[squid-users] Trusted CA Certificate with ssl_bump

Patrick Chemla patrick.chemla at performance-managers.com
Wed Nov 16 17:33:18 UTC 2016

Thanks for your answers, I am not doing anything illegal, I am trying to 
build a performant platform.

I have a big server running about 10 different websites.

I have on this server virtual machines, each specialized for one-some 
websites, and squid help me to send the traffic to the destination 
website on the internal VM according to the URL.

Some VMs are paired, so squid will loadbalance the traffic on group of 
VMs according to the URL/acls.

All this works in HTTP, thanks to Amos advices few weeks ago.

Now, I need to set SSL traffic, and because the domains are different I 
need to use different IPs:443 to be able to use different certificates.

I tried many times in the past to make squid working in SSL and never 
succeed because of so many options, and this question: Does the traffic 
between squid and the backend should be SSL? If yes, it's OK for me. 
nothing illegal.

The second question: How to set up the SSL link on squid getting the SSL 
request and sending to the backend. Actually the backend can handle SSL 
traffic, it's OK for me if I find the way to make squid handle the 
traffic, according to the acls. squid must decrypt the request, compute 
the acls, then re-crypt to send to the backend.

The reason I asked not to reencrypt is because of performances. All this 
is on the same server, from the host to the VMs and decrypt, the 
reencrypt, then decrypt will be ressources consumming. But I can do it 
like that.

Now, do you have any Howto, clear, that will help? I found many on 
Google and not any gave me the solution working.

The other question is about Trusted Certificates. We have on the 
websites trusted certificates. Should we use the same on the squid?

Thanks for appeciate help


Le 16/11/2016 à 14:27, Amos Jeffries a écrit :
> On 16/11/2016 9:11 p.m., Patrick Chemla wrote:
>> Hi,
>> I have same problem, and I need to use trusted CA certificates, so what
>> is the solution?
> Not to do illegal bad things that violate your contract with the CA.
> Any CA which lets you intercept traffic by generating sub-certificates
> with their root *will* be blacklisted and effectively "thrown off the
> Internet". It has happened already for several CA who thought that was
> an idle threat.
>> I have a squid 3.5.20 used for multiple domains, multiple backends,
>> using both HTTP and HTTPS.
> As Alex said, what you describe here sounds a lot more like
> reverse-proxy than interception.
> Sergey who started this thread was intercepting HTTPS traffic sent by
> clients to an explicit proxy. All answers so far have been about that
> topic, which is probably *not* what you are facing.
> The configurations and limitations are very different. So first thing to
> do is be clear about what actually you are trying to do.
>> So questions:
>> 1/ Should I set up the squid certificate with ONLY self-signed, or there
>> is a way to use Trusted certificates? So if only self-signed, the user
>> will be always forced to accept the self-signed certificate on first
>> time? not really good for commercial sites.
> Are you the owner of the website(s) or an authorized CDN/Hosting
> provider for them ?
>> 2/ Should the backend cache_peer set as ssl on port 443, or could it be
>> simple http 80 (backends are internal VMs onto the same server, no
>> external network between squid and backends)?
> That depends on your answer to the above.
>> 3/ Will the acls rules work OK to affect each request to the right
>> backend according to domain, even in HTTPS?
> Yes. But the detail may not be what you expect. It depends on the above
> answers.
>> 4/ Do you know some clear and easy howto, examples, for such settings,
>> from where I could get how to do?
> <http://wiki.squid-cache.org/ConfigExamples/> contains all of the
> configurations you might need. But which one(s) are correct for you
> depends on what you are actually needing to do.
> Amos
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users

More information about the squid-users mailing list