[squid-users] Multiple SSL certificates on same IP

Squid users squidusers at daltontech.co.uk
Wed Dec 19 18:35:00 UTC 2018 

Could you

A – forward to different ports
B – Use Network address translation?

Thoughts…

From: squid-users <squid-users-bounces at lists.squid-cache.org> On Behalf Of Patrick Chemla
Sent: 19 December 2018 18:29
To: squid-users at lists.squid-cache.org
Subject: [squid-users] Multiple SSL certificates on same IP

Hi all,

Thanks for the great work you do/provide with squid.

I am using squid for years, I like it very much, and I am now installing a SSL load-balancing unit for about 80 domains/sub-domains.

My OS release is Fedora release 29 (Twenty Nine)

My squid version and parameters are :

# squid -v
Squid Cache: Version 4.4
Service Name: squid

This binary uses OpenSSL 1.1.1-pre9 (beta) FIPS 21 Aug 2018. For legal restrictions on distribution see https://www.openssl.org/source/license.html

configure options:  '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--exec_prefix=/usr' '--libexecdir=/usr/lib64/squid' '--localstatedir=/var' '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid' '--with-logdir=/var/log/squid' '--with-pidfile=/var/run/squid.pid' '--disable-dependency-tracking' '--enable-eui' '--enable-follow-x-forwarded-for' '--enable-auth' '--enable-auth-basic=DB,fake,getpwnam,LDAP,NCSA,PAM,POP3,RADIUS,SASL,SMB,SMB_LM' '--enable-auth-ntlm=SMB_LM,fake' '--enable-auth-digest=file,LDAP' '--enable-auth-negotiate=kerberos' '--enable-external-acl-helpers=LDAP_group,time_quota,session,unix_group,wbinfo_group,kerberos_ldap_group' '--enable-storeid-rewrite-helpers=file' '--enable-cache-digests' '--enable-cachemgr-hostname=localhost' '--enable-delay-pools' '--enable-epoll' '--enable-icap-client' '--enable-ident-lookups' '--enable-linux-netfilter' '--enable-removal-policies=heap,lru' '--enable-snmp' '--enable-ssl' '--enable-ssl-crtd' '--enable-storeio=aufs,diskd,ufs,rock' '--enable-diskio' '--enable-wccpv2' '--enable-esi' '--enable-ecap' '--with-aio' '--with-default-user=squid' '--with-dl' '--with-openssl' '--with-pthreads' '--disable-arch-native' '--with-pic' '--disable-security-cert-validators' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'CFLAGS=-O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -fPIC' 'LDFLAGS=-Wl,-z,relro   -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -pie -Wl,-z,relro -Wl,-z,now -Wl,--warn-shared-textrel' 'CXXFLAGS=-O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -fPIC' 'PKG_CONFIG_PATH=:/usr/lib64/pkgconfig:/usr/share/pkgconfig'

The problem I have is that all these domains are actually on one IP only, on a single server, running nginx with multiple SSL certificates on one single IP, and I would like to do the same with squid.

I did few years ago with HaProxy, but I would prefer to keep squid.

3 choices:

- Having more than one IP on the server, create SSL certificates from LetsEncrypt including each a list of some domains and sub-domains
- Create a very bing certificate to have squid using it (not the best choice because domains are of different content, far one to the other)
- Having squid managing all certificates on a single IP. (The best because some domains have very high encryption needs, and LetsEncrypt is not their preference)

Like a bottle in the sea: Is that possible, multiple certificates, with squid 4.4 on a single IP?

Thanks for your help.

Patrick

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20181219/ec244495/attachment-0001.html>

More information about the squid-users mailing list