[squid-users] SSL Virtual Hosting Problem
Amos Jeffries
squid3 at treenet.co.nz
Tue Nov 28 13:57:32 UTC 2023
On 28/11/23 23:29, Mario Theodoridis wrote:
> Hello everyone,
>
> I'm trying to use squid as a TLS virtual hosting proxy on a system with
> a public IP in front of several internal systems running TLS web servers.
>
> I would like to proxy the incoming connections to the appropriate
> backend servers based on the hostname using SNI.
>
> I'm using the following config to just try this with 1 backend to test
> with and fail already
>
> Here the config:
>
> http_port 3128
> debug_options ALL,2
> pinger_enable off
> shutdown_lifetime 1 second
> https_port 0.0.0.0:443 tproxy ssl-bump tls-cert=/root/dummy.pem
That should be:
https_port 443 accel defaultsite=example.com \
tls-cert=/etc/squid/example.com.pem
The PEM file needs to be valid for all the domains served.
> acl tlspls ssl::server_name_regex -i test\.regify\.com
> cache_peer test.de.regify.com parent 443 0 proxy-only originserver no-digest no-netdb-exchange name=test
Missing "tls" option to enable TLS when talking to this peer.
> ssl_bump peek all
> ssl_bump splice all
> http_access allow all
> cache_peer_access test allow all
I appreciate this is a test. But be sure to keep the default Squid
security rules ("deny !Safe_ports" etc) and only allow the hosted
domains instead of "all". These DoS and attack protections are
particularly important on a reverse-proxy where the general public has
access.
FYI; "test what you will use" is important for proxies. One of the
"irrelevant" config details may kill your real-world production setup
where testing works fine without any security.
>
> ...
> I've been reading the squid docs and other internet resources, but am
> failing to figure out why this is not working.
>
> Any clue sticks would be appreciated.
>
> Also appreciated would be advice on where to find this documented.
>
The Squid wiki ConfigExamples section has all the typical configuration
types and a few of the more uncommon ones as well.
The one you need is
<https://wiki.squid-cache.org/ConfigExamples/Reverse/HttpsVirtualHosting>
Cheers
Amos
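Added example (not part of Amos's reply or the Squid project's own documentation): a complete reverse-proxy squid.conf fragment that applies the corrections above to a two-backend setup. Everything concrete in it is an assumption for illustration: the public hostnames www.example.com and shop.example.com, the internal origin names app1.internal.example and app2.internal.example, the certificate and CA paths under /etc/squid, and the peer names app1 and app2. The certificate named on https_port is assumed to carry SubjectAltNames for every hosted domain, as the reply requires.

```squidconf
# Added example, not from the thread: Squid as a TLS reverse proxy
# (accelerator) fronting two internal HTTPS origins. Hostnames, paths
# and peer names are assumptions for illustration.

# One public listening port. "accel" selects reverse-proxy mode, "vhost"
# routes on the Host header of the decrypted request, "defaultsite"
# covers clients that send no Host header. The PEM file must be valid
# for every hosted domain (one cert with SANs for both is assumed here).
https_port 443 accel vhost defaultsite=www.example.com \
    tls-cert=/etc/squid/hosted-sites.pem \
    tls-key=/etc/squid/hosted-sites.key \
    tls-min-version=1.2

# Backend origins. "tls" makes Squid speak TLS to the peer (the option
# the original config was missing). "tls-cafile" and "tls-domain" pin the
# CA and the name the backend certificate must verify against, so a
# misconfigured or spoofed backend is refused instead of silently used.
# "originserver" marks the peer as an origin rather than another proxy;
# "no-query" drops ICP traffic a reverse proxy does not need.
cache_peer app1.internal.example parent 443 0 no-query originserver \
    tls tls-cafile=/etc/squid/internal-ca.pem \
    tls-domain=app1.internal.example name=app1
cache_peer app2.internal.example parent 443 0 no-query originserver \
    tls tls-cafile=/etc/squid/internal-ca.pem \
    tls-domain=app2.internal.example name=app2

# Public hostnames and which peer each one maps to.
acl site_app1 dstdomain www.example.com
acl site_app2 dstdomain shop.example.com
acl hosted_sites dstdomain www.example.com shop.example.com

# Keep the stock Squid protections on a port the general public reaches.
acl SSL_ports port 443
acl Safe_ports port 80 443
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny manager
http_access deny to_localhost

# Serve only the hosted domains; "http_access allow all" would turn the
# box into an open proxy for anyone who can reach port 443.
http_access allow hosted_sites
http_access deny all

# Route each domain to its own origin and nothing else.
cache_peer_access app1 allow site_app1
cache_peer_access app1 deny all
cache_peer_access app2 allow site_app2
cache_peer_access app2 deny all

# A reverse proxy must never fall back to fetching directly from
# arbitrary hosts named in a request.
never_direct allow all
```

The "tproxy", "ssl-bump" and "ssl_bump peek/splice" lines from the original config are dropped, matching the corrected https_port line in the reply: they belong to interception setups, not to an accelerator that terminates TLS itself. Test the exact ACL set you intend to run in production; a config that only works with "allow all" has not been tested.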