[squid-users] forward proxy to reverse proxy to app
Amos Jeffries
squid3 at treenet.co.nz
Fri Nov 17 09:58:10 UTC 2017
On 17/11/17 20:33, Bernhard Dübi wrote:
> Hi,
>
> I try to configure squid for a very special use case but can't get it
> to work. So, if you could give me some hints on how to do it right,
> that would be great
>
> Here's what I try to achieve:
>
> the browser has proxy:8080 configured as manual proxy
> from the browser I access some websites
> when the request is plain http then the reply must be a redirect to https
> when the request is https then the ssl connection must be terminated
> on the proxy and the request must be forwarded as http to the
> application server

A forward/explicit proxy like yours is required to ensure that the
security level of traffic remains unchanged across both client and
server connections. Never downgraded without explicit knowledge by both
endpoints. Bad problems ensue if you downgrade with either endpoint
thinking it is secure end-to-end.

>
> I know, I could just forget about ssl and go directly to the app server
> with http but the customer insists on that particular setup
>
> we use several domains like app1.doma.com, app2.domb.biz, app3.domc.org
> in order to return the correct certificate for each request, I need a
> dedicated ip:port combination for each certificate

That is only relevant for *reverse-proxy*, not a forward/explicit proxy
like yours.

If you have an explicit TLS connection between the clients and Squid
forward/explicit you only need a certificate confirming Squid's hostname
to the client.

If you are using SSL-Bump to decrypt the HTTPS traffic Squid can
auto-generate certificates on the client connection based on the
upstream server cert details.

Amos