[squid-users] Fwd: reverse proxy HTTPS

sothy shan sothy.e98 at gmail.com
Thu Mar 9 12:54:49 UTC 2017


On Thu, Mar 9, 2017 at 1:41 PM, Amos Jeffries <squid3 at treenet.co.nz> wrote:

> On 6/03/2017 11:21 p.m., sothy shan wrote:
> > Hi,
> >
> > I can give precisely what I am doing on this part. See the previous mail
> > below for my exact requirement.
> >
> > //create the keys.
> >
> > $openssl req -new -keyout key.pem -nodes -x509 -days 365 -out cert.pem
> >
> > Both keys (cert.pem and key.pem) are placed in /etc/squid/.
> >
> > Then, I make the following in squid.
> > +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
> > https_port 192.168.1.69:443 cert=/etc/squid/cert.pem key=/etc/squid/key.pem
>
> The "accel" mode flag is missing.
>
> It is that alone which makes squid a reverse-proxy. The rest of the
> config details are 'agnostic' to the proxy type/mode.
>
Yes. I made it like that. It worked!

>
>
> > cache_peer X.Y.Z.Z parent 443 0 no-query originserver
> >
> >
> > http_access allow all
> > ++++++++++++++++++++++++++++++++++++++++++++++
> >
> > When I type in browser like this https://192.168.1.69
>
> That's okay for a first test, but you should use a domain as soon as
> possible so all the domain related validations have a chance to be tested.
> There are cert domain and SNI validations happening at the TLS/SSL
> level, and there should also be dstdomain ACLs in squid.conf to ensure
> only the wanted domains' traffic gets handled by the proxy.
>
> Amos
>
>
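
Added example, not part of the original messages: a small Python check over a squid.conf fragment for the three points raised in this thread (https_port without accel, http_access allow all, no dstdomain ACL in an allow rule). The domain www.example.com, the ACL name our_sites and both sample configs are assumptions constructed for illustration.

```python
# POSTED mirrors the config quoted in the thread; REVISED is a constructed
# variant (www.example.com and our_sites are placeholder names).
POSTED = """\
https_port 192.168.1.69:443 cert=/etc/squid/cert.pem key=/etc/squid/key.pem
cache_peer X.Y.Z.Z parent 443 0 no-query originserver
http_access allow all
"""

REVISED = """\
https_port 192.168.1.69:443 accel cert=/etc/squid/cert.pem key=/etc/squid/key.pem
acl our_sites dstdomain www.example.com
cache_peer X.Y.Z.Z parent 443 0 no-query originserver
http_access allow our_sites
http_access deny all
"""


def directives(conf):
    """Yield the token list of each non-empty, non-comment line."""
    for line in conf.splitlines():
        stripped = line.strip()
        if stripped and not stripped.startswith("#"):
            yield stripped.split()


def lint_reverse_proxy(conf):
    """Return a list of findings; an empty list means no check fired."""
    findings = []
    dst_acls = set()   # names of ACLs of type dstdomain
    allowed = set()    # ACL names referenced by http_access allow rules
    for tokens in directives(conf):
        name, args = tokens[0], tokens[1:]
        if name == "https_port" and "accel" not in args:
            findings.append("https_port %s lacks accel" % (args[0] if args else "?"))
        elif name == "acl" and len(args) >= 2 and args[1] == "dstdomain":
            dst_acls.add(args[0])
        elif name == "http_access" and args[:1] == ["allow"]:
            if args[1:] == ["all"]:
                findings.append("http_access allow all")
            else:
                allowed.update(args[1:])
    if not dst_acls & allowed:
        findings.append("no dstdomain ACL used in an http_access allow rule")
    return findings


if __name__ == "__main__":
    for label, conf in (("posted", POSTED), ("revised", REVISED)):
        print(label, lint_reverse_proxy(conf) or "ok")
```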
