[squid-users] Reverse Proxy
Amos Jeffries
squid3 at treenet.co.nz
Tue Jun 11 09:47:50 UTC 2019
On 11/06/19 6:24 pm, afkout wrote:
> I try ssl_bump and header_replace, not working
> TCP_MISS/503 5452 GET https://steamcommunity.com/ cjm
> ROUNDROBIN_PARENT/72.246.190.104 text/html
>
> config
> acl sc ssl::server_name steamcommunity.com
> cache_peer steamuserimages-a.akamaihd.net parent 443 7 no-query proxy-only round-robin name=ak1 tls tls-min-version=1.2 originserver
> cache_peer_access ak1 allow sc
> http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/cacert.pem key=/etc/squid/cakey.pem
>
>
Ah. This is not a reverse-proxy config. This is a regular forward-proxy
that decrypts / MITM's any HTTPS going through it.

This would be a reverse-proxy for the steamcommunity.com domain:

  https_port 443 accel \
      cert=/etc/squid/cacert.pem \
      key=/etc/squid/cakey.pem

  cache_peer steamuserimages-a.akamaihd.net parent 443 0 name=ak1 \
      originserver no-query proxy-only tls-min-version=1.2

  acl sc dstdomain .steamcommunity.com
  cache_peer_access ak1 allow sc
  http_access allow sc

For multiple domains in that same https_port (note the 's') your
cert/key need to cover all of them. That could be a wildcard cert, or
one with multiple domains in its CN/SubjectAltName.

Alternatively you can have multiple https_port lines with different IPs
for different certs.

If you are using the latest Squid-4, then GnuTLS builds (not OpenSSL)
can also support multiple certs. Bundle the key+cert (plus any relevant
CA chain) into one PEM file for each domain and load each file with the
tls-cert= option. Like so:

  https_port 443 accel \
      tls-cert=/etc/squid/example.com.pem \
      tls-cert=/etc/squid/example.net.pem \
      tls-cert=/etc/squid/example.org.pem

Amos
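The certificate-coverage point above (every domain on one https_port must be covered by the cert, via a wildcard or SubjectAltName entries, else you need separate listeners or GnuTLS multi-cert) is easy to get wrong with wildcards. The following is an added example, not code from the thread or from the Squid project: it checks a set of PEM bundles against the domains you intend to accelerate, applying the RFC 6125 wildcard rules, and lays out either the single GnuTLS-style listener with one tls-cert= per bundle or one OpenSSL-style listener per bundle. It generalizes Amos's three-domain example to any number of domains and bundles. Assumptions: the SubjectAltName dNSName entries are supplied as constructed Python lists (as if already extracted from each PEM, e.g. with `openssl x509 -noout -ext subjectAltName`), the 192.0.2.x addresses are TEST-NET-1 placeholders for the real listener IPs, and the OpenSSL-style lines rely on the documented squid.conf behaviour that key= defaults to the cert= file when omitted.

```python
"""Check that the certificates behind a Squid reverse proxy cover every
accelerated domain, and lay out the matching https_port line(s).

Added example for the squid-users thread above, not Squid's own code.
Assumptions: the SubjectAltName dNSName entries have already been pulled
out of each PEM bundle and are supplied here as constructed lists; the
192.0.2.x addresses are TEST-NET-1 placeholders for real listener IPs.
"""
from typing import Dict, List, Optional, Tuple


def san_matches(san: str, host: str) -> bool:
    """True if one dNSName entry covers host.

    Wildcard rules follow RFC 6125 section 6.4.3: only a whole leftmost
    label may be '*', it matches exactly one label (so *.example.com does
    not cover example.com or a.b.example.com), and '*.tld' is rejected.
    """
    san = san.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in san:
        return san == host
    s_labels = san.split(".")
    h_labels = host.split(".")
    if s_labels[0] != "*" or any("*" in lbl for lbl in s_labels[1:]):
        return False  # partial (w*.example.com) or non-leftmost wildcard
    if len(s_labels) < 3:
        return False  # '*.com' would cover an entire TLD
    return len(h_labels) == len(s_labels) and h_labels[1:] == s_labels[1:]


def cert_for_domain(certs: Dict[str, List[str]], domain: str) -> Optional[str]:
    """Return the first PEM path whose SAN list covers domain, else None."""
    for pem, sans in certs.items():
        if any(san_matches(san, domain) for san in sans):
            return pem
    return None


def plan_https_ports(certs: Dict[str, List[str]], domains: List[str],
                     multi_cert_port: bool = False) -> Tuple[List[str], List[str]]:
    """Return (https_port config lines, domains no certificate covers).

    multi_cert_port=True gives the single GnuTLS-style listener with one
    tls-cert= per bundle; False gives one OpenSSL-style listener per bundle,
    each on its own address. With cert= and no key= Squid reads the private
    key from the cert file (assumed from the squid.conf key= documentation),
    so each bundle must contain key+cert(+chain).
    """
    uncovered: List[str] = []
    used: List[str] = []  # PEM paths in first-use order
    for domain in domains:
        pem = cert_for_domain(certs, domain)
        if pem is None:
            uncovered.append(domain)
        elif pem not in used:
            used.append(pem)

    lines: List[str] = []
    if multi_cert_port:
        opts = " ".join(f"tls-cert={pem}" for pem in used)
        lines.append(f"https_port 443 accel {opts}")
    else:
        for i, pem in enumerate(used):
            # placeholder address: substitute the real IP bound for this cert
            lines.append(f"https_port 192.0.2.{10 + i}:443 accel cert={pem}")
    return lines, uncovered


# Constructed sample: two bundles and the domains we want to accelerate.
SAMPLE_CERTS = {
    "/etc/squid/example.com.pem": ["example.com", "*.example.com"],
    "/etc/squid/example.net.pem": ["example.net", "www.example.net"],
}
SAMPLE_DOMAINS = ["example.com", "www.example.com", "example.net",
                  "deep.sub.example.com", "example.org"]

if __name__ == "__main__":
    for multi in (False, True):
        lines, missing = plan_https_ports(SAMPLE_CERTS, SAMPLE_DOMAINS, multi)
        print("# GnuTLS multi-cert listener" if multi else "# one listener per cert")
        print("\n".join(lines))
        print("# not covered by any bundle:", ", ".join(missing) or "none")
```

Running it on the constructed sample reports deep.sub.example.com (two labels under the wildcard) and example.org (no bundle) as uncovered, which is exactly the situation that produces a certificate mismatch for clients once the listener is live; either add those names to a bundle or give them their own https_port.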