[squid-users] forward/reverse proxying with TLS.

Tony Albers tony.albers at gmx.com
Wed Apr 12 11:48:35 UTC 2023 

Hiya,

I'm quite new to squid, so please bear with me.

OS is Debian Bullseye.

What I want to do is "hide" an application behind squid, so that the 
application receives http traffic, and sends http traffic. This traffic 
then goes through squid in both directions, so that squid receives https 
on the external IP and forwards it to the application which is listening 
on the loopback interface, and squid receives outgoing traffic from the 
application on the loopback interface and then sends it out over the 
external IP with https.

Kinda like so:
Incoming: exthost1(HTTPS)->thishostname:443-> squid 
->127.0.0.1(HTTP)->127.0.0.1:1080

Outgoing: 127.0.0.1(HTTP)->127.0.0.1:8080-> squid
->exthost2:443(HTTPS)


I have the application running in a container on the host.
On the same host I also have squid installed.

The application listens on 127.0.0.1:1080 on HOST
Squid is set up as a reverse proxy, listening to https on the external 
if on HOST:443 and forwards everything as http to 127.0.0.1:1080
(this works fine)

When the application then transmits something via http, it uses 
localhost:8080 as proxy, where squid picks it up and then forwards it as 
https.
(this doesn't work)

At least that#s what I want it to do..

However, when I use squid as outgoing proxy, the server in the other 
end(88.24.12.40) says that squid doesn't present a client certificate 
and drops the connection.

But I got the impression that tls_outgoing_options is for exactly that.. 
Have I misunderstood something?


My squid config looks like this:

# prefer DNS over IPv4
dns_v4_first on

# define hosts/networks that we use
acl exthost src 88.24.12.60/32
acl inthosts src 172.27.2.0/24
acl internal src 127.0.0.1/32

# access lists
http_access allow exthost
http_access allow inthosts
http_access allow internal

# reverse SSL proxy converting to noSSL
https_port 172.27.2.118:443 accel
tls-cert=/etc/squid/certs/thishostname.crt
tls-key=/etc/squid/keys/thishostname-privkey.pem
defaultsite=thishostname
cache_peer 127.0.0.1 parent 1080 0 no-query proxy-only originserver 
name=thishostname

# forward proxy converting to SSL
http_port 127.0.0.1:8080
acl extnet dstdomain -n .somedomain.dk
acl extip dstdomain 88.24.12.40
acl intip dstdomain -n .someotherdomain.dk
url_rewrite_program /etc/squid/urlrewrite.py
tls_outgoing_options cert=/etc/squid/certs/thishostname.crt
tls_outgoing_options key=/etc/squid/keys/thishostname-privkey.pem
tls_outgoing_options cafile=/etc/squid/certs/thishostnameCA.pem
tls_outgoing_options capath=/etc/ssl/certs
tls_outgoing_options domain=somedomain.dk
never_direct deny extnet
never_direct deny extip
never_direct allow all

cache_peer_access thishostname allow exthosts
cache_peer_access thishostname allow inthosts
cache_peer_access thishostname allow internal
cache_peer_access thishostname deny all

# disable local caching
cache deny all

Thanks in advance,

Tony

More information about the squid-users mailing list