[squid-users] Trusted CA Certificate with ssl_bump

Patrick Chemla patrick.chemla at performance-managers.com
Wed Nov 16 18:16:36 UTC 2016

Many Thanks Alex. I will try in the next hours and let you if I am 


Le 16/11/2016 à 20:04, Alex Crow a écrit :
> On 16/11/16 17:33, Patrick Chemla wrote:
>> Thanks for your answers, I am not doing anything illegal, I am trying to
>> build a performant platform.
>> I have a big server running about 10 different websites.
>> I have on this server virtual machines, each specialized for one-some
>> websites, and squid help me to send the traffic to the destination
>> website on the internal VM according to the URL.
>> Some VMs are paired, so squid will loadbalance the traffic on group of
>> VMs according to the URL/acls.
>> All this works in HTTP, thanks to Amos advices few weeks ago.
>> Now, I need to set SSL traffic, and because the domains are different I
>> need to use different IPs:443 to be able to use different certificates.
>> I tried many times in the past to make squid working in SSL and never
>> succeed because of so many options, and this question: Does the traffic
>> between squid and the backend should be SSL? If yes, it's OK for me.
>> nothing illegal.
>> The second question: How to set up the SSL link on squid getting the SSL
>> request and sending to the backend. Actually the backend can handle SSL
>> traffic, it's OK for me if I find the way to make squid handle the
>> traffic, according to the acls. squid must decrypt the request, compute
>> the acls, then re-crypt to send to the backend.
>> The reason I asked not to reencrypt is because of performances. All this
>> is on the same server, from the host to the VMs and decrypt, the
>> reencrypt, then decrypt will be ressources consumming. But I can do it
>> like that.
>> Now, do you have any Howto, clear, that will help? I found many on
>> Google and not any gave me the solution working.
>> The other question is about Trusted Certificates. We have on the
>> websites trusted certificates. Should we use the same on the squid?
>> Thanks for appeciate help
>> Patrick
> You are using a reverse proxy/web accelerator setup. Nothing you do
> there will be illegal if you're using it for your own servers! You
> should be able to use HTTP to the backend and just offer HTTPS from
> squid. This will avoid loading the backend with encryption cycles. You
> don't need any certificate generation as AFAIK you already have all the
> certs you need.
> See:
> http://wiki.squid-cache.org/SquidFaq/ReverseProxy
> for starters. You can adapt the wildcard example; if you have specific
> certs for each domain, just listen on a different IP for each domain and
> set up multiple https_port with a different listening IP for each site.
> If you have a wildcard cert, ie *.mydomain.com, follow it directly.
> Here's a couple more:
> http://wiki.univention.com/index.php?title=Cool_Solution_-_Squid_as_Reverse_SSL_Proxy
> (I found the above with a simple google for "squid reverse ssl proxy".
> Google is your friend here... )
> http://www.squid-cache.org/Doc/config/https_port/
> That's as far as my knowledge goes on reverse in Squid, at my site we
> use nginx.But AFAIK if you're doing what I think you're doing that
> should be enough. Squid does have a lot of config parameters, but then
> so does any other fully capable proxy server. Just focus on the parts
> you need for your role and it will be much easier. Specifically ignore
> bump/peek+splice, it's just for forward proxy.
> Alex
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users

More information about the squid-users mailing list