[squid-users] Trusted CA Certificate with ssl_bump

Alex Crow alex at nanogherkin.com
Wed Nov 16 18:04:55 UTC 2016



On 16/11/16 17:33, Patrick Chemla wrote:
> Thanks for your answers, I am not doing anything illegal, I am trying to
> build a performant platform.
> 
> I have a big server running about 10 different websites.
> 
> I have on this server virtual machines, each specialized for one or some
> websites, and squid helps me to send the traffic to the destination
> website on the internal VM according to the URL.
> 
> Some VMs are paired, so squid will load-balance the traffic on a group of
> VMs according to the URL/acls.
> 
> All this works in HTTP, thanks to Amos's advice a few weeks ago.
> 
> Now, I need to set SSL traffic, and because the domains are different I
> need to use different IPs:443 to be able to use different certificates.
> 
> I tried many times in the past to make squid work with SSL and never
> succeeded because of so many options, and this question: Should the traffic
> between squid and the backend be SSL? If yes, it's OK for me,
> nothing illegal.
> 
> The second question: How to set up the SSL link on squid getting the SSL
> request and sending to the backend. Actually the backend can handle SSL
> traffic, it's OK for me if I find the way to make squid handle the
> traffic, according to the acls. squid must decrypt the request, compute
> the acls, then re-crypt to send to the backend.
> 
> The reason I asked not to re-encrypt is because of performance. All this
> is on the same server, from the host to the VMs, and decrypt, then
> re-encrypt, then decrypt will be resource consuming. But I can do it
> like that.
> 
> Now, do you have any clear Howto that will help? I found many on
> Google and none gave me a working solution.
> 
> The other question is about Trusted Certificates. We have on the
> websites trusted certificates. Should we use the same on the squid?
> 
> Thanks for your appreciated help
> 
> Patrick
> 
> 

You are using a reverse proxy/web accelerator setup. Nothing you do
there will be illegal if you're using it for your own servers! You
should be able to use HTTP to the backend and just offer HTTPS from
squid. This will avoid loading the backend with encryption cycles. You
don't need any certificate generation as AFAIK you already have all the
certs you need.

See:

http://wiki.squid-cache.org/SquidFaq/ReverseProxy

for starters. You can adapt the wildcard example; if you have specific
certs for each domain, just listen on a different IP for each domain and
set up multiple https_port entries with a different listening IP for each site.
If you have a wildcard cert, i.e. *.mydomain.com, follow it directly.

Here's a couple more:

http://wiki.univention.com/index.php?title=Cool_Solution_-_Squid_as_Reverse_SSL_Proxy

(I found the above with a simple google for "squid reverse ssl proxy".
Google is your friend here... )

http://www.squid-cache.org/Doc/config/https_port/

That's as far as my knowledge goes on reverse in Squid; at my site we
use nginx. But AFAIK if you're doing what I think you're doing that
should be enough. Squid does have a lot of config parameters, but then
so does any other fully capable proxy server. Just focus on the parts
you need for your role and it will be much easier. Specifically ignore
bump/peek+splice, it's just for forward proxy.

Alex
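
The setup Alex describes above, written out as an added squid.conf sketch that is not part of the original thread: one https_port per public IP so each site presents its own trusted certificate, TLS terminated at Squid, plain HTTP to the backend VMs, and dstdomain ACLs steering each site to its VM or round-robin VM pair. All IPs, host names and certificate paths are constructed placeholders; the syntax assumes Squid 3.5 or later.

```conf
# Added example, not from the original thread. Addresses, domain names and
# certificate paths are constructed placeholders; Squid 3.5+ syntax assumed.

# One https_port per public IP: each site gets its own trusted cert.
# Squid terminates TLS here; no ssl_bump is involved in reverse-proxy mode.
https_port 192.0.2.10:443 accel defaultsite=www.example.com cert=/etc/squid/certs/example.com.crt key=/etc/squid/certs/example.com.key options=NO_SSLv2,NO_SSLv3
https_port 192.0.2.11:443 accel defaultsite=www.example.org cert=/etc/squid/certs/example.org.crt key=/etc/squid/certs/example.org.key options=NO_SSLv2,NO_SSLv3

# Backend VMs on the internal bridge, reached over plain HTTP (no re-encryption).
# example.com is served by a paired set of VMs, round-robin balanced;
# example.org by a single VM.
cache_peer 10.10.0.11 parent 80 0 no-query originserver round-robin name=com_vm1
cache_peer 10.10.0.12 parent 80 0 no-query originserver round-robin name=com_vm2
cache_peer 10.10.0.21 parent 80 0 no-query originserver name=org_vm1

# Route by requested host name. Requests for any other Host are refused,
# so the proxy cannot be used to reach arbitrary backends.
acl site_com dstdomain www.example.com example.com
acl site_org dstdomain www.example.org example.org

cache_peer_access com_vm1 allow site_com
cache_peer_access com_vm2 allow site_com
cache_peer_access org_vm1 allow site_org
cache_peer_access com_vm1 deny all
cache_peer_access com_vm2 deny all
cache_peer_access org_vm1 deny all

# Never fetch from the public Internet; only the configured origin peers.
never_direct allow all

http_access allow site_com
http_access allow site_org
http_access deny all
```

Check the result with `squid -k parse` before reloading; it reports any directive or certificate path it cannot load.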
