++++++++++
> >
> > When I type in browser like this https://192.168.1.69
>
> That's okay for a first test, but you should use a domain as soon as
> possible so all the domain related validations have a chance to be tested.
> There are cert domain and SNI validations happening at the TLS/SSL
> level, and there should also be dstdomain ACLs in squid.conf to ensure
> only the wanted domains' traffic gets handled by the proxy.
>
> Amos
