<html><head><meta http-equiv="Content-Type" content="text/html charset=utf-8"><meta http-equiv="Content-Type" content="text/html charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div apple-content-edited="true" class=""><div style="color: rgb(0, 0, 0); letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">Hello,</div><div style="color: rgb(0, 0, 0); letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><br class=""></div><div style="color: rgb(0, 0, 0); letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">Currently we’ve got the following situation in our production environment:</div>
</div>
<br class=""><div class="">Clients —HTTP—> Apache —HTTPS TWO-WAY SSL VIA EXTERNAL PROXY —> HTTPS SERVERS</div><div class=""><br class=""></div><div class="">Just to be clear, the following services are used during this flow:</div><div class=""><br class=""></div><div class="">http client (firefox, chrome, curl, wget, etc.) —> Apache (which setups two-way ssl) —> Squid (which simply proxies https connect) —> HTTPS services of other parties on the internet, supporting two-way ssl</div><div class=""><br class=""></div><div class="">We’ve realized this using the following configuration on the apache service:</div><div class=""><br class=""></div><div class=""><div class="">LoadModule ssl_module modules/mod_ssl.so</div><div class=""><br class=""></div><div class="">Listen *:3128</div><div class=""><br class=""></div><div class=""><VirtualHost *:3128></div><div class=""><br class=""></div><div class=""> SSLProxyEngine On</div><div class=""> SSLProxyVerify require</div><div class=""> SSLProxyVerifyDepth 10</div><div class=""> SSLProxyMachineCertificateFile /etc/httpd/certs/client.pem</div><div class=""> SSLProxyCACertificateFile /etc/httpd/certs/ca.crt</div><div class=""><br class=""></div><div class=""> RewriteEngine On</div><div class=""> RewriteRule ^(.*)$ <a href="https://%{HTTP_HOST}$1" class="">https://%{HTTP_HOST}$1</a> [NC,P]</div><div class=""><br class=""></div><div class=""><br class=""></div><div class=""> ProxyPreserveHost On</div><div class=""> ProxyPass / <a href="https://$1/" class="">https://$1/</a></div><div class=""> ProxyPassReverse / <a href="https://$1/" class="">https://$1/</a></div><div class=""><br class=""></div><div class=""> ProxyRemote https <a href="http://192.168.68.102:3128" class="">http://192.168.68.102:3128</a></div><div class=""></VirtualHost></div></div><div class=""><br class=""></div><div class="">We’re trying to replace the apache service by using squid. I’ve installed squid 3.1.10 on CentOS 6.6 and have realized in a development environment a two-way ssl:</div><div class=""><br class=""></div><div class="">http client —> Squid 3.1.10 —> https two-way ssl directly —> <a href="http://https.example.com" class="">https.example.com</a></div><div class=""><br class=""></div><div class=""><div class=""><div class="">http_port 3128 defaultsite=<a href="http://https.example.com" class="">https.example.com</a> vhost</div><div class="">cache_peer <a href="http://https.example.com" class="">https.example.com</a> parent 443 0 no-query originserver ssl sslcert=/etc/squid/certs/client.crt sslkey=/etc/squid/certs/client.key name=httpToHttps2way sslcafile=/etc/squid/certs/ca.crt</div><div class="">cache_peer_access httpToHttps2way allow all</div><div class="">cache deny all</div></div></div><div class=""><br class=""></div><div class="">There are two thing I haven’t realized in the development environment, because I don’t know how:</div><div class="">1. Making the Squid 3.1.10 to use a proxy system, because that’s our policy to communicate to the outside world. In apache we use the following directive: “ProxyRemote https <a href="http://192.168.68.102:3128" class="">http://192.168.68.102:3128</a>"</div><div class="">2. Making the configuration variable as much as possible. So the Squid 3.1.10 handles all different http client requests to different https servers and send them as a https two-way ssl. Currently it only handles request for <a href="http://https.example.com" class="">https.example.com</a>.</div><div class=""><br class=""></div><div class="">Any help is welcome.</div><div class=""><br class=""></div><div class="">Abdelouahed</div></body></html>