[squid-users] SSL Virtual Hosting Problem
Mario Theodoridis
mario.theodoridis at regify.com
Tue Nov 28 15:58:18 UTC 2023
Thank you Amos and Alex,
this is a config I managed to get working for http and https:
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 443 # https
# listeners
https_port 0.0.0.0:443 accel defaultsite=regify.com \
tls-cert=/etc/ssl/certs/regify.com.pem \
tls-key=/etc/ssl/private/regify.com.key
http_port 0.0.0.0:80 accel
# incoming
http_access deny !Safe_ports
http_access deny manager
# plain
acl vplain dstdomain -n plain.regify.com
http_access allow vplain
cache_peer plain.de.regify.com parent 80 0 \
proxy-only originserver no-digest no-netdb-exchange name=plain
cache_peer_access plain allow vplain
cache_peer_access plain deny all
# test1
acl stest1 ssl::server_name test1.regify.com
http_access allow stest1
cache_peer test1.de.regify.com parent 443 0 tls ssldomain=test1.regify.com \
proxy-only originserver no-digest no-netdb-exchange name=test1
cache_peer_access test1 allow stest1
cache_peer_access test1 deny all
# test2
acl stest2 ssl::server_name test2.regify.com
http_access allow stest2
cache_peer test1.de.regify.com parent 443 0 tls ssldomain=test2.regify.com \
proxy-only originserver no-digest no-netdb-exchange name=test2
cache_peer_access test2 allow stest2
cache_peer_access test2 deny all
# fallback
http_access deny all
Mit Freundlichen Grüßen / Kind regards
Mario Theodoridis
regify GmbH
Römerstrasse 39 | D-78183 Hüfingen-Behla
Amtsgericht Freiburg HRB 709343
Telefon: +49 771 8978 4238
On 28/11/23 14:57, Amos Jeffries wrote:
> On 28/11/23 23:29, Mario Theodoridis wrote:
>> Hello everyone,
>>
>> I'm trying to use Squid as a TLS virtual hosting proxy on a system
>> with a public IP in front of several internal systems running TLS web
>> servers.
>>
>> I would like to proxy the incoming connections to the appropriate
>> backend servers based on the hostname using SNI.
>>
>> I'm using the following config to just try this with 1 backend to
>> test with and fail already
>>
>> Here the config:
>>
>> http_port 3128
>> debug_options ALL,2
>> pinger_enable off
>> shutdown_lifetime 1 second
>> https_port 0.0.0.0:443 tproxy ssl-bump tls-cert=/root/dummy.pem
>
> That should be:
>
> https_port 443 accel defaultsite=example.com \
> tls-cert=/etc/squid/example.com.pem
>
> The PEM file needs to be valid for all the domains served.
>
>
>> acl tlspls ssl::server_name_regex -i test\.regify\.com
>> cache_peer test.de.regify.com parent 443 0 proxy-only originserver
>> no-digest no-netdb-exchange name=test
>
> Missing "tls" option to enable TLS when talking to this peer.
>
>
>> ssl_bump peek all
>> ssl_bump splice all
>> http_access allow all
>> cache_peer_access test allow all
>
> I appreciate this is a test. But be sure to keep the default Squid
> security rules ("deny !Safe_ports" etc) and only allow the hosted
> domains instead of "all". These DoS and attack protections are
> particularly important on a reverse-proxy where the general public has
> access.
>
> FYI; "test what you will use" is important for proxies. One of the
> "irrelevant" config details may kill your real-world production setup
> where testing works fine without any security.
>
>
>>
>> ...
>> I've been reading the squid docs and other internet resources, but am
>> failing to figure out why this is not working.
>>
>> Any clue sticks would be appreciated.
>>
>> Also appreciated would be advice on where to find this documented.
>>
>
> The Squid wiki ConfigExamples section has all the typical
> configuration types and a few of the more uncommon ones as well.
> The one you are needing is
> <https://wiki.squid-cache.org/ConfigExamples/Reverse/HttpsVirtualHosting>
>
>
> Cheers
> Amos
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> https://lists.squid-cache.org/listinfo/squid-users
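Amos's remark in the quoted reply that the listener PEM "needs to be valid for all the domains served" is the part of this setup that silently breaks as more vhost ACLs get added: a browser sending SNI test2.regify.com gets the one certificate on the https_port and fails if that name is not in its SAN list. The following is an added example, not code from this thread or from the Squid project. It pulls every host name the config routes on (the defaultsite plus every dstdomain / ssl::server_name ACL value, with a leading-dot entry expanded to the bare name and its wildcard) and compares that set with the DNS entries printed by `openssl x509 -noout -ext subjectAltName`. The squid.conf fragment and the SAN text embedded below are constructed from the thread (the `.old.regify.com` ACL is hypothetical, added to show the leading-dot case), and the match rule is the RFC 6125 one: a `*.` wildcard covers exactly one leftmost label and never the parent itself. Regex ACLs cannot be enumerated and are deliberately not handled.

```python
"""Check that the single certificate on a Squid `https_port ... accel` listener
covers every virtual host the config routes on.  Added example for this thread;
not Squid code and not the poster's setup.  Sample config and SAN text are
constructed.
"""
import re

# Constructed sample: the listener and host ACLs from the thread, plus one
# hypothetical leading-dot dstdomain entry to show that subtlety.
SQUID_CONF = """\
https_port 0.0.0.0:443 accel defaultsite=regify.com \\
    tls-cert=/etc/ssl/certs/regify.com.pem \\
    tls-key=/etc/ssl/private/regify.com.key
http_port 0.0.0.0:80 accel
acl vplain dstdomain -n plain.regify.com
acl stest1 ssl::server_name test1.regify.com
acl stest2 ssl::server_name test2.regify.com
acl legacy dstdomain .old.regify.com   # hypothetical: leading dot = domain and all subdomains
"""

# Constructed sample of: openssl x509 -in regify.com.pem -noout -ext subjectAltName
SAN_OUTPUT = """\
X509v3 Subject Alternative Name:
    DNS:regify.com, DNS:plain.regify.com, DNS:test1.regify.com, DNS:*.old.regify.com
"""

DOMAIN_ACL_TYPES = ("dstdomain", "ssl::server_name")


def _logical_lines(conf):
    """Strip comments and join backslash-continued lines, as squid.conf allows."""
    lines, buf = [], ""
    for raw in conf.splitlines():
        text = raw.split("#", 1)[0].rstrip()
        if text.endswith("\\"):
            buf += text[:-1] + " "
            continue
        buf += text
        if buf.strip():
            lines.append(buf.strip())
        buf = ""
    if buf.strip():
        lines.append(buf.strip())
    return lines


def hosted_domains(conf):
    """Every host name the config routes on: defaultsite plus the values of
    dstdomain / ssl::server_name ACLs.  Regex ACLs (dstdomain_regex,
    ssl::server_name_regex) cannot be enumerated and are not handled."""
    names = set()
    for line in _logical_lines(conf):
        tok = line.split()
        if tok[0] in ("http_port", "https_port"):
            m = re.search(r"\bdefaultsite=(\S+)", line)
            if m:
                names.add(m.group(1))
        elif tok[0] == "acl" and len(tok) > 3 and tok[2] in DOMAIN_ACL_TYPES:
            for d in tok[3:]:
                if d.startswith("-"):      # ACL flag such as -n or -i
                    continue
                if d.startswith("."):      # ".x.y" matches x.y and every subdomain
                    names.add(d[1:])
                    names.add("*" + d)
                else:
                    names.add(d)
    return names


def san_names(openssl_output):
    """DNS entries from `openssl x509 -noout -ext subjectAltName` output."""
    return set(re.findall(r"DNS:([^\s,]+)", openssl_output))


def hostname_matches(name, san):
    """RFC 6125 style match: exact, or a '*.' wildcard that covers exactly one
    leftmost label and never the parent domain itself."""
    name, san = name.lower().rstrip("."), san.lower().rstrip(".")
    if name == san:
        return True
    if not san.startswith("*."):
        return False
    return name.endswith(san[1:]) and name.count(".") == san.count(".")


def uncovered(domains, sans):
    """Hosted names that no SAN entry covers."""
    return {d for d in domains if not any(hostname_matches(d, s) for s in sans)}


def check(conf, openssl_output):
    """Sorted list of routed host names the listener certificate does not cover."""
    return sorted(uncovered(hosted_domains(conf), san_names(openssl_output)))


if __name__ == "__main__":
    missing = check(SQUID_CONF, SAN_OUTPUT)
    print("not covered by the listener certificate:", missing or "nothing")
```

On the constructed sample the check reports test2.regify.com (routed, but absent from the SAN list) and old.regify.com (the wildcard `*.old.regify.com` does not cover the parent name, so a leading-dot dstdomain needs both entries in the certificate). Against a real deployment, feed it the actual squid.conf and the output of `openssl x509 -in <tls-cert file> -noout -ext subjectAltName`; an empty result is the condition Amos's remark asks for.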