[squid-users] handling different two way ssl-request via a proxy system

Abdelouahed Haitoute ahaitoute at rinis.nl
Tue Apr 14 11:57:47 UTC 2015 

Hello,

Currently we’ve got the following situation in our production environment:

Clients —HTTP—> Apache —HTTPS TWO-WAY SSL VIA EXTERNAL PROXY —> HTTPS SERVERS

Just to be clear, the following services are used during this flow:

http client (firefox, chrome, curl, wget, etc.) —> Apache (which setups two-way ssl) —> Squid (which simply proxies https connect) —> HTTPS services of other parties on the internet, supporting two-way ssl

We’ve realized this using the following configuration on the apache service:

LoadModule ssl_module modules/mod_ssl.so

Listen *:3128

<VirtualHost *:3128>

  SSLProxyEngine On
  SSLProxyVerify require
  SSLProxyVerifyDepth 10
  SSLProxyMachineCertificateFile /etc/httpd/certs/client.pem
  SSLProxyCACertificateFile      /etc/httpd/certs/ca.crt

  RewriteEngine On
  RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 <https://%{HTTP_HOST}$1> [NC,P]


  ProxyPreserveHost On
  ProxyPass            /  https://$1/ <https://$1/>
  ProxyPassReverse     /  https://$1/ <https://$1/>

  ProxyRemote https http://192.168.68.102:3128 <http://192.168.68.102:3128/>
</VirtualHost>

We’re trying to replace the apache service by using squid. I’ve installed squid 3.1.10 on CentOS 6.6 and have realized in a development environment a two-way ssl:

http client —> Squid 3.1.10 —> https two-way ssl directly —> https.example.com <http://https.example.com/>

http_port 3128 defaultsite=https.example.com vhost
cache_peer https.example.com parent 443 0 no-query originserver ssl sslcert=/etc/squid/certs/client.crt sslkey=/etc/squid/certs/client.key name=httpToHttps2way sslcafile=/etc/squid/certs/ca.crt
cache_peer_access httpToHttps2way allow all
cache deny all

There are two thing I haven’t realized in the development environment, because I don’t know how:
1. Making the Squid 3.1.10 to use a proxy system, because that’s our policy to communicate to the outside world. In apache we use the following directive: “ProxyRemote https http://192.168.68.102:3128 <http://192.168.68.102:3128/>"
2. Making the configuration variable as much as possible. So the Squid 3.1.10 handles all different http client requests to different https servers and send them as a https two-way ssl. Currently it only handles request for https.example.com <http://https.example.com/>.

Any help is welcome.

Abdelouahed
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20150414/94507dda/attachment-0001.html>

More information about the squid-users mailing list