[squid-users] Fwd: reverse proxy HTTPS

Amos Jeffries squid3 at treenet.co.nz
Thu Mar 9 12:41:13 UTC 2017


On 6/03/2017 11:21 p.m., sothy shan wrote:
> Hi,
> 
> I can give precise what I am doing on this part.See the previous mail below
> for my exact requirement.
> 
> //create the keys.
> 
> $openssl req -new -keyout key.pem -nodes -x509 -days 365 -out cert.pem
> 
> Both keys(cert.pem and key.pem) are places in /etc/squid/.
> 
> Then, I make following in squid.
> +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
> https_port 192.168.1.69:443 cert=/etc/squid/cert.pem key=/etc/squid/key.pem

The "accel" mode flag s missing.

It is that alone which makes squid a reverse-proxy. The rest of the
config details are 'agnostic' to the proxy type/mode.


> cache_peer X.Y.Z.Z parent 443 0 no-query originserver
> 
> 
> http_access allow all
> ++++++++++++++++++++++++++++++++++++++++++++++
> 
> When I type in browser like this https://192.168.1.69

Thats okay for a first test, but you should use a domain as soon as
possible so all the domain related validations have a chance to be tested.
 There are cert domain and SNI validations happening at the TLS/SSL
level, and there should also be dstdomain ACLs in squid.conf to ensure
only the wanted domains traffic gets handled by the proxy.

Amos



More information about the squid-users mailing list